We currently have a "request certificate with subjectaltname" permission.
subjectAltName is required or relevant in most certificate use cases (especially TLS, where carrying the DNS name in the Subject DN CN attribute is deprecated).
Therefore it does not really make sense to have a special permission for this, over and above "request certificate" permission.
Furthermore, in IPA specifically:

- we rigorously validate the contents of the SAN against the subject principal data;
- the "request certificate with subjectaltname" permission check is currently waived for self-service requests or if the operator is a host principal.
Therefore, we should just remove this permission and remove associated code from cert_request.
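A simplified model of the SAN-against-principal check that makes the extra permission redundant, written as an added example rather than FreeIPA's own cert_request code; the principal formats (host/service principals carry a hostname, user principals do not) and the accepted SAN types are assumptions of this example.

```python
from typing import Iterable, List, Optional, Tuple

# SAN entries are modelled as (type, value) pairs, e.g. ("dNSName", "web.example.test").
SanEntry = Tuple[str, str]


def principal_host(principal: str) -> Optional[str]:
    """Return the hostname of a host/ or service principal (assumed 'svc/host@REALM'),
    or None for a user principal, which owns no hostname."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return None
    _service, host = name.split("/", 1)
    return host.lower()


def check_san(principal: str, san: Iterable[SanEntry]) -> List[str]:
    """Return the SAN entries that do not belong to the subject principal.

    An empty list means every SAN value is backed by the principal: a dNSName
    must equal the principal's own hostname, and a Kerberos principal name
    must equal the principal itself. Anything else (another host's name,
    wildcards, unknown types) is rejected, so a caller cannot obtain a
    certificate for names it does not own regardless of any extra permission.
    """
    host = principal_host(principal)
    rejected: List[str] = []
    for kind, value in san:
        if kind == "dNSName" and host is not None and value.lower() == host:
            continue
        if kind == "otherName:KRB5PrincipalName" and value == principal:
            continue
        rejected.append(f"{kind}={value}")
    return rejected


if __name__ == "__main__":
    # Constructed sample requests (not real IPA data).
    subject = "HTTP/web.example.test@EXAMPLE.TEST"
    print(check_san(subject, [("dNSName", "web.example.test")]))      # []
    print(check_san(subject, [("dNSName", "*.example.test")]))        # wildcard rejected
    print(check_san("alice@EXAMPLE.TEST", [("dNSName", "web.example.test")]))
```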
master:
Metadata Update from @ftweedal: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5