URL:
https://github.com/freeipa/freeipa/pull/812
Title: #812: [WIP] Refactoring cert-find to use API call directly instead of using
martbab commented:
"""
Remember that you have to use 'exact=False' in the filter to perform substring
search for krbPrincipalName given the fact that (except for services) the principal is
constructed from primary key by appending realm (and prepending `host/` in the case of
hosts). This, however, opens a range of possibilities for new bugs to creep in (considering
'tuser' is the owner but we have 'tuser1' and 'tuser2' in LDAP,
what will your search filter return?).
That's why I think this is not the correct solution given we currently reference owners by
primary keys and not by principals (krbPrincipalName != primary key in most cases except
services without krbCanonicalName attribute). I am more inclined to @HonzaCholasta's
solution as it seems cleaner to me. An alternative is to report principals as cert owners,
which will break API, however.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/812#issuecomment-304304587
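
The 'tuser' / 'tuser1' / 'tuser2' question raised in the comment, worked through as an added example (not part of the comment and not FreeIPA code). It assumes a non-exact filter takes the form `(krbPrincipalName=*value*)`; the realm, the directory entries and all function names are constructed for illustration.

```python
import re

REALM = "EXAMPLE.TEST"  # constructed realm

# Constructed directory: primary key -> krbPrincipalName
ENTRIES = {
    "tuser": "tuser@EXAMPLE.TEST",
    "tuser1": "tuser1@EXAMPLE.TEST",
    "tuser2": "tuser2@EXAMPLE.TEST",
    "tuser.example.test": "host/tuser.example.test@EXAMPLE.TEST",
}


def assertion_matches(assertion, value):
    """Evaluate the value part of an LDAP filter; '*' is the substring wildcard."""
    parts = [re.escape(p) for p in assertion.split("*")]
    return re.fullmatch(".*".join(parts), value) is not None


def owners_by_substring(pkey):
    """Owners returned when the primary key is matched as a substring.

    Assumed filter shape: (krbPrincipalName=*<pkey>*)
    """
    assertion = "*" + pkey + "*"
    return sorted(pk for pk, princ in ENTRIES.items()
                  if assertion_matches(assertion, princ))


def owners_by_exact_principal(pkey, is_host=False):
    """Owners returned when the full principal is rebuilt and compared exactly."""
    principal = ("host/" if is_host else "") + pkey + "@" + REALM
    return sorted(pk for pk, princ in ENTRIES.items() if princ == principal)


if __name__ == "__main__":
    # Substring search for 'tuser' also returns tuser1, tuser2 and a host.
    print(owners_by_substring("tuser"))
    # Exact comparison on the reconstructed principal returns only the owner.
    print(owners_by_exact_principal("tuser"))
    print(owners_by_exact_principal("tuser.example.test", is_host=True))
```

The substring variant also matches the host entry because the primary key appears inside `host/tuser.example.test@EXAMPLE.TEST`, so the false positives are not limited to similarly named users.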