On Mon, Feb 23, 2015 at 06:02:53PM +0200, Alexander Bokovoy wrote:

> trust-related functionality would be limited to IPA admins or TDO
> object in LDAP would have to be more accessible. Given that TDO
> credentials can be used to compromise access to our domain, it is not

Could you clarify which domain is the "our" domain?

> advisable to give a wider access to them.
>
> As a side-effect of reducing exposure of TDO credentials, FreeIPA lost
> ability to establish and use one-way trust to Active Directory.

The "Lost ability" might be confusing -- "was removed in 3.1" (?) might be better.

> purpose of this feature is to regain the one-way trust support, yet
> without giving an elevated access to TDO credentials.

You might also want to either add a note or a link explaining why one-way trust is harder than two-way, IOW, why we lost the one-way ability when we have the two-way one.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
