On Wed, 16 Oct 2019, Sven Ludwig via FreeIPA-users wrote:
> Hi @audience,
>
> I'd like to ask if there is a chance to continue using single-label
> domains with FreeIPA. We learned the hard way that the use of this
> feature was restricted. It cannot be bypassed by any command-line
> option. I found that this all comes down to a check in ipalib/util.py,
> which now counts the number of tokens in a list split by dots.
>
> It's easy to patch, but I am asking myself what the reason is to
> disallow this without being able to override it on the command line.
>
> Are there any further problems with using single-label domains,
> currently or in the future?
There are problems when using a forest trust to Active Directory. AD
simply doesn't support single-label domains anymore.

The real problem is that you might not know whether you will need to
integrate with AD at the time IPA is deployed. The realm cannot be
changed afterwards, so if you are stuck with a single-label domain, you
are stuck forever. With no reasonable migration path to export all data,
including hashed keys for Kerberos principals, to a different deployment
(with a different realm), you would block yourself forever.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
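The thread above only says that the check lives in ipalib/util.py and counts the dot-separated tokens of the domain name. The following is an added example, not FreeIPA's own code and not a copy of that check: it shows what a deployment-time domain validator of that shape looks like when it also enforces basic DNS label syntax, so that a bad name is rejected before an unchangeable realm is derived from it. The function names, the `allow_single_label` escape hatch and the sample inputs are all assumptions made for this illustration.

```python
import re

# DNS label syntax (RFC 1035 / RFC 1123): letters, digits and hyphens,
# 1..63 characters, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Hypothetical validator, modelled on the "count the dot-separated tokens"
# check described in the thread but extended with label-syntax checks.
def domain_name_errors(name, allow_single_label=False):
    """Return the list of reasons `name` is unacceptable as a deployment's
    DNS domain. An empty list means the name passed every check."""
    errors = []
    name = name.strip().rstrip(".")  # tolerate a fully-qualified trailing dot
    if not name:
        return ["domain name is empty"]
    if len(name) > 253:
        errors.append("domain name is longer than 253 characters")

    labels = name.split(".")
    for label in labels:
        if not label:
            errors.append("empty label (leading or consecutive dots)")
        elif not _LABEL_RE.match(label):
            errors.append(f"label {label!r} is not a valid DNS label")

    # The check the thread is about: a single label means there is no parent
    # domain, which (per the reply above) Active Directory no longer supports
    # and which cannot be fixed later because the realm is fixed at install.
    if len(labels) < 2 and not allow_single_label:
        errors.append("single-label domain names are not supported")

    # Conservative extra check: an all-numeric top-level label is never valid.
    if labels and labels[-1].isdigit():
        errors.append("top-level label must not be all-numeric")
    return errors


def is_valid_domain_name(name, allow_single_label=False):
    """Boolean wrapper around domain_name_errors()."""
    return not domain_name_errors(name, allow_single_label)


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real deployments.
    for candidate in ["ipa.example.test", "example", "bad..name",
                      "-x.example", "host.123", "a" * 64 + ".example"]:
        problems = domain_name_errors(candidate)
        print(f"{candidate!r:32} -> {problems or 'ok'}")
```

The `allow_single_label` flag exists only to make the example's rejection explicit; as the reply above explains, bypassing such a check at install time is exactly what locks a deployment into a realm it cannot later change.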