On Fri, 11 Sep 2015, Günther J. Niederwimmer wrote:
System CentOs 7 FreeIPA 4.1,
I like to add a new Host with a Service like imap/imap.example.com
The imap.example.com exist in the zone file with a CNAME Record.
I can't found the correct Doc for my Problem ;-)
ipa help host
ipa help service
and in general 'ipa help <topic>' or 'ipa help <command>' where command
is something reported by 'ipa help <topic>' are very helpful if you
don't want to go and read the actual user's guide (which is very
comprehensive and has specific sections on host and service operations).
A CNAME-based hostname will not work for GSSAPI authentication so your
service bsaed on CNAME couldn't get Kerberos keys properly. You need to
create both A host entry and then service on that host to make sure they
are properly authenticating over GSSAPI/Kerberos. To allow issuing
certificates for services with subjectAltName to CNAME, make sure an A
host manages a CNAME host in IPA (see 'ipa host-*' related commands).
the second Problem is, is it possible to add a IPv6 Address to the Host and
While IP addresses could be added to certificates, we don't allow it as
it is not recommended practice, thus our current validation rules
prevent it. In short, you cannot currently set up a certificate request
that includes IPv4/IPv6 addresses to certificate's subjectAltName.
A question of IPv4/IPv6 addresses for hosts is orthogonal to IPA itself.
Whatever you use for DNS, should be able to handle A/AAAA entries
(including IPA DNS).
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project