On Fri, 11 Sep 2015, Günther J. Niederwimmer wrote:
Hello,

System CentOS 7, FreeIPA 4.1.

I would like to add a new host with a service like imap/imap.example.com

The imap.example.com exists in the zone file with a CNAME record.

I can't find the correct doc for my problem ;-)

ipa help host
ipa help service

and in general 'ipa help <topic>' or 'ipa help <command>' where command
is something reported by 'ipa help <topic>' are very helpful if you
don't want to go and read the actual user's guide (which is very
comprehensive and has specific sections on host and service operations).

A CNAME-based hostname will not work for GSSAPI authentication so your
service based on CNAME couldn't get Kerberos keys properly. You need to
create both A host entry and then service on that host to make sure they
are properly authenticating over GSSAPI/Kerberos. To allow issuing
certificates for services with subjectAltName to CNAME, make sure an A
host manages a CNAME host in IPA (see 'ipa host-*' related commands).

The second problem is: is it possible to add an IPv6 address to the host and
certificates?

While IP addresses could be added to certificates, we don't allow it as
it is not recommended practice, thus our current validation rules
prevent it. In short, you cannot currently set up a certificate request
that includes IPv4/IPv6 addresses to certificate's subjectAltName.

A question of IPv4/IPv6 addresses for hosts is orthogonal to IPA itself.
Whatever you use for DNS, should be able to handle A/AAAA entries
(including IPA DNS).

--
/ Alexander Bokovoy
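
An added example (not part of the original message and not FreeIPA code): a check that reads a zone fragment, resolves the CNAME a service principal points at to the host that owns the A/AAAA records, and lists the `ipa` commands matching the advice above. The zone content, the name `mail1.example.com`, the addresses and all function names are assumptions; review the generated commands before running them.

```python
ZONE = """\
$ORIGIN example.com.  ; constructed sample: mail1 and the addresses are assumptions
mail1  3600 IN A     192.0.2.10
mail1  3600 IN AAAA  2001:db8::10
imap        IN CNAME mail1
www         IN CNAME web.hosting.example.net.
"""

def absolute(name, origin):
    """Expand a zone-relative name to a lowercase absolute name (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Map owner name -> [(type, rdata)]; assumes every record names its owner."""
    origin, records = "", {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields or fields[0].startswith("$"):
            if fields and fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            continue
        # Drop the optional TTL and class so rest is [type, rdata, ...].
        rest = [f for f in fields[1:] if f.upper() != "IN" and not f.isdigit()]
        if len(rest) >= 2:
            rdata = absolute(rest[1], origin) if rest[0].upper() == "CNAME" else rest[1]
            records.setdefault(absolute(fields[0], origin), []).append((rest[0].upper(), rdata))
    return records

def canonical_host(name, records):
    """Follow CNAMEs to the owner of A/AAAA records; None if unresolved or looping."""
    name, seen = name.lower().rstrip(".") + ".", set()
    while name not in seen:
        seen.add(name)
        rrs = records.get(name, [])
        if any(rtype in ("A", "AAAA") for rtype, _ in rrs):
            return name.rstrip(".")
        name = next((rdata for rtype, rdata in rrs if rtype == "CNAME"), "")
    return None

def plan(principal, records):
    """Return ipa commands that put the service on the A/AAAA host, not the alias."""
    service, alias = principal.rstrip(".").split("/", 1)
    canon = canonical_host(alias, records)
    if canon is None:
        raise ValueError(f"{alias} has no A/AAAA record in this zone")
    cmds = [f"ipa host-add {canon}", f"ipa service-add {service}/{canon}"]
    if canon != alias.lower():  # alias is a CNAME: let the A host manage it
        cmds += [f"ipa host-add {alias}", f"ipa host-add-managedby {alias} --hosts={canon}"]
    return cmds
```
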
