[Freeipa-devel] One-way trust design

Jan Pazdziora jpazdziora at redhat.com
Tue Mar 3 09:50:57 UTC 2015


On Mon, Feb 23, 2015 at 06:02:53PM +0200, Alexander Bokovoy wrote:
> trust-related functionality would be limited to IPA admins or TDO
> object in LDAP would have to be more accessible. Given that TDO
> credentials can be used to compromise access to our domain, it is not

Could you clarify which domain is the "our" domain?

> advisable to give a wider access to them.
> 
> As a side-effect of reducing exposure of TDO credentials, FreeIPA lost
> ability to establish and use one-way trust to Active Directory. The

"Lost ability" might be confusing -- was removed in 3.1 (?) might be
better.

> purpose of this feature is to regain the one-way trust support, yet
> without giving an elevated access to TDO credentials.

You might also want to either add a note or a link, explaining why
one-way trust is harder than two-way, IOW, why we lost the one-way
ability when we have the two-way one.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
