[Freeipa-devel] One-way trust design

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 3 10:33:19 UTC 2015


On Tue, 03 Mar 2015, Jan Pazdziora wrote:
>On Mon, Feb 23, 2015 at 06:02:53PM +0200, Alexander Bokovoy wrote:
>> trust-related functionality would be limited to IPA admins or the TDO
>> object in LDAP would have to be more accessible. Given that TDO
>> credentials can be used to compromise access to our domain, it is not
>
>Could you clarify which domain is the "our" domain?
>From the SMB perspective the whole IPA realm is a single domain.
>
>> advisable to give a wider access to them.
>>
>> As a side-effect of reducing exposure of TDO credentials, FreeIPA lost
>> ability to establish and use one-way trust to Active Directory. The
>
>"Lost ability" might be confusing -- was removed in 3.1 (?) might be
>better.
We never had it as a feature, so support for that wasn't removed. Rather,
we lost the ability to add that support.


>> purpose of this feature is to regain the one-way trust support, yet
>> without giving an elevated access to TDO credentials.
>
>You might also want to either add a note or a link, explaining why
>one-way trust is harder than two-way, IOW, why we lost the one-way
>ability when we have the two-way one.
I think current text covers it clearly. If you have concrete
suggestions, feel free to edit the wiki, it is not locked down. :)

-- 
/ Alexander Bokovoy