[Freeipa-devel] [DESIGN] IPA client in AD DNS domain

Alexander Bokovoy abokovoy at redhat.com
Tue May 24 07:26:53 UTC 2016


On Tue, 24 May 2016, Petr Spacek wrote:
>>>>> Speaking of certs, should we introduce aliases for host entries to avoid
>>>>> the need of fake hosts?
>>>> These 'fake hosts' are as good as aliases, even better, because they
>>>> allow us to have full control over who can manage them.
>>>
>>> I do not see how this is different from any other object which has managedBy
>>> attribute. It is not a special property of host.
>> We have managedBy handling in hosts and services specifically to allow
>> certificate issuing on behalf of another entity.
>
>I'm still not convinced that 'we historically do it this way' is good enough
>justification for using fake host objects instead of tailored aliases.
I'm not sure it is good to add that. Note that host objects can be used
to provide a lot more than just mere aliases:
 - they can have services associated, with both Kerberos keys and
   certificates
 - they can be used to target HBAC rules against them which will be
   extremely useful when we get Authentication Indicators management
   in place

Having "fake" host objects is also crucial for clustered services.

-- 
/ Alexander Bokovoy



