[Freeipa-devel] [DESIGN] IPA client in AD DNS domain

Simo Sorce simo at redhat.com
Tue May 24 13:26:41 UTC 2016


On Tue, 2016-05-24 at 09:55 +0200, Petr Spacek wrote:
> >> Alternative technical approach is to add aliases to a host's
> >> attribute and use it from there. I suspect that this would be less
> >> flexible and less future-proof.
> > I don't see a need for alias-as-a-property. Instead, I'm interested
> > in having a possibility to have different keys, certificates, etc., on
> > objects used as aliases. This improves security position by splitting
> > the manager and the user of the resource.
> 
> I think that these two are not mutually exclusive.
> 
> a) If you need separate keys (and the headache associated with it) use
> a new host object.

This is what we do today, and we need to keep it that way; we do not
really have a choice, it's how it works: 1 identity, 1 key. Attaching
multiple identities to a single object is just going to cause a lot of
issues, and I do not see any benefit.

> b) If you need to share keys use alias.

No, you need to use a separate identity that just happens to be common
to multiple hosts. Please let's not conflate the "alias" concept with
"additional identity".

> Aliases could have other advantages, e.g. using different DNS checks so
> that the user does not need to use --force just to create the alias.

How ?

> Right now we do not have the (b) option so code needs to use hacks
> like the one you proposed above:
> "we can add this one specifically as an option to existing code to
> just follow managedBy"

This is news to me. I suspect there is a language issue here ?

> This is simply a hack and relies on user not forgetting to add option
> --follow-managed-by (e.g.) when requesting a certificate. Not speaking
> about automated processes requesting certs which would need own
> heuristics to detect when the option should be supplied.

What problem, exactly, are we trying to solve here ?

For certs, if you have multiple identities you should really use SNI,
not try to put all names of the world in one cert. But if you really
want to cobble together a fake identity that uses multiple different
names with the same key, you should do that manually; there is no
automation that can read the admin's mind.

Note that "manually" may simply mean that the admin prepares appropriate
reference attributes on the main object, but it still is a manual
setting of "referrals" somewhere.

> I really do not like these ad-hoc hacks and I'm looking for a
> systematic solution.

Is this just for certs ? Or something else ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
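
The "one identity, one key, select by SNI" arrangement Simo argues for above, as an added example that is not part of this thread and not FreeIPA code: each DNS name gets its own key and its own single-name certificate, the server answers a ClientHello with the identity whose SAN matches the requested server name, and a name it has no identity for is refused rather than served from some other host's key. The host names (web.ipa.example, db.ipa.example, alias.ipa.example) and the self-signed certificates are constructed for the example; in a real deployment the IPA CA would issue the certificates and clients would trust that CA instead of pinning each leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// newIdentity mints a self-signed certificate for exactly one DNS name with its
// own fresh key: one identity, one key. Constructed for this example; a real
// host would get its certificate from the IPA CA.
func newIdentity(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the only name this key may serve
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so a client can pin it as a root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// sniServerConfig answers each ClientHello with the identity whose SAN matches
// the requested server name and refuses names it holds no identity for.
func sniServerConfig(ids ...tls.Certificate) *tls.Config {
	byName := make(map[string]tls.Certificate)
	for _, id := range ids {
		for _, n := range id.Leaf.DNSNames {
			byName[strings.ToLower(n)] = id
		}
	}
	return &tls.Config{
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			id, ok := byName[strings.ToLower(hello.ServerName)]
			if !ok {
				return nil, fmt.Errorf("no identity for SNI %q", hello.ServerName)
			}
			return &id, nil
		},
	}
}

// trustPool is the client's trust store: every identity's self-signed cert.
func trustPool(ids ...tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, id := range ids {
		pool.AddCert(id.Leaf)
	}
	return pool
}

// handshake connects over loopback with the given SNI, verifies the presented
// certificate against roots, and returns the CommonName the server chose.
func handshake(srv *tls.Config, roots *x509.CertPool, serverName string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer c.Close()
		done <- tls.Server(c, srv).Handshake()
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(),
		&tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil {
		ln.Close()
		<-done // the server side fails as well; collect it before returning
		return "", err
	}
	defer client.Close()
	if err := <-done; err != nil {
		return "", err
	}
	return client.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	web, _ := newIdentity("web.ipa.example")
	db, _ := newIdentity("db.ipa.example")
	srv, roots := sniServerConfig(web, db), trustPool(web, db)
	for _, name := range []string{"web.ipa.example", "db.ipa.example", "alias.ipa.example"} {
		cn, err := handshake(srv, roots, name)
		fmt.Printf("SNI %-18s -> served as %q, err: %v\n", name, cn, err)
	}
}
```

Each name resolves to the key that was issued for it and nothing else; the third handshake, for a name the server holds no identity for, fails at the ClientHello instead of being quietly answered with another host's certificate. Adding an alias in this model means issuing another single-name identity (or a properly requested certificate for that name), not reusing a key under a name it was never issued for.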
