freeipa/ipaserver
Alexander Bokovoy 443ecbc29e adtrust: filter out subdomains when defining our topology to AD
When defining a topology of a forest to be visible over a cross-forest
trust, we set *.<forest name> as all-catch top level name already.

This means that all DNS subdomains of the forest will already be matched
by this top level name (TLN). If we add more TLNs for subdomains, Active
Directory will respond with NT_STATUS_INVALID_PARAMETER.

Filter out all subdomains of the forest root domain. All other realm
domains will be added with explicit TLN records.

Also filter out single label domains. These aren't possible to add as
TLNs to Windows Server 2016 as it considers them incorrect. Given that
we do not allow single label domains as part of freeIPA installs, this
is another layer of protection here.

Fixes https://pagure.io/freeipa/issue/6666

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-16 16:43:36 +02:00
..
advise logging: do not log into the root logger 2017-07-14 15:55:59 +02:00
dnssec dnssec: fix localhsm.py utility script 2017-08-30 16:00:23 +02:00
install Support sqlite NSSDB 2017-11-16 12:17:01 +01:00
plugins Fix cert-find for CA-less installations 2017-11-10 10:09:57 +01:00
secrets Support sqlite NSSDB 2017-11-16 12:17:01 +01:00
__init__.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
dcerpc.py adtrust: filter out subdomains when defining our topology to AD 2017-11-16 16:43:36 +02:00
dns_data_management.py DNS update: reduce timeout for CA records 2017-08-30 13:02:59 +02:00
Makefile.am Build: Makefiles for Python packages 2016-11-09 13:08:32 +01:00
p11helper.py py3: softhsm key_id must be bytes 2017-06-01 09:24:24 +02:00
rpcserver.py rpcserver: don't call xmlserver.Command 2017-09-08 15:42:07 +02:00
servroles.py Do not remove the old masters when setting the attribute fails 2017-07-04 14:42:43 +02:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Turn on NSSOCSP check in mod_nss conf 2017-05-10 09:08:34 +02:00
topology.py fix incorrect suffix handling in topology checks 2017-06-05 18:37:37 +02:00