mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-28 09:06:44 -06:00
a14ebbea89
In terms of cross-forest trust, the parent domain is the root domain of the forest because we only have trust established with the forest root. In the FreeIPA LDAP store all sub-domains are stored in the cn=<forest root>, cn=ad,cn=trusts,... subtree. Thus, the first RDN after cn=ad is the forest root domain. This allows us to simplify the logic of finding the parent domain. For complex hierarchical forests with more than two levels of sub-domains, this will still be true because of the forest trust: as forest trust is established to the forest root domain, any communication to any sub-domain must traverse the forest root domain's domain controller. Note that SSSD also incorrectly generated CA paths information for forests with non-hierarchical tree-roots. In such cases IPA KDC got confused and mistakenly assumed direct trust to the non-hierarchical tree-root instead of going through the forest root domain. See https://fedorahosted.org/sssd/ticket/3103 for details. Resolves: https://fedorahosted.org/freeipa/ticket/5738 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> |
||
---|---|---|
tests | ||
ipa_kdb_audit_as.c | ||
ipa_kdb_common.c | ||
ipa_kdb_delegation.c | ||
ipa_kdb_mkey.c | ||
ipa_kdb_mspac_private.h | ||
ipa_kdb_mspac.c | ||
ipa_kdb_passwords.c | ||
ipa_kdb_principals.c | ||
ipa_kdb_pwdpolicy.c | ||
ipa_kdb.c | ||
ipa_kdb.exports | ||
ipa_kdb.h | ||
Makefile.am | ||
README | ||
README.s4u2proxy.txt |
This is the ipa krb5kdc database backend.