On Wed, 16 Oct 2019, Sven Ludwig via FreeIPA-users wrote:
>Hi @audience,
>
>I'd like to ask if there is a chance to continue using single-label
>domains with FreeIPA. We learned the hard way that this feature was
>restricted from use. It cannot be bypassed by any command line option. I
>found that this all comes down to a check in ipalib/util.py, which
>now counts the number of tokens in a list split by dots.
>
>It's easy to patch, but I am asking myself what the reason is to disallow
>this without being able to override it on the command line?
>
>Are there any further problems with using single-label domains
>currently or in the future?
There are problems when using a forest trust to Active Directory. AD
simply doesn't support single-label domains anymore.
The real problem is that you might not know whether you would need to
integrate with AD at the time IPA is deployed. The realm cannot be changed
afterwards, so if you're stuck with a single-label domain, you're stuck
forever. With no reasonable migration path to export all data, including
hashed keys for Kerberos principals, to a different deployment (with a
different realm), you would block yourself forever.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
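The check Sven describes (split the domain on dots and count the labels) is easy to picture; the example below is an added illustration written for this page, not the code from FreeIPA's ipalib/util.py. It reimplements the idea as a small validator that rejects single-label domains, adds the DNS label rules a practitioner would expect around it, and shows what an opt-in override would look like. The function names, the `allow_single_label` parameter and the sample domains are all assumptions made for the example.

```python
import re

# Hypothetical reimplementation of a "no single-label domain" check, written
# for this page. It is NOT FreeIPA's ipalib/util.py; it only mirrors the
# behaviour described in the thread (split on dots, count the labels) and
# adds the usual DNS label constraints around it.

# A DNS label: 1-63 characters, letters/digits/hyphen, no leading or
# trailing hyphen (the "LDH" rule).
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def domain_labels(domain):
    """Normalise a domain name and return its list of labels.

    Case is folded and a trailing dot is stripped, so 'Example.Test.' and
    'example.test' are treated the same. Empty labels ('a..b'), labels
    breaking the LDH rule, and names over 253 characters raise ValueError.
    """
    name = domain.strip().lower().rstrip(".")
    if not name:
        raise ValueError("empty domain name")
    if len(name) > 253:
        raise ValueError("domain name longer than 253 characters")
    labels = name.split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError("invalid DNS label: %r" % label)
    return labels


def is_single_label(domain):
    """True when the name has only one label, e.g. 'CORP' or 'corp.'."""
    return len(domain_labels(domain)) < 2


def validate_domain(domain, allow_single_label=False):
    """Return the normalised domain, or raise ValueError.

    allow_single_label is a hypothetical override flag for this example;
    the thread notes that FreeIPA offers no such command line option.
    """
    labels = domain_labels(domain)
    if len(labels) < 2 and not allow_single_label:
        raise ValueError(
            "single-label domain %r is not allowed: the realm cannot be "
            "changed later and an AD forest trust would not work" % domain)
    return ".".join(labels)


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for candidate in ("ipa.example.test", "IPA.Example.Test.", "corp", "-bad.test"):
        try:
            print("%-20s -> accepted as %s" % (candidate, validate_domain(candidate)))
        except ValueError as exc:
            print("%-20s -> rejected: %s" % (candidate, exc))
```

The point of putting the label count behind a normalisation step is that a trailing dot or mixed case should not change the verdict: `corp.` is still a single-label domain, and `IPA.Example.Test.` is the same realm candidate as `ipa.example.test`.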