'ipa-ca' DNS record - where used? - FreeIPA-users - Fedora mailing-lists

List overview All Threads
Download

'ipa-ca' DNS record - where used?

ldapsearch for AD users via FreeIPA

spake_preauth_groups

Dmitry Perets

2 Sep 2019 2 Sep '19

9:58 a.m.

Hi,

I know of one usage - all the IPA ansible modules (ipa_*) query for 'ipa-ca' record to find the IPA server. But for other cases - looks like IPA clients mostly rely on entries like '_kerberos.*' and '_ldap.*'...

What other functionality uses 'ipa-ca' record? Thanks.

--- Regards, Dmitry Perets

Reply

Show replies by date

Florence Blanc-Renaud

2 Sep 2 Sep

10:54 a.m.

On 9/2/19 4:58 PM, Dmitry Perets via FreeIPA-users wrote:

Hi,

I know of one usage - all the IPA ansible modules (ipa_*) query for 'ipa-ca' record to find the IPA server. But for other cases - looks like IPA clients mostly rely on entries like '_kerberos.*' and '_ldap.*'...

What other functionality uses 'ipa-ca' record?

Hi,

Certificates are issued from IPA CA with the OCSP responder URI http://ipa-ca.$DOMAIN/ca/ocsp and CRL distribution point http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin (these are set in the certificate extensions).

flo

Thanks.

Regards, Dmitry Perets _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Reply

Dmitry Perets

11:01 a.m.

Certificates are issued from IPA CA with the OCSP responder URI http://ipa-ca.$DOMAIN/ca/ocsp and CRL distribution point http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin (these are set in the certificate extensions).

flo

Thanks! Does it have to be an IPA server with CA? What if it doesn't have CA component - will it forward the request to one of the IPA servers with CA?

Reply

Alexander Bokovoy

2:08 p.m.

On Mon, 02 Sep 2019, Dmitry Perets via FreeIPA-users wrote:

...
Certificates are issued from IPA CA with the OCSP responder URI http://ipa-ca.$DOMAIN/ca/ocsp and CRL distribution point http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin (these are set in the certificate extensions).

flo

Thanks! Does it have to be an IPA server with CA? What if it doesn't have CA component - will it forward the request to one of the IPA servers with CA?

It has to be CA component server. That's why we have ipa-ca -- it is an entry that is managed to have only IP addresses of CA servers. Technically, something else could front it but there are other issues with this approach.

In past we tried to use CNAME to point to CA master but it didn't work for HTTP end-points.

-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

Reply

1699

Age (days ago)

1699

Last active (days ago)

freeipa-users@lists.fedorahosted.org

3 comments

3 participants

tags (0)

participants (3)

Alexander Bokovoy
Dmitry Perets
Florence Blanc-Renaud