Allow for Windows PKI operations to target a different domain#33218

Merged
zmb3 merged 1 commit into master from zmb3/pki-domain-2
Oct 10, 2023
Conversation

@zmb3 zmb3 commented Oct 10, 2023

Today, our AD support largely assumes there is a single Active Directory domain. The certificates that we generate are for users in this domain, the computers we discover via LDAP come from this domain, and the PKI setup we perform targets this domain.

In more complicated AD configurations, PKI is often configured in a root domain, while users, servers, and discovery should be done against a child domain.

The new pki_domain configuration field will allow you to override the default domain specified in the ldap section with a root domain that is used for configuring the NTAuth store and publishing the CRL. Teleport continues to do discovery and issue certificates for the domain specified in the ldap section of the config.
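The following configuration is an added illustration of the split the description refers to; it is not taken from the PR or from the Teleport project's own documentation. The domain names and hostnames are constructed, and the placement of pki_domain directly under windows_desktop_service (alongside the ldap section) is assumed from the description rather than checked against the shipped configuration reference.

```yaml
# Added example (not from the PR). Domain names are constructed.
windows_desktop_service:
  enabled: yes
  ldap:
    # Child domain: the LDAP section keeps its existing meaning.
    # User certificates are issued for this domain and computer
    # discovery enumerates this domain.
    addr: dc01.corp.example.com:636
    domain: corp.example.com
    username: 'CORP\svc-teleport'
  # Root domain of the forest. The NTAuth store and CRL publishing are
  # directed here instead of at corp.example.com. Omitting this field
  # keeps the previous behaviour: all PKI operations target ldap.domain.
  # (Placement of this key under windows_desktop_service is assumed.)
  pki_domain: example.com
```

When reviewing such a deployment, the thing to confirm is that the account in the ldap section only needs the rights the child domain grants it, while the PKI objects (NTAuth entries and the published CRL) end up in the root domain named by pki_domain; a configuration that leaves pki_domain unset in a parent/child forest will attempt the PKI setup against the child domain, which is the situation this change is meant to avoid.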

@ibeckermayer ibeckermayer left a comment

Worthy of a docs update?

zmb3 commented Oct 10, 2023

Worthy of a docs update?

Yep, 100%. Will do it separately.

@zmb3 zmb3 requested review from rosstimothy and removed request for hugoShaka October 10, 2023 18:46
Comment thread lib/srv/desktop/windows_server.go Outdated
@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from gzdunek October 10, 2023 19:23
Today, our AD support largely assumes there is a single Active Directory
domain. The certificates that we generate are for users in this domain,
the computers we discover via LDAP come from this domain, and the PKI
setup we perform targets this domain.

In more complicated AD configurations, PKI is often configured in a root
domain, while users, servers, and discovery should be done against a
child domain.

The new pki_domain configuration field will allow you to override the
default domain specified in the ldap section with a root domain that is
used for configuring the NTAuth store and publishing the CRL. Teleport
continues to do discovery and issue certificates for the domain
specified in the ldap section of the config.
@zmb3 zmb3 force-pushed the zmb3/pki-domain-2 branch from 0f5ebd8 to 4b73fb0 Compare October 10, 2023 22:05
@zmb3 zmb3 enabled auto-merge October 10, 2023 22:05
@zmb3 zmb3 added this pull request to the merge queue Oct 10, 2023
Merged via the queue into master with commit d30c5fa Oct 10, 2023
@zmb3 zmb3 deleted the zmb3/pki-domain-2 branch October 10, 2023 22:40
@public-teleport-github-review-bot
@zmb3 See the table below for backport results.

Branch Result
branch/v12 Failed
branch/v13 Create PR
branch/v14 Create PR

zmb3 added a commit that referenced this pull request Oct 11, 2023
github-merge-queue Bot pushed a commit that referenced this pull request Oct 11, 2023
github-actions Bot pushed a commit that referenced this pull request Oct 11, 2023
github-actions Bot pushed a commit that referenced this pull request Oct 11, 2023
zmb3 added a commit that referenced this pull request Oct 11, 2023
github-merge-queue Bot pushed a commit that referenced this pull request Oct 19, 2023
github-merge-queue Bot pushed a commit that referenced this pull request Oct 19, 2023
github-merge-queue Bot pushed a commit that referenced this pull request Oct 19, 2023