docs: mention support for multiple AD domains#33273
Merged
Conversation
github-actions
Bot
requested review from
lsgunn-teleport,
ptgott,
r0mant and
xinding33
Contributor
|
🤖 Vercel preview here: https://docs-mtvext55i-goteleport.vercel.app/docs/ver/preview |
zmb3
commented
Oct 10, 2023
Collaborator
Author
There was a problem hiding this comment.
Reminder to self: it probably makes sense to mention the version that this will be released in.
Comment on lines
691
to
696
Contributor
There was a problem hiding this comment.
you can configure Teleport to perform PKI operations against a different domain.
must reside in the same domain.
These two appear to contradict each other, consider whether there's a different and/or more precise way to word this.
Collaborator
Author
There was a problem hiding this comment.
The users must be in the same domain as the computers. The PKI set up can be in a different domain. Open to suggestions for alternative ways to phrase it.
Contributor
There was a problem hiding this comment.
Suggested change
| If you have multiple domains with a trust relationship between them, you can | |
| configure Teleport to perform PKI operations against a different domain. | |
| In order for this to work, the hosts that you want to connect to and the AD | |
| users that you want to connect as must reside in the same domain. | |
| Alternatively, if you have a pair of domains A and B with a trust relationship between them, you can | |
| configure Teleport to perform PKI operations against domain A for users/hosts in domain B. | |
| <Admonition type="warning" title="Supported Configuration"> | |
| In order for this to work, the hosts that you want to connect to and the | |
| users that you want to connect as must reside in the same domain. Other | |
| configurations are not currently supported. | |
| </Admonition> |
Collaborator
Author
There was a problem hiding this comment.
@ptgott what say you? I try to avoid fancy components and extra flair in favor of plain old text. Is this important enough to highlight?
Contributor
There was a problem hiding this comment.
I think this particular passage works just fine without the Admonition. The second paragraph flows naturally from the first, so (at least theoretically) users should move from the first paragraph to the second without the need for a box.
Contributor
There was a problem hiding this comment.
Suggested change
| domain's group policy and add the certificate to the NTAuth store as listed above. | |
| domain's group policy and add the certificate to the NTAuth store as described in the [section above](#publish-the-teleport-ca-to-the-ntauth-store). |
ptgott
approved these changes
Oct 11, 2023
Contributor
ptgott
left a comment
ptgott
left a comment
There was a problem hiding this comment.
Approved with minor suggestions
zmb3
force-pushed
the
zmb3/docs-multi-domain
branch
from
42a54f3 to
6563d19
Compare
ibeckermayer
approved these changes
Oct 11, 2023
Contributor
|
🤖 Vercel preview here: https://docs-q46w0pugb-goteleport.vercel.app/docs/ver/preview |
zmb3
force-pushed
the
zmb3/docs-multi-domain
branch
from
6563d19 to
92d0b78
Compare
Contributor
|
🤖 Vercel preview here: https://docs-7jpmh96qi-goteleport.vercel.app/docs/ver/preview |
zmb3
force-pushed
the
zmb3/docs-multi-domain
branch
from
92d0b78 to
56abf6f
Compare
Contributor
|
🤖 Vercel preview here: https://docs-qlxycl3rp-goteleport.vercel.app/docs/ver/preview |
zmb3
force-pushed
the
zmb3/docs-multi-domain
branch
from
56abf6f to
7db433e
Compare
Contributor
|
🤖 Vercel preview here: https://docs-nbe1a5hy5-goteleport.vercel.app/docs/ver/preview |
This documents the changes in #33218
zmb3
force-pushed
the
zmb3/docs-multi-domain
branch
from
7db433e to
7eaeed6
Compare
Contributor
|
🤖 Vercel preview here: https://docs-m0qcqs6pj-goteleport.vercel.app/docs/ver/preview |
This was referenced Oct 11, 2023
zmb3
added a commit
that referenced
this pull request
Oct 11, 2023
This documents the changes in #33218
ibeckermayer
pushed a commit
that referenced
this pull request
Jan 10, 2024
zmb3
pushed a commit
that referenced
this pull request
Jan 12, 2024
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jan 13, 2024
* Refactor desktop player Adopt an approach similar to the SSH player (more standard react calls and less event emitting). This also updates the progress bar to be more of a "dumb" component that just renders state, and leaves the smoothing out of progress updates to the client. In addition, this adds support for seeking by dragging the progress bar to a particular portion of the video. Fixes #17199 * Prevents EOF from being reported as a tdp.Notification error at the end of every session * Removes duplicated code, handles errors in handleRDPFastPathPDU, ensures we always spit out some message if an error notification pops up in the UI * Add dynamic/ prefix to server info labels (#36219) This change: - Adds the dynamic/ prefix to labels from a server_info resource created with tctl - Forbids labels with the dynamic/ prefix form being used in deny rules for new roles. Existing roles will generate warnings in tctl as well as a cluster alert. * Address deprecation TODOs for or before v15. (#36473) * Convert insecure-drop to drop for unsupported clients (#35803) This change converts the insecure-drop host user creation mode to drop for clients that don't support it. * discovery: remove update if discovery group differs (#36472) * discovery: remove update if discovery group differs This PR removes code marked to be removed in Teleport 15 that updated unconditionally kubernetes and databases that were discovered using a different discovery group. Until this PR, if the `onCreate` function returned `trace.AlreadyExists` error, the resource ended up being updated without any condition. After this PR, the resource is only updated if the existing resource has an empty discovery group. This behavior is kept to ensure that users that migrate from bad configs don't need to delete resources manually. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> * Update discovery.go Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * handle code review suggestions --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * Refactor Kubernetes Exec sessions upgrade logic (#36325) * Refactor Kubernetes Exec sessions upgrade logic Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> * handle code review suggestions * Update lib/kube/proxy/forwarder.go Co-authored-by: Anton Miniailo <anton@goteleport.com> * Update lib/kube/proxy/forwarder.go Co-authored-by: Anton Miniailo <anton@goteleport.com> * handle code review suggestions --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> Co-authored-by: Anton Miniailo <anton@goteleport.com> * Deduplicate yarn.lock (#36560) * Deduplicate yarn.lock * Fix types in ProgressBar * docs: updates to tsh connect your client (#36526) * docs: updates to tsh connect your client * remove extra dash * Add backend code for listing EKS clusters through AWS OIDC integration. (#36489) * Add backend code for listing EKS clusters through AWS OIDC integration. * Remove leftover commented code. Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com> * Add godoc. * Remove unneeded intialization of a parameter. * Reduce nesting. * Rename ExtraLabels to JoinLabels. --------- Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com> * Update devbox. (#36193) * Update AWS account ID used in `update-ami-ids` GHA workflow (#36556) PR #36153 updated the AWS account ID used for pulling AMIs, but the GHA workflow was not updated to use this updated AWS account ID. Ref #34282. * Fix accesslist `tctl` (#36531) * Support unmarshalling accesslists manifests wihtout next_audit_date * Support `tctl get access_lists` * Fix accesslist reference * accountrecovery.go: Unconditionally delete the token after use (#36527) A previous conditional was allowing a replay attack on the recovery process. Although discovery of this token is a high bar for an attacker, we should be able to unconditionally delete this token after it's used. * Add app gateways to Connect (#36393) * Allow creating app gateways in tshd * Add UI for document gateway app * Show apps in connections This is a copy & paste from other connection kinds. * Capture app protocol * Start app proxy when clicking on 'Connect' in app * Remove `removeAppGateway` * `appUri` -> `targetUri` * Add TCP and HTTP constants * Add CLI command for HTTP apps * Add `makeAppGateway` * Specify `handleChangePort` dependencies correctly * Remove `doc.gateway_app` and `connection.app`, instead differentiate gateways by URI * Correctly report protocol usage * Mention that AWS apps are supported in tsh * Rename constants and add godoc * Add a TODO comment about dialogs for connecting to unsupported apps * `onRun` -> `onButtonClick`, `runButtonText` -> `buttonText` * Show a notification after copying to clipboard * Make the message about unsupported gateways more precise * Revert mistakenly removed `document.targetUri` from `getResourceUri` * Remove 'Local app proxy' header * Post-merge fixes * Use proper component for the 'offline gateway' state * Support all gateway types in relogin UI * Fix JSdoc comment * Add a TODO comment about the docs link --------- Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> * Allow configuration of Okta access list importing. (#36569) Configuration options for enabling/disabling Okta access list importing have been added. This defaults to false. This has been added to both to Okta plugin settings and the standalone Okta service. Co-authored-by: Trent Clarke <trent@goteleport.com> * Fix example mysql grant all command (#36519) Fixing example mysql grant all command, because current one fails with `ERROR 1102 (42000): Incorrect database name ' % '` because of extra spaces around `%` * lib/teleterm app access: Add middleware for handling expired certs (#36520) * Add middleware for app gateways * Accommodate for app gateways in integration tests The previous version of tests depended on receiving helpers.TeleInstance from higher up. It was then used to generate valid and expired user certs, as well as to get client.TeleportClient. proxy.Suite (Kube tests) and dbhelpers.DatabasePack (db tests) expose helpers.TeleInstance so it wasn't a problem. However, appaccess.Pack, which we're going to use for app access tests, does not expose it. To work around that, we introduce two new fields to gatewayCertRenewalParams, tc (which accepts client.TeleportClient) and generateAndSetupUserCreds. These two fields get rid of the dependency on helpers.TeleInstance. * Add integration tests for app gateways * Switch to the new account settings screen (#36525) * Migrate `RotateCertAuthority` to gRPC (#36536) * Add RotateCertAuthority to gRPC TrustService. * Add gRPC server implementation. * Move RotateRequest type to api/types. * Mark deprecated HTTP rotate endpoint for deletion. * Add client implemenation and HTTP fallback. * Update go-oidc to get final go-jose v2 -> v3 updates (#36514) * Update go-oidc to get final go-jose v2 updates This updates our replaced go-oidc fork to use a tag with go-jose updated to v3: gravitational/go-oidc#19 This update removes the final usage of v2, and fully addresses the GHSA-2c7c-3mj9-8fqh DoS. * Update gopkg.in/go-jose/go-jose.v2 to 2.6.2 to get p2c DoS fix * Add ClusterDropdown component (#36310) This replaces the current ClusterSelector in the TopBar and adds the functionality to ClusterDropdown component on relevant pages * fix: Verify MFA device locks during authentication (#36471) * Test authn and password change with a locked user * Verify MFA device locks during authentication * Configure a LockWatcher in the passwordSuite setup * Appease linter * Update Toggle component styles (#36535) * Reintroduces the changes in #33273 which were erroneously deleted in #33273 (#36538) * Route to server by public addr (#36584) This change fixes a bug where tsh ssh could not dial a node with its public address. * Add EKS Discover into web testplan. (#36578) * Remove unused static token endpoints. (#36545) * Ensure player finishes at 100% * Fix style for disabled progress bar * Remove unused file * fix import order --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com> Co-authored-by: Andrew Burke <31974658+atburke@users.noreply.github.com> Co-authored-by: Brian Joerger <bjoerger@goteleport.com> Co-authored-by: Tiago Silva <tiago.silva@goteleport.com> Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> Co-authored-by: Anton Miniailo <anton@goteleport.com> Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: Steven Martin <steven@goteleport.com> Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com> Co-authored-by: Michael Wilson <mike@mdwn.dev> Co-authored-by: Reed Loden <reed@goteleport.com> Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com> Co-authored-by: Mike Jensen <jentfoo@users.noreply.github.com> Co-authored-by: Grzegorz Zdunek <gzdunek@users.noreply.github.com> Co-authored-by: Trent Clarke <trent@goteleport.com> Co-authored-by: Taras <9948629+taraspos@users.noreply.github.com> Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com> Co-authored-by: Michael <michael.myers@goteleport.com> Co-authored-by: Alan Parra <alan.parra@goteleport.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This documents the changes in #33218