I have written up the high-level details of the FreeIPA->Dogtag
GSS-API authentication design. The goal is to improve security by
removing an egregious privilege separation violation: the RA Agent
There is a fair bit of work still to do on the Dogtag side but
things are shaping up there and it's time to work out the IPA
aspects. The design is at:
Right now, I need feedback about the Domain Level aspects: whether
it is the right approach, whether there are mechanisms to perform
update steps (specifically: LDAP updates and/or API calls) alongside
a DL bump, or if there aren't, how to deal with that (implement such
a mechanism, make admins do extra steps, ???).
Of course, any other general or specific feedback is welcome.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code