Hi comrades,

I have written up the high-level details of the FreeIPA->Dogtag
GSS-API authentication design.  The goal is improve security by
removing an egregious privilege separation violation: the RA Agent

There is a fair bit of work still to do on the Dogtag side but
things are shaping up there and it's time to work out the IPA
aspects.  The design is at:


Right now, I need feedback about the Domain Level aspects: whether
it is the right approach, whether there are mechanisms to perform
update steps (specifically: LDAP updates and/or api calls) alongside
a DL bump, or if there aren't, how to deal with that (implement such
a mechanism, make admins do extra steps, ???).

Of course, any other general or specific feedback is welcome.


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to