Hi, I'm a FreeIPA user for years now and i'm happy with this tool, but I've some 'little' RFEs to suggest to enhance automation and usability:
1) Cross FreeIPA domain trust. Example use case: As an user, i'm part of the FOO.EXAMPLE.COM FreeIPA domain and i want to connect to some hosts in BAR.EXAMPLE.COM FreeIPA. 2) PKI subordinate CA support. Example use case: In the Example.com company, we use certificate authentication for cross services authentication or user authentication. I want, for example to allow only a group of source services (or users) to connect to a target service. On the target service, i filter client certificates by providing the subordinate CA as the trusted CA. 3) "autoservice rules", Ability to create rules to automatically create services on the host that match the rule, like automember rules for host groups. Example use cases: * When you create a bunch of 'clone' servers that use kerberos for authentication like kerberized webservers, you don't have to add each to 'webserversX' group because you can have an automember rule that automaticaly add them to the good hostgroup, but you must manually add 'http' service on each. This "autoservice rules" will be nice to make some HBAC rules work out of the box. For example the HBAC rule that said "Some user(s)/usergroup(s) are allowed to connect to 'webserversX' hostgroup members on 'http' service" * Puppet/Foreman integration: Use the FreeIPA pki with autosign functionality for puppet agents. When you create an host via foreman proxy, it will create the host in FreeIPA but if you want to use the FreeIPA PKI for puppet, you must manually add puppet service on your host, and then get the certificate. Any comments ? Have a nice day. Regards. Baptiste. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
