I'm a FreeIPA user for years now and i'm happy with this tool, but I've some 
'little' RFEs to suggest to enhance automation and usability:

1) Cross FreeIPA domain trust. 
Example use case: 
As an user, i'm part of the FOO.EXAMPLE.COM FreeIPA domain and i want to 
connect to some hosts in BAR.EXAMPLE.COM FreeIPA.

2) PKI subordinate CA support. 
Example use case: 
In the Example.com company, we use certificate authentication for cross 
services authentication or user authentication. I want, for example to allow 
only a group of source services (or users) to connect to a target service. On 
the target service, i filter client certificates by providing the subordinate 
CA as the trusted CA.

3) "autoservice rules", Ability to create rules to automatically create 
services on the host that match the rule, like automember rules for host 
groups. Example use cases:
  * When you create a bunch of 'clone' servers that use kerberos for 
authentication like kerberized webservers, you don't have to add each to 
'webserversX' group because you can have an automember rule that automaticaly 
add them to the good hostgroup, but you must manually add 'http' service on 
each. This "autoservice rules" will be nice to make some HBAC rules work out of 
the box. For example the HBAC rule that said "Some user(s)/usergroup(s) are 
allowed to connect to 'webserversX' hostgroup members on 'http' service"
  * Puppet/Foreman integration: Use the FreeIPA pki with autosign functionality 
for puppet agents. When you create an host via foreman proxy, it will create 
the host in FreeIPA but if you want to use the FreeIPA PKI for puppet, you must 
manually add puppet service on your host, and then get the certificate.

Any comments ?

Have a nice day.



Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to