I'm a FreeIPA user for years now and i'm happy with this tool, but I've some
'little' RFEs to suggest to enhance automation and usability:
1) Cross FreeIPA domain trust.
Example use case:
As an user, i'm part of the FOO.EXAMPLE.COM FreeIPA domain and i want to
connect to some hosts in BAR.EXAMPLE.COM FreeIPA.
2) PKI subordinate CA support.
Example use case:
In the Example.com company, we use certificate authentication for cross
services authentication or user authentication. I want, for example to allow
only a group of source services (or users) to connect to a target service. On
the target service, i filter client certificates by providing the subordinate
CA as the trusted CA.
3) "autoservice rules", Ability to create rules to automatically create
services on the host that match the rule, like automember rules for host
groups. Example use cases:
* When you create a bunch of 'clone' servers that use kerberos for
authentication like kerberized webservers, you don't have to add each to
'webserversX' group because you can have an automember rule that automaticaly
add them to the good hostgroup, but you must manually add 'http' service on
each. This "autoservice rules" will be nice to make some HBAC rules work out of
the box. For example the HBAC rule that said "Some user(s)/usergroup(s) are
allowed to connect to 'webserversX' hostgroup members on 'http' service"
* Puppet/Foreman integration: Use the FreeIPA pki with autosign functionality
for puppet agents. When you create an host via foreman proxy, it will create
the host in FreeIPA but if you want to use the FreeIPA PKI for puppet, you must
manually add puppet service on your host, and then get the certificate.
Any comments ?
Have a nice day.
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project