On Thu, 22 Jan 2015 16:37:47 +0100 (CET)
Baptiste Agasse <baptiste.aga...@lyra-network.com> wrote:
Thank you for the ideas.
I'll address each inline.
> I'm a FreeIPA user for years now and i'm happy with this tool, but
> I've some 'little' RFEs to suggest to enhance automation and
> 1) Cross FreeIPA domain trust.
> Example use case:
> As a user, I am part of the FOO.EXAMPLE.COM FreeIPA domain and I want
> to connect to some hosts in the BAR.EXAMPLE.COM FreeIPA domain.
This is something we are planning to do, but it will take some time.
> 2) PKI subordinate CA support.
> Example use case:
> In the Example.com company, we use certificate authentication for
> cross-service authentication or user authentication. I want, for
> example, to allow only a group of source services (or users) to
> connect to a target service. On the target service, I filter client
> certificates by providing the subordinate CA as the trusted CA.
I think this is what you are asking:
Does it meet your expectations?
> 3) "Autoservice rules": the ability to create rules that automatically
> create services on the hosts that match the rule, like automember
> rules for host groups. Example use cases:
> * When you create a bunch of 'clone' servers that use Kerberos for
> authentication, like Kerberized web servers, you don't have to add each
> to the 'webserversX' group because you can have an automember rule that
> automatically adds them to the right hostgroup, but you must manually
> add the 'http' service on each. These "autoservice rules" would be nice to
> make some HBAC rules work out of the box, for example the HBAC rule
> that says "Some user(s)/usergroup(s) are allowed to connect to
> 'webserversX' hostgroup members on the 'http' service".
> * Puppet/Foreman integration: use the FreeIPA PKI with the autosign
> functionality for Puppet agents. When you create a host via the Foreman
> proxy, it will create the host in FreeIPA, but if you want to use the
> FreeIPA PKI for Puppet, you must manually add the puppet service to your
> host and then get the certificate.
This is something that has come up once before, but I do not think we
have a ticket; it would be nice if you could open an RFE ticket with
> Any comments?
Simo Sorce * Red Hat, Inc * New York
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
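As an added illustration of the "autoservice rule" idea in point 3 of the quoted mail (example code written for this page, not FreeIPA's own code and not anything posted in the thread): a small offline Python script that applies automember-style regex rules to a host list, derives the Kerberos service principals each matching hostgroup should carry, and prints the `ipa service-add` commands for the principals that do not exist yet. The realm, hostnames, regexes, the hostgroup names and the "puppet" service type are constructed assumptions; `ipa service-add <principal>` is the real FreeIPA CLI command, but the script only prints it and never contacts a server.

```python
import re
from dataclasses import dataclass

# Assumed realm for the constructed example (not from the thread).
REALM = "FOO.EXAMPLE.COM"


@dataclass(frozen=True)
class AutomemberRule:
    """Automember-style rule: hosts whose FQDN matches the regex join the hostgroup."""
    hostgroup: str
    fqdn_regex: str


@dataclass(frozen=True)
class AutoserviceRule:
    """Hypothetical 'autoservice rule': every member of the hostgroup gets
    these Kerberos service types (the part before '/' in the principal)."""
    hostgroup: str
    services: tuple


# Constructed sample data (assumed names, not from the thread).
AUTOMEMBER_RULES = (
    AutomemberRule("webservers", r"^web\d+\.foo\.example\.com$"),
    AutomemberRule("puppet-agents", r"\.foo\.example\.com$"),  # every host in the realm
)
AUTOSERVICE_RULES = (
    AutoserviceRule("webservers", ("HTTP",)),       # Kerberized web servers need HTTP/<fqdn>
    AutoserviceRule("puppet-agents", ("puppet",)),  # assumed service type for Puppet agents
)
HOSTS = ("web01.foo.example.com", "web02.foo.example.com", "db01.foo.example.com")
# Principals that already exist; web01 was enrolled by hand.
EXISTING_SERVICES = frozenset({"HTTP/web01.foo.example.com@FOO.EXAMPLE.COM"})


def hostgroups_for(fqdn, automember_rules=AUTOMEMBER_RULES):
    """Hostgroups an automember evaluation would place this host in."""
    return {r.hostgroup for r in automember_rules if re.search(r.fqdn_regex, fqdn)}


def principals_for(fqdn, automember_rules=AUTOMEMBER_RULES,
                   autoservice_rules=AUTOSERVICE_RULES, realm=REALM):
    """Service principals the autoservice rules imply for one host, sorted."""
    groups = hostgroups_for(fqdn, automember_rules)
    return sorted(
        f"{svc}/{fqdn}@{realm}"
        for rule in autoservice_rules if rule.hostgroup in groups
        for svc in rule.services
    )


def plan_commands(hosts=HOSTS, existing=EXISTING_SERVICES,
                  automember_rules=AUTOMEMBER_RULES,
                  autoservice_rules=AUTOSERVICE_RULES, realm=REALM):
    """Idempotent reconciliation: one `ipa service-add` per missing principal."""
    return [
        f"ipa service-add {p}"
        for fqdn in hosts
        for p in principals_for(fqdn, automember_rules, autoservice_rules, realm)
        if p not in existing
    ]


if __name__ == "__main__":
    for cmd in plan_commands():
        print(cmd)
```

Because it only emits commands for principals that are missing, the script is safe to rerun from a cron job or a Foreman hook, with its output fed to a shell that holds an admin Kerberos ticket. Creating the service principal is not the same as issuing its certificate: requesting the certificate (for example with `ipa-getcert request -K <principal>` on the host) is still a separate per-host step, which is exactly the manual work the RFE asks to automate.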