On Thu, 22 Jan 2015 16:37:47 +0100 (CET)
Baptiste Agasse <baptiste.aga...@lyra-network.com> wrote:

> Hi,

Hi Baptiste,
thank you for the ideas.
I'll address each inline.
> I've been a FreeIPA user for years now and I'm happy with this tool, but
> I have some 'little' RFEs to suggest to enhance automation and
> usability:
> 1) Cross FreeIPA domain trust. 
> Example use case: 
> As a user, I'm part of the FOO.EXAMPLE.COM FreeIPA domain and I want
> to connect to some hosts in BAR.EXAMPLE.COM FreeIPA.

This is something we are planning to do, but it will take some time.

> 2) PKI subordinate CA support. 
> Example use case: 
> In the Example.com company, we use certificate authentication for
> cross-service authentication or user authentication. I want, for
> example, to allow only a group of source services (or users) to
> connect to a target service. On the target service, I filter client
> certificates by providing the subordinate CA as the trusted CA.

I think this is what you are asking:

Does it meet your expectations?

> 3) "autoservice rules", Ability to create rules to automatically
> create services on the host that match the rule, like automember
> rules for host groups. Example use cases:
>   * When you create a bunch of 'clone' servers that use Kerberos for
> authentication, like kerberized webservers, you don't have to add each
> to the 'webserversX' group because you can have an automember rule that
> automatically adds them to the right hostgroup, but you must manually
> add the 'http' service on each. These "autoservice rules" would be nice
> for making some HBAC rules work out of the box. For example the HBAC rule
> that says "Some user(s)/usergroup(s) are allowed to connect to
> 'webserversX' hostgroup members on the 'http' service".
>   * Puppet/Foreman integration: Use the FreeIPA PKI with autosign
> functionality for puppet agents. When you create a host via the Foreman
> proxy, it will create the host in FreeIPA, but if you want to use the
> FreeIPA PKI for puppet, you must manually add the puppet service on your
> host and then get the certificate.

This is something that has come up once before, but I do not think we
have a ticket; it would be nice if you could open an RFE ticket with
this text.

> Any comments ?

Good ideas,
Thank you.


Simo Sorce * Red Hat, Inc * New York
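On the subordinate-CA use case in item 2, an added example that is not part of the thread and not FreeIPA code: it builds a throwaway hierarchy with openssl (root, a sub-CA under it, one service cert from the sub-CA and one issued directly by the root, all names made up) and checks what "trust only the sub-CA" actually does on the target service. The point a practitioner should know: with only the sub-CA in the trust store, OpenSSL accepts the sub-CA's certs only when the verifier is allowed to use a non-self-signed trust anchor (`-partial_chain`, OpenSSL 1.0.2 or later); a verifier that insists on a self-signed root rejects even the legitimate client, and putting the root in the store instead would also accept certs the root or any sibling sub-CA issued.

```shell
#!/bin/bash
# Added example, not from the thread or from FreeIPA: does "trust only the
# subordinate CA" restrict clients to certs the sub-CA issued? All names
# (Example Root, Services Sub CA, svc-a/svc-b) are made up.
set -euo pipefail

# issue_leaf CN ISSUER OUT: end-entity cert for CN signed by ISSUER.{pem,key}
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -out "$3" 2>/dev/null
}

# Throwaway hierarchy in a temp dir:
#   root -> Services Sub CA -> svc-a   (the certs we want to accept)
#   root -> svc-b                      (same root, but NOT via the sub-CA)
build_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root" -keyout root.key -out root.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Services Sub CA" \
        -keyout sub.key -out sub.csr 2>/dev/null
    # A sub-CA must carry CA:TRUE and keyCertSign or verifiers reject it
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -days 1 -in sub.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out sub.pem 2>/dev/null
    issue_leaf svc-a.example.com sub a.pem
    issue_leaf svc-b.example.com root b.pem
}

# The target service's check: trust store contains ONLY the sub-CA.
# -partial_chain lets a cert that is not self-signed act as the trust
# anchor, so the chain may stop at sub.pem. Returns 0 if accepted.
accepted_by_subca_only() {
    openssl verify -partial_chain -CAfile sub.pem "$1" >/dev/null 2>&1
}

# Same trust store as seen by a verifier that requires the chain to end in a
# self-signed root (no partial-chain support): the sub-CA's issuer is missing,
# so even the legitimate client cert fails.
accepted_without_partial_chain() {
    openssl verify -CAfile sub.pem "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "--demo" ]; then
    build_pki
    for c in a.pem b.pem; do
        if accepted_by_subca_only "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
    done
fi
```

Run it with `--demo`: a.pem (issued by the sub-CA) is accepted and b.pem (issued by the root) is rejected, which is the filtering the use case wants. If the service's TLS stack cannot anchor trust at an intermediate, the fallback is to trust the root and additionally check the issuer of the client certificate (for example the issuer DN) in the application; whether your server supports either is something to verify for its specific version.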
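Until something like the "autoservice rules" from item 3 exists, the usual workaround is a script run from an enrolled admin host (with an admin ticket) that does the manual step in bulk. The following is an added example written for this page; it is not code from the thread or from the FreeIPA project. It walks a hostgroup, creates the missing `SERVICE/host` principals, and creates the one HBAC rule the thread describes (users in a group may reach hostgroup members over the `http` HBAC service). The `ipa` subcommands and options used are the standard ones; the hostgroup `webservers`, user group `webdevs` and rule name `allow_http_webservers` are assumed names.

```shell
#!/bin/bash
# Added example, not FreeIPA's own code: a cron-able "autoservice" workaround.
# Needs an enrolled host with a valid admin ticket (kinit admin).
# Names webservers / webdevs / allow_http_webservers are assumptions.
set -euo pipefail

# Print the FQDNs of the hosts in a hostgroup, one per line.
hosts_in_group() {
    ipa host-find --in-hostgroups="$1" --pkey-only 2>/dev/null \
        | awk '/Host name:/ {print $3}'
}

# autoservice HOSTGROUP SERVICE: create SERVICE/host for every member that
# lacks one. Prints each principal it created; creating nothing is not an error.
autoservice() {
    local hostgroup=$1 service=$2 host princ
    hosts_in_group "$hostgroup" | while read -r host; do
        princ="$service/$host"
        if ! ipa service-show "$princ" >/dev/null 2>&1; then
            ipa service-add "$princ" >/dev/null
            echo "$princ"
        fi
    done
}

# hbac_allow RULE USERGROUP HOSTGROUP HBACSVC: one rule that then covers every
# clone the automember rule puts into HOSTGROUP. Membership is only set when
# the rule is first created, so re-running does not trip over "already a member".
hbac_allow() {
    local rule=$1 usergroup=$2 hostgroup=$3 hbacsvc=$4
    if ipa hbacrule-show "$rule" >/dev/null 2>&1; then
        return 0
    fi
    ipa hbacrule-add "$rule" >/dev/null
    ipa hbacrule-add-user "$rule" --groups="$usergroup" >/dev/null
    ipa hbacrule-add-host "$rule" --hostgroups="$hostgroup" >/dev/null
    ipa hbacrule-add-service "$rule" --hbacsvcs="$hbacsvc" >/dev/null
}

if [ "${1:-}" = "--run" ]; then
    autoservice webservers HTTP
    hbac_allow allow_http_webservers webdevs webservers http
fi
```

This only creates the principals in the directory. Each clone still has to fetch its own credentials (`ipa-getkeytab` for the Kerberos keytab, `ipa-getcert request -K HTTP/$(hostname -f) ...` for a certificate), which a host may do for services on itself; that per-host fetch is the step the Puppet/Foreman use case in the thread wants to happen automatically.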
