Baptiste Agasse wrote:
> Hi,
> 
> I'm a FreeIPA user for years now and I'm happy with this tool, but I've some 
> 'little' RFEs to suggest to enhance automation and usability:
> 
> 1) Cross FreeIPA domain trust. 
> Example use case: 
> As a user, I'm part of the FOO.EXAMPLE.COM FreeIPA domain and I want to 
> connect to some hosts in BAR.EXAMPLE.COM FreeIPA.

This is on the radar though I couldn't find an open ticket on it. It
isn't something for the very near-term though AFAIK.

At least part of this is captured in
https://fedorahosted.org/freeipa/ticket/4791 which prevents IPA ->
Kerberos trusts today.

> 2) PKI subordinate CA support. 
> Example use case: 
> In the Example.com company, we use certificate authentication for cross 
> services authentication or user authentication. I want, for example, to allow 
> only a group of source services (or users) to connect to a target service. On 
> the target service, I filter client certificates by providing the subordinate 
> CA as the trusted CA.

A developer is looking into something like this on the dogtag side,
http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs

> 3) "autoservice rules", Ability to create rules to automatically create 
> services on the host that match the rule, like automember rules for host 
> groups. Example use cases:
>   * When you create a bunch of 'clone' servers that use kerberos for 
> authentication like kerberized webservers, you don't have to add each to 
> 'webserversX' group because you can have an automember rule that automaticaly 
> add them to the good hostgroup, but you must manually add 'http' service on 
> each. This "autoservice rules" will be nice to make some HBAC rules work out 
> of the box. For example the HBAC rule that said "Some user(s)/usergroup(s) 
> are allowed to connect to 'webserversX' hostgroup members on 'http' service"
>   * Puppet/Foreman integration: Use the FreeIPA PKI with autosign 
> functionality for puppet agents. When you create a host via the Foreman proxy, 
> it will create the host in FreeIPA, but if you want to use the FreeIPA PKI for 
> puppet, you must manually add the puppet service on your host and then get the 
> certificate.

An interesting idea. I filed
https://fedorahosted.org/freeipa/ticket/4862 to track it.

> Any comments?

Thanks for the suggestions!

rob

> 
> Have a nice day.
> 
> Regards.
> 
> Baptiste.
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
