On Thu, Jan 22, 2015 at 04:21:01PM -0500, Rob Crittenden wrote:
> Baptiste Agasse wrote:
> > Hi,
> >
> > I'm a FreeIPA user for years now and I'm happy with this tool, but I've
> > some 'little' RFEs to suggest to enhance automation and usability:
> >
> > 1) Cross FreeIPA domain trust.
> > Example use case:
> > As a user, I'm part of the FOO.EXAMPLE.COM FreeIPA domain and I want to
> > connect to some hosts in BAR.EXAMPLE.COM FreeIPA.
>
> This is on the radar though I couldn't find an open ticket on it. It
> isn't something for the very near-term though AFAIK.
>
> At least part of this is captured in
> https://fedorahosted.org/freeipa/ticket/4791 which prevents IPA ->
> Kerberos trusts today.
>
> > 2) PKI subordinate CA support.
> > Example use case:
> > In the Example.com company, we use certificate authentication for cross
> > services authentication or user authentication. I want, for example, to
> > allow only a group of source services (or users) to connect to a target
> > service. On the target service, I filter client certificates by providing
> > the subordinate CA as the trusted CA.
>
> A developer is looking into something like this on the dogtag side,
> http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
>

This work in Dogtag is the groundwork to have this capability in FreeIPA.
The design document for the FreeIPA sub-CA support (a work in progress) is
http://www.freeipa.org/page/V4/Security_domains.
Cheers,
Fraser

> > 3) "autoservice rules", Ability to create rules to automatically create
> > services on the host that match the rule, like automember rules for host
> > groups. Example use cases:
> > * When you create a bunch of 'clone' servers that use kerberos for
> > authentication like kerberized webservers, you don't have to add each to
> > 'webserversX' group because you can have an automember rule that
> > automatically adds them to the right hostgroup, but you must manually add
> > 'http' service on each. These "autoservice rules" will be nice to make some
> > HBAC rules work out of the box. For example the HBAC rule that says "Some
> > user(s)/usergroup(s) are allowed to connect to 'webserversX' hostgroup
> > members on 'http' service"
> > * Puppet/Foreman integration: Use the FreeIPA pki with autosign
> > functionality for puppet agents. When you create a host via foreman proxy,
> > it will create the host in FreeIPA but if you want to use the FreeIPA PKI
> > for puppet, you must manually add puppet service on your host, and then get
> > the certificate.
>
> An interesting idea. I filed
> https://fedorahosted.org/freeipa/ticket/4862 to track it.
>
> > Any comments?
>
> Thanks for the suggestions!
>
> rob
>
> >
> > Have a nice day.
> >
> > Regards.
> >
> > Baptiste.
> >
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
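The target-service check described under point 2 (accept a client certificate only if it was issued by one particular subordinate CA), as an added example that is not part of the thread and is not FreeIPA or Dogtag code. It builds a small constructed hierarchy with the third-party `cryptography` package: one root, a "service" sub-CA, a "user" sub-CA, a client under each, a client issued directly by the root, and a forged client whose issuer name copies the service sub-CA but which is signed by a different key. `accepts()` implements the direct-issuer check a service would run when it trusts only the sub-CA; `accepts_via()` shows what the same service would accept if it trusted the root instead. All names, keys and helper functions are assumptions made for the example.

```python
"""Added example (not from the FreeIPA thread or the FreeIPA/Dogtag projects).

Models the sub-CA use case: a service trusting only one subordinate CA
accepts certificates issued by that sub-CA and rejects everything else,
including a sibling sub-CA's certificates and a certificate whose issuer
*name* matches but whose signature was not made by the sub-CA's key.
Requires the third-party `cryptography` package. Names are constructed.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, issuer_cert, issuer_key, subject_key, is_ca, pathlen=None):
    """Issue a certificate for subject_cn signed with issuer_key.

    issuer_cert supplies the issuer name (None means self-signed root).
    Passing an issuer_cert together with a key that is NOT that CA's key
    produces a certificate with a matching issuer name but a bad signature,
    which is exactly what a name-only check would wrongly accept.
    """
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer_name = issuer_cert.subject if issuer_cert is not None else _name(subject_cn)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=pathlen), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256(), backend=default_backend())


def _validity(cert):
    # Newer cryptography exposes tz-aware *_utc attributes; older ones are naive UTC.
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        nb = cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    else:
        na = cert.not_valid_after_utc
    return nb, na


def accepts(trusted_ca, client_cert, now=None):
    """True iff client_cert was issued directly by trusted_ca.

    Checks: trusted_ca is marked as a CA, issuer name chains to it, the
    validity window covers `now`, and the signature verifies under the CA key.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    try:
        bc = trusted_ca.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False
    if not bc.ca or client_cert.issuer != trusted_ca.subject:
        return False
    nb, na = _validity(client_cert)
    if not (nb <= now <= na):
        return False
    try:
        trusted_ca.public_key().verify(
            client_cert.signature,
            client_cert.tbs_certificate_bytes,
            ec.ECDSA(client_cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    return True


def accepts_via(trust_anchor, intermediates, client_cert):
    """What a service trusting the ROOT would accept: any client reachable
    through one of the known intermediates (or issued by the root directly)."""
    if accepts(trust_anchor, client_cert):
        return True
    return any(accepts(trust_anchor, ca) and accepts(ca, client_cert) for ca in intermediates)


def build_pki():
    """Constructed hierarchy: root -> {service sub-CA, user sub-CA} -> clients."""
    names = ("root", "svc_ca", "user_ca", "svc1", "user1", "direct", "attacker", "rogue")
    keys = {n: ec.generate_private_key(ec.SECP256R1(), default_backend()) for n in names}
    root = issue("Example Root CA", None, keys["root"], keys["root"], True, 1)
    svc_ca = issue("Example Service Sub-CA", root, keys["root"], keys["svc_ca"], True, 0)
    user_ca = issue("Example User Sub-CA", root, keys["root"], keys["user_ca"], True, 0)
    return {
        "root": root, "svc_ca": svc_ca, "user_ca": user_ca,
        "svc1": issue("http/web1.example.com", svc_ca, keys["svc_ca"], keys["svc1"], False),
        "user1": issue("alice", user_ca, keys["user_ca"], keys["user1"], False),
        "direct": issue("legacy-service", root, keys["root"], keys["direct"], False),
        # Issuer name copied from the service sub-CA, signature made by an attacker key.
        "forged": issue("http/evil.example.com", svc_ca, keys["attacker"], keys["rogue"], False),
    }


if __name__ == "__main__":
    pki = build_pki()
    for label in ("svc1", "user1", "direct", "forged"):
        print(label, "trusting sub-CA:", accepts(pki["svc_ca"], pki[label]),
              "trusting root:", accepts_via(pki["root"], [pki["svc_ca"], pki["user_ca"]], pki[label]))
```

The contrast between the two trust anchors is the point of the request: with the root as anchor the user sub-CA's certificates are accepted too, so scoping the service's trust to the sub-CA is what turns "who issued this" into an access decision. The signature step is what defeats the forged certificate; a filter on issuer DN alone would let it through.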