On Thu, Jan 22, 2015 at 04:21:01PM -0500, Rob Crittenden wrote:
> Baptiste Agasse wrote:
> > Hi,
> > 
> > I'm a FreeIPA user for years now and I'm happy with this tool, but I've 
> > some 'little' RFEs to suggest to enhance automation and usability:
> > 
> > 1) Cross FreeIPA domain trust. 
> > Example use case: 
> > As a user, I'm part of the FOO.EXAMPLE.COM FreeIPA domain and I want to 
> > connect to some hosts in BAR.EXAMPLE.COM FreeIPA.
> 
> This is on the radar though I couldn't find an open ticket on it. It
> isn't something for the very near-term though AFAIK.
> 
> At least part of this is captured in
> https://fedorahosted.org/freeipa/ticket/4791 which prevents IPA ->
> Kerberos trusts today.
> 
> > 2) PKI subordinate CA support. 
> > Example use case: 
> > In the Example.com company, we use certificate authentication for cross 
> > services authentication or user authentication. I want, for example, to 
> > allow only a group of source services (or users) to connect to a target 
> > service. On the target service, I filter client certificates by providing 
> > the subordinate CA as the trusted CA.
> 
> A developer is looking into something like this on the dogtag side,
> http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
> 
This work in Dogtag is the groundwork to have this capability in
FreeIPA.  The design document for the FreeIPA sub-CA support (a work
in progress) is http://www.freeipa.org/page/V4/Security_domains.

Cheers,
Fraser

> > 3) "autoservice rules", Ability to create rules to automatically create 
> > services on the host that match the rule, like automember rules for host 
> > groups. Example use cases:
> >   * When you create a bunch of 'clone' servers that use kerberos for 
> > authentication like kerberized webservers, you don't have to add each to 
> > 'webserversX' group because you can have an automember rule that 
> > automatically adds them to the good hostgroup, but you must manually add 
> > 'http' service on each. These "autoservice rules" will be nice to make some 
> > HBAC rules work out of the box. For example the HBAC rule that says "Some 
> > user(s)/usergroup(s) are allowed to connect to 'webserversX' hostgroup 
> > members on 'http' service"
> >   * Puppet/Foreman integration: Use the FreeIPA pki with autosign 
> > functionality for puppet agents. When you create a host via foreman proxy, 
> > it will create the host in FreeIPA but if you want to use the FreeIPA PKI 
> > for puppet, you must manually add puppet service on your host, and then get 
> > the certificate.
> 
> An interesting idea. I filed
> https://fedorahosted.org/freeipa/ticket/4862 to track it.
> 
> > Any comments?
> 
> Thanks for the suggestions!
> 
> rob
> 
> > 
> > Have a nice day.
> > 
> > Regards.
> > 
> > Baptiste.
> > 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

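The "autoservice rules" request above describes the manual step an admin has to take today: every host that lands in a hostgroup through an automember rule still needs its service principal added by hand before an HBAC rule on that service can match. The script below is an added example written for this thread, not code from FreeIPA or from anyone in the discussion. It reconciles a list of hostgroup members against the service principals that already exist and emits the `ipa service-add` commands for the missing ones. It assumes the admin supplies the member list (for instance from `ipa hostgroup-show`) and the existing principals (from `ipa service-find`), and that `ipa service-add` appends the default realm when the principal is given without one. The planning logic is kept separate from the CLI calls so it can be checked offline, and the default is a dry run; all host and principal values below are constructed sample data.

```python
"""Reconcile an IPA hostgroup against its expected service principals.

Stand-in for the requested "autoservice rules": until FreeIPA creates the
service automatically, an admin can run this after automember has placed
hosts in a group. Planning (what is missing) is separated from execution
(calling the ipa CLI) so the plan can be reviewed or tested without a server.
"""
import shlex
import subprocess
from typing import Iterable, List


def _normalize(principal: str) -> str:
    """Strip a realm suffix and lowercase the host part so that
    HTTP/Web1.Example.COM.@EXAMPLE.COM and HTTP/web1.example.com compare equal.
    The service name is left as-is: Kerberos treats it case-sensitively."""
    principal = principal.split("@", 1)[0]
    service, _, host = principal.partition("/")
    return f"{service}/{host.lower().rstrip('.')}"


def plan_missing_services(hosts: Iterable[str], existing_principals: Iterable[str],
                          service: str = "HTTP") -> List[str]:
    """Return the principals (without realm) that `service` should have on every
    host in `hosts` but that do not appear in `existing_principals`, sorted."""
    wanted = {_normalize(f"{service}/{h}") for h in hosts}
    present = {_normalize(p) for p in existing_principals}
    return sorted(wanted - present)


def ipa_commands(principals: Iterable[str]) -> List[List[str]]:
    """Build one `ipa service-add` invocation per missing principal.
    Assumption: ipa appends the default realm when none is given."""
    return [["ipa", "service-add", p] for p in principals]


def reconcile(hosts: Iterable[str], existing_principals: Iterable[str],
              service: str = "HTTP", apply: bool = False) -> List[List[str]]:
    """Plan and (optionally) execute. Dry run by default so the change set can
    be reviewed before anything touches the directory."""
    commands = ipa_commands(plan_missing_services(hosts, existing_principals, service))
    for cmd in commands:
        if apply:
            subprocess.run(cmd, check=True)
        else:
            print("DRY RUN:", shlex.join(cmd))
    return commands


# Constructed sample data standing in for `ipa hostgroup-show webserversX`
# and `ipa service-find` output; these hosts and realm do not exist.
SAMPLE_HOSTS = ["web1.example.com", "web2.example.com", "Web3.example.com."]
SAMPLE_EXISTING = [
    "HTTP/web1.example.com@EXAMPLE.COM",   # already has its HTTP service
    "host/web2.example.com@EXAMPLE.COM",   # host principal only, no HTTP
    "ldap/ipa.example.com@EXAMPLE.COM",    # unrelated service on another host
]

if __name__ == "__main__":
    # Prints the two service-add commands for web2 and web3 without running them.
    reconcile(SAMPLE_HOSTS, SAMPLE_EXISTING)
```

Running it with `apply=True` requires credentials that hold the service-add permission; keeping the dry run as the default means the plan can be diffed in a change ticket first, and the same function can be rerun after every automember change to keep the HBAC rule on the 'http' service effective for newly cloned hosts.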