[Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication
Fraser Tweedale
ftweedal at redhat.com
Fri Jan 6 08:08:04 UTC 2017
Hi comrades,
I have written up the high-level details of the FreeIPA->Dogtag
GSS-API authentication design. The goal is to improve security by
removing an egregious privilege separation violation: the RA Agent
cert.
There is a fair bit of work still to do on the Dogtag side but
things are shaping up there and it's time to work out the IPA
aspects. The design is at:
http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
Right now, I need feedback about the Domain Level aspects: whether
it is the right approach, whether there are mechanisms to perform
update steps (specifically: LDAP updates and/or api calls) alongside
a DL bump, or if there aren't, how to deal with that (implement such
a mechanism, make admins do extra steps, ???).
Of course, any other general or specific feedback is welcome.
Thanks,
Fraser