[Freeipa-users] RFEs

Fraser Tweedale ftweedal at redhat.com
Fri Jan 23 02:23:00 UTC 2015 

On Thu, Jan 22, 2015 at 04:21:01PM -0500, Rob Crittenden wrote:
> Baptiste Agasse wrote:
> > Hi,
> > 
> > I'm a FreeIPA user for years now and i'm happy with this tool, but I've some 'little' RFEs to suggest to enhance automation and usability:
> > 
> > 1) Cross FreeIPA domain trust. 
> > Example use case: 
> > As an user, i'm part of the FOO.EXAMPLE.COM FreeIPA domain and i want to connect to some hosts in BAR.EXAMPLE.COM FreeIPA.
> 
> This is on the radar though I couldn't find an open ticket on it. It
> isn't something for the very near-term though AFAIK.
> 
> At least part of this is captured in
> https://fedorahosted.org/freeipa/ticket/4791 which prevents IPA ->
> Kerberos trusts today.
> 
> > 2) PKI subordinate CA support. 
> > Example use case: 
> > In the Example.com company, we use certificate authentication for cross services authentication or user authentication. I want, for example to allow only a group of source services (or users) to connect to a target service. On the target service, i filter client certificates by providing the subordinate CA as the trusted CA.
> 
> A developer is looking into something like this on the dogtag side,
> http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
> 
This work in Dogtag is the groundwork to have this capability in
FreeIPA.  The design document for the FreeIPA sub-CA support (a work
in progress) is http://www.freeipa.org/page/V4/Security_domains.

Cheers,
Fraser

> > 3) "autoservice rules", Ability to create rules to automatically create services on the host that match the rule, like automember rules for host groups. Example use cases:
> >   * When you create a bunch of 'clone' servers that use kerberos for authentication like kerberized webservers, you don't have to add each to 'webserversX' group because you can have an automember rule that automaticaly add them to the good hostgroup, but you must manually add 'http' service on each. This "autoservice rules" will be nice to make some HBAC rules work out of the box. For example the HBAC rule that said "Some user(s)/usergroup(s) are allowed to connect to 'webserversX' hostgroup members on 'http' service"
> >   * Puppet/Foreman integration: Use the FreeIPA pki with autosign functionality for puppet agents. When you create an host via foreman proxy, it will create the host in FreeIPA but if you want to use the FreeIPA PKI for puppet, you must manually add puppet service on your host, and then get the certificate.
> 
> An interesting idea. I filed
> https://fedorahosted.org/freeipa/ticket/4862 to track it.
> 
> > Any comments ?
> 
> Thanks for the suggestions!
> 
> rob
> 
> > 
> > Have a nice day.
> > 
> > Regards.
> > 
> > Baptiste.
> > 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list