[Freeipa-users] RFEs

Baptiste Agasse baptiste.agasse at lyra-network.com
Fri Jan 23 15:26:26 UTC 2015


Hi,

> > > 1) Cross FreeIPA domain trust.
> > > Example use case:
> > > As a user, I'm part of the FOO.EXAMPLE.COM FreeIPA domain and I want to
> > > connect to some hosts in BAR.EXAMPLE.COM FreeIPA.
> > 
> > This is on the radar though I couldn't find an open ticket on it. It
> > isn't something for the very near-term though AFAIK.
> > 
> > At least part of this is captured in
> > https://fedorahosted.org/freeipa/ticket/4791 which prevents IPA ->
> > Kerberos trusts today.

Thank you, I missed this one when I searched for issues related to these RFEs before sending a mail to the list.

> > 
> > > 2) PKI subordinate CA support.
> > > Example use case:
> > > In the Example.com company, we use certificate authentication for cross
> > > services authentication or user authentication. I want, for example, to
> > > allow only a group of source services (or users) to connect to a target
> > > service. On the target service, I filter client certificates by
> > > providing the subordinate CA as the trusted CA.
> > 
> > A developer is looking into something like this on the dogtag side,
> > http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
> > 
> This work in Dogtag is the groundwork to have this capability in
> FreeIPA.  The design document for the FreeIPA sub-CA support (a work
> in progress) is http://www.freeipa.org/page/V4/Security_domains.

Yes, this describes what we want to achieve: have a sub-CA per functionality/use case.

On this point, one comment. Hosts in FreeIPA can have an X.509 certificate for the host principal; you don't have to create any service on the host to request this certificate. If security domains land in FreeIPA, it would be nice to have 'some' default security domains, like one that signs host certificates by default, and why not another that signs user certificates by default.

> 
> Cheers,
> Fraser
> 
> > > 3) "autoservice rules": Ability to create rules to automatically create
> > > services on the hosts that match the rule, like automember rules for host
> > > groups. Example use cases:
> > >   * When you create a bunch of 'clone' servers that use Kerberos for
> > >   authentication, like kerberized webservers, you don't have to add each
> > >   to the 'webserversX' group because you can have an automember rule that
> > >   automatically adds them to the right hostgroup, but you must manually add
> > >   the 'http' service on each. These "autoservice rules" would be nice to make
> > >   some HBAC rules work out of the box. For example the HBAC rule that
> > >   says "Some user(s)/usergroup(s) are allowed to connect to
> > >   'webserversX' hostgroup members on the 'http' service"
> > >   * Puppet/Foreman integration: Use the FreeIPA PKI with autosign
> > >   functionality for puppet agents. When you create a host via the foreman
> > >   proxy, it will create the host in FreeIPA, but if you want to use the
> > >   FreeIPA PKI for puppet, you must manually add the puppet service on your
> > >   host, and then get the certificate.
> > 
> > An interesting idea. I filed
> > https://fedorahosted.org/freeipa/ticket/4862 to track it.

Thank you, I didn't have a Fedora account but I created one to follow this.

Have a nice day.

Regards.

Baptiste.
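One way to approximate the "autoservice rules" idea from item 3 with today's tooling, as an added example that is not part of this thread and not FreeIPA's own code: a small POSIX shell script that, given a hostgroup and a service type, ensures every member host has the matching service principal and creates it only where it is missing. It assumes an admin Kerberos ticket is already present (kinit) when run for real, that `ipa hostgroup-show --raw` prints one `member_host: <fqdn>` line per member, and it uses EXAMPLE.COM as a constructed placeholder realm (override with the REALM environment variable).

```shell
#!/bin/sh
# Added example, not from the thread: emulate an "autoservice rule" with the
# ipa CLI by ensuring every member of a hostgroup has a given service principal.
# Assumptions: a valid admin Kerberos ticket when run for real, and that
# `ipa hostgroup-show --raw` prints one "member_host: <fqdn>" line per member.
# REALM is a constructed placeholder; override it from the environment.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the ipa service-add commands instead of running them

# Build the Kerberos principal for a service on a host: SERVICE/fqdn@REALM
service_principal() {
  printf '%s/%s@%s\n' "$1" "$2" "$REALM"
}

# Map a list of host FQDNs (one per line on stdin) to service principals,
# skipping blank lines.
principals_for_members() {
  svc="$1"
  while IFS= read -r fqdn; do
    if [ -n "$fqdn" ]; then
      service_principal "$svc" "$fqdn"
    fi
  done
}

# Extract member hosts from the raw output of `ipa hostgroup-show`.
hostgroup_members() {
  ipa hostgroup-show "$1" --raw --all | sed -n 's/^[[:space:]]*member_host: //p'
}

# Idempotent step: create the service only if it does not already exist,
# so the script can be re-run (cron, provisioning hook) without side effects.
ensure_service() {
  princ="$1"
  if ipa service-show "$princ" >/dev/null 2>&1; then
    echo "exists: $princ"
  elif [ "$DRY_RUN" = 1 ]; then
    echo "would run: ipa service-add $princ"
  else
    ipa service-add "$princ"
  fi
}

# Usage: autoservice.sh <hostgroup> <service>   e.g. autoservice.sh webservers HTTP
if [ "$#" -ge 2 ]; then
  hostgroup_members "$1" | principals_for_members "$2" | while IFS= read -r princ; do
    ensure_service "$princ"
  done
fi
```

Because the create step is idempotent, the script can run repeatedly (for example after each automember evaluation) and only new clones pick up the service; the HBAC rule described in item 3 then matches them without manual work, while the host itself still has to request the service certificate as before.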