[Freeipa-users] RFEs

Fraser Tweedale ftweedal at redhat.com
Mon Jan 26 22:01:25 UTC 2015


On Fri, Jan 23, 2015 at 04:26:26PM +0100, Baptiste Agasse wrote:
> Hi,
> 
> > > > 1) Cross FreeIPA domain trust.
> > > > Example use case:
> > > > As a user, I'm part of the FOO.EXAMPLE.COM FreeIPA domain and I want to
> > > > connect to some hosts in BAR.EXAMPLE.COM FreeIPA.
> > > 
> > > This is on the radar though I couldn't find an open ticket on it. It
> > > isn't something for the very near-term though AFAIK.
> > > 
> > > At least part of this is captured in
> > > https://fedorahosted.org/freeipa/ticket/4791 which prevents IPA ->
> > > Kerberos trusts today.
> 
> Thank you, I missed this one when I searched issues related to these RFEs before sending a mail to the list.
> 
> > > 
> > > > 2) PKI subordinate CA support.
> > > > Example use case:
> > > > In the Example.com company, we use certificate authentication for cross
> > > > services authentication or user authentication. I want, for example to
> > > > allow only a group of source services (or users) to connect to a target
> > > > service. On the target service, I filter client certificates by
> > > > providing the subordinate CA as the trusted CA.
> > > 
> > > A developer is looking into something like this on the dogtag side,
> > > http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
> > > 
> > This work in Dogtag is the groundwork to have this capability in
> > FreeIPA.  The design document for the FreeIPA sub-CA support (a work
> > in progress) is http://www.freeipa.org/page/V4/Security_domains.
> 
> Yes, this describes what we want to achieve: have a sub-CA per functionality/use case.
> 
> On this point, one comment. Hosts in FreeIPA can have an X.509
> certificate for the host principal; you don't have to create any
> service on the host to request this certificate. If the security
> domains land in FreeIPA, it would be nice to have 'some' default
> security domains, like one that signs host certificates by
> default, and why not another that signs user certificates by
> default.
> 
That's definitely worth considering.  I'll add this suggestion to
the design proposal.

Fraser

> > 
> > Cheers,
> > Fraser
> > 
> > > > 3) "autoservice rules": the ability to create rules to automatically create
> > > > services on the hosts that match the rule, like automember rules for host
> > > > groups. Example use cases:
> > > >   * When you create a bunch of 'clone' servers that use Kerberos for
> > > >   authentication, like kerberized web servers, you don't have to add each
> > > >   to the 'webserversX' group because you can have an automember rule that
> > > >   automatically adds them to the right hostgroup, but you must manually add
> > > >   the 'http' service on each. These "autoservice rules" would be nice to make
> > > >   some HBAC rules work out of the box, for example the HBAC rule that
> > > >   says "Some user(s)/usergroup(s) are allowed to connect to
> > > >   'webserversX' hostgroup members on the 'http' service".
> > > >   * Puppet/Foreman integration: use the FreeIPA PKI with the autosign
> > > >   functionality for puppet agents. When you create a host via the Foreman
> > > >   proxy, it will create the host in FreeIPA, but if you want to use the
> > > >   FreeIPA PKI for puppet, you must manually add the puppet service on your
> > > >   host and then get the certificate.
> > > 
> > > An interesting idea. I filed
> > > https://fedorahosted.org/freeipa/ticket/4862 to track it.
> 
> Thank you, I didn't have a Fedora account but I created one to follow this.
> 
> Have a nice day.
> 
> Regards.
> 
> Baptiste.
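What the "autoservice rule" requested in point 3 would have to compute, as an added example that is not part of this thread or of FreeIPA: a rule maps a hostgroup to the Kerberos service types its members should carry, and the reconciler emits the `ipa service-add` calls for principals that do not exist yet, as a reviewable plan rather than running them. The rule format and all membership/service data are constructed for the example; only the `ipa service-add <principal>` command form is the real CLI.

```python
"""Plan the ``ipa service-add`` calls an "autoservice rule" would issue.

Hypothetical rule format: hostgroup name -> service types that every
member host should have a principal for (e.g. webserversX -> HTTP).
"""

REALM = "EXAMPLE.COM"  # constructed

# Constructed rules, mirroring the two use cases in the thread.
AUTOSERVICE_RULES = {
    "webserversX": ["HTTP"],
    "puppetagents": ["puppet"],
}

# Constructed sample of hostgroup membership (what automember would
# have produced; in real life taken from ``ipa hostgroup-show``).
HOSTGROUP_MEMBERS = {
    "webserversX": ["web1.example.com", "web2.example.com"],
    "puppetagents": ["web2.example.com", "node3.example.com"],
}

# Constructed sample of service principals that already exist
# (in real life the result of ``ipa service-find``).
EXISTING_SERVICES = {
    "HTTP/web1.example.com@EXAMPLE.COM",
}


def missing_principals(rules, members, existing, realm=REALM):
    """Return the principals the rules require but that do not exist yet.

    The result is de-duplicated and sorted so the plan is stable and
    idempotent: running it twice never proposes the same principal again,
    and a host in several groups with the same service type gets one entry.
    """
    wanted = set()
    for group, services in rules.items():
        for host in members.get(group, []):
            for svc in services:
                wanted.add(f"{svc}/{host}@{realm}")
    return sorted(wanted - set(existing))


def plan_commands(rules, members, existing, realm=REALM):
    """Render one ``ipa service-add`` line per missing principal."""
    return [f"ipa service-add {p}"
            for p in missing_principals(rules, members, existing, realm)]


if __name__ == "__main__":
    for line in plan_commands(AUTOSERVICE_RULES, HOSTGROUP_MEMBERS, EXISTING_SERVICES):
        print(line)
```

The HBAC rule on the 'webserversX' hostgroup and 'http' service only takes effect once these principals exist, which is exactly the gap the plan above closes.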
