[Freeipa-users] Common Name for the ipa-cacert-manage command

Natxo Asenjo natxo.asenjo at gmail.com
Fri May 1 15:53:08 UTC 2015


hi,

On Fri, May 1, 2015 at 12:52 AM, William Graboyes <wgraboyes at cenic.org>
wrote:

>
> I guess it is time to get deep into API documentation.  This is a hell of
> a lot of hoops to jump through just so that users who don't have shell
> access can easily change their passwords without having to see a scare
> page.  Distributing the IPA CA is not an option at this point, as we have a
> very odd desktop support model.  I thought all of this was to be fixed in
> 4.1, which is why I went 4.1... and now nothing has changed... and I am
> back to square 1.
>

that is unfortunate for you. Most companies have at least AD deployed on
their infrastructure, and using that to deploy CA root certificates to all
domain member computers is very easy. For unix/linux networks, systems like
cfengine/puppet/whatever make this quite easy as well. So that is something
you need to address and not really IPA's fault in my opinion.

You could also deploy a password reset page using something like
http://ltb-project.org/wiki/documentation/self-service-password behind a
TLS site with a certificate signed by one of the standard trusted
authorities like Verisign, DigiCert, etc. That way your users could reset
their passwords without the certificate errors and you could have the time
to put order in your desktop infrastructure ;-)


> This is the only, and I am serious here, the only gating factor for
> FreeIPA going into production.  The self-signed certs on the UI.  It really
> isn't safe or secure to tell users to "Just trust the self signed cert."
> You create an easy vector for users to get sucked into a phishing trap.
>


Users are trained to just click warnings away, nothing new here.

The certificate system is quite ... special. Just because the standard
stores of the browsers trust a bunch of root CAs does not mean that those
are safe. Think of DigiNotar. I trust our IPA root CA much more than
Turktrust Bilgi Iletisim ... (just the first one on the list of root CAs
in Firefox now).



> Next question, Has anyone made or documented an external password change
> program for freeipa?
>

I already pointed to this one,
http://ltb-project.org/wiki/documentation/self-service-password, but there
are others. I have used gente: https://github.com/sciurus/gente as well;
really easy to set up and it does its job. And there are plenty of commercial
solutions out there willing to get your money if you let them :-)

-- 
regards,
natxo