[Freeipa-users] Dogtag vs Freeipa Dogtag

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 2 11:25:43 UTC 2017


Hi,

On Thu, 02 Feb 2017, Gorazd wrote:
>Hi Fraser,
>
>thank you for your comment.
>
>Still doing some decision making, could anyone know if for example KeyCloak
>(as identity and access management solution)+DogTag could have the same or
>better experience (since dogtag has more features than IPA's bundled
>dogtag) than using Freeipa, what are really the benefits of FreeIPA to use
>it as a system for IdM and PKI solution, is that really just that it has
>integrations with RADIUS also supported, so to be also ready for the deploy
>within typical enterprise environments?

FreeIPA attempts to make easier deployment of common use cases we've
seen so far. There are two limiting factors: 1) available people who can
do the work (contributions are welcome!), and 2) priorities that come
from paying customers for those teams that could contribute development
resources. In short, software needs to be written and maintained; that
does not happen by itself.

If someone wants to use more advanced Dogtag features, they are free to
work with Dogtag and FreeIPA to contribute integration pieces. Most
of such integration requires changes on the Dogtag side as well -- we
discovered multiple times that in order to automate/simplify/etc we have
to change on both sides, so a deeper development cooperation between
those projects was always needed (and was/is happening). Finally,
talking to Dogtag developers directly to get advice on what is possible
on their side is an option too.

Obviously, doing a joint development takes time and has to be planned
out. In some cases you might not be able to contribute that time
or your goals are to deploy within a shorter time frame. This means your
other option could be to either use Dogtag directly or look for
alternatives.

From my perspective it is just perfectly fine to make an informed
decision to not use FreeIPA. It is also perfectly fine to consider
installing additional Dogtag components and take responsibility of
supporting a resulting deployment setup. Each situation has its own
constraints and limitations which only you are aware of, not other
members of the extended community. And only you can decide what amount of
effort could be put to achieve your goals.

>
>Thank you in advance,
>Gorazd
>
>
>
>On Thu, Feb 2, 2017 at 1:11 AM, Fraser Tweedale <ftweedal at redhat.com> wrote:
>
>> On Wed, Feb 01, 2017 at 09:44:34PM +0100, Gorazd wrote:
>> > Hello,
>> >
>> > I am interested if there is any feature matrix available for FreeIpa
>> > version of dogtag packaging. So which features of Dogtag are not included
>> > or do come with limitations when installed with Freeipa (such as OCSP
>> > is already part of CA and could not be installed separately), in contrast
>> > when one uses Dogtag as a standalone software installation?
>> >
>> FreeIPA does not use the standalone OCSP responder, or the token
>> processing subsystems (TKS/TPS).  There is nothing preventing you
>> from installing them, but FreeIPA won't help you to do that, and
>> there is no integration.
>>
>> Cheers,
>> Fraser
>>
>> > Thank you in advance.
>> >
>> > Regards,
>> > Gorazd
>>
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
>>
>>

-- 
/ Alexander Bokovoy



