[Freeipa-users] Dogtag vs Freeipa Dogtag

Fraser Tweedale ftweedal at redhat.com
Thu Feb 2 23:18:30 UTC 2017


On Thu, Feb 02, 2017 at 11:56:55AM +0100, Gorazd wrote:
> Hi Fraser,
> 
> thank you for your comment.
> 
> Still doing some decision making, could anyone know if for example KeyCloak
> (as identity and access management solution)+DogTag could have the same or
> better experience (since dogtag has more features than IPA's bundled
> dogtag) than using Freeipa, what are really the benefits of FreeIPA to use
> it as a system for IdM and PKI solution, is that really just that it has
> integrations with RADIUS also supported, so to be also ready for the deploy
> within typical enterprise environments?
> 
One of the big advantages: if you are issuing certificates for
subject principals defined in the FreeIPA directory, you get a lot
of validation and authorisation for those certificate requests based
on what FreeIPA knows.  It can be quite complicated to set up such a
regime with Dogtag.  OTOH if you need to issue certs for entities
about which FreeIPA knows nothing, then FreeIPA doesn't bring a lot
to the table right now.

If you clearly know what you want but there isn't support in
FreeIPA, file an RFE.  Like Alexander mentioned there's no guarantee
if or when we can implement it, but at least we will know about it
and be able to assess it alongside other priorities.

Cheers,
Fraser

> Thank you in advance,
> Gorazd
> 
> 
> 
> On Thu, Feb 2, 2017 at 1:11 AM, Fraser Tweedale <ftweedal at redhat.com> wrote:
> 
> > On Wed, Feb 01, 2017 at 09:44:34PM +0100, Gorazd wrote:
> > > Hello,
> > >
> > > I am interested if there is any feature matrix available for FreeIpa
> > > version of dogtag packaging. So which features of Dogtag are not included
> > > or do come with limitations when installed with Freeipa (such as OCSP is
> > > already part of CA and could not be installed separately), in contrast when
> > > one uses Dogtag as a standalone software installation?
> > >
> > FreeIPA does not use the standalone OCSP responder, or the token
> > processing subsystems (TKS/TPS).  There is nothing preventing you
> > from installing them, but FreeIPA won't help you to do that, and
> > there is no integration.
> >
> > Cheers,
> > Fraser
> >
> > > Thank you in advance.
> > >
> > > Regards,
> > > Gorazd
> >