#3755 [RFE] Better support Puppet integration
Closed: wontfix 5 years ago Opened 10 years ago by dpal.

Please see the article http://jcape.name/2012/01/16/using-the-freeipa-pki-with-puppet/
The article identifies a problem: all IPA certificates are from the same domain, which means that any host that is connected to IPA and got a certificate signed by IPA would be able to access a puppet master. The article suggests there should be a way to create a sub domain certificate for the puppet master and then issue certificates for hosts in such a way that only holders of certificates for the sub domain can access the puppet master.

This may be an umbrella RFE.
It seems that it at least requires:
1. Support of different cert profiles (tickets already exist)
2. Ability to define sub CAs
3. Ability to issue certificates on behalf of sub CA (if this is possible)
4. Ability to store more than one certificate per host or service


Adding some sort of access control to puppet is an alternate solution. Right now it appears that any authenticated client certificate can do anything.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago
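The trust-scope problem this ticket describes, shown with the `openssl` CLI as an added illustration (not code from the ticket, FreeIPA or Puppet). All CA and host names are constructed, and using `-partial_chain` to make the sub CA the only trust anchor is this example's choice, not something the ticket says Puppet does.

```shell
#!/bin/sh
# Added illustration. Every name (Demo IPA Root, Demo Puppet Sub CA, hosts) is constructed.

# mk_key_csr DIR NAME CN: new RSA key plus a CSR for subject CN
mk_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/o.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign DIR NAME ISSUER [extra x509 args]: sign NAME.csr with ISSUER's key
sign() {
    d=$1; n=$2; i=$3; shift 3
    openssl x509 -req -days 1 -in "$d/$n.csr" -CA "$d/$i.crt" -CAkey "$d/$i.key" \
        -CAcreateserial -out "$d/$n.crt" "$@" 2>/dev/null
}

# build_pki DIR: root CA, a sub CA under it, and one host certificate from each
build_pki() {
    mkdir -p "$1"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/o.cnf"
    # Root CA: stands in for the single IPA CA that signs every enrolled host
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/o.cnf" -extensions ca \
        -subj "/CN=Demo IPA Root" -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    # Sub CA dedicated to Puppet, signed by the root
    mk_key_csr "$1" sub "Demo Puppet Sub CA"
    sign "$1" sub root -extfile "$1/o.cnf" -extensions ca
    # agent: host issued by the sub CA; other: ordinary host issued by the root
    mk_key_csr "$1" agent "agent.example.test"; sign "$1" agent sub
    mk_key_csr "$1" other "other.example.test"; sign "$1" other root
}

# trusts_root DIR NAME: succeeds if NAME.crt validates with the root CA as trust anchor
trusts_root() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/$2.crt" >/dev/null 2>&1
}

# trusts_sub DIR NAME: succeeds if NAME.crt validates when only the sub CA is trusted
trusts_sub() {
    openssl verify -partial_chain -CAfile "$1/sub.crt" "$1/$2.crt" >/dev/null 2>&1
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
build_pki "$d"
for h in agent other; do
    trusts_root "$d" "$h" && r=accepted || r=rejected
    trusts_sub  "$d" "$h" && s=accepted || s=rejected
    echo "$h: root anchor -> $r, sub CA anchor -> $s"
done
```

With the root as trust anchor both hosts validate, which is the situation the ticket describes; with only the sub CA trusted, the host issued directly by the root is rejected.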

Thank you for taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
