[Freeipa-users] Freeipa v2.

Dmitri Pal dpal at redhat.com
Thu Jun 4 00:04:36 UTC 2009


Valent Turkovic wrote:
> On Mon, Jun 1, 2009 at 5:51 PM, Simo Sorce <ssorce at redhat.com> wrote:
>   
>> On Mon, 2009-06-01 at 17:39 +0200, Valent Turkovic wrote:
>>     
>>> On Mon, Jun 1, 2009 at 4:30 PM, Simo Sorce <ssorce at redhat.com> wrote:
>>>       
>>>> On Sun, 2009-05-31 at 20:23 +0400, Sergei V. Kovylov wrote:
>>>>         
>>>>> Hello guys.
>>>>> Glad to see that the project is under heavy development. I have several questions:
>>>>> 1. Is it still actual to produce some release/RC in May?
>>>>>           
>>>> Nope, we will update the website as soon as we have new estimates, but
>>>> we are clearly slipping at least a few months.
>>>>         
>>> If you don't mind my asking, what is the reason for slipping?
>>>       
>> We have not yet finished all the features and the python framework
>> rewrite :-)
>>
>> I think we simply underestimated some tasks initially.
>>
>> Simo.
>>     
>
> I have just one more quick question...
>
> Will IPAv2 have an implementation of replication of group policy objects?
> That is to say, the ability to make a small change, to multiple
> machines, with one setting on the server. An example of this is to
> lock down proxy settings for a browser on all machines with one
> setting on the server, or to restrict portions of the menu.
>
> Cheers.
>
>
>   
We are more and more stepping away from the P of IPA as we originally 
thought about it.
The P of IPA duplicates a lot of other existing projects in different 
ways so we are currently evaluating our plans about policy management in 
IPA.
Rather than building our own solution from scratch it makes sense to 
integrate with existing solid configuration management alternatives.
How? It is the big question and we are seriously looking into it. But it is 
something that will take time and a lot of investigation and coordination.
We are committed to P of IPA but our assessment showed that what we 
planned might not be the right way to tackle the problem.

Audit also seems to be a much bigger undertaking than we originally 
thought but we are committed to it. However, audit is being developed as 
an independent component.
This would allow us to deliver it on an independent schedule when it is 
ready to do the basics.

For now, it seems that it would make sense to focus on things we already 
know how to do and can be completed in a foreseeable future (by 
September or so).
Looking at what this might mean I would say that the release would 
consist of:

1) SSSD - client identity framework that allows offline authentication 
functionality and provides capability to have different identity domains 
including but not limited to IPA. (LDAP, NIS, etc.). This would allow 
client machines to be a part of the domain and have a secure channel to the 
server. This secure channel can/will be used for cert provisioning and 
key management.
2) Server with:
a) New extensible and pluggable management framework and richer CLI/UI
b) Integrated DNS
c) Integrated NIS backward compatibility plugin (for systems that do not 
understand LDAP for NSS)
d) Integrated CA with ability to issue certs or auto renew certs on the 
client
e) Some key management features (may be)
f) Host-based access control rules
g) Support of automount maps via LDAP

This is a realistic view of what IPA v2 might end up being.
We will continue on the project.
We are already looking into post IPA v2 features related to Kerberos and 
Samba.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

