[Freeipa-devel] Purpose of default user group

Petr Spacek pspacek at redhat.com
Tue Mar 10 15:44:32 UTC 2015


On 10.3.2015 16:01, Jakub Hrozek wrote:
> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>> Petr Vobornik wrote:
>>>> Hi,
>>>>
>>>> I would like to ask what is the purpose of a default user group - by
>>>> default ipausers? The default group is also a required field in ipa config.
>>>
>>> To be able to apply some (undefined) group policy to all users. I'm not
>>> aware that it has ever been used for this.
>>
>> I would also be interested in the use cases, especially given all the pain we have
>> with ipausers and large user bases. Especially that for current policies (SUDO,
>> HBAC, SELinux user policy), we always have other means to specify "all users".
> 
> yes, but those means usually specify both AD and IPA users, right?
> 
> I always thought "ipausers" is a handy shortcut for selecting IPA users
> only and not AD users.

I always thought that "ipausers" is an equivalent of "domain users" in the AD
world (compare with "Trusted domain users").

In my admin life I considered "domain users" to be a useful alias for real
authenticated user accounts (compare with "Everyone" = even unauthenticated
access, "Authenticated users" = includes machine accounts too.)


Moreover, getting rid of ipausers does not help with the 'big groups problem' in
any way. E.g. at university you are almost inevitably going to have groups
like 'students' which will contain more than 90 % of users anyway.

-- 
Petr^2 Spacek



