[Freeipa-devel] Purpose of default user group

Petr Spacek pspacek at redhat.com
Tue Mar 10 15:57:52 UTC 2015


On 10.3.2015 16:55, Alexander Bokovoy wrote:
> On Tue, 10 Mar 2015, Petr Spacek wrote:
>> On 10.3.2015 16:01, Jakub Hrozek wrote:
>>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>>> Petr Vobornik wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I would like to ask what the purpose of the default user group is (by
>>>>>> default, ipausers). The default group is also a required field in ipa config.
>>>>>
>>>>> To be able to apply some (undefined) group policy to all users. I'm not
>>>>> aware that it has ever been used for this.
>>>>
>>>> I would also be interested in the use cases, especially given all the pain we
>>>> have with ipausers and large user bases. Especially since for current policies
>>>> (SUDO, HBAC, SELinux user policy), we always have other means to specify "all
>>>> users".
>>>
>>> Yes, but those means usually specify both AD and IPA users, right?
>>>
>>> I always thought "ipausers" is a handy shortcut for selecting IPA users
>>> only and not AD users.
>>
>> I always thought that "ipausers" is the equivalent of "domain users" in the AD
>> world (compare with "Trusted domain users").
>>
>> In my admin life I considered "domain users" to be a useful alias for real
>> authenticated user accounts (compare with "Everyone" = even unauthenticated
>> access, "Authenticated users" = includes machine accounts too).
>>
>>
>> Moreover, getting rid of ipausers does not help with the 'big groups problem' in
>> any way. E.g. at a university you are almost inevitably going to have groups
>> like 'students' which will contain more than 90 % of users anyway.
> For what use do we need this distinction in IPA itself?
> - ACIs (permissions) have a separate notion to describe the
>   anonymous/any-authenticated dichotomy
> - HBAC has an 'all' category for users, which in the HBAC context means all
>   authenticated users
> 
> Where else would we need ipausers, other than as a default POSIX group, for
> which we are not using it?

Ah, it is not a POSIX group? Too bad. I was using AD "domain users" for file
permissions, so a POSIX group equivalent is what I had in mind.

-- 
Petr^2 Spacek
