[Freeipa-devel] Purpose of default user group

Martin Kosek mkosek at redhat.com
Tue Mar 10 16:29:59 UTC 2015


On 03/10/2015 05:08 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Tue, 10 Mar 2015, Petr Spacek wrote:
>>> On 10.3.2015 16:01, Jakub Hrozek wrote:
>>>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>>>> Petr Vobornik wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I would like to ask what is the purpose of the default user group - by
>>>>>>> default ipausers? Default group is also a required field in ipa
>>>>>>> config.
>>>>>>
>>>>>> To be able to apply some (undefined) group policy to all users. I'm
>>>>>> not aware that it has ever been used for this.
>>>>>
>>>>> I would also be interested in the use cases, especially given all the
>>>>> pain we have with ipausers and large user bases. Especially that for
>>>>> current policies (SUDO, HBAC, SELinux user policy), we always have
>>>>> other means to specify "all users".
>>>>
>>>> yes, but those means usually specify both AD and IPA users, right?
>>>>
>>>> I always thought "ipausers" is a handy shortcut for selecting IPA users
>>>> only and not AD users.
>>>
>>> I always thought that "ipausers" is an equivalent of "domain users" in AD
>>> world (compare with "Trusted domain users").
>>>
>>> In my admin life I considered "domain users" to be a useful alias for real
>>> authenticated user accounts (compare with "Everyone" = even
>>> unauthenticated access, "Authenticated users" = includes machine
>>> accounts too.)
>>>
>>>
>>> Moreover, getting rid of ipausers does not help with the 'big groups
>>> problem' in any way. E.g. at a university you are almost inevitably
>>> going to have groups like 'students' which will contain more than 90 %
>>> of users anyway.
>> For what use we need this distinction in IPA itself?
>> - ACI (permissions) have separate notion to describe
>>  anonymous/any authenticated dichotomy
>> - HBAC has 'all' category for users which in HBAC context means all
>>  authenticated users
>>
>> Where else would we need ipausers other than as the default POSIX group,
>> which we are not using it for?
> 
> 
> Petr's point is that deleting ipausers is a short-term solution that
> ignores the underlying problem.
> 
> But yeah, ipausers is a solution looking for a problem AFAIK. It was a
> future-proofing move because if we ever decided we needed one, slurping
> in all the users at once and adding them to some common group would be
> time-consuming.

I wonder if it would help if these special groups did not have explicit members
defined, but were more descriptive. Something like DS Dynamic Groups [1]. If we
could define ipausers as all users in this container having this objectclass,
DS and SSSD would take care of the rest.

I am not sure if it would help with performance, but it would at least make
managing the membership easier. I am also not sure how we would create the
group for AD users.

[1] https://fedorahosted.org/389/ticket/128
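
As an added illustration of the dynamic-group idea in the message above (this is example code, not FreeIPA or 389-DS code, and not part of the original thread): a group that has no stored member list but a memberURL of the RFC 4516 form 389-DS uses for groupOfURLs, resolved client-side against a few constructed directory entries. The container DNs (cn=users,cn=accounts,...) are assumptions modelled on FreeIPA's layout, the entries are invented, and the filter evaluator covers only equality, presence, &, | and !.

```python
"""Evaluate an LDAP dynamic group (groupOfURLs / memberURL) client-side.

Added example, not FreeIPA or 389-DS code.  Entries below are constructed;
the DIT layout (cn=users,cn=accounts,...) is an assumption modelled on
FreeIPA's.  Entries are plain dicts with lower-cased attribute names.
"""
from urllib.parse import unquote


def normalize_dn(dn):
    """Lower-case a DN and strip spaces around RDN separators.

    Naive: assumes no escaped commas inside attribute values, which holds for
    the constructed entries here but not for arbitrary DNs.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_member_url(url):
    """Split 'ldap:///<base>?<attrs>?<scope>?<filter>' (RFC 4516, host-less).

    Returns (normalized base DN, scope, filter); the attribute list is ignored.
    """
    prefix = "ldap:///"
    if not url.startswith(prefix):
        raise ValueError("only ldap:/// memberURL values are supported")
    parts = url[len(prefix):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, filt = (unquote(p) for p in parts[:4])
    return normalize_dn(base), (scope or "base").lower(), filt or "(objectClass=*)"


def in_scope(dn, base, scope):
    """Is the (normalized) entry DN selected by base + search scope?"""
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    if scope == "sub":
        return True
    if scope in ("one", "onelevel"):
        # exactly one RDN below the base, counting RDNs by separator
        return dn.count(",") == base.count(",") + 1
    raise ValueError(f"unknown scope {scope!r}")


def parse_filter(text):
    """Parse an RFC 4515 subset: (attr=value), (attr=*), (&...), (|...), (!...)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("truncated filter")
        op = text[pos]
        if op in "&|":
            pos += 1
            items = []
            while pos < len(text) and text[pos] == "(":
                items.append(node())
            expect(")")
            return (op, items)
        if op == "!":
            pos += 1
            inner = node()
            expect(")")
            return ("!", inner)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = tree[0]
    if op == "&":
        return all(matches(t, entry) for t in tree[1])
    if op == "|":
        return any(matches(t, entry) for t in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":  # presence filter
        return bool(values)
    return value.lower() in (v.lower() for v in values)


def dynamic_members(member_url, entries):
    """DNs of the entries a memberURL selects, sorted."""
    base, scope, filt = parse_member_url(member_url)
    tree = parse_filter(filt)
    return sorted(e["dn"] for e in entries
                  if in_scope(normalize_dn(e["dn"]), base, scope) and matches(tree, e))


SAMPLE_ENTRIES = [  # constructed sample directory content, not a real export
    {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
     "objectclass": ["top", "person", "posixAccount"], "uid": ["alice"]},
    {"dn": "uid=bob,cn=users,cn=accounts,dc=example,dc=test",
     "objectclass": ["top", "person", "posixAccount"], "uid": ["bob"],
     "nsaccountlock": ["TRUE"]},  # disabled account
    {"dn": "uid=eve,cn=staging,cn=users,cn=accounts,dc=example,dc=test",
     "objectclass": ["top", "person", "posixAccount"], "uid": ["eve"]},
    {"dn": "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test",
     "objectclass": ["top", "groupOfURLs"], "cn": ["ipausers"]},
]

# hypothetical memberURL values such a group could carry
URL_ONE = "ldap:///cn=users,cn=accounts,dc=example,dc=test??one?(objectClass=posixAccount)"
URL_SUB = ("ldap:///cn=users,cn=accounts,dc=example,dc=test??sub?"
           "(&(objectClass=posixAccount)(!(nsAccountLock=TRUE)))")

if __name__ == "__main__":
    for url in (URL_ONE, URL_SUB):
        print(url, "->", dynamic_members(url, SAMPLE_ENTRIES))
```

389-DS expands memberURL on the server; the evaluation is done by hand here only to make the mechanics visible: membership becomes a (base, scope, filter) search rather than a stored member list, so nothing has to be written when a user is added, and the same URL can exclude disabled accounts (the nsAccountLock clause) or pick one container level (scope one excludes the constructed staging sub-container). It also shows the limit Martin raises for AD users: a memberURL can only select entries that actually exist under the chosen base in the directory.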



