[Freeipa-devel] Purpose of default user group

Simo Sorce simo at redhat.com
Tue Mar 10 16:42:48 UTC 2015


On Tue, 2015-03-10 at 16:01 +0100, Jakub Hrozek wrote:
> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
> > On 03/10/2015 03:27 PM, Rob Crittenden wrote:
> > > Petr Vobornik wrote:
> > >> Hi,
> > >>
> > >> I would like to ask what is the purpose of a default user group - by
> > >> default ipausers? Default group is also a required field in ipa config.
> > > 
> > > To be able to apply some (undefined) group policy to all users. I'm not
> > > aware that it has ever been used for this.
> > 
> > I would also be interested in the use cases, especially given all the pain we have
> > with ipausers and large user bases. Especially that for current policies (SUDO,
> > HBAC, SELinux user policy), we always have other means to specify "all users".
> 
> yes, but those means usually specify both AD and IPA users, right?
> 
> I always thought "ipausers" is a handy shortcut for selecting IPA users
> only and not AD users.

We should probably turn ipausers into a fully virtual group that is
added to the user's Authorization data in the KDC (MS-PAC or in future
PAD).
This way it will be possible to reference it in sssd but will not create
issues with memberships in the server.

But we need the PAD first, I guess.
(we could do something with authentication indicators too, but that
would be a hack).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York