<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/03/2015 01:51 AM, Brian Topping
wrote:<br>
</div>
<blockquote
cite="mid:654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com"
type="cite">Great work on 4.1.0! As a CentOS user, I am able to
convey the 3.x -> 4.1.0 upgrade went smoothly via the CentOS
7.0 -> 7.1 upgrade on my replicated pair of IPA instances.
<div class=""><br class="">
</div>
<div class="">Question about proper setup of service accounts: I
see that the service accounts I set up under "cn=etc,
cn=sysaccounts" are still able to log in, but the permission
changes have left them unable to read anything. Previously, I
hacked the ACLs on the domain root. I would like to believe
that's not how it should be done.</div>
<div class=""><br class="">
</div>
<div class="">That said, I was surprised that service accounts are
not supported in 4.x UI, so I wonder if service accounts (<a
moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html"
class="">https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html</a>)
are the wrong way for services like Postfix to be doing LDAP
queries.</div>
<div class=""><br class="">
</div>
</blockquote>
<br>
The ACIs changed because we tightened them for the read permissions.<br>
I hope you would be able to change them so that your service account
works again.<br>
Here is the root page of the changes that we implemented.<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/Permissions_V2">http://www.freeipa.org/page/V4/Permissions_V2</a><br>
<br>
System account is probably the right one for Postfix.<br>
<br>
It is not in the UI and CLI because other features take precedence.
We acknowledge that it needs to be added; we just do not have enough
time and resources to do it.<br>
When we looked at 4.2 we assessed it too, and it was on the
borderline with a good chance of not happening, sorry.<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<blockquote
cite="mid:654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com"
type="cite">
<div class="">Thanks, Brian</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>