[Freeipa-devel] Purpose of default user group

Rob Crittenden rcritten at redhat.com
Tue Mar 10 16:08:21 UTC 2015


Alexander Bokovoy wrote:
> On Tue, 10 Mar 2015, Petr Spacek wrote:
>> On 10.3.2015 16:01, Jakub Hrozek wrote:
>>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>>> Petr Vobornik wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I would like to ask what the purpose of the default user group (by
>>>>>> default, ipausers) is. The default group is also a required field in
>>>>>> the ipa config.
>>>>>
>>>>> To be able to apply some (undefined) group policy to all users. I'm
>>>>> not aware that it has ever been used for this.
>>>>
>>>> I would also be interested in the use cases, especially given all the
>>>> pain we have with ipausers and large user bases. Especially since for
>>>> current policies (SUDO, HBAC, SELinux user policy) we always have other
>>>> means to specify "all users".
>>>
>>> Yes, but those means usually specify both AD and IPA users, right?
>>>
>>> I always thought "ipausers" is a handy shortcut for selecting IPA users
>>> only and not AD users.
>>
>> I always thought that "ipausers" is the equivalent of "domain users" in
>> the AD world (compare with "Trusted domain users").
>>
>> In my admin life I considered "domain users" to be a useful alias for
>> real authenticated user accounts (compare with "Everyone" = even
>> unauthenticated access, "Authenticated users" = includes machine
>> accounts too).
>>
>> Moreover, getting rid of ipausers does not help with the 'big groups
>> problem' in any way. E.g. at a university you are almost inevitably
>> going to have groups like 'students' which will contain more than 90 %
>> of users anyway.
> For what use do we need this distinction in IPA itself?
> - ACIs (permissions) have a separate notion to describe the
>   anonymous/any-authenticated dichotomy
> - HBAC has an 'all' category for users, which in the HBAC context means
>   all authenticated users
>
> Where else would we need ipausers other than as the default POSIX group,
> which we are not using it for?


Petr's point is that deleting ipausers is a short-term solution that
ignores the underlying problem.

But yeah, ipausers is a solution looking for a problem AFAIK. It was a
future-proofing move because if we ever decided we needed one, slurping
in all the users at once and adding them to some common group would be
time-consuming.

rob
