[Freeipa-devel] Purpose of default user group

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 10 17:00:29 UTC 2015


On Tue, 10 Mar 2015, Simo Sorce wrote:
>On Tue, 2015-03-10 at 16:01 +0100, Jakub Hrozek wrote:
>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>> > On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>> > > Petr Vobornik wrote:
>> > >> Hi,
>> > >>
>> > >> I would like to ask what the purpose of the default user group is - by
>> > >> default ipausers? The default group is also a required field in ipa config.
>> > >
>> > > To be able to apply some (undefined) group policy to all users. I'm not
>> > > aware that it has ever been used for this.
>> >
>> > I would also be interested in the use cases, especially given all the pain we have
>> > with ipausers and large user bases. Especially since for current policies (SUDO,
>> > HBAC, SELinux user policy), we always have other means to specify "all users".
>>
>> yes, but those means usually specify both AD and IPA users, right?
>>
>> I always thought "ipausers" is a handy shortcut for selecting IPA users
>> only and not AD users.
>
>We should probably turn ipausers into a fully virtual group that is
>added to the user's Authorization data in the KDC (MS-PAC or in future
>PAD).
>This way it will be possible to reference it in sssd but will not create
>issues with memberships in the server.
>
>But we need the PAD first, I guess.
>(we could do something with authentication indicators too, but that
>would be a hack).
Yep. If we need ipausers for POSIX context interpretation on IPA
clients, PAD would be our choice as we already do with MS-PAC for AD
users.

Within the LDAP server, if we want to address all IPA users to do some mass
operations on them, I think we probably should have some specialized
control that would give 389-ds a chance to optimize building this list
of users before applying an operation to them. This would be something
non-standard but more efficient than what we are doing right now.
-- 
/ Alexander Bokovoy