[Freeipa-users] Newbie problems
Rob Crittenden
rcritten at redhat.com
Mon Mar 9 14:37:54 UTC 2009
Per Qvindesland wrote:
> Hi list,
>
> I have finally managed to install IPA on a CentOS 5.2 server and it's
> working just fine, but I am having some questions that I hope I can get
> answers to.
>
> 1. If I add in a new group through the web interface will it then be the
> same as an ou? Since we have multiple servers here dealing with multiple
> countries I would like to add in an ou for each country and add users to each
> country's ou, not sure but would it then be something like
> ou=no,dc=company,dc=com

No, currently we have a very flat tree layout. Do you want this for
performance reasons or to apply an organization onto the tree? We
purposely selected a flat tree because organizations are constantly
reorganizing, people move, etc. Storing the data to reflect the
organization of the company doesn't really buy you much more than a lot
of pain (IMHO).

You can add ou to each entry without having it part of the DN though.

>
> 2. Can I configure each server to log on with ldap so it would be
> ou=no,dc=company,dc=com and ldap://ipaserver.company.com or must I use the
> client?

I'm not sure I understand the question.

>
> 3. How can I configure it so that I don't have to use a Kerberos login but
> get a login page so no single login.

You can set KrbMethodK5Passwd to "on" in /etc/httpd/conf.d/ipa.conf to
have the UI fall back to username/password. This hasn't been very well
tested so we'd appreciate any feedback on this.

> 4. Can I configure it so that a normal person can add in a user for his/her
> own country without being added into the admins group?

You'd have to write an LDAP ACI to allow this. The current delegation
system is very limited and I don't think it would do what you want.

I think something like:

aci: (targetattr = "c")(version 3.0; acl "Self can write own country";
 allow (write) userdn="ldap:///self";)

>
> 5. Is there any way to configure it to set the username as the default
> password on creation and then when the user logs on the first time the user
> has to change the password?

Not without code changes, no. The patch looks something like:

--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -623,6 +623,9 @@ class IPAServer:
if user.get('gn'):
del user['gn']
+ if not user.get('userpassword'):
+ user['userpassword'] = user['uid']
+
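
Review bot: the value assigned at `user['userpassword'] = user['uid']` is derivable from the username, so every account created without a password can be logged into by anyone who knows the uid until its owner changes it, and nothing in these added lines forces that change at first login. Consider assigning a random one-time value instead, or marking the password as expired in the same code path so the default cannot be used beyond the first login. Note also that `if not user.get('userpassword')` fires for an empty string as well as a missing key, so a caller that passes '' gets the uid default rather than an error.
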
rob
>
> I have looked but I can't find anything about this in the manual so I am
> really hoping that someone could help me out here.
>
> Kind regards
> Per Qvindesland