[Freeipa-users] Newbie problems

Rob Crittenden rcritten at redhat.com
Mon Mar 9 14:37:54 UTC 2009


Per Qvindesland wrote:
> Hi list,
> 
> I have finally managed to install IPA on a Centos 5.2 server and it's
> working just fine, but I am having some questions that I hope I can get
> answers to.
> 
> 1. if I add in a new group through the web interface will it then be the
> same as an ou? Since we have multiple servers here dealing with multiple
> countries I would like to add in an ou for each country and add users to each
> country's ou, not sure but would it then be something like
> ou=no,dc=company,dc=com

No, currently we have a very flat tree layout. Do you want this for 
performance reasons or to apply an organization onto the tree? We 
purposely selected a flat tree because organizations are constantly 
reorganizing, people move, etc. Storing the data to reflect the 
organization of the company doesn't really buy you much more than a lot 
of pain (IMHO).

You can add ou to each entry without it being part of the DN though.

> 
> 2. Can I configure each server to log on with ldap so it would be
> ou=no,dc=company,dc=com and ldap://ipaserver.company.com or must I use the
> client?

I'm not sure I understand the question.

> 
> 3. How can I configure it so that I don't have to use a Kerberos login but
> get a login page so no single login.

You can set KrbMethodK5Passwd to "on" in /etc/httpd/conf.d/ipa.conf to 
have the UI fall back to username/password. This hasn't been very well 
tested so we'd appreciate any feedback on this.

> 4. can I configure it so that a normal person can add in a user for his/her
> own country without being added into the admins group?

You'd have to write an LDAP ACI to allow this. The current delegation 
system is very limited and I don't think it would do what you want.

I think something like:

aci: (targetattr = "c")(version 3.0; acl "Self can write own country"; 
allow (write) userdn="ldap:///self";)

> 
> 5. is there any way to configure it to set the username as the default
> password on creation and then when the user logs on the first time the user
> has to change the password?

Not without code changes, no. The patch looks something like:

--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -623,6 +623,9 @@ class IPAServer:
          if user.get('gn'):
              del user['gn']

+        if not user.get('userpassword'):
+            user['userpassword'] = user['uid']
+

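Review bot: The hunk only covers the first half of item 5: when no userpassword is supplied it copies user['uid'] into user['userpassword'], but nothing here marks that password as expired, so the "must change on first login" part of the question is not addressed and an account created this way keeps username-as-password until someone resets it. Suggest pairing the default with whatever expires the new password, or at minimum noting that in the commit message. Also, `user['uid']` is indexed directly while `userpassword` is fetched with `.get()`; if uid can be absent at this point the branch raises KeyError, so `user.get('uid')` with a guard would be safer.
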
rob

> 
> I have looked but I can't find anything about this in the manual so I am
> really hoping that someone could help me out here.
> 
> Kind regards
> Per Qvindesland
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
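
Rob's answer to item 4 points at writing an LDAP ACI. As an added example, not from this thread or the FreeIPA code base, the helper below builds such an ACI so that members of one country's user-admin group can add user entries, but only entries whose country attribute matches. The cn=users,cn=accounts and cn=groups,cn=accounts containers under the suffix and the `<cc>-useradmins` group name are assumptions; the targetfilter is what keeps the delegation from becoming "can add any user at all".

```python
"""Per-country delegation ACI for a FreeIPA (389 DS) directory.

Added example, not from the thread or the FreeIPA project. Assumes the
flat tree Rob describes: users under cn=users,cn=accounts,<suffix>, groups
under cn=groups,cn=accounts,<suffix>. The "<cc>-useradmins" group name is
a constructed placeholder.
"""

import re

SUFFIX = "dc=company,dc=com"  # suffix used in the thread, constructed here


def country_delegation_aci(cc, suffix=SUFFIX):
    """Return an ACI letting <cc>-useradmins add user entries whose
    c (country) attribute equals <cc>. Without the targetfilter the group
    could create users for every country, not just its own."""
    cc = cc.lower()
    if not re.fullmatch(r"[a-z]{2}", cc):
        raise ValueError("expected a two-letter country code, got %r" % cc)
    target = "ldap:///uid=*,cn=users,cn=accounts,%s" % suffix
    groupdn = "ldap:///cn=%s-useradmins,cn=groups,cn=accounts,%s" % (cc, suffix)
    return (
        '(target="%s")(targetfilter="(c=%s)")(targetattr="*")'
        '(version 3.0; acl "%s user admins can add %s users"; '
        'allow (add) groupdn="%s";)'
        % (target, cc, cc.upper(), cc.upper(), groupdn)
    )


def delegation_ldif(cc, suffix=SUFFIX):
    """LDIF that attaches the ACI to the users container; apply it with
    ldapmodify as Directory Manager."""
    return "\n".join([
        "dn: cn=users,cn=accounts,%s" % suffix,
        "changetype: modify",
        "add: aci",
        "aci: %s" % country_delegation_aci(cc, suffix),
        "",
    ])


def aci_country_scope(aci):
    """Review check for an existing ACI: return the country code its
    targetfilter restricts adds to, or None if it is unscoped."""
    m = re.search(r'\(targetfilter="\(c=([a-z]{2})\)"\)', aci)
    return m.group(1) if m else None
```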
