[Freeipa-users] IPA Service accounts (Bind accounts)

Dale Macartney dale at themacartneyclan.com
Sat Jun 2 23:01:58 UTC 2012


On 02/06/12 20:31, Alexander Bokovoy wrote:
> On Sat, 02 Jun 2012, Dale Macartney wrote:
>>
>> Evening all
>>
>> What's the recommended method for using service accounts with IPA?
>>
>> For example, using a piece of software that needs to bind to LDAP (aka
>> Zimbra, Moodle, Joomla, etc), having a password expiry on that specific
>> bind user would result in the application constantly needing the
>> password changed.
>>
>> I can see that you can modify the default password policy (I personally
>> don't want to change this as this works for my requirements), and also
>> have the ability to create additional pw policies if needed.
>>
>> What's the best method to create a user, however have that password for
>> the new user that never expires? Am I thinking along the right lines of
>> using a different pw policy for the service accounts?
> A recommended way is to use system accounts. See, for example, how it is
> set up for sudo (section 13.4.1):
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
> We have this particular case covered with the following sudobind.ldif file
> (available in /usr/share/ipa/sudobind.ldif on the IPA server):
> ---------------
> #SUDO bind user
> dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: sudo
> userPassword: $RANDOM_PASSWORD
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
> ---------------
>
> As you can see, it has the SimpleSecurityObject and Account object classes, and
> the password is set to expire at the end of Unix time. You'd also need to
> add appropriate ACIs to limit what such an account could perform against
> IPA's LDAP store.
>
> We use this method for passync (AD replication), sudo integration,
> and will use it also for cross-realm trusts with AD in FreeIPAv3,
> albeit a bit differently (by making a container in sysaccounts to
> include all 'AD agents' from IPA servers exposed via CIFS and limiting
> what they can do).
>
> A downside is that you don't see these system accounts through IPA UI/CLI,
> they are only managed manually.
>
Thanks very much Alexander, this worked brilliantly.

Dale
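The two pieces Alexander describes, the sysaccounts entry and the ACI that limits it, rendered as LDIF by an added example script (not from the thread or from FreeIPA). The entry follows the quoted sudobind.ldif; the ACI syntax and the `cn=users,cn=accounts,$SUFFIX` target are assumptions based on 389-ds/FreeIPA conventions, and the attribute list is a constructed sample.

```python
"""Render LDIF for an IPA system (bind) account plus a read-only ACI for it."""
import secrets

# Template taken from the sudobind.ldif quoted in the thread; uid parameterised.
SYSACCOUNT_TEMPLATE = """\
dn: uid={uid},cn=sysaccounts,cn=etc,{suffix}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: {uid}
userPassword: {password}
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
"""

# Attributes a bind account must never be granted to read (assumed list).
FORBIDDEN_ATTRS = {"userpassword", "krbprincipalkey", "krbmkey", "ipantthash"}

def random_password(nbytes=32):
    """Stand-in for $RANDOM_PASSWORD: CSPRNG-backed, URL-safe, 43 chars."""
    return secrets.token_urlsafe(nbytes)

def sysaccount_ldif(uid, suffix, password=None):
    """Fill the sudobind.ldif template for an application bind account."""
    if not uid.isalnum():
        raise ValueError("uid must be alphanumeric to keep the DN unambiguous")
    return SYSACCOUNT_TEMPLATE.format(uid=uid, suffix=suffix,
                                      password=password or random_password())

def readonly_aci_ldif(uid, suffix, attrs=("uid", "cn", "mail", "memberOf")):
    """389-ds style ACI (assumed syntax) on the users container granting the
    sysaccount read/search/compare on the listed attributes and nothing else."""
    if FORBIDDEN_ATTRS & {a.lower() for a in attrs}:
        raise ValueError("refusing to expose credential attributes to a bind account")
    bind_dn = f"ldap:///uid={uid},cn=sysaccounts,cn=etc,{suffix}"
    aci = (f'(targetattr = "{" || ".join(attrs)}")'
           f'(version 3.0; acl "Read-only access for {uid} bind account"; '
           f'allow (read, search, compare) userdn = "{bind_dn}";)')
    return f"dn: cn=users,cn=accounts,{suffix}\nchangetype: modify\nadd: aci\naci: {aci}\n"

def ldif_attrs(ldif):
    """Parse a single-entry LDIF into {attr_lowercase: [values]} for checking."""
    out = {}
    for line in ldif.splitlines():
        if line and not line.startswith("#"):
            key, value = line.split(": ", 1)
            out.setdefault(key.lower(), []).append(value)
    return out

if __name__ == "__main__":
    suffix = "dc=example,dc=com"  # constructed sample suffix
    print(sysaccount_ldif("zimbra", suffix))
    print(readonly_aci_ldif("zimbra", suffix))
```

Feed both outputs to `ldapmodify -x -D "cn=Directory Manager" -W` against the IPA server; as the thread notes, the resulting account is invisible to the IPA UI/CLI and is managed only this way.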

