[Freeipa-users] RHEV-M + service accounts in IPA

Dale Macartney dale at themacartneyclan.com
Wed Sep 5 14:43:29 UTC 2012



On 05/09/12 13:39, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> Afternoon all
>>
>> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3
>> (ipa-server-2.2-16).
>>
>> I have an API script that handles all my deployments and I am trying to
>> set up a role account for my script to run within a Jenkins environment.
>>
>> I have created an LDAP sysaccount, however that doesn't appear in the
>> RHEV users list when I do a search. So it's clear it's looking for
>> specific IPA users.
>>
>> Is there a way (or on the roadmap), to create service/role accounts in
>> IPA where the password doesn't expire?
>>
>> I'm trying to avoid scenarios like this
>>
>> https://access.redhat.com/knowledge/solutions/67562
>>
>> Any comments / suggestions are welcome
>>
>> Thanks everyone
>>
>> Dale
>>
>
> A work-around is to set krbpasswordexpiration of the user somewhere
> far in the future to prevent expiration.

That'll work. Do I need to do anything fancy though? I tried running
the below on a new user called rhev-build but it keeps erroring out. I
know I have a current TGT otherwise I wouldn't be able to add the user
in the first place.

[root@ds01 ~]# ipa user-mod rhev-build --setattr=krbPasswordExpiration=20131231011529Z
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbPasswordExpiration' attribute of entry
'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
[root@ds01 ~]#

>
> We have a ticket open on this,
> https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
> 3.3.

Good to know it's on its way. This is a demo lab so setting a long
password expiry addresses my needs.
>
> rob
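
An added example, not part of the original message or of FreeIPA: a small check that reads krbPasswordExpiration values from LDIF and lists role accounts whose password expires soon, so a far-future workaround date does not lapse unnoticed. The sample LDIF is constructed, the accounts other than rhev-build are hypothetical, and the function names are this example's own.

```python
from datetime import datetime, timezone

# Constructed sample LDIF (uid plus krbPasswordExpiration per entry).
# Only rhev-build and its timestamp come from the thread; the rest is made up.
SAMPLE_LDIF = """\
dn: uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com
uid: rhev-build
krbPasswordExpiration: 20131231011529Z

dn: uid=jenkins-deploy,cn=users,cn=accounts,dc=example,
 dc=com
uid: jenkins-deploy
krbPasswordExpiration: 20121001000000Z

dn: uid=no-expiry-attr,cn=users,cn=accounts,dc=example,dc=com
uid: no-expiry-attr
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per entry, unfolding continuation lines."""
    unfolded = text.replace("\n ", "")  # LDIF folds long lines as newline + space
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                entry[name.lower()] = value  # attribute names are case-insensitive
        yield entry

def parse_generalized_time(value):
    """Parse the UTC form YYYYMMDDHHMMSSZ used in the thread."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiring_accounts(ldif_text, now, warn_days=30):
    """Return (uid, days_left) pairs, soonest first, for expiry within warn_days."""
    hits = []
    for entry in parse_ldif(ldif_text):
        raw = entry.get("krbpasswordexpiration")
        if raw is None:  # attribute absent: nothing to evaluate
            continue
        days_left = (parse_generalized_time(raw) - now).days
        if days_left <= warn_days:  # negative means already expired
            hits.append((entry.get("uid", "?"), days_left))
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    now = datetime(2012, 9, 5, 14, 43, 29, tzinfo=timezone.utc)
    for uid, days in expiring_accounts(SAMPLE_LDIF, now):
        print(f"{uid}: password expires in {days} day(s)")
```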


