[Freeipa-users] RHEV-M + service accounts in IPA

Rob Crittenden rcritten at redhat.com
Wed Sep 5 14:53:50 UTC 2012


Dale Macartney wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On 05/09/12 13:39, Rob Crittenden wrote:
>> Dale Macartney wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Afternoon all
>>>
>>> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3 (
>>> ipa-server-2.2-16)
>>>
>>> I have an API script that handles all my deployments and I am trying to
>>> set up a role account for my script to run within a Jenkins environment.
>>>
>>> I have created an LDAP sysaccount; however, that doesn't appear in the
>>> RHEV users list when I do a search. So it's clear it's looking for
>>> specific IPA users.
>>>
>>> Is there a way (or on the roadmap), to create service/role accounts in
>>> IPA where the password doesn't expire?
>>>
>>> I'm trying to avoid scenarios like this
>>>
>>> https://access.redhat.com/knowledge/solutions/67562
>>>
>>> Any comments / suggestions are welcome
>>>
>>> Thanks everyone
>>>
>>> Dale
>>>
>>
>> A work-around is to set krbPasswordExpiration of the user somewhere
>> far in the future to prevent expiration.
> That'll work. Do I need to do anything fancy though? I tried running
> the below on a new user called rhev-build but it keeps erroring out. I
> know I have a current TGT otherwise I wouldn't be able to add the user
> in the first place.
>
> [root@ds01 ~]# ipa user-mod rhev-build --setattr=krbPasswordExpiration=20131231011529Z
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'krbPasswordExpiration' attribute of entry
> 'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
> [root@ds01 ~]#

We don't let admins muck with the expiration date. Please file an RFE 
ticket if you'd like that capability.

You'll have to resort to ldapmodify:

$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20131231011529Z

modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"

You might want to consider 2037 as the year. 2014 will be here before 
you know it.

rob

>
>>
>> We have a ticket open on this,
>> https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
>> 3.3.
> Good to know its on its way. This is a demo lab so setting a long
> password expiry addresses my needs.
>>
>> rob
>
>
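An added example (not from the thread, and not FreeIPA's own tooling): a small POSIX shell helper that builds the same LDIF Rob feeds to ldapmodify, for one or more service accounts at once, after checking that the expiry value is a well-formed UTC GeneralizedTime (YYYYmmddHHMMSSZ), lies in the future, and stays below 2038-01-19 03:14:07 UTC, the largest instant a signed 32-bit time_t can hold. That limit is my reading of the "consider 2037" hint above, not something the thread states. The base DN dc=example,dc=com and the uids rhev-build and jenkins-deploy are placeholders.

```shell
#!/bin/sh
# Added example: generate an LDIF that pushes krbPasswordExpiration far into
# the future for IPA user entries, with the timestamp validated first.
# Assumptions: base DN and uids below are placeholders for your own directory.

# Last second representable in a signed 32-bit time_t (2038-01-19 03:14:07 UTC).
TIME_T32_LIMIT="20380119031407Z"

# check_expiry STAMP
# Returns 0 when STAMP is "YYYYmmddHHMMSSZ" with a plausible month/day/hour,
# is later than the current UTC time, and is below TIME_T32_LIMIT.
check_expiry() {
  stamp=$1
  # Shape: exactly 14 digits followed by a literal Z.
  expr "$stamp" : '[0-9]\{14\}Z$' >/dev/null || return 1
  month=$(printf '%s' "$stamp" | cut -c5-6)
  day=$(printf '%s' "$stamp" | cut -c7-8)
  hour=$(printf '%s' "$stamp" | cut -c9-10)
  [ "$month" -ge 1 ] && [ "$month" -le 12 ] || return 1
  [ "$day" -ge 1 ] && [ "$day" -le 31 ] || return 1
  [ "$hour" -le 23 ] || return 1
  # A stamp in the past would expire the password immediately.
  now=$(date -u +%Y%m%d%H%M%SZ)
  expr "$stamp" \> "$now" >/dev/null || return 1
  # Fixed-width digits, so a string comparison orders the stamps correctly.
  expr "$stamp" \< "$TIME_T32_LIMIT" >/dev/null || return 1
  return 0
}

# build_expiry_ldif BASE_DN STAMP UID...
# Prints one "replace: krbPasswordExpiration" modify record per uid, in the
# layout ldapmodify expects (records separated by a blank line).
build_expiry_ldif() {
  base=$1
  stamp=$2
  shift 2
  check_expiry "$stamp" || { echo "rejecting expiry value: $stamp" >&2; return 1; }
  for uid in "$@"; do
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: %s\n\n' \
      "$uid" "$base" "$stamp"
  done
}

# Typical use, binding as Directory Manager because admins cannot write this attribute:
#   ./expiry-ldif.sh dc=example,dc=com 20371231235959Z rhev-build jenkins-deploy \
#     | ldapmodify -x -D 'cn=directory manager' -W
if [ "$#" -ge 3 ]; then
  build_expiry_ldif "$@"
fi
```

The generated records only change krbPasswordExpiration; everything else about the account stays as IPA created it. Because the password then never rotates on its own, treat such an account like any long-lived credential: give it only the RHEV role it needs and rotate it on your own schedule.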