[Freeipa-users] RHEV-M + service accounts in IPA

Dmitri Pal dpal at redhat.com
Fri Sep 7 19:00:58 UTC 2012


On 09/05/2012 10:53 AM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> On 05/09/12 13:39, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>> Afternoon all
>>>>
>>>> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3 (
>>>> ipa-server-2.2-16)
>>>>
>>>> I have an api script that handles all my deployments and I am
>>>> trying to
>>>> set up a role account for my script to run within a jenkins
>>>> environment.
>>>>
>>>> I have created an ldap sysaccount, however that doesn't appear in the
>>>> RHEV users list when I do a search. So it's clear it's looking for
>>>> specific IPA users.
>>>>
>>>> Is there a way (or on the roadmap), to create service/role accounts in
>>>> IPA where the password doesn't expire?
>>>>
>>>> I'm trying to avoid scenarios like this
>>>>
>>>> https://access.redhat.com/knowledge/solutions/67562
>>>>
>>>> Any comments / suggestions are welcome
>>>>
>>>> Thanks everyone
>>>>
>>>> Dale
>>>>
>>>
>>> A work-around is to set krbpasswordexpiration of the user somewhere
>> far in the future to prevent expiration.
>> That'll work. Do I need to do anything fancy though? I tried running
>> the below on a new user called rhev-build but it keeps erroring out. I
>> know I have a current TGT otherwise I wouldn't be able to add the user
>> in the first place.
>>
>> [root at ds01 ~]# ipa user-mod rhev-build
>> --setattr=krbPasswordExpiration=20131231011529Z
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>> 'krbPasswordExpiration' attribute of entry
>> 'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
>> [root at ds01 ~]#
>
> We don't let admins muck with the expiration date. Please file an RFE
> ticket if you'd like that capability.

https://fedorahosted.org/freeipa/ticket/3062

>
> You'll have to resort to ldapmodify:
>
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20131231011529Z
>
> modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"
>
> You might want to consider 2037 as the year. 2014 will be here before
> you know it.
>
> rob
>
>>
>>>
>>> We have a ticket open on this,
>> https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
>> 3.3.
>> Good to know it's on its way. This is a demo lab so setting a long
>> password expiry addresses my needs.
>>>
>>> rob
>>
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

