[Freeipa-users] Non-human users

John Dennis jdennis at redhat.com
Fri Feb 15 17:52:06 UTC 2013


On 02/15/2013 12:32 PM, Orion Poplawski wrote:
> On 02/15/2013 09:45 AM, Petr Viktorin wrote:
>> On 02/15/2013 05:36 PM, Orion Poplawski wrote:
>>> Is there a recommended way to distinguish between "real" human user
>>> accounts in IPA and non-human "system" accounts in IPA?
>>>
>>
>> What kind of system accounts do you have in IPA? Consider not storing them in
>> IPA at all.
>>
>
> Yeah, that seems like the better idea, but:
>
> I think the main issue we've run into is needing the apache user to be a
> member of groups in ldap, and that not working unless the apache user was in
> ldap as well.
>
> Another example is a backup user account that backup software logs in as.
>
> Also some accounts that own files and some services run as that are needed on
> multiple machines.  I suppose we could use puppet to manage those, but ldap
> seems more convenient.
>

Generally system users do not need accounts. Most daemons define a 
system user only for the purposes of having a uid they can drop 
privileges to after starting as root. These users typically do not have 
shells (technically their shell is /sbin/nologin) nor home directories. 
Also these system accounts typically have fixed, well-known uids. Also 
these system users are automatically created when you install the 
package. Thus there is little point in trying to manage them. If you 
find yourself with a need to manage them, step back and ask yourself why.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
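
The criteria in the reply above (no login shell, a fixed low uid, no real home directory) can be turned into a quick audit of which accounts look human and which do not. The script below is an added example for this thread; it is not code from FreeIPA or from any participant. It classifies passwd-style entries into three kinds: "system" for packaged daemon users in the reserved uid range, "service" for directory-managed non-human accounts such as the backup user mentioned earlier (high uid, but nologin shell or no home under /home), and "human" for everything else. The boundary SYS_UID_MAX = 999, the /home/ prefix test, the shell list and the sample entries are all assumptions made for the example.

```python
# Added example for the Freeipa-users "Non-human users" thread; not code
# from FreeIPA or from any participant. Applies the heuristics from the
# reply (nologin shell, fixed low uid, no user home) to passwd(5) lines.
from dataclasses import dataclass

SYS_UID_MAX = 999  # assumption: Fedora/RHEL default from login.defs; adjust locally
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample input, not real accounts. 'tomcat' is deliberately
# given an interactive shell so the review check below has something to flag.
SAMPLE_PASSWD = """\
# constructed sample for the example
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
tomcat:x:53:53:Tomcat:/usr/share/tomcat:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
backup:x:1234567:1234567:Backup service:/var/lib/backup:/sbin/nologin
"""


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse passwd(5)-style lines; blank lines and '#' comments are skipped."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), gecos, home, shell))
    return accounts


def classify(acct: Account) -> tuple:
    """Return (kind, reasons); kind is 'system', 'service' or 'human'.

    system : packaged daemon user with a fixed uid in the reserved range
    service: high uid but cannot log in interactively or has no user home
             (a directory-managed non-human account, e.g. a backup user)
    human  : interactive shell and a home directory under /home
    """
    reasons = []
    if acct.uid <= SYS_UID_MAX:
        reasons.append(f"uid {acct.uid} is in the reserved system range (<= {SYS_UID_MAX})")
        return "system", reasons
    if acct.shell in NOLOGIN_SHELLS:
        reasons.append(f"shell {acct.shell} refuses interactive login")
    if not acct.home.startswith("/home/"):
        reasons.append(f"home {acct.home} is not a user home directory")
    return ("service" if reasons else "human"), reasons


def report(text: str) -> dict:
    """Map account name -> kind for every entry in passwd-style text."""
    return {a.name: classify(a)[0] for a in parse_passwd(text)}


def interactive_system_accounts(text: str) -> list:
    """System-range accounts (other than root) that still carry a login shell.

    A daemon user exists only to have a uid to drop privileges to, so an
    interactive shell on one is worth a second look.
    """
    return [a.name for a in parse_passwd(text)
            if a.uid <= SYS_UID_MAX and a.uid != 0 and a.shell not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    for acct in parse_passwd(SAMPLE_PASSWD):
        kind, reasons = classify(acct)
        print(f"{acct.name:10} {kind:8} " + "; ".join(reasons))
    print("system accounts with a login shell:", interactive_system_accounts(SAMPLE_PASSWD))
```

On a live host the same parser accepts the output of getent passwd, which with SSSD resolves IPA users through the same interface for the names it is asked about (SSSD does not enumerate the directory by default), so the check can be run against both local and directory accounts.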
