[Freeipa-users] Non-human users
John Dennis
jdennis at redhat.com
Fri Feb 15 20:42:19 UTC 2013
On 02/15/2013 02:23 PM, Orion Poplawski wrote:
> On 02/15/2013 12:01 PM, Orion Poplawski wrote:
>>
>> I've been trying to track down any bugs I may have filed without success, but
>> I'm pretty sure I tried at first adding a system user to LDAP groups and that
>> not working unless the system user was in LDAP. This may have been before I
>> started using SSSD on the servers so I'll need to retest this.
>
> This still appears to be the case. As soon as I removed the system user from
> our current ldap database, id now longer reported any other group memberships.
> This is with the default using "memberUid" for group membership. With the
> IPA schema of recording group membership with the full dn, it seems the user
> would have to be in the database to have a dn.
Yes you're right, the user has to exist in LDAP in order to be a member
of a group managed in LDAP.
If your goal is not to have system users returned in a ldap search
you'll have to filter them (e.g. adding (uid >= 1024) to the search
filter because system users are usually less than some magic number, it
used to be 512, now it's 1024 I believe). Adding that (or some other
filter criteria) to every LDAP client in your enterprise is probably not
viable.
I don't think setting ACL's to prevent specific users from being
returned in searches is viable either because they need to visible
during the operations they're involved in.
The problem as I see it is that IPA by design stores users in a "flat"
namespace. That means you cannot partition users by putting them in
different LDAP containers (trees). During the design of IPA the issue of
whether we would use a flat namespace or permit different namespaces
(via LDAP containers, conventionally called organizational units, i.e.
OU's) came up. There was a sentiment that OU's had historically been
problematic, hence we have a flat namespace and partitioning would be
done via filtering. Thus only thing I can suggest at the moment is
filtering, perhaps others have a better idea.
Your other alternative is not put these system users in LDAP and instead
use local users & groups managed via some other mechanism (puppet?).
I'm not sure this issue has come up before, it does present some
interesting issues.
John
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-users
mailing list