[Freeipa-users] Non-human users
Orion Poplawski
orion at cora.nwra.com
Fri Feb 15 21:01:05 UTC 2013
On 02/15/2013 01:42 PM, John Dennis wrote:
> On 02/15/2013 02:23 PM, Orion Poplawski wrote:
>> On 02/15/2013 12:01 PM, Orion Poplawski wrote:
>>>
>>> I've been trying to track down any bugs I may have filed without success, but
>>> I'm pretty sure I tried at first adding a system user to LDAP groups and that
>>> not working unless the system user was in LDAP. This may have been before I
>>> started using SSSD on the servers so I'll need to retest this.
>>
>> This still appears to be the case. As soon as I removed the system user from
>> our current ldap database, id no longer reported any other group memberships.
>> This is with the default using "memberUid" for group membership. With the
>> IPA schema of recording group membership with the full dn, it seems the user
>> would have to be in the database to have a dn.
>
> Yes you're right, the user has to exist in LDAP in order to be a member of a
> group managed in LDAP.
>
> Your other alternative is not put these system users in LDAP and instead use
> local users & groups managed via some other mechanism (puppet?).
>
I've been testing with puppet, but that doesn't work. It detects the group's
presence in ldap, so doesn't add them to /etc/group, then when it goes to add
apache to the various groups, that fails. Possibly could be missing
functionality in puppet, but not a solution at the moment.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 http://www.nwra.com
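As an added illustration (not code from the thread, FreeIPA, SSSD or Puppet), a small Python model of the two membership schemas under discussion, memberUid versus IPA's DN-based member attribute, and of the two failure modes reported above: a system user removed from LDAP loses its LDAP group memberships, and a local usermod cannot add it to a group that only exists in LDAP. The base DN, user and group names, the /etc/group contents and the simplified NSS and usermod behaviour are all constructed for the example.

```python
"""Model of the two LDAP group-membership schemas discussed above
(rfc2307 memberUid vs. the DN-based member attribute IPA uses) and of
what a local-only system user gets out of each. Constructed example,
not FreeIPA, SSSD or Puppet code; all directory data is made up."""

from copy import deepcopy

USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"   # assumed suffix

# Constructed sample directory: two LDAP users and two LDAP groups.
LDAP_USERS = {
    "orion":  f"uid=orion,{USER_BASE}",
    "apache": f"uid=apache,{USER_BASE}",
}
GROUPS_MEMBERUID = {                       # rfc2307: bare uid strings
    "webdev": {"memberUid": ["orion", "apache"]},
    "wheel":  {"memberUid": ["orion"]},
}
GROUPS_MEMBERDN = {                        # IPA / rfc2307bis: full DNs
    "webdev": {"member": [LDAP_USERS["orion"], LDAP_USERS["apache"]]},
    "wheel":  {"member": [LDAP_USERS["orion"]]},
}
ETC_GROUP = {"wheel": ["root"]}            # constructed local /etc/group


def ldap_initgroups(uid, users, groups):
    """Groups the LDAP source reports for `uid`.

    The lookup is keyed on the user's own entry: a uid with no entry (a
    purely local account) gets no LDAP groups, matching the observation
    in the thread that removing the system user from LDAP made `id`
    stop reporting its other memberships even with memberUid."""
    dn = users.get(uid)
    if dn is None:
        return set()
    return {
        name for name, attrs in groups.items()
        if uid in attrs.get("memberUid", ()) or dn in attrs.get("member", ())
    }


def ldap_add_member(groups, group, uid, users):
    """Add `uid` to an LDAP group. memberUid accepts any string; a
    DN-based group needs the user entry to exist so a DN can be written.
    Returns True on success."""
    attrs = groups[group]
    if "memberUid" in attrs:
        if uid not in attrs["memberUid"]:
            attrs["memberUid"].append(uid)
        return True
    dn = users.get(uid)
    if dn is None:
        return False
    if dn not in attrs["member"]:
        attrs["member"].append(dn)
    return True


def nss_group_exists(name, etc_group, ldap_groups):
    """What a configuration tool sees through getent: files plus LDAP."""
    return name in etc_group or name in ldap_groups


def local_usermod_add_group(etc_group, group, uid):
    """Model of `usermod -aG group uid` editing /etc/group: it can only
    touch a group that is actually present in the local file."""
    if group not in etc_group:
        return False
    if uid not in etc_group[group]:
        etc_group[group].append(uid)
    return True


def remove_system_user_scenario(schema):
    """Delete the LDAP entry for `apache`, then try to keep it in webdev
    both through LDAP and through the local-file route Puppet would use."""
    users = deepcopy(LDAP_USERS)
    groups = deepcopy(GROUPS_MEMBERUID if schema == "memberUid" else GROUPS_MEMBERDN)
    etc_group = deepcopy(ETC_GROUP)

    before = ldap_initgroups("apache", users, groups)
    del users["apache"]                      # apache becomes a local-only user
    after = ldap_initgroups("apache", users, groups)
    ldap_added = ldap_add_member(groups, "webdev", "apache", users)

    # Puppet-style path: webdev already resolves via NSS, so no local group
    # is created, and the local usermod then has nothing to edit.
    seen_by_getent = nss_group_exists("webdev", etc_group, groups)
    if not seen_by_getent:
        etc_group["webdev"] = []
    local_added = local_usermod_add_group(etc_group, "webdev", "apache")

    return {
        "before": before, "after": after,
        "ldap_add_member_ok": ldap_added,
        "group_visible_via_nss": seen_by_getent,
        "local_usermod_ok": local_added,
    }


if __name__ == "__main__":
    for schema in ("memberUid", "memberDN"):
        print(schema, remove_system_user_scenario(schema))
```

Running the scenario for both schemas shows the same outcome the thread describes: once the apache entry is gone, neither schema reports any LDAP groups for it, the DN-based add is rejected outright because there is no DN to store, and the local usermod route fails because the group is visible through NSS but absent from /etc/group.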