[Freeipa-users] Non-human users

Orion Poplawski orion at cora.nwra.com
Fri Feb 15 21:01:05 UTC 2013


On 02/15/2013 01:42 PM, John Dennis wrote:
> On 02/15/2013 02:23 PM, Orion Poplawski wrote:
>> On 02/15/2013 12:01 PM, Orion Poplawski wrote:
>>>
>>> I've been trying to track down any bugs I may have filed without success, but
>>> I'm pretty sure I tried at first adding a system user to LDAP groups and that
>>> not working unless the system user was in LDAP.  This may have been before I
>>> started using SSSD on the servers so I'll need to retest this.
>>
>> This still appears to be the case.  As soon as I removed the system user from
>> our current ldap database, id no longer reported any other group memberships.
>>    This is with the default using "memberUid" for group membership.  With the
>> IPA schema of recording group membership with the full dn, it seems the user
>> would have to be in the database to have a dn.
>
> Yes you're right, the user has to exist in LDAP in order to be a member of a
> group managed in LDAP.
>
> Your other alternative is not put these system users in LDAP and instead use
> local users & groups managed via some other mechanism (puppet?).
>

I've been testing with puppet, but that doesn't work.  It detects the group's 
presence in ldap, so doesn't add them to /etc/group, then when it goes to add 
apache to the various groups, that fails.  Possibly could be missing 
functionality in puppet, but not a solution at the moment.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
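The failure Orion describes comes from conflating "the group resolves via NSS" with "the group is in /etc/group": a group that only exists in LDAP is visible to getent, but local tools such as gpasswd/usermod can only edit the files source. The script below is an added example (not code from this thread, FreeIPA or Puppet) of the check a configuration tool would need before attempting a local membership change. It uses constructed stand-ins for the output of `getent -s files group` and plain `getent group` so it runs offline; group names, gids and the `webdevs` group are made up for illustration.

```shell
#!/bin/sh
# Added example: decide whether a group can have members added locally.
# Constructed stand-in for `getent -s files group` (only /etc/group entries).
FILES_DB='root:x:0:
apache:x:48:
wheel:x:10:orion'
# Constructed stand-in for `getent group` (files plus LDAP via sssd/nss_ldap).
# "webdevs" exists only in LDAP, which is the situation from the thread.
NSS_DB='root:x:0:
apache:x:48:
wheel:x:10:orion
webdevs:*:1001:orion'

# group_source NAME FILES_DB NSS_DB
# Prints "local" when NAME is in the files database, "remote" when it
# resolves only through another NSS source (e.g. LDAP), "missing" otherwise.
group_source() {
    name=$1
    if printf '%s\n' "$2" | grep -q "^${name}:"; then
        echo local
    elif printf '%s\n' "$3" | grep -q "^${name}:"; then
        echo remote
    else
        echo missing
    fi
}

# plan_membership USER GROUP FILES_DB NSS_DB
# Prints the action a tool should take instead of blindly running gpasswd:
#   add-local   : group is in /etc/group, a local edit is valid
#   create-local: group not known anywhere, create it locally first
#   skip-remote : group lives only in LDAP; a local edit of /etc/group
#                 cannot add USER, membership must be managed in LDAP
#                 (which requires USER to exist there too)
plan_membership() {
    user=$1 group=$2
    case $(group_source "$group" "$3" "$4") in
        local)   echo "add-local" ;;
        missing) echo "create-local" ;;
        remote)  echo "skip-remote" ;;
    esac
}

# Stand-alone usage: walk the groups apache should belong to.
for g in wheel webdevs staff; do
    printf '%s %s -> %s\n' apache "$g" \
        "$(plan_membership apache "$g" "$FILES_DB" "$NSS_DB")"
done
```

Run without arguments it reports one line per group; the "skip-remote" case for webdevs is exactly where a tool that only consults `getent group` would go on to run gpasswd and fail.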