[Freeipa-users] Proper configuration of service accounts

Dmitri Pal dpal at redhat.com
Fri Apr 3 12:17:19 UTC 2015


On 04/03/2015 01:51 AM, Brian Topping wrote:
> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> 
> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my 
> replicated pair of IPA instances.
>
> Question about proper setup of service accounts: I see that the 
> service accounts I set up under "cn=etc, cn=sysaccounts" are still 
> able to log in, but the permission changes have left them unable to 
> read anything. Previously, I hacked the ACLs on the domain root. I 
> would like to believe that's not how it should be done.
>
> That said, I was surprised that service accounts are not supported in 
> 4.x UI, so I wonder if service accounts 
> (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) are 
> the wrong way for services like Postfix to be doing LDAP queries.
>

The ACIs changed because we tightened them for the read permissions.
I hope you would be able to change them so that your service account 
works again.
Here is the root page of the changes that we implemented.
http://www.freeipa.org/page/V4/Permissions_V2

System account is probably the right one for Postfix.

It is not in the UI and CLI because other features take precedence. We 
acknowledge that it needs to be added, we just do not have enough time and 
resources to do it.
When we looked at 4.2 we assessed it too and it was on the borderline 
with a good chance of not happening, sorry.

Thanks
Dmitri

> Thanks, Brian


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
