[Freeipa-users] Proper configuration of service accounts
Dmitri Pal
dpal at redhat.com
Fri Apr 3 14:48:15 UTC 2015
On 04/03/2015 09:36 AM, Brian Topping wrote:
>> On Apr 3, 2015, at 6:17 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> On 04/03/2015 01:51 AM, Brian Topping wrote:
>>> Great work on 4.1.0! As a CentOS user, I am able to report that the
>>> 3.x -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade
>>> on my replicated pair of IPA instances.
>>>
>>> Question about proper setup of service accounts: I see that the
>>> service accounts I set up under "cn=etc, cn=sysaccounts" are still
>>> able to log in, but the permission changes have left them unable to
>>> read anything. Previously, I hacked the ACLs on the domain root. I
>>> would like to believe that's not how it should be done.
>>>
>>> That said, I was surprised that service accounts are not supported
>>> in 4.x UI, so I wonder if service accounts
>>> (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html)
>>> are the wrong way for services like Postfix to be doing LDAP queries.
>>>
>>
>> The ACIs changed because we tightened them for the read permissions.
>> I hope you would be able to change them so that your service account
>> works again.
>> Here is the root page of the changes that we implemented.
>> http://www.freeipa.org/page/V4/Permissions_V2
>>
>> System account is probably the right one for Postfix.
>>
>> It is not in the UI and CLI because other features take precedence.
>> We acknowledge that it needs to be added; we just do not have enough
>> time and resources to do it.
>> When we looked at 4.2 we assessed it too, and it was borderline
>> with a good chance of not happening, sorry.
>
> Thanks Dmitri. I had known in advance about the ACLs, but couldn't
> fully appreciate what was going to happen until doing the upgrade.
> Once it was done, I was kind of surprised that the ACL changes
> replicated to the 3.x server. As luck would have it, I didn't snapshot
> both servers at the same time before upgrading either, and eventually,
> the ACLs managed to work their way back to both the 3.x snapshots (one
> of them was obviously snapshotted after the other one had been
> installed with 4.1). I couldn't find upgrade notes with "gotchas";
> this might be a good addition if there are any somewhere. It was kind
> of humorous in all.
>
> As for the service feature itself, please don't apologize. I think you
> guys did a spectacular job with this feature set. What I was concerned
> about is making sure I am doing things as closely as possible to
> future patterns to reduce upgrade costs. I don't know if it's possible
> to document the pattern without committing to the feature, but it
> might be helpful.
>
> The one thing I would like to discover at this point is whether roles
> and privileges built in the UI can be used by system accounts.
I am eager to know that too, please do not hesitate to share your
findings. :-)
> If so, I could stop editing ACLs directly in LDIF, which is error
> prone and not the kind of thing I remember too well.
>
> Kind regards, Brian
>
>>
>> Thanks
>> Dmitri
>>
>>> Thanks, Brian
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.