[Freeipa-users] Proper configuration of service accounts

Dmitri Pal dpal at redhat.com
Fri Apr 3 14:48:15 UTC 2015


On 04/03/2015 09:36 AM, Brian Topping wrote:
>> On Apr 3, 2015, at 6:17 AM, Dmitri Pal <dpal at redhat.com 
>> <mailto:dpal at redhat.com>> wrote:
>>
>> On 04/03/2015 01:51 AM, Brian Topping wrote:
>>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x 
>>> -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on 
>>> my replicated pair of IPA instances.
>>>
>>> Question about proper setup of service accounts: I see that the 
>>> service accounts I set up under "cn=etc, cn=sysaccounts" are still 
>>> able to log in, but the permission changes have left them unable to 
>>> read anything. Previously, I hacked the ACLs on the domain root. I 
>>> would like to believe that's not how it should be done.
>>>
>>> That said, I was surprised that service accounts are not supported 
>>> in 4.x UI, so I wonder if service accounts 
>>> (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) 
>>> are the wrong way for services like Postfix to be doing LDAP queries.
>>>
>>
>> The ACIs changed because we tightened them for the read permissions.
>> I hope you would be able to change them so that your service account 
>> works again.
>> Here is the root page of the changes that we implemented.
>> http://www.freeipa.org/page/V4/Permissions_V2
>>
>> A system account is probably the right one for Postfix.
>>
>> It is not in the UI and CLI because other features take precedence. 
>> We acknowledge that it needs to be added; we just do not have enough 
>> time and resources to do it.
>> When we looked at 4.2 we assessed it too and it was on the borderline 
>> with a good chance of not happening, sorry.
>
> Thanks Dmitri. I had known in advance about the ACLs, but couldn't 
> fully appreciate what was going to happen until doing the upgrade. 
> Once it was done, I was kind of surprised that the ACL changes 
> replicated to the 3.x server. As luck would have it, I didn't snapshot 
> both servers at the same time before upgrading either, and eventually, 
> the ACLs managed to work their way back to both the 3.x snapshots (one 
> of them was obviously snapshotted after the other one had been 
> installed with 4.1). I couldn't find upgrade notes with "gotchas"; 
> this might be a good addition if there are any somewhere. It was kind of 
> humorous all in all.
>
> As for the service feature itself, please don't apologize. I think you 
> guys did a spectacular job with this feature set. What I was concerned 
> about is making sure I am doing things as closely as possible to 
> future patterns to reduce upgrade costs. I don't know if it's possible 
> to document the pattern without committing to the feature, but it 
> might be helpful.
>
> The one thing I would like to discover at this point is whether roles 
> and privileges built in the UI can be used by system accounts.

I am eager to know that too, please do not hesitate to share your 
findings. :-)

> If so, I could stop editing ACLs directly in LDIF, which is error 
> prone and not the kind of thing I remember too well.
>
> Kind regards, Brian
>
>>
>> Thanks
>> Dmitri
>>
>>> Thanks, Brian
>>>
>>
>>
>> -- 
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
