[Freeipa-users] Proper configuration of service accounts

Alexander Bokovoy abokovoy at redhat.com
Fri Apr 3 20:32:59 UTC 2015


On Fri, 03 Apr 2015, Dmitri Pal wrote:
>On 04/03/2015 09:36 AM, Brian Topping wrote:
>>>On Apr 3, 2015, at 6:17 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>>On 04/03/2015 01:51 AM, Brian Topping wrote:
>>>>Great work on 4.1.0! As a CentOS user, I am able to convey the 
>>>>3.x -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 
>>>>upgrade on my replicated pair of IPA instances.
>>>>
>>>>Question about proper setup of service accounts: I see that the 
>>>>service accounts I set up under "cn=etc, cn=sysaccounts" are 
>>>>still able to log in, but the permission changes have left them 
>>>>unable to read anything. Previously, I hacked the ACLs on the 
>>>>domain root. I would like to believe that's not how it should be 
>>>>done.
>>>>
>>>>That said, I was surprised that service accounts are not 
>>>>supported in 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) 
>>>>are the wrong way for services like Postfix to be doing LDAP 
>>>>queries.
>>>>
>>>
>>>The ACIs changed because we tightened them for the read permissions.
>>>I hope you would be able to change them so that your service 
>>>account works again.
>>>Here is the root page of the changes that we implemented.
>>>http://www.freeipa.org/page/V4/Permissions_V2
>>>
>>>System account is probably the right one for Postfix.
>>>
>>>It is not in the UI and CLI because other features take 
>>>precedence. We acknowledge that it needs to be added; we just do not 
>>>have enough time and resources to do it.
>>>When we looked at 4.2 we assessed it too, and it was borderline, 
>>>with a good chance of not happening, sorry.
>>
>>Thanks Dmitri. I had known in advance about the ACLs, but couldn't 
>>fully appreciate what was going to happen until doing the upgrade. 
>>Once it was done, I was kind of surprised that the ACL changes 
>>replicated to the 3.x server. As luck would have it, I didn't 
>>snapshot both servers at the same time before upgrading either, and 
>>eventually, the ACLs managed to work their way back to both the 3.x 
>>snapshots (one of them was obviously snapshotted after the other one 
>>had been installed with 4.1). I couldn't find upgrade notes with 
>>"gotchas"; this might be a good addition if there are any somewhere. It 
>>was kind of humorous in all.
>>
>>As for the service feature itself, please don't apologize. I think 
>>you guys did a spectacular job with this feature set. What I was 
>>concerned about is making sure I am doing things as closely as 
>>possible to future patterns to reduce upgrade costs. I don't know if 
>>it's possible to document the pattern without committing to the 
>>feature, but it might be helpful.
>>
>>The one thing I would like to discover at this point is whether 
>>roles and privileges built in the UI can be used by system accounts.
>
>I am eager to know that too, please do not hesitate to share your 
>findings. :-)
I don't think you can achieve that with existing 'ipa permission-add'
command because it limits memberof filter to existing IPA groups.

We have an update plugin that updates managed permissions and it could
be used as a basis to add more permissions declarative-style but right
now it can't be used as it is.

Definitely worth filing a ticket and fixing this ASAP.

-- 
/ Alexander Bokovoy
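The thread leaves the concrete shape of a "system account" and of a read permission for it implicit. The following shell script is an added example, not code from the thread or from the FreeIPA project: it emits the LDIF for a system account under cn=sysaccounts,cn=etc (the entry layout that Brian refers to) and a 389-ds ACI that grants read access to that exact bind DN. Because the ACI binds on `userdn` rather than on group membership, it does not depend on the memberof filter that Alexander notes `ipa permission-add` restricts to IPA groups. The base DN `dc=example,dc=com`, the account name `postfix`, the attribute list and the placement of the ACI on cn=users,cn=accounts are assumptions chosen for illustration; adjust them to your directory and keep the attribute list as narrow as the consuming service needs.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project).
# Emits LDIF for (1) a system account under cn=sysaccounts,cn=etc and
# (2) an ACI granting that bind DN read-only access to user entries.
# Base DN, account name, attribute list and ACI placement are assumptions.

# Usage: sysaccount_ldif <uid> <base dn>
# Produces an 'account' + 'simpleSecurityObject' entry, the usual shape of a
# FreeIPA system account: it can bind with a password but is not a POSIX user.
sysaccount_ldif() {
  uid="$1"; base="$2"
  cat <<EOF
dn: uid=${uid},cn=sysaccounts,cn=etc,${base}
changetype: add
objectClass: account
objectClass: simpleSecurityObject
uid: ${uid}
userPassword: REPLACE-WITH-A-STRONG-SECRET
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Usage: read_aci_ldif <uid> <base dn> "<attr> || <attr> ..."
# Adds an ACI on cn=users,cn=accounts (assumed placement) that allows only
# read/search/compare on the listed attributes, and only for the literal
# bind DN of the system account. No group membership is involved, so the
# 'memberof' limitation of 'ipa permission-add' mentioned in the thread
# does not apply.
read_aci_ldif() {
  uid="$1"; base="$2"; attrs="$3"
  cat <<EOF
dn: cn=users,cn=accounts,${base}
changetype: modify
add: aci
aci: (targetattr = "${attrs}")(version 3.0; acl "read-only access for system account ${uid}"; allow (read,search,compare) userdn = "ldap:///uid=${uid},cn=sysaccounts,cn=etc,${base}";)
EOF
}

# Example invocation (the DN values are illustrative):
#   { sysaccount_ldif postfix "dc=example,dc=com";
#     read_aci_ldif postfix "dc=example,dc=com" "uid || cn || mail"; } \
#     | ldapmodify -H ldaps://ipa.example.com -D "cn=Directory Manager" -W
```

Apply the output with `ldapmodify` as Directory Manager, then verify the grant from the service's point of view with `ldapsearch -D "uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=com" -W` against cn=users,cn=accounts: the listed attributes should be returned and nothing else. Keeping the attribute list explicit (rather than `*`) is what keeps the account least-privilege after the tightened read ACIs of the Permissions V2 work.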