[Freeipa-users] Proper configuration of service accounts

Martin Kosek mkosek at redhat.com
Tue Apr 7 11:18:10 UTC 2015


On 04/03/2015 03:36 PM, Brian Topping wrote:
>> On Apr 3, 2015, at 6:17 AM, Dmitri Pal <dpal at redhat.com> wrote:
>> 
>> On 04/03/2015 01:51 AM, Brian Topping wrote:
>>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x ->
>>> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my
>>> replicated pair of IPA instances.
>>> 
>>> Question about proper setup of service accounts: I see that the service
>>> accounts I set up under "cn=etc, cn=sysaccounts" are still able to log
>>> in, but the permission changes have left them unable to read anything.
>>> Previously, I hacked the ACLs on the domain root. I would like to
>>> believe that's not how it should be done.
>>> 
>>> That said, I was surprised that service accounts are not supported in
>>> 4.x UI, so I wonder if service accounts
>>> (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html
>>> <https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html>)
>>> are the wrong way for services like Postfix to be doing LDAP queries.
>>> 
>> 
>> The ACIs changed because we tightened them for the read permissions. I
>> hope you would be able to change them so that your service account works
>> again. Here is the root page of the changes that we implemented. 
>> http://www.freeipa.org/page/V4/Permissions_V2
>> <http://www.freeipa.org/page/V4/Permissions_V2>
>> 
>> System account is probably the right one for Postfix.
>> 
>> It is not in the UI and CLI because other features take precedence. We
>> acknowledge that it needs to be added, we just not have enough time and
>> resources to do it. When we looked at 4.2 we assessed it too and it was on
>> the border line with a good chance of not happening, sorry.
> 
> Thanks Dmitri. I had known in advance about the ACLs, but couldn't fully
> appreciate what was going to happen until doing the upgrade. Once it was
> done, I was kind of surprised that the ACL changes replicated to the 3.x
> server. As luck would have it, I didn't snapshot both servers at the same
> time before upgrading either, and eventually, the ACLs managed to work their
> way back to both the 3.x snapshots (one of them was obviously snapshotted
> after the other one had been installed with 4.1). I couldn't find upgrade
> notes with "gotcha"s, this might be a good addition if there are somewhere.
> It was kind of humorous in all.

Interesting, I sort of thought this was automatically implied, given that
FreeIPA has a fully replicated environment. Based on your recommendation, I
added a note to

https://www.freeipa.org/page/Upgrade#Words_of_caution

> As for the service feature itself, please don't apologize. I think you guys
> did a spectacular job with this feature set. What I was concerned about is
> making sure I am doing things as closely as possible to future patterns to
> reduce upgrade costs. I don't know if it's possible to document the pattern
> without committing to the feature, but it might be helpful.
> 
> The one thing I would like to discover at this point is whether roles and
> privileges build in the UI can be used by system accounts. If so, I could
> stop editing ACLs directly in LDIF, which is error prone and not the kind of
> thing I remember too well.

FreeIPA 4.x permission system can now assign privileges and new permission ACIs
to users, groups, hosts, host groups and services.

System accounts are not covered; they should be covered when we have an API for
them. I added this requirement to the respective RFE:
https://fedorahosted.org/freeipa/ticket/2801

Brian, what exactly would you like to achieve? There were changes to the
default permissions, some objects are only readable by authenticated users -
which should apply also to system users.

If you want to add special ACIs using the new/updated permission API (ipa
permission-add), I would suggest the following procedure:

1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
2) Add the new permissions you want to add, make them a member of a (new)
privilege.
3) Create a new role, make the new/updated privileges members of that role
4) Use ldapmodify to make the system account DN member of that role (you just
add a new member attribute value)
5) Profit - you should now be able to control permissions for your system
account with FreeIPA CLI/UI
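The five steps above as one script. This is an added example, not part of Martin's message and not FreeIPA's own tooling. The suffix dc=rhel71 is taken from the message; the account uid (postfix), the permission, privilege and role names, the attribute list and the LDAP URI are assumptions. It runs as a dry run by default and only prints the commands it would execute; set DRY_RUN=0 (with an admin Kerberos ticket and the Directory Manager password at hand) to apply them. Check the exact ipa option names against `ipa permission-add --help` on the version you run.

```shell
#!/bin/sh
# Added example of the 5-step procedure. Names below are assumptions, not
# anything the thread or FreeIPA prescribes. Dry run by default.
set -eu

BASEDN="${BASEDN:-dc=rhel71}"                       # suffix from the thread
ACCOUNT="${ACCOUNT:-postfix}"                       # assumed system account uid
PERM="${PERM:-Read mail attributes for Postfix}"    # assumed permission name
PRIV="${PRIV:-Postfix LDAP Read}"                   # assumed privilege name
ROLE="${ROLE:-Postfix LDAP Readers}"                # assumed role name
LDAP_URI="${LDAP_URI:-ldap://localhost}"            # assumed: run on the IPA server
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

sysaccount_dn() { printf 'uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$BASEDN"; }
role_dn()       { printf 'cn=%s,cn=roles,cn=accounts,%s\n' "$1" "$BASEDN"; }

# Step 1: LDIF for a bind-only system account (entry layout as in the 2012
# post linked from the thread; not a POSIX user, so it gets no uidNumber).
sysaccount_ldif() {
  cat <<EOF
dn: $(sysaccount_dn "$1")
objectClass: account
objectClass: simpleSecurityObject
uid: $1
userPassword: $2
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Step 4: LDIF that adds the system account DN as a member of the role.
# There is no ipa CLI for sysaccounts, so this is the one ldapmodify left.
role_member_ldif() {
  cat <<EOF
dn: $(role_dn "$1")
changetype: modify
add: member
member: $(sysaccount_dn "$2")
EOF
}

main() {
  # For a real run export SYSACCOUNT_PASSWORD from a secret store, not argv.
  pw="${SYSACCOUNT_PASSWORD:-CHANGE-ME}"

  # 1) system account entry (Directory Manager bind, prompts for password)
  sysaccount_ldif "$ACCOUNT" "$pw" \
    | run ldapadd -x -H "$LDAP_URI" -D "cn=Directory Manager" -W

  # 2) permission (read-only, scoped to the attributes Postfix needs) and a
  #    privilege that groups it; needs a kinit'ed admin for the ipa commands
  run ipa permission-add "$PERM" --type=user \
      --right=read --right=search --right=compare --attrs=uid --attrs=mail
  run ipa privilege-add "$PRIV" --desc="Attributes Postfix needs for LDAP lookups"
  run ipa privilege-add-permission "$PRIV" --permissions="$PERM"

  # 3) role carrying the privilege
  run ipa role-add "$ROLE" --desc="System accounts used by Postfix"
  run ipa role-add-privilege "$ROLE" --privileges="$PRIV"

  # 4) role membership for the system account DN
  role_member_ldif "$ROLE" "$ACCOUNT" \
    | run ldapmodify -x -H "$LDAP_URI" -D "cn=Directory Manager" -W

  # 5) check: bind as the system account and read only what the permission
  #    grants; anything beyond uid/mail should come back empty
  run ldapsearch -x -H "$LDAP_URI" -D "$(sysaccount_dn "$ACCOUNT")" -W \
      -b "cn=users,cn=accounts,$BASEDN" "(uid=*)" uid mail
}

main
```

The permission is deliberately read/search/compare on two attributes only; widening `--attrs` or switching to `--type=user` plus `--right=all` is how a "service account" quietly turns into a domain-wide reader. Because the role member is a plain `member` value, `ipa role-show "$ROLE"` will list the sysaccount DN, so membership stays visible from the CLI/UI even though the account itself is not.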
