<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 04/03/2015 09:36 AM, Brian Topping
      wrote:<br>
    </div>
    <blockquote
      cite="mid:CE0EA64E-BB7E-4809-8D29-1157EFF25F25@gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <div>
        <blockquote type="cite" class="">
          <div class="">On Apr 3, 2015, at 6:17 AM, Dmitri Pal <<a
              moz-do-not-send="true" href="mailto:dpal@redhat.com"
              class="">dpal@redhat.com</a>> wrote:</div>
          <br class="Apple-interchange-newline">
          <div class="">
            <meta content="text/html; charset=ISO-8859-1"
              http-equiv="Content-Type" class="">
            <div bgcolor="#FFFFFF" text="#000000" class="">
              <div class="moz-cite-prefix">On 04/03/2015 01:51 AM, Brian
                Topping wrote:<br class="">
              </div>
              <blockquote
                cite="mid:654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com"
                type="cite" class="">Great work on 4.1.0! As a CentOS
                user, I am able to convey the 3.x -> 4.1.0 upgrade
                went smoothly via the CentOS 7.0 -> 7.1 upgrade on my
                replicated pair of IPA instances.
                <div class=""><br class="">
                </div>
                <div class="">Question about proper setup of service
                  accounts: I see that the service accounts I set up
                  under "cn=etc, cn=sysaccounts" are still able to log
                  in, but the permission changes have left them unable
                  to read anything. Previously, I hacked the ACLs on the
                  domain root. I would like to believe that's not how it
                  should be done.</div>
                <div class=""><br class="">
                </div>
                <div class="">That said, I was surprised that service
                  accounts are not supported in 4.x UI, so I wonder if
                  service accounts (<a moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html"
                    class="">https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html</a>)
                  are the wrong way for services like Postfix to be
                  doing LDAP queries.</div>
                <div class=""><br class="">
                </div>
              </blockquote>
              <br class="">
              The ACIs changed because we tightened them for the read
              permissions.<br class="">
              I hope you would be able to change them so that your
              service account works again.<br class="">
              Here is the root page of the changes that we implemented.<br
                class="">
              <a moz-do-not-send="true" class="moz-txt-link-freetext"
                href="http://www.freeipa.org/page/V4/Permissions_V2">http://www.freeipa.org/page/V4/Permissions_V2</a><br
                class="">
              <br class="">
              A system account is probably the right one for Postfix.<br
                class="">
              <br class="">
              It is not in the UI and CLI because other features take
              precedence. We acknowledge that it needs to be added; we
              just do not have enough time and resources to do it.<br
                class="">
              When we looked at 4.2 we assessed it too, and it was on the
              borderline with a good chance of not happening, sorry.<br
                class="">
            </div>
          </div>
        </blockquote>
        <div><br class="">
        </div>
        Thanks Dmitri. I had known in advance about the ACLs, but
        couldn't fully appreciate what was going to happen until doing
        the upgrade. Once it was done, I was kind of surprised that the
        ACL changes replicated to the 3.x server. As luck would have it,
        I didn't snapshot both servers at the same time before upgrading
        either, and eventually, the ACLs managed to work their way back
        to both the 3.x snapshots (one of them was obviously snapshotted
        after the other one had been installed with 4.1). I couldn't
        find upgrade notes with "gotcha"s; this might be a good addition
        if there are any somewhere. It was kind of humorous, all in all.
        <div class=""><br class="">
        </div>
        <div class="">As for the service feature itself, please don't
          apologize. I think you guys did a spectacular job with this
          feature set. What I was concerned about is making sure I am
          doing things as closely as possible to future patterns to
          reduce upgrade costs. I don't know if it's possible to
          document the pattern without committing to the feature, but it
          might be helpful.</div>
        <div class=""><br class="">
        </div>
        <div class="">The one thing I would like to discover at this
          point is whether roles and privileges built in the UI can be
          used by system accounts. </div>
      </div>
    </blockquote>
    <br>
    I am eager to know that too, please do not hesitate to share your
    findings. :-)<br>
    <br>
    <blockquote
      cite="mid:CE0EA64E-BB7E-4809-8D29-1157EFF25F25@gmail.com"
      type="cite">
      <div>
        <div class="">If so, I could stop editing ACLs directly in LDIF,
          which is error prone and not the kind of thing I remember too
          well.</div>
        <div class=""><br class="">
        </div>
        <div class="">Kind regards, Brian</div>
        <div class=""><br class="">
        </div>
        <blockquote type="cite" class="">
          <div class="">
            <div bgcolor="#FFFFFF" text="#000000" class=""> <br
                class="">
              Thanks<br class="">
              Dmitri<br class="">
              <br class="">
              <blockquote
                cite="mid:654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com"
                type="cite" class="">
                <div class="">Thanks, Brian</div>
                <div class=""><br class="">
                </div>
                <div class=""><br class="">
                </div>
                <br class="">
                <br class="">
              </blockquote>
              <br class="">
              <br class="">
              <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
            </div>
            -- <br class="">
            Manage your subscription for the Freeipa-users mailing list:<br
              class="">
            <a moz-do-not-send="true"
              href="https://www.redhat.com/mailman/listinfo/freeipa-users"
              class="">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br
              class="">
            Go to <a class="moz-txt-link-freetext" href="http://freeipa.org">http://freeipa.org</a> for more info on the project</div>
        </blockquote>
      </div>
      <br class="">
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  </body>
</html>