On Tue, 10 Mar 2015, Petr Spacek wrote:
On 10.3.2015 16:01, Jakub Hrozek wrote:
On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
On 03/10/2015 03:27 PM, Rob Crittenden wrote:
Petr Vobornik wrote:
Hi,

I would like to ask what is the purpose of a default user group - by
default ipausers? The default group is also a required field in ipa config.

To be able to apply some (undefined) group policy to all users. I'm not
aware that it has ever been used for this.

I would also be interested in the use cases, especially given all the pain we have
with ipausers and large user bases. Especially since for current policies (SUDO,
HBAC, SELinux user policy), we always have other means to specify "all users".

Yes, but those means usually specify both AD and IPA users, right?

I always thought "ipausers" is a handy shortcut for selecting IPA users
only and not AD users.

I always thought that "ipausers" is an equivalent of "domain users" in the AD
world (compare with "Trusted domain users").

In my admin life I considered "domain users" to be a useful alias for real
authenticated user accounts (compare with "Everyone" = even unauthenticated
access, "Authenticated users" = includes machine accounts too.)


Moreover, getting rid of ipausers does not help with the 'big groups problem' in
any way. E.g. at a university you are almost inevitably going to have groups
like 'students' which will contain more than 90 % of users anyway.
For what use do we need this distinction in IPA itself?
- ACI (permissions) have a separate notion to describe the
 anonymous/any authenticated dichotomy
- HBAC has an 'all' category for users, which in the HBAC context means all
 authenticated users

Where else would we need ipausers other than as the default POSIX group, which
we are not using it for?
--
/ Alexander Bokovoy
