On 10.3.2015 16:55, Alexander Bokovoy wrote:
> On Tue, 10 Mar 2015, Petr Spacek wrote:
>> On 10.3.2015 16:01, Jakub Hrozek wrote:
>>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>>> Petr Vobornik wrote:
>>>>>> Hi,
>>>>>> I would like to ask what is a purpose of a default user group - by
>>>>>> default ipausers? Default group is also a required field in ipa config.
>>>>> To be able to apply some (undefined) group policy to all users. I'm not
>>>>> aware that it has ever been used for this.
>>>> I would also interested in the use cases, especially given all the pain we
>>>> have
>>>> with ipausers and large user bases. Especially that for current policies
>>>> (SUDO,
>>>> HBAC, SELinux user policy), we always have other means to specify "all
>>>> users".
>>> yes, but those means usually specify both AD and IPA users, right?
>>> I always thought "ipausers" is a handy shortcut for selecting IPA users
>>> only and not AD users.
>> I always thought that "ipausers" is an equivalent of "domain users" in AD
>> world (compare with "Trusted domain users").
>> In my admin life I considered "domain users" to be useful alias for real
>> authenticated user accounts (compare with "Everyone" = even unauthenticated
>> access, "Authenticated users" = includes machine accounts too.)
>> Moreover, getting rid of ipausers does not help with 'big groups problem' in
>> any way. E.g. at university you are almost inevitably going to have groups
>> like 'students' which will contain more than 90 % of users anyway.
> For what use we need this distinction in IPA itself?
> - ACI (permissions) have separate notion to describe
>  anonymous/any authenticated dichotomy
> - HBAC has 'all' category for users which in HBAC context means all
>  authenticated users
> Where else we would need ipausers other than default POSIX group which
> we are not using it for?

Ah, it is not a POSIX group? Too bad. I was using AD "domain users" for file
permissions so POSIX group equivalent is what I had in mind.

Petr^2 Spacek

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to