On Tue, 10 Mar 2015, Simo Sorce wrote:
On Tue, 2015-03-10 at 16:01 +0100, Jakub Hrozek wrote:
On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
> > Petr Vobornik wrote:
> >> Hi,
> >>
> >> I would like to ask what is a purpose of a default user group - by
> >> default ipausers? Default group is also a required field in ipa config.
> >
> > To be able to apply some (undefined) group policy to all users. I'm not
> > aware that it has ever been used for this.
>
> I would also interested in the use cases, especially given all the pain we 
have
> with ipausers and large user bases. Especially that for current policies 
(SUDO,
> HBAC, SELinux user policy), we always have other means to specify "all users".

yes, but those means usually specify both AD and IPA users, right?

I always thought "ipausers" is a handy shortcut for selecting IPA users
only and not AD users.

We should probably turn ipausers into a fully virtual group that is
added to the user's Authorization data in the KDC (MS-PAC or in future
PAD).
This way it will be possible to reference it in sssd but will not create
issues with memberships in the server.

But we need the PAD first, I guess.
(we could do something with authentication indicators too, but that
would be a hack).
Yep. If we need ipausers for POSIX context interpretation on IPA
clients, PAD would be our choice as we already do with MS-PAC for AD
users.

Within LDAP server, if we want to address all IPA users to do some mass
operations on them, I think we probably should have some specialized
control that would give 389-ds chance to optimize on building this list
of users before applying an operation to them. This would be something
non-standard but more efficient than what we are doing right now.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to