> -----Original Message-----
> From: Rob Crittenden <[email protected]>
>
> Schrock, Chad - 0336 - MITLL via FreeIPA-users wrote:
> >
> > Hi --
> >
> > We have been using IdM/FreeIPA for a while, and as these things tend
> > to happen, we have a process to create “service accounts” in the
> > domain that is quite cumbersome and was what “just worked” at the time
> > so it is what we have been doing. Currently using IdM/FreeIPA 4.9.13 on
> > RHEL 8.10.
> >
> > (When I say “service accounts” I mean an account that an application
> > would use to bind to the LDAP domain, read records, and do something
> > like allow the user to use the application.)
> >
> > What is the ‘suggested’ or preferred method to create this kind of
> > user in IdM? Is “system account” the better name?
> >
> > I found:
> >
> > * https://lists.fedorahosted.org/archives/list/freeipa-[email protected]/thread/44Z4ANXQYKRNTEVNL35BK27X7Q67RVDQ/
> > * https://www.freeipa.org/page/HowTo/LDAP
> > * https://lists.fedorahosted.org/archives/list/freeipa-[email protected]/thread/2MBVML4L7OCM77VXXX5PQGFLAGGXGDSL/
> > * https://github.com/noahbliss/freeipa-sam
> >
> > Which all seem good, especially freeipa-sam. But they are also all
> > pretty old.
>
> I guess I'd prefer system accounts to de-duplicate "services".

That makes sense. I'll make a note to start using "system accounts" instead of "service accounts" going forward.

> So the howto is old but wise I suppose. I've never used freeipa-sam but it
> seems reasonable enough. Since the underlying creation of system account
> hasn't changed in forever it should continue working.
>
> The trick with these system accounts is they have limited read capabilities
> and zero write. There is also no API to add them to roles to give them those
> rights. It is pretty easy if you know your way around ldapmodify to add
> them to a role. Just add member:<sysaccount dn> to a role and that should
> do it.

OK, that's pretty cool. I don't think we have them in any roles (in our use-case), but that's good to know. I'll have to play with it some to see if it does what I'm hoping it will do in our environment.

> After the mod an ldapsearch should show them as memberof permissions,
> privileges, etc.
>
> If you set the password expiration date to 0 then it will never expire.
> Assuming you're ok with passwords that never expire that is.
>
> You'll get no advance warning on them though which is why I think some
> folks do it that way. Otherwise it will expire on <insert major holiday
> weekend eve>.

That's always the case, isn't it? And the person who would know about it is on vacation or has left the organization.

> We have an RFE to not have to jump thru these hoops but it's very low on the
> priority list.

Thank you so much for your help and insight Rob.

--
Chad Schrock, he/him
Supporting MIT Lincoln Laboratory, Lexington, MA
[email protected]
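The ldapmodify step Rob describes, as an added example that is not part of this thread or of FreeIPA itself: it builds the LDIF that adds a system account as a member of a role, applies it, and pulls the resulting memberOf values (role, privileges, permissions) out of an ldapsearch. The server name, base DN, account and role DNs, the Directory Manager bind and the sample search output are all assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. Every host, DN
# and name below is an assumed placeholder; adjust to your own domain.
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
SYSACCOUNT_DN="uid=app-bind,cn=sysaccounts,cn=etc,$BASE_DN"   # the system account
ROLE_DN="cn=App Readers,cn=roles,cn=accounts,$BASE_DN"         # an existing role

# LDIF for the "member:<sysaccount dn>" modification on the role entry.
role_member_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' "$1" "$2"
}

# Apply it as Directory Manager (assumed bind; prompts for the password).
add_to_role() {
  role_member_ldif "$1" "$2" \
    | ldapmodify -H "ldaps://$IPA_SERVER" -D "cn=Directory Manager" -W
}

# Read ldapsearch -LLL output on stdin, unfold wrapped lines (a leading
# space continues the previous line) and print each memberOf value alone.
extract_memberof() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (buf != "") print buf; buf = $0 }
       END { if (buf != "") print buf }' \
  | sed -n 's/^memberOf: //p'
}

# After the mod, the account's memberOf should list the role plus the
# privileges and permissions that role carries.
show_memberof() {
  ldapsearch -LLL -H "ldaps://$IPA_SERVER" -D "cn=Directory Manager" -W \
    -b "$1" -s base memberOf | extract_memberof
}

# Exit 0 when the given DN is among the memberOf values read from stdin.
is_member_of() { extract_memberof | grep -qxF "$1"; }

# Constructed ldapsearch output (not captured from a real server) so the
# parsing can be exercised offline; the third value is folded at 76 chars.
SAMPLE_SEARCH='dn: uid=app-bind,cn=sysaccounts,cn=etc,dc=example,dc=com
memberOf: cn=App Readers,cn=roles,cn=accounts,dc=example,dc=com
memberOf: cn=App Reader Privilege,cn=privileges,cn=pbac,dc=example,dc=com
memberOf: cn=System: Read User Addressbook Attributes,cn=permissions,cn=pbac,dc=exa
 mple,dc=com'

demo() { printf '%s\n' "$SAMPLE_SEARCH" | extract_memberof; }
```

Run `add_to_role "$ROLE_DN" "$SYSACCOUNT_DN"` and then `show_memberof "$SYSACCOUNT_DN"` against a real server; `demo` only parses the constructed sample.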
--
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
