On Mon, 2011-12-12 at 19:34 +0100, Sigbjorn Lie wrote:
> On 12/12/2011 04:18 PM, Simo Sorce wrote:
> > On Mon, 2011-12-12 at 16:13 +0100, Sigbjorn Lie wrote:
> >> On Mon, December 12, 2011 15:31, Simo Sorce wrote:
> >>> On Mon, 2011-12-12 at 11:55 +0100, Sigbjorn Lie wrote:
> >>>
> >>>> options ldap.name uid=s-netapp,cn=users,cn=accounts,dc=test,dc=local
> >>>> options ldap.passwd passwordforbinduser
> >>> If you need a special user you can avoid polluting the normal user space
> >>> by creating a user under cn=sysaccounts,cn=etc,suffix..
> >>>
> >>> It is a simple object, you can look at one user already there called
> >>> uid=kdc, it is basically just an objectclass and a userPassword.
> >>>
> >>> We have no UI to create these users though, you'll have to create them
> >>> manually, and they are not seen as regular users by any client, they are
> >>> useful exclusively to bind to ldap with a plaintext password.
> >> Excellent!
> >>
> >> I suppose these are exempt from password policies? So their password will
> >> never expire...?
> > Yes the password policy applies only to kerberized entities.
> >
> > One of the reasons to use this.
> >
> Cool. How much access do these accounts have? Do they have write
> access anywhere?

By default they are powerless, they only have read access.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
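
The kind of entry described in the reply above, as an added example that is not part of the original thread. The uid and suffix are the ones from the quoted filer options; the two object classes, the `cn=Directory Manager` bind and the password value are assumptions, since the thread only says the entry is "an objectclass and a userPassword".

```ldif
# Constructed example: a bind-only system account for the filer.
# uid and suffix come from the thread; the object classes are an
# assumption (standard schema classes). Compare with the existing
# uid=kdc entry under cn=sysaccounts,cn=etc before loading this.
#
# Load as a directory administrator (bind DN is an assumption), e.g.:
#   ldapmodify -x -D "cn=Directory Manager" -W -f s-netapp.ldif
dn: uid=s-netapp,cn=sysaccounts,cn=etc,dc=test,dc=local
changetype: add
objectClass: account
objectClass: simpleSecurityObject
uid: s-netapp
# Placeholder value; replace with a long random password.
userPassword: REPLACE_WITH_LONG_RANDOM_PASSWORD
```

The filer's `options ldap.name` would then point at `uid=s-netapp,cn=sysaccounts,cn=etc,dc=test,dc=local` instead of the entry under `cn=users,cn=accounts`. Because this account authenticates with a simple bind, the password crosses the wire as sent, so the LDAP connection should be protected with TLS.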