-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 02/06/12 20:31, Alexander Bokovoy wrote:
> On Sat, 02 Jun 2012, Dale Macartney wrote:
>>
>> Evening all
>>
>> What's the recommended method for using service accounts with IPA?
>>
>> For example, using a piece of software that needs to bind to LDAP (aka
>> Zimbra, Moodle, Joomla, etc), having a password expiry on that specific
>> bind user would result in the application constantly needing the
>> password changed.
>>
>> I can see that you can modify the default password policy (I personally
>> don't want to change this as this works for my requirements), and also
>> have the ability to create additional pw policies if needed.
>>
>> What's the best method to create a user, but have the password for
>> the new user never expire? Am I thinking along the right lines of
>> using a different pw policy for the service accounts?
> A recommended way is to use system accounts. See, for example, how it is
> set up for sudo (section 13.4.1):
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
> We have this particular case covered with the following sudobind.ldif file
> (available as /usr/share/ipa/sudobind.ldif on the IPA server):
> ---------------
> #SUDO bind user
> dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: sudo
> userPassword: $RANDOM_PASSWORD
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
> ---------------
>
> As you can see, it has the SimpleSecurityObject and Account object classes, and
> the password is set to expire at the end of Unix time. You'd also need to add
> appropriate ACIs to limit what such an account could perform against
> IPA's LDAP store.
>
> We use this method for passync (AD replication), sudo integration,
> and will use it also for cross-realm trusts with AD in FreeIPAv3,
> albeit a bit differently (by making a container in sysaccounts to
> include all 'AD agents' from IPA servers exposed via CIFS and limiting
> what they can do).
>
> A downside is that you don't see these system accounts through the IPA UI/CLI;
> they are only managed manually.

Thanks very much Alexander, this worked brilliantly.

Dale
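The procedure Alexander describes, written out as an added example (this is not code from the thread or from FreeIPA; the only thing taken from the project is the shape of the quoted sudobind.ldif). It generates the LDIF for a system account under cn=sysaccounts,cn=etc,$SUFFIX with a random password and the far-future passwordExpirationTime, generates the matching ACI that Alexander says you still have to add, and, when run with arguments, applies both with ldapmodify and verifies that the new account can bind and sees only what the ACI grants. The account name "zimbra", the suffix dc=example,dc=com, the subtree cn=users,cn=accounts and the attribute list used in the usage below are illustrative assumptions, not FreeIPA defaults; the ACI wording is plain 389-ds syntax and is mine, not the project's.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from FreeIPA): build the
# LDIF for an LDAP-only system account modelled on the quoted sudobind.ldif,
# add a read-only ACI for it, and (when run with arguments) apply both with
# ldapmodify and verify the bind. All names in the usage line are assumptions.

# 32 random characters from the base64 alphabet (~192 bits) out of /dev/urandom.
gen_password() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d '\n' | cut -c1-32
}

# LDIF creating the account under cn=sysaccounts,cn=etc,<suffix>.
# passwordExpirationTime is pinned to 2038-01-19 03:14:07 UTC, as in the
# thread, so no password policy ever forces a change on this entry.
# The cleartext password goes into the LDIF, so never write it to a shared
# location; pipe it straight into ldapmodify as done below.
#   $1 = uid   $2 = suffix   $3 = cleartext password
sysaccount_ldif() {
    cat <<EOF
dn: uid=$1,cn=sysaccounts,cn=etc,$2
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: $1
userPassword: $3
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# LDIF adding one ACI on <subtree> that lets the account read, search and
# compare only the listed attributes (389-ds ACI syntax). Keeping the list
# explicit instead of (targetattr = "*") is the least-privilege part: the
# application gets the lookups it needs and nothing else.
#   $1 = uid   $2 = suffix   $3 = subtree DN   $4 = attribute list, e.g. 'uid || cn || mail'
sysaccount_aci_ldif() {
    cat <<EOF
dn: $3
changetype: modify
add: aci
aci: (targetattr = "$4")(version 3.0; acl "Read-only access for system account $1"; allow (read,search,compare) userdn = "ldap:///uid=$1,cn=sysaccounts,cn=etc,$2";)
EOF
}

# Apply both records and test the bind. Runs only when arguments are given, so
# sourcing this file for its functions never touches a server.
#   Usage: sh ipa-sysaccount.sh zimbra dc=example,dc=com \
#              cn=users,cn=accounts,dc=example,dc=com 'uid || cn || mail || memberOf'
# The default URI is ldaps:// to the server's own FQDN so the Directory Manager
# and system-account passwords are not sent in the clear.
if [ "$#" -ge 4 ]; then
    uid=$1; suffix=$2; subtree=$3; attrs=$4
    uri=${5:-ldaps://$(hostname -f)}
    bind_dn="uid=$uid,cn=sysaccounts,cn=etc,$suffix"
    pw=$(gen_password)
    { sysaccount_ldif "$uid" "$suffix" "$pw"; echo
      sysaccount_aci_ldif "$uid" "$suffix" "$subtree" "$attrs"; } \
        | ldapmodify -x -H "$uri" -D 'cn=Directory Manager' -W
    # Check 1: the account can bind at all.
    ldapwhoami -x -H "$uri" -D "$bind_dn" -w "$pw"
    # Check 2: a one-level search under the subtree returns only the granted
    # attributes; anything outside $attrs must not appear in the output.
    ldapsearch -x -LLL -H "$uri" -D "$bind_dn" -w "$pw" \
        -b "$subtree" -s one '(objectclass=*)' '*'
    echo "Bind password for $bind_dn (hand it to the application, then clear your scrollback): $pw"
fi
```

Two practical notes. Because these entries live outside cn=accounts, `ipa user-find` will not show them (Alexander's "downside"), so keep your own list of which system accounts exist and which ACIs reference them; searching for `(objectclass=simplesecurityobject)` under cn=sysaccounts,cn=etc,$SUFFIX as Directory Manager is the quickest inventory. And since the password never expires, rotate it on your own schedule with an `ldapmodify` `replace: userPassword` on the entry, which does not touch the ACI.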
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users