John Dennis wrote:
On 02/15/2013 12:32 PM, Orion Poplawski wrote:
On 02/15/2013 09:45 AM, Petr Viktorin wrote:
On 02/15/2013 05:36 PM, Orion Poplawski wrote:
Is there a recommended way to distinguish between "real" human user
accounts in IPA and non-human "system" accounts in IPA?

What kind of system accounts do you have in IPA? Consider not storing them in IPA at all.

Yeah, that seems like the better idea, but:

I think the main issue we've run into is needing the apache user to be a member of groups in ldap, and that not working unless the apache user was in ldap as well.

Another example is a backup user account that backup software logs in as.

Also some accounts that own files and some services run as that are needed on multiple machines.  I suppose we could use puppet to manage those, but this seems more convenient.

Generally system users do not need accounts. Most daemons define a
system user only for the purposes of having a uid they can drop
privileges to after starting as root. These users typically do not have
shells (technically their shell is /sbin/nologin) nor home directories.
Also these system accounts typically have fixed well known uids. Also
these system users are automatically created when you install the
package. Thus there is little point in trying to manage them. If you
find yourself with a need to manage them step back and ask yourself why.

The mock user is sort of a system account but it would be definitely nice to be able to manage its group membership from IPA, for example.
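The criteria John gives above (no-login shell, no real home directory, fixed low uid) turned into a small account-classification script, added here as an example and not code from the thread or from FreeIPA. It reads passwd(5)-style entries; the 1000 uid cutoff, the /home prefix test and the sample entries are constructed assumptions, not values from the list.

```python
"""Classify POSIX account entries as human, system or ambiguous.

Heuristics from the thread: system accounts have a no-login shell, no
usable home directory and a fixed low uid. The uid cutoff and the /home
prefix are assumptions; adjust them to your site's convention.
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 1000  # assumption: uids below this are reserved for system users
HUMAN_HOME_PREFIX = "/home/"  # assumption: human users get a home under /home

# Constructed sample in passwd(5) format: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mock:x:135:135:mock build user:/var/lib/mock:/sbin/nologin
backup:x:1201:1201:Backup service:/var/backups:/bin/bash
orion:x:1500:1500:Orion Poplawski:/home/orion:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd(5) lines into dicts; reject malformed lines loudly."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def classify(entry):
    """Return (verdict, reasons): 'system' needs all three indicators,
    'human' none; anything in between is flagged for manual review."""
    reasons = []
    if entry["shell"] in NOLOGIN_SHELLS:
        reasons.append("no-login shell")
    if not entry["home"].startswith(HUMAN_HOME_PREFIX):
        reasons.append("home outside " + HUMAN_HOME_PREFIX)
    if entry["uid"] < SYSTEM_UID_MAX:
        reasons.append("uid below %d" % SYSTEM_UID_MAX)
    if len(reasons) == 3:
        return "system", reasons
    if not reasons:
        return "human", reasons
    return "ambiguous", reasons

def audit(text):
    """Map account name to its (verdict, reasons) for a passwd-style dump."""
    return {e["name"]: classify(e) for e in parse_passwd(text)}
```

The backup account in the sample lands in the "ambiguous" bucket, which is exactly the kind of service login the thread struggles to place.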


Freeipa-users mailing list