On 02/15/2013 01:46 PM, Simo Sorce wrote:
On Fri, 2013-02-15 at 12:01 -0700, Orion Poplawski wrote:
What brought this up was the need to sync users from LDAP into another
authentication system, and for that system we only wanted "real" human people
to be listed.
Also, we don't want these accounts listed in things like Thunderbird LDAP
address books (hence no "*person" attributes: mail cn givenName sn).
And just for doing periodic audits it would be helpful for distinguishing
I've been trying to track down any bugs I may have filed without success, but
I'm pretty sure I tried at first adding a system user to LDAP groups and that
not working unless the system user was in LDAP. This may have been before I
started using SSSD on the servers so I'll need to retest this.
This is an interesting use case; it would probably be appropriate to
have an RFE filed to allow creating ipa users marked as 'non-person' so
that they are not assigned the person objectclass.
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane or...@nwra.com
Boulder, CO 80301 http://www.nwra.com
Freeipa-users mailing list