On 02/15/2013 01:46 PM, Simo Sorce wrote:
> On Fri, 2013-02-15 at 12:01 -0700, Orion Poplawski wrote:
>> What brought this up was the need to sync users from LDAP into another
>> authentication system, and for that system we only wanted "real" human people
>> to be listed.
>>
>> Also, we don't want these accounts listed in things like Thunderbird LDAP
>> address books (hence no "*person" attributes: mail cn givenName sn).
>>
>> And just for doing periodic audits it would be helpful for distinguishing
>> between them.
>>
>> I've been trying to track down any bugs I may have filed without success, but
>> I'm pretty sure I tried at first adding a system user to LDAP groups and that
>> did not work unless the system user was in LDAP.  This may have been before I
>> started using SSSD on the servers, so I'll need to retest this.
>
> This is an interesting use case; it would probably be appropriate to
> have an RFE filed to allow creating IPA users marked as 'non-person' so
> that they are not assigned the person objectclass.
>
> Simo.


Filed https://fedorahosted.org/freeipa/ticket/3431

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                   http://www.nwra.com

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
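The person/non-person split this thread asks for, worked as an added example (it is not code from the thread or from FreeIPA): a small Python script that reads a constructed LDIF export, keeps only entries carrying the person objectClass for the downstream sync, and labels the rest for a periodic audit. The directory base, the uids, and the shape of the "non-person" entry (account + posixAccount with no person attributes) are assumptions; the two search filters are what such a sync job would hand to ldapsearch once accounts like that exist.

```python
"""Classify LDAP user entries as person vs non-person by objectClass.

Added example, not from the freeipa-users thread or the FreeIPA project.
SAMPLE_LDIF is constructed data, not a dump of a real directory.
"""

# Filters a sync job could pass to ldapsearch. Assumption: a 'non-person'
# account keeps posixAccount but never receives the person objectClass.
HUMAN_FILTER = "(&(objectClass=posixAccount)(objectClass=person))"
NON_PERSON_FILTER = "(&(objectClass=posixAccount)(!(objectClass=person)))"

SAMPLE_LDIF = """\
# constructed: a human user as FreeIPA creates it today
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: posixaccount
uid: jdoe
cn: Jane Doe
givenName: Jane
sn: Doe
mail: jdoe@example.com
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe

# constructed: a service account added with "ipa user-add" today; it gets
# the person objectClasses too, so nothing in the entry tells it apart
dn: uid=backup,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: posixaccount
uid: backup
cn: backup
sn: backup
uidNumber: 10002
gidNumber: 10002
homeDirectory: /var/lib/backup

# constructed, assumed shape of a 'non-person' user as the RFE proposes:
# structural 'account' plus posixAccount, no person attributes (sn, mail...)
dn: uid=nagios,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixaccount
uid: nagios
cn: nagios
uidNumber: 10003
gidNumber: 10003
homeDirectory: /var/lib/nagios
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, '#' comments
    skipped, folded lines (leading space) joined, attribute names lower-cased.
    Base64 (::) and URL (:<) values are not handled; the sample has none."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def is_person(entry):
    """True when the entry carries the 'person' objectClass (case-insensitive)."""
    return any(oc.lower() == "person" for oc in entry.get("objectclass", []))


def users_for_sync(entries):
    """uids to hand to the downstream authentication system: humans only."""
    return [e["uid"][0] for e in entries if is_person(e)]


def audit(entries):
    """uid -> 'person' | 'non-person', the split a periodic audit wants."""
    return {e["uid"][0]: ("person" if is_person(e) else "non-person")
            for e in entries}


def address_book_attrs(entry):
    """Attributes an LDAP address book (e.g. Thunderbird) would display."""
    return {a: entry[a] for a in ("cn", "givenname", "sn", "mail") if a in entry}


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("sync:", users_for_sync(entries))
    for uid, kind in audit(entries).items():
        print(f"{uid:8s} {kind}")
```

Run it and the sync list comes out as jdoe and backup: with the person objectClass on every user FreeIPA creates today, the service account is indistinguishable from a human and would be copied into the other system, which is exactly the gap the ticket describes. Only the assumed non-person entry drops out, and it is also the only one with no sn or mail for an address book to pick up.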
