On 04/03/2015 09:36 AM, Brian Topping wrote:
On Apr 3, 2015, at 6:17 AM, Dmitri Pal <[email protected]
<mailto:[email protected]>> wrote:
On 04/03/2015 01:51 AM, Brian Topping wrote:
Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x
-> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on
my replicated pair of IPA instances.
Question about proper setup of service accounts: I see that the
service accounts I set up under "cn=etc, cn=sysaccounts" are still
able to log in, but the permission changes have left them unable to
read anything. Previously, I hacked the ACLs on the domain root. I
would like to believe that's not how it should be done.
That said, I was surprised that service accounts are not supported
in 4.x UI, so I wonder if service accounts
(https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html)
are the wrong way for services like Postfix to be doing LDAP queries.
The ACIs changed because we tightened them for the read permissions.
I hope you would be able to change them so that your service account
works again.
Here is the root page of the changes that we implemented.
http://www.freeipa.org/page/V4/Permissions_V2
System account is probably the right one for Postfix.
It is not in the UI and CLI because other features take precedence.
We acknowledge that it needs to be added, we just not have enough
time and resources to do it.
When we looked at 4.2 we assessed it too and it was on the border
line with a good chance of not happening, sorry.
Thanks Dmitri. I had known in advance about the ACLs, but couldn't
fully appreciate what was going to happen until doing the upgrade.
Once it was done, I was kind of surprised that the ACL changes
replicated to the 3.x server. As luck would have it, I didn't snapshot
both servers at the same time before upgrading either, and eventually,
the ACLs managed to work their way back to both the 3.x snapshots (one
of them was obviously snapshotted after the other one had been
installed with 4.1). I couldn't find upgrade notes with "gotcha"s,
this might be a good addition if there are somewhere. It was kind of
humorous in all.
As for the service feature itself, please don't apologize. I think you
guys did a spectacular job with this feature set. What I was concerned
about is making sure I am doing things as closely as possible to
future patterns to reduce upgrade costs. I don't know if it's possible
to document the pattern without committing to the feature, but it
might be helpful.
The one thing I would like to discover at this point is whether roles
and privileges build in the UI can be used by system accounts.
I am eager to know that too, please do not hesitate to share your
findings. :-)
If so, I could stop editing ACLs directly in LDIF, which is error
prone and not the kind of thing I remember too well.
Kind regards, Brian
Thanks
Dmitri
Thanks, Brian
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
