On Tue, 2015-04-07 at 18:54 +0000, Coy Hile wrote:
> Quoting Simo Sorce <s...@redhat.com>:
>
> >> I guess that makes sense. Is it possible to add a user that simply
> >> doesn't have the posix attributes defined? In the particular case of
> >> */admin, I would expect that user to log in to the ipa ui or to be
> >> kinit'd to prior to running ipa administrative commands, but I should
> >> hope that it should never log in directly.
> >>
> >> Does that question make more sense?
> >
> > It does, but we do not have such a feature, sorry.
> >
> > Simo.
>
> Could one hypothetically remove the posix attributes (via some scripted
> process that validates that what it's doing is in line with organizational
> norms/goals) without breaking freeIPA, or are the posix attributes MUST in
> the IPA object classes? I'm sorry for so many endless questions, but having
> finally got my personal setup/lab using something other than Active Directory,
> I'm looking to migrate to something that is easier to manage, so I'm trying to
> draw comparisons between what I had been used to in previous vanilla krb/ldap
> shops.
Removing attributes will probably not work well, but let me ask: do you
require different passwords for these principals? Or do you merely want to
have the alternative names but would be ok if the credentials were identical?

Because you could (manually for now) add aliases so that hile@, hile/admin@
and hile/foo@ are the same thing, where hile@ is the canonical name but you
can use the aliases too (just make sure not to request canonicalization at
kinit time).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
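The "add aliases manually" step Simo describes, written out as an added example (this is not code from the thread, from Simo, or from the FreeIPA project). It generates the LDIF that an operator would feed to ldapmodify so that hile@, hile/admin@ and hile/foo@ resolve to one account, with hile@ kept as the canonical name, and shows the kinit call without the canonicalization flag. The user DN layout (uid=<user>,cn=users,cn=accounts,<basedn>), the use of the multi-valued krbPrincipalName attribute for the aliases and of krbCanonicalName for the canonical name, and the hostname/realm values are my assumptions, not facts stated in the thread.

```shell
#!/bin/sh
# Added example; not code from the thread or from FreeIPA itself.
# Emits the LDIF that adds Kerberos principal aliases to an existing IPA user
# entry so that <user>@REALM (canonical) and <user>/<inst>@REALM (aliases)
# resolve to the same account, the manual approach Simo mentions.
# Assumptions (mine, not stated in the thread): the user entry lives at
# uid=<user>,cn=users,cn=accounts,<basedn>; ipa-kdb resolves any value of the
# multi-valued krbPrincipalName attribute; krbCanonicalName names the
# canonical principal the KDC would return if a client asked it to canonicalize.

# alias_ldif USER REALM BASEDN INSTANCE...  ->  ldapmodify LDIF on stdout
alias_ldif() {
    user=$1 realm=$2 basedn=$3
    shift 3
    [ $# -ge 1 ] || { echo "alias_ldif: need at least one instance" >&2; return 1; }
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$user" "$basedn"
    printf 'changetype: modify\n'
    # <user>@REALM stays the canonical name, as in the thread
    printf 'replace: krbCanonicalName\n'
    printf 'krbCanonicalName: %s@%s\n' "$user" "$realm"
    printf '%s\n' -
    # every alias is just one more krbPrincipalName value on the same entry,
    # so the password (and the rest of the account) is shared with the alias
    printf 'add: krbPrincipalName\n'
    for inst in "$@"; do
        printf 'krbPrincipalName: %s/%s@%s\n' "$user" "$inst" "$realm"
    done
    printf '%s\n' -
}

# count_aliases USER REALM BASEDN INSTANCE... -> number of alias values emitted
# (cheap self-check that every requested instance made it into the LDIF)
count_aliases() {
    alias_ldif "$@" | grep -c '^krbPrincipalName: '
}

# Operator usage against a live server (needs an admin ticket; not run here;
# hostname, realm and base DN are placeholders):
#   alias_ldif hile EXAMPLE.COM dc=example,dc=com admin foo \
#       | ldapmodify -Y GSSAPI -H ldap://ipa.example.com
#   kinit hile/admin      # no -C: do not request canonicalization (Simo's caveat)
```

Each alias is a value on the existing entry rather than a separate principal, which is exactly why this answers the "same credentials, different names" case and not the "different passwords per principal" case Simo asks about first.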