What we do is create a non-POSIX group in FreeIPA and apply a custom password policy, then join the users to that group.  Then log in as the service account and reset the account's password to some random string.  But if you reset it through the UI, it will set the password to expire in 1 hour.  Also, you can "disable" the account from the FreeIPA UI or the command line, which appears to work too. 

Here is a simple write-up of how we set up service accounts in FreeIPA:
1. Log in to the FreeIPA UI as a user/admin with privileges to add groups and password policies.

2. First we will add a group.
Click on Identity --> User Groups, then Add
Group name: svc_accounts
Description: Group used for Service Accounts
Group Type: Normal
GID: (this will be blanked out)

3. Next, add a new password policy (because you do NOT want the password on service accounts expiring every 90 days)
Policy --> Password Policies, then Add
Group: (select svc_accounts from dropdown box)
Priority: 1
Then click "Add and Edit", which will allow you more fields to populate.
Max lifetime (days): 3650  (which gives you 10 years between password changes)

4. Create a new service user account (we choose to use the prefix "svc_" for any new service accounts)
Identity --> Users, then Add
User login: svc_testuser
First Name: Test
Last Name: User
New Password: Foobar1  (easy to remember temp password)
Verify Password: Foobar1
Click on "Add and Edit",
then click on "User Groups", Add
Add this user to the "svc_accounts" group.

5. Now log in as svc_testuser with temp password "Foobar1".
Update the password to some long string of random characters (something you can set and forget).
Logout

6. Create any necessary sudo rules that allow regular users to switch to the svc_testuser account.

7. Disable service account:
From the FreeIPA UI, Go to Identity --> Users, then click on the svc_testuser user in the list.
Then use the "select action" dropdown box to "Disable" the user account, click Apply.

8. Done!

-Mike
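The same procedure can be driven from the ipa(1) command line instead of the web UI. The script below is an added example, not part of Mike's mail or of FreeIPA's own tooling. It assumes you already hold an admin Kerberos ticket (kinit admin), that the group and policy names, the "svc_" prefix, the 10-year maxlife and the sudoers group name "sysadmins" are the ones you want, and it sets the service account's password with --random (the password is printed once and never used again, since the account is disabled straight after) rather than logging in as the account and changing it by hand. DRY_RUN=1 prints the ipa commands instead of running them.

```shell
#!/bin/sh
# Added example: ipa(1) CLI equivalent of the UI steps above.
# Assumptions (not from the original mail): an admin Kerberos ticket is
# already held, group svc_accounts, policy priority 1 / maxlife 3650 days,
# the "svc_" login prefix, and "sysadmins" as the group allowed to su.
# Set DRY_RUN=1 to print the ipa commands instead of executing them.

ipa_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ipa $*"
    else
        ipa "$@"
    fi
}

# One-time setup: a non-POSIX group and a password policy bound to it that
# lifts the default 90-day expiry to 10 years (maxlife is in days).
setup_svc_group() {
    ipa_cmd group-add svc_accounts --nonposix --desc="Group used for Service Accounts"
    ipa_cmd pwpolicy-add svc_accounts --priority=1 --maxlife=3650
}

# Per account: create the user with a random password nobody keeps, add it
# to the policy group, then disable it so nothing can authenticate as it.
add_svc_account() {
    login="svc_$1"
    ipa_cmd user-add "$login" --first="$2" --last="$3" --random
    ipa_cmd group-add-member svc_accounts --users="$login"
    ipa_cmd user-disable "$login"
}

# Sudo rule letting members of the named group run "su - <svc user>" on
# every host, so the account is reached only via sudo, never by login.
add_su_rule() {
    login="svc_$1"
    ipa_cmd sudocmd-add "/bin/su - $login"
    ipa_cmd sudorule-add "su_$login" --hostcat=all
    ipa_cmd sudorule-add-allow-command "su_$login" --sudocmds="/bin/su - $login"
    ipa_cmd sudorule-add-user "su_$login" --groups="$2"
}

# Usage:  sh svc_account.sh setup
#         sh svc_account.sh add testuser Test User sysadmins
# Prefix either call with DRY_RUN=1 to preview the ipa commands.
case "${1:-}" in
    setup) setup_svc_group ;;
    add)   [ $# -eq 5 ] || { echo "usage: $0 add NAME FIRST LAST SUDO_GROUP" >&2; exit 2; }
           add_svc_account "$2" "$3" "$4"
           add_su_rule "$2" "$5" ;;
esac
```

Run "setup" once per realm and "add" once per service account. The su command is registered with its arguments, so members of the sudoers group can run exactly "sudo su - svc_testuser" and nothing broader; the user-disable step is what prevents direct logins, matching step 7 of the UI procedure.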


-----Original Message-----
From: "Redmond, Stacy"
Sent: Dec 10, 2015 1:24 PM
To: "freeipa-users@redhat.com"
Subject: [Freeipa-users] Service Accounts via IPA

Generally I will lock a service account on Linux so that the account cannot log in, but users can sudo su - to that user.  As I don't have access to the password field in FreeIPA, what are my options to set this up as a default for service accounts, or how can I modify individual accounts that need access to a system, but should not be able to log in to the system.  Any help is appreciated.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project