Marat Vyshegorodtsev wrote:
> My FreeIPA deployment is a part of PCI cardholder data environment.
> Hence, I have to comply with with the requirements such as 8.1.1
> (assign unique ID to each user) and 8.5 (do not use generic or shared
> I would like to move this user under service accounts (it may still be
> used by chef/puppet to run the recipes etc), but I don't see how it is
> even possible.
> I tried recreating this user under cn=sysaccounts,cn=etc and removing
> the following object classes, but this breaks everything.
> objectClass: top
> objectClass: person
> objectClass: posixaccount
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
There is little very special about the user uid=admin. The only thing
special is that it is a member of the group admins.
That said, not sure if it has ever been tested from sysaccounts and I'm
sure that creating new replicas will break
(https://fedorahosted.org/freeipa/ticket/5060) but I don't know what else.
> How can I pull this off? Did anybody pass PCI DSS audit (for real, I'm
> not talking about sloppy QSAs) using FreeIPA as an IdM solution?
> Best regards,
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project