On 02/17/2013 02:37 PM, Simo Sorce wrote:
> On Sat, 2013-02-16 at 13:31 +, Charlie Derwent wrote:
>>
>> Bit late to the conversation here, but if you want another example of a
>> quasi-system account within IPA, there is the need for a user to handle
>> automated enrollment/re-enrollment
On Sat, 2013-02-16 at 13:31 +, Charlie Derwent wrote:
>
>
> Bit late to the conversation here, but if you want another example of a
> quasi-system account within IPA, there is the need for a user to handle
> automated enrollment/re-enrollment of servers.
>
> Charlie
>
For this we should
Bit late to the conversation here, but if you want another example of a
quasi-system account within IPA, there is the need for a user to handle
automated enrollment/re-enrollment of servers.
Charlie
On Fri, Feb 15, 2013 at 11:32 PM, Brian Cook wrote:
>
> On Feb 15, 2013, at 3:11 PM, Simo Sorce
On Feb 15, 2013, at 3:11 PM, Simo Sorce wrote:
> On Fri, 2013-02-15 at 17:34 -0500, Dmitri Pal wrote:
>> On 02/15/2013 05:12 PM, John Dennis wrote:
>>> On 02/15/2013 04:54 PM, Orion Poplawski wrote:
On 02/15/2013 02:34 PM, John Dennis wrote:
> On 02/15/2013 04:16 PM, Orion Poplawski wro
On Fri, 2013-02-15 at 17:34 -0500, Dmitri Pal wrote:
> On 02/15/2013 05:12 PM, John Dennis wrote:
> > On 02/15/2013 04:54 PM, Orion Poplawski wrote:
> >> On 02/15/2013 02:34 PM, John Dennis wrote:
> >>> On 02/15/2013 04:16 PM, Orion Poplawski wrote:
>
> Hmm, that is the filter in TB for m
On Fri, 2013-02-15 at 16:06 -0700, Orion Poplawski wrote:
> On 02/15/2013 04:03 PM, Simo Sorce wrote:
> > On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote:
> >> On 02/15/2013 04:54 PM, Orion Poplawski wrote:
> >>> On 02/15/2013 02:34 PM, John Dennis wrote:
> On 02/15/2013 04:16 PM, Orion P
On 02/15/2013 04:06 PM, Orion Poplawski wrote:
On 02/15/2013 04:03 PM, Simo Sorce wrote:
On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote:
On 02/15/2013 04:54 PM, Orion Poplawski wrote:
Yup, then it adds it:
filter="(&(objectClass=person)(|(mail=*apac*)(cn=*apac*)(givenName=*apac*)(sn=*a
On 02/15/2013 04:03 PM, Simo Sorce wrote:
On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote:
On 02/15/2013 04:54 PM, Orion Poplawski wrote:
On 02/15/2013 02:34 PM, John Dennis wrote:
On 02/15/2013 04:16 PM, Orion Poplawski wrote:
Hmm, that is the filter in TB for me too, but:
[15/Fe
On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote:
> On 02/15/2013 04:54 PM, Orion Poplawski wrote:
> > On 02/15/2013 02:34 PM, John Dennis wrote:
> >> On 02/15/2013 04:16 PM, Orion Poplawski wrote:
> >>>
> >>> Hmm, that is the filter in TB for me too, but:
> >>>
> >>> [15/Feb/2013:11:17:21
On 02/15/2013 03:12 PM, John Dennis wrote:
On 02/15/2013 04:54 PM, Orion Poplawski wrote:
On 02/15/2013 02:34 PM, John Dennis wrote:
What happens if you set the TB filter to (objectclass=person)?
Yup, then it adds it:
filter="(&(objectClass=person)(|(mail=*apac*)(cn=*apac*)(givenName=*apac
On 02/15/2013 05:12 PM, John Dennis wrote:
> On 02/15/2013 04:54 PM, Orion Poplawski wrote:
>> On 02/15/2013 02:34 PM, John Dennis wrote:
>>> On 02/15/2013 04:16 PM, Orion Poplawski wrote:
Hmm, that is the filter in TB for me too, but:
[15/Feb/2013:11:17:21 -0700] conn=931 o
On 02/15/2013 04:54 PM, Orion Poplawski wrote:
On 02/15/2013 02:34 PM, John Dennis wrote:
On 02/15/2013 04:16 PM, Orion Poplawski wrote:
Hmm, that is the filter in TB for me too, but:
[15/Feb/2013:11:17:21 -0700] conn=931 op=1 SRCH
base="ou=people,dc=nwra,dc=com" scope=2
filter="(|(mail=*
On 02/15/2013 02:34 PM, John Dennis wrote:
On 02/15/2013 04:16 PM, Orion Poplawski wrote:
Hmm, that is the filter in TB for me too, but:
[15/Feb/2013:11:17:21 -0700] conn=931 op=1 SRCH
base="ou=people,dc=nwra,dc=com" scope=2
filter="(|(mail=*apache*)(cn=*apache*)(givenName=*apache*)(sn=*apa
On 02/15/2013 04:16 PM, Orion Poplawski wrote:
On 02/15/2013 02:02 PM, John Dennis wrote:
On 02/15/2013 03:57 PM, Orion Poplawski wrote:
On 02/15/2013 01:56 PM, John Dennis wrote:
On 02/15/2013 03:46 PM, Simo Sorce wrote:
This is an interesting use case, it would probably be appropriate to
ha
On 02/15/2013 01:46 PM, Simo Sorce wrote:
On Fri, 2013-02-15 at 12:01 -0700, Orion Poplawski wrote:
What brought this up was the need to sync users from LDAP into another
authentication system, and for that system we only wanted "real" human people
to be listed.
Also, we don't want these accoun
On 02/15/2013 04:01 PM, Orion Poplawski wrote:
> On 02/15/2013 01:42 PM, John Dennis wrote:
>> On 02/15/2013 02:23 PM, Orion Poplawski wrote:
>>> On 02/15/2013 12:01 PM, Orion Poplawski wrote:
I've been trying to track down any bugs I may have filed without success, but
I'm pret
On 02/15/2013 03:46 PM, Simo Sorce wrote:
> On Fri, 2013-02-15 at 12:01 -0700, Orion Poplawski wrote:
>> On 02/15/2013 11:49 AM, Rob Crittenden wrote:
Another example is a backup user account that backup software logs in as.
Also some accounts that own files and some services run as
On 02/15/2013 02:02 PM, John Dennis wrote:
On 02/15/2013 03:57 PM, Orion Poplawski wrote:
On 02/15/2013 01:56 PM, John Dennis wrote:
On 02/15/2013 03:46 PM, Simo Sorce wrote:
This is an interesting use case, it would probably be appropriate to
have an RFE filed to allow to create ipa users mark
On Feb 15, 2013, at 1:02 PM, John Dennis wrote:
> On 02/15/2013 03:57 PM, Orion Poplawski wrote:
>> On 02/15/2013 01:56 PM, John Dennis wrote:
>>> On 02/15/2013 03:46 PM, Simo Sorce wrote:
This is an interesting use case, it would probably be appropriate to
have an RFE filed to allow to
On 02/15/2013 03:57 PM, Orion Poplawski wrote:
On 02/15/2013 01:56 PM, John Dennis wrote:
On 02/15/2013 03:46 PM, Simo Sorce wrote:
This is an interesting use case, it would probably be appropriate to
have an RFE filed to allow to create ipa users marked as 'non-person' so
that they are not assi
On 02/15/2013 01:42 PM, John Dennis wrote:
On 02/15/2013 02:23 PM, Orion Poplawski wrote:
On 02/15/2013 12:01 PM, Orion Poplawski wrote:
I've been trying to track down any bugs I may have filed without success, but
I'm pretty sure I tried at first adding a system user to LDAP groups and that
n
On 02/15/2013 01:56 PM, John Dennis wrote:
On 02/15/2013 03:46 PM, Simo Sorce wrote:
This is an interesting use case, it would probably be appropriate to
have an RFE filed to allow to create ipa users marked as 'non-person' so
that they are not assigned the person objectclass.
Yes, that address
On 02/15/2013 03:46 PM, Simo Sorce wrote:
This is an interesting use case, it would probably be appropriate to
have an RFE filed to allow to create ipa users marked as 'non-person' so
that they are not assigned the person objectclass.
Yes, that addresses one large component of the problem. But t
On Fri, 2013-02-15 at 12:01 -0700, Orion Poplawski wrote:
> On 02/15/2013 11:49 AM, Rob Crittenden wrote:
> >> Another example is a backup user account that backup software logs in as.
> >>
> >> Also some accounts that own files and some services run as that are
> >> needed on multiple machines. I
On 02/15/2013 02:23 PM, Orion Poplawski wrote:
On 02/15/2013 12:01 PM, Orion Poplawski wrote:
I've been trying to track down any bugs I may have filed without success, but
I'm pretty sure I tried at first adding a system user to LDAP groups and that
not working unless the system user was in LDA
On 02/15/2013 12:01 PM, Orion Poplawski wrote:
I've been trying to track down any bugs I may have filed without success, but
I'm pretty sure I tried at first adding a system user to LDAP groups and that
not working unless the system user was in LDAP. This may have been before I
started using SS
On 02/15/2013 11:49 AM, Rob Crittenden wrote:
Another example is a backup user account that backup software logs in as.
Also some accounts that own files and some services run as that are
needed on multiple machines. I suppose we could use puppet to manage
those, but ldap seems more convenient.
On 02/15/2013 11:50 AM, John Dennis wrote:
O.K. but I want to make sure you understand the difference. If you give login
or other permissions to a network facing system daemon you're opening a huge
security hole. Adding the apache user to the set of users managed by IPA is
quite dangerous unless
On 02/15/2013 01:39 PM, Orion Poplawski wrote:
On 02/15/2013 11:38 AM, John Dennis wrote:
On 02/15/2013 01:35 PM, Rob Crittenden wrote:
John Dennis wrote:
The example cited was the apache user, a system daemon. For system users
bound to system daemons I stand by what I said. If you want to tal
Orion Poplawski wrote:
On 02/15/2013 11:38 AM, John Dennis wrote:
On 02/15/2013 01:35 PM, Rob Crittenden wrote:
John Dennis wrote:
The example cited was the apache user, a system daemon. For system users
bound to system daemons I stand by what I said. If you want to talk
about other system use
On 02/15/2013 11:38 AM, John Dennis wrote:
On 02/15/2013 01:35 PM, Rob Crittenden wrote:
John Dennis wrote:
The example cited was the apache user, a system daemon. For system users
bound to system daemons I stand by what I said. If you want to talk
about other system users not bound to a daemon
On 02/15/2013 01:35 PM, Rob Crittenden wrote:
John Dennis wrote:
The example cited was the apache user, a system daemon. For system users
bound to system daemons I stand by what I said. If you want to talk
about other system users not bound to a daemon then state that rather
than confusing the i
John Dennis wrote:
The example cited was the apache user, a system daemon. For system users
bound to system daemons I stand by what I said. If you want to talk
about other system users not bound to a daemon then state that rather
than confusing the issue.
He cited a backup user. That isn't tie
The example cited was the apache user, a system daemon. For system users
bound to system daemons I stand by what I said. If you want to talk
about other system users not bound to a daemon then state that rather
than confusing the issue.
--
John Dennis
John Dennis wrote:
On 02/15/2013 12:32 PM, Orion Poplawski wrote:
On 02/15/2013 09:45 AM, Petr Viktorin wrote:
On 02/15/2013 05:36 PM, Orion Poplawski wrote:
Is there a recommended way to distinguish between "real" human user
accounts in IPA and non-human "system" accounts in IPA?
What kind
There are lots of use cases where it makes sense to have a shared 'application'
user:
-agentless monitoring
-penetration testing
-code deployment
-clustering
The system user is not always the user an application is running as. Sometimes
it is just a user that is used to gain access to a remote
On 02/15/2013 12:32 PM, Orion Poplawski wrote:
On 02/15/2013 09:45 AM, Petr Viktorin wrote:
On 02/15/2013 05:36 PM, Orion Poplawski wrote:
Is there a recommended way to distinguish between "real" human user
accounts in IPA and non-human "system" accounts in IPA?
What kind of system accounts
On 02/15/2013 09:45 AM, Petr Viktorin wrote:
On 02/15/2013 05:36 PM, Orion Poplawski wrote:
Is there a recommended way to distinguish between "real" human user
accounts in IPA and non-human "system" accounts in IPA?
What kind of system accounts do you have in IPA? Consider not storing them in
On 02/15/2013 05:36 PM, Orion Poplawski wrote:
Is there a recommended way to distinguish between "real" human user
accounts in IPA and non-human "system" accounts in IPA?
What kind of system accounts do you have in IPA? Consider not storing
them in IPA at all.
--
Petr³
Is there a recommended way to distinguish between "real" human user accounts
in IPA and non-human "system" accounts in IPA?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane