Re: [Freeipa-users] Proper configuration of service accounts

2015-05-21 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
Rob, << Try adding the inetUser objectclass to your system account. You're probably lacking memberOf. >> Thanks, that worked. My last issue is to add read/search permission on the "name" attribute as the vendor doesn't offer a way to not include it in a search filter to find user groups. << I

Re: [Freeipa-users] Proper configuration of service accounts

2015-05-20 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
I forgot to describe the system account that I created. I followed the procedure at https://www.freeipa.org/page/HowTo/LDAP#System_Accounts # LDAPsearch, sysaccounts, etc, ... dn: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=... objectClass: account objectClass: simplesecurityobject objectClass: top u

Re: [Freeipa-users] Proper configuration of service accounts

2015-05-20 Thread Rob Crittenden
Boyce, George Robert. (GSFC-762.0)[NICS] wrote: << If you want to add special ACIs using the new/updated permission API (ipa permission-add), I would suggest following procedure: 1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71 2) Add the new permissions you want to add, make

Re: [Freeipa-users] Proper configuration of service accounts

2015-05-20 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
<< If you want to add special ACIs using the new/updated permission API (ipa permission-add), I would suggest following procedure: 1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71 2) Add the new permissions you want to add, make them a member of a (new) privilege. 3) Create a new r

Re: [Freeipa-users] Proper configuration of service accounts

2015-04-07 Thread Martin Kosek
On 04/03/2015 03:36 PM, Brian Topping wrote: >> On Apr 3, 2015, at 6:17 AM, Dmitri Pal wrote: >> >> On 04/03/2015 01:51 AM, Brian Topping wrote: >>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> >>> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my >>> re

Re: [Freeipa-users] Proper configuration of service accounts

2015-04-03 Thread Alexander Bokovoy
On Fri, 03 Apr 2015, Dmitri Pal wrote: On 04/03/2015 09:36 AM, Brian Topping wrote: On Apr 3, 2015, at 6:17 AM, Dmitri Pal wrote: On 04/03/2015 01:51 AM, Brian Topping wrote: Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> 4.1.0 upgrade went smoo

Re: [Freeipa-users] Proper configuration of service accounts

2015-04-03 Thread Dmitri Pal
On 04/03/2015 09:36 AM, Brian Topping wrote: On Apr 3, 2015, at 6:17 AM, Dmitri Pal wrote: On 04/03/2015 01:51 AM, Brian Topping wrote: Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade o

Re: [Freeipa-users] Proper configuration of service accounts

2015-04-03 Thread Brian Topping
> On Apr 3, 2015, at 6:17 AM, Dmitri Pal wrote: > > On 04/03/2015 01:51 AM, Brian Topping wrote: >> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> 4.1.0 >> upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my replicated >> pair of IPA instances. >> >> Question a

Re: [Freeipa-users] Proper configuration of service accounts

2015-04-03 Thread Dmitri Pal
On 04/03/2015 01:51 AM, Brian Topping wrote: Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my replicated pair of IPA instances. Question about proper setup of service accounts: I see that the service acco

[Freeipa-users] Proper configuration of service accounts

2015-04-02 Thread Brian Topping
Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my replicated pair of IPA instances. Question about proper setup of service accounts: I see that the service accounts I set up under "cn=etc, cn=sysaccounts" ar