Re: [Freeipa-users] RHEV-M + service accounts in IPA
On 09/05/2012 10:53 AM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> On 05/09/12 13:39, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>> Afternoon all
>>>>
>>>> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3
>>>> (ipa-server-2.2-16).
>>>>
>>>> I have an API script that handles all my deployments and I am trying to
>>>> set up a role account for my script to run within a Jenkins environment.
>>>>
>>>> I have created an LDAP sysaccount, however that doesn't appear in the
>>>> RHEV users list when I do a search. So it's clear it's looking for
>>>> specific IPA users.
>>>>
>>>> Is there a way (or on the roadmap) to create service/role accounts in
>>>> IPA where the password doesn't expire?
>>>>
>>>> I'm trying to avoid scenarios like this:
>>>> https://access.redhat.com/knowledge/solutions/67562
>>>>
>>>> Any comments / suggestions are welcome.
>>>>
>>>> Thanks everyone
>>>>
>>>> Dale
>>>
>>> A work-around is to set krbpasswordexpiration of the user somewhere
>>> far in the future to prevent expiration.
>>
>> That'll work. Do I need to do anything fancy though? I tried running
>> the below on a new user called rhev-build but it keeps erroring out. I
>> know I have a current TGT, otherwise I wouldn't be able to add the user
>> in the first place.
>>
>> [root@ds01 ~]# ipa user-mod rhev-build --setattr=krbPasswordExpiration=20131231011529Z
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
>> [root@ds01 ~]#
>
> We don't let admins muck with the expiration date. Please file an RFE
> ticket if you'd like that capability.

https://fedorahosted.org/freeipa/ticket/3062

> You'll have to resort to ldapmodify:
>
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20131231011529Z
>
> modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"
>
> You might want to consider 2037 as the year. 2014 will be here before
> you know it.
>
> rob
>
>>> We have a ticket open on this,
>>> https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
>>> 3.3.
>>
>> Good to know it's on its way. This is a demo lab so setting a long
>> password expiry addresses my needs.
>>
>>> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] RHEV-M + service accounts in IPA
Dale Macartney wrote:
> On 05/09/12 13:39, Rob Crittenden wrote:
>> Dale Macartney wrote:
>>> Afternoon all
>>>
>>> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3
>>> (ipa-server-2.2-16).
>>>
>>> I have an API script that handles all my deployments and I am trying to
>>> set up a role account for my script to run within a Jenkins environment.
>>>
>>> I have created an LDAP sysaccount, however that doesn't appear in the
>>> RHEV users list when I do a search. So it's clear it's looking for
>>> specific IPA users.
>>>
>>> Is there a way (or on the roadmap) to create service/role accounts in
>>> IPA where the password doesn't expire?
>>>
>>> I'm trying to avoid scenarios like this:
>>> https://access.redhat.com/knowledge/solutions/67562
>>>
>>> Any comments / suggestions are welcome.
>>>
>>> Thanks everyone
>>>
>>> Dale
>>
>> A work-around is to set krbpasswordexpiration of the user somewhere
>> far in the future to prevent expiration.
>
> That'll work. Do I need to do anything fancy though? I tried running
> the below on a new user called rhev-build but it keeps erroring out. I
> know I have a current TGT, otherwise I wouldn't be able to add the user
> in the first place.
>
> [root@ds01 ~]# ipa user-mod rhev-build --setattr=krbPasswordExpiration=20131231011529Z
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
> [root@ds01 ~]#

We don't let admins muck with the expiration date. Please file an RFE
ticket if you'd like that capability.

You'll have to resort to ldapmodify:

$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20131231011529Z

modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"

You might want to consider 2037 as the year. 2014 will be here before
you know it.

rob

>> We have a ticket open on this,
>> https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
>> 3.3.
>
> Good to know it's on its way. This is a demo lab so setting a long
> password expiry addresses my needs.
>
>> rob
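As an added example (not code from the thread or from FreeIPA), the two halves of Rob's workaround in Python: generating the LDIF that ldapmodify consumes from a datetime, and a defender-side audit that reads an ldapsearch dump and flags users whose krbPasswordExpiration sits more than a year out, so accounts given a 2037 expiry remain visible to whoever reviews the directory. The sample dump, the one-year threshold and the `cn=users,cn=accounts,dc=example,dc=com` base are constructed or taken from the thread's example DNs.

```python
import re
from datetime import datetime, timezone, timedelta

# Users container taken from the thread's example DNs (assumption for the lab).
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"
GT_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime in UTC, e.g. 20131231011529Z

def expiry_ldif(uid, expires):
    """Build the LDIF Rob pipes into ldapmodify; `expires` is an aware UTC datetime."""
    stamp = expires.astimezone(timezone.utc).strftime(GT_FMT)
    return (f"dn: uid={uid},{USERS_BASE}\n"
            "changetype: modify\n"
            "replace: krbPasswordExpiration\n"
            f"krbPasswordExpiration: {stamp}\n")

def parse_generalized_time(value):
    """Turn a GeneralizedTime string from the directory back into an aware datetime."""
    return datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)

def long_lived_accounts(ldif_dump, now, max_days=365):
    """Return [(uid, expiry)] for entries in an LDIF dump whose
    krbPasswordExpiration lies more than `max_days` after `now`."""
    flagged = []
    for entry in re.split(r"\n\s*\n", ldif_dump.strip()):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        if "krbPasswordExpiration" not in attrs:
            continue  # entry without a Kerberos expiry (e.g. no password set yet)
        expiry = parse_generalized_time(attrs["krbPasswordExpiration"])
        if expiry - now > timedelta(days=max_days):
            flagged.append((attrs["uid"], expiry))
    return flagged

# Constructed sample of `ldapsearch -LLL ... uid krbPasswordExpiration` output.
SAMPLE_DUMP = """\
dn: uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com
uid: rhev-build
krbPasswordExpiration: 20371231011529Z

dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
uid: tuser1
krbPasswordExpiration: 20121130120000Z
"""

if __name__ == "__main__":
    now = datetime(2012, 9, 5, tzinfo=timezone.utc)  # date of the thread
    print(long_lived_accounts(SAMPLE_DUMP, now))
```

Feed the output of `expiry_ldif` to `ldapmodify -x -D 'cn=directory manager' -W` exactly as Rob shows; the audit function is meant to run over a periodic export so the far-future expiries are reviewed rather than forgotten.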
Re: [Freeipa-users] RHEV-M + service accounts in IPA
On 05/09/12 13:39, Rob Crittenden wrote:
> Dale Macartney wrote:
>> Afternoon all
>>
>> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3
>> (ipa-server-2.2-16).
>>
>> I have an API script that handles all my deployments and I am trying to
>> set up a role account for my script to run within a Jenkins environment.
>>
>> I have created an LDAP sysaccount, however that doesn't appear in the
>> RHEV users list when I do a search. So it's clear it's looking for
>> specific IPA users.
>>
>> Is there a way (or on the roadmap) to create service/role accounts in
>> IPA where the password doesn't expire?
>>
>> I'm trying to avoid scenarios like this:
>> https://access.redhat.com/knowledge/solutions/67562
>>
>> Any comments / suggestions are welcome.
>>
>> Thanks everyone
>>
>> Dale
>
> A work-around is to set krbpasswordexpiration of the user somewhere far
> in the future to prevent expiration.

That'll work. Do I need to do anything fancy though? I tried running the
below on a new user called rhev-build but it keeps erroring out. I know I
have a current TGT, otherwise I wouldn't be able to add the user in the
first place.

[root@ds01 ~]# ipa user-mod rhev-build --setattr=krbPasswordExpiration=20131231011529Z
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
[root@ds01 ~]#

> We have a ticket open on this,
> https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
> 3.3.

Good to know it's on its way. This is a demo lab so setting a long
password expiry addresses my needs.

> rob
Re: [Freeipa-users] RHEV-M + service accounts in IPA
Dale Macartney wrote:
> Afternoon all
>
> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3
> (ipa-server-2.2-16).
>
> I have an API script that handles all my deployments and I am trying to
> set up a role account for my script to run within a Jenkins environment.
>
> I have created an LDAP sysaccount, however that doesn't appear in the
> RHEV users list when I do a search. So it's clear it's looking for
> specific IPA users.
>
> Is there a way (or on the roadmap) to create service/role accounts in
> IPA where the password doesn't expire?
>
> I'm trying to avoid scenarios like this:
> https://access.redhat.com/knowledge/solutions/67562
>
> Any comments / suggestions are welcome.
>
> Thanks everyone
>
> Dale

A work-around is to set krbpasswordexpiration of the user somewhere far
in the future to prevent expiration.

We have a ticket open on this,
https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
3.3.

rob
[Freeipa-users] RHEV-M + service accounts in IPA
Afternoon all

I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3
(ipa-server-2.2-16).

I have an API script that handles all my deployments and I am trying to
set up a role account for my script to run within a Jenkins environment.

I have created an LDAP sysaccount, however that doesn't appear in the
RHEV users list when I do a search. So it's clear it's looking for
specific IPA users.

Is there a way (or on the roadmap) to create service/role accounts in
IPA where the password doesn't expire?

I'm trying to avoid scenarios like this:
https://access.redhat.com/knowledge/solutions/67562

Any comments / suggestions are welcome.

Thanks everyone

Dale