Marat Vyshegorodtsev wrote:
> Hi!
>
> My FreeIPA deployment is a part of a PCI cardholder data environment.
>
> Hence, I have to comply with the requirements such as 8.1.1
> (assign unique ID to each user) and 8.5 (do not use generic or shared
> IDs).
>
> I would like to move this user under service accounts (it may still be
> used by chef/puppet to run the recipes etc), but I don't see how it is
> even possible.
>
> I tried recreating this user under cn=sysaccounts,cn=etc and removing
> the following object classes, but this breaks everything.
> objectClass: top
> objectClass: person
> objectClass: posixaccount
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
Breaks what? There is very little special about the user uid=admin. The
only thing special is that it is a member of the group admins.

That said, I'm not sure it has ever been tested from sysaccounts, and I'm
sure that creating new replicas will break
(https://fedorahosted.org/freeipa/ticket/5060), but I don't know what
else.

rob

> How can I pull this off? Did anybody pass PCI DSS audit (for real, I'm
> not talking about sloppy QSAs) using FreeIPA as an IdM solution?
>
> Best regards,
> Marat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
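For reference, an added example that is not from the thread or from the FreeIPA project: the conventional shape of a FreeIPA system account under cn=sysaccounts,cn=etc, which is what the stripped-down user Marat describes would normally look like. Instead of removing objectclasses from a copy of a regular user entry, a system account is created fresh with only the account and simplesecurityobject objectclasses. The base DN dc=example,dc=com, the account name uid=chef-runner and the password are placeholders.

```ldif
# Added example, not from the thread or the FreeIPA project.
# Assumed base DN dc=example,dc=com and placeholder uid chef-runner.
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f sysaccount.ldif
dn: uid=chef-runner,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
# A bind-only account: no person, posixaccount or ipa* objectclasses,
# so it has no UID/GID, no home directory and no SSH keys.
objectClass: account
objectClass: simplesecurityobject
uid: chef-runner
# Placeholder secret; set a unique one per account to satisfy
# the "no shared IDs" requirement discussed above.
userPassword: CHANGE-ME-placeholder
# 389-ds password policy attribute: pin the expiry far in the future so
# the automation account does not silently stop binding.
passwordExpirationTime: 20380119031407Z
# 389-ds per-entry resource limit: no idle timeout for long-lived binds.
nsIdleTimeout: 0
```

Two caveats a practitioner will want. First, an entry like this can bind to LDAP but has no POSIX identity, so it cannot log in to hosts or run chef/puppet recipes as a Unix user; it only covers the "service account that talks to the directory" case. Second, it lives outside cn=users,cn=accounts, so the ipa user-* commands will not see it, and nothing here makes it a member of cn=admins; whether uid=admin itself may be moved or renamed is the separate question Rob raises, and the ticket he cites should be read before touching that entry.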