Re: [Freeipa-users] Non-human users

2013-02-17 Thread Simo Sorce
On Sat, 2013-02-16 at 13:31 +, Charlie Derwent wrote: Bit late to the conversation here, but if you want another example of a quasi-system account within IPA, there is the need for a user to handle automated enrollment/re-enrollment of servers. Charlie For this we should be able

Re: [Freeipa-users] Non-human users

2013-02-17 Thread Dmitri Pal
On 02/17/2013 02:37 PM, Simo Sorce wrote: On Sat, 2013-02-16 at 13:31 +, Charlie Derwent wrote: Bit late to the conversation here, but if you want another example of a quasi-system account within IPA, there is the need for a user to handle automated enrollment/re-enrollment of servers.

Re: [Freeipa-users] Non-human users

2013-02-16 Thread Charlie Derwent
Bit late to the conversation here, but if you want another example of a quasi-system account within IPA, there is the need for a user to handle automated enrollment/re-enrollment of servers. Charlie On Fri, Feb 15, 2013 at 11:32 PM, Brian Cook bc...@redhat.com wrote: On Feb 15, 2013, at 3:11

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Petr Viktorin
On 02/15/2013 05:36 PM, Orion Poplawski wrote: Is there a recommended way to distinguish between real human user accounts in IPA and non-human system accounts in IPA? What kind of system accounts do you have in IPA? Consider not storing them in IPA at all. -- Petr³

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 09:45 AM, Petr Viktorin wrote: On 02/15/2013 05:36 PM, Orion Poplawski wrote: Is there a recommended way to distinguish between real human user accounts in IPA and non-human system accounts in IPA? What kind of system accounts do you have in IPA? Consider not storing them in

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 12:32 PM, Orion Poplawski wrote: On 02/15/2013 09:45 AM, Petr Viktorin wrote: On 02/15/2013 05:36 PM, Orion Poplawski wrote: Is there a recommended way to distinguish between real human user accounts in IPA and non-human system accounts in IPA? What kind of system accounts do

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Brian Cook
There are lots of use cases where it makes sense to have a shared 'application' user: -agentless monitoring -penetration testing -code deployment -clustering The system user is not always the user an application is running as. Sometimes it is just a user that is used to gain access to a remote

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Rob Crittenden
John Dennis wrote: On 02/15/2013 12:32 PM, Orion Poplawski wrote: On 02/15/2013 09:45 AM, Petr Viktorin wrote: On 02/15/2013 05:36 PM, Orion Poplawski wrote: Is there a recommended way to distinguish between real human user accounts in IPA and non-human system accounts in IPA? What kind of

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
The example cited was the apache user, a system daemon. For system users bound to system daemons I stand by what I said. If you want to talk about other system users not bound to a daemon then state that rather than confusing the issue. -- John Dennis jden...@redhat.com Looking to carve out

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Rob Crittenden
John Dennis wrote: The example cited was the apache user, a system daemon. For system users bound to system daemons I stand by what I said. If you want to talk about other system users not bound to a daemon then state that rather than confusing the issue. He cited a backup user. That isn't

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 01:35 PM, Rob Crittenden wrote: John Dennis wrote: The example cited was the apache user, a system daemon. For system users bound to system daemons I stand by what I said. If you want to talk about other system users not bound to a daemon then state that rather than confusing the

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 11:38 AM, John Dennis wrote: On 02/15/2013 01:35 PM, Rob Crittenden wrote: John Dennis wrote: The example cited was the apache user, a system daemon. For system users bound to system daemons I stand by what I said. If you want to talk about other system users not bound to a

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Rob Crittenden
Orion Poplawski wrote: On 02/15/2013 11:38 AM, John Dennis wrote: On 02/15/2013 01:35 PM, Rob Crittenden wrote: John Dennis wrote: The example cited was the apache user, a system daemon. For system users bound to system daemons I stand by what I said. If you want to talk about other system

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 01:39 PM, Orion Poplawski wrote: On 02/15/2013 11:38 AM, John Dennis wrote: On 02/15/2013 01:35 PM, Rob Crittenden wrote: John Dennis wrote: The example cited was the apache user, a system daemon. For system users bound to system daemons I stand by what I said. If you want to

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 11:50 AM, John Dennis wrote: O.K. but I want to make sure you understand the difference. If you give login or other permissions to a network facing system daemon you're opening a huge security hole. Adding the apache user to the set of users managed by IPA is quite dangerous

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 11:49 AM, Rob Crittenden wrote: Another example is a backup user account that backup software logs in as. Also some accounts that own files and some services run as that are needed on multiple machines. I suppose we could use puppet to manage those, but ldap seems more

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 12:01 PM, Orion Poplawski wrote: I've been trying to track down any bugs I may have filed without success, but I'm pretty sure I tried at first adding a system user to LDAP groups and that not working unless the system user was in LDAP. This may have been before I started using

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 02:23 PM, Orion Poplawski wrote: On 02/15/2013 12:01 PM, Orion Poplawski wrote: I've been trying to track down any bugs I may have filed without success, but I'm pretty sure I tried at first adding a system user to LDAP groups and that not working unless the system user was in

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 03:46 PM, Simo Sorce wrote: This is an interesting use case, it would probably be appropriate to have a RFE filed to allow to create ipa users marked as 'non-person' so that they are not assigned the person objectclass. Yes, that addresses one large component of the problem. But

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 01:56 PM, John Dennis wrote: On 02/15/2013 03:46 PM, Simo Sorce wrote: This is an interesting use case, it would probably be appropriate to have a RFE filed to allow to create ipa users marked as 'non-person' so that they are not assigned the person objectclass. Yes, that

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 01:42 PM, John Dennis wrote: On 02/15/2013 02:23 PM, Orion Poplawski wrote: On 02/15/2013 12:01 PM, Orion Poplawski wrote: I've been trying to track down any bugs I may have filed without success, but I'm pretty sure I tried at first adding a system user to LDAP groups and that

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 03:57 PM, Orion Poplawski wrote: On 02/15/2013 01:56 PM, John Dennis wrote: On 02/15/2013 03:46 PM, Simo Sorce wrote: This is an interesting use case, it would probably be appropriate to have a RFE filed to allow to create ipa users marked as 'non-person' so that they are not

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Brian Cook
On Feb 15, 2013, at 1:02 PM, John Dennis jden...@redhat.com wrote: On 02/15/2013 03:57 PM, Orion Poplawski wrote: On 02/15/2013 01:56 PM, John Dennis wrote: On 02/15/2013 03:46 PM, Simo Sorce wrote: This is an interesting use case, it would probably be appropriate to have a RFE filed to

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 02:02 PM, John Dennis wrote: On 02/15/2013 03:57 PM, Orion Poplawski wrote: On 02/15/2013 01:56 PM, John Dennis wrote: On 02/15/2013 03:46 PM, Simo Sorce wrote: This is an interesting use case, it would probably be appropriate to have a RFE filed to allow to create ipa users

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Dmitri Pal
On 02/15/2013 03:46 PM, Simo Sorce wrote: On Fri, 2013-02-15 at 12:01 -0700, Orion Poplawski wrote: On 02/15/2013 11:49 AM, Rob Crittenden wrote: Another example is a backup user account that backup software logs in as. Also some accounts that own files and some services run as that are

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Lucas Yamanishi
On 02/15/2013 04:01 PM, Orion Poplawski wrote: On 02/15/2013 01:42 PM, John Dennis wrote: On 02/15/2013 02:23 PM, Orion Poplawski wrote: On 02/15/2013 12:01 PM, Orion Poplawski wrote: I've been trying to track down any bugs I may have filed without success, but I'm pretty sure I tried at

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 01:46 PM, Simo Sorce wrote: On Fri, 2013-02-15 at 12:01 -0700, Orion Poplawski wrote: What brought this up was the need to sync users from LDAP into another authentication system, and for that system we only wanted real human people to be listed. Also, we don't want these

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 04:16 PM, Orion Poplawski wrote: On 02/15/2013 02:02 PM, John Dennis wrote: On 02/15/2013 03:57 PM, Orion Poplawski wrote: On 02/15/2013 01:56 PM, John Dennis wrote: On 02/15/2013 03:46 PM, Simo Sorce wrote: This is an interesting use case, it would probably be appropriate to

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski wrote: Hmm, that is the filter in TB for me too, but: [15/Feb/2013:11:17:21 -0700] conn=931 op=1 SRCH base=ou=people,dc=nwra,dc=com scope=2

Re: [Freeipa-users] Non-human users

2013-02-15 Thread John Dennis
On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski wrote: Hmm, that is the filter in TB for me too, but: [15/Feb/2013:11:17:21 -0700] conn=931 op=1 SRCH base=ou=people,dc=nwra,dc=com scope=2

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Dmitri Pal
On 02/15/2013 05:12 PM, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski wrote: Hmm, that is the filter in TB for me too, but: [15/Feb/2013:11:17:21 -0700] conn=931 op=1 SRCH

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 03:12 PM, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: What happens if you set the TB filter to (objectclass=person)? Yup, then it adds it:
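The two points the thread converges on, syncing only real people to another authentication system (Orion's message above) and telling them apart by the `person` objectclass that IPA assigns to every user it creates (John's `(objectclass=person)` filter), are easy to check offline before trusting a sync job with them. The following Python is an added example written for this page; it is not code from the thread, from Thunderbird or from the FreeIPA project. It compiles the RFC 4515 filter subset the thread uses (`&`, `|`, `!`, equality, presence) into a predicate and runs it over three constructed entries: one shaped like an IPA-created user, and two hand-made system accounts that carry `posixaccount` but not `person`. The attribute sets on those entries are assumptions for illustration, not copied from any real directory.

```python
from typing import Callable, Dict, List, Tuple

# An LDAP entry as a dict of attribute name -> list of values (LDIF shape).
Entry = Dict[str, List[str]]
Predicate = Callable[[Entry], bool]


def _values(entry: Entry, attr: str) -> List[str]:
    """Case-insensitive attribute lookup; LDAP attribute names are not case-sensitive."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def parse_filter(text: str) -> Predicate:
    """Compile an RFC 4515 filter (subset: &, |, !, attr=value, attr=*) into a predicate."""
    text = text.strip()
    pred, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters in filter: {text[end:]!r}")
    return pred


def _parse(s: str, i: int) -> Tuple[Predicate, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i:i + 1]
    if op in ("&", "|"):
        # Empty AND is true and empty OR is false, as the RFC specifies.
        subs: List[Predicate] = []
        i += 1
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        if s[i:i + 1] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        combine = all if op == "&" else any
        return (lambda e, subs=subs, c=combine: c(p(e) for p in subs)), i + 1
    if op == "!":
        sub, i = _parse(s, i + 1)
        if s[i:i + 1] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (lambda e, sub=sub: not sub(e)), i + 1
    # Simple item: attr=value (case-insensitive match) or attr=* (presence).
    close = s.find(")", i)
    if close < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:close].partition("=")
    if not sep or not attr:
        raise ValueError(f"unsupported filter item: {s[i:close]!r}")
    if value == "*":
        return (lambda e, a=attr: bool(_values(e, a))), close + 1
    wanted = value.lower()
    return (lambda e, a=attr, w=wanted: any(v.lower() == w for v in _values(e, a))), close + 1


# Constructed sample entries (assumed attribute sets, not dumped from a live IPA).
SAMPLE_ENTRIES: List[Entry] = [
    {   # shaped like a user created through IPA: the person objectclass is present
        "uid": ["orion"],
        "sn": ["Poplawski"],
        "objectClass": ["top", "person", "organizationalperson", "inetorgperson",
                        "inetuser", "posixaccount", "krbprincipalaux", "ipaobject"],
    },
    {   # a backup account added by hand without the person objectclass
        "uid": ["backup"],
        "objectClass": ["top", "account", "simplesecurityobject", "posixaccount"],
    },
    {   # a daemon account that is posix-only
        "uid": ["apache"],
        "objectClass": ["top", "account", "posixaccount"],
    },
]


def select_for_sync(entries: List[Entry],
                    filter_text: str = "(objectclass=person)") -> List[str]:
    """Return the uids that match the filter, in directory order.

    The default filter is the one the thread lands on: only entries carrying the
    person objectclass are people and should reach the downstream auth system.
    """
    match = parse_filter(filter_text)
    return [_values(e, "uid")[0] for e in entries if match(e)]


if __name__ == "__main__":
    print("humans to sync:", select_for_sync(SAMPLE_ENTRIES))
    print("posix accounts that are not people:",
          select_for_sync(SAMPLE_ENTRIES,
                          "(&(objectclass=posixaccount)(!(objectclass=person)))"))
```

The second filter in the usage block is the complement a sync job would use to list what it deliberately leaves out; if the RFE Simo describes ever lands and users can be created without the `person` objectclass, the same two filters still partition the tree correctly, because the marker is the objectclass itself rather than a naming convention.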

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Simo Sorce
On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski wrote: Hmm, that is the filter in TB for me too, but: [15/Feb/2013:11:17:21 -0700] conn=931 op=1

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 04:03 PM, Simo Sorce wrote: On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski wrote: Hmm, that is the filter in TB for me too, but:

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 04:06 PM, Orion Poplawski wrote: On 02/15/2013 04:03 PM, Simo Sorce wrote: On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: Yup, then it adds it:

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Simo Sorce
On Fri, 2013-02-15 at 16:06 -0700, Orion Poplawski wrote: On 02/15/2013 04:03 PM, Simo Sorce wrote: On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Simo Sorce
On Fri, 2013-02-15 at 17:34 -0500, Dmitri Pal wrote: On 02/15/2013 05:12 PM, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski wrote: Hmm, that is the filter in TB for me too, but:

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Brian Cook
On Feb 15, 2013, at 3:11 PM, Simo Sorce s...@redhat.com wrote: On Fri, 2013-02-15 at 17:34 -0500, Dmitri Pal wrote: On 02/15/2013 05:12 PM, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski