Re: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?
Hi Rob and all,

The ipa-managed-entries command is not available on the freeIPA 2.1.3 version that comes with Redhat 6.2. Are there any other comparable ways to disable private user groups generation at global/system wide, instead of the '--noprivate' option to 'ups user-add', which is user by user?

Thanks a lot.

--David

From: Rob Crittenden rcrit...@redhat.com
To: David Copperfield cao2...@yahoo.com
Cc: Petr Spacek pspa...@redhat.com; freeipa-users@redhat.com freeipa-users@redhat.com
Sent: Wednesday, May 9, 2012 10:08 AM
Subject: Re: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?

David Copperfield wrote:
> Hi Petr and all,
>
> Thanks for your reply. After the automatic creation of the private user group is turned off, does the user creation Web page still show the GID field? and pre-filled with the same number (or the next available GID) as the UID number? or the field is completely disappeared?
>
> Thanks.

Disabling UPG has no effect on what appears in the UI or CLI. The assignment is done on the server.

If either of the UID or GID number is not provided one is assigned. In the case of GID if one is not provided and UPG is enabled then it gets assigned the same value as the UID, otherwise it gets the GID of the default users group if it is POSIX. If it is not POSIX the creation request is denied. In 2.2 anyway. In 2.1.3 it may well allow it and try to create a user with no GID (which should fail).

rob

> --David
>
> *From:* Petr Spacek pspa...@redhat.com
> *To:* freeipa-users@redhat.com
> *Sent:* Wednesday, May 9, 2012 4:02 AM
> *Subject:* Re: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?
>
> On 05/08/2012 03:29 PM, Rob Crittenden wrote:
>> David Copperfield wrote:
>>> Hi folks,
>>>
>>> Is there any way to turn off IPA automatic creation of private user group? We use a common user group like ‘nis-wheel’, and completely disabled private groups in openldap before migration.
>>
>> If you disable private groups then the primary group of users is going to be the default IPA users group. This group will need to be POSIX. If it isn't you can promote it with:
>>
>> $ ipa group-mod --posix ipausers
>>
>> To disable private groups run:
>>
>> $ ipa-managed-entries disable -e 'UPG Definition'
>>
>> rob
>
> For record Google:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#user-private-groups
>
> Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?
David Copperfield wrote:
> Hi Rob and all,
>
> The ipa-managed-entries command is not available on the freeIPA 2.1.3 version that comes with Redhat 6.2. Are there any other comparable ways to disable private user groups generation at global/system wide, instead of the '--noprivate' option to 'ups user-add', which is user by user?
>
> Thanks a lot.

Yes, I sent you this yesterday privately:

Ah, right, the 2.1.3 in RHEL 6.2 didn't ship this tool. You'll need to use ldapmodify to disable the plugin, something like:

$ kinit admin
$ ldapmodify -Y GSSAPI
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
changetype: modify
replace: originfilter
originfilter: (objectclass=disabled)

Or you can delete the entry cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX

where $SUFFIX is your basedn.

rob
Re: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?
David Copperfield wrote:
> Hi folks,
>
> Is there any way to turn off IPA automatic creation of private user group? We use a common user group like ‘nis-wheel’, and completely disabled private groups in openldap before migration.

If you disable private groups then the primary group of users is going to be the default IPA users group. This group will need to be POSIX. If it isn't you can promote it with:

$ ipa group-mod --posix ipausers

To disable private groups run:

$ ipa-managed-entries disable -e 'UPG Definition'

rob
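
Added example, not part of the thread and not FreeIPA's own code: a shell script that combines the ldapmodify change Rob gives for 2.1.3 with the check, from his other replies, that the default users group is POSIX before UPG is switched off. The group DN under cn=groups,cn=accounts, the function names, the --apply switch and the sample entries are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not code from the thread. SUFFIX is your base DN.
# Assumption: the default users group is cn=ipausers under cn=groups,cn=accounts.

upg_dn()   { printf 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,%s' "$1"; }
group_dn() { printf 'cn=ipausers,cn=groups,cn=accounts,%s' "$1"; }

# LDIF from Rob's message: replace originfilter with the "disabled" filter.
upg_disable_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: originfilter\noriginfilter: (objectclass=disabled)\n' "$(upg_dn "$1")"
}

# Read one LDIF entry on stdin; succeed only if it is a POSIX group with a GID.
is_posix_group() {
    local entry; entry=$(cat)
    printf '%s\n' "$entry" | grep -qi '^objectClass: *posixGroup *$' &&
    printf '%s\n' "$entry" | grep -qiE '^gidNumber: *[0-9]+ *$'
}

# Read the UPG Definition entry on stdin; succeed if the disabled filter is set.
upg_is_disabled() {
    grep -qi '^originfilter: *(objectclass=disabled) *$'
}

# Live run against the directory; needs a ticket from `kinit admin` first.
apply_change() {
    local suffix=$1
    ldapsearch -Q -LLL -Y GSSAPI -s base -b "$(group_dn "$suffix")" objectClass gidNumber |
        is_posix_group || { echo "ipausers is not POSIX; run: ipa group-mod --posix ipausers" >&2; return 1; }
    upg_disable_ldif "$suffix" | ldapmodify -Q -Y GSSAPI || return 1
    # Read the entry back and confirm the change took effect.
    ldapsearch -Q -LLL -Y GSSAPI -s base -b "$(upg_dn "$suffix")" originfilter | upg_is_disabled
}

# Constructed sample entries for checking the predicates offline.
SAMPLE_POSIX='dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupofnames
objectClass: posixgroup
gidNumber: 1234500001'
SAMPLE_NONPOSIX='dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupofnames'

# Nothing touches the directory unless --apply and a suffix are given.
if [ "${1:-}" = "--apply" ]; then apply_change "$2"; fi
```

Run it as `./script --apply dc=example,dc=com` after `kinit admin`; it stops before the modify if the default group has no posixGroup class or gidNumber.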