Schrock, Chad - 0336 - MITLL via FreeIPA-users wrote:
>
> Hi --
>
> We have been using IdM/FreeIPA for a while, and as these things tend to
> happen, we have a process to create “service accounts” in the domain
> that is quite cumbersome and was what “just worked” at the time so it is
> what we have been doing. Currently using IdM/FreeIPA 4.9.13 on RHEL 8.10.
>
> (When I say “service accounts” I mean an account that an application
> would use to bind to the LDAP domain, read records, and do something
> like allow the user to use the application.)
>
> What is the ‘suggested’ or preferred method to create this kind of user
> in IdM? Is “system account” the better name?
>
> I found:
>
>   * https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/44Z4ANXQYKRNTEVNL35BK27X7Q67RVDQ/
>   * https://www.freeipa.org/page/HowTo/LDAP
>   * https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/2MBVML4L7OCM77VXXX5PQGFLAGGXGDSL/
>   * https://github.com/noahbliss/freeipa-sam
>
> Which all seem good, especially freeipa-sam. But they are also all
> pretty old.

I guess I'd prefer system accounts to de-duplicate "services".

So the howto is old but wise I suppose. I've never used freeipa-sam but
it seems reasonable enough. Since the underlying creation of system
accounts hasn't changed in forever it should continue working.

The trick with these system accounts is they have limited read
capabilities and zero write. There is also no API to add them to roles
to give them those rights. It is pretty easy if you know your way
around ldapmodify to add them to a role. Just add member:<sysaccount dn>
to a role and that should do it.

After the mod an ldapsearch should show them as memberof permissions,
privileges, etc.

If you set the password expiration date to 0 then it will never expire.
Assuming you're ok with passwords that never expire that is.

You'll get no advance warning on them though which is why I think some
folks do it that way. Otherwise it will expire on <insert major holiday
weekend eve>.

We have an RFE to not have to jump through these hoops but it's very low on
the priority list.

rob
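As an added example (not code from this thread or from the FreeIPA project): the LDIF for the `member:` add described above, plus a small reader for the follow-up ldapsearch output that groups the account's memberOf values into roles, privileges and permissions. It assumes the HowTo/LDAP layout (system accounts under cn=sysaccounts,cn=etc, roles under cn=roles,cn=accounts) and a placeholder suffix dc=example,dc=test; the ldapsearch output at the bottom is constructed, not captured from a server.

```python
import base64

SUFFIX = "dc=example,dc=test"  # assumed base DN; replace with your realm's suffix

def sysaccount_dn(uid, suffix=SUFFIX):
    # HowTo/LDAP layout: system accounts live under cn=sysaccounts,cn=etc
    return f"uid={uid},cn=sysaccounts,cn=etc,{suffix}"

def role_dn(role, suffix=SUFFIX):
    return f"cn={role},cn=roles,cn=accounts,{suffix}"  # FreeIPA role container

def add_member_ldif(role, uid, suffix=SUFFIX):
    """LDIF to feed to 'ldapmodify -Y GSSAPI' (with an admin ticket): adds
    member: <sysaccount dn> to the role, as described in the reply above."""
    return (f"dn: {role_dn(role, suffix)}\nchangetype: modify\n"
            f"add: member\nmember: {sysaccount_dn(uid, suffix)}\n")

def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: unfolds continuation lines and
    decodes '::' base64 values. Returns {attribute (lowercased): [values]}."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # folded continuation line
        elif line and not line.startswith("#"):
            lines.append(line)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs

def memberof_by_type(search_output):
    """Group the account's memberOf DNs by container; after the role add,
    ldapsearch on the system account should show all three kinds."""
    groups = {"roles": [], "privileges": [], "permissions": []}
    for dn in parse_ldif_entry(search_output).get("memberof", []):
        for kind in groups:
            if f",cn={kind}," in dn.lower():
                groups[kind].append(dn)
    return groups

# Constructed ldapsearch output (not a real response); one folded line and one
# base64 value exercise the parser.
SAMPLE_SEARCH = ("dn: uid=app-bind,cn=sysaccounts,cn=etc,dc=example,dc=test\n"
    "memberOf: cn=helpdesk,cn=roles,cn=accounts,dc=example,dc=test\n"
    "memberOf: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=exampl\n"
    " e,dc=test\nmemberOf:: " + base64.b64encode(
    b"cn=System: Reset User passwords,cn=permissions,cn=pbac,dc=example,dc=test").decode() + "\n")
```

Run `ldapsearch -Y GSSAPI -b "$(sysaccount_dn uid)" memberOf` after the modify and pass its output to `memberof_by_type` to confirm the role, privileges and permissions all appear.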


>
> Thanks,
>
> Chad
>
> --
>
> Chad Schrock, he/him
>
> Supporting MIT Lincoln Laboratory, Lexington, MA
>
> chad.schr...@ll.mit.edu

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue