[Freeipa-devel] webUI question

Simo Sorce ssorce at redhat.com
Tue Nov 13 16:11:16 UTC 2007


On Tue, 2007-11-13 at 10:55 -0500, Karl MacMillan wrote:
> On Tue, 2007-11-13 at 10:48 -0500, Simo Sorce wrote:
> > On Tue, 2007-11-13 at 10:34 -0500, Karl MacMillan wrote:
> > > On Tue, 2007-11-13 at 10:23 -0500, Simo Sorce wrote:
> > > > On Tue, 2007-11-13 at 10:10 -0500, Rob Crittenden wrote:
> > > > > We already store into cn=users, just the UI need to be updated. If 
> > > > > someone wants to file a trac for it I'll add it into the queue.
> > > > 
> > > > Ack
> > > > 
> > > > > Along those lines, should we be requiring e-mail address for users?
> > > > 
> > > > I think we should not. Some accounts are service accounts and have no
> > > > mail, and besides people may not want to store this information here, or
> > > > may want to have someone (IT vs HR) else deal with it and requiring it
> > > > at creation would make it difficult.
> > > > 
> > > 
> > > As far as that goes, I think that as few required fields as possible is
> > > good. And for service accounts, we don't want a password, right?
> > > Just /sbin/nologin as a shell?
> > 
> > What password?
> > The service will have its own kerberos password of course.
> 
> Hmmm - not certain about of course. What about services that don't need
> a keytab? We could just let those traditional daemon accounts be local
> accounts, but I wasn't certain what the best practice was there.

We can't make them in ldap at this stage as they may require different
fixed UID/GIDs on different distributions. For v1 we don't touch
anything below UID 500.

In any case for services that do not need a keytab you simply don't want
to have a krbPrincipalName at all. To do that we will need explicit
support in our tools. At this moment all accounts are created as
kerberos accounts.

Simo.