Hello, I want to create an IPA "system" account that will be able to enroll clients (nothing else). There was a discussion (around 2016) but it looks like it is not relevant to FreeIPA 4.5. Also, I cannot find anything in Red Hat's KB.
So, what is the correct way to create a system account that will join hosts to the IdM domain?
Peter Tselios via FreeIPA-users wrote:
> Hello, I want to create an IPA "system" account that will be able to enroll clients (nothing else). There was a discussion (around 2016) but it looks like it is not relevant to FreeIPA 4.5. Also, I cannot find anything in Red Hat's KB.
> So, what is the correct way to create a system account that will join hosts to the IdM domain?
Adding a role to a system account is not directly supported yet. You can fudge it by manually adding a memberOf to the entry pointing to the role you want it to be a member of using ldapmodify.
There are generic sysaccount creation instructions on the freeIPA wiki.
rob
Satellite/Katello has a script that automates the whole process of creating a user that will manage the hosts. I haven't tried that yet, but I will return when I have more data.
On Tue, 17 Jul 2018, Peter Tselios via FreeIPA-users wrote:
> Satellite/Katello has a script that automates the whole process of creating a user that will manage the hosts. I haven't tried that yet, but I will return when I have more data.
Then you are using the wrong term and getting a response based on what you asked. A 'system account' is something that is not managed by FreeIPA: an account used for a plain LDAP bind rather than for any administrative work you do in FreeIPA.
If you need a user that can perform certain operations within the IPA framework (like enrolling hosts), just create that user, assign the needed permissions and use it.
In FreeIPA 4.7 you will be able to do that with services too, as services will be available as group members and thus can be added to permissions/privileges/roles.
Thank you for your answer Alexander. To be honest, I am not sure I liked the Katello/Satellite solution but from your answer I understand that the intention is to use IPA users for IPA operations, correct?
On Tue, 24 Jul 2018, Peter Tselios via FreeIPA-users wrote:
> Thank you for your answer Alexander. To be honest, I am not sure I liked the Katello/Satellite solution but from your answer I understand that the intention is to use IPA users for IPA operations, correct?
That's how it was designed in the first place, so the rest of the IPA stack assumes it. For pure IPA API access, services are OK as long as you are able to assign them the privileges to do so (in 4.7.0 and later).
For anything that requires HBAC checks, you have to deal with POSIX context right now and thus these actors have to be POSIX users/groups.
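The approach Alexander describes (a regular IPA user carrying only the privileges it needs) written out with FreeIPA's own CLI, as an added example that is not part of the thread. It assumes an admin Kerberos ticket is already held (kinit admin) and uses the built-in "Host Enrollment" privilege; the user name, role name and the IPA variable (so a test can swap in a command recorder) are constructed for this example.

```shell
#!/bin/sh
# Least-privilege host-enrollment account for FreeIPA (added example).
# Steps: create an ordinary IPA user, create a dedicated role that carries
# only the built-in "Host Enrollment" privilege, and make the user a member
# of that role. The account can then be used with
#   ipa-client-install --principal=<user> --password=<generated password>
# but cannot do anything else in IPA, because it holds no other privilege.
# Assumption: a valid admin ticket (kinit admin) is present.
# IPA defaults to the real ipa binary; a test can override it to record calls.
IPA="${IPA:-ipa}"

create_enrollment_account() {
    user="$1"   # constructed name, e.g. hostenroll
    role="$2"   # constructed role name

    # Plain IPA user with a generated password (printed by --random) and no
    # interactive login shell, since it only ever talks to the IPA API.
    $IPA user-add "$user" --first=Host --last=Enrollment \
        --shell=/sbin/nologin --random || return 1

    # A role of our own, so the account does not inherit the wider
    # "Enrollment Administrator" default role's future changes.
    $IPA role-add "$role" --desc="May enroll hosts and nothing else" || return 1

    # "Host Enrollment" is a privilege that ships with FreeIPA and bundles the
    # permissions needed to add hosts and manage enrollment passwords.
    $IPA role-add-privilege "$role" --privileges="Host Enrollment" || return 1

    # Membership in the role is what grants the privilege to the user.
    $IPA role-add-member "$role" --users="$user" || return 1
}

# Review helper: show what the role actually grants, so the scope can be
# checked against the intent (only the one privilege, only the one member).
show_enrollment_role() {
    $IPA role-show "$1" --all
}

# Run directly: create the account. Sourced by a test: just define functions.
case "$0" in
    *enrollment*) create_enrollment_account hostenroll "Host Enrollment Only" ;;
esac
```

Check the result with `ipa role-show "Host Enrollment Only" --all`: the output should list exactly one privilege and one member user.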
freeipa-users@lists.fedorahosted.org