[Freeipa-devel] command-line arguments

Simo Sorce ssorce at redhat.com
Fri Sep 7 14:47:23 UTC 2007


On Fri, 2007-09-07 at 10:19 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Fri, 2007-09-07 at 09:10 -0400, Rob Crittenden wrote:

> >> - Will we allow the password to be set?
> > Why not? You would have to go another step to set it if you don't allow
> > it here.
> 
> Right, I'm just not sure how, once I have the password, to set it in 
> Kerberos. What do I need to call to get the right things set?

You do a password change after the user has been created using the
passwd ext op; our slapi module will take care of anything else.

> >> - Should adding a user create a user-specific group?
> > I'd say no, users are created which are members of the default users
> > group or another specified existing group.
> 
> Ok. So optionally prompt for group. The current XML-RPC side add user 
> code has a default group, how configurable should that be? Should the 
> group name go into /etc/ipa/ipa.conf?

No, I want to get rid of ipa.conf as soon as possible.
We need to store information on LDAP, as it is the only way to replicate
and update it. Anything on files is BAAAAAD :)

> >> - Can we set the shell?
> > We need a default of some sort, but I guess we should be able to set it.
> 
> Ok, should the default be configurable? And what should the default be, 
> /bin/sh?

I'd say the default should be /bin/nologin; not all users in an
enterprise need shell access to some server, they may just need to auth
against a mail server.
But the shell thing is a big problem, and has always been.
It is usually a user preference, and users should be able to have a
different shell on different systems.
On some systems they should be forbidden to have a shell at all. Current
practice of placing it in the user object sucks as it comes from the old
days when /etc/passwd was on a single system.

I'd like to address this somehow for IPAv2, currently I am open to
suggestions.

> >> - Can we override the uidNumber?
> > IMO, we shouldn't; is there any reason why an admin should specify a
> > uidNumber on creation?
> 
> I dunno, it's why I asked :-)

I say that if admins really want to mess with the system they go and
change it in LDAP later; we should send no uidNumber at all and have DNA
come up with it.

> >> - Do we create any directories?
> > IMO, no. Where would you create them? The tool may even run on a PDA on
> > the other side of the world at some point, and usually it runs on the
> > admin workstation anyway.
> > Should we instead configure pam_mkhomedir by default?
> 
> Right, I couldn't see how we'd create anything but I figure that 
> *something* would need to.

Yeah, but should we install pam_mkhomedir by default? Current
ipa-client-install does not do it.

> >> And for the tools in general, do we want an interactive mode?
> > 
> > IMO, yes.
> 
> Ok. The libuser commands seem to have an interactive mode but they don't 
> seem to work on F7 for me:

Honestly I'd abstain from using libuser as a model :)

> # luseradd --interactive foo
> #
> # grep foo /etc/passwd
> foo:x:502:502:foo:/home/foo:/bin/bash
> 
> Not very interactive :-)

Heh.

Simo.