[Freeipa-devel] command-line arguments
Andrew C. Dingman
adingman at redhat.com
Fri Sep 7 15:42:21 UTC 2007
On Fri, 2007-09-07 at 11:27 -0400, Simo Sorce wrote:
> On Fri, 2007-09-07 at 11:11 -0400, Andrew C. Dingman wrote:
> > On Fri, 2007-09-07 at 10:49 -0400, Simo Sorce wrote:
> > > Usually uidNumbers may have to be set for system accounts, but for user
> > > accounts??
> >
> > In an ideal world, no. In the real world, it can smooth things out just
> > often enough that I wouldn't want the ability to go away. I wouldn't
> > mind if it were a bit of a pain, though, 'cause even in a large
> > environment it's a rare occurrence. Personally, as long as I can safely
> > make the change with ldapmodify on the new user and group, I don't feel
> > a need for a specific UI. If it's more complicated than that to pull
> > off, I do.
>
> ldapmodify will do it, so I vote for not letting the admin specify the
> uidNumber in the current tools.
As long as it's that simple, so do I.
> > There's an argument to be made that putting 'root' in the directory is a
> > good thing, since it lets you leave the account passwordless on the
> > local systems. That's nice if you have an admin leave and need to change
> > the password everywhere.
>
> It also makes it impossible to take the system out or to log in when the
> network is down for system maintenance. Until we have offline support I
> would not do this.
Single-user mode gets around this pretty easily, and it's pretty well a
given that going into runlevel one doesn't disrupt the clients when the
network is already down.
> Also, having a single per-site password would make for a very bad
> situation when the password is compromised (you have access as root on
> _all_ the machines at that point).
True
> Also, it makes it impossible for users to join the machine and keep
> control of it themselves. In some enterprises that is not wanted, but in
> many R&D departments that's a necessity.
Sudo solves many problems, including this one. In fact, I run a number
of my machines with no root password and all administration done through
sudo. The FDA auditors loved that.
> No plan to move root into IPA for now,
Probably at best too complicated for v1
> ah, and now that I think of it, I am going to make sure our conf does
> not allow clients to "see" uids lower than 500 (or we risk disrupting
> local accounts and root) for IPAv1
Makes sense to me
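The "don't see uids lower than 500" rule discussed just above, as an added example that is not part of the thread or of FreeIPA's own code: a small Python check that applies the cut-off to directory entries and then reports which of the remaining entries would still clash with local accounts by login name or by uid. The sample passwd lines, the directory entries and the treatment of 500 as the first visible uid are assumptions made for the example.

```python
"""Apply a minimum uidNumber to directory users and flag clashes with local
accounts. Added example for this thread, not FreeIPA code; sample data is constructed."""

MIN_VISIBLE_UID = 500  # cut-off from the thread: uids below it stay invisible (assumed exclusive)

# Constructed local account file (/etc/passwd-style lines).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
localadmin:x:501:501:Local Admin:/home/localadmin:/bin/bash
"""

# Constructed directory entries as a client would receive them ("uid" is the login name).
DIRECTORY_USERS = [
    {"uid": "root", "uidNumber": 0},            # a 'root' entry kept in the directory
    {"uid": "svc-backup", "uidNumber": 48},     # system account reusing apache's uid
    {"uid": "alice", "uidNumber": 1000},
    {"uid": "localadmin", "uidNumber": 1001},   # login name also exists locally
    {"uid": "bob", "uidNumber": 501},           # uid also used by a local account
]


def parse_passwd(text):
    """Return {login: uid} from passwd-format lines, skipping blanks and comments."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        accounts[fields[0]] = int(fields[2])
    return accounts


def visible_users(entries, min_uid=MIN_VISIBLE_UID):
    """Keep only entries the client is allowed to 'see' (uidNumber >= min_uid)."""
    return [e for e in entries if e["uidNumber"] >= min_uid]


def find_clashes(entries, local_accounts):
    """Return (directory login, clash kind, local login) for every overlap found."""
    local_by_uid = {uid: name for name, uid in local_accounts.items()}
    clashes = []
    for e in entries:
        if e["uid"] in local_accounts:                # same login name on both sides
            clashes.append((e["uid"], "name", e["uid"]))
        if e["uidNumber"] in local_by_uid:            # same numeric uid on both sides
            clashes.append((e["uid"], "uidNumber", local_by_uid[e["uidNumber"]]))
    return clashes
```

Running `find_clashes` before and after `visible_users` shows what the cut-off buys: the root and uid-48 overlaps disappear, while a login-name clash with a local account above 500 is not covered by the uid filter alone.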