[Freeipa-devel] command-line arguments

Andrew C. Dingman adingman at redhat.com
Fri Sep 7 15:42:21 UTC 2007


On Fri, 2007-09-07 at 11:27 -0400, Simo Sorce wrote:
> On Fri, 2007-09-07 at 11:11 -0400, Andrew C. Dingman wrote:
> > On Fri, 2007-09-07 at 10:49 -0400, Simo Sorce wrote:
> > > Usually uidNumbers may have to be set for system accounts, but for user
> > > accounts??
> > 
> > In an ideal world, no. In the real world, it can smooth things out just
> > often enough that I wouldn't want the ability to go away. I wouldn't
> > mind if it were a bit of a pain, though, 'cause even in a large
> > environment it's a rare occurrence. Personally, as long as I can safely
> > make the change with ldapmodify on the new user and group, I don't feel
> > a need for a specific UI. If it's more complicated than that to pull
> > off, I do.
> 
> ldapmodify will do it, so I vote for not letting the admin specify the
> uidNumber in the current tools.

As long as it's that simple, so do I.

> > There's an argument to be made that putting 'root' in the directory is a
> > good thing, since it lets you leave the account passwordless on the
> > local systems. That's nice if you have an admin leave and need to change
> > the password everywhere.
> 
> It makes it also impossible to take the system out or to log in when the
> network is down for system maintenance. Until we have offline support I
> would not do this.

Single-user mode gets around this pretty easily, and it's pretty well a
given that going into runlevel one doesn't disrupt the clients when the
network is already down.

> Also, having a single per-site password would make for a very bad
> situation when the password is compromised (you have access as root on
> _all_ the machines at that point).

True.

> Also, it makes it impossible for users to join the machine and keep
> control of it themselves. In some enterprises that is not wanted, but in
> many R&D departments that's a necessity.

Sudo solves many problems, including this one. In fact, I run a number
of my machines with no root password and all administration done through
sudo. The FDA auditors loved that.

> No plan to move root into IPA for now,

Probably at best too complicated for v1

> Ah, and now that I think of it, I am going to make sure our conf does
> not allow one to "see" uids lower than 500 (or we risk disrupting local
> accounts and root) for IPAv1.

Makes sense to me.
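The "don't expose uids lower than 500" rule from the end of the thread, worked through as an added example that is not part of this message or of FreeIPA's code. It models the NSS-side filter and shows, on constructed sample data, what the filter protects against: a directory entry whose uidNumber collides with a local system account, or a directory "root" shadowing the local one. The threshold constant, the sample passwd lines and the sample directory entries are all assumptions made up for the illustration.

```python
"""Audit directory-sourced POSIX accounts against local accounts.

Constructed illustration (not FreeIPA code) of the list's rule that the
NSS configuration must not "see" directory uids below 500, and of the
collisions with local accounts that the rule prevents.
"""

# Threshold taken from the thread; an assumption for this example only.
MIN_DIRECTORY_UID = 500

# Constructed sample of a client's local /etc/passwd.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""

# Constructed sample of posixAccount entries as a directory search might return them.
DIRECTORY_ENTRIES = [
    {"uid": "alice",  "uidNumber": "1001", "gidNumber": "1001"},
    {"uid": "backup", "uidNumber": "48",   "gidNumber": "48"},    # same uidNumber as local apache
    {"uid": "root",   "uidNumber": "0",    "gidNumber": "0"},     # root placed in the directory
    {"uid": "bob",    "uidNumber": "1002", "gidNumber": "1002"},
]


def parse_passwd(text):
    """Return {uid_number: username} from passwd-format text, skipping malformed lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        accounts[int(fields[2])] = fields[0]
    return accounts


def visible_entries(entries, min_uid=MIN_DIRECTORY_UID):
    """Apply the NSS-side filter: hide any directory entry whose uidNumber is below min_uid."""
    return [e for e in entries if int(e["uidNumber"]) >= min_uid]


def find_conflicts(entries, local_passwd_text, min_uid=MIN_DIRECTORY_UID):
    """Explain, per offending entry, why it must not be exposed to NSS on this client.

    Returns a list of dicts: {"name", "uidNumber", "reason"}.
    """
    local = parse_passwd(local_passwd_text)
    local_names = set(local.values())
    findings = []
    for entry in entries:
        name = entry["uid"]
        uid = int(entry["uidNumber"])
        if uid < min_uid:
            findings.append({"name": name, "uidNumber": uid,
                             "reason": "uidNumber below minimum; hidden by the NSS filter"})
        if uid in local and local[uid] != name:
            findings.append({"name": name, "uidNumber": uid,
                             "reason": f"uidNumber collides with local account {local[uid]!r}"})
        if name in local_names:
            findings.append({"name": name, "uidNumber": uid,
                             "reason": "account name already exists locally; directory entry would shadow it"})
    return findings


if __name__ == "__main__":
    print("visible to NSS:", [e["uid"] for e in visible_entries(DIRECTORY_ENTRIES)])
    for f in find_conflicts(DIRECTORY_ENTRIES, LOCAL_PASSWD):
        print(f"{f['name']} (uid {f['uidNumber']}): {f['reason']}")
```

Running it shows only alice and bob reaching NSS, while "backup" is flagged twice (below the minimum, and sharing uid 48 with the local apache account) and the directory "root" is flagged twice (below the minimum, and shadowing the local root). The same check is a useful audit to run before lowering the threshold on any client.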