[Freeipa-devel] command-line arguments

Pete Rowley prowley at redhat.com
Fri Sep 7 17:30:45 UTC 2007


Simo Sorce wrote:
> On Fri, 2007-09-07 at 10:19 -0400, Rob Crittenden wrote:
>   
>> Simo Sorce wrote:
>>     
>>> On Fri, 2007-09-07 at 09:10 -0400, Rob Crittenden wrote:
>>>       
>   
>>>> - Should adding a user create a user-specific group?
>>>>         
>>> I'd say no, users are created which are members of the default users
>>> group or another specified existing group.
>>>       
>> Ok. So optionally prompt for group. The current XML-RPC side add user 
>> code has a default group, how configurable should that be? Should the 
>> group name go into /etc/ipa/ipa.conf?
>>     
>
> No, I want to get rid of ipa.conf as soon as possible.
> We need to store information on LDAP, as it is the only way to replicate
> and update it. Anything on files is BAAAAAD :)
>   
Yes, site-wide config goes in LDAP somewhere under cn=system.
>   
>>>> - Can we set the shell?
>>>>         
>>> We need a default of some sort, but I guess we should be able to set it.
>>>       
>> Ok, should the default be configurable? And what should the default be, 
>> /bin/sh?
>>     
>
> I'd say the default should be /bin/nologin; not all users in an
> enterprise need shell access to some server, they may just need to auth
> against a mail server.
>   
I think /bin/sh should be the default as it is likely linked to the
preferred site default shell anyway; we can have a specific option to
create a no login account. That way the most common task of creating a
new user account is the least work for the admin.
> But the shell thing is a big problem, and has always been.
> It is usually a user preference, and users should be able to have a
> different shell on different systems.
>   
I don't think this problem is big, a little annoying if this is your 
requirement, but not a big problem since the users can always arrange 
for the correct shell to be loaded on login via other means.
> On some systems they should be forbidden to have a shell at all. Current
> practice of placing it in the user object sucks as it comes from the old
> days when /etc/passwd was on a single system.
>
>   
That is a job for access control policy, not a shell setting.

>
>   
>>>> - Do we create any directories?
>>>>         
>>> IMO, no, where would you create them? The tool may even run on a PDA on
>>> the other side of the world at some point, and usually it runs on the
>>> admin workstation anyway.
>>> Should we instead configure pam_mkhomedir by default?
>>>       
>> Right, I couldn't see how we'd create anything but I figure that 
>> *something* would need to.
>>     
>
> Yeah but should we install pam_mkhomedir by default? Current
> ipa-client-install does not do it.
>
>   
If we can do it while having it make sense then that would be a good 
thing - what are the corner cases here?

-- 
Pete
