[Freeipa-devel] command-line arguments
Pete Rowley
prowley at redhat.com
Fri Sep 7 17:30:45 UTC 2007
Simo Sorce wrote:
> On Fri, 2007-09-07 at 10:19 -0400, Rob Crittenden wrote:
>
>> Simo Sorce wrote:
>>
>>> On Fri, 2007-09-07 at 09:10 -0400, Rob Crittenden wrote:
>>>
>
>>>> - Should adding a user create a user-specific group?
>>>>
>>> I'd say no, users are created which are members of the default users
>>> group or another specified existing group.
>>>
>> Ok. So optionally prompt for group. The current XML-RPC side add user
>> code has a default group, how configurable should that be? Should the
>> group name go into /etc/ipa/ipa.conf?
>>
>
> No, I want to get rid of ipa.conf as soon as possible.
> We need to store information on LDAP, as it is the only way to replicate
> and update it. Anything on files is BAAAAAD :)
>
Yes, site-wide config goes in LDAP somewhere under cn=system.
>
>>>> - Can we set the shell?
>>>>
>>> We need a default of some sort, but I guess we should be able to set it.
>>>
>> Ok, should the default be configurable? And what should the default be,
>> /bin/sh?
>>
>
> I'd say the default should be /bin/nologin; not all users in an
> enterprise need shell access to some server, they may just need to auth
> against a mail server.
>
I think /bin/sh should be the default as it is likely linked to the
preferred site default shell anyway; we can have a specific option to
create a no login account. That way the most common task of creating a
new user account is the least work for the admin.
> But the shell thing is a big problem, and has always been.
> It is usually a user preference, and users should be able to have a
> different shell on different systems.
>
I don't think this problem is big, a little annoying if this is your
requirement, but not a big problem since the users can always arrange
for the correct shell to be loaded on login via other means.
> On some systems they should be forbidden to have a shell at all. Current
> practice of placing it in the user object sucks as it comes from the old
> days when /etc/passwd was on a single system.
>
>
That is a job for access control policy, not a shell setting.
>
>
>>>> - Do we create any directories?
>>>>
>>> IMO, no, where would you create them? The tool may even run on a PDA on
>>> the other side of the world at some point, and usually it runs on the
>>> admin workstation anyway.
>>> Should we instead configure pam_mkhomedir by default?
>>>
>> Right, I couldn't see how we'd create anything but I figure that
>> *something* would need to.
>>
>
> Yeah but should we install pam_mkhomedir by default? Current
> ipa-client-install does not do it.
>
>
If we can do it while having it make sense then that would be a good
thing - what are the corner cases here?
--
Pete