[Freeipa-devel] command-line arguments

Andrew C. Dingman adingman at redhat.com
Fri Sep 7 15:11:06 UTC 2007


On Fri, 2007-09-07 at 10:49 -0400, Simo Sorce wrote:
> Usually uidNumbers may have to be set for system accounts, but for user
> accounts??

In an ideal world, no. In the real world, it can smooth things out just
often enough that I wouldn't want the ability to go away. I wouldn't
mind if it were a bit of a pain, though, 'cause even in a large
environment it's a rare occurrence. Personally, as long as I can safely
make the change with ldapmodify on the new user and group, I don't feel
a need for a specific UI. If it's more complicated than that to pull
off, I do.

> And this opens another debate, should we have system services accounts
> in IPA?
> IMO no, for v1 at least they should stay local in /etc/passwd as
> unfortunately they are not at all standardized on all platforms and
> linux flavors.

Sounds reasonable to start with. System accounts aren't even the same
across an all-RHEL site, since some packages add their own.

There's an argument to be made that putting 'root' in the directory is a
good thing, since it lets you leave the account passwordless on the
local systems. That's nice if you have an admin leave and need to change
the password everywhere. If you do that, though, it would be good to
make the client installer remove the local root password so that the
system doesn't end up with two working credentials for root, one of
which will never get rotated. And, of course, whether having root in
both /etc/passwd and LDAP even works depends on your NSS
configuration. I'm afraid I haven't followed this project quite closely
enough to know how it would work with the rest of your infrastructure.
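As an added example (not part of this message and not FreeIPA code), the following POSIX shell script checks the two conditions raised above on constructed sample data: whether the local root entry in an /etc/shadow-style line still carries a usable password, which NSS sources the passwd database is served from, and what locking the local entry (the effect of `usermod -L root`) does to the shadow line. The sample shadow and nsswitch.conf lines are made up for the example; the "two working credentials" rule it applies (local hash or empty field present while a directory source is also configured) is an assumption of the example, not a statement of how the client installer behaves.

```shell
#!/bin/sh
# Added example, not from the FreeIPA project. All inputs below are constructed.

# Constructed /etc/shadow lines for root (not from any real host).
SHADOW_LOCKED='root:!:17416:0:99999:7:::'
SHADOW_HASHED='root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuv:17416:0:99999:7:::'
SHADOW_EMPTY='root::17416:0:99999:7:::'

# root_pw_state SHADOW_LINE -> prints "locked", "hash" or "empty".
# The second colon-separated field is the password field; a leading '!' or
# '*' means the account cannot authenticate with a local password.
root_pw_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo hash ;;
    esac
}

# passwd_sources NSSWITCH_LINE -> prints the source list of the passwd
# database, e.g. "files ldap" for the line "passwd: files ldap".
passwd_sources() {
    printf '%s\n' "$1" | sed -n 's/^passwd:[[:space:]]*//p'
}

# dual_root_creds NSSWITCH_LINE SHADOW_LINE -> "yes" when a directory source
# is configured for passwd AND the local root entry is still usable locally
# (a hash, or an empty field, which pam_unix accepts with nullok). Assumption
# of this example: that is the "two working credentials" situation.
dual_root_creds() {
    srcs=$(passwd_sources "$1")
    state=$(root_pw_state "$2")
    case " $srcs " in
        *' ldap '*) has_dir=1 ;;
        *)          has_dir=0 ;;
    esac
    if [ "$has_dir" -eq 1 ] && [ "$state" != locked ]; then
        echo yes
    else
        echo no
    fi
}

# lock_shadow_line SHADOW_LINE -> the same line with the password field
# prefixed by '!', which is what `usermod -L` does to lock an account
# without destroying the stored hash.
lock_shadow_line() {
    printf '%s\n' "$1" | awk -F: 'BEGIN { OFS=":" }
        { if ($2 !~ /^!/) $2 = "!" $2; print }'
}

# Stand-alone run over the constructed inputs.
for line in "$SHADOW_LOCKED" "$SHADOW_HASHED" "$SHADOW_EMPTY"; do
    printf 'local root: %-6s dual-creds with "files ldap": %s\n' \
        "$(root_pw_state "$line")" \
        "$(dual_root_creds 'passwd: files ldap' "$line")"
done
printf 'after lock: %s\n' "$(root_pw_state "$(lock_shadow_line "$SHADOW_HASHED")")"
```

On a real client the checks would read `/etc/shadow` and `/etc/nsswitch.conf` directly, and `getent passwd root` shows which source actually wins for lookups; a `files` entry listed first hides the directory entry from NSS even when PAM still binds to LDAP for authentication, which is why both the lookup order and the local password field have to be examined.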
