[Freeipa-users] IPA and UIDS <500

Stephen Gallagher sgallagh at redhat.com
Thu Jul 19 15:59:45 UTC 2012


On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
> Does this mean that it's impossible to have IPA authenticate the
> oracle user or any other user that is normally below 500?
> 
> Our security team is asking that we manage the passwords of oracle and
> other users centrally.  Can IPA do this for me?

It's not impossible, but it requires some mangling of your PAM stacks
in /etc/pam.d/*

That said, it's generally a bad idea to have passwords on users < 500.
It should not be possible to log into them at all, and instead you
should rely on granting (restricted) sudo privileges to real users
allowing them to impersonate the service user instead.

So instead of allowing people to log into the box as 'oracle', they
should log in as 'myusername' and then run 'sudo -u oracle <command>'.
This provides better auditing support as well, since you will always
know which real user modified your database configuration (rather than
trying to piece together who logged in as 'oracle' directly).
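The two practices in the reply above, as an added example that is not part of the original post or of FreeIPA itself: an audit that lists low-UID service accounts which can still be logged into directly (interactive shell or usable password hash), and a sudoers fragment that grants a real user's group restricted access to run commands as 'oracle'. The passwd/shadow entries are constructed sample data, the UID threshold of 500 follows the thread, and the `dba` group and the `/u01/app/oracle/bin/...` command paths are hypothetical.

```shell
#!/bin/sh
# Constructed sample passwd/shadow pairs (not from any real host). The
# 'oracle' account sits below UID 500, as in the thread.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
oracle:x:300:300:Oracle software owner:/home/oracle:/bin/bash
duncan:x:1000:1000:Duncan:/home/duncan:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$constructed$rootsalt:15500:0:99999:7:::
postgres:$6$constructed$pgsalt:15500:0:99999:7:::
apache:!!:15500:0:99999:7:::
dbus:*:15500:0:99999:7:::
oracle:!!:15500:0:99999:7:::
duncan:$6$constructed$dsalt:15500:0:99999:7:::
EOF

# Print "user:uid:reason" for every account whose UID is below $3 (root,
# UID 0, is skipped) that is still directly loginable: it has an
# interactive shell, or a password hash that is not locked ('!', '!!',
# '*' or empty). Such accounts are the ones the reply says should be
# reached only through sudo from a personal account.
audit_low_uid_accounts() {
    passwd_file=$1; shadow_file=$2; threshold=$3
    awk -F: -v max="$threshold" -v shadow="$shadow_file" '
        BEGIN {
            # Load hash field per user from the shadow file.
            while ((getline line < shadow) > 0) {
                split(line, f, ":"); pw[f[1]] = f[2]
            }
            close(shadow)
        }
        $3 == 0 || $3 >= max { next }
        {
            reason = ""
            if ($7 !~ /(nologin|false)$/) reason = "interactive-shell"
            h = pw[$1]
            if (h != "" && h !~ /^[!*]/)
                reason = (reason == "" ? "" : reason ",") "password-set"
            if (reason != "") print $1 ":" $3 ":" reason
        }' "$passwd_file"
}

# Hypothetical sudoers fragment: members of the 'dba' group may run only
# the listed commands as 'oracle'. Because they authenticate as
# themselves, sudo logs record which real user ran what. The commented
# rule shows the over-broad form to avoid (any command, no password).
restricted_sudoers_fragment() {
    cat <<'EOF'
# Too broad: any command as oracle, without re-authentication.
# %dba ALL=(oracle) NOPASSWD: ALL
Cmnd_Alias ORACLE_ADMIN = /u01/app/oracle/bin/sqlplus, /u01/app/oracle/bin/lsnrctl
%dba ALL=(oracle) ORACLE_ADMIN
EOF
}

# Syntax-check the fragment with visudo when it is installed; the file
# is written under /etc/sudoers.d/ by an administrator, never by this script.
check_sudoers_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        tmp=$(mktemp)
        restricted_sudoers_fragment > "$tmp"
        visudo -c -f "$tmp"; rc=$?
        rm -f "$tmp"
        return $rc
    fi
    echo "visudo not installed; syntax check skipped"
}

echo "== low-UID accounts that can still be logged into directly =="
audit_low_uid_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 500
echo "== restricted sudoers fragment =="
restricted_sudoers_fragment
check_sudoers_fragment
```

On a real host, point `audit_low_uid_accounts` at `/etc/passwd` and `/etc/shadow` (reading shadow needs root); each line it prints is an account that either needs its shell set to `/sbin/nologin`, its password locked, or both, with access re-granted through a rule like the fragment above.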