[Freeipa-users] IPA and UIDS <500
Simo Sorce
simo at redhat.com
Thu Jul 19 17:09:56 UTC 2012
On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote:
> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
> > Does this mean that it's impossible to have IPA authenticate the
> > oracle user or any other user that is normally below 500?
> >
> > Our security team is asking that we manage the passwords of oracle and
> > other users centrally. Can IPA do this for me?
>
> It's not impossible, but it requires some mangling of your PAM stacks
> in /etc/pam.d/*
>
> That said, it's generally a bad idea to have passwords on users < 500.
> It should not be possible to log into them at all, and instead you
> should rely on granting (restricted) sudo privileges to real users
> allowing them to impersonate the service user instead.
>
> So instead of allowing people to log into the box as 'oracle', they
> should log in as 'myusername' and then run 'sudo -u oracle <command>'.
> This provides better auditing support as well, since you will always
> know which real user modified your database configuration (rather than
> trying to piece together who logged in as 'oracle' directly).
Note you can also allow sudo -i which gives you an interactive shell
just like su - would, but you can control sudo configuration centrally.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list