[Freeipa-users] IPA and UIDS <500

Dmitri Pal dpal at redhat.com
Thu Jul 19 21:20:45 UTC 2012


On 07/19/2012 05:00 PM, Steven Jones wrote:
> So,
>
> I am trying to do just this but failing,
>
> So rather than,
>
> ipa sudorule-add-allow-command --sudocmds "/bin/su - banner" 
>
> then,
>
> ipa sudorule-add-allow-command --sudocmds "/bin/sudo  -i banner" 
>

'banner' should not be part of the command. It should be put into the
run-as user if this is an IPA-managed user, or into the external run-as user
if this user is not managed by IPA but is defined on the local system.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Simo Sorce [simo at redhat.com]
> Sent: Friday, 20 July 2012 5:09 a.m.
> To: Stephen Gallagher
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA and UIDS <500
>
> On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote:
>> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
>>> Does this mean that it's impossible to have IPA authenticate the
>>> oracle user or any other user that is normally below 500?
>>>
>>> Our security team is asking that we manage the passwords of oracle and
>>> other users centrally.  Can IPA do this for me?
>> It's not impossible, but it requires some mangling of your PAM stacks
>> in /etc/pam.d/*
>>
>> That said, it's generally a bad idea to have passwords on users < 500.
>> It should not be possible to log into them at all, and instead you
>> should rely on granting (restricted) sudo privileges to real users
>> allowing them to impersonate the service user instead.
>>
>> So instead of allowing people to log into the box as 'oracle', they
>> should log in as 'myusername' and then run 'sudo -u oracle <command>'.
>> This provides better auditing support as well, since you will always
>> know which real user modified your database configuration (rather than
>> trying to piece together who logged in as 'oracle' directly).
> Note you can also allow sudo -i which gives you an interactive shell
> just like su - would, but you can control sudo configuration centrally.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
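The rule Dmitri describes, as an added shell example that is not part of the thread: the service account is set as the rule's run-as user and the command list holds only the commands the admins may run. The rule, group, host group and command names are placeholders; the sub-commands are the standard ipa sudorule-* ones, and the note that an unknown run-as account is stored as an external run-as user is an assumption about IPA's handling.

```shell
#!/bin/sh
# Added example, not from the thread: builds the IPA sudo rule Dmitri
# describes. The service account goes in the rule's run-as user; the
# command list holds only the commands the admins may run.
# Rule, group, host group and command names are placeholders.
set -eu

RULE=${RULE:-oracle_admins}
ADMIN_GROUP=${ADMIN_GROUP:-dbadmins}
HOSTGROUP=${HOSTGROUP:-oracle-servers}
RUNAS_USER=${RUNAS_USER:-oracle}
# Default is a dry run that prints the ipa commands; set DRY_RUN= on a
# host with an admin Kerberos ticket to actually apply them.
DRY_RUN=${DRY_RUN:-1}

run_ipa() {
    if [ -n "$DRY_RUN" ]; then printf 'ipa %s\n' "$*"; else ipa "$@"; fi
}

# Guard against the mistake in the thread: the run-as account must not be
# baked into the command string ("/bin/su - oracle", "/bin/sudo -i oracle").
check_command() {
    case " $1 " in
        *" $RUNAS_USER "*)
            echo "refusing '$1': set run-as with sudorule-add-runasuser" >&2
            return 1 ;;
    esac
}

add_command() {
    check_command "$1"
    run_ipa sudocmd-add "$1"
    run_ipa sudorule-add-allow-command "$RULE" --sudocmds "$1"
}

create_rule() {
    run_ipa sudorule-add "$RULE" --desc "DB admins act as $RUNAS_USER"
    run_ipa sudorule-add-user "$RULE" --groups "$ADMIN_GROUP"
    run_ipa sudorule-add-host "$RULE" --hostgroups "$HOSTGROUP"
    # A user known to IPA lands in the rule's run-as user; a local-only
    # service account (UID < 500) is assumed to be stored as an external
    # run-as user, as Dmitri describes.
    run_ipa sudorule-add-runasuser "$RULE" --users "$RUNAS_USER"
    add_command /usr/bin/sqlplus
    # Needed for 'sudo -u oracle -i'; assumes oracle's login shell is bash.
    add_command /bin/bash
}

create_rule
```

Every invocation is logged by sudo under the admin's own account, which is the auditing benefit Stephen points out.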