On 12. mai 2010 19:26, Andreas B. Mundt wrote:
> I am currently thinking about how to handle the post-creation,
> post-password-change and related stuff properly.
>
> So far, I use the draft-script attached below which is run by the gosa
> postcreation hook (www-data added to sudoers file) to handle all needs:
>
> 1.: A (posix) user is created in gosa: The script called as
> /usr/bin/sudo /usr/sbin/gosa-pp %uid
> creates homedir and corresponding principal with random
> password. This works fine.
What if the gosa web server is not the home directory server, and maybe even not the LDAP server?

> 2.: Now, the password for the new user is entered in gosa. I figured
> out that the passwordHook="/usr/bin/sudo /usr/sbin/gosa-pp" is
> called with just the password as argument. Unfortunately there is
> no uid attached, so I do not know how to set the attached password
> for the user just(?) created. (Currently, the script tries to
> create a homedir for a user with uid=password, so this has to be
> fixed too.)

What about other users that create PHP scripts that also call the gosa sudo-tools for Debian, changing passwords for the teachers and admins on their own?

> 3.: Assume, the user changes his password in gosa now. In this case
> gosa-pp is called as:
> gosa-pp uid oldpw newpw
> As you see below, with root's almighty power the new password is
> enforced, but there is no check if the old password is known by
> the executing party.

Same comment as above.

Sorry for the late comments, but I don't think the gosa-sudo-tool path is the correct way to deal with these problems. I also see that there are hooks to make them work, but thankfully, they don't. (I have not checked if there are checks that will cause password changes to fail if a wrong old password is given.)

// faj
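The thread criticizes the three call forms of the sudo-wrapped hook (uid only, password only, `uid oldpw newpw`) without showing the script itself. The following is an added model of a hook dispatcher, not the gosa-pp script or any GOsa code; the in-memory credential store, the `hook`/`make_store`/`verify` names and the uid syntax rule are assumptions, and the real hook would talk to Kerberos or LDAP instead.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the principal database: uid -> (salt, PBKDF2 digest).
# Only the argument handling is modelled; no home directories are touched.
_UID_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def _entry(password: str, salt: bytes = None) -> tuple:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(users: dict) -> dict:
    """Build the constructed credential store from {uid: password}."""
    return {uid: _entry(pw) for uid, pw in users.items()}


def verify(store: dict, uid: str, password: str) -> bool:
    """Constant-time check of a password against the stored digest."""
    if uid not in store:
        return False
    salt, digest = store[uid]
    return hmac.compare_digest(_entry(password, salt)[1], digest)


def hook(store: dict, argv: list) -> str:
    """Dispatch on the hook's argv the way gosa-pp is called; returns an outcome."""
    # A single argument is ambiguous: the postcreation hook passes a uid, the
    # passwordHook passes only a password (item 2 in the thread). The most the
    # hook can do is refuse anything that does not look like a uid.
    if not argv or not _UID_RE.match(argv[0]):
        return "refused: no valid uid"
    uid = argv[0]
    if len(argv) == 1:
        if uid in store:
            return "refused: principal exists"
        store[uid] = _entry(os.urandom(12).hex())  # random initial password
        return f"created: {uid}"
    if len(argv) == 3:
        oldpw, newpw = argv[1], argv[2]
        # Item 3: root can force the change, so the hook must prove the caller
        # knows the old password before doing so.
        if not verify(store, uid, oldpw):
            return "refused: old password does not verify"
        store[uid] = _entry(newpw)
        return f"changed: {uid}"
    return "refused: unexpected argument count"
```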

