[Mike Gabriel]
> Hi Petter,

Hi, Mike.

> I agree with the confusion factor here.

Great. Then let's try to reduce it. :)

> When I set up LDAP based networks, I always have a local user that is
> not in LDAP and not root. Since Ubuntu, using sudo is common practice
> and I rather would like to propose that the root account is not used
> at all, but to provide (continue providing) a fully functional local
> sudo-able account (like localadmin, the name may be different, of
> course).

When it is impossible to log into the root account, having another local account in /etc/passwd definitely makes sense. But each local user on each system comes with the burden of keeping the password for that user up-to-date. Where I work, we do not provide such local users, as the pain of changing the passwords outweighs the advantages. If we need to log in and the root user is broken, we fetch a rescue USB stick. I can not remember when that happened the last time.

> GOsa² won't authenticate against Kerberos credentials. GOsa² uses
> x_simple_bind.

Right. Too bad, but then we will just have to handle that. :/

> My suggestion would be instead:
>
> 1. rename localadmin -> admin, keep it locally, on every machine in
> /etc/passwd, force it to uidNumber 1000, gidNumber 1000
> 2. drop the super-admin DN for GOsa and use
> cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
> 3. add posixAccount and Kerberos information to
> cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
> with duplicate uidNumber 1000, gidNumber 1000
> but keep the cn=admin item hidden from GOsa²

Having two different users with different password strings but the same name is going to lead to most admins only changing the password in LDAP/Kerberos, and leaving the local admin user behind. That is too high a security risk to put on the school admins. I believe it is better to drop the localadmin account completely, ask the admin during installation of the main-server for his name, username and password, and create an LDAP/Kerberos user using this information.

This way the local admin will get his normal account right away, and at least one non-personal account goes away. I am quite close to having this working. We will still have the root, admin and super-admin accounts with the initial root password, but at least one step closer. We could consider merging the first user and the super-admin user to reduce the set to 'root' in /etc/passwd and 'admin' in LDAP. This way the first-time user/admin will know which username and password to use when logging into GOsa to create the rest of the users.

-- 
Happy hacking
Petter Reinholdtsen

Archive: http://lists.debian.org/[email protected]
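The risk Petter raises, an account that exists both in /etc/passwd and in LDAP under the same name or uidNumber, with two independently maintained passwords, is easy to audit for. The following script is an added example, not part of the thread or of Debian Edu; it compares a passwd(5)-format local file against passwd-format lines from the directory and reports name and uid collisions. The sample entries are constructed, and the `getent -s ldap passwd` invocation in the comment assumes the directory is exposed through an NSS source named `ldap`.

```shell
#!/bin/sh
# Added example: find accounts present in both the local passwd file and the
# LDAP-backed passwd map (same login name, or same uidNumber under another
# name). On a real host: find_shadowed_accounts /etc/passwd "$(getent -s ldap passwd)"
# (assumes nss_ldap/sssd is configured as the NSS source called 'ldap').

find_shadowed_accounts() {
    local_db="$1"       # path to a passwd(5)-format file (e.g. /etc/passwd)
    ldap_entries="$2"   # passwd(5)-format lines fetched from the directory
    printf '%s\n' "$ldap_entries" | awk -F: -v localdb="$local_db" '
        BEGIN {
            # Index the local file by login name and by uid.
            while ((getline line < localdb) > 0) {
                split(line, f, ":")
                lname[f[1]] = f[3]
                luid[f[3]] = f[1]
            }
        }
        NF >= 3 {
            # Same login name in both sources: two passwords for one identity.
            if ($1 in lname)
                printf "name-collision %s local-uid=%s ldap-uid=%s\n", $1, lname[$1], $3
            # Same uid under different names: file ownership becomes ambiguous.
            else if ($3 in luid)
                printf "uid-collision %s local=%s ldap=%s\n", $3, luid[$3], $1
        }'
}

# Constructed sample data (not real Skolelinux entries).
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Local admin:/home/admin:/bin/bash
backup:x:1001:1001:Backup:/var/backups:/usr/sbin/nologin'
SAMPLE_LDAP='admin:x:1000:1000:Directory admin:/home/admin:/bin/bash
petter:x:1001:1001:Petter:/home/petter:/bin/bash
mike:x:1002:1002:Mike:/home/mike:/bin/bash'

# Runs the check over the constructed data; prints one line per collision.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOCAL" > "$tmp"
    find_shadowed_accounts "$tmp" "$SAMPLE_LDAP"
    rm -f "$tmp"
}

demo
```

Only the name collision for `admin` and the uid clash between `backup` and `petter` are reported; `root` and `mike` are unique to one source each.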

