On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote: > On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote: > > Does this mean that it's impossible to have IPA authenticate the > > oracle user or any other user that is normally below 500? > > > > Our security team is asking that we manage the passwords of oracle and > > other users centrally. Can IPA do this for me? > > It's not impossible, but it requires some mangling of your PAM stacks > in /etc/pam.d/* > > That said, it's generally a bad idea to have passwords on users < 500. > It should not be possible to log into them at all, and instead you > should rely on granting (restricted) sudo privileges to real users > allowing them to impersonate the service user instead. > > So instead of allowing people to log into the box as 'oracle', they > should log in as 'myusername' and then run 'sudo -u oracle <command>'. > This provides better auditing support as well, since you will always > know which real user modified your database configuration (rather than > trying to piece together who logged in as 'oracle' directly).
Note you can also allow sudo -i which gives you an interactive shell just like su - would, but you can control sudo configuration centrally. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users