Im am trying to do just this but failing,

So rather than,

ipa sudorule-add-allow-command --sudocmds "/bin/su - banner" 


ipa sudorule-add-allow-command --sudocmds "/bin/sudo  -i banner" 


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: [] on 
behalf of Simo Sorce []
Sent: Friday, 20 July 2012 5:09 a.m.
To: Stephen Gallagher
Subject: Re: [Freeipa-users] IPA and UIDS <500

On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote:
> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
> > Does this mean that it's impossible to have IPA authenticate the
> > oracle user or any other user that is normally below 500?
> >
> > Our security team is asking that we manage the passwords of oracle and
> > other users centrally.  Can IPA do this for me?
> It's not impossible, but it requires some mangling of your PAM stacks
> in /etc/pam.d/*
> That said, it's generally a bad idea to have passwords on users < 500.
> It should not be possible to log into them at all, and instead you
> should rely on granting (restricted) sudo privileges to real users
> allowing them to impersonate the service user instead.
> So instead of allowing people to log into the box as 'oracle', they
> should log in as 'myusername' and then run 'sudo -u oracle <command>'.
> This provides better auditing support as well, since you will always
> know which real user modified your database configuration (rather than
> trying to piece together who logged in as 'oracle' directly).

Note you can also allow sudo -i which gives you an interactive shell
just like su - would, but you can control sudo configuration centrally.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to