Here are some more runs of nested_group_perf.stp.
Running fc25 workstation, kernel 4.8.8-300.fc25.x86_64, gnome desktop.
Noticed a small issue with the system tap script
Mario Rossi wrote:
> Emergency users should be used when LDAP fails and there is no other way to
> get access to the box via ssh.
Yes.
> I can recall an incident a few years ago where an
> admin deleted the bigip_monitoring user thinking that the account is not used.
> You would think that
Mario Rossi wrote:
> I think this is the way to go - slapd config to allow certain groups to write
> to the tree via dn.regex.
Æ-DIR does not rely on host name convention or DIT structure because this is too
inflexible in practice.
Instead the ACLs work their way along the EER which also allows
On 11/30/2016 02:47 PM, Michael Ströder wrote:
Mario Rossi wrote:
I understand your pain, I have the same issue. We have a local emergency user
in /etc/passwd and initially when we deployed servers everything was good.
And then people started to use emergency user on a daily basis
1. Make
Thanks Michael,
I think this is the way to go - slapd config to allow certain groups to
write to the tree via dn.regex.
Thank you for the link.
Mario
On 11/30/2016 02:50 PM, Michael Ströder wrote:
Mario Rossi wrote:
Thank you for the information. We use both Puppet and Ansible to manage our
We're running 1.13.3 with the exception of a couple of hosts where sudo
rules are kept in ldap and where we had to install 1.14.2 from
unofficial repos. We had to do that because of random sudo issues in
1.13. On prod I would rather stay on the same version as official repo
and not
Mario Rossi wrote:
> Thank you for the information. We use both Puppet and Ansible to manage our
> servers. Let me add more details:
>
> 1. An admin will build 10 new servers via cobbler and use puppet to deploy
> settings
> 2. The admin will create a ticket to SecurityTeam who manages
> openldap
Mario Rossi wrote:
> I understand your pain, I have the same issue. We have a local emergency user
> in /etc/passwd and initially when we deployed servers everything was good.
> And then people started to use emergency user on a daily basis
1. Make sure there's an organizational process to
Jakub Hrozek wrote:
> On Wed, Nov 30, 2016 at 09:41:51AM -0500, Mario Rossi wrote:
>> sss_obfuscate is used locally on servers to replace clear text passwords in
>> sssd.conf.
>
> This is really not an SSSD question, but a generic
> deployment/configuration question, so whatever you use to push
Kevin,
I understand your pain, I have the same issue. We have a local emergency
user in /etc/passwd and initially when we deployed servers everything
was good. And then people started to use emergency user on a daily basis
instead of their ldap accounts to bypass any ldap restrictions or
On Wed, Nov 30, 2016 at 11:01:51AM -0500, Mario Rossi wrote:
> Jakub,
>
> Thank you for the information. We use both Puppet and Ansible to manage our
> servers. Let me add more details:
>
> 1. An admin will build 10 new servers via cobbler and use puppet to deploy
> settings
> 2. The admin will
Jakub,
Thank you for the information. We use both Puppet and Ansible to manage
our servers. Let me add more details:
1. An admin will build 10 new servers via cobbler and use puppet to
deploy settings
2. The admin will create a ticket to SecurityTeam who manages openldap
to create 10 new
On Wed, Nov 30, 2016 at 07:14:17AM -0800, Ali, Saqib wrote:
> Thanks Jakub. The diagram on your blogpost is really nice.
>
> So the Sudo Rules are cached by the NSS Responder (sssd_nss)?
No, the back end retrieves them from the server and stores the rules
into the ldb cache and the sssd_sudo
Thanks Jakub. The diagram on your blogpost is really nice.
So the Sudo Rules are cached by the NSS Responder (sssd_nss)?
On Wed, Nov 30, 2016 at 7:08 AM, Jakub Hrozek wrote:
> On Wed, Nov 30, 2016 at 06:48:59AM -0800, Ali, Saqib wrote:
>> Newbie question: What does
On Wed, Nov 30, 2016 at 06:48:59AM -0800, Ali, Saqib wrote:
> Newbie question: What does the be stand for in sssd_be?
Back End.
> And what is
> the function of the sssd_be?
https://fedorahosted.org/sssd/wiki/InternalsDocs
or https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
On Wed, Nov 30, 2016 at 09:41:51AM -0500, Mario Rossi wrote:
> Hi,
>
> sss_obfuscate is used locally on servers to replace clear text passwords in
> sssd.conf. In our environment we have hundreds of servers and what I usually
> do is manually generate the password on a test server. I would like
Newbie question: What does the be stand for in sssd_be? And what is
the function of the sssd_be?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
Hi,
sss_obfuscate is used locally on servers to replace clear text passwords
in sssd.conf. In our environment we have hundreds of servers and what I
usually do is manually generate the password on a test server. I would
like to automate ldap_default_authtok via a php interface or API. This
On Tue, Nov 29, 2016 at 5:45 AM, Michael Ströder
wrote:
> Jakub Hrozek wrote:
> > On Tue, Nov 29, 2016 at 03:40:26AM -, kevin4sulli...@gmail.com
> wrote:
> >> I don't want to
> >> cache credentials and I can't guarantee that the account will have been
> >> used to login
On (30/11/16 05:47), Simo Sorce wrote:
>On Wed, 2016-11-30 at 00:22 +0100, Lukas Slebodnik wrote:
>> On (29/11/16 23:05), Michael Ströder wrote:
>> >Jakub Hrozek wrote:
>> >> Would "sss_seed" help here to add a temporary password for
>> >> some 'operator' account even if this operator never logged
On Wed, 2016-11-30 at 00:22 +0100, Lukas Slebodnik wrote:
> On (29/11/16 23:05), Michael Ströder wrote:
> >Jakub Hrozek wrote:
> >> Would "sss_seed" help here to add a temporary password for
> >> some 'operator' account even if this operator never logged
> >> in? e.g.