diff options
Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-November/000386.html')
| -rw-r--r-- | zarb-ml/mageia-sysadm/2010-November/000386.html | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-November/000386.html b/zarb-ml/mageia-sysadm/2010-November/000386.html new file mode 100644 index 000000000..ef8c404f1 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000386.html @@ -0,0 +1,117 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] Usernames, uids, and groups + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3CAANLkTimYsTneksDDpg0COhiGOzxG2TN65cXVV10NbKVO%40mail.gmail.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000385.html"> + <LINK REL="Next" HREF="000408.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] Usernames, uids, and groups</H1> + <B>Romain d'Alverny</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3CAANLkTimYsTneksDDpg0COhiGOzxG2TN65cXVV10NbKVO%40mail.gmail.com%3E" + TITLE="[Mageia-sysadm] Usernames, uids, and groups">rdalverny at gmail.com + </A><BR> + <I>Mon Nov 8 17:40:24 CET 2010</I> + <P><UL> + <LI>Previous message: <A HREF="000385.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI>Next message: <A HREF="000408.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#386">[ date ]</a> + <a href="thread.html#386">[ thread ]</a> + <a href="subject.html#386">[ subject ]</a> + <a href="author.html#386">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Mon, Nov 8, 2010 at 17:29, nicolas vigier <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">boklm at mars-attacks.org</A>> wrote: +><i> On some machines like the svn server, we need to use pam_ldap to allow +</I>><i> users access with their ldap accounts. But on others servers like +</I>><i> alamut (web services), or the build nodes, normal users have no reason +</I>><i> to login. On those servers, do you think we should restrict access with +</I>><i> ssh configuration and a group, or disable pam_ldap completly on those +</I>><i> servers and only use local accounts ? +</I> +What would be the risk(s) to use specific ldap groups for that +purpose? (managing all access in a similar way may be better, no?) + +><i> And groups. I think we could use the following groups : +</I>><i>  * posix : promotes the user as posixAccount+sshPublicKey (in ldap), and +</I>><i>   allows access to the svn and git using svn+<A HREF="ssh://">ssh://</A> and git+<A HREF="ssh://">ssh://</A> +</I>><i>  * packager : allows commits in packages repository, package submit using +</I>><i>   mdvsys, additional permissions on bugzilla, access to the packages +</I>><i>   maintainers database, etc ... +</I>><i>  * web : for members of web team, allows commits in web repository +</I>><i>  * documentation, translator, qa, marketing, etc ... : +</I>><i>  * packagerapprentice, webapprentice, etc ... : for apprentices, with +</I>><i>   more restricted access +</I>><i>  * sysadm : gives admin permissions on all applications +</I> +LDAP groups should as well map team membership. So marketing team guys +would belong to such a marketingTeam group then. + +><i> What do you think ? +</I> +We probably won't nail this one in one shot :-) + +As for web, we would need three roles: + - web-apprentice + - web (commits to web repos and pushes to tests servers) + - webmaster (pushes to prod servers) + +We need groups as well for (not exclusive): + - being a team representative (that is, in the Council) + - being an association member (eligible and elector) + - being a board member + - being the chair(wo)man + +Are group belonging/ownership a "one-time" record or does it get +archived? (to access a history of past membership). Or should such a +history be built separately? + +Romain +</PRE> + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000385.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI>Next message: <A HREF="000408.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#386">[ date ]</a> + <a href="thread.html#386">[ thread ]</a> + <a href="subject.html#386">[ subject ]</a> + <a href="author.html#386">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |