diff options
Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-November/000408.html')
| -rw-r--r-- | zarb-ml/mageia-sysadm/2010-November/000408.html | 130 |
1 files changed, 130 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-November/000408.html b/zarb-ml/mageia-sysadm/2010-November/000408.html new file mode 100644 index 000000000..f4732c3ed --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000408.html @@ -0,0 +1,130 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] Usernames, uids, and groups + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C201011091425.51183.bgmilne%40multilinks.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000386.html"> + <LINK REL="Next" HREF="000396.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] Usernames, uids, and groups</H1> + <B>Buchan Milne</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C201011091425.51183.bgmilne%40multilinks.com%3E" + TITLE="[Mageia-sysadm] Usernames, uids, and groups">bgmilne at multilinks.com + </A><BR> + <I>Tue Nov 9 14:25:51 CET 2010</I> + <P><UL> + <LI>Previous message: <A HREF="000386.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI>Next message: <A HREF="000396.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#408">[ date ]</a> + <a href="thread.html#408">[ thread ]</a> + <a href="subject.html#408">[ subject ]</a> + <a href="author.html#408">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Monday, 8 November 2010 17:40:24 Romain d'Alverny wrote: +><i> On Mon, Nov 8, 2010 at 17:29, nicolas vigier <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">boklm at mars-attacks.org</A>> wrote: +</I>><i> > On some machines like the svn server, we need to use pam_ldap to allow +</I>><i> > users access with their ldap accounts. But on others servers like +</I>><i> > alamut (web services), or the build nodes, normal users have no reason +</I>><i> > to login. On those servers, do you think we should restrict access with +</I>><i> > ssh configuration and a group, or disable pam_ldap completly on those +</I>><i> > servers and only use local accounts ? +</I>><i> +</I>><i> What would be the risk(s) to use specific ldap groups for that +</I>><i> purpose? (managing all access in a similar way may be better, no?) +</I> +Both have advantages and disadvantages, but the disadvantages for local +accounts increase with N*M (e.g. total number of operations to remove an +old/compromised account), whereas the disadvantages for LDAP increase with N. + +where N=number of users and M=number of hosts. + +Usually by the time N*M > 50 it becomes difficult to be sure passwords have +been removed everywhere etc. + +><i> > And groups. I think we could use the following groups : +</I>><i> > * posix : promotes the user as posixAccount+sshPublicKey (in ldap), and +</I>><i> > allows access to the svn and git using svn+<A HREF="ssh://">ssh://</A> and git+<A HREF="ssh://">ssh://</A> +</I>><i> > * packager : allows commits in packages repository, package submit using +</I>><i> > mdvsys, additional permissions on bugzilla, access to the packages +</I>><i> > maintainers database, etc ... +</I>><i> > * web : for members of web team, allows commits in web repository +</I>><i> > * documentation, translator, qa, marketing, etc ... : +</I>><i> > * packagerapprentice, webapprentice, etc ... : for apprentices, with +</I>><i> > more restricted access +</I>><i> > * sysadm : gives admin permissions on all applications +</I>><i> +</I>><i> LDAP groups should as well map team membership. So marketing team guys +</I>><i> would belong to such a marketingTeam group then. +</I>><i> +</I>><i> > What do you think ? +</I>><i> +</I>><i> We probably won't nail this one in one shot :-) +</I>><i> +</I>><i> As for web, we would need three roles: +</I>><i> - web-apprentice +</I>><i> - web (commits to web repos and pushes to tests servers) +</I>><i> - webmaster (pushes to prod servers) +</I>><i> +</I>><i> We need groups as well for (not exclusive): +</I>><i> - being a team representative (that is, in the Council) +</I> +The current ACLs allow the DN listed in the 'manager' (single-valued) +attribute of a group to modify the member attribute of this group. + +Or, do we need these as mailing lists as well? + +><i> - being an association member (eligible and elector) +</I>><i> - being a board member +</I>><i> - being the chair(wo)man +</I>><i> +</I>><i> Are group belonging/ownership a "one-time" record or does it get +</I>><i> archived? (to access a history of past membership). Or should such a +</I>><i> history be built separately? +</I> +Archiving isn't that easy, I would prefer a record to be kept when +appropriate. + +Regards, +Buchan +</PRE> + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000386.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI>Next message: <A HREF="000396.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#408">[ date ]</a> + <a href="thread.html#408">[ thread ]</a> + <a href="subject.html#408">[ subject ]</a> + <a href="author.html#408">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |