<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-sysadm] Usernames, uids, and groups
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C201011091425.51183.bgmilne%40multilinks.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000386.html">
   <LINK REL="Next"  HREF="000396.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-sysadm] Usernames, uids, and groups</H1>
    <B>Buchan Milne</B> 
    <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C201011091425.51183.bgmilne%40multilinks.com%3E"
       TITLE="[Mageia-sysadm] Usernames, uids, and groups">bgmilne at multilinks.com
       </A><BR>
    <I>Tue Nov  9 14:25:51 CET 2010</I>
    <HR>  
<!--beginarticle-->
<PRE>On Monday, 8 November 2010 17:40:24 Romain d'Alverny wrote:
&gt;<i> On Mon, Nov 8, 2010 at 17:29, nicolas vigier &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">boklm at mars-attacks.org</A>&gt; wrote:
</I>&gt;<i> &gt; On some machines like the svn server, we need to use pam_ldap to allow
</I>&gt;<i> &gt; users access with their ldap accounts. But on other servers like
</I>&gt;<i> &gt; alamut (web services), or the build nodes, normal users have no reason
</I>&gt;<i> &gt; to login. On those servers, do you think we should restrict access with
</I>&gt;<i> &gt; ssh configuration and a group, or disable pam_ldap completely on those
</I>&gt;<i> &gt; servers and only use local accounts ?
</I>&gt;<i> 
</I>&gt;<i> What would be the risk(s) to use specific ldap groups for that
</I>&gt;<i> purpose? (managing all access in a similar way may be better, no?)
</I>
Both have advantages and disadvantages, but the disadvantages for local 
accounts increase with N*M (e.g. total number of operations to remove an 
old/compromised account), whereas the disadvantages for LDAP increase with N,
where N = number of users and M = number of hosts.

Usually by the time N*M &gt; 50 it becomes difficult to be sure passwords have 
been removed everywhere etc.

&gt;<i> &gt; And groups. I think we could use the following groups :
</I>&gt;<i> &gt;  * posix : promotes the user as posixAccount+sshPublicKey (in ldap), and
</I>&gt;<i> &gt;   allows access to the svn and git using svn+<A HREF="ssh://">ssh://</A> and git+<A HREF="ssh://">ssh://</A>
</I>&gt;<i> &gt;  * packager : allows commits in packages repository, package submit using
</I>&gt;<i> &gt;   mdvsys, additional permissions on bugzilla, access to the packages
</I>&gt;<i> &gt;   maintainers database, etc ...
</I>&gt;<i> &gt;  * web : for members of web team, allows commits in web repository
</I>&gt;<i> &gt;  * documentation, translator, qa, marketing, etc ... :
</I>&gt;<i> &gt;  * packagerapprentice, webapprentice, etc ... : for apprentices, with
</I>&gt;<i> &gt;   more restricted access
</I>&gt;<i> &gt;  * sysadm : gives admin permissions on all applications
</I>&gt;<i> 
</I>&gt;<i> LDAP groups should as well map team membership. So marketing team guys
</I>&gt;<i> would belong to such a marketingTeam group then.
</I>&gt;<i> 
</I>&gt;<i> &gt; What do you think ?
</I>&gt;<i> 
</I>&gt;<i> We probably won't nail this one in one shot :-)
</I>&gt;<i> 
</I>&gt;<i> As for web, we would need three roles:
</I>&gt;<i>  - web-apprentice
</I>&gt;<i>  - web (commits to web repos and pushes to tests servers)
</I>&gt;<i>  - webmaster (pushes to prod servers)
</I>&gt;<i> 
</I>&gt;<i> We need groups as well for (not exclusive):
</I>&gt;<i>  - being a team representative (that is, in the Council)
</I>
The current ACLs allow the DN listed in the 'manager' (single-valued) 
attribute of a group to modify the member attribute of this group.

Or, do we need these as mailing lists as well?

&gt;<i>  - being an association member (eligible and elector)
</I>&gt;<i>  - being a board member
</I>&gt;<i>  - being the chair(wo)man
</I>&gt;<i> 
</I>&gt;<i> Is group belonging/ownership a &quot;one-time&quot; record or does it get
</I>&gt;<i> archived? (to access a history of past membership). Or should such a
</I>&gt;<i> history be built separately?
</I>
Archiving isn't that easy, I would prefer a record to be kept when 
appropriate.

Regards,
Buchan
</PRE>
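The delegation rule Buchan describes (the DN in a group's single-valued 'manager' attribute may edit that group's 'member' attribute), written out as an OpenLDAP cn=config ACL together with a sample group and the change a delegated manager can then make. This is an added illustration, not Mageia's actual slapd configuration; the base DN, the ou=Group subtree, the olcDatabase={1}mdb index, the user DNs and the object class carrying 'manager' are all assumptions.

```ldif
# Added example, not the Mageia directory's real configuration. Assumed: groups
# live under ou=Group,dc=mageia,dc=org, the data backend is olcDatabase={1}mdb,
# and group entries are allowed a single-valued 'manager' attribute (groupOfNames
# alone does not permit it; an auxiliary class is needed).

# 1. Delegation rule. dnattr=manager grants the right to whoever is listed in
#    the target entry's own 'manager' attribute. {0} places the rule first so a
#    later catch-all rule cannot shadow it. Authenticated users keep read
#    access to membership (local policy may narrow this).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.children="ou=Group,dc=mageia,dc=org" attrs=member
  by dnattr=manager write
  by users read
  by * none

# Caveat: this rule covers 'member' only. 'manager' itself stays under the
# remaining rules, which should leave it writable by directory admins alone;
# otherwise a delegated manager could hand the whole group to anyone.

# 2. A group entry with a delegated manager (constructed sample values)
dn: cn=web,ou=Group,dc=mageia,dc=org
changetype: add
objectClass: groupOfNames
cn: web
manager: uid=alice,ou=People,dc=mageia,dc=org
member: uid=alice,ou=People,dc=mageia,dc=org

# 3. What alice may now do when bound as her own DN: add or remove members.
#    Anyone not named in 'manager' gets an insufficient-access error here.
dn: cn=web,ou=Group,dc=mageia,dc=org
changetype: modify
add: member
member: uid=bob,ou=People,dc=mageia,dc=org
```

Feed records 1 and 2 to ldapmodify as the directory admin and record 3 while bound as uid=alice to confirm the delegation works and that a non-manager bind is refused.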
<!--endarticle-->
    <HR>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>