On Wed, May 29, 2019 at 12:25:59PM +0200, Michał Górny wrote:
> On Wed, 2019-05-29 at 11:50 +0200, Jaco Kroon wrote:
> > Hi Michal,
> >
> > This sounds sensible and is an interesting approach. I kinda like it.
> >
> > There is only one technical comment I have based on the earlier
> > discussion, not addressed.
> >
> > What if users need to be created into a centralized UID/GID system to
> > be pulled in via nss?
> >
> > So calling system tools by default is fine, but what if the sysadmin
> > would prefer to have users and groups pushed into ldap? Can we at least
> > accommodate a hook mechanism to allow system administrators not relying
> > on local users to deal with this?
> We kinda have hooks already. Just drop your 'useradd' etc. replacements
> into /usr/local/bin, and tadaam! KISS all the way.
Having written one of those replacements (diradm), I would like a little
more flexibility:
- permit the sysadmin to configure paths to the useradd(etc)
  tools/wrappers to be actually used.
- include a manual mode that just has the package bail out and wait for
  the sysadmin to do it (e.g. they have to actually create the user on
  another host).

> > My personal rule of thumb is that system users are (and should be)
> > local. But there are definite use cases where shared "system uids" are
> > a definite legitimate requirement.
Created in a central system AND mirrored locally is my preference, using
nsscache.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136