On Wed, May 29, 2019 at 12:25:59PM +0200, Michał Górny wrote:
> On Wed, 2019-05-29 at 11:50 +0200, Jaco Kroon wrote:
> > Hi Michal,
> >
> > This sounds sensible and is an interesting approach. I kinda like it.
> >
> > There is only one technical comment I have based on the earlier
> > discussion, not addressed.
> >
> > What if users need to be created into a centralized UID/GID system to
> > be pulled in via nss?
> >
> > So calling system tools by default is fine, but what if the sysadmin
> > would prefer to have users and groups pushed into ldap? Can we at least
> > accommodate a hook mechanism to allow system administrators not relying
> > on local users to deal with this?
> We kinda have hooks already. Just drop your 'useradd' etc. replacements
> into /usr/local/bin, and tadaam! KISS all the way.

Having written one of those replacements (diradm), I would like a little
more flexibility:
- permit the sysadmin to configure paths to the useradd(etc)
  tools/wrappers to be actually used.
- include a manual mode that just has the package bail out and wait for
  the sysadmin to do it (e.g. they have to actually create the user on
  another host).

> > My personal rule of thumb is that system users are (and should be)
> > local. But there are definite use cases where shared "system uids" are
> > a definite legitimate requirement.

Created in a central system AND mirrored locally is my preference, using
nsscache.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136