
Re: ldap/gosa postcreation and kerberos password synchronization



On 12 May 2010 19:26, Andreas B. Mundt wrote:
> I am currently thinking about how to handle the post-creation,
> post-password-change and related stuff properly.
>
> So far, I use the draft-script attached below which is run by the gosa
> postcreation hook (www-data added to sudoers file) to handle all needs:
>
> 1.: A (posix) user is created in gosa: The script called as
>     /usr/bin/sudo /usr/sbin/gosa-pp %uid
>     creates homedir and corresponding principal with random
>     password. This works fine.

What if the gosa web server is not the home directory server, and maybe
not even the ldap server?

> 2.: Now, the password for the new user is entered in gosa. I figured
>     out that the passwordHook="/usr/bin/sudo /usr/sbin/gosa-pp" is
>     called with just the password as argument. Unfortunately there is
>     no uid attached, so I do not know how to set the attached password
>     for the user just(?) created. (Currently, the script tries to
>     create a homedir for a user with uid=password, so this has to be
>     fixed too.)

What about other users who write php scripts that also call the gosa
sudo tools for Debian, changing passwords for the teachers and admins on
their own?

> 3.: Assume, the user changes his password in gosa now. In this case
>     gosa-pp is called as:
>     gosa-pp uid oldpw newpw
>     As you see below, with root's almighty power the new password is
>     enforced, but there is no check if the old password is known by
>     the executing party.

Same comment as above.


Sorry for the late comments, but I don't think the gosa sudo-tool path is
the correct way to deal with these problems. I also see that there are
hooks to make them work, but thankfully, they don't.

(I have not checked whether there are checks that will cause password
changes to fail if a wrong old password is given.)

// faj
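The three invocation shapes Andreas describes (`gosa-pp %uid`, `gosa-pp <password>`, `gosa-pp uid oldpw newpw`) and faj's two objections (the hook runs as root via sudo from www-data, and nothing proves the caller knows the old password) are what a hardened wrapper has to deal with. The sketch below is an added example written for this page; it is not code from the thread, from GOsa or from Debian Edu. It assumes the hook configuration is changed so that every call carries an explicit mode and a uid (hypothetical `postcreationHook="... gosa-pp postcreate %uid"` and `passwordHook="... gosa-pp changepw"` called as `changepw uid oldpw newpw`), that the site realm is `EXAMPLE.ORG`, that accounts with a numeric uid below 1000 are never managed from the web, and that MIT Kerberos `kinit` and `kadmin.local` are present on the host (both are only used by the default backends, which the test replaces with fakes). The bare password-only form is refused outright because there is no way to tell which account it belongs to; a password change is applied only after the old password has been accepted by the KDC.

```python
#!/usr/bin/env python3
"""gosa_pp_guard.py: hardened sketch of a gosa post-creation / password hook.

Added example for this thread, not GOsa or Debian Edu code. Assumptions:
  postcreationHook = "/usr/bin/sudo /usr/sbin/gosa-pp postcreate %uid"
  passwordHook     = "/usr/bin/sudo /usr/sbin/gosa-pp changepw"   # changepw uid oldpw newpw
  MIT Kerberos kinit / kadmin.local on the host (default backends only).
"""
import os
import pwd
import re
import secrets
import subprocess
import sys
from typing import Optional, Sequence

REALM = "EXAMPLE.ORG"      # assumption: site realm
MIN_MANAGED_UID = 1000     # assumption: system and admin accounts live below this
UID_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


class HookError(Exception):
    """Any request the hook refuses; main() maps it to exit status 1."""


# --- default backends: no shell, passwords over stdin so they never show up in ps ---

def kinit_verify(principal: str, password: str) -> bool:
    """Prove the caller knows the old password by asking the KDC for a TGT into a
    memory-only ccache. Assumes MIT kinit, which reads the password from stdin."""
    r = subprocess.run(["kinit", "-c", "MEMORY:gosa-pp-verify", principal],
                       input=password + "\n", text=True, capture_output=True)
    return r.returncode == 0


def kadmin_local(command: str) -> None:
    """Run one kadmin.local command fed over stdin (kadmin.local reads commands
    from stdin when no -q is given)."""
    r = subprocess.run(["kadmin.local"], input=command + "\n",
                       text=True, capture_output=True)
    if r.returncode != 0:
        raise HookError("kadmin.local failed: " + r.stderr.strip())


def kadmin_add_principal(principal: str, password: str) -> None:
    kadmin_local(f"addprinc -pw {password} {principal}")


def kadmin_set_password(principal: str, password: str) -> None:
    kadmin_local(f"cpw -pw {password} {principal}")


def posix_uid(uid: str) -> Optional[int]:
    try:
        return pwd.getpwnam(uid).pw_uid
    except KeyError:
        return None


def make_home(uid: str) -> None:
    """Create the home directory from the passwd entry, owner-only, fail if it exists."""
    pw = pwd.getpwnam(uid)
    os.makedirs(pw.pw_dir, mode=0o700, exist_ok=False)
    os.chown(pw.pw_dir, pw.pw_uid, pw.pw_gid)


# --- policy ---

def managed_principal(uid: str, lookup=posix_uid) -> str:
    """Accept only a well-formed, existing, non-system account; return its principal.
    The regex also catches the case where a password arrives in place of %uid."""
    if not UID_RE.match(uid):
        raise HookError("malformed uid")
    num = lookup(uid)
    if num is None:
        raise HookError("unknown account")
    if num < MIN_MANAGED_UID:
        raise HookError("refusing to touch a system or admin account")
    return f"{uid}@{REALM}"


def handle(argv: Sequence[str], *, lookup=posix_uid, verify=kinit_verify,
           add_principal=kadmin_add_principal, set_password=kadmin_set_password,
           make_home=make_home) -> str:
    """Dispatch on the explicit mode; every other shape (including the bare
    password-only passwordHook call) is refused."""
    if len(argv) == 2 and argv[0] == "postcreate":
        principal = managed_principal(argv[1], lookup)
        add_principal(principal, secrets.token_urlsafe(24))  # random initial password
        make_home(argv[1])
        return "created"
    if len(argv) == 4 and argv[0] == "changepw":
        _, uid, old, new = argv
        principal = managed_principal(uid, lookup)
        if not verify(principal, old):
            raise HookError("old password not accepted by the KDC")
        # whitespace is rejected because the kadmin.local line parser would split it
        if len(new) < 8 or new == old or any(c.isspace() for c in new):
            raise HookError("new password rejected by policy")
        set_password(principal, new)
        return "changed"
    raise HookError("unsupported invocation; an explicit mode and a uid are required")


def main(argv: Sequence[str]) -> int:
    try:
        print(handle(argv))
        return 0
    except HookError as e:
        print("gosa-pp: " + str(e), file=sys.stderr)
        return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Even with these checks the wrapper still runs as root on behalf of www-data, so it does not answer faj's broader objection: any PHP on the same host can still reach it. What it removes is the ability to reset an arbitrary account without its current password, and to touch admin accounts at all, and it keeps passwords off the command line where other local users could read them from the process list.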

