Re: ldap/gosa postcreation and kerberos password synchronization
- To: debian-edu@lists.debian.org
- Subject: Re: ldap/gosa postcreation and kerberos password synchronization
- From: Finn-Arne Johansen <faj@bzz.no>
- Date: Mon, 23 Aug 2010 18:24:45 +0200
- Message-id: <4C72A0CD.6040009@bzz.no>
- In-reply-to: <20100512172612.GA4330@flashgordon>
- References: <20100512172612.GA4330@flashgordon>
On 12 May 2010 19:26, Andreas B. Mundt wrote:
> I am currently thinking about how to handle the post-creation,
> post-password-change and related stuff properly.
>
> So far, I use the draft-script attached below which is run by the gosa
> postcreation hook (www-data added to sudoers file) to handle all needs:
>
> 1.: A (posix) user is created in gosa: The script called as
> /usr/bin/sudo /usr/sbin/gosa-pp %uid
> creates homedir and corresponding principal with random
> password. This works fine.
What if the gosa web server is not the home directory server, and maybe
not even the ldap server?
> 2.: Now, the password for the new user is entered in gosa. I figured
> out that the passwordHook="/usr/bin/sudo /usr/sbin/gosa-pp" is
> called with just the password as argument. Unfortunately there is
> no uid attached, so I do not know how to set the attached password
> for the user just(?) created. (Currently, the script tries to
> create a homedir for a user with uid=password, so this has to be
> fixed too.)
What about other users that create php scripts that also call the gosa
sudo tools for debian, changing passwords for the teachers and admins on
their own?
> 3.: Assume, the user changes his password in gosa now. In this case
> gosa-pp is called as:
> gosa-pp uid oldpw newpw
> As you see below, with root's almighty power the new password is
> enforced, but there is no check if the old password is known by
> the executing party.
Same comment as above.
Sorry for the late comments, but I don't think the gosa-sudo-tool path is
the correct way to deal with these problems. I also see that there are
hooks to make them work, but thankfully, they don't.
(I have not checked if there are checks that will cause password changes
to fail if a wrong old password is given.)
// faj
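A front end for the three hook invocations discussed in this thread, written here as an added example (it is neither gosa's code nor the gosa-pp draft): it refuses the password-only passwordHook form instead of treating the password as a uid, and it only changes a principal's password once the old one has been proven with kinit. The realm name, kinit reading the password from stdin, and kadmin.local reading its query from stdin are assumptions.

```python
import os
import re
import subprocess
import tempfile

# Conservative POSIX username pattern (assumption); a password will almost never match it.
UID_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def classify(argv):
    """Map the hook's argv to ('create', uid), ('change', uid, old, new) or ('reject', why)."""
    if len(argv) == 1:
        if UID_RE.match(argv[0]):
            return ("create", argv[0])
        # The passwordHook form passes only a password: there is no uid to act on.
        return ("reject", "single argument is not a valid uid; refusing to use a password as a uid")
    if len(argv) == 3:
        uid, old, new = argv
        if not UID_RE.match(uid):
            return ("reject", "invalid uid")
        return ("change", uid, old, new)
    return ("reject", "unexpected argument count: %d" % len(argv))


def kinit_verifies(uid, password, realm):
    """Prove the caller knows the old password by obtaining a TGT into a throwaway ccache (real kinit, stdin prompt assumed)."""
    with tempfile.TemporaryDirectory() as tmp:
        env = dict(os.environ, KRB5CCNAME="FILE:" + os.path.join(tmp, "cc"))
        try:
            proc = subprocess.run(["kinit", "%s@%s" % (uid, realm)], input=password + "\n",
                                  text=True, env=env, capture_output=True, timeout=15)
        except (OSError, subprocess.TimeoutExpired):
            return False
        return proc.returncode == 0


def kadmin_set_password(uid, new, realm):
    """Set the principal's password; the query goes over stdin so the new password never appears in argv (assumption)."""
    query = "change_password -pw %s %s@%s\n" % (new, uid, realm)
    proc = subprocess.run(["kadmin.local"], input=query, text=True, capture_output=True)
    return proc.returncode == 0


def handle(argv, realm, verify=kinit_verifies, setter=kadmin_set_password):
    """Run the hook; a password change only proceeds after the old password is verified."""
    action = classify(argv)
    if action[0] != "change":
        return action  # 'create' is handed to the homedir/principal code, 'reject' is logged
    _, uid, old, new = action
    if not verify(uid, old, realm):
        return ("reject", "old password not verified for %s" % uid)
    return ("changed", uid) if setter(uid, new, realm) else ("reject", "kadmin failed")
```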