Re: ldap/gosa postcreation and kerberos password synchronization
Hi,
On Mon, Aug 23, 2010 at 06:24:45PM +0200, Finn-Arne Johansen wrote:
> On 12. mai 2010 19:26, Andreas B. Mundt wrote:
> > I am currently thinking about how to handle the post-creation,
> > post-password-change and related stuff properly.
> >
> > So far, I use the draft-script attached below which is run by the gosa
> > postcreation hook (www-data added to sudoers file) to handle all needs:
> >
> > 1.: A (posix) user is created in gosa: The script called as
> > /usr/bin/sudo /usr/sbin/gosa-pp %uid
> > creates homedir and corresponding principal with random
> > password. This works fine.
>
> What if the gosa web server is not the home directory server, and maybe
> even not the ldap-server?
>
> > 2.: Now, the password for the new user is entered in gosa. I figured
> > out that the passwordHook="/usr/bin/sudo /usr/sbin/gosa-pp" is
> > called with just the password as argument. Unfortunately there is
> > no uid attached, so I do not know how to set the attached password
> > for the user just(?) created. (Currently, the script tries to
> > create a homedir for a user with uid=password, so this has to be
> > fixed too.)
>
> What about other users that create php-scripts that also call the gosa
> sudo-tools for debian, changing passwords for the teachers and admins on
> their own?
>
> > 3.: Assume, the user changes his password in gosa now. In this case
> > gosa-pp is called as:
> > gosa-pp uid oldpw newpw
> > As you see below, with root's almighty power the new password is
> > enforced, but there is no check if the old password is known by
> > the executing party.
>
> Same comment as above.
There have been many changes and improvements since I wrote the mail
cited above. Please provide comments/patches related to the current
scripts in use:
<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/gosa-create>
<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/gosa-remove>
<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/gosa-sync>
Thanks,
Andi