
Re: ldap/gosa postcreation and kerberos password synchronization



Hi,

On Mon, Aug 23, 2010 at 06:24:45PM +0200, Finn-Arne Johansen wrote:
> On 12. mai 2010 19:26, Andreas B. Mundt wrote:
> > I am currently thinking about how to handle the post-creation,
> > post-password-change and related stuff properly.
> >
> > So far, I use the draft-script attached below which is run by the gosa
> > postcreation hook (www-data added to sudoers file) to handle all needs:
> >
> > 1.: A (posix) user is created in gosa: The script called as
> >     /usr/bin/sudo /usr/sbin/gosa-pp %uid
> >     creates homedir and corresponding principal with random
> >     password. This works fine.
> 
> what if the gosa web server is not the homedirectory server, and maybe
> even not the ldap-server ?
> 
> > 2.: Now, the password for the new user is entered in gosa. I figured
> >     out that the passwordHook="/usr/bin/sudo /usr/sbin/gosa-pp" is
> >     called with just the password as argument. Unfortunately there is
> >     no uid attached, so I do not know how to set the attached password
> >     for the user just(?) created. (Currently, the script tries to
> >     create a homedir for a user with uid=password, so this has to be
> >     fixed too.)
> 
> What about other users that create php-scripts that also call the gosa
> sudo-tools for debian, changing passwords for the teachers and admins on
> their own ?
> 
> > 3.: Assume, the user changes his password in gosa now. In this case
> >     gosa-pp is called as:
> >     gosa-pp uid oldpw newpw
> >     As you see below, with root's almighty power the new password is
> >     enforced, but there is no check if the old password is known by
> >     the executing party.
> 
> Same comment as above.

There have been many changes and improvements since I wrote the mail
cited above. Please provide comments/patches related to the current
scripts in use:

<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/gosa-create>
<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/gosa-remove>
<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/gosa-sync>

Thanks,

	Andi