
Re: Question about system accounts in LDAP.



On Tue, 2003-08-12 at 01:50, Fred Clausen wrote:
> Hi All,
> 
> I am in the process of deploying OpenLDAP for authentication. I am just
> not sure what the best policy is for including system accounts like root,
> daemon, lp, etc. in LDAP. Should they be there for consistency across
> systems? Or will they just cause confusion by having the same system
> account with multiple UIDs?
> 
> I am inclined to remove them and only source real users from LDAP (and
> maybe some groups, like cvs and/or staff).
> 
> What would you guys suggest is the best practice?

In general it's inadvisable to have system users in LDAP; when LDAP
breaks you can't even log in at the console as root.

The default LDAP migration script in the Debian migrationtools does not
migrate all users below UID 1000 and groups below GID 100.


-- 
Donovan Baarda <abo@minkirri.apana.org.au>
http://minkirri.apana.org.au/~abo/
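
Added example (not part of the original messages): a small Python audit that flags LDAP account and group entries falling below the UID 1000 / GID 100 cut-offs mentioned above, or reusing a local system account name with a different UID. The passwd and LDIF samples, the example.org DNs and the function names are constructed for illustration.

```python
# Added example, not from the original thread. All sample data is constructed.
UID_MIN, GID_MIN = 1000, 100  # thresholds quoted in the message above

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
"""

SAMPLE_LDIF = """\
dn: uid=fred,ou=People,dc=example,dc=org
uid: fred
uidNumber: 1001
gidNumber: 1001

dn: uid=lp,ou=People,dc=example,dc=org
uid: lp
uidNumber: 4
gidNumber: 7

dn: cn=staff,ou=Group,dc=example,dc=org
cn: staff
gidNumber: 50
"""

def parse_passwd(text):
    """Map login name -> numeric UID from passwd(5) lines."""
    rows = (l.split(":") for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {f[0]: int(f[2]) for f in rows}

def parse_ldif(text):
    """One dict per entry; plain 'attr: value' lines only (no folding or base64)."""
    for block in text.strip().split("\n\n"):
        yield dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)

def audit(ldif_text, passwd_text):
    """Return (dn, reason) pairs for LDAP entries that overlap the local system range."""
    local, findings = parse_passwd(passwd_text), []
    for e in parse_ldif(ldif_text):
        if "uidNumber" in e:  # account entry
            uid = int(e["uidNumber"])
            if uid < UID_MIN:
                findings.append((e["dn"], "system-uid"))
            if local.get(e.get("uid"), uid) != uid:  # same name, different UID
                findings.append((e["dn"], "uid-conflict"))
        elif "gidNumber" in e and int(e["gidNumber"]) < GID_MIN:  # group entry
            findings.append((e["dn"], "system-gid"))
    return findings

if __name__ == "__main__":
    for dn, reason in audit(SAMPLE_LDIF, SAMPLE_PASSWD):
        print(f"{reason:13} {dn}")
```
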


