So, I am trying to do just this but failing.

So rather than:

ipa sudorule-add-allow-command --sudocmds "/bin/su - banner"

then:

ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i banner"

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: [email protected] [[email protected]] on behalf of Simo Sorce [[email protected]]
Sent: Friday, 20 July 2012 5:09 a.m.
To: Stephen Gallagher
Cc: [email protected]
Subject: Re: [Freeipa-users] IPA and UIDS <500

On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote:
> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
> > Does this mean that it's impossible to have IPA authenticate the
> > oracle user or any other user that is normally below 500?
> >
> > Our security team is asking that we manage the passwords of oracle and
> > other users centrally. Can IPA do this for me?
>
> It's not impossible, but it requires some mangling of your PAM stacks
> in /etc/pam.d/*
>
> That said, it's generally a bad idea to have passwords on users < 500.
> It should not be possible to log into them at all, and instead you
> should rely on granting (restricted) sudo privileges to real users
> allowing them to impersonate the service user instead.
>
> So instead of allowing people to log into the box as 'oracle', they
> should log in as 'myusername' and then run 'sudo -u oracle <command>'.
> This provides better auditing support as well, since you will always
> know which real user modified your database configuration (rather than
> trying to piece together who logged in as 'oracle' directly).

Note you can also allow sudo -i which gives you an interactive shell just
like su - would, but you can control sudo configuration centrally.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
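The IPA-side configuration that implements Simo's advice (no password on the service account; named real users get a restricted, centrally managed sudo rule to act as it) is not spelled out in the thread, so here is an added example, not from any poster or from the FreeIPA project. The rule name "oracle_admins", the group "dba", the host "db1.example.com" and the assumption that the service user's login shell is /bin/bash are all hypothetical; allowing that shell as the runas user is what lets "sudo -u oracle -i" work, since -i runs the target user's login shell. IPA_CMD can be set to "echo" to dry-run the command sequence without an IPA server.

```shell
#!/bin/sh
# Added example: build an IPA sudo rule that lets members of a real-user
# group run a fixed command as a service user, on named hosts only.
# Names used here (rule, group, host, shell path) are hypothetical.
# Override IPA_CMD (e.g. IPA_CMD=echo) to print the commands instead of
# talking to an IPA server.
IPA_CMD="${IPA_CMD:-ipa}"

# grant_runas_command RULE GROUP RUNAS_USER HOST COMMAND
# Creates RULE (if missing), scopes it to GROUP and HOST, allows COMMAND,
# and restricts the target identity to RUNAS_USER.
grant_runas_command() {
    rule="$1"; group="$2"; runas="$3"; host="$4"; cmd="$5"

    # The command must exist as a sudocmd object before a rule can reference it.
    "$IPA_CMD" sudocmd-show "$cmd" >/dev/null 2>&1 || \
        "$IPA_CMD" sudocmd-add "$cmd" || return 1

    # Create the rule only if it does not already exist.
    "$IPA_CMD" sudorule-show "$rule" >/dev/null 2>&1 || \
        "$IPA_CMD" sudorule-add "$rule" || return 1

    # Who may use the rule: a group of real, individually accountable users.
    "$IPA_CMD" sudorule-add-user "$rule" --groups="$group" || return 1

    # Where the rule applies: explicit hosts rather than --hostcat=all.
    "$IPA_CMD" sudorule-add-host "$rule" --hosts="$host" || return 1

    # What may be run, and as whom: the service account, never root by default.
    "$IPA_CMD" sudorule-add-allow-command "$rule" --sudocmds="$cmd" || return 1
    "$IPA_CMD" sudorule-add-runasuser "$rule" --users="$runas" || return 1
}

# Example: let the dba group open an interactive shell as oracle on db1
# (sudo -u oracle -i), assuming oracle's login shell is /bin/bash.
grant_oracle_shell() {
    grant_runas_command oracle_admins dba oracle db1.example.com /bin/bash
}

# On an enrolled client, a member of dba can confirm the grant with:
#   sudo -l
# which lists the permitted command together with the (oracle) runas user.
```

Because the rule carries an explicit runas user and host, a member of dba cannot turn the same grant into "sudo -i" as root or reuse it on other machines; every invocation is logged under the real user's name by sudo on the client, which is the auditing benefit Simo describes.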
