Re: Static UIDs and GIDs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/12/2013 11:35 AM, Toshio Kuratomi wrote:
> On Fri, Apr 12, 2013 at 09:35:27AM -0400, Tom Lane wrote:
>> Stephen Gallagher <sgallagh@xxxxxxxxxx> writes:
>>> On 04/11/2013 03:30 PM, "J??hann B. Gu??mundsson" wrote:
>>>> Based on experience storing system related uid's and gid's in
>>>> ldap is a bad idea ( what happens if you cant reach your ldap
>>>> )
>> 
>>> That was true once upon a time, but I'd like to mention that in
>>> the era of SSSD for user-ID lookups, there are a great many
>>> deployments out there using LDAP for such IDs quite
>>> successfully.
>> 
>> Is this new technology since, um, January?  Because I was told
>> as recently as January that you can't rely on systemd knowing
>> about UIDs that are defined in LDAP: 
>> https://bugzilla.redhat.com/show_bug.cgi?id=894750#c4
>> 
>> The context there was that any service with tmpfiles.d entries
>> had better have uid/gid that are known at poweron.  Reliably, not
>> just most of the time.  I'm uninterested in somebody telling me
>> they'll cache the values, because *I* get the bug report when it
>> doesn't work.
>> 
> I've made a note in the ticket to look at wording around LDAP when
> I start changing the draft.  I do note that lennart mentioned SSSD
> as a way to make LDAP suitable though:
> 
> """ There are solutions for that (i think sssd can cache that for
> you), but as system users are generally managed by postinst
> scripts, and hence are more under the ownership of the OS than the
> admin I'd not bother. """
> 
> So I'm not certain I should vastly discourage the use of LDAP for
> system accounts.  If LDAP + SSSD does work reliably then packages
> should probably support that use case even if they don't cater
> specifically to it (and a preallocation-based policy would allow
> that).
> 

SSSD *should* be able to handle this. It may partially depend on where
in the boot order SSSD resides, but I think we have the unit files on
modern systems starting SSSD very early in the process. If not, that's
a bug that we can resolve.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlFoYpUACgkQeiVVYja6o6NuRwCgpfnPp0FWATNkfTgZmqBuJF/G
WR8An0yIAQ2w+/KxPW7gaH5tO8gasTJr
=F/B/
-----END PGP SIGNATURE-----
--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/packaging





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite Forum]     [KDE Users]

  Powered by Linux