- 11:51 < jkt> Honoome: ah, great -- I read your recent post and was wondering what you mean with using different tools for changing different passwords
- 11:52 < Honoome> jkt: passwd → changes unix password; ldappasswd → changes ldap password; kpasswd → changes kerberos password
- 11:52 < jkt> Honoome: I come from RHEL-like background, and most of your boxes have just local accounts in /etc/passwd and real users in LDAP, which means that no records for real people exist in the files at all
- 11:52 < lejonet> igraltist: maybe it operates with regexes so you have to do PAX\:?
- 11:53 < jkt> Honoome: now, there is no problem to unify that in such a way that users only have to remember to use `passwd` for passwords
- 11:53 < Honoome> jkt: there is no way to have it working as intended as I said
- 11:53 < jkt> Honoome: I guess it is your "change only the matching token"
- 11:53 < Honoome> it only works as long as there is _no_ crossover between users in different auth methods
- 11:54 < Honoome> which I wouldn't bet myself on, if you have such a setup you're still free to edit the one file with the definitions and do it as you prefer
- 11:54 < jkt> Honoome: I'm not sure what you intend, but I'm completely sure that our systems are working as I want them, and users do not have to run `ldappasswd` with crazy parameters -- they do not even have to know they are managed in LDAP
- 11:54 < jkt> Honoome: what you mean by user crossover?
- 11:54 < Honoome> jkt: if one user is in both ldap and unix
- 11:55 < Honoome> if there are users that are on both, you can have passwd accept ONE of the two passwords or BOTH of the two passwords; and then change ONE of the two passwords or BOTH of the two passwords
- 11:55 < Honoome> but not "change ldap password only if given the ldap password; change the unix password only if given the unix password"
- 11:55 < jkt> Honoome: well, would anyone sane have users in both places?
- 11:55 < jkt> in my opinion, that's extremely corner case
- 11:55 < Honoome> I do, with kerberos
- 11:56 < Honoome> and the problem is that you have a number of other authentication schemes that don't have split account information, such as smartcards and otp
- 11:56 < jkt> what's the reason for that?
- 11:56 < jkt> indeed
- 11:56 < Honoome> if I have network connection I log in to the kerberos server, if I don't have network connection, I log in locally
- 11:57 < Honoome> really, this is JUST THE DEFAULT and the default ought not to surprise anybody
- 11:57 < Honoome> setting all the tokens at once feels fishy to me
- 11:57 < Honoome> [but setting only one is simply stupid]
- 11:57 < jkt> I can't think of any method besides ldap and kerberos which allows for setting passwords
- 11:57 < Honoome> if you think you can do better, pambase is there and I'm happy to stop caring about pam myself
- 11:57 < jkt> you can't set an OTP password, nor a smartcard one
- 11:58 < Honoome> right, but then you can use an OTP password to change the Unix password if you have a single password setup like we have now
- 11:58 < jkt> see, I do not know what you're going to do, and your blog posts do not provide much detail for me to know what your plans are
- 11:58 < Honoome> …
- 11:58 < Honoome> are you serious?
- 11:58 < jkt> I just know that proposing ldappasswd for changing passwords is crazy, and everyone else does it differently
- 11:59 < Honoome> okay now before I start using bad words let me note a few things
- 11:59 < Honoome> - I post things on the blog for comments; comments is open yet you look up for me on IRC → waste my time
- 11:59 < Honoome> - I have pushed all the code on a git repository you can look at it just as you wish
- 11:59 < jkt> yes, I've read all of them, and I didn't get the idea what you're going to use the M4 for -- is it going to be a build time thing, or do you expect the admin to specify their preferences in M4?
- 12:00 < Honoome> - right now we have NO integration so from no integration to integration that doesn't suit YOUR needs, I don't see how that can be "crazy"
- 12:00 < Honoome> - I'm TIRED OF THIS BLOODY PAM and yet I'm still managing it, should I just leave all users without a PAM maintainer _again_?
- 12:00 < Honoome> THE CODE IS ON THE REPOSITORY, just clone the repo and do what the heck you want
- 12:01 < jkt> Diego, if you feel like answering my questions on IRC is wasting your time, please go ahead and do whatever you want to do, it's indeed pointless to continue discussing in such case
- 12:01 < Honoome> I have open comments on my blog and I ask for comments there FOR A REASON
- 12:01 -!- SIGBUS [~SIGBUS@forkbomb.nl] has quit [Ping timeout: 255 seconds]
- 12:01 -!- sera [~sera@189-255.62-81.cust.bluewin.ch] has quit [Ping timeout: 245 seconds]
- 12:01 < Honoome> beside, you're not "asking questions", you've basically started with a "you're doing it wrong"
- 12:02 < lejonet> One useful thing of putting this discussion on his blog is that others can comment it and it is searchable too
- 12:02 < Honoome> and yes, it pisses me off if instead of sending an email or leaving a comment, people use a low-latency contact like irc to tell me that I'm doing something wrong when I'm the only one trying to sort it the deuce out
- 12:02 < jkt> ad ldappasswd -- `passwd` doesn't take any, while `ldappasswd` expects you to specify the base DN of the LDAP tree, the DN to bind with and a DN of the user
- 12:03 < jkt> lejonet: point taken
- 12:03 < jkt> Honoome: I'm sorry if I expressed my technical concern in a way which offends you. I'll move this discussion to your blog and will do my best not to harm your feelings next time.
- 12:03 < jkt> Honoome: Thanks for your time.
- 12:04 < lejonet> I personally must say that the way Honoome wants to do with pam seems sane, it also increases the likelihood that people know which password they are changing
- 12:04 < lejonet> if you just have one program to rule them all you might accidentally change a password you did not intend to change
- 12:04 < Honoome> [and no, no admin needs to deal with m4, if they want passwd to change ldap password, they just set up /etc/pam.d/system-password as they prefer, and then it'll all work nicely… it's just that _the default_ can't be something "surprising"]
- 12:05 < jkt> Honoome: which ML should I use for discussions?
- 12:05 < Honoome> jkt: there is no ML and I much prefer not using -dev, which is why it's mostly on my blog… otherwise you can mail pam-bugs alias
- 12:06 < jkt> so, for the sake of "archival", let's stick to blog comments, then.