[Mageia-sysadm] Usernames, uids, and groups

Tue Nov 9 14:14:41 CET 2010

On Monday, 8 November 2010 17:29:24 nicolas vigier wrote:
> Hello,

Why a new thread?

> On some machines like the svn server, we need to use pam_ldap to allow
> users access with their ldap accounts. But on others servers like
> alamut (web services), or the build nodes, normal users have no reason
> to login.

But, sysadm members have a reason, and I see no reason to increase their 
overhead with local accounts.

> On those servers, do you think we should restrict access with
> ssh configuration and a group, or disable pam_ldap completly on those
> servers and only use local accounts ?

I was planning for pam_ldap's pam_groupdn option. E.g. a 'sysadm' group.

> We also need to decide what UID ranges we use for local accounts, and for
> ldap accounts.
> 
> And groups. I think we could use the following groups :
>  * posix : promotes the user as posixAccount+sshPublicKey (in ldap), and
>    allows access to the svn and git using svn+ssh:// and git+ssh://

I think it would be better to try and provide VCS commit access without shell 
access. This is easy enough for subversion with mod_dav_svn.

>  * packager : allows commits in packages repository, package submit using
>    mdvsys,

How are we submitting to mdvsys? Command-line? API?

>    additional permissions on bugzilla,

What permissions do packagers need that non-packager committer don't?

>    access to the packages
>    maintainers database, etc ...

>  * web : for members of web team, allows commits in web repository
>  * documentation, translator, qa, marketing, etc ... :
>  * packagerapprentice, webapprentice, etc ... : for apprentices, with
>    more restricted access

This is svn commit but no mdvsys access?

>  * sysadm : gives admin permissions on all applications

There is 'Account Admin' "system" group in LDAP, which allows any modification 
to any users. But, should system administration necessarily mean all access in 
all applications?

Regards,
Buchan