Jason White wrote:
> Is there a good reason not simply to spawn useradd/groupadd and let
> them allocate the ids?
I think you missed the part where he said it's LDAP.
useradd only knows about the flat files backend.
A great annoyance of LDAP/krb is the lack of solid, portable
management solutions. There's e.g. a webmin module, but yecch. So,
you solve it... with Yet Another site-specific LDAP management UI.
> If you're concerned that someone might run useradd/groupadd at the
> same time as your tool is operating, I don't see how this could be
> prevented easily other than opening and locking /etc/passwd or
> /etc/group.
You could dpkg-divert --rename /usr/sbin/useradd, and replace it with
a little script that prints "YOU IDIOT! You're supposed to add
accounts to LDAP!"
Of course, that'll break package installs that try to create system
groups, so then you extend your wrapper to parse useradd arguments and
look for --system, and if it's there pass "$@" to useradd.distrib.
That way lies madness...
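The diverted-useradd wrapper sketched above, written out as an added example (not code from the thread); it assumes the real binary sits at /usr/sbin/useradd.distrib, dpkg-divert's default rename target, and that "system account" means --system or -r was requested:

```shell
#!/bin/sh
# Hypothetical policy wrapper installed over /usr/sbin/useradd after
#     dpkg-divert --rename --add /usr/sbin/useradd
# which moves the real binary to /usr/sbin/useradd.distrib (dpkg-divert's
# default ".distrib" target).  Human accounts must be created in LDAP;
# only system accounts (package maintainer scripts use --system / -r)
# fall through to the real useradd.

REAL_USERADD=${REAL_USERADD:-/usr/sbin/useradd.distrib}

# Return 0 if the argument list asks for a system account, 1 otherwise.
# Handles --system, -r and clustered short options such as -rm.
# Caveat (the "madness" the post warns about): option values are not
# skipped, so a value that itself looks like -r would be misread.
is_system_account() {
    for arg in "$@"; do
        case "$arg" in
            --)             break ;;      # end of options
            --system)       return 0 ;;
            -r*|-[!-]*r*)   return 0 ;;   # -r, -rm, -mr, ...
        esac
    done
    return 1
}

main() {
    if is_system_account "$@"; then
        exec "$REAL_USERADD" "$@"
    fi
    echo "useradd: local accounts are disabled on this host; add the account to LDAP instead" >&2
    exit 1
}

# Only enforce when actually invoked as useradd (i.e. via the diversion).
if [ "$(basename -- "$0")" = useradd ]; then
    main "$@"
fi
```

groupadd can be diverted the same way with a copy that checks for --system/-r and execs groupadd.distrib.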