Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: -pekr- on November 23, 2011, 06:31:30 pm

Title: Admin username selection?
Post by: -pekr- on November 23, 2011, 06:31:30 pm
Hi, I am kind of confused about how Zentyal (Ubuntu) approaches its administration.

1) I chose my nick to be an admin, thinking I can use such an account regularly. But I can't - the user can't be seen in the user list. Why? Just to not accidentally delete it or because of security measures?

2) OK, I thought to myself - such a user is not a normal user, so no other settings, like adding it to a certain group or providing the account with email, fileshare, etc., are welcome. So next time I tried to install Zentyal over the ESXi, I decided to go with the "admin" name, as we use such an account on many MikroTik routers. What a bummer - the name is taken - the installer did not allow me to choose "admin" for the account name. Why the heck is Zentyal internally taking such a good name to have an admin account? I don't want to come up with any artificial name for an admin, just to be an admin.

3) Taken from docs: "Any user you later add to the admin group can access the Zentyal interface and has sudo privileges in the system." - what admin group? There's not any predefined one in the dashboard part. If I am supposed to add "admin" group myself, now this is pretty artificial, and should be noted in docs as well imo ...

-pekr-
Title: Re: Admin username selection?
Post by: J. A. Calvo on November 23, 2011, 06:50:33 pm
1) The user does not appear in the list because it is a local system user, and that list is only for the LDAP users (used to authenticate in the different Zentyal services).

2) Zentyal does not forbid the admin name; I suppose it is a restriction of the Ubuntu installer. If you don't want an artificial name, try with administrator ;) but as the system can have more than one admin account, it is probably a better idea to just use your name, for example "john" or "jsmith".

3) You don't have to add the admin group, it already exists by default on all the Ubuntu installations. The user you create during the installation already belongs to the admin group, so you don't need to do anything extra. If you want to add any other, you just need to do: sudo -s; adduser newusername ; adduser newusername admin
Title: Re: Admin username selection?
Post by: christian on November 24, 2011, 07:34:47 am
What is confusing for most new Zentyal users is that local accounts and groups, used at system level to, e.g., run an application or process, differ from Zentyal accounts and groups, stored in (Zentyal) LDAP and used to access services Zentyal is offering.
Title: Re: Admin username selection?
Post by: -pekr- on November 24, 2011, 08:21:43 am
I work with many systems, and as far as design goes, I very often can see, that architects are not able to protect user from hiding system complexities. I tend to be vocal and harsh sometimes, but what I am used for is a consistency review or quick testing, finding misconceptions in seconds or minutes. Now - I am not fully fluent with Linux, so I might be wrong in some opinions and sorry for that, but if I am eventually right about some inconsistencies, those should be imo cured, as it helps to provide smoother user experience, and such a factor should not be depreciated ...

So it is a "feature" of Ubuntu to not allow local "admin" username, you said. This is what I regard being an artificial limitation user should NOT be dragged into. The limitation should be either removed by Zentyal, or noted in the documentation. Docs state: "Later, the administrator name is requested.". It is pretty obvious, one will try with "admin", as a shortcut to longer form "administrator". Sentence like "Note: you can't use "admin" name, as it is taken by Ubuntu installer. Use a longer form "administrator", or any other name" ... voila, done.

Quote
"You don't have to add the admin group, it already exists by default on all the Ubuntu installations."

Well, now it is another confusion. I can easily add "admin" group in the Zentyal portal. This group surely is different from the local admin group. I don't see a reason, why should I go to console to do any set-up work manually - should be definitely part of the portal, e.g. in System/Main section, so that I can add LDAP defined user to local admin group. Or even better - just add one column (parameter) to user/group section - (LDAP | Local), but definitely list added users and related existing groups in the portal - no hidden entities as far as administration of the system goes?

Another confusion - you say, that those user lists differ (LDAP vs local), but when I try to add "administrator" user in the LDAP, it screams that such a user name already exists (chosen during installation), whereas when I try to add "admin" group, it can be added to LDAP with no problem, although you state, that "admin" group already exists. This is inconsistent at best imo ;-)
Title: Re: Admin username selection?
Post by: Javier Amor Garcia on November 25, 2011, 01:02:53 pm
Hello -pekr-,

thanks a lot for your comments. As you see, this confusion stems from the fact that we have the 'local' users and the LDAP stored users (if we have user modules enabled).

Maybe the solution would be to show both types of users in the user screen? But in this case another problem arises: you cannot do the same operations with 'local' users as with LDAP users (and some local users you would not be allowed to modify at all). This will also be confusing, but will it be less or more so than the actual situation? Will the work to arrange a solution along these lines be worth it or not?


Quote
but when I try to add "administrator" user in the LDAP, it screams that such a user name already exists (chosen during installation), whereas when I try to add "admin" group, it can be added to LDAP with no problem, although you state, that "admin" group already exists

I have to look into this but probably it is a bug.

Regards,
Javier
Title: Re: Admin username selection?
Post by: -pekr- on November 26, 2011, 11:03:17 am
Quote
Hello -pekr-,

thanks a lot for your comments. As you see, this confusion stems from the fact that we have the 'local' users and the LDAP stored users (if we have user modules enabled).

Maybe the solution would be to show both types of users in the user screen? But in this case another problem arises: you cannot do the same operations with 'local' users as with LDAP users (and some local users you would not be allowed to modify at all). This will also be confusing, but will it be less or more so than the actual situation? Will the work to arrange a solution along these lines be worth it or not?

Hmm, difficult to say, as I am not able to foresee all the consequences. The main reason why I objected, was because of my lack of understanding from docs. So first time I did install the system, I entered "pekr" user as an admin. But then, of course, I wanted to have emails, aliases configured. So I tried to add it in LDAP, but system did not allow me to. So my opinion in general is:

1) Improve eventually docs. One or two sentences, stating you are entering local administrator account, which you will not be able to modify/configure easily later.

2) Allow the same name to exist, as an LDAP user. But here, I am not sure it is possible, and I am not sure it would not be confusing. Because having two "pekr" users in the system, one being local admin, the second one being regular user, is probably not a good approach. E.g. what about emails going to local admin - would those two names share the same one? Or is LDAP user still a regular system user, so we can't have two users of the same name, one being local, one in LDAP?

3) You have System/main section, which serves for some general settings purposes. You could add new section here - local admin, allowing to enter new users here, being local admins, plus their respective configuration, which is different from LDAP needs

4) The most complex - during the user set-up, choose if the user is in LDAP or local. Then in user list, one column would differentiate it by "local" | "LDAP" text. But this solution might turn being complex, and maybe 3) is easier solution ...

Best regards,
Petr
Title: Re: Admin username selection?
Post by: Javier Amor Garcia on November 28, 2011, 08:59:53 am
Well, that this should be better documented is really self-evident. As for the other suggestions:


Quote
2) Allow the same name to exist, as an LDAP user

This will cause a lot of trouble and maintenance pains. In fact previously it was allowed and we forbade it to avoid those problems.

Quote
You could add new section here - local admin, allowing to enter new users here, being local admins, plus their respective configuration, which is different from LDAP needs

Any 'local' user which belongs to the admin group could be used as administrator. So this will be like the user screen but with less options. I am not sure about this.

Quote
The most complex - during the user set-up, choose if the user is in LDAP or local. Then in user list, one column would differentiate it by "local" | "LDAP" text. But this solution might turn being complex, and maybe

This is not a good idea because you force the use of LDAP, which is not needed in all Zentyal setups, and the LDAP is more fragile than 'local' users so it is better to have the admin as a 'local' user.

Another thing: what we are calling 'local' users here are the users whose data resides in files under /etc. Actually, except in slave systems, the LDAP is running locally so are users would be 'local'.
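
The split discussed in this thread, between accounts kept in files under /etc and accounts kept in LDAP, can be audited offline. The following is an added example, not part of any post and not Zentyal code: it lists the local members of the admin group and flags local names that also appear in an LDAP uid list. The sample files, the GID 115, the `opsacct` and `mary` accounts and the `ldap_uids` export file are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Zentyal code). Inputs use the passwd(5)/group(5) layouts.

# List local users in group $1, given passwd file $2 and group file $3.
# Counts supplementary members (4th field of the group line) and users
# whose primary GID equals the group's GID.
local_group_members() {
    awk -F: -v grp="$1" '
        FILENAME == ARGV[1] {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' "$3" "$2" | sort
}

# List names that exist both as local accounts (passwd file $1) and in a
# newline-separated export of LDAP uids (file $2, an assumed input).
name_collisions() {
    cut -d: -f1 "$1" | grep -Fxf "$2" | sort -u
}

# Constructed sample data, so the script runs without touching /etc or LDAP.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
administrator:x:1000:1000:Administrator:/home/administrator:/bin/bash
jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash
opsacct:x:1002:115:Ops account:/home/opsacct:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
admin:x:115:administrator,jsmith
users:x:100:
EOF
printf '%s\n' pekr administrator mary > "$SAMPLE_DIR/ldap_uids"

echo "Local members of admin (sudo and Zentyal interface access):"
local_group_members admin "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
echo "Names present both locally and in LDAP:"
name_collisions "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/ldap_uids"
```

On a live server the first two inputs would be /etc/passwd and /etc/group; the `opsacct` row shows why the primary GID has to be checked as well as the member list.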

Title: Re: Admin username selection?
Post by: peetsmail on December 10, 2011, 03:16:33 pm
hmmm, this is indeed a bit of a hassle.

I now have 2 logins. . . 1 for administration, and 1 for LDAP access.
The good thing about it was that I discovered that 'root' is by default enabled. Wonder why?