$Cambridge: hermes/doc/cyrus_mailstore/useradmin/changes,v 1.4 2004/07/28 16:49:57 dpc22 Exp $

Things that we want to add. (See Prerequisites below)
=====================================================

Switch to using SSH for Jackdaw interactions

DONE Split useradmin script into two halves:
       NIS updates and directory creation belong on canvas
         (connecting to cyrus-N and hermes-v to create quotas, directories
         and NIS maps).
       Finger database updates belong on hermes-N.
         Might be initiated from the main useradmin job above, but all the
         data lives on hermes-N
     NO: do everything in single script, push tables out to Hermes-N + PPSW
         when we are done.

Password tokens
  Canvas should fetch a password token and return when passwords committed
  to shadow file.
  Needed because at the moment nothing is returned to Jackdaw if an account
  is cancelled and later restored. (See below though).

DONE Home directory creation: Indirect through hermes-v

DONE Automatically balance users across servers when adding

DONE Account creation in the Cyrus world [mkuser]

Distribution of the cyrus.cdb file mapping users to Cyrus servers
  Useradmin job should only ever add to this list:
    Data migration and replication failover can manipulate the map.
  Additions should be idempotent: rewrite to .NEW and rename
  Automatically balance users across servers when adding

Need cache of Cyrus quotas on Canvas so that we can compare and make sure
all okay.
  At the moment, Cyrus master, replica, backup are only copies.
  (Though if we lose all three unusual quotas are the least of our concern).

Directory flag should live in master

Things that have been mentioned in the past
===========================================

Create fresh passwords for accounts which have been cancelled for given
number of weeks/months.
  Can we use existing password return mechanism for accounts which have
  been cancelled?
  Would appear to conflict with password token scheme.
  Ask Charles for advice.
  Charles says don't bother!

Store more on Jackdaw so that Pat can do bulk updates.
  Things we might want:
    Cyrus and home quotas.
    Location of home directories and cyrus backend.
    Passwords
  Quotas were the thing that Pat specifically asked for.
    Disadvantage would be long delay for Cyrus quota updates compared to
    current immediate change.
  Really don't want to store passwords, home dir/cyrus location on Jackdaw,
  which means that we need some authoritative state on Canvas.
  Check with Pat.

Prerequisites
=============

[mkuser]
DONE Small cyrus program that creates an account and causes it to be
     replicated.
       Could do this using IMAP session, but would require admin password.
       Could do this using replication engine, but error handling harder.
     Use:
       ssh -anx cyrus@cyrus-N-intramail mkuser [list]
     Is existing account an error?
       Probably not if we want uadmin scripts to be idempotent.
       Probably so for manual runs. Command line switch?

[accounts]
DONE Useradmin staff need accounts on Canvas, SSH access from
     131.111.10.0/23
     provides: [msshell]

[msshell]
DONE Cut down MSshell (Perl only).
       Change own canvas password + [reset]

[reset]
DONE Admin staff need ability to change [passwords] and [quotas]

[passwords]
DONE Need to port existing Hermes password program.
       Adapt from passwd.adjunct to shadow format (fewer ':'s needed)
       Switch to MD5 passwords
     [accountd]

[quotas]
DONE Update quotas.master (group reset write access)
     Update Cyrus mailstore directly using setuid programs.
       - possibility: migrate both types of quota to Jackdaw.
       - immediate updates of Cyrus quotas are a benefit.

[accountd]
DONE Prayer accountd needs to run on this system, provide password and
     GeCOS updates.
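
Added example (not part of the original notes or of the Hermes scripts): one
way to do the add-only, idempotent map update noted under "Distribution of the
cyrus.cdb file", by rewriting to .NEW and renaming. It assumes the map source
is a plain text file of "user server" lines; the function name add_user and the
sample server names are hypothetical.

```shell
#!/bin/sh
# Added example: add-only, idempotent update of a user -> server map.
# Assumption: the map source is a text file with one "user server" pair per
# line; building the .cdb from it is out of scope here.

# add_user MAP USER SERVER
#   0  mapping added, or already present with the same server (safe to re-run)
#   1  user already mapped to a different server; left untouched, because
#      only migration/failover tooling is meant to move existing entries
#   2  could not write the replacement file
add_user() {
    map=$1 user=$2 server=$3
    new="$map.NEW"

    # Start from an empty map on first use.
    [ -f "$map" ] || : > "$map"

    # Look for an exact match on the user field and fetch its server.
    current=$(awk -v u="$user" '$1 == u { print $2; exit }' "$map")
    if [ -n "$current" ]; then
        [ "$current" = "$server" ] && return 0
        echo "add_user: $user already on $current, not changed" >&2
        return 1
    fi

    # Write the complete replacement next to the live file. Same directory
    # means same filesystem, so the rename is atomic: a reader sees either
    # the old map or the new one, never a partial file.
    { cat "$map"; printf '%s %s\n' "$user" "$server"; } > "$new" || return 2
    mv -f "$new" "$map"
}
```

The function assumes a single writer, as with one useradmin job; concurrent
writers would need a lock around the whole read-modify-rename sequence.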