[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: fresh blood gets congested: long way to become DD

On Wed, Aug 03, 2005 at 12:56:36PM +0200, Tomas Fasth wrote:
> Steve Langasek skrev:
> > On Tue, Aug 02, 2005 at 03:01:39PM +0200, Tomas Fasth wrote:
> >> Andreas Barth skrev:
> >>> * Thijs Kinkhorst (kink@squirrelmail.org) [050802 13:41]:
> >>>> And even then, appearently the DAM works like this: I
> >>>> approve person X, let's check his box, but I'll add the
> >>>> account at some point later on (this takes weeks on
> >>>> average). When you check the box you might add the account 
> >>>> aswell when you're at it, right?
> >>> Just that the person who checks the reports is not root in
> >>> Debian's ldap system.
> >> There is delegation and group access available in OpenLDAP. So,
> >> one would not need to have write access to the whole directory
> >> tree, only to the necessary branches.
> > I'm amused that you think there's anything in Debian's LDAP
> > directory *besides the user accounts themselves that you're
> > proposing to give people access to* that would warrant this level
> > of granular access control.

> I'm equally amused that you think there isn't.

> tomfa@gluck:~$ ldapsearch -x objectclass=* | grep dn: | cut -d ' '
> - -f 2- | sort | uniq -t = -W 1
> cn=LDAP Administrator,ou=users,dc=debian,dc=org
> dc=debian,dc=org
> gid=Debian,ou=users,dc=debian,dc=org
> host=auric,ou=hosts,dc=debian,dc=org
> ou=hosts,dc=debian,dc=org
> uid=93sam,ou=users,dc=debian,dc=org

And which of these are you claiming it's worthwhile to protect from someone
who has write access to the user DNs?

I know quite well what data is stored in the LDAP directory, and I can't
think of anything else that holds a candle to the amount of damage that
person could do by editing the attributes on user DNs.

> Thijs suggested to allow the DAM to create the account directly
> instead of just passing the stick on to yet another person causing
> yet more delays. You were implying that it can't be done without
> root access

I did not.  Kindly re-read your own quote markers above.

> which I interpreted as giving write access to the whole
> database.

More likely, the implication is that giving someone the necessary write
access to LDAP is *equivalent* to giving them root access on the Debian

> And if you feel uncomfortable to give DAM write access to
> ou=users,dc=debian,dc=org directly, then let DAM create new accounts
> in a sandbox node from where entries can be moved to the right
> place by a cron script that can be programmed to make sure no
> existing accounts is tampered with.

You'd need more sanity checking than just preventing tampering with existing
accounts.  In any case, I hardly think it would be worth the effort.

Steve Langasek
postmodern programmer

Attachment: signature.asc
Description: Digital signature

Reply to: