
Re: fresh blood gets congested: long way to become DD



On Wed, Aug 03, 2005 at 12:56:36PM +0200, Tomas Fasth wrote:
> Steve Langasek skrev:
> > On Tue, Aug 02, 2005 at 03:01:39PM +0200, Tomas Fasth wrote:
> >> Andreas Barth skrev:
> >>> * Thijs Kinkhorst (kink@squirrelmail.org) [050802 13:41]:
> >>>> And even then, apparently the DAM works like this: I
> >>>> approve person X, let's check his box, but I'll add the
> >>>> account at some point later on (this takes weeks on
> >>>> average). When you check the box you might add the account
> >>>> as well when you're at it, right?
> >>> Just that the person who checks the reports is not root in
> >>> Debian's ldap system.
> >> There is delegation and group access available in OpenLDAP. So,
> >> one would not need to have write access to the whole directory
> >> tree, only to the necessary branches.
> > I'm amused that you think there's anything in Debian's LDAP
> > directory *besides the user accounts themselves that you're
> > proposing to give people access to* that would warrant this level
> > of granular access control.

> I'm equally amused that you think there isn't.

> tomfa@gluck:~$ ldapsearch -x objectclass=* | grep dn: | cut -d ' ' -f 2- | sort | uniq -t = -W 1
> cn=LDAP Administrator,ou=users,dc=debian,dc=org
> dc=debian,dc=org
> gid=Debian,ou=users,dc=debian,dc=org
> host=auric,ou=hosts,dc=debian,dc=org
> ou=hosts,dc=debian,dc=org
> uid=93sam,ou=users,dc=debian,dc=org

And which of these are you claiming it's worthwhile to protect from someone
who has write access to the user DNs?

I know quite well what data is stored in the LDAP directory, and I can't
think of anything else that holds a candle to the amount of damage that
person could do by editing the attributes on user DNs.

> Thijs suggested to allow the DAM to create the account directly
> instead of just passing the stick on to yet another person causing
> yet more delays. You were implying that it can't be done without
> root access

I did not.  Kindly re-read your own quote markers above.

> which I interpreted as giving write access to the whole
> database.

More likely, the implication is that giving someone the necessary write
access to LDAP is *equivalent* to giving them root access on the Debian
servers.

> And if you feel uncomfortable to give DAM write access to
> ou=users,dc=debian,dc=org directly, then let DAM create new accounts
> in a sandbox node from where entries can be moved to the right
> place by a cron script that can be programmed to make sure no
> existing accounts are tampered with.

You'd need more sanity checking than just preventing tampering with existing
accounts.  In any case, I hardly think it would be worth the effort.

-- 
Steve Langasek
postmodern programmer
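An added example, not code from this thread and not Debian's own account tooling, of the extra sanity checking the reply above says a "move from sandbox to ou=users" cron job would need beyond "don't touch existing accounts". It vets each entry in an assumed sandbox node before computing its new DN under ou=users: the RDN must match the uid, the uid and uidNumber must not collide with an account already in the users branch, the gidNumber must not be a privileged group, and no attribute outside an allowlist may be smuggled in. The sandbox DN, the attribute allowlist, the uidNumber range, the shell list and all sample entries are constructed assumptions; only ou=users,dc=debian,dc=org and the uid 93sam come from the thread.

```python
import re

# Assumed DNs: ou=users is the real users branch from the thread; the
# sandbox node name is a placeholder for wherever the DAM would create entries.
SANDBOX_BASE = "ou=sandbox,dc=debian,dc=org"
USERS_BASE = "ou=users,dc=debian,dc=org"

UID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,31}$")   # assumed username policy
UID_NUMBER_RANGE = (2000, 59999)                     # assumed range for new accounts
PRIVILEGED_GIDS = {0}                                # never land a new account in root's group
ALLOWED_ATTRS = {"objectClass", "uid", "cn", "sn", "uidNumber",
                 "gidNumber", "homeDirectory", "loginShell", "userPassword"}
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/zsh"}


def check_entry(dn, attrs, existing):
    """Return the list of reasons a sandbox entry must NOT be promoted (empty = OK).
    `attrs` maps attribute name -> list of values, as ldapsearch output would be parsed;
    `existing` maps DN -> attrs for entries already under ou=users."""
    problems = []
    rdn, _, parent = dn.partition(",")          # simplification: no escaped commas in DNs
    if parent != SANDBOX_BASE:
        problems.append("entry is not a direct child of the sandbox node")
    uid = (attrs.get("uid") or [""])[0]
    if rdn != f"uid={uid}":
        problems.append("RDN does not match the uid attribute")
    if not UID_RE.match(uid):
        problems.append("uid does not match the allowed username pattern")
    taken_uids = {e["uid"][0] for e in existing.values() if e.get("uid")}
    if uid in taken_uids:
        problems.append("uid collides with an existing account")
    try:
        uidnum = int(attrs["uidNumber"][0])
    except (KeyError, IndexError, ValueError):
        uidnum = None
        problems.append("uidNumber missing or not an integer")
    if uidnum is not None:
        lo, hi = UID_NUMBER_RANGE
        if not lo <= uidnum <= hi:
            problems.append(f"uidNumber {uidnum} outside {lo}-{hi}")
        taken_nums = {int(e["uidNumber"][0]) for e in existing.values() if e.get("uidNumber")}
        if uidnum in taken_nums:
            problems.append(f"uidNumber {uidnum} already in use")
    try:
        gid = int(attrs["gidNumber"][0])
        if gid in PRIVILEGED_GIDS:
            problems.append(f"gidNumber {gid} is a privileged group")
    except (KeyError, IndexError, ValueError):
        problems.append("gidNumber missing or not an integer")
    extra = set(attrs) - ALLOWED_ATTRS
    if extra:
        problems.append("unexpected attributes: " + ", ".join(sorted(extra)))
    if (attrs.get("homeDirectory") or [""])[0] != f"/home/{uid}":
        problems.append("homeDirectory is not /home/<uid>")
    if (attrs.get("loginShell") or [""])[0] not in ALLOWED_SHELLS:
        problems.append("loginShell not in the allowed set")
    return problems


def promote(sandbox, existing):
    """Split sandbox entries into {old_dn: new_dn} to move and {old_dn: [reasons]} to
    reject. Accepted entries are added to the working view so two sandbox entries
    cannot both claim the same uid or uidNumber. `existing` itself is not modified."""
    accepted, rejected = {}, {}
    seen = dict(existing)
    for dn, attrs in sandbox.items():
        problems = check_entry(dn, attrs, seen)
        if problems:
            rejected[dn] = problems
            continue
        new_dn = f"uid={attrs['uid'][0]},{USERS_BASE}"
        accepted[dn] = new_dn
        seen[new_dn] = attrs
    return accepted, rejected


def _acct(uid, uidnum, gid=800, **extra):
    """Build a constructed posixAccount-style entry for the sample data below."""
    attrs = {"objectClass": ["posixAccount"], "uid": [uid], "cn": [uid], "sn": [uid],
             "uidNumber": [str(uidnum)], "gidNumber": [str(gid)],
             "homeDirectory": [f"/home/{uid}"], "loginShell": ["/bin/bash"]}
    attrs.update({k: [v] for k, v in extra.items()})
    return attrs


# Constructed sample data (not real directory contents).
EXISTING = {f"uid=93sam,{USERS_BASE}": _acct("93sam", 2001)}
SANDBOX = {
    f"uid=newdev,{SANDBOX_BASE}": _acct("newdev", 2002),            # clean new account
    f"uid=93sam,{SANDBOX_BASE}": _acct("93sam", 2003),              # would shadow an existing uid
    f"uid=rootish,{SANDBOX_BASE}": _acct("rootish", 2004, gid=0),   # privileged primary group
    f"uid=sneaky,{SANDBOX_BASE}": _acct("sneaky", 2001,             # reuses 93sam's uidNumber and
                                        sshPublicKey="ssh-rsa AAAA..."),  # smuggles an extra attribute
}

if __name__ == "__main__":
    accepted, rejected = promote(SANDBOX, EXISTING)
    for old, new in accepted.items():
        print(f"MOVE   {old} -> {new}")
    for dn, reasons in rejected.items():
        print(f"REJECT {dn}: {'; '.join(reasons)}")
```

The point of the working view in `promote` is that "no existing account is tampered with" is only one of the invariants: a sandbox entry can also reuse an existing uidNumber (which grants the same file ownership as that account), pick a privileged primary group, or carry attributes the DAM was never meant to set, and each of those has to be refused before anything is moved.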
