On Wed, Aug 03, 2005 at 04:12:40AM -0700, Steve Langasek wrote:
> More likely, the implication is that giving someone the necessary write
> access to LDAP is *equivalent* to giving them root access on the Debian
> servers.

No, only if the person is allowed to write the uidNumber entry.

> You'd need more sanity checking than just preventing tampering with existing
> accounts. In any case, I hardly think it would be worth the effort.

I have such a setup running. There are some people who are allowed to
add items to the tree which are converted to real user objects by a
script. They are not allowed to set uids/gids and generate groups.

Bastian

-- 
Pain is a thing of the mind. The mind can be controlled.
		-- Spock, "Operation -- Annihilate!" stardate 3287.2
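A sketch of the conversion step described in the message above, added here as an illustration and not taken from the post or from any Debian tooling: a script turns request entries written by delegated users into real accounts, refuses any request that tries to set uid/gid attributes itself, and applies the extra sanity checks the quoted text asks for. The function name, the UID range, the per-user group and the sample entries are assumptions.

```python
import re

# Attributes only the provisioning script may set (compared lowercase,
# because LDAP attribute names are case-insensitive).
PRIVILEGED = {"uidnumber", "gidnumber", "homedirectory", "loginshell", "objectclass"}
UID_RANGE = range(10000, 20000)          # assumed range for provisioned accounts
NAME_RE = re.compile(r"[a-z][a-z0-9-]{1,31}")

# Constructed sample of accounts already in the directory.
EXISTING = [{"uid": "root", "uidNumber": 0}, {"uid": "alice", "uidNumber": 10000}]


class Rejected(Exception):
    """The request entry must not be turned into an account."""


def provision(request, existing):
    """Build a posixAccount entry from a request written by a delegated user."""
    attrs = {k.lower(): v for k, v in request.items()}
    supplied = PRIVILEGED.intersection(attrs)
    if supplied:
        raise Rejected(f"requester set privileged attributes: {sorted(supplied)}")
    uid = attrs.get("uid", "")
    if not NAME_RE.fullmatch(uid):
        raise Rejected(f"invalid login name: {uid!r}")
    if any(acct["uid"] == uid for acct in existing):
        raise Rejected(f"login name already exists: {uid}")
    used = {acct["uidNumber"] for acct in existing}
    number = next((n for n in UID_RANGE if n not in used), None)
    if number is None:
        raise Rejected("no free uidNumber left in the provisioning range")
    return {
        "objectClass": ["account", "posixAccount"],
        "uid": uid,
        "cn": attrs.get("cn", uid),
        "uidNumber": number,      # chosen here, never taken from the request
        "gidNumber": number,      # assumed per-user group with the same number
        "homeDirectory": f"/home/{uid}",
        "loginShell": "/bin/bash",
    }


if __name__ == "__main__":
    print(provision({"uid": "bob", "cn": "Bob Example"}, EXISTING))
```

The script is only a second line of defence: the directory's own access controls still have to keep delegated users from writing to the subtree that holds the real accounts.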