Re: User Administration
On Tue, Nov 02, 2004 at 07:27:37AM +0100, Runo Forrisdahl wrote:
> ----- Forwarded message from Andreas Schuldei <firstname.lastname@example.org> -----
> Forwarded on request from Andreas.
> | Date: Mon, 1 Nov 2004 13:48:59 +0100
> | From: Andreas Schuldei <email@example.com>
> | Subject: Re: User Administration
> | To: Runo Forrisdahl <firstname.lastname@example.org>
> | On Mon, Nov 01, 2004 at 10:46:11AM +0100, Runo Forrisdahl wrote:
> | > How much work needs to be done to enable anyone in group admins to
> | > create/delete/modify user(s)/group(s) and passwords?
> | well, it is hard to estimate that time and work volume. are you
> | interested in doing it? i would love to hear more from you.
> | there are two ways i see just now.
> | 1) with the present layout based on ldap
> | - you need to extend openldap ACLs to be able to operate both
> | based on posix-group membership *granting* the access and on
> | posix-group membership as a target for access. example:
> | members in the jradmina group (granting) are allowed to change
> | passwords for members in the teachers and students group
> | (target). (? weeks)
> | - then only some minor tweaks in the webmin-ldap-user-simple
> | module are needed. (1-2 days)
> | this option requires some insight into the inner working of
> | openldap. One would guess that it had been done already had
> | it been easy. It should be possible, though.
I guess it should be possible, but I'm not sure.
I think we could take another approach here that would be easier to
First let's see what we want to achieve:
Someone that doesn't have root access be allowed to update the ldap DB.
Problem: By default root account password is the same as the root unix
Solution: Set a new password for the ldap account
Problem: To be allowed to change the info in ldap other than the users
own password (and maybe the users fullname), you have to be
authenticated as root to webmin. By design, webmin root
account is the same account as unix root account and thus uses
the same password
Solution: Create a webmin root account, and stop using pam for
authenticating root to webmin (this used to be the setup). But
this leads to a new problem ->
Problem: Letting someone authenticate as root to webmin will also give
them actual root access to the system
Solution: Extend wlus to allow user to authenticate as ldap admin with
the ldap-admin password, even though the user has
authenticated as themself.
> | 2) with the future cerebrum backend and ldap as the directory
> | frontend, and webmin as the gui
> | - switch webmin-ldap-user-simple to use cerebrum as a backend.
> | (2-4 weeks)
> | - get the cerebrum package up to speed 3-5 weeks including
> | preconfiguration, a debian-edu profile with spreads etc,
> | (work in progress)
> | - get import and export filters written (uncertain, might take
> | only a week)
> | - provide an upgrade path from flat files (2 weeks?) or
> | present WLUS setup with data stored in ldap (4 weeks)
> | - more work which i am unaware of atm
> | this option is the one i pursue right now and that i would
> | recommended to consider more closely. see also
> | http://developer.skolelinux.no/~andreas/wishlist.txt
By this, you would create another gui that would export an ldif, and
then use the ldif to update the ldap in some way ?
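The access rule Andreas sketches above (members of a granting posix group may change passwords of members of target groups) is what the OpenLDAP ACL, or the wlus-side check in the proxy-bind approach from the reply, has to enforce. The following is an added illustration, not code from wlus, Skolelinux or this thread: it models that two-sided check in plain Python over a constructed set of posixGroup memberUid lists. The group names jradmina, teachers, students and admins come from the thread; the rule table, the "protected" group guard (so that no delegated rule can ever reach an account in admins), and the sample uids are assumptions made for the example.

```python
"""Model of a two-sided posix-group password ACL (constructed example)."""
from dataclasses import dataclass

# Constructed posixGroup entries: group cn -> set of memberUid values.
GROUPS = {
    "jradmina": {"kari"},
    "teachers": {"ola", "kari"},
    "students": {"per", "lise"},
    "admins": {"root"},
}

# Assumed rule table: members of `grantor` may set userPassword on
# members of any group listed in `targets`.
@dataclass(frozen=True)
class PasswordRule:
    grantor: str
    targets: frozenset

RULES = [PasswordRule("jradmina", frozenset({"teachers", "students"}))]

# Assumed guard: accounts in these groups are never a valid delegation target,
# which keeps the "ldap admin" delegation from turning into root access.
PROTECTED_GROUPS = frozenset({"admins"})


def groups_of(uid, groups=GROUPS):
    """All posix groups whose memberUid lists contain `uid`."""
    return {name for name, members in groups.items() if uid in members}


def may_change_password(requester, target, rules=RULES, groups=GROUPS,
                        protected=PROTECTED_GROUPS):
    """Decide whether `requester` may overwrite `target`'s userPassword.

    Self-service is always allowed (the usual 'by self write').  Otherwise
    the requester must be in a rule's grantor group AND the target must be
    in one of that rule's target groups; protected targets never match.
    """
    if requester == target:
        return True
    req_groups = groups_of(requester, groups)
    tgt_groups = groups_of(target, groups)
    if tgt_groups & protected:
        return False
    for rule in rules:
        if rule.grantor in req_groups and rule.targets & tgt_groups:
            return True
    return False


def explain(requester, target):
    """Human-readable audit line for a decision, e.g. for a webmin log."""
    verdict = "ALLOW" if may_change_password(requester, target) else "DENY"
    return (f"{verdict} passwd-change requester={requester} "
            f"groups={sorted(groups_of(requester))} target={target} "
            f"groups={sorted(groups_of(target))}")


if __name__ == "__main__":
    for req, tgt in [("kari", "ola"), ("kari", "per"), ("ola", "per"),
                     ("per", "per"), ("kari", "root"), ("kari", "nobody")]:
        print(explain(req, tgt))
```

Note that the target side of the check needs the memberUid lists of the *target* groups, not an attribute on the user entry; that is exactly why expressing it purely in slapd ACLs is harder than the grantor side, and why doing the check in wlus before binding as the ldap admin is the simpler route the reply proposes.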