[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: User Administration

On Tue, Nov 02, 2004 at 07:27:37AM +0100, Runo Forrisdahl wrote:
> ----- Forwarded message from Andreas Schuldei <andreas@schuldei.org> -----
> Forwarded on request from Andreas.
> | Date: Mon, 1 Nov 2004 13:48:59 +0100
> | From: Andreas Schuldei <andreas@schuldei.org>
> | Subject: Re: User Administration
> | To: Runo Forrisdahl <runo@infostream.no>
> | 
> | On Mon, Nov 01, 2004 at 10:46:11AM +0100, Runo Forrisdahl wrote:
> | > How much work needs to be done to enable anyone in group admins to
> | > create/delete/modify user(s)/group(s) and passwords?
> | 
> | well, it is hard to estimate that time and work volume. are you
> | interested in doing it? i would love to hear more from you.
> | 
> | there are two ways i see just now.
> | 
> | 1) with the present layout based on ldap
> |    - you need to extend openldap ACLs to be able to operate both
> |      based on posix-group membership *granting* the access and on
> |      posix-group membership as a target for access. example:
> |      members in the jradmina group (granting) are allowed to change
> |      passwords for members in the teachers and students group
> |      (target). (? weeks)
> |    - then only some minor tweaks in the webmin-ldap-user-simple
> |      module are needed. (1-2 days)
> |    this option requires some insight into the inner working of
> |    openldap. One would guess that it had been done allready had
> |    it been easy. It should be possible, though.

I guess it should be possible, but I'm not sure.

I think we could take another approach here that would be easier to

First lets see what we want to achive:
 Someone that dont have root access be allowed to update the ldap DB.

Problem: By default root account password is the same as the root unix
         account password.
Solution:Set a new password for the ldap account
Problem: To be allowed to change the info in ldap other than the users
         own password (and maybe the users fullname), you have to be
         authenticated as root to webmin. By design, webmin root
         account is the same account as unix root account and thus uses
         the same password
Solution:Create a webmin root account, and stop using pam for
         authenticating root to webmin (this used to be the setup). But
         this leads to a new problem ->
Problem: Letting someone authenticate as root to webmin will also give
         them actual root access to the system
Solution:Extend wlus to allow user to authenticate as ldap admin with
         the ldap-admin password, even though the user has
         authenticated as themself. 

> | 2) with the future cerebrum backend and ldap as the directory
> |    frontend, and webmin as the gui
> |    - switch webmin-ldap-user-simple to use cerebrum as a backend.
> |      (2-4 weeks)
> |    - get the cerebrum package up to speed 3-5 weeks including
> |      preconfiguration, a debian-edu profile with spreads etc,
> |      (work in progress)
> |    - get import and export filters written (uncertain, might take
> |      only a week)
> |    - provide an upgrade path from flat files (2 weeks?) or
> |      present WLUS setup with data stored in ldap (4 weeks)
> |    - more work which i am unaware of atm
> |    this option is the one i pursue right now and that i would
> |    recommened to consider more closely. see also
> |    http://developer.skolelinux.no/~andreas/wishlist.txt

By this, you would create another gui that would export an ldif, and
then use the ldif to update the ldap in some way ? 

Finn-Arne Johansen 

Reply to: