Re: User Administration

* Finn-Arne Johansen (faj@bzz.no) [041102 08:34]:
> First let's see what we want to achieve:
>  Someone who doesn't have root access should be allowed to update the ldap DB.
> Problem: By default the root account password is the same as the root unix
>          account password.
> Solution: Set a new password for the ldap account.
> Problem: To be allowed to change the info in ldap other than the user's
>          own password (and maybe the user's full name), you have to be
>          authenticated as root to webmin. By design, the webmin root
>          account is the same account as the unix root account and thus uses
>          the same password.
> Solution: Create a webmin root account, and stop using pam for
>          authenticating root to webmin (this used to be the setup). But
>          this leads to a new problem ->
> Problem: Letting someone authenticate as root to webmin will also give
>          them actual root access to the system.
> Solution: Extend wlus to allow the user to authenticate as ldap admin with
>          the ldap-admin password, even though the user has
>          authenticated as themself.

That approach has the fundamental drawback of having several people
operate on the same account with root/admin authority. That
increases the danger of password leakage and makes abuse harder
to detect. I would not want to pursue this solution for that reason.

> > | 2) with the future cerebrum backend and ldap as the directory
> > |    frontend, and webmin as the gui

The gui will look just like wlus, but we should not call it wlus
but wcus (which is even harder to pronounce) because we don't use
ldap but cerebrum. We would have to replace the ldap backend
(today ldap-users.pl) with a cerebrum backend.

> > |    - switch webmin-ldap-user-simple to use cerebrum as a backend.
> > |      (2-4 weeks)
> > |    - get the cerebrum package up to speed, 3-5 weeks including
> > |      preconfiguration, a debian-edu profile with spreads etc.
> > |      (work in progress)
> > |    - get import and export filters written (uncertain, might take
> > |      only a week)
> > |    - provide an upgrade path from flat files (2 weeks?) or
> > |      present WLUS setup with data stored in ldap (4 weeks)
> > |    - more work which i am unaware of atm
> > |    this option is the one I pursue right now and that I would
> > |    recommend to consider more closely. see also
> > |    http://developer.skolelinux.no/~andreas/wishlist.txt
> By this, you would create another gui that would export an ldif, and
> then use the ldif to update the ldap in some way?

Uh, no. How did I create that impression? Do you think of the
incremental updates to ldap, using ldifs? That is not something
we will have to care about; cerebrum will do that on its own and
there won't be a gui for that.
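The alternative to a shared ldap-admin password that the reply argues for, written up as an added example (it is not from this thread, from wlus or from the Skolelinux packages): OpenLDAP slapd.conf ACLs that let named accounts edit user entries while binding with their own credentials, so no root/admin password has to be handed around. The suffix dc=example,dc=org, the ou=People / ou=Group layout and the group cn=user-admins are assumed placeholders.

```conf
# Delegate user administration to members of a group instead of sharing
# the rootdn (ldap admin) password. "by" clauses are tried in order and
# the first matching one wins, so the most specific subjects come first.

# Passwords: the owner may change their own, delegated admins may reset
# them, everyone else may only bind (auth) against them, never read them.
access to dn.subtree="ou=People,dc=example,dc=org" attrs=userPassword
    by self write
    by group.exact="cn=user-admins,ou=Group,dc=example,dc=org" write
    by anonymous auth
    by * none

# The rest of a user entry (name, uid, home, shell ...): delegated admins
# may edit it, any authenticated user may read it, anonymous gets nothing.
access to dn.subtree="ou=People,dc=example,dc=org"
    by group.exact="cn=user-admins,ou=Group,dc=example,dc=org" write
    by users read
    by * none

# Membership of the delegated group itself is only changed by the rootdn
# (which bypasses ACLs); admins cannot add each other or themselves.
access to dn.exact="cn=user-admins,ou=Group,dc=example,dc=org"
    by users read
    by * none
```

Because every admin binds as their own DN, removing one person's access is a group-membership change rather than a password rotation for everyone, and with slapd running at loglevel stats each modify is logged under the connection whose BIND line names the individual who made it.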

