[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: User Administration

i seem to miss parts of this mail exchange. i did not get runo`s
mail that finn-arne is quoting here.

On Tue, Nov 02, 2004 at 02:15:29PM +0100, Finn-Arne Johansen wrote:
> > Why do they need a ldap-admin password. If they are member of admins or jr.
> > admins group schouldn't that be sufficient?

the admin is empowered by the acls in slapd.conf. you can empower
others by giving them the same access rights as admin. i would
not do that automatically because of robustness and danger

> I'm not sure how much effort is put into the use fine-graining acl in
> Skolelinux. 

i cant parse that. what does this mean?

> The long term solution is either to add something on top of ldap/wlus,
> like cerebrum, feide or something like that, 


> or find some way to add
> acl with groups in openldap configuration file /etc/ldap/slapd.conf. 

that option is not as good since ACLs have the potential to
consume cpu and slow down slapd, if it happens on a bigger scale.

> The short term solution is to modify wlus to let the admin group authenticate as
> ldap admin, using the ldap admin password, 

danger, will robinson!

> or to extend the acl in /etc/ldap/slapd.conf.

you can add individual users to slapd.conf, giving them jradmin
or admin rights by granting them the required access rights. i
would not do that automatically, though. otherwise it would be a
solution to the problem, eventhough it works by granting
individuals access, not whole groups. that is why i did not list
it as a third option originally.

> I would guess that the work involved with the short term solution is
> 8-24 hours of work.

yes, could well be.

> > Even though it's a drawback and danger I would render the gain this
> > functionality gives greater. After all it's only the LDAP that's going to be
> > currupted, and with a sane backup rutine you'll be online sooner rather than
> > later.
> I Agree

it is not about corrupting the ldap db but compromising security,
which you cant recreate with restoring a backup.

> > Will this option 2 be backported into Skolelinux 1.0?

i doubt it; we tried to make cerebrum run on woody and did not
have success.

> I dont know this. I currently focus on bringing a sarge based
> Debian-edu. I guess that will come before cerbrum. 

right now cerebrum depends on sarge and would therefore come
together with the sarge version, not before it.

Reply to: