
Re: User Administration



I seem to be missing parts of this mail exchange. I did not get Runo's
mail that Finn-Arne is quoting here.

On Tue, Nov 02, 2004 at 02:15:29PM +0100, Finn-Arne Johansen wrote:
> > Why do they need a ldap-admin password? If they are members of the admins or jr.
> > admins group, shouldn't that be sufficient?

The admin is empowered by the ACLs in slapd.conf. You can empower
others by giving them the same access rights as admin. I would
not do that automatically, for robustness and safety reasons.

> I'm not sure how much effort is put into the use of fine-grained ACLs in
> Skolelinux.

I can't parse that. What does this mean?

> The long-term solution is either to add something on top of ldap/wlus,
> like Cerebrum, FEIDE or something like that,

Yes.

> or find some way to add
> ACLs with groups in the OpenLDAP configuration file /etc/ldap/slapd.conf.

That option is not as good, since ACLs have the potential to
consume CPU and slow down slapd if it happens on a bigger scale.


> The short-term solution is to modify wlus to let the admin group authenticate as
> ldap admin, using the ldap admin password,

Danger, Will Robinson!

> or to extend the ACLs in /etc/ldap/slapd.conf.

You can add individual users to slapd.conf, giving them jradmin
or admin rights by granting them the required access rights. I
would not do that automatically, though. Otherwise it would be a
solution to the problem, even though it works by granting
individuals access, not whole groups. That is why I did not list
it as a third option originally.

> I would guess that the work involved with the short-term solution is
> 8-24 hours of work.

Yes, could well be.

> > Even though it's a drawback and a danger, I would consider the gain this
> > functionality gives greater. After all, it's only the LDAP that's going to be
> > corrupted, and with a sane backup routine you'll be online sooner rather than
> > later.
>
> I agree.

It is not about corrupting the LDAP db but about compromising security,
which you can't undo by restoring a backup.

> > Will this option 2 be backported into Skolelinux 1.0?

I doubt it; we tried to make Cerebrum run on woody and did not
have success.

> I don't know this. I currently focus on bringing out a sarge-based
> Debian-edu. I guess that will come before Cerebrum.

Right now Cerebrum depends on sarge and would therefore come
together with the sarge version, not before it.
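
As an added illustration, not part of this thread and not the Skolelinux or wlus
configuration, here is what the two slapd.conf options discussed above look like
side by side: granting one named user the same write rights as admin, and
granting a whole group write rights with a group clause. The base DN
dc=skole,dc=skolelinux,dc=no, the ou names, and the user and group names are
assumptions for the example.

```conf
# slapd.conf ACL fragment (OpenLDAP 2.x). Added example, not the Skolelinux
# configuration; every DN below is assumed for illustration.
#
# ACLs are evaluated top to bottom and the first "access to" clause whose
# target matches wins, so the narrow userPassword rule must come before the
# broader subtree rules.
#
# If cn=admin is also the rootdn, it bypasses ACLs entirely. That is why
# letting wlus (or the whole admin group) bind with the rootdn password is
# the dangerous short-term option: a leaked rootdn password is not fixed by
# restoring a backup.

# Passwords: the owner may change them, anyone may bind against them,
# nobody else may read the hashes.
access to attrs=userPassword
    by dn.exact="cn=admin,dc=skole,dc=skolelinux,dc=no" write
    by self write
    by anonymous auth
    by * none

# User tree. Option A ("add individual users to slapd.conf"): one named
# user gets the same write rights as admin; each extra admin-equivalent
# user is a separate "by dn.exact" line that has to be edited by hand.
# Option B ("acl with groups"): every member of a group entry gets write
# access without touching slapd.conf again.
access to dn.subtree="ou=People,dc=skole,dc=skolelinux,dc=no"
    by dn.exact="cn=admin,dc=skole,dc=skolelinux,dc=no" write
    by dn.exact="uid=jradmin1,ou=People,dc=skole,dc=skolelinux,dc=no" write
    by group/groupOfNames/member="cn=ldapadmins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
    by self write
    by users read
    by * none

# Group tree: same group-based grant. The group selector needs a DN-valued
# attribute (groupOfNames/member here); a posixGroup's memberUid holds
# plain uids and cannot be used for this. slapd has to fetch and check the
# group entry on every access that reaches this line, which is the CPU
# cost mentioned above for larger installations.
access to dn.subtree="ou=Group,dc=skole,dc=skolelinux,dc=no"
    by dn.exact="cn=admin,dc=skole,dc=skolelinux,dc=no" write
    by group/groupOfNames/member="cn=ldapadmins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
    by users read
    by * none

# Everything else: authenticated users may read, nobody else.
access to *
    by dn.exact="cn=admin,dc=skole,dc=skolelinux,dc=no" write
    by users read
    by * none
```

After editing slapd.conf, `slaptest -f /etc/ldap/slapd.conf` checks the syntax
before slapd is restarted, and an `ldapmodify` bound as uid=jradmin1 against an
entry under ou=People (and, as a user who is not in cn=ldapadmins, against the
same entry expecting "Insufficient access") confirms that the grants behave as
intended.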
