Re: User Administration
I seem to be missing parts of this mail exchange. I did not get Runo's
mail that Finn-Arne is quoting here.
On Tue, Nov 02, 2004 at 02:15:29PM +0100, Finn-Arne Johansen wrote:
> > Why do they need an ldap-admin password? If they are members of the admins or jr.
> > admins group, shouldn't that be sufficient?
The admin is empowered by the ACLs in slapd.conf. You can empower
others by giving them the same access rights as admin. I would
not do that automatically, for robustness and danger
reasons.
> I'm not sure how much effort is put into the use of fine-grained ACLs in
> Skolelinux.
I can't parse that. What does this mean?
>
> The long-term solution is either to add something on top of ldap/wlus,
> like Cerebrum, Feide or something like that,
Yes.
> or find some way to add
> ACLs with groups in the OpenLDAP configuration file /etc/ldap/slapd.conf.
That option is not as good, since ACLs have the potential to
consume CPU and slow down slapd if this happens on a bigger scale.
> The short-term solution is to modify wlus to let the admin group authenticate as
> ldap admin, using the ldap admin password,
Danger, Will Robinson!
> or to extend the ACLs in /etc/ldap/slapd.conf.
You can add individual users to slapd.conf, giving them jradmin
or admin rights by granting them the required access rights. I
would not do that automatically, though. Otherwise it would be a
solution to the problem, even though it works by granting
individuals access, not whole groups. That is why I did not list
it as a third option originally.
> I would guess that the work involved with the short-term solution is
> 8-24 hours of work.
Yes, could well be.
> > Even though it's a drawback and a danger, I would render the gain this
> > functionality gives greater. After all, it's only the LDAP that's going to be
> > corrupted, and with a sane backup routine you'll be online sooner rather than
> > later.
>
> I agree.
It is not about corrupting the LDAP DB but about compromising security,
which you can't restore from a backup.
> > Will this option 2 be backported into Skolelinux 1.0?
I doubt it; we tried to make Cerebrum run on woody and did not
succeed.
> I don't know this. I am currently focusing on bringing out a sarge-based
> Debian-edu. I guess that will come before Cerebrum.
Right now Cerebrum depends on sarge and would therefore come
together with the sarge version, not before it.
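As an added illustration of the two slapd.conf approaches discussed in this thread (granting named users jradmin/admin-level access rights versus a group-based ACL), the fragment below is example configuration, not the Skolelinux or Debian-edu slapd.conf. The suffix, the rootdn, the user DN uid=jradmin1 and the group DN cn=admins are assumed for the example, and it uses OpenLDAP 2.1-or-later ACL syntax (dn.subtree, dn.exact), which is what sarge ships.

```conf
# Added example slapd.conf ACL fragment; all DNs are assumed, not Skolelinux's.
# ACLs are evaluated in order and the first "access to" clause that matches
# the target entry/attribute wins, so the userPassword rule comes first.

suffix          "dc=skole,dc=skolelinux,dc=no"
rootdn          "cn=admin,dc=skole,dc=skolelinux,dc=no"
# rootpw (not shown) is the "ldap admin password" from the thread. The
# rootdn bypasses every ACL below, which is why handing that password to a
# whole admin group via WLUS gives them unlimited, unlogged-per-user power.

# Passwords: the owner may change his own, anonymous may only use it to
# bind ("auth"), the named junior admin and the admins group may reset it,
# nobody else may read it.
access to dn.subtree="ou=People,dc=skole,dc=skolelinux,dc=no" attrs=userPassword
        by dn.exact="uid=jradmin1,ou=People,dc=skole,dc=skolelinux,dc=no" write
        by group="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
        by self write
        by anonymous auth
        by * none

# Option "individual users" from the mail: one "by dn.exact" line per
# empowered person, added by hand (not automatically).
# Option "groups in the ACL": one "by group" line. With no qualifier this
# means objectClass groupOfNames / attribute member, whose values must be
# full DNs. A posixGroup whose memberUid holds plain uids will not match
# (the group clause needs DN-valued members), so such a group has to exist
# as a groupOfNames too. Each group clause costs an extra entry lookup per
# ACL evaluation, which is the CPU cost the thread warns about.
# No "by self write" on whole entries: that would let a user edit his own
# uidNumber/gidNumber.
access to dn.subtree="ou=People,dc=skole,dc=skolelinux,dc=no"
        by dn.exact="uid=jradmin1,ou=People,dc=skole,dc=skolelinux,dc=no" write
        by group="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
        by * read

# Everything else (ou=Group and so on): only the admins group may write.
# Anonymous read is kept so NSS lookups from clients still work; tighten
# to "by users read" if the clients bind with their own credentials.
access to *
        by group="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
        by * read
```

The practical difference from the short-term WLUS idea is that a compromised jradmin1 account can only do what these ACLs allow and can be revoked by deleting one line, whereas a leaked rootdn password is not revoked by restoring a backup; it has to be changed, and every place that stored it has to be found. Check the result with slapacl or by binding as the test user with ldapmodify before relying on it.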