
Re: User Administration



On Tue, Nov 02, 2004 at 09:14:14AM +0100, Andreas Schuldei wrote:
> * Finn-Arne Johansen (faj@bzz.no) [041102 08:34]:
> > First let's see what we want to achieve:
> >  Someone that doesn't have root access be allowed to update the ldap DB.
> > 
> > Problem: By default root account password is the same as the root unix
> >          account password.
> > Solution: Set a new password for the ldap account
> > Problem: To be allowed to change the info in ldap other than the user's
> >          own password (and maybe the user's full name), you have to be
> >          authenticated as root to webmin. By design, webmin root
> >          account is the same account as unix root account and thus uses
> >          the same password
> > Solution: Create a webmin root account, and stop using pam for
> >          authenticating root to webmin (this used to be the setup). But
> >          this leads to a new problem ->
> > Problem: Letting someone authenticate as root to webmin will also give
> >          them actual root access to the system
> > Solution: Extend wlus to allow the user to authenticate as ldap admin with
> >          the ldap-admin password, even though the user has
> >          authenticated as themself.
> 
> that approach has the fundamental drawback of having several people
> operate on the same account with root/admin authority. That
> increases the danger of password leakage and makes abuse harder
> to detect. I would not want to pursue this solution for that
> reason.

I know, and I'm not saying that this should be enabled by default. I'm
not even sure if this should be configurable by the config-module
for wlus.

> > > | 2) with the future cerebrum backend and ldap as the directory
> > > |    frontend, and webmin as the gui
> 
> the gui will look just like wlus, but we should not call it wlus
> but wcus (which is even harder to pronounce) because we don't use
> ldap but cerebrum. We would have to switch the ldap-backend
> (today ldap-users.pl) with a cerebrum backend.
> 
> > > |    - switch webmin-ldap-user-simple to use cerebrum as a backend.
> > > |      (2-4 weeks)
> > > |    - get the cerebrum package up to speed 3-5 weeks including
> > > |      preconfiguration, a debian-edu profile with spreads etc,
> > > |      (work in progress)
> > > |    - get import and export filters written (uncertain, might take
> > > |      only a week)
> > > |    - provide an upgrade path from flat files (2 weeks?) or
> > > |      present WLUS setup with data stored in ldap (4 weeks)
> > > |    - more work which i am unaware of atm
> > > |    this option is the one I pursue right now and that I would
> > > |    recommend to consider more closely. see also
> > > |    http://developer.skolelinux.no/~andreas/wishlist.txt
> > 
> > By this, you would create another gui that would export an ldif, and
> > then use the ldif to update the ldap in some way ? 
> 
> uh, no. How did I create that impression? Do you think of the
> incremental updates to ldap, using ldifs? That is not something
> we will have to care about; cerebrum will do that on its own and
> there won't be a gui for that.

Well, there is another gui (called wcus) that is used, that doesn't work
directly with ldap, but with some other DB backend, possibly postgres.
And at some point the information from the DB is fed to ldap. Or is
ldap set to use the same DB backend as cerebrum?

-- 
Finn-Arne Johansen 
faj@bzz.no
http://bzz.no/
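Added example (not from the thread, and not the Skolelinux, webmin or wlus configuration): the two settings the thread argues about, side by side, as an OpenLDAP slapd.conf(5) fragment. The first block is the shared-admin setup Finn-Arne describes (everyone who administers users binds as the ldap root identity, with a password that by default equals the unix root password). The second is the alternative Andreas' objection points to: each administrator binds as their own DN and gets write access through group membership, so the bind DN in slapd's log identifies who made each change. The suffix dc=skole,dc=skolelinux,dc=no, the group cn=ldap-admins and the ou=People/ou=Group layout are assumptions made for the example.

```conf
# ---------------------------------------------------------------------
# Weak setting: one shared admin identity (assumed suffix and DNs).
# rootdn bypasses every ACL below, and rootpw is a single secret handed
# to every person who needs to edit users, so the log shows the same
# bind DN for all of them and a leaked password cannot be traced.
# ---------------------------------------------------------------------
suffix   "dc=skole,dc=skolelinux,dc=no"
rootdn   "cn=admin,dc=skole,dc=skolelinux,dc=no"
# rootpw "{SSHA}<hash of the shared password>"   (by default the unix root
#                                                 password, per the thread)

# ---------------------------------------------------------------------
# Corrected setting: keep rootdn for emergencies only, give write access
# to a group of personal accounts, and log the bind DN of every operation.
# ACLs are evaluated first-match, so the userPassword rule must come
# before the broader ou=People rule or it is never reached.
# ---------------------------------------------------------------------
loglevel stats      # logs "BIND dn=..." and each MOD/ADD/DEL per connection

# Users may change only their own password; admins may set anyone's;
# anonymous may use the attribute to authenticate (simple bind) but not read it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by group.exact="cn=ldap-admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
    by * none

# Full write access to user entries for members of the admin group only.
access to dn.subtree="ou=People,dc=skole,dc=skolelinux,dc=no"
    by group.exact="cn=ldap-admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
    by users read
    by * none

# Same for groups, so admins can add and remove members (including
# membership in cn=ldap-admins itself; restrict that further if needed).
access to dn.subtree="ou=Group,dc=skole,dc=skolelinux,dc=no"
    by group.exact="cn=ldap-admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
    by users read
    by * none

# Everything else: authenticated users may read, nobody else gets anything.
access to *
    by users read
    by * none
```

With the second setting the GUI (wlus or its successor) binds with the credentials the person logged in with, rather than re-authenticating as a shared ldap-admin; removing someone's access is then a group-membership change instead of a password rotation for everybody.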


