
Re: Adding delegation of authority to the current LDAP structure?



Sat, 05.03.2005 at 12.38 +0100, Petter Reinholdtsen wrote:
> Recently, on the Norwegian user list, the wish for delegating access
> to change passwords has been expressed.  As far as I know such
> delegation needs to be fixed in the LDAP database (slapd) with the
> current design of the user database in Debian Edu.  The plan for a
> long term solution for this problem is to start using Cerebrum, which
> gives us more control over the access rights and the possibility to
> grant access to subgroups.
> 
> But Cerebrum isn't ready to go into Debian Edu yet, and it would be
> nice if we could find some short term solution as well.  Is it
> possible to adjust the current LDAP configuration to grant password
> change access to a group of LDAP users?  I would like to grant such
> access to all users in the teacher group.  I suspect this is
> impossible without changing the structure of the LDAP tree, and we do
> not want to do that as it would make the existing installations
> incompatible.

As far as I can see, the teacher group already has this authority. When
a member of teacher logs into webmin, they have access to the LDAP user
module. There they can change the password for a student, but *only* if
they first type in the old user password (which the student has
lost...). This makes this function rather pointless. 

Forgive me if I have misunderstood this, I haven't tried it, but it
seems like it is like I described above.

I am the one who raised this on the Norwegian list, because I administer
2300 users in the town of Kongsvinger, Norway. The people at the
IT department are the only ones who know root's password. The teachers
don't. So when a student forgets his or her password (which actually
happens quite often), the teacher has to send an email to me, so I can
reset the password, and then email it back to the school. Instead I
would like the teacher group to be able to change the passwords for
students without typing in an old and forgotten password.


> Any suggestions or ideas?

None on how to solve this, but I'm still optimistic - as always.

Regards
Trond Mæhlum
