Re: Adding delegation of authority to the current LDAP structure?
On Sat, Mar 05, 2005 at 09:01:44PM +0100, Petter Reinholdtsen wrote:
> > Now the problem is that we need slapd to do this:
> >
> > members in group A can read/write to certain attributes of entries in
> > group B.
> > members in group C can read/write to certain attributes of entries in
> > group A and B and C.
> >
> > So we filter both the subject and the object of our ACL based on
> > group membership.
>
> Would it be ok for the users with extra rights to be able to modify
> the passwords of _all_ users, or should the extra rights be limited to
> the pupils only? In short, should the junior admins be allowed to
> change the password of teachers, admins and junior admins in addition
> to changing the password of pupils, or should they only have access to
> changing passwords for pupils?
>
> I suspect it might be easier to allow junior admins to change
> passwords of _all_ users. What do you think?
That would open the door to a trivial privilege escalation
attack: the jradmin could change the password of an admin in
group Admins, log in as admin and become root. This could not
be easily avoided with further ACLs, I think, since it is the
same problem as before, but backwards.
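As an added illustration (not from the thread; the DNs and the assumption that pupil accounts live in their own subtree are mine), the slapd.conf fragment below shows the permissive ACL the previous mail suggests next to a version that confines the jradmin password write to pupil entries. Because slapd uses the first "access to" clause whose target matches, the pupil-specific clause must come before the catch-all.

```conf
# --- Weak variant: jradmins may reset the password of ANY entry ---
# A jradmin can overwrite userPassword of a cn=admins member and then
# bind as that admin (the escalation described above).
access to attrs=userPassword
        by self write
        by group.exact="cn=jradmins,ou=groups,dc=example,dc=org" write
        by anonymous auth
        by * none

# --- Corrected variant ---
# Assumption: pupil accounts are stored under ou=pupils,ou=people,...
# and staff/admin accounts elsewhere.  Only entries in that subtree are
# writable by jradmins; the clause MUST precede the catch-all below.
access to dn.children="ou=pupils,ou=people,dc=example,dc=org" attrs=userPassword
        by self write
        by group.exact="cn=jradmins,ou=groups,dc=example,dc=org" write
        by anonymous auth
        by * none

# Everyone else (teachers, admins, jradmins themselves) may change only
# their own password; jradmins get no write here.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Group membership decides who is a jradmin or admin, so it must not be
# writable by jradmins either, or they could add themselves to cn=admins.
access to dn.children="ou=groups,dc=example,dc=org" attrs=member,memberUid
        by group.exact="cn=admins,ou=groups,dc=example,dc=org" write
        by * read
```

Moving a pupil entry into the staff subtree is itself a privileged operation, so the same rule of thumb applies: whoever can edit the attributes or placement the ACL keys on can widen the ACL.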