Re: other authority groups?
<quote who="Andreas Schuldei">
> I am working on the access control handling for user passwords (and other
> i am just now trying to come up with a generic algorithm to determine who is
> allowed to
> write to a user's ldap entry, depending on which authority groups he is in.
> right now we have these authority groups by default: admins, jradmins,
> teachers and students
> the basic rule is simple:
> - if a person is in the admins group , no one can write to his
> - if he is in jradmins, his entry is writeable by members of the
> group admins and
> - if he is in student or teacher he is writeable by both admins
> and jradmins.
> but we have authority_groups as a flexible thing. that means
> people can add new authority groups.
> question: what other authority groups are possible/likely? would
> they interfere with the above algorithm? what would be a good way
> to make this configurable by the local admin? (a config file in
> /etc/? how could that look like?)
By having my teachers working with Skolelinux since summer 2004, I can tell my
needs on wlus:
For wlus I need admin users to be able to do all the things now done by
root. (For now I'm forced to give away the root password, because I can't do
this part of administration alone.)
Jradmins in my understanding are students, so they've got to be able to change
the classes/courses of teachers and students. Eventually they can create new
accounts for those authorities (e.g. new students or teachers appear in the
during the year).
In my schools (classes 0-10) teachers _must_ be able to give a _new_ password
to the students _without_ knowing the old one. Now I've got to come to one of
3 PC rooms in 2 school buildings if someone forgot his one. It would be nice
if they had a button 'generate password', so they don't have to deal with
password rules ;-) Also a teacher should be able to put a student into his
class/course or take him out. And - as I learned yesterday - he needs to
create new student accounts sometimes.
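
Added example, not part of either message and not wlus code: one way the quoted "who may write to whose entry" rule could be driven by a file the local admin edits. The file format, the function names, the most-restrictive handling of users in several groups and the default deny for unknown groups are all assumptions; only the parts of the default rules that are visible in the quoted message are encoded.

```python
# Constructed sample policy file (hypothetical format):
#   <target group>: <groups allowed to write entries of that group>
SAMPLE_CONFIG = """\
# default rules, as far as the quoted message states them
admins:
jradmins: admins
teachers: admins, jradmins
students: admins, jradmins
"""

def parse_policy(text):
    """Parse the policy text into {target_group: set(writer_groups)}."""
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'group: writers'")
        target, writers = line.split(":", 1)
        target = target.strip()
        if not target or target in policy:
            raise ValueError(f"line {lineno}: empty or duplicate group")
        policy[target] = {w.strip() for w in writers.split(",") if w.strip()}
    return policy

def allowed_writers(policy, target_groups):
    """Groups that may write an entry whose owner is in target_groups.

    Assumption: with several groups the most restrictive rule wins
    (intersection), and a group missing from the policy denies everyone.
    """
    allowed = None
    for group in target_groups:
        if group not in policy:
            return set()                      # unknown group: default deny
        rule = set(policy[group])
        allowed = rule if allowed is None else allowed & rule
    return allowed or set()

def may_write(policy, writer_groups, target_groups):
    """True if any of the writer's groups is allowed for this target."""
    return bool(set(writer_groups) & allowed_writers(policy, target_groups))

POLICY = parse_policy(SAMPLE_CONFIG)
```

A newly added authority group stays unwritable until the local admin adds a line for it, so extending the group list cannot silently widen access.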