
Re: Slapd-config, jrpasswd and admins



Jonas Smedegaard wrote:
> On Fri, 17 Feb 2006 01:05:11 +0100
> Finn-Arne Johansen <faj@bzz.no> wrote:
> 
> 
>>>I've checked in a new slapd-sarge-debian-edu.conf. Those of you who
>>>know anything about slapd configuration, please have a look.
>>>I've tested this one, and it will allow jradmins to change _every_
>>>password except the ldap-admin password.
>>>
>>>And I think it will allow admins to add users. We still need a decent
>>>tool for the admins and the jrAdmins to use, but this will at least
>>>allow them.
> 
> 
> Comparing against the version right before, it seems you have not
> only added access rights for jradmins, but also removed access rights
> for admins. Was that intended?

I also gave admins write access to everything _but_ the ldap admin
account (dn: cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no)

> (Just a simple question: I do imply that your change is somehow wrong).

It should not be wrong. I think you are misreading the config file.

The goal is:
- Only the ldap admin should be allowed to change the ldap admin account.
- The group admins should be allowed to write to everything except the
  ldap admin account. (note - not read, only write)
- The group jrpasswd should be allowed to change the password of the
  users, and the other fields that are related.
- A normal user should also be allowed to change his/her own password,
  and related fields.
- Everything but the passwords should be readable by everyone.


That also implies that adding a person to the admins group means that
the user could create a new account with userid 0, and thus be effectively
root. So we have to be careful about whom we add to the admins group.
And jradmins is also allowed to change the password of an account which
is member of the admins group.

But this is the best way we have to delegate some admin rights.
To prevent unauthorized access, we would have to stop adding users to
the admins group, and to prevent anyone from changing the password for
other users, we should not add anyone to the jradmins group.

-- 
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
Debian-edu developer and Solution provider
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
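The access policy listed in the mail, written out as slapd.conf ACL directives. This is an added example, not the slapd-sarge-debian-edu.conf from the thread; the base DN and the ldap admin entry are taken from the mail, while the group DNs under ou=Group and the attribute names are assumptions.

```conf
# Base DN and the ldap admin entry come from the thread; the group DNs
# under ou=Group are assumed (adjust to the real tree).
#
# slapd evaluates "access to" clauses top-down and uses the first clause
# whose target matches, so the most specific targets must come first.
# Privilege levels are cumulative (write implies read), so "write but
# not read" cannot be expressed: admins granted write can also read.

# 1. The ldap admin entry: only the ldap admin itself may modify it,
#    including its password; nobody else gets the password back.
#    (If cn=admin is also the rootdn, ACLs never apply to it anyway.)
access to dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
        by self write
        by * read

# 2. Passwords of all other entries: the ldap admin, the admins group and
#    the jrpasswd group may set them, users may change their own, binds
#    may authenticate against them, and nobody may read them.
#    shadowLastChange is the "related field" that changes with a password.
access to attrs=userPassword,shadowLastChange
        by dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" write
        by group.exact="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
        by group.exact="cn=jrpasswd,ou=Group,dc=skole,dc=skolelinux,dc=no" write
        by self write
        by anonymous auth
        by * none

# 3. Everything else: the ldap admin and the admins group may write, and
#    everyone may read.  Because this clause lets admins write
#    uidNumber/gidNumber, a member of admins can create an entry with
#    uidNumber 0 (the risk noted in the mail).  The commented clause below,
#    placed BEFORE this catch-all, would reserve those attributes for the
#    ldap admin; it narrows the policy stated in the thread.
# access to attrs=uidNumber,gidNumber
#         by dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" write
#         by * read
access to *
        by dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" write
        by group.exact="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
        by * read
```

Clause order is the security-relevant part: because the ldap admin entry is matched by clauses 1 before the password clause in 2, neither the admins nor the jrpasswd group can reach the ldap admin password.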