Re: [GOsa] last(?) missing bit to use gosa in debian-edu out of the box

To: debian-edu@lists.debian.org
Subject: Re: [GOsa] last(?) missing bit to use gosa in debian-edu out of the box
From: "Andreas B. Mundt" <andi.mundt@web.de>
Date: Tue, 18 May 2010 16:56:35 +0200
Message-id: <[🔎] 20100518145635.GA28541@flashgordon>
Mail-followup-to: debian-edu@lists.debian.org
In-reply-to: <[🔎] 4BF24728.6050003@skolelinux.no>
References: <[🔎] 20100510101505.GA5457@flashgordon> <[🔎] 20100510124848.GA6111@flashgordon> <[🔎] 20100510125935.GA6312@flashgordon> <[🔎] 201005101507.02204.holger@layer-acht.org> <[🔎] 4BF24728.6050003@skolelinux.no>

On Tue, May 18, 2010 at 09:52:08AM +0200, Ronny Aasen wrote:
> Holger Levsen wrote:
> > On Montag, 10. Mai 2010, Andreas B. Mundt wrote:
> >>> after having thought a bit more about the password issue, I think
> >>> we perhaps should add one more question during
> >>> installation/configuration of the main server: Enter the LDAP
> >>> password. 
> > 
> > I think thats a bad idea, as we already ask for the root password.
> > 
> > We didnt want a(nother) password ldap-admin with lwat, so I dont see why we 
> > want it with gosa.
> > 
> >>> What do you think? Any better ideas?
> >> next idea: how about creating this (gosa-) password randomly and use
> >> the "old" root pw in addition for command line tools?
> > 
> > so the gosa password would be for an account with the same right as ldap 
> > admin, but with another name? (So that password can be random..)
> 
> I think a spesific service account similar to smbadmin (gosadmin?) with
> random password is the best option.
> 
> Why does gosa need this access anyway ? Could gosa not ask the user for
> the password to bind to ldap? In the same way that lwat does it today ?
> Or are there cronjobs _writing_ to ldap ?

Well, gosa handles the access permissions in a different way than
lwat. Where Lwat used access rules in slapd.conf, gosa handles its own 
access control lists (ACLs). So you can define pretty accurate what
rights a user has and which objects and attributes he is allowed to
read and/or write to.   

I haven't tested too much yet, but currently there is the super-admin
account which can do anything. All other accounts are allowed to
change only their password curently. I started defining predefined
ACLs for junior-admins and admins, but there is some more work needed.
Some more info is here:

http://oss.gonicus.de/screencasts/acl.html  

Concerning the password access to ldap:  
I am happy with the way it is done now, with a random password which
is saved on disk but you need read access to the key to decrypt it.  

I am looking forward to have all these things running in our testing
installation and to discuss improvements.

Regards, 

	 Andi

Reply to:

References:
- last(?) missing bit to use gosa in debian-edu out of the box
  - From: "Andreas B. Mundt" <andi.mundt@web.de>
- Re: [GOsa] last(?) missing bit to use gosa in debian-edu out of the box
  - From: "Andreas B. Mundt" <andi.mundt@web.de>
- Re: [GOsa] last(?) missing bit to use gosa in debian-edu out of the box
  - From: "Andreas B. Mundt" <andi.mundt@web.de>
- Re: [GOsa] last(?) missing bit to use gosa in debian-edu out of the box
  - From: Holger Levsen <holger@layer-acht.org>
- Re: [GOsa] last(?) missing bit to use gosa in debian-edu out of the box
  - From: Ronny Aasen <ronny@skolelinux.no>

Prev by Date: Re: access the cleartext root password during installation
Next by Date: Processing of libpam-mklocaluser_0.2_i386.changes
Previous by thread: Re: [GOsa] last(?) missing bit to use gosa in debian-edu out of the box
Next by thread: Hai ..
Index(es):
- Date
- Thread