Admin roles in Debian Edu
What kind of admin roles should we provide out of the box in Debian
Edu/Squeeze?
In Woody, Etch and Lenny, we have provided four admin levels for
users.
admin LDAP user
This user can do anything with every LDAP object. Its default
password is the installation root password.
admins posixGroup
Members of the posixGroup admins would have full access to do
changes to the LDAP objects. This allowed them to create users,
change group membership and change passwords of other users.
jradmins posixGroup
Members of the posixGroup jradmins could change the password for
non-privileged users, i.e. users who are not members of the admins
group and not the smbadmin user.
all others
Without membership of admins or jradmins, a user could only change
its own password.
In Squeeze, this setup is partly represented in slapd.conf, but
because we have changed the LDAP structure quite a bit, I suspect we
have lost some of these settings.
For Gosa, Andreas has proposed a completely different setup, if I
understand this correctly.
super-admin LDAP user
This user can do anything with every LDAP object. Its default
password is the installation root password.
Gosa admin role
Entities with this role can do anything to every LDAP object. Not
quite sure what these entities are, if they are members of a group
or something else.
Gosa jradmin role
Entities with this role can modify some attributes of user and
group objects.
user objects in teachers subtree
Users here got the Gosa jradmin role over all objects in the
students subtree.
user objects in students subtree
Users in this subtree can only change their own password.
The access control with Gosa is done by Gosa itself, and not by
OpenLDAP/slapd, while the original setup enforced the access control
using the LDAP server.
I'm not sure which setup makes the most sense, but the original setup is
simpler and I suspect it fits schools better, allowing the sysadmin to
grant privileges on an individual basis instead of granting it to all
teachers. I also suspect it is best to control access on the LDAP
level, to make sure any LDAP tool can be used to update LDAP with the
correct privileges.
Any opinions on what the future setup for administrative privileges
should look like?
Happy hacking,
--
Petter Reinholdtsen
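As an added illustration of the "original setup" the post argues for (enforced by slapd itself rather than by Gosa), here is a slapd.conf fragment that implements the four levels described above. This is example configuration written for this discussion, not a copy of Debian Edu's own slapd.conf. It assumes the suffix dc=skole,dc=skolelinux,dc=no with ou=People and ou=Group branches, the admin LDAP user as cn=admin,ou=People,... configured as rootdn, the groups cn=admins and cn=jradmins under ou=Group, and the smbadmin account as uid=smbadmin,ou=People,...; all of these names are assumptions. Because posixGroup membership is stored as uid values in memberUid rather than as member DNs, the usual group= clause does not fit, so membership is tested with set ACLs: the intersection of the requester's uid (user/uid) with the group's memberUid values is non-empty exactly when the requester is a member.

```conf
# Example slapd.conf access control for the original Debian Edu admin
# levels. All DNs below are assumptions made for this example.
suffix   "dc=skole,dc=skolelinux,dc=no"

# "admin LDAP user": configured as rootdn it bypasses every access
# directive below, so it can do anything with every object without an
# ACL of its own. Its password goes in rootpw (or in the entry itself).
rootdn   "cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"

# Access directives are evaluated top to bottom: the first "to" clause
# whose target matches decides, and within it the first matching "by"
# clause decides. Comments must not be placed between continuation
# lines of one directive, so each rule is explained above it.

# smbadmin is privileged: only smbadmin itself or a member of admins may
# set its password. Listed first so the general rule below never reaches
# it, which keeps jradmins away from it regardless of later clauses.
access to dn.exact="uid=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" attrs=userPassword
    by anonymous auth
    by self write
    by set="user/uid & [cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/memberUid" write
    by * none

# Passwords of everybody else. "anonymous auth" lets clients bind with a
# password; "self write" is the "all others may change their own
# password" level; admins members may change anyone's password. The
# "this/uid" set matches when the *target* entry is itself an admins
# member and stops evaluation with "none", so jradmins cannot reset an
# admin's password. Only then are jradmins members granted write. Nobody
# else may even read the hashes.
access to attrs=userPassword
    by anonymous auth
    by self write
    by set="user/uid & [cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/memberUid" write
    by set="this/uid & [cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/memberUid" none
    by set="user/uid & [cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no]/memberUid" write
    by * none

# Every other attribute of every object: admins members may create users,
# change group membership and so on; everyone else may only read.
access to *
    by set="user/uid & [cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/memberUid" write
    by * read
```

Two things worth checking before relying on this. First, the rules can be verified offline against the configuration with slapacl, without binding to a running server, for instance `slapacl -f slapd.conf -D "uid=teacher1,ou=People,dc=skole,dc=skolelinux,dc=no" -b "uid=pupil1,ou=People,dc=skole,dc=skolelinux,dc=no" userPassword/write` (the uid values are assumed test entries); it reports whether the bound DN is allowed the requested access on the target. Second, if the directory also stores other password-like attributes (for example Samba password hashes), they need the same protection as userPassword, otherwise the catch-all `access to *` rule lets everyone read them.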