
Admin roles in Debian Edu



What kind of admin roles should we provide out of the box in Debian
Edu/Squeeze?

In Woody, Etch and Lenny, we have provided four admin levels for
users.

 admin LDAP user

    This user can do anything with every LDAP object.  Its default
    password is the installation root password.

 admins posixGroup

    Members of the posixGroup admins would have full access to do
    changes to the LDAP objects.  This allowed them to create users,
    change group membership and change passwords of other users.

 jradmins posixGroup

    Members of the posixGroup jradmins could change the password for
    non-privileged users, i.e. users who are not members of the admins
    group and not the smbadmin user.

 all others

    Without membership of admins or jradmins, a user could only change
    its own password.

In Squeeze, this setup is partly represented in slapd.conf, but
because we have changed the LDAP structure quite a bit, I suspect we
have lost some of these settings.

For Gosa, Andreas has proposed a completely different setup, if I
understand this correctly.

  super-admin LDAP user

    This user can do anything with every LDAP object.  Its default
    password is the installation root password.

  Gosa admin role

    Entities with this role can do anything to every LDAP object.  Not
    quite sure what these entities are, if they are members of a group
    or something else.

  Gosa jradmin role

    Entities with this role can modify some attributes of user and
    group objects.

  user objects in teachers subtree

    Users here get the Gosa jradmin role over all objects in the
    students subtree.

  user objects in students subtree

    Users in this subtree can only change their own password.

The access control with Gosa is done by Gosa itself, and not by
OpenLDAP/slapd, while the original setup enforced the access control
using the LDAP server.

I'm not sure which setup makes the most sense, but the original setup is
simpler and I suspect it fits schools better, allowing the sysadmin to
grant privileges on an individual basis instead of granting it to all
teachers.  I also suspect it is best to control access on the LDAP
level, to make sure any LDAP tool can be used to update LDAP with the
correct privileges.
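As an added illustration of the original, LDAP-enforced model (this is not from the post nor Debian Edu's own slapd.conf), a slapd.conf ACL sketch of the four levels described above; the suffix dc=example,dc=org, the group and user DNs, and the use of posixGroup memberUid set expressions are assumptions:

```conf
# Added example, not Debian Edu's configuration.  DNs and suffix are assumed.

# Level 1: the "admin" LDAP user.  Configured as rootdn it bypasses every
# access directive below, so nothing else needs to mention it.
rootdn  "cn=admin,dc=example,dc=org"

# Passwords of the smbadmin account: only admins members and the owner may
# set it.  Listed first so the more permissive rules below never apply.
# (memberUid holds plain uids, so a set expression is used instead of the
# group clause, which expects DN-valued membership attributes.)
access to dn.exact="uid=smbadmin,ou=People,dc=example,dc=org" attrs=userPassword
        by set="[cn=admins,ou=Group,dc=example,dc=org]/memberUid & user/uid" write
        by self write
        by anonymous auth
        by * none

# Passwords of everybody else.  Order matters: once a "by" clause matches,
# evaluation stops.  The "none" clause keyed on the *target* (this/uid)
# denies jradmins, and everyone else, on accounts that are admins members,
# before the jradmins clause is reached.
access to attrs=userPassword
        by set="[cn=admins,ou=Group,dc=example,dc=org]/memberUid & user/uid" write
        by self write
        by anonymous auth
        by set="this/uid & [cn=admins,ou=Group,dc=example,dc=org]/memberUid" none
        by set="[cn=jradmins,ou=Group,dc=example,dc=org]/memberUid & user/uid" write
        by * none

# Level 2: admins members may change every other attribute of every object;
# levels 3 and 4 (jradmins and ordinary users) only read them.
access to *
        by set="[cn=admins,ou=Group,dc=example,dc=org]/memberUid & user/uid" write
        by * read
```

Because these rules live in slapd, they hold for GOsa, ldapmodify, or any other client that binds as the user, which is the property argued for above.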

Any opinions on what the future setup for administrative privileges
should look like?

Happy hacking,
-- 
Petter Reinholdtsen

