[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Too many admin users in Debian Edu/Squeeze?

Hi Petter,

On Mi 11 Jan 2012 23:36:25 CET Petter Reinholdtsen wrote:


I suspect these many administrative users will confuser the local

I agree with the confusion factor here.

I propose we drop the localadmin user, and instead set up a LDAP user
for the same purpose.

When I set up LDAP based networks, I always have a local user that is not in LDAP and not root. Since Ubuntu, using sudo is common practice and I rather would like to propose that the root account is not used at all, but to provide (continue providing) a fully functional local sudo-able account (like localadmin, the name may be different, of course).

I propose we drop the current admin user, and rename the super-admin GOsa user to admin. We should also try to make
this user authenticate using Kerberos.

GOsa² won't authenticate against Kerberos credentials. GOsa² uses x_simple_bind.

This way we end up with a user
with 8 characters or less in the name (avoids problems with top, w and
other command line tools), we get a user that can have its password
changed in GOsa, and provide a non-root user that can be used for the
initial login to create more LDAP users.  We also reduce the password
change required to one on each machine and one in LDAP.  And the admins
used with our Lenny version will still be able to use the 'admin' user
for the LDAP administration.  In addition, the initial user will have a
Kerberos ticket we can use in the future to log into Gosa, Nagios, CUPS,
etc and get single sign on for these web services. :)

My suggestion would be instead:

  1. rename localadmin -> admin, keep it locally, on every machine in
     /etc/passwd, force it to uidNumber 1000, gidNumber 1000
  2. drop the super-admin DN for GOsa and use
  3. add posixAccount and Kerberos information to
     with duplicate uidNumber 1000, gidNumber 1000
     but keep the cn=admin item hidden from GOsa²
  4. Provide a script in debian-edu-config to change the password
       -> for admin in /etc/passwd
       -> + on main-server: for Kerberos principal admin
       -> + on main-server: for userPassword of the LDAP object
       -> + (maybe?): local root account(?)

The trick is the duplicate entry of ,,admin'' in /etc/passwd and LDAP. With this hack you can have a global ,,admin'' password on site and a local ,,admin'' password per workstation. You can still use the local ,,admin''s password to login to a workstation, but if you decide to change the site password for ,,admin'' then that one should work as well.

Did I misunderstand the purpose of some of these users?  Anyone see a
problem with this new proposal?

I guess the history is to implement new features without touching already existing setups (so probably it was just being careful with the already performed work of other developers). My guess.

I am aware that this will require changes to the documentation, but
believe the resulting documentation will be easier to write and easier
to understand, as the local administrator only need to cope with two
administrative users.  There will be one local (root), and one in LDAP

Yes. Would be sexy... ;-)



mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


Attachment: pgpR60fNVSckh.pgp
Description: Digitale PGP-Unterschrift

Reply to: