
Re: Too many admin users in Debian Edu/Squeeze?



[Mike Gabriel]
> Hi Petter,

Hi, Mike.

> I agree with the confusion factor here.

Great.  Then let's try to reduce it. :)

> When I set up LDAP based networks, I always have a local user that is
> not in LDAP and not root. Since Ubuntu, using sudo is common practice
> and I rather would like to propose that the root account is not used
> at all, but to provide (continue providing) a fully functional local
> sudo-able account (like localadmin, the name may be different, of
> course).

When it is impossible to log into the root account, having another local
account in /etc/passwd definitely makes sense.  But each local user on
each system comes with the burden of keeping the password for that user
up-to-date.  Where I work, we do not provide such local users as the
pain of changing the passwords outweighs the advantages.  If we need to
log in and the root user is broken, we fetch a rescue USB stick.  I can
not remember when that happened the last time.

> GOsa² won't authenticate against Kerberos credentials. GOsa² uses
> x_simple_bind.

Right.  Too bad, but then we will just have to handle that. :/

> My suggestion would be instead:
> 
>    1. rename localadmin -> admin, keep it locally, on every machine in
>       /etc/passwd, force it to uidNumber 1000, gidNumber 1000
>    2. drop the super-admin DN for GOsa and use
>       cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
>    3. add posixAccount and Kerberos information to
>       cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
>       with duplicate uidNumber 1000, gidNumber 1000
>       but keep the cn=admin item hidden from GOsa²

Having two different users with different password strings but the same
name is going to lead to most admins only changing the password in
LDAP/Kerberos, and leaving the local admin user behind.  That is too
high a security risk to put on the school admins.

I believe it is better to drop the localadmin account completely, ask
the admin during installation of the main-server for his name, username
and password, and create an LDAP/Kerberos user using this information.  This
way the local admin will get his normal account right away, and at least
one non-personal account goes away.  I am quite close to having this
working.

We will still have the root, admin and super-admin accounts with the
initial root password, but at least one step closer.

We could consider merging the first user and the super-admin user to
reduce the set to 'root' in /etc/passwd and 'admin' in LDAP.

This way the first time user/admin will know which username and password
to use when logging into GOsa to create the rest of the users.
-- 
Happy hacking
Petter Reinholdtsen

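The risk Petter describes above (a local /etc/passwd account and an LDAP posixAccount sharing a name or uidNumber 1000, with two separate password stores that drift apart) can be audited mechanically. The following check is an added example, not code from the thread or from Debian Edu; the passwd lines and LDIF dump are constructed sample data, and the DNs reuse the ones quoted in the mail.

```python
"""Audit for accounts duplicated between /etc/passwd and LDAP: same
login name, or same uidNumber under two names.  Each hit is an account
whose password must be kept in sync by hand (the drift risk in the thread)."""
import re

# Constructed sample data, not taken from a real Debian Edu main-server.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Local admin:/home/admin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

LDAP_LDIF = """\
dn: cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
uid: admin
uidNumber: 1000
gidNumber: 1000

dn: uid=petter,ou=people,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
uid: petter
uidNumber: 1001
gidNumber: 1001
"""

def parse_passwd(text):
    """Return {username: uidNumber} from passwd(5) formatted lines."""
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            accounts[fields[0]] = int(fields[2])
    return accounts

def parse_ldif_posix(text):
    """Return {uid: uidNumber} for every posixAccount entry in an LDIF dump."""
    accounts = {}
    for entry in re.split(r"\n\s*\n", text.strip()):  # entries are blank-line separated
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        if "posixAccount" in attrs.get("objectClass", []):
            accounts[attrs["uid"][0]] = int(attrs["uidNumber"][0])
    return accounts

def find_collisions(local, ldap):
    """List (reason, name) pairs for names or uidNumbers present in both stores."""
    issues = [("duplicate-name", n) for n in sorted(set(local) & set(ldap))]
    ldap_by_uid = {num: name for name, num in ldap.items()}
    for name, num in local.items():
        other = ldap_by_uid.get(num)
        if other is not None and other != name:
            issues.append(("duplicate-uidNumber", f"{name}/{other}"))
    return issues

if __name__ == "__main__":
    for issue in find_collisions(parse_passwd(LOCAL_PASSWD), parse_ldif_posix(LDAP_LDIF)):
        print(*issue)
```

On a live system the same two parsers can be fed `getent passwd` output and an `ldapsearch` LDIF dump instead of the embedded samples.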