Re: Ldap and root access on workstations

["Justin Ryan" <justizin@vongogo.org>]

On Mon, Sep 15, 2008 at 5:37 PM, Nick Rathke <nick.rathke@gmail.com> wrote:
> HI,
>
> I have what I hope is an easy question ( and I hope this is the right place
> to post this ).
>
> I have a situation where we are using openldap and a large number of users
> who also have local root level access to their own workstations.
>
> Is there a way in ldap to allow root access without letting them su to
> another user ? Is there some ACL that I can put into place that would
> prevent this ?
>

You want the root account to be stored in LDAP, or to give some people
access to sudo, but only to root?

Once you give away root, usually all bets are off, but you might find
that SElinux or AppArmor can help with this, if you control sudo's
behaviour, or somesuch.

You can configure any authorization you want based on some attributes
in LDAP, but you need some software to implement that - libnss_ldap
doesn't do that for you. ;)

Peace,

J

PS - I hope you are using something more secure than LDAP to store
your secrets, like Kerberos, esp if you are granting root access.
Once you're mucking with LDAP, KRB5 is not much trouble at all and
available trouble-free on most GNU/Linux distros which support LDAP.

-- 
Justin Alan Ryan
Independent Interaction Architect
http://www.bitmonk.net/
* : +1-415-226-1199 x2600

"All because of a bunch of stuff that happened.."
 -Homer Simpson
"The best way to get in touch with me is PayPal.
 -Alexander Limi

This communication is Proprietary and Confidential and may not be
reproduced under any terms without direct prior written consent of
its' author, unless implied by participation on a publicly archived
mailing list.