[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ldap and root access on workstations

Justin Ryan wrote:
On Mon, Sep 15, 2008 at 5:37 PM, Nick Rathke<nick.rathke@gmail.com> wrote:

I have what I hope is an easy question ( and I hope this is the right place
to post this ).

I have a situation where we are using openldap and a large number of users
who also have local root level access to their own workstations.

Is there a way in ldap to allow root access without letting them su to
another user ? Is there some ACL that I can put into place that would
prevent this ?

You want the root account to be stored in LDAP, or to give some people access to sudo, but only to root?

Once you give away root, usually all bets are off, but you might find
that SElinux or AppArmor can help with this, if you control sudo's
behaviour, or somesuch.

You can configure any authorization you want based on some attributes
in LDAP, but you need some software to implement that - libnss_ldap
doesn't do that for you. ;)

All of the above is true. Once you give someone root access, whether their credentials came from LDAP, local files, NIS, or wherever is totally irrelevant. As such, the original question (can I compartmentalize superuser access) really has nothing to do with LDAP.

PS - I hope you are using something more secure than LDAP to store
your secrets, like Kerberos, esp if you are granting root access.
Once you're mucking with LDAP, KRB5 is not much trouble at all and
available trouble-free on most GNU/Linux distros which support LDAP.

That's a pretty empty statement. "More secure than LDAP" creates the false implication that there is something inherently insecure about LDAP storage. In fact anything stored in LDAP is as secure as you choose to make it. And of course, there are plenty of sites out there running Kerberos using LDAP as the data store of their KDC.

Facts are good. FUD is not.
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/