Justin Ryan wrote:
On Mon, Sep 15, 2008 at 5:37 PM, Nick Rathke <nick.rathke@gmail.com> wrote:
Hi,
I have what I hope is an easy question (and I hope this is the right place to post this).
I have a situation where we are using openldap and a large number of users who also have local root level access to their own workstations.
Is there a way in LDAP to allow root access without letting them su to another user? Is there some ACL that I can put into place that would prevent this?
You want the root account to be stored in LDAP, or to give some people access to sudo, but only to root?
Once you give away root, usually all bets are off, but you might find that SELinux or AppArmor can help with this, if you control sudo's behaviour, or some such.
You can configure any authorization you want based on some attributes in LDAP, but you need some software to implement that - libnss_ldap doesn't do that for you. ;)
All of the above is true. Once you give someone root access, whether their credentials came from LDAP, local files, NIS, or wherever is totally irrelevant. As such, the original question (can I compartmentalize superuser access) really has nothing to do with LDAP.
PS - I hope you are using something more secure than LDAP to store your secrets, like Kerberos, esp. if you are granting root access. Once you're mucking with LDAP, KRB5 is not much trouble at all and available trouble-free on most GNU/Linux distros which support LDAP.
That's a pretty empty statement. "More secure than LDAP" creates the false implication that there is something inherently insecure about LDAP storage. In fact anything stored in LDAP is as secure as you choose to make it. And of course, there are plenty of sites out there running Kerberos using LDAP as the data store of their KDC.
Facts are good. FUD is not.
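As an added illustration that is not part of the thread above: the "some software to implement that" in Justin's reply is, in practice, sudo with its LDAP back end, which reads sudoRole entries from the directory instead of /etc/sudoers. The entry below is a hypothetical sudoRole in the sudoers LDAP schema (the user, hostname, cn and base DN are made up for the example) granting a workstation owner root on his own machine only. It assumes sudo built with LDAP support, `sudoers: ldap files` in /etc/nsswitch.conf, and a `sudoers_base` pointing at ou=SUDOers in sudo's LDAP configuration file.

```ldif
# Hypothetical sudoRole entry (added example; names and DNs are made up).
dn: cn=ws-owner-nick,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ws-owner-nick
# who may run commands through sudo
sudoUser: nick
# only on this user's own workstation, never on other hosts
sudoHost: nick-ws.example.com
# target user is restricted to root, so "sudo -u alice ..." is refused
sudoRunAsUser: root
sudoCommand: ALL
# an attempt to forbid su; see the note below on why this does not hold
sudoCommand: !/bin/su
sudoOrder: 10
```

`sudoRunAsUser: root` answers the literal question (sudo will not run commands as any other user), but the `!/bin/su` line does not: the sudoers manual states that subtracting commands from ALL with `!` is not effective, because the user can copy /bin/su to another name and run that, and with ALL as root he can simply `sudo -i` and run su from the resulting root shell. That is the "once you give away root, all bets are off" point made in the thread; the exclusion is shown only to make the limitation concrete, and the same limitation applies whether the rule lives in LDAP or in /etc/sudoers.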