On Mon, Sep 15, 2008 at 5:37 PM, Nick Rathke nick.rathke@gmail.com wrote:
> Hi,
> I have what I hope is an easy question (and I hope this is the right place to post this).
> I have a situation where we are using openldap and a large number of users who also have local root level access to their own workstations.
> Is there a way in ldap to allow root access without letting them su to another user? Is there some ACL that I can put into place that would prevent this?
You want the root account to be stored in LDAP, or to give some people access to sudo, but only to root?
Once you give away root, usually all bets are off, but you might find that SELinux or AppArmor can help with this, if you control sudo's behaviour, or some such.
You can configure any authorization you want based on some attributes in LDAP, but you need some software to implement that - libnss_ldap doesn't do that for you. ;)
Peace,
J
PS - I hope you are using something more secure than LDAP to store your secrets, like Kerberos, esp. if you are granting root access. Once you're mucking with LDAP, KRB5 is not much trouble at all and available trouble-free on most GNU/Linux distros which support LDAP.
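An added illustration of the "control sudo's behaviour" route from the reply above; this is not from the thread or from any of the posters. It assumes a hypothetical LDAP group `ws-admins` that libnss_ldap already exposes to the host (so `getent group ws-admins` works), and it uses sudo's own policy language to do the authorization that the reply notes LDAP alone will not do for you. The command paths are typical Linux locations and should be checked against the real host.

```sudoers
# Constructed example for /etc/sudoers (edit with visudo). Not from the thread.
# Group "ws-admins" is a hypothetical LDAP group resolved through nss.

# Things we never want run via sudo: shells and anything that changes identity.
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/dash, /bin/csh, /bin/ksh
Cmnd_Alias SU     = /bin/su, /usr/bin/su, /usr/bin/sudo, /usr/bin/login

# The allow-list of administrative tasks a workstation owner actually needs.
Cmnd_Alias ADMIN  = /sbin/reboot, /sbin/shutdown, /usr/bin/apt-get, \
                    /bin/mount, /bin/umount, /sbin/service

# Members of ws-admins may run ADMIN as root on any host sudoers is deployed to,
# but never su, sudo, or a shell. NOEXEC keeps an allowed program (an editor
# or pager spawned by apt-get, for instance) from exec'ing a shell on the way out.
%ws-admins ALL = (root) NOEXEC: ADMIN, !SHELLS, !SU

# Log every invocation so the audit trail lives outside the workstation owner's reach.
Defaults:%ws-admins syslog=authpriv, log_input, log_output
```

The design point is that the `!SHELLS, !SU` negations only mean something because `ADMIN` is an explicit allow-list; a rule of the form `ALL, !SU` is defeated by copying `su` to another path, and any allowed command that can spawn a child process is a shell escape unless `NOEXEC` is in effect, which is exactly the "all bets are off" caveat in the reply. To stop `su` itself rather than `sudo su`, the complementary control is `pam_wheel` in `/etc/pam.d/su` (`auth required pam_wheel.so use_uid group=wheel`), with `wheel` membership likewise served from LDAP.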