Hi Marcelo,
Even though LiPi has been very gentle and the kind of person you
(don't) want on this list, let me explain what I think is happening.
LiPi is right in that this isn't a specific LDAP issue.
On most any default Unix system, one can type su - username and become
that user, which is what I've always done to debug env issues relating
to users, user login behavior, etc.
I say most any as I've not played around with all of the Unix/Linux
systems in the world.
However, your question is more of a "how do I harden my Unix system?"
question, which is for another list.
Do a search for "hardening systems from root users" or something like
that.
I would also refrain from giving the system specifics that LiPi
requested, as those can potentially pose a security threat; I'm sure
there are evil-doers watching any list.
You may also want to explore SELinux.
- Brian
On Mar 23, 2009, at 11:56 AM, LiPi - wrote:
You MUST give more information about your system, configs, etc. if you
want an answer.
I suppose that you have an OpenLDAP server acting as a user account
store, and it is allowing the LDAP users to log in to the system. So if
you do a getent passwd you will get all users from the server
(local + LDAP).
Logging in as root gives you all the privileges (uid 0), and unless you
uninstall su I think that you will not be able to do what you want.
The root user must only be logged in by the root (administrator).
I also think that this is not an ldap question.
2009/3/23 Marcelo Gomes <marmitsbr(a)yahoo.com.br>:
>
> Hi!
>
> In my network, when a client logs in as root (local), he can
> type "su -l" and become any other user from LDAP.
>
> How can I block this?
>
>
> thanks
>
> Marcelo Gomes
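The two points made in the replies above (a local root can "su - username" into any account the host resolves, and "getent passwd" shows local and LDAP accounts merged) as a small added check, not code from the thread or from OpenLDAP: it lists the accounts that come only from NSS, which on a host using nss_ldap is the set of directory users that root can switch into. The sample passwd data, the login names and the nss_only_users function are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. On a host that resolves accounts
# through nss_ldap, `getent passwd` returns local and directory users merged;
# this lists the names that come only from NSS (i.e. from LDAP), which is the
# set of accounts a local root can `su - name` into without a password.
# The sample data below is constructed; pass --live to compare the real host.

# nss_only_users GETENT_TEXT LOCAL_TEXT
#   GETENT_TEXT: passwd(5)-format lines as printed by `getent passwd`
#   LOCAL_TEXT:  the content of /etc/passwd
#   Prints the login names present in the first but absent from the second,
#   one per line, sorted and de-duplicated.
nss_only_users() {
    tmp_local=$(mktemp) || return 1
    printf '%s\n' "$2" > "$tmp_local"
    # First input (the local file) fills the lookup table; the second input,
    # read from stdin, is filtered against it. FILENAME is compared instead of
    # the usual NR==FNR trick so an empty local file still works.
    printf '%s\n' "$1" | awk -F: -v lf="$tmp_local" '
        FILENAME == lf                 { local_user[$1] = 1; next }
        NF >= 7 && !($1 in local_user) { print $1 }
    ' "$tmp_local" - | sort -u
    status=$?
    rm -f "$tmp_local"
    return "$status"
}

# Constructed sample: three local accounts, plus two served from LDAP that
# appear only in the getent output.
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1000:1000:Local user:/home/jdoe:/bin/bash'

SAMPLE_GETENT="$SAMPLE_LOCAL
alice:x:10001:10000:Alice (LDAP):/home/alice:/bin/bash
bob:x:10002:10000:Bob (LDAP):/home/bob:/bin/bash"

# Demo: the constructed sample by default, or the live host with --live
# (reads only world-readable data, so root is not needed).
if [ "${1:-}" = "--live" ]; then
    nss_only_users "$(getent passwd)" "$(cat /etc/passwd)"
else
    nss_only_users "$SAMPLE_GETENT" "$SAMPLE_LOCAL"
fi
```

This only enumerates what a local root can already reach; it blocks nothing, because a uid 0 process can change its uid with or without the su binary, which is the point the replies make.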