On Mon, Sep 15, 2008 at 5:37 PM, Nick Rathke<nick.rathke@gmail.com> wrote:
Hi,
I have what I hope is an easy question (and I hope this is the right place
to post this).
I have a situation where we are using openldap and a large number of users
who also have local root level access to their own workstations.
Is there a way in LDAP to allow root access without letting them su to
another user? Is there some ACL that I can put into place that would
prevent this?
You want the root account to be stored in LDAP, or to give some people
access to sudo, but only to root?
Once you give away root, usually all bets are off, but you might find
that SELinux or AppArmor can help with this, if you control sudo's
behaviour, or some such.
You can configure any authorization you want based on some attributes
in LDAP, but you need some software to implement that - libnss_ldap
doesn't do that for you. ;)
PS - I hope you are using something more secure than LDAP to store
your secrets, like Kerberos, esp. if you are granting root access.
Once you're mucking with LDAP, KRB5 is not much trouble at all and
available trouble-free on most GNU/Linux distros which support LDAP.
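One way to keep the authorization rule in LDAP and let sudo enforce it, as an added example that is not part of this thread: a sudoRole entry in sudo's LDAP schema, which sudo reads directly when built with LDAP support. The container name, domain, user and host below are assumed placeholders.

```ldif
# Constructed example: one sudoRole entry under the SUDOers container.
# sudo evaluates these attributes itself; nss_ldap only resolves users
# and groups and enforces nothing.
dn: cn=ws01-root,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ws01-root
# The workstation owner (assumed account name)
sudoUser: jdoe
# Restrict the rule to that user's own workstation, not ALL hosts
sudoHost: ws01.example.com
# Only root may be the target user, so "sudo -u alice ..." is refused
sudoRunAsUser: root
sudoCommand: ALL
```

sudoRunAsUser only limits what sudo will do; once the user has a root shell, su to any local account works again, which is the "all bets are off" point above. Older sudo releases used the attribute sudoRunAs instead of sudoRunAsUser.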