UDS Maverick: Call for Blueprints for Ubuntu Server

Javier Palacios javiplx at gmail.com
Thu Apr 29 13:59:27 UTC 2010


On Thu, Apr 29, 2010 at 2:17 PM, Andreas Hasenack <andreas at canonical.com> wrote:
>>> - basic ACLs to protect content that is not even there yet (like
>>> userPassword, krb5key, samba hashes, etc)
>>> - basic ACLs to allow for group-delegated based administration
>>
>> The two points above probably discard using phpldapadmin (and most web
>
> The ACLs?
>
>> tools). I haven't looked for long, but it used a special user with
>> global privileges, so once you log in the web, you can do (nearly)
>> anything.
>
> They probably ask for the rootdn. In that case, just give them the DN of
> a user that is a member of the ldap admin group, it has the exact same
> effect.

Yes, the ACLs, because I'm not thinking of a single user with full
privileges and many users without any privileges.

Let's say I would like the DNS admins to modify their entries, and the
"user" administrator to create or modify user entries. That means
giving any of them only partial privileges. If you use any kind of
'proxy' (such as phpldapadmin) it must be aware of the existing ACLs, and the
most sensible way to accomplish that is to let the ldap server evaluate
them, using direct identification against the ldap server.
The phpldapadmin I remember (it might have evolved) has a single user
and wasn't capable of doing this.

Javier Palacios
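
Added illustration, not part of the original message or of any Ubuntu package: a sketch of OpenLDAP `slapd.conf` access rules for the partial delegation discussed in this thread. The suffix `dc=example,dc=com`, the subtrees `ou=dns` and `ou=people`, and the groups `cn=dnsadmins` and `cn=useradmins` are assumed names.

```conf
# Constructed example; all DNs below are assumptions.
# slapd evaluates these rules against the DN that bound to the server, so a
# web front end only gets per-admin privileges if it binds as the person
# logging in rather than as one shared privileged account.

# Credentials: the owner may change them, user admins may reset them,
# anonymous may only use them to authenticate, nobody may read them.
# Further secret attributes (krb5Key, samba hashes) can be added to the
# attrs= list once their schemas are loaded.
access to attrs=userPassword
    by self write
    by group.exact="cn=useradmins,ou=groups,dc=example,dc=com" write
    by anonymous auth
    by * none

# DNS admins may write only below the DNS subtree.
access to dn.subtree="ou=dns,dc=example,dc=com"
    by group.exact="cn=dnsadmins,ou=groups,dc=example,dc=com" write
    by users read
    by * none

# User admins may create and modify entries only below ou=people.
access to dn.subtree="ou=people,dc=example,dc=com"
    by group.exact="cn=useradmins,ou=groups,dc=example,dc=com" write
    by users read
    by anonymous auth
    by * none

# Everything else: authenticated read, no write for delegated admins.
access to *
    by users read
    by * none
```

With rules of this shape, a member of `cn=dnsadmins` who binds directly gets write access under `ou=dns` and read-only access elsewhere; the same person going through a tool that binds with a single privileged DN would inherit that DN's rights instead.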



