[29942] in Kerberos


Re: Kerberos Ldap Integration

daemon@ATHENA.MIT.EDU (Rodrigo Castro)
Tue Jun 10 10:08:23 2008

Message-ID: <a99e3f890806100706q13f96a7cv1d63e737d2027c89@mail.gmail.com>
Date: Tue, 10 Jun 2008 11:06:41 -0300
From: "Rodrigo Castro" <rdccosmo@gmail.com>
To: "Daniel Savard" <daniel.savard@gmail.com>
In-Reply-To: <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

I guess I haven't made myself clear. In my work environment we have many
labs. Some of them have root privileges to administrate their own lab. So
with their root account they can become any ldapuser. This is undesirable.
Is there any kerberos/ldap configuration to disable this?

On Tue, Jun 10, 2008 at 10:28 AM, Daniel Savard <daniel.savard@gmail.com>
wrote:

> You cannot prevent root to su to any other local user.  This is why root is
> called a superuser. This has nothing to do with Kerberos or LDAP, this is an
> OS issue. If the idea is to prevent access by the sysadmin to the ldapuser,
> you should simply be the sysadmin yourself. If you don't trust your sysadmin
> I fear you have no other choice than being it.
>
> 2008/6/10 Rodrigo Castro <rdccosmo@gmail.com>:
>
> > Hi, I don't know if this is the right place to ask, but I've been striving
> > to prevent local root su ldapuser, although failed so far. I've already
> > configured kerberos to work with ldap following this page
> > http://www.bayour.com/LDAPv3-HOWTO.html
> > Any help is appreciated.
> >
> > On Thu, May 29, 2008 at 10:37 AM, gaurav bagga <gaurav.v.bagga@gmail.com>
> > wrote:
> >
> > > Hi Turbo,
> > >
> > > Thanks for the link...
> > > I am able to link ldap and kerberos, I can add principals from kadmin and
> > > they get added in ldap.
> > >
> > > But one problem still remains.
> > > I want to mix in Kerberos principal attributes to a directory entry of the
> > > people objectclass which has userPassword. I want this password to be used
> > > by kdc.
> > >
> > > Is such a thing possible? I went through the schema and found that
> > > 'krbUPEnabled' helps in achieving this but how can one set this attribute?
> > >
> > > I am fairly new to this kerberos and ldap stuff so excuse me if I ask
> > > something that's silly.
> > >
> > > If someone has to automate the process of adding principals what are the
> > > possible solutions?
> > > Using scripts?  Is that a good way?
> > >
> > > Thanks and Regards,
> > > Gaurav
> > >
> > > On Thu, May 29, 2008 at 1:45 AM, Turbo Fredriksson <turbo@bayour.com>
> > > wrote:
> > >
> > > > >>>>> "gaurav" == gaurav bagga <gaurav.v.bagga@gmail.com> writes:
> > > >
> > > >    gaurav> Hi all, I am trying to integrate Kerberos and Ldap but not
> > > >    gaurav> happy with what I have achieved till now. I'll really
> > > >    gaurav> appreciate if anyone can help/guide by giving pointers
> > > >    gaurav> towards *good articles* which give information regarding
> > > >    gaurav> the steps to be performed in doing the same.
> > > >
> > > > Have a look at http://bayour.com/LDAPv3-HOWTO.html
> > > >
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos@mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > >
> >
> >
> >
> > --
> > __________________________________
> > Rodrigo de Castro Cosme
> > Ciência da Computação - Universidade Federal do Espírito Santo
> > Suporte mailing list - suporte@inf.ufes.br
> > MSN - rdccosmo@gmail.com
> >
>
>
>
> --
> -----------------
> Daniel Savard
>



-- 
__________________________________
Rodrigo de Castro Cosme
Ciência da Computação - Universidade Federal do Espírito Santo
Suporte mailing list - suporte@inf.ufes.br
MSN - rdccosmo@gmail.com

