Kerberos Ldap Integration

Rodrigo Castro rdccosmo at gmail.com
Tue Jun 10 10:06:41 EDT 2008


I guess I haven't made myself clear. In my work environment we have many
labs. Some of them have root privileges to administrate their own lab. So
with their root account they can become any ldapuser. This is undesirable.
Is there any kerberos/ldap configuration to disable this?

On Tue, Jun 10, 2008 at 10:28 AM, Daniel Savard <daniel.savard at gmail.com>
wrote:

> You cannot prevent root to su to any other local user.  This is why root is
> called a superuser. This has nothing to do with Kerberos or LDAP, this is an
> OS issue. If the idea is to prevent access by the sysadmin to the ldapuser,
> you should simply be the sysadmin yourself. If you don't trust your sysadmin
> I fear you have no other choice than being it.
>
> 2008/6/10 Rodrigo Castro <rdccosmo at gmail.com>:
>
> > Hi, I don't know if this is the right place to ask, but I've been striving
> > to prevent local root su ldapuser, although failed so far. I've already
> > configured kerberos to work with ldap following this page
> > http://www.bayour.com/LDAPv3-HOWTO.html
> > Any help is appreciated.
> >
> > On Thu, May 29, 2008 at 10:37 AM, gaurav bagga <gaurav.v.bagga at gmail.com>
> > wrote:
> >
> > > Hi Turbo,
> > >
> > > Thanks for the link...
> > > I am able to link ldap and kerberos, I can add principals from kadmin and
> > > they get added in ldap.
> > >
> > > But one problem still remains.
> > > I want to mix in Kerberos principal attributes to a directory entry of the
> > > people objectclass which has userPassword. I want this password to be used
> > > by kdc.
> > >
> > > Is such a thing possible? I went through the schema and found that
> > > 'krbUPEnabled' helps in achieving this but how can one set this attribute.
> > >
> > > I am fairly new to this kerberos and ldap stuff so excuse me if I ask
> > > something that's silly.
> > >
> > > If someone has to automate the process of adding principals what are the
> > > possible solutions?
> > > Using scripts?  Is that a good way?
> > >
> > > Thanks and Regards,
> > > Gaurav
> > >
> > > On Thu, May 29, 2008 at 1:45 AM, Turbo Fredriksson <turbo at bayour.com>
> > > wrote:
> > >
> > > > >>>>> "gaurav" == gaurav bagga <gaurav.v.bagga at gmail.com> writes:
> > > >
> > > >    gaurav> Hi all, I am trying to integrate Kerberos and Ldap but not
> > > >    gaurav> happy with what I have achieved till now. I'll really
> > > >    gaurav> appreciate if any one can help/guide by giving pointers
> > > >    gaurav> towards *good articles* which give information regarding
> > > >    gaurav> the steps to be performed in doing the same.
> > > >
> > > > Have a look at http://bayour.com/LDAPv3-HOWTO.html
> > > >
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > >
> >
> >
> >
> > --
> > __________________________________
> > Rodrigo de Castro Cosme
> > Ciência da Computação - Universidade Federal do Espírito Santo
> > Suporte mailing list - suporte at inf.ufes.br
> > MSN - rdccosmo at gmail.com
> >
>
>
>
> --
> -----------------
> Daniel Savard
>



-- 
__________________________________
Rodrigo de Castro Cosme
Ciência da Computação - Universidade Federal do Espírito Santo
Suporte mailing list - suporte at inf.ufes.br
MSN - rdccosmo at gmail.com


