Users, groups and management

Concepts of administrator

- Root user on machine
- Unix admin user on machine (but OK since it is in LDAP)
- LDAP administrator
- Samba Administrator (user in LDAP)
  - This Administrator password is used on Windows clients that are being configured as members of the domain.
- Cyrus administrator (by default, a user not in LDAP)

We probably want to replace the concept of Cyrus administrator with that of "Administrator" in LDAP.

Mark blathers about administrators... probably needs severe reality check...

- The "administrator of administrators" is the LDAP administrator, as
  - all other admins can be in LDAP
  - other systems on the network can authenticate their administrators against LDAP. They use SSL to verify they're talking to the right server.
- LDAP integration of Samba and perhaps the IMAP server require the LDAP administrator password to be embedded into scripts
  - so the key password is that of root or of any user who can sudo to root
  - and the LDAP administrator password cannot be changed if it is embedded in scripts
- Possible ways out of this conundrum:
  - All software that interacts with LDAP has this password coded into its scripts - in which case the software must authenticate its user against LDAP.
  - Can LDAP administration be delegated - preferably by sub-tree? YES
  - Could these subsystems interact with OpenLDAP via an account other than the top-level administrator account?
- Root is not needed on Ubuntu; one can just rely on the capability of the "admin" user to sudo
- Samba
  - Arbitrary users can be designated as domain admins (see http://lists.samba.org/archive/samba/2003-September/073608.html)
- Cyrus
  - If all interactions with Cyrus can be scripted, this password can be embedded in the scripts like the LDAP administrator password.
  - If not, can the Cyrus admin user be the same as the Samba admin user, and the Samba admin scripts receive that password and use it for Cyrus admin?
- If scripts need an embedded password, can this be kept in one file and read in by all the scripts that need it?
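One way to put the two ideas above together (delegating LDAP administration by sub-tree to a service account, and keeping that account's password in a single file that every admin script reads) is sketched below. This is an added shell example, not code from these notes or from Samba, Cyrus or OpenLDAP; the suffix dc=example,dc=com, the cn=samba-svc service account, the olcDatabase={1}mdb index and the path /etc/server-admin/ldap-svc.secret are all assumptions for the example. With the ACL in place, no script needs the top-level LDAP administrator (rootdn) password at all, so that password can be changed freely.

```shell
#!/bin/sh
# Added example (not from the original notes).
# 1. A dedicated service account in LDAP is granted write access only to the
#    sub-trees it needs (ou=People, ou=Groups) via OpenLDAP olcAccess rules,
#    so no script ever holds the top-level LDAP administrator (rootdn) password.
# 2. That service account's password lives in exactly one root-owned 0600 file,
#    which every admin script passes to ldap* tools with -y, never as a
#    command-line argument (argv is visible to every local user via ps).
# All DNs, paths and the database index below are assumptions for the example.

SUFFIX="dc=example,dc=com"
SVC_DN="cn=samba-svc,ou=Services,${SUFFIX}"
SECRET_FILE="${SECRET_FILE:-/etc/server-admin/ldap-svc.secret}"   # hypothetical path

# Refuse to use a secrets file unless it is a regular file readable by its
# owner only. Returns 0 when the file is acceptable, 1 otherwise.
check_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "secret file missing: $f" >&2; return 1; }
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing $f: mode ${mode:-unknown}, expected 600 or 400" >&2; return 1 ;;
    esac
}

# LDIF that delegates administration of the People and Groups sub-trees to the
# service account. OpenLDAP evaluates olcAccess rules in order, first match
# wins; the rootdn bypasses them entirely, which is why it must stay out of
# the scripts. The "{1}mdb" database index is an assumption; check yours with
# "ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase".
delegation_ldif() {
    cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="${SVC_DN}" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=People,${SUFFIX}"
  by dn.exact="${SVC_DN}" write
  by users read
  by * none
olcAccess: {2}to dn.subtree="ou=Groups,${SUFFIX}"
  by dn.exact="${SVC_DN}" write
  by users read
  by * none
olcAccess: {3}to *
  by users read
  by * none
EOF
}

# Applied once by the Server Administrator as root over the local ldapi socket
# (SASL EXTERNAL), which needs no password at all.
apply_delegation() {
    delegation_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Day-to-day scripts bind as the service account and read its password from
# the single secrets file with -y. Note that -y uses the file contents
# verbatim, trailing newline included, so create the file with
# printf '%s' "$password" > "$SECRET_FILE" rather than echo.
ldap_as_service() {
    check_secret_file "$SECRET_FILE" || return 1
    ldapmodify -x -H ldapi:/// -D "$SVC_DN" -y "$SECRET_FILE" "$@"
}

# A User Administrator task that never touches the LDAP administrator password.
add_person() {
    uid="$1"; cn="$2"
    printf 'dn: uid=%s,ou=People,%s\nobjectClass: inetOrgPerson\ncn: %s\nsn: %s\n' \
        "$uid" "$SUFFIX" "$cn" "$cn" | ldap_as_service -a
}
```

The same pattern covers the Cyrus case: a Cyrus admin account whose password sits in the same kind of 0600 file, read by the scripts that need it, rather than being typed into or hard-coded in each script.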
It seems that there are two kinds of administrator role:

- Server Administrator
  - Performs integration and maintenance of the server
  - The only user allowed to log in to the server
  - Linux skills required
  - Needs the server "admin" password (which unlocks the LDAP administrator too)
- User Administrator - day-to-day admin
  - Adds client computers to the domain
  - Adds users and groups
  - Configures mail collection and forwarding
  - Manages backups and recovery of user files from backup
  - On reboot of a VM host, must enter password(s) for encrypted file systems
    - Could be a hassle... maybe we can make the VM hosts retrieve the password from a server? YES, using a client cert for authentication.
  - Other than this, only knows Microsoft systems (and Mac if we're lucky!)
  - Needs the Samba & Cyrus admin password (hence ideal if these are one and the same - or the Cyrus password is embedded)
