On Tuesday, Feb 11, 2003, at 07:52 America/Vancouver, Ace Suares wrote:
> Hi Blaine,
>
> I've been working along similar lines.
> I use the following tree structure, at the moment:
>
> c=nl
> |------o=domain1,c=NL
> |      |-----cn=ace@domain1,o=domain1,c=NL
> |------o=domain2,c=NL
> etc etc
>
> To let people administer their own domain is fairly easy: just give ldap
> access to the subtree where their domain is under. I use a self-written
> php/ldap webinterface called 'emailmanager' and it's running at great
> satisfaction now for over 2 years.

The problem with this is that given ldap access, a malicious domain administrator could give themselves (or others) excessive permissions; for example, they could add themselves to the posixAccount objectclass, and thereby give themselves shell access. The list of possible exploits goes on...

The ideal situation, as I see it, is that the "domain administrator" (who may or may not be someone I trust) should be given access only to a single attribute of a single LDAP record, rather than a whole tree.

That said, the system you describe above is exactly what I've implemented, although my implementation is much more rudimentary. ;-)

Is there some way to submit feature requests to the Qmail-LDAP crew? If so, this is a feature request! :-)

> PS Did you check out the admin tools that Turbo Fredrikson wrote (PHPQLAdmin I
> believe).

Yes. I was using it earlier, when it was run by the German group (the name escapes me right now), but stopped using it for a while. I can't get the recent Fredrikson version to work, but I've only tried for a total of about five minutes ;-)
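The two access models discussed in this exchange, written out as OpenLDAP slapd.conf ACLs. This is an added illustration, not configuration from either poster or from the qmail-ldap project: the subtree grant in Ace's setup is shown commented out, followed by the attribute-scoped grant Blaine describes, which leaves objectClass and the posixAccount attributes read-only so a domain administrator cannot turn a mail account into a shell account. The DNs cn=admin,o=domain1,c=NL and cn=qmail,c=NL are assumed placeholders; mail, mailAlternateAddress, accountStatus and userPassword are taken as the qmail-ldap user attributes a domain admin would need to manage, and the posixAccount attributes are the RFC 2307 ones.

```conf
# Added example (not from the thread): OpenLDAP slapd.conf ACLs contrasting
# whole-subtree delegation with attribute-scoped delegation.
# Assumed names: cn=admin,o=domain1,c=NL is the hypothetical domain admin,
# cn=qmail,c=NL the bind DN qmail-ldap uses for lookups.
# slapd evaluates "access to" clauses in order and the first clause whose
# target matches decides, so the tight rules must precede the catch-all.

# --- Weak setting: write on the whole domain subtree. The domain admin can
# rewrite objectClass on any entry, including its own, and so add
# posixAccount plus loginShell/homeDirectory.
# access to dn.subtree="o=domain1,c=NL"
#     by dn.exact="cn=admin,o=domain1,c=NL" write
#     by * none

# --- Corrected setting: the domain admin may write only the mail-related
# attributes of entries under its domain (assumed qmail-ldap attribute names).
access to dn.subtree="o=domain1,c=NL"
        attrs=mail,mailAlternateAddress,accountStatus
    by dn.exact="cn=admin,o=domain1,c=NL" write
    by dn.exact="cn=qmail,c=NL" read
    by self read
    by * none

# Passwords: users change their own, the domain admin may reset them,
# anonymous clients may only use the value to authenticate (bind).
access to dn.subtree="o=domain1,c=NL" attrs=userPassword
    by dn.exact="cn=admin,o=domain1,c=NL" write
    by dn.exact="cn=qmail,c=NL" read
    by self write
    by anonymous auth
    by * none

# objectClass and the posixAccount attributes: read-only for everyone
# below the rootdn, which closes the shell-access escalation.
access to dn.subtree="o=domain1,c=NL"
        attrs=objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell
    by dn.exact="cn=admin,o=domain1,c=NL" read
    by dn.exact="cn=qmail,c=NL" read
    by self read
    by * none

# Everything else under the domain: readable by the domain admin and the
# mail system, closed to the world. Without this clause slapd's default
# (read for all) would apply to the remaining attributes.
access to dn.subtree="o=domain1,c=NL"
    by dn.exact="cn=admin,o=domain1,c=NL" read
    by dn.exact="cn=qmail,c=NL" read
    by self read
    by * none
```

One consequence worth knowing before adopting this: an LDAP add operation needs write access to every attribute of the new entry, objectClass included, so with these rules the domain admin can edit existing accounts but cannot create new ones. Account creation then stays with the rootdn or a site-level administrator, which matches the "single attribute of a single record" delegation Blaine asks for; reopening objectClass write for the domain admin would reintroduce the posixAccount problem.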
