> The problem with this is that given ldap access, a malicious domain
> administrator could give themselves (or others) excessive permissions;
> for example, they could add themselves to the posixAccount objectclass,
> and thereby give themselves shell access. The list of possible exploits
> goes on...
You definitely need to go to the open-ldap list at openldap.org!

The problems you describe are *not* there at all! Depends, of course, how you write your ACLs and your web interface. But it's very well possible to do it right. In the FAQ at openldap.org there's a lot of info now on writing good ACLs.

In qwido, I plan such things as group administrators (those that administer multiple domains) and per-service administrators (those that only administer the email of one certain domain) etc. etc.

Greetings, ace
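
One way to write the ACLs the reply is talking about, as an added slapd.conf example that is not from the thread or from qwido. It assumes a constructed directory layout: each hosted domain lives at dc=<domain>,ou=domains,dc=example,dc=com, its mail accounts sit in ou=people below that, and its administrators are the members of a groupOfNames called cn=admins below that. slapd evaluates rules in order and the first matching "access to" wins, so the rules that keep posixAccount and the POSIX attributes out of a domain admin's reach come first.

```conf
# Constructed example, not qwido's configuration. The rootdn bypasses ACLs,
# so only the directory manager can do what the rules below forbid.

# Also apply attribute-level ACLs to the content of newly added entries,
# otherwise a domain admin could create a fresh posixAccount entry.
add_content_acl on

# 1. The posixAccount value of objectClass is read-only for everyone under
#    ou=domains: a domain admin can add mail-related object classes to an
#    account but cannot turn it into a shell login.
access to dn.subtree="ou=domains,dc=example,dc=com"
    attrs=objectClass val=posixAccount
    by * read

# 2. Same for the attributes that only a shell account needs.
access to dn.subtree="ou=domains,dc=example,dc=com"
    attrs=uidNumber,gidNumber,homeDirectory,loginShell
    by * read

# 3. Admin groups are read-only for everyone, so a domain admin cannot add
#    themselves or others to their own (or another domain's) admin group.
access to dn.regex="^cn=admins,dc=[^,]+,ou=domains,dc=example,dc=com$"
    by * read

# 4. Passwords: a user changes their own, the admins of that user's domain
#    ($1 is the domain captured from the entry DN) may reset it, and
#    everybody else may only bind with it.
access to dn.regex="^uid=[^,]+,ou=people,dc=([^,]+),ou=domains,dc=example,dc=com$"
    attrs=userPassword
    by self write
    by group.expand="cn=admins,dc=$1,ou=domains,dc=example,dc=com" write
    by anonymous auth
    by * none

# 5. Everything else inside a hosted domain (mail attributes, creating and
#    deleting accounts) is writable only by that domain's admin group; $2 is
#    the domain captured from the entry DN, so example.net's admins get no
#    write access in example.org's subtree.
access to dn.regex="^(.+,)?dc=([^,]+),ou=domains,dc=example,dc=com$"
    by group.expand="cn=admins,dc=$2,ou=domains,dc=example,dc=com" write
    by * read
```

Because the web interface binds as the domain admin rather than as the rootdn, these rules hold regardless of what the interface lets the admin submit; a client-side restriction alone would not.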
