[Fedora-directory-users] putting root account in FDS
David Hollis
dhollis at davehollis.com
Fri Jan 6 18:40:46 UTC 2006
On Fri, 2006-01-06 at 07:31 -0800, Susan wrote:
> I was just wondering what the community thoughts are on the subject of root accounts in LDAP vs.
> local. Some SAs in the company insist on keeping root passwords local in case of LDAP outage,
> saying that root is too critical to be handed over to FDS. Personally, I think it's no big deal.
> We have it local right now and every time an SA or a mgr quits, we've to login to every unix/linux
> box and change root's password which is a real pain.
>
> What are your thoughts on the subject? Are there some accounts that you insist on keeping local
> or is that line of thinking anachronistic?
Keeping root local does make sense. Giving every SA the root password
doesn't. Use something like sudo to restrict and log SA administrative
tasks. They then use their own password to switch up to root privs to
perform a task, it gets logged, etc. When they leave, their account
gets disabled and they no longer have any way to get to root. You still
need to ensure that they don't do bad stuff like create another acct
with UID 0 or something that gives them a backdoor.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060106/b59590a9/attachment.sig>
More information about the Fedora-directory-users
mailing list