You cannot prevent root from su-ing to any other local user. This is why root is
called a superuser. This has nothing to do with Kerberos or LDAP; this is an
OS issue. If the idea is to prevent access by the sysadmin to the ldapuser,
you should simply be the sysadmin yourself. If you don't trust your sysadmin
I fear you have no other choice than being it.

2008/6/10 Rodrigo Castro:

> Hi, I don't know if this is the right place to ask, but I've been striving
> to prevent local root su ldapuser, although failed so far. I've already
> configured kerberos to work with ldap following this page
> http://www.bayour.com/LDAPv3-HOWTO.html
> Any help is appreciated.
>
> On Thu, May 29, 2008 at 10:37 AM, gaurav bagga
> wrote:
>
> > Hi Turbo,
> >
> > Thanks for the link...
> > I am able to link ldap and kerberos, I can add principals from kadmin and
> > they get added in ldap.
> >
> > But one problem still remains.
> > I want to mix in Kerberos principal attributes to a directory entry of the
> > people objectclass which has userPassword. I want this password to be used
> > by kdc.
> >
> > Is such a thing possible? I went through the schema and found that
> > 'krbUPEnabled' helps in achieving this but how can one set this attribute.
> >
> > I am fairly new to this kerberos and ldap stuff so excuse me if I ask
> > something that's silly.
> >
> > If someone has to automate the process of adding principals what are the
> > possible solutions?
> > Using scripts? Is that a good way ?
> >
> > Thanks and Regards,
> > Gaurav
> >
> > On Thu, May 29, 2008 at 1:45 AM, Turbo Fredriksson
> > wrote:
> >
> > > >>>>> "gaurav" == gaurav bagga writes:
> > >
> > > gaurav> Hi all, I am trying to integrate Kerberos and Ldap but not
> > > gaurav> happy with what I have achieved till now. I'll really
> > > gaurav> appreciate if anyone can help/guide by giving pointers
> > > gaurav> towards *good articles* which give information regarding
> > > gaurav> the steps to be performed in doing the same.
> > >
> > > Have a look at http://bayour.com/LDAPv3-HOWTO.html
> > >

> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >

>
>
>
> --
> __________________________________
> Rodrigo de Castro Cosme
> Computer Science - Universidade Federal do Espírito Santo
> Suporte mailing list - suporte@inf.ufes.br
> MSN - rdccosmo@gmail.com
>




--
-----------------
Daniel Savard