LDAP User Access – Why Local Root Can su to Any User

Tags: active-directory, ldap, su

We have an LDAP server set up with our Active Directory. When users log in to a Linux machine with the LDAP client installed as root, they are able to su - into any Active Directory account without needing that user's password. This is a big security risk; does anyone know why this is or how to prevent it?

Preventing root access is not an option unfortunately as it is required by some users in some cases.

Best Answer

This is standard Unix design and you can't really prevent root from doing anything he wants.

A more secure design would have users use sudo, with the sudo configuration allowing users to perform only the specific tasks they need to perform. Unrestricted sudo should be limited to specific IT staff who need it for maintaining the servers, and the actual root password should be kept in a safe somewhere.
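The layout the answer describes, written out as a sudoers fragment. This is an added example, not configuration from the original answer or from any particular site; the group names (linux-admins, webops), the service (nginx) and the file path are assumptions. Whether AD groups resolve as plain `%groupname` or need a domain-qualified form depends on how SSSD or winbind is configured on the client.

```sudoers
# Added example, not from the original answer: a least-privilege sudoers layout.
# All user, group, host and command names below are assumptions. Install the
# file as /etc/sudoers.d/site-policy with "visudo -f" so a syntax error cannot
# lock you out of sudo entirely.

# Small IT group that needs full root for server maintenance (assumed group name).
User_Alias  ADMINS = %linux-admins

# Application team that only needs to operate one service (assumed group name).
User_Alias  WEBOPS = %webops

# Exactly the commands the application team needs, with fixed arguments where
# possible. No shell, no su, no editor: any of those would be root in disguise.
Cmnd_Alias  WEB_SVC = /bin/systemctl restart nginx, \
                      /bin/systemctl status nginx, \
                      /usr/bin/journalctl -u nginx

# Record every sudo invocation, and the full terminal I/O of unrestricted sessions.
Defaults             logfile="/var/log/sudo.log"
Defaults             use_pty
Defaults:ADMINS      log_input, log_output

# Unrestricted access stays with the admins only. They authenticate with their
# own password, so the root password itself can stay in the safe.
ADMINS   ALL=(ALL:ALL) ALL

# Everyone else gets named tasks only.
WEBOPS   ALL=(root) WEB_SVC
```

Validate the file before relying on it with `visudo -cf /etc/sudoers.d/site-policy`. Note what this does and does not change: an admin in ADMINS can still run `sudo su - someuser` and become any account without that account's password, exactly as the answer says root always can. The difference is that the action is now tied to a named individual, requires that individual's own password, and is written to /var/log/sudo.log (and a session recording) rather than happening silently under a shared root login. Keep the command list a plain allow-list; sudoers negation with `!` is not a reliable way to exclude commands, because a permitted user can copy or rename a binary to sidestep it.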