3

We have an LDAP server set up with our Active Directory. When users log in to a Linux machine with the LDAP client installed as root, they are able to `su -` into any Active Directory account without needing that user's password. This is a big security risk; does anyone know why this is, or how to prevent it?

Preventing root access is not an option unfortunately as it is required by some users in some cases.

Steven
  • 63

3 Answers

5

This is standard Unix design and you can't really prevent root from doing anything he wants.

A more secure design would have users use sudo and for the sudo configuration to allow users only to perform the specific tasks they need to perform. Unrestricted sudo should be limited to specific IT staff who need it for maintaining the servers, and the actual root password should be kept in a safe somewhere.

Michael Hampton
  • 252,907
1

This is how it's supposed to work.

You CAN prevent or restrict root access, though. I work with healthcare systems, and am subject to all sorts of regulatory and compliance tasks. Our auditors are happy with LDAP authentication, but prefer that we enable sudo access to handle regular users who may need root escalation privileges on occasion.

ewwhite
  • 201,205
1

My colleague was able to find a solution to the issue of root accessing LDAP user accounts without a password. There is a parameter in /etc/pam.d/su called pam_rootok.so. This needs to be commented out with #. After this is commented out, root will be prompted for the user's password when attempting to su to it.

Steven
  • 63
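As an added audit check (not part of the original thread), a small POSIX shell script that reports whether a PAM service file still carries an active, uncommented pam_rootok.so rule, which is the line the answer above says to comment out in /etc/pam.d/su. It runs against a constructed copy of a typical /etc/pam.d/su (the file contents are an assumption) so it works offline, and applies the same commenting-out fix to show the check flipping.

```sh
#!/bin/sh
# Exit 0 if the given PAM service file has an active (uncommented) rule that
# loads pam_rootok.so, i.e. root can still su to any account without a password.
# Exit 1 if every pam_rootok.so line is commented out or absent.
pam_rootok_active() {
    # Only lines whose first non-blank character is not '#' count as rules.
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_rootok\.so' "$1"
}

# Constructed sample resembling a default /etc/pam.d/su (assumed layout).
SU_BEFORE=$(mktemp)
cat > "$SU_BEFORE" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            include         system-auth
account         include         system-auth
session         include         system-auth
EOF

# The same file after the fix from the thread: the rule is commented out with '#'.
SU_AFTER=$(mktemp)
sed 's/^\([[:space:]]*auth.*pam_rootok\.so\)/#\1/' "$SU_BEFORE" > "$SU_AFTER"

if pam_rootok_active "$SU_BEFORE"; then
    echo "before: pam_rootok.so active, root can su to any user without a password"
fi
if ! pam_rootok_active "$SU_AFTER"; then
    echo "after: pam_rootok.so disabled, root is prompted for the target user's password"
fi
```

Point the function at the real /etc/pam.d/su (and any other service file that includes pam_rootok.so) to verify the change on a host; note that commenting it out is a policy change for every local root su, not only for LDAP accounts.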