Hi Jonathan,
Yes, so the issue is that the user who is binding does not have read
permission to shadowExpire. Directory Manager bypasses any aci
restrictions.
So you need an aci something like this:
dn: ou=people,dc=example,dc=com
aci: (target="ldap:///ou=people,dc=example,dc=com")(targetattr="shadowExpire")
 (version 3.0; acl "aci for shadowExpire";
  allow(all) userdn="ldap:///uid=your_user,ou=people,dc=example,dc=com";)
HTH,
Mark
On 10/31/25 10:43 AM, Jonathan Buzzard via 389-users wrote:
>
> Some background, for the last ~20 years we have used NIS in
> combination with Kerberos against the University's AD for AAA on our
> HPC systems. For a variety of reasons when we get a new user we create
> an account in NIS with the same username as they have in the AD. For
> about the last 10 years this has been automated with a Perl script so
> you just provide the username and the account in NIS is created.
>
> With the advent of RHEL9 NIS is gone so we are replacing the NIS
> servers with a LDAP setup using 389-ds. Pass through authentication to
> the AD is for another day.
>
> I have one more task before the project is finished. There is a Perl
> script that is run daily which iterates through all the users and for
> those that are not past the expiry date in shadow checks against the
> AD and if they are expired in the AD sets the shadow expiry date to
> the day before. This needs porting to work against the LDAP servers.
>
> We also use the shadow expiry to set an expiry date on the accounts of
> certain classes of users at account creation time.
>
> The problem is when my Perl script is iterating through the users in
> LDAP using Net::LDAP unless I bind with Directory Manager the
> shadowExpire attribute is not returned.
>
> LDAP is not my thing but I get the feeling I need to use an ACI to
> allow the account I am using to bind to search the LDAP access to the
> shadow attributes. Note actually changing of the attributes is a
> "cheat" system call to dsidm from the Perl script because it runs as
> root on the LDAP servers themselves but that doesn't provide a nice
> interface to iterate through the users. I am also setting
> nsAccountLock to true for good measure.
>
> My question is am I correct that an ordinary LDAP user cannot see the
> shadow attributes of another account? Secondly if I am right in the
> first question how do I set up an ACI so a particular user can indeed
> see the shadowExpire of all the users?
>
>
> JAB.
>
--
Identity Management Development Team
--
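An added example of the Net::LDAP side of this (not code from either poster): bind as the account the aci above grants rights to, check that shadowExpire is actually returned before trusting the results, and set it to yesterday for the AD-expired usernames passed on the command line. The URI, bind DN, password variable and scope are assumptions; the write uses the LDAP modify that allow(all) permits rather than shelling out to dsidm.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Assumes the aci on ou=people grants
# the bind user read (and write) on shadowExpire; site values are placeholders.
use strict;
use warnings;
use Net::LDAP;

my $uri     = 'ldaps://ldap.example.com';                   # assumed host
my $bind_dn = 'uid=your_user,ou=people,dc=example,dc=com';  # from the aci
my $base    = 'ou=people,dc=example,dc=com';
my $pw      = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";

my $ldap = Net::LDAP->new($uri) or die "connect to $uri failed: $@\n";
my $mesg = $ldap->bind($bind_dn, password => $pw);
die "bind failed: " . $mesg->error . "\n" if $mesg->code;

# shadowExpire is days since 1970-01-01; yesterday expires the account now.
my $yesterday = int(time / 86400) - 1;

$mesg = $ldap->search(base   => $base, scope => 'one',
                      filter => '(objectClass=shadowAccount)',
                      attrs  => ['uid', 'shadowExpire']);
die "search failed: " . $mesg->error . "\n" if $mesg->code;

# Index entries by uid. If *no* entry returns shadowExpire, the bind identity
# almost certainly lacks read permission (the aci problem in the thread)
# rather than every account being unset: stop instead of silently treating
# everyone as unexpired.
my %by_uid = map { ($_->get_value('uid') // '') => $_ } $mesg->entries;
die "shadowExpire not visible to $bind_dn; check the aci\n"
    unless grep { defined $_->get_value('shadowExpire') } values %by_uid;

for my $uid (@ARGV) {                   # usernames already found expired in AD
    my $e = $by_uid{$uid} or next;      # not a local account, skip
    my $cur = $e->get_value('shadowExpire');
    next if defined $cur && $cur <= $yesterday;   # already expired, leave it
    my $r = $ldap->modify($e->dn, replace => { shadowExpire => $yesterday });
    if ($r->code) { warn "$uid: modify failed: " . $r->error . "\n"; next }
    print "$uid: shadowExpire set to $yesterday\n";
}
$ldap->unbind;
```

Run it once with no usernames after adding the aci: the visibility check passing confirms the bind user can read shadowExpire, which is the direct test of the question asked above.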
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org