Friday, October 31, 2025

[389-users] Shadow attributes in search

Some background, for the last ~20 years we have used NIS in combination
with Kerberos against the University's AD for AAA on our HPC systems.
For a variety of reasons when we get a new user we create an account in
NIS with the same username as they have in the AD. For about the last 10
years this has been automated with a Perl script so you just provide the
username and the account in NIS is created.

With the advent of RHEL9 NIS is gone so we are replacing the NIS servers
with a LDAP setup using 389-ds. Pass through authentication to the AD is
for another day.

I have one more task before the project is finished. There is a Perl
script that is run daily which iterates through all the users and for
those that are not past the expiry date in shadow checks against the
AD and if they are expired in the AD sets the shadow expiry date to the
day before. This needs porting to work against the LDAP servers.

We also use the shadow expiry to set an expiry date on the accounts of
certain classes of users at account creation time.

The problem is when my Perl script is iterating through the users in
LDAP using Net::LDAP unless I bind with Directory Manager the
shadowExpire attribute is not returned.

LDAP is not my thing but I get the feeling I need to use an ACI to give
the account I am using to bind and search the LDAP access to the shadow
attributes. Note that actually changing the attributes is a "cheat" system
call to dsidm from the Perl script because it runs as root on the LDAP
servers themselves, but that doesn't provide a nice interface to iterate
through the users. I am also setting nsAccountLock to true for good measure.

My question is am I correct that an ordinary LDAP user cannot see the
shadow attributes of another account? Secondly, if I am right on the
first question, how do I set up an ACI so a particular user can indeed see
the shadowExpire of all the users?


JAB.

--
Jonathan A. Buzzard Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG

--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
