Charles Hedrick via FreeIPA-users wrote:
> given the way sssd is designed, if we could restrict in IPA to a list, sssd 
> could map anything that’s not on the local system to a fallback. But sssd 
> isn’t set up so that random typos can get mapped to a fallback.

It is probably best to prevent bad data from getting in the entry in the
first place. A fallback would be nice though.

rob

> 
>> On Jan 25, 2018, at 3:17 PM, Charles Hedrick via FreeIPA-users 
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> ugh. valid_shells is carefully designed so it can’t be used for this. But 
>> doing it in sshd is probably the right answer.
>>
>>> On Jan 25, 2018, at 3:15 PM, Charles Hedrick via FreeIPA-users 
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>> looks like the real solution is valid_shells in sssd.conf. That will 
>>> prevent people from damaging themselves.
>>>
>>>> On Jan 25, 2018, at 3:12 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>
>>>> Charles Hedrick via FreeIPA-users wrote:
>>>>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It can 
>>>>> be hard to recover from, since you can’t log in.
>>>>>
>>>>> Is there a way to restrict what they can use? Traditionally only shells 
>>>>> in /etc/shells were valid.
>>>>
>>>> There is no way currently.
>>>>
>>>> Note that part of the problem is which /etc/shells to use? Remember that
>>>> IPA is centralized and users may be using a number of different
>>>> operating systems. This is why the default shell is /bin/sh, because it
>>>> is nearly universal.
>>>>
>>>> It probably isn't a ton of work to add a new config option to provide a
>>>> set of valid shells, so feel free to file an RFE. I just don't know that
>>>> this sort of thing would be prioritized.
>>>>
>>>> We could probably help if you want to contribute something.
>>>>
>>>> rob
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
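An added example, not part of the original thread and not FreeIPA or sssd code: because IPA has no built-in shell restriction, an admin-side audit can flag login shell values that fall outside a site-chosen list and suggest the likely intended shell for a typo. The allowed list, the function names and the sample output (laid out like `ipa user-find --all` label/value lines) are constructed assumptions.

```python
import difflib

# Assumption: a site-wide allowlist chosen by the admin, since every client OS
# has its own /etc/shells and a central IPA server cannot consult just one.
ALLOWED_SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/tcsh", "/sbin/nologin")

def check_shell(shell, allowed=ALLOWED_SHELLS):
    """Return (ok, suggestion); suggestion is the closest allowed shell for a typo."""
    shell = shell.strip()
    if shell in allowed:
        return True, None
    # High cutoff so only near-misses (transposed or dropped letters) get a hint.
    close = difflib.get_close_matches(shell, allowed, n=1, cutoff=0.8)
    return False, (close[0] if close else None)

def audit(user_find_output, allowed=ALLOWED_SHELLS):
    """Pair each 'User login' with its 'Login shell' and list the offending entries."""
    findings, login = [], None
    for line in user_find_output.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "User login":
            login = value
        elif key == "Login shell" and login is not None:
            ok, suggestion = check_shell(value, allowed)
            if not ok:
                findings.append((login, value, suggestion))
            login = None
    return findings

# Constructed sample data, not taken from a real directory.
SAMPLE = """\
  User login: alice
  Login shell: /bin/bash
  User login: bob
  Login shell: /bin/bsah
  User login: carol
  Login shell: /usr/local/bin/fish
"""

if __name__ == "__main__":
    for login, shell, suggestion in audit(SAMPLE):
        hint = f" (did you mean {suggestion}?)" if suggestion else ""
        print(f"{login}: login shell {shell!r} is not in the allowed list{hint}")
```

The same `check_shell` call can gate a wrapper around `ipa user-mod --shell` so that a mistyped value is rejected before it reaches the entry.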
