On 04/01/2015 07:09 AM, Prashant Bapat wrote:
> Hi ,
> 
> Is there a way of making the nsAccountLock attribute (User enable/disable)
> to be anonymously readable ?
> 
> I'm trying to implement a SSH key lookup sshd authorized key command
> script. Based on this attribute the user will be allowed to login. I need
> this to be anonymously readable.
> 
> Tried setting the permissions but it does not work.

Permissions should just work. You can either switch "System: Read User
Addressbook Attributes" permission for anonymous user, with knowing all
consequences it brings to your system, all create a new read permission just
for this attribute.

BTW, note that this attribute is operational and has to be searched out
explicitly in the ldapsearch, e.g.:

# ldapsearch -Y GSSAPI -h `hostname` -b "uid=fbar,cn=users,cn=accounts,dc=f21"
nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin@F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=fbar,cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (objectclass=*)
# requesting: nsaccountlock
#

# fbar, users, accounts, f21
dn: uid=fbar,cn=users,cn=accounts,dc=f21
nsaccountlock: TRUE

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Final note, new users do not have this attribute until the first time they are
enabled/disabled.

HTH,
Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to