Ivars Strazdiņš wrote:
just another basic question, I am sorry to spam the list.
Noticed that regular users can change their login shell in account settings.
Is it possible to lock login shell property for a regular user?
For a unix system, using standard PAM authentication, use of chsh
command can be restricted.
I could not find anything regarding this in IPA manual.

From the command-line on my 4.1 box:

$ kinit admin
$ ipa selfservice-show 'User Self service'

Copy the list of attributes and submit a new list without loginshell

$ ipa selfservice-mod --attrs={givenname,sn,cn,displayname,title,initials,gecos,homephone,mobile,pager,facsimiletelephonenumber,telephonenumber,street,roomnumber,l,st,postalcode,manager,secretary,description,carlicense,labeleduri,inetuserhttpurl,seealso,employeetype,businesscategory,ou} 'User Self service'

Probably easier in the web UI: IPA Server -> RBAC -> drop down -> Self service Permissions


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to