Re: [Freeipa-users] nsAccountLock attribute
Hi Jan,

Thanks for your response. But my problem is AmazonLinux does not support ipa-client or sssd. No binaries available, lots of dependency issues compiling from source.

So the route I have taken is to use FreeIPA on Fedora21. And use authconfig to enumerate users/groups. And have an SSH command to look up the keys.

Thanks.
--Prashant

On 1 April 2015 at 11:06, Jan Cholasta jchol...@redhat.com wrote:

> Hi,
>
> On 1.4.2015 at 07:09, Prashant Bapat wrote:
>> Hi,
>>
>> Is there a way of making the nsAccountLock attribute (user enable/disable) anonymously readable? I'm trying to implement an SSH key lookup script for the sshd authorized keys command. Based on this attribute the user will be allowed to login. I need this to be anonymously readable. Tried setting the permissions but it does not work.
>>
>> Any other ideas on this?
>
> If your SSH server is a properly configured IPA host (i.e. you had run ipa-client-install or ipa-server-install on it), rejecting locked user login should work automatically, without having to configure anything.
>
>> Thanks for your help.
>> --Prashant
>
> --
> Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] nsAccountLock attribute
On 04/01/2015 07:09 AM, Prashant Bapat wrote:
> Hi,
>
> Is there a way of making the nsAccountLock attribute (user enable/disable) anonymously readable? I'm trying to implement an SSH key lookup script for the sshd authorized keys command. Based on this attribute the user will be allowed to login. I need this to be anonymously readable. Tried setting the permissions but it does not work.

Permissions should just work. You can either switch the System: Read User Addressbook Attributes permission on for the anonymous user, knowing all the consequences it brings to your system, or create a new read permission just for this attribute.

BTW, note that this attribute is operational and has to be searched out explicitly in the ldapsearch, e.g.:

  # ldapsearch -Y GSSAPI -h `hostname` -b uid=fbar,cn=users,cn=accounts,dc=f21 nsaccountlock
  SASL/GSSAPI authentication started
  SASL username: admin@F21
  SASL SSF: 56
  SASL data security layer installed.
  # extended LDIF
  #
  # LDAPv3
  # base uid=fbar,cn=users,cn=accounts,dc=f21 with scope subtree
  # filter: (objectclass=*)
  # requesting: nsaccountlock
  #

  # fbar, users, accounts, f21
  dn: uid=fbar,cn=users,cn=accounts,dc=f21
  nsaccountlock: TRUE

  # search result
  search: 4
  result: 0 Success

  # numResponses: 2
  # numEntries: 1

Final note, new users do not have this attribute until the first time they are enabled/disabled.

HTH,
Martin
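An added example (not code from anyone in the thread) of the decision logic an authorized keys command script could apply to ldapsearch output like Martin's: it parses the LDIF, treats an absent nsaccountlock as enabled (his final note), TRUE as locked, and fails closed on anything unexpected. The LDIF below is constructed; the script assumes the user's keys are held in the ipaSshPubKey attribute and that sshd invokes it with the username as its argument.

```python
import sys

# Constructed LDIF modelled on the ldapsearch output quoted above; a real script
# would obtain it from a query that explicitly requests nsaccountlock (operational).
SAMPLE_LDIF = """\
# fbar, users, accounts, f21
dn: uid=fbar,cn=users,cn=accounts,dc=f21
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyFbar fbar
nsaccountlock: TRUE

# alice, users, accounts, f21
dn: uid=alice,cn=users,cn=accounts,dc=f21
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlice alice

# search result
search: 4
result: 0 Success
"""

def parse_ldif(text):
    """Return {dn: {attr (lower-case): [values]}} from simple, unfolded LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None              # a blank line ends the current entry
            continue
        attr, sep, value = line.partition(": ")
        if line.startswith("#") or not sep:
            continue                    # comment or malformed line
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:       # skips trailer lines like "result: 0 Success"
            current.setdefault(attr.lower(), []).append(value)
    return entries

def is_locked(entry):
    """Absent -> enabled (set only after the first enable/disable); TRUE -> locked; else fail closed."""
    values = [v.strip().upper() for v in entry.get("nsaccountlock", [])]
    return bool(values) and values != ["FALSE"]

def authorized_keys_for(uid, ldif_text):
    """Keys sshd may accept for uid; [] when the user is locked, missing or ambiguous."""
    prefix = f"uid={uid.lower()},"
    hits = [e for dn, e in parse_ldif(ldif_text).items() if dn.lower().startswith(prefix)]
    if len(hits) != 1 or is_locked(hits[0]):
        return []                       # fail closed: no keys, no login
    return hits[0].get("ipasshpubkey", [])

if __name__ == "__main__":              # usage: script.py <username>, as sshd calls it
    print("\n".join(authorized_keys_for(sys.argv[1], SAMPLE_LDIF)))
```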
Re: [Freeipa-users] nsAccountLock attribute
On 1.4.2015 11:43, Prashant Bapat wrote:
> Hi Jan,
>
> Thanks for your response. But my problem is AmazonLinux does not support ipa-client or sssd. No binaries available, lots of dependency issues compiling from source.
>
> So the route I have taken is to use FreeIPA on Fedora21. And use authconfig to enumerate users/groups. And have an SSH command to look up the keys.

Interesting. Please complain to Amazon support about this, it will improve the situation for others too.

Petr^2 Spacek

> Thanks.
> --Prashant
>
> On 1 April 2015 at 11:06, Jan Cholasta jchol...@redhat.com wrote:
>
>> Hi,
>>
>> On 1.4.2015 at 07:09, Prashant Bapat wrote:
>>> Hi,
>>>
>>> Is there a way of making the nsAccountLock attribute (user enable/disable) anonymously readable? I'm trying to implement an SSH key lookup script for the sshd authorized keys command. Based on this attribute the user will be allowed to login. I need this to be anonymously readable. Tried setting the permissions but it does not work.
>>>
>>> Any other ideas on this?
>>
>> If your SSH server is a properly configured IPA host (i.e. you had run ipa-client-install or ipa-server-install on it), rejecting locked user login should work automatically, without having to configure anything.
[Freeipa-users] nsAccountLock attribute
Hi,

Is there a way of making the nsAccountLock attribute (user enable/disable) anonymously readable? I'm trying to implement an SSH key lookup script for the sshd authorized keys command. Based on this attribute the user will be allowed to login. I need this to be anonymously readable. Tried setting the permissions but it does not work.

Any other ideas on this?

Thanks for your help.
--Prashant
Re: [Freeipa-users] nsAccountLock attribute
Hi,

On 1.4.2015 at 07:09, Prashant Bapat wrote:
> Hi,
>
> Is there a way of making the nsAccountLock attribute (user enable/disable) anonymously readable? I'm trying to implement an SSH key lookup script for the sshd authorized keys command. Based on this attribute the user will be allowed to login. I need this to be anonymously readable. Tried setting the permissions but it does not work.
>
> Any other ideas on this?

If your SSH server is a properly configured IPA host (i.e. you had run ipa-client-install or ipa-server-install on it), rejecting locked user login should work automatically, without having to configure anything.

> Thanks for your help.
> --Prashant

--
Jan Cholasta