Some background: for the last ~20 years we have used NIS in combination with Kerberos against the University's AD for AAA on our HPC systems. For a variety of reasons, when we get a new user we create an account in NIS with the same username as they have in the AD. For about the last 10 years this has been automated with a Perl script, so you just provide the username and the account in NIS is created.

With the advent of RHEL9, NIS is gone, so we are replacing the NIS servers with an LDAP setup using 389-ds. Pass-through authentication to the AD is for another day.

I have one more task before the project is finished. There is a Perl script that is run daily which iterates through all the users and, for those that are not past the expiry date in shadow, checks against the AD and, if they are expired in the AD, sets the shadow expiry date to the day before. This needs porting to work against the LDAP servers.

We also use the shadow expiry to set an expiry date on the accounts of certain classes of users at account creation time.

The problem is that when my Perl script is iterating through the users in LDAP using Net::LDAP, unless I bind as Directory Manager the shadowExpire attribute is not returned.

LDAP is not my thing, but I get the feeling I need to use an ACI to allow the account I am using to bind and search the LDAP access to the shadow attributes. Note that actually changing the attributes is a "cheat" system call to dsidm from the Perl script, because it runs as root on the LDAP servers themselves, but that doesn't provide a nice interface to iterate through the users. I am also setting nsAccountLock to true for good measure.

My question is: am I correct that an ordinary LDAP user cannot see the shadow attributes of another account? Secondly, if I am right on the first question, how do I set up an ACI so a particular user can indeed see the shadowExpire of all the users?


JAB.

--
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
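The shape of the ACI the post is asking about, as an added example and not something from the original message or the 389-ds project: a single ACI on the user subtree that grants one dedicated bind DN read, search and compare rights on shadowExpire only, so the daily script can enumerate expiry dates without binding as Directory Manager, while writes stay with the root-run dsidm call described above. Every DN here (`dc=example,dc=com`, `ou=People`, `uid=expiry-script,ou=Special Users`) is a placeholder assumption to be replaced with the site's own values.

```ldif
# Added example LDIF (not from the original post). All DNs are placeholders.
# Adds one ACI to the container holding the user entries, allowing the
# dedicated bind account to read shadowExpire on every entry beneath it.
# Rights are limited to read/search/compare on that one attribute; no write.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="shadowExpire")(version 3.0; acl "Expiry script reads shadowExpire"; allow (read, search, compare) userdn="ldap:///uid=expiry-script,ou=Special Users,dc=example,dc=com";)
```

Apply it as Directory Manager with `ldapmodify -H ldap://ldap.example.com -D "cn=Directory Manager" -W -f add-aci.ldif`, then verify from the script's own account with `ldapsearch -H ldap://ldap.example.com -D "uid=expiry-script,ou=Special Users,dc=example,dc=com" -W -b "ou=People,dc=example,dc=com" "(uid=*)" shadowExpire`; if shadowExpire now appears in the results for other users' entries, the ACI is in effect. Keeping the grant to a single attribute and a single bind DN means that if the script's credential is ever exposed, the exposure is limited to reading expiry dates, not the rest of the shadow attributes or any write access.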

--
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
