Hi Jonathan,
Yes, so the issue is that the user who is binding does not have read
permission to shadowExpire. Directory Manager bypasses any ACI
restrictions.
So you need an aci something like this:
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=people,dc=example,dc=com")(targetattr="shadowExpire")
 (version 3.0; acl "aci for shadowExpire";
  allow(all) userdn="ldap:///uid=your_user,ou=people,dc=example,dc=com";)
HTH,
Mark
On 10/31/25 10:43 AM, Jonathan Buzzard via 389-users wrote:
Some background: for the last ~20 years we have used NIS in
combination with Kerberos against the University's AD for AAA on our
HPC systems. For a variety of reasons, when we get a new user we create
an account in NIS with the same username as they have in the AD. For
about the last 10 years this has been automated with a Perl script, so
you just provide the username and the account in NIS is created.
With the advent of RHEL9, NIS is gone, so we are replacing the NIS
servers with an LDAP setup using 389-ds. Pass-through authentication to
the AD is for another day.
I have one more task before the project is finished. There is a Perl
script that is run daily which iterates through all the users and, for
those that are not past the expiry date in shadow, checks against the
AD and, if they are expired in the AD, sets the shadow expiry date to
the day before. This needs porting to work against the LDAP servers.
We also use the shadow expiry to set an expiry date on the accounts of
certain classes of users at account creation time.
The problem is that when my Perl script is iterating through the users in
LDAP using Net::LDAP, unless I bind with Directory Manager the
shadowExpire attribute is not returned.
LDAP is not my thing, but I get the feeling I need to use an ACI to
give the account I am using to bind to the LDAP server access to the
shadow attributes. Note that actually changing the attributes is a
"cheat" system call to dsidm from the Perl script, because it runs as
root on the LDAP servers themselves, but that doesn't provide a nice
interface to iterate through the users. I am also setting
nsAccountLock to true for good measure.
My question is: am I correct that an ordinary LDAP user cannot see the
shadow attributes of another account? Secondly, if I am right on the
first question, how do I set up an ACI so a particular user can indeed
see the shadowExpire of all the users?
JAB.
--
Identity Management Development Team
--
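As an added example (not from the thread, and not the Perl script Jonathan describes), the following Python models the daily expiry pass once the service account can read shadowExpire: it skips accounts already expired in shadow, expires in shadow (yesterday's day number) and locks the accounts that AD reports as expired, and renders the changes as an ldapmodify LDIF. The LDAP search results and the AD check are stand-ins built from constructed data so it runs offline; the base DN, the `uid=svc` service account and the attribute values are assumptions. It also builds a least-privilege variant of Mark's ACI: reading shadowExpire only needs `read, search, compare`, and `allow(all)` would also let the bind account write the attribute.

```python
"""Daily shadowExpire pass against 389-ds entries (added example, constructed data).

shadowExpire is the day number (days since 1970-01-01) on which the account
expires; absent, empty or negative means "never".  pam_unix treats the account
as expired once today >= shadowExpire, so setting it to yesterday is enough.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
BASE_DN = "ou=people,dc=example,dc=com"          # assumed base DN


def days_since_epoch(d: date) -> int:
    """Convert a calendar date to the day number shadow(5) uses."""
    return (d - EPOCH).days


def shadow_expired(entry: dict, today: date) -> bool:
    """True if the entry carries a shadowExpire that has already passed."""
    raw = entry.get("shadowExpire")
    if raw in (None, ""):
        return False
    days = int(raw)
    if days < 0:                      # -1 means no expiry
        return False
    return days_since_epoch(today) >= days


def plan_expirations(entries, ad_is_expired, today: date) -> dict:
    """Decide which accounts the daily pass would expire.

    entries       - dicts with 'uid' and optional 'shadowExpire' (what a search
                    bound as the service account returns once the ACI is in place)
    ad_is_expired - callable uid -> bool standing in for the AD lookup
    Returns {uid: {attribute: new value}} for the accounts to change.
    """
    yesterday = days_since_epoch(today - timedelta(days=1))
    mods = {}
    for entry in entries:
        if shadow_expired(entry, today):
            continue                  # already expired in shadow, nothing to do
        if ad_is_expired(entry["uid"]):
            mods[entry["uid"]] = {"shadowExpire": str(yesterday),
                                  "nsAccountLock": "TRUE"}
    return mods


def to_ldif(mods: dict, base: str = BASE_DN) -> str:
    """Render the planned changes as ldapmodify input, one change record per user."""
    records = []
    for uid, attrs in sorted(mods.items()):
        lines = [f"dn: uid={uid},{base}", "changetype: modify"]
        for i, (attr, value) in enumerate(attrs.items()):
            if i:
                lines.append("-")     # separates modifications within one record
            lines.append(f"replace: {attr}")
            lines.append(f"{attr}: {value}")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def read_only_aci(service_dn: str, base: str = BASE_DN) -> str:
    """Least-privilege form of the ACI from the reply: read/search/compare only."""
    return (f'(target="ldap:///{base}")(targetattr="shadowExpire")'
            f'(version 3.0; acl "read shadowExpire"; '
            f'allow(read, search, compare) userdn="ldap:///{service_dn}";)')


# Constructed sample search results and AD state (not real accounts).
SAMPLE_ENTRIES = [
    {"uid": "alice", "shadowExpire": "19000"},   # expired in shadow long ago
    {"uid": "bob"},                               # no expiry set in shadow
    {"uid": "carol", "shadowExpire": "99999"},    # far-future expiry
]
AD_EXPIRED = {"alice", "bob"}                     # what the AD check would report


def run_sample(today: date = date(2025, 10, 31)) -> dict:
    """Run the pass over the constructed data; returns the planned modifications."""
    return plan_expirations(SAMPLE_ENTRIES, lambda uid: uid in AD_EXPIRED, today)


if __name__ == "__main__":
    print(read_only_aci(f"uid=svc,{BASE_DN}"))
    print(to_ldif(run_sample()))
```

In the sample run only `bob` is changed: `alice` is already expired in shadow and is skipped, and `carol` is not expired in AD. The LDIF uses `replace`, which also works when the entry has no shadowExpire yet.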
_______________________________________________
389-users mailing list -- [email protected]