On 21.11.2011 18:52, Michael Ströder wrote:
> Christian Manal wrote:
>> As for custom code, I already need that to change the other attributes I mentioned, plus some from a homebrew schema. So, at least for my environment, it doesn't really matter.
> You can make the other attributes invisible by ACL too...
Yeah, I could restrict access to the appropriate Samba and Kerberos attributes. But if I "hide" loginShell, users will just get a default shell and therefore still be able to log in via ssh public key. So I either set an invalid shell or change permissions for the key files in their home directory. Both require custom code, and by changing the shell I keep everything inside LDAP.
And as I said, I have a custom schema in my DIT that needs some attributes set for locked accounts, so I need custom code anyway. And since everything that doesn't use simple bind in my environment honors the 'D' flag in sambaAcctFlags, it is imho just as clean as using ACLs, for those applications.
Regards, Christian Manal
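The locking scheme Christian describes (set an invalid loginShell so an ssh public-key login gets no usable shell, and set the 'D' flag in sambaAcctFlags so everything that honours that flag refuses the account), as an added example that is not code from the original thread. It models both halves of his argument: an entry whose loginShell is merely hidden by ACL still resolves to a default shell, while a locked entry does not. The nologin path, the DN, the sample entry and the fallback shell are assumptions; the flag order follows what Samba itself emits in sambaAcctFlags (N D H T U M W S L X I), and the output is an LDIF modify you could feed to ldapmodify.

```python
"""Lock and unlock a POSIX+Samba LDAP account via loginShell and sambaAcctFlags.

Added example, not code from the original post. Assumptions: the nologin
path, the DN and the sample entry below are constructed for illustration.
"""

LOCK_SHELL = "/usr/sbin/nologin"   # assumption: any shell that refuses interactive use works
DEFAULT_SHELL = "/bin/sh"          # assumption: what the NSS client falls back to when loginShell is missing
FLAGS_WIDTH = 11                   # sambaAcctFlags is "[" + 11 space-padded flag chars + "]"
SAMBA_FLAG_ORDER = "NDHTUMWSLXI"   # order Samba writes the flags in; 'D' = account disabled

# Constructed sample entry, as it might come back from an LDAP search.
SAMPLE_ENTRY = {
    "dn": "uid=alice,ou=People,dc=example,dc=org",  # assumption
    "uid": "alice",
    "loginShell": "/bin/bash",
    "sambaAcctFlags": "[U          ]",
}


def parse_acct_flags(value: str) -> set:
    """Turn '[U          ]' into {'U'}; reject anything not in Samba's bracketed form."""
    v = value.strip()
    if not (v.startswith("[") and v.endswith("]")):
        raise ValueError(f"malformed sambaAcctFlags: {value!r}")
    flags = set(v[1:-1].replace(" ", ""))
    unknown = flags - set(SAMBA_FLAG_ORDER)
    if unknown:
        raise ValueError(f"unknown sambaAcctFlags characters: {sorted(unknown)}")
    return flags


def format_acct_flags(flags) -> str:
    """Inverse of parse_acct_flags: canonical order, padded to Samba's fixed width."""
    body = "".join(c for c in SAMBA_FLAG_ORDER if c in flags)
    return "[" + body.ljust(FLAGS_WIDTH) + "]"


def is_disabled(entry: dict) -> bool:
    """What an application that honours the 'D' flag checks before accepting a login."""
    return "D" in parse_acct_flags(entry.get("sambaAcctFlags", "[]"))


def effective_shell(entry: dict) -> str:
    """Shell an NSS/ssh login actually gets: the attribute if present, else the fallback.
    This is why hiding loginShell by ACL alone does not stop public-key logins."""
    return entry.get("loginShell") or DEFAULT_SHELL


def allows_interactive_login(entry: dict) -> bool:
    """Combined view: a login is usable only with a real shell and no 'D' flag."""
    return effective_shell(entry) != LOCK_SHELL and not is_disabled(entry)


def lock_modifications(entry: dict) -> dict:
    """Attribute replacements that lock the account: nologin shell plus 'D' flag.
    Kerberos and custom-schema attributes would be added here in the same way."""
    flags = parse_acct_flags(entry["sambaAcctFlags"])
    flags.add("D")
    return {"loginShell": LOCK_SHELL, "sambaAcctFlags": format_acct_flags(flags)}


def unlock_modifications(entry: dict, restore_shell: str) -> dict:
    """Reverse of lock_modifications; the original shell must be supplied by the caller."""
    flags = parse_acct_flags(entry["sambaAcctFlags"])
    flags.discard("D")
    return {"loginShell": restore_shell, "sambaAcctFlags": format_acct_flags(flags)}


def apply_modifications(entry: dict, changes: dict) -> dict:
    """Return a copy of the entry as it would look after the modify succeeds."""
    updated = dict(entry)
    updated.update(changes)
    return updated


def to_ldif(dn: str, changes: dict) -> str:
    """Render the replacements as an LDIF 'changetype: modify' record for ldapmodify."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hidden = {k: v for k, v in SAMPLE_ENTRY.items() if k != "loginShell"}
    print("ACL-hidden loginShell still yields:", effective_shell(hidden))
    print(to_ldif(SAMPLE_ENTRY["dn"], lock_modifications(SAMPLE_ENTRY)))
```

The `effective_shell` fallback is the crux: the client-side NSS module, not the directory, decides what a missing loginShell means, so an ACL that hides the attribute changes nothing about who can log in.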