Hi all,
I'm banging my head against a wall trying to get one particular ACL setup. We want our users, with the exception of those that have a restricted shell, to be able to change their own shell values. A typical user looks like:
dn: uid=user,ou=people,dc=cs,dc=brown,dc=edu
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: sambaSamAccount
objectClass: ownCloudUser
objectClass: mailUser
...
loginShell: /bin/bash
We'd ideally like to have an ACL in place that looks like:
access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu" attrs=loginShell val.regex="/bin/[^f][^s][^h]" by ssf=128 self write by * read
The idea being that a user with a loginShell value of /bin/fsh would NOT be allowed to change their shell value. However, with this rule in place, no user is able to change their shell value. Even if I change the rule to be:
access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu" attrs=loginShell val.exact="/bin/bash" by ssf=128 self write by * read
users with loginShell of /bin/bash still can't change their own values. If I drop the val.<type>="<whatever>" restriction, users can change their shell values just fine. This is the first time I've ever used an ACL with a val.<type>= restriction, but I've scoured the internet and I can't for the life of me figure out what I'm doing wrong. I'm happy to have someone here give me a dope slap... I'm just tired of the headaches ;)
Thanks!
Mark
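Added example (not from Mark's post or from OpenLDAP): a small Python check of what the posted val.regex pattern actually matches, next to a constructed, anchored POSIX ERE that says "any /bin/ shell except exactly /bin/fsh". As I read slapd.access(5), a val.* clause is evaluated against the values an operation touches, so the pattern has to match the value a user writes, not just the one they currently hold; testing the pattern against the intended set of values before loading it into slapd is cheap. The sample shell values are constructed.

```python
import re

# The val.regex pattern exactly as posted, matched unanchored the way
# slapd's regexec(3) sees it (no implicit ^ or $).
POSTED_PATTERN = r"/bin/[^f][^s][^h]"

# Constructed alternative (an assumption, not from the post): POSIX ERE has
# no negative lookahead, so "anything under /bin/ other than /bin/fsh" is
# spelled out by prefix: first char not f, or f then not s, or fs then not h,
# or fsh followed by at least one more character. Anchored on both ends.
ALTERNATIVE_PATTERN = r"^/bin/([^f].*|f([^s].*)?|fs([^h].*)?|fsh.+)$"

# Constructed sample loginShell values to exercise both patterns.
SAMPLE_SHELLS = [
    "/bin/bash", "/bin/zsh", "/bin/sh", "/bin/fsh", "/bin/fish", "/usr/bin/tcsh",
]


def matches(pattern: str, value: str) -> bool:
    """Unanchored search, mirroring regexec(3); anchors must be in the pattern."""
    return re.search(pattern, value) is not None


def classify(pattern: str, values=SAMPLE_SHELLS) -> dict:
    """Map each sample value to whether the pattern would cover it."""
    return {v: matches(pattern, v) for v in values}


def rejects_only(pattern: str, blocked: str, values=SAMPLE_SHELLS) -> bool:
    """True when the pattern covers every sample /bin/ value except `blocked`."""
    under_bin = [v for v in values if v.startswith("/bin/")]
    return all(matches(pattern, v) == (v != blocked) for v in under_bin)


if __name__ == "__main__":
    for name, pat in (("posted", POSTED_PATTERN), ("alternative", ALTERNATIVE_PATTERN)):
        print(f"{name}: {pat}")
        for value, ok in classify(pat).items():
            print(f"  {value:<15} {'covered' if ok else 'NOT covered'}")
        print(f"  rejects only /bin/fsh: {rejects_only(pat, '/bin/fsh')}")
```

The posted pattern covers /bin/bash but not /bin/zsh or /bin/sh (it needs three characters, the second of which must not be "s"), and it also matches a value like /usr/bin/tcsh because it is unanchored.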