On 12/16/18 3:18 AM, Ryan Tandy wrote:
> On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
>> I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
>
> I have not tried this myself, but recent versions of nss-pam-ldapd appear to include a 'chsh.ldap' command in the nslcd-utils package. However it looks like that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather than the old libnss-ldap and libpam-ldap.
Looking at its man page [1] it requires that nslcd has *write* access to the user's entry, at least attribute 'loginShell'. IMO this is a security-fail-by-design because any system rooted can change every user entry. I would fire an admin who sets up an infrastructure like this.
Instead one should provide a decent self-service web interface and use the correct OpenLDAP "by self write" ACLs instead.
Ciao, Michael.
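The "by self write" ACL Michael recommends, written out as an added example that is not part of this thread: an olcAccess ordering for cn=config where each user can change only their own loginShell, with the blanket service-account grant that the nslcd-based chsh.ldap would need shown commented out for contrast. The suffix dc=example,dc=com, the database DN olcDatabase={1}mdb,cn=config and the service DN cn=nslcd,dc=example,dc=com are assumed placeholders.

```ldif
# Constructed example for cn=config; adjust the database DN and suffix to your directory.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: the password hash is writable only by its owner (the rootdn bypasses
# ACLs anyway), usable for binding by anonymous, and never readable.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Rule 1: the self-service grant. Only the entry's owner, bound as that entry,
# may write loginShell. A rooted client that holds the nslcd bind credentials
# gains no write access to anyone's entry from this rule.
olcAccess: {1}to attrs=loginShell
  by self write
  by users read
  by * none
# Rule 2: everything else is read-only for authenticated clients.
olcAccess: {2}to *
  by users read
  by * none
#
# What NOT to do (the shape chsh.ldap via nslcd would require): one shared
# service DN that can write every user's entry, so compromising any single
# client that stores that DN's password exposes every account.
# olcAccess: {1}to dn.subtree="ou=People,dc=example,dc=com"
#   by dn.exact="cn=nslcd,dc=example,dc=com" write
#   by users read
#   by * none
```

Apply with ldapmodify over ldapi:/// and check the result with slapacl (for example, that a user DN has write on its own loginShell but not on another user's) before relying on it; self write alone does not limit which shell values a user may set, so pair it with the constraint overlay (slapo-constraint) if only a fixed list of shells is acceptable.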