On 12/16/18 3:18 AM, Ryan Tandy wrote:
> On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin
> > I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
> I have not tried this myself, but recent versions of nss-pam-ldapd
> appear to include a 'chsh.ldap' command in the nslcd-utils package.
> However it looks like that would require you to be using libnss-ldapd
> and libpam-ldapd with nslcd, rather than the old libnss-ldap and
Looking at its man page it requires that nslcd has *write* access to
the user's entry, at least attribute 'loginShell'. IMO this is a
security-fail-by-design because any system rooted can change every user
entry. I would fire an admin who sets up an infrastructure like this.
Instead one should provide a decent self-service web interface and use
the correct OpenLDAP "by self write" ACLs instead.
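As an added illustration (my own, not from this thread) of the ACL shape the message recommends: a cn=config olcAccess rewrite that gives each user write access to their own loginShell while the nslcd service account, like everyone else, only reads it. The suffix dc=example,dc=com, the ou=people subtree and the nslcd bind DN are assumptions.

```ldif
# Added example, not from the thread. Assumed suffix dc=example,dc=com,
# assumed user subtree ou=people, and an assumed nslcd bind DN of
# cn=nslcd,ou=services,dc=example,dc=com.
#
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f self-write-shell.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: only the owner writes, binds may use them, nobody reads them.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# loginShell: the entry's owner may change it; nslcd and everyone else
# only read it. The shape the message objects to would instead carry
#   by dn.exact="cn=nslcd,ou=services,dc=example,dc=com" write
# on this rule, so any host holding nslcd's credentials could rewrite
# the shell of every user in the subtree.
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" attrs=loginShell
  by self write
  by * read
# Everything else stays read-only.
olcAccess: {2}to *
  by * read
```

Note that "by self write" only scopes who may write; it does not restrict which values a user can store in loginShell, so any shell whitelist has to be enforced elsewhere.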