Hi,
I would like to be able to disable some Linux commands for LDAP users. One of those commands is passwd. Because of some specific needs, when the LDAP users have to change their password a special script has been created for this purpose. They MUST not use passwd but this command is still required by local users.
Does one of you have an idea how to disable Linux commands for LDAP users only?
Thanks, Bernard
Unix doesn't really work that way, but maybe you can make your special LDAP user password script check if the user is in LDAP: if they are, do LDAP password; if they are not, wrap around Unix password.
An easier, lazy solution is to have a passwd-ldap and a passwd-unix command, then replace passwd with a little script that tells the user to invoke the appropriate command.
-danny
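The check Danny describes (one entry point that decides whether the caller is a local or an LDAP account), as an added example that is not code from the thread. It assumes local accounts are listed in /etc/passwd and LDAP accounts resolve only through NSS; the install path for passwd-ldap is hypothetical.

```shell
#!/bin/sh
# Added example: pick the password-change command by account source.
# Assumptions (not from the thread): local accounts are listed in /etc/passwd,
# LDAP accounts resolve only through NSS (getent), and the LDAP password
# script is installed at the hypothetical path below.
LOCAL_PASSWD_FILE="${LOCAL_PASSWD_FILE:-/etc/passwd}"
LDAP_PASSWD_CMD="${LDAP_PASSWD_CMD:-/usr/local/bin/passwd-ldap}"  # hypothetical
UNIX_PASSWD_CMD="${UNIX_PASSWD_CMD:-/usr/bin/passwd}"

# nss_lookup USER: succeeds if any NSS source (files, ldap, sss, ...) knows USER.
nss_lookup() {
    getent passwd "$1" >/dev/null 2>&1
}

# account_source USER: prints "local", "directory" or "unknown".
account_source() {
    user=$1
    # Refuse empty names, option-like names and anything outside a
    # conservative character set, so the name is never read as a getent
    # option or as a second passwd field.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) echo unknown; return 0 ;;
    esac
    # Exact string match on field 1; no regex, so "a.b" cannot match "aXb".
    if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' \
        "$LOCAL_PASSWD_FILE" 2>/dev/null; then
        echo local
    elif nss_lookup "$user"; then
        echo directory
    else
        echo unknown
    fi
}

# passwd_command_for USER: prints the command USER should run, or fails
# when the account cannot be classified.
passwd_command_for() {
    case $(account_source "$1") in
        local)     echo "$UNIX_PASSWD_CMD" ;;
        directory) echo "$LDAP_PASSWD_CMD" ;;
        *)         return 1 ;;
    esac
}

# In a wrapper script: cmd=$(passwd_command_for "$(id -un)") && exec "$cmd"
```

A wrapper like this only guides users, since the real passwd binary stays reachable by its full path; actual enforcement would have to happen in the PAM password stack, as suggested later in the thread.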
On Thu, 20 Oct 2016 12:15:59 -0400, Bernard Fay bernard.fay@gmail.com wrote:
Hi,
I would like to be able to disable some Linux commands for LDAP users. One of those commands is passwd. Because of some specific needs, when the LDAP users have to change their password a special script has been created for this purpose. They MUST not use passwd but this command is still required by local users.
Does one of you have an idea how to disable Linux commands for LDAP users only?
This is simple Linux system administration: put our LDAP users in a specific group and disable some functions for this group.
-Dieter
Hi,
passwd goes through PAM, so there may be a PAM module that lets you disallow passwd changes based on e.g. group membership (which you could set for all your LDAP users). Maybe worth asking on the PAM mailing list! https://listman.redhat.com/mailman/listinfo/pam-list
Best, Luke
I like this idea, Lukas. That sounds like a good way to go.
In the meantime, I create an environment function called passwd that simply prints a message explaining to the users how to change their passwords.
Thanks, Bernard
openldap-technical@openldap.org