
Re: ldap user authentication, PAM and chsh (change shell): how to make it work?



On Saturday, December 15, 2018 06:18:49 PM Ryan Tandy wrote:
> On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
> >I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
> 
> I have not tried this myself, but recent versions of nss-pam-ldapd 
> appear to include a 'chsh.ldap' command in the nslcd-utils package.  
> However it looks like that would require you to be using libnss-ldapd 
> and libpam-ldapd with nslcd, rather than the old libnss-ldap and 
> libpam-ldap.
> 
It is probably not a good idea to do chsh in an LDAP-controlled site in the first place. What if the user does chsh into
something not installed on every host, then realizes she cannot log in anymore?

Local chsh at least is protected by the local /etc/shells. It is probably simpler and safer
to have a line of "exec zsh --login" in their .profile file.
 

-- 
Derek Zhou
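
The .profile approach suggested above, as an added example that is not part of the original message: it switches to zsh only when this host has it installed and listed in /etc/shells, so a missing shell leaves the user in the LDAP-assigned one. The function name `find_allowed_shell` and the variable `PREFERRED_SHELL` are hypothetical.

```shell
# Added example for ~/.profile (POSIX sh). The function name and the
# PREFERRED_SHELL variable are hypothetical, not from the thread.

# Print the absolute path of shell $1 if this host lists it in the shells
# file ($2, default /etc/shells) and the binary is executable.
# Return 1 otherwise so the caller stays in the LDAP-assigned shell.
find_allowed_shell() {
    name=$1
    shells_file=${2:-/etc/shells}
    [ -r "$shells_file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;        # skip blank lines and comments
            /*/"$name")                  # absolute path ending in /$name
                if [ -x "$line" ]; then
                    printf '%s\n' "$line"
                    return 0
                fi ;;
        esac
    done < "$shells_file"
    return 1
}

# Switch only for interactive logins, and never when already running zsh,
# so non-interactive sessions (scp, cron, display managers) are untouched.
PREFERRED_SHELL=zsh
case $- in
    *i*)
        if [ -z "${ZSH_VERSION:-}" ] &&
           target=$(find_allowed_shell "$PREFERRED_SHELL"); then
            exec "$target" --login
        fi ;;
esac
```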