Re: How to use Host Based Attributes with Class of Service

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 07/21/2015 06:19 AM, Paul Tobias wrote:

Hi guys,

In short: Can I use Class of Service[1] together with Host Based Attributes[2]? It doesn't work for me.

The directory server uses Host Based Attributes to give different loginshell on servers and desktops. The idea is that on a desktop machine a user can use /bin/bash as the shell. But on a server the users get /bin/bash4, which is a patched bash with audit logging. (And is not installed on desktops).

So a user entry looks like this:
  dn: uid=paul.tobias,ou=People,dc=example,dc=com
  loginShell: /bin/bash
  loginShell;bash4: /bin/bash4

And then on a server there is this line in sssd.conf:
  ldap_user_shell = loginShell;bash4

And everybody is happy.

The problem is I have to remember to add the `loginShell` and `loginShell;bash4` attributes to all new users, otherwise the user cannot log in and not everybody is happy.

To achieve this I've added Class of Service to have defaults for both of those loginshell attributes like this:
  dn: cn=user defaults cos,ou=people,dc=example,dc=com
  costemplatedn: cn=cos template,cn=user defaults cos,ou=people,dc=example,dc=com
  cosattribute: loginshell
  cosattribute: loginshell;bash4 override

And the matching template:
  dn: cn=cos template,cn=user defaults cos,ou=people,dc=example,dc=com
  loginshell: /bin/bash
  loginshell;bash4: /bin/bash4

After this I deleted both `loginShell` and `loginShell;bash4` attributes from the user entries. And this works well for the `loginshell` attribute, ldapsearch returns `loginShell: /bin/bash`, even if the user doesn't have `loginShell` at all, this is exactly what I want. But it doesn't work for the `loginshell;bash4` attribute, ldapsearch doesn't return `loginShell;bash4`, even if I try to query it directly. Is this a limitation of the implementation or am I doing something wrong?


Sounds like https://fedorahosted.org/389/ticket/69



Have a nice day,
Paul

[1] http://directory.fedoraproject.org/docs/389ds/howto/howto-classofservice.html
[2] http://www.port389.org/docs/389ds/howto/howto-hostbasedattributes.html
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux