Charles Hedrick via FreeIPA-users wrote:
> given the way sssd is designed, if we could restrict in IPA to a list, sssd
> could map anything that’s not on the local system to a fallback. But sssd
> isn’t set up so that random typos can get mapped to a fallback.

It is probably best to prevent bad data from getting in the entry in the
first place. A fallback would be nice though.

rob

>
>> On Jan 25, 2018, at 3:17 PM, Charles Hedrick via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> ugh. valid_shells is carefully designed so it can’t be used for this. But
>> doing it in sshd is probably the right answer.
>>
>>> On Jan 25, 2018, at 3:15 PM, Charles Hedrick via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>> looks like the real solution is valid_shells in sssd.conf. That will
>>> prevent people from damaging themselves.
>>>
>>>> On Jan 25, 2018, at 3:12 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>
>>>> Charles Hedrick via FreeIPA-users wrote:
>>>>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It can
>>>>> be hard to recover from, since you can’t log in.
>>>>>
>>>>> Is there a way to restrict what they can use? Traditionally only shells
>>>>> in /etc/shells were valid.
>>>>
>>>> There is no way currently.
>>>>
>>>> Note that part of the problem is which /etc/shells to use? Remember that
>>>> IPA is centralized and users may be using a number of different
>>>> operating systems. This is why the default shell is /bin/sh, because it
>>>> is nearly universal.
>>>>
>>>> It probably isn't a ton of work to add a new config option to provide a
>>>> set of valid shells, so feel free to file an RFE. I just don't know that
>>>> this sort of thing would be prioritized.
>>>>
>>>> We could probably help if you want to contribute something.
>>>>
>>>> rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
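
Since the thread establishes that IPA has no built-in restriction, one stopgap for "prevent bad data from getting in the entry in the first place" is a wrapper that vets the value before `ipa user-mod --shell` runs. This is an added example, not code from the thread or from FreeIPA; the allowlist contents, the function names and the `IPA_CMD` dry-run override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA code): vet a login shell against a site-wide
# allowlist before it is written to the IPA user entry.

# Constructed sample allowlist in /etc/shells format. Because IPA is
# centralized, list only shells that exist on every client OS you serve.
allowed_shells() {
    cat <<'EOF'
# site-wide login shells (constructed sample)
/bin/sh
/bin/bash
/usr/bin/zsh
/sbin/nologin
EOF
}

# shell_is_allowed PATH -> returns 0 only for an exact allowlist entry.
shell_is_allowed() {
    nl='
'
    case "$1" in
        *"$nl"*) return 1 ;;  # grep -F treats each line as its own pattern
        /*) ;;                # must be an absolute path
        *)  return 1 ;;
    esac
    # -x: whole-line match, -F: literal string (no regex, no prefix match).
    # Comment lines begin with '#', so an absolute path never matches one.
    allowed_shells | grep -qxF -- "$1"
}

# set_user_shell LOGIN SHELL -> calls "ipa user-mod" only for vetted shells.
# IPA_CMD is a hypothetical override so the wrapper can be dry-run with echo.
set_user_shell() {
    login=$1
    new_shell=$2
    if ! shell_is_allowed "$new_shell"; then
        echo "refusing shell '$new_shell' for $login: not in allowlist" >&2
        return 1
    fi
    ${IPA_CMD:-ipa} user-mod "$login" --shell="$new_shell"
}
```

A wrapper like this only covers changes made through it; anyone calling `ipa user-mod` directly or using the web UI bypasses the check, which is why the thread points at an RFE for a server-side option.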