[Freeipa-users] deny to change shell
Rob Crittenden
rcritten at redhat.com
Tue Jun 2 13:02:01 UTC 2015
Ivars Strazdiņš wrote:
> Hi,
> just another basic question, I am sorry to spam the list.
> Noticed that regular users can change their login shell in account settings.
> Is it possible to lock login shell property for a regular user?
> For a unix system, using standard PAM authentication, use of chsh
> command can be restricted.
> I could not find anything regarding this in IPA manual.
From the command-line on my 4.1 box:
$ kinit admin
$ ipa selfservice-show 'User Self service'
Copy the list of attributes and submit a new list without loginshell
$ ipa selfservice-mod --attrs={givenname,sn,cn,displayname,title,initials,gecos,homephone,mobile,pager,facsimiletelephonenumber,telephonenumber,street,roomnumber,l,st,postalcode,manager,secretary,description,carlicense,labeleduri,inetuserhttpurl,seealso,employeetype,businesscategory,ou} 'User Self service'
Probably easier in the web UI: IPA Server -> RBAC -> drop down -> Self
service Permissions
rob
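
The copy-and-resubmit step from the message above, as an added example that is not part of the original post or of FreeIPA itself: it parses `ipa selfservice-show` output, drops one attribute, prints the `selfservice-mod` command for review, and can check afterwards that the attribute is gone. The function names are hypothetical, and the sample output is constructed on the assumption that the rule's attributes appear on a comma-separated "Attributes:" line.

```shell
#!/bin/sh
# Constructed sample of `ipa selfservice-show` output. Assumed layout: an
# "Attributes:" line holding a comma-separated list.
sample_show_output() {
cat <<'EOF'
  Self-service name: User Self service
  Permissions: write
  Attributes: givenname, sn, cn, displayname, loginshell, title, gecos
EOF
}

# Read selfservice-show output on stdin; print one attribute per line,
# lowercased (LDAP attribute names are case-insensitive).
list_attrs() {
    sed -n 's/^[[:space:]]*Attributes:[[:space:]]*//p' |
        tr ',' '\n' | tr 'A-Z' 'a-z' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | awk 'NF'
}

# Succeed if attribute $1 is still user-writable according to stdin.
has_attr() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    list_attrs | grep -qxF -- "$want"
}

# Print the comma-separated attribute list from stdin without attribute $1.
attrs_without() {
    drop=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    list_attrs | awk -v drop="$drop" '$0 != drop' | paste -sd, -
}

# Print (do not run) the selfservice-mod command for rule $1 minus attribute $2.
# Repeated --attrs= options are what the --attrs={a,b} form expands to in bash.
build_mod_command() {
    rule=$1
    attrs=$(attrs_without "$2")
    [ -n "$attrs" ] || { echo "no Attributes line parsed" >&2; return 1; }
    opts=$(printf '%s' "$attrs" | sed 's/^/--attrs=/; s/,/ --attrs=/g')
    printf "ipa selfservice-mod %s '%s'\n" "$opts" "$rule"
}

# Usage on a real server, after `kinit admin`:
#   ipa selfservice-show 'User Self service' | build_mod_command 'User Self service' loginshell
#   ipa selfservice-show 'User Self service' | has_attr loginshell && echo "still writable"
```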