freeipaldap
I am using FreeIPA for Identity access management, i have to provide an active user list (audit requirement). I am using a ldapsearch but i am getting all the user (active+disabled) in the list. Kindly help me to get a user list which exclude disabled users from the list.
Query used:
ldapsearch -h -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=,cn=users,cn=accounts,dc=example,dc=com" -W -x "uid" "gecos" "ntUserLastLogon" "displayName" "employeeType=ENABLED"
On your domain object, you need to assign the querying user the "Read MemberOf" right to User objects.
That should set it up so that the specified account can read the group memberships of all User accounts in the domain.
You are aware that you can move into the sysadm_r role as staff_u right?
For example, the following below would work.
myuser ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r PASSWD: ALL
This will allow you to do (almost) what you can do as root as unconfined.
Oh and one final tip. Using su is a bit tricky with RBAC (it does a lot of stuff which gets it into all sorts of places). Instead you can use the runuser command which does the same thing without a lot of su overheads.
I actually restrict su use in sudoers like so;
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r NOPASSWD: ALL, ! /bin/su
Because by default the SELinux policy doesn't allow the sudo transition to manage the necessary signals. Really people should probably just use sudo -i anyway.
I normally hardlink runuser to ru as a two-letter replacement for people who prefer to run sudo su - out of a bad habit (like me!).
Best Answer
Try with
"(nsaccountlock=TRUE)"instead of"employeetype=enabled"