Sorry for the strange subject, but I wasn't sure how to make this question pithy.
I have several hosts that authenticate off the same OpenLDAP server using nss-ldap and pam-ldap. The problem is that not every shell that users may want is installed on every single host. Some of the hosts aren't Linux-based, and have the shells in various directories other than /bin. Short of installing every shell on every host and coming up with a canonical list of paths (which is a highly unpleasant prospect when looking at networks with lots of machines from different vendors), is there a way to get nss_ldap to "rewrite" the 'loginShell' attribute returned by the LDAP server to something reasonable on the local server?

For example, if the user's configured shell is /bin/bash, and bash lives in /usr/local/bin/bash on the local system, then I'd like a re-writing rule similar to:

    map loginShells: /bin/bash => /usr/local/bin/bash

Likewise, if the user wants /bin/zsh, but it isn't installed, then I'd like to substitute bash with a rule like:

    map loginShells: /bin/zsh => /bin/bash

Even better would be an "alternatives-like" list that could be shared across machines, like:

    when loginShells == /bin/bash try:
        /bin/bash /usr/local/bin/bash /bin/sh
    when loginShells == /bin/zsh try:
        /bin/zsh /usr/local/bin/zsh /usr/ksh /usr/local/bin/ksh /bin/sh

so that, given a particular value of 'loginShells', the first available entry is executed. I'm reasonably sure that this ideal solution doesn't exist, but I've been pleasantly surprised before. How have people in this situation managed this problem?

-- 
Kirk Strauser
In Googlis non est, ergo non est.
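As an added illustration (not from the original post, and not an nss_ldap feature), here is a small POSIX sh resolver for the "alternatives-like" table the post proposes: given the loginShell value handed back by LDAP, it returns the first candidate that is actually executable on the local host, and falls back to /bin/sh. The table format, the SHELL_MAP path and the rule contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Map an LDAP loginShell value to the first candidate shell that exists
# locally. This is an external helper; nss_ldap has no such rewrite option.

# Rule table, one rule per line:  <ldap value>: <candidate> <candidate> ...
# (constructed format; the path is an assumption, overridable via SHELL_MAP)
SHELL_MAP="${SHELL_MAP:-$(mktemp)}"

write_sample_map() {
    # Constructed sample rules mirroring the ones proposed in the post.
    cat > "$SHELL_MAP" <<'EOF'
/bin/bash: /bin/bash /usr/local/bin/bash /bin/sh
/bin/zsh: /bin/zsh /usr/local/bin/zsh /usr/ksh /usr/local/bin/ksh /bin/sh
EOF
}

# resolve_shell <ldap loginShell>
# Prints the first executable candidate from the matching rule. A value with
# no rule is kept if it is executable here. If nothing usable is found,
# prints /bin/sh and returns 1 so callers can log the substitution.
resolve_shell() {
    ldap_shell=$1
    candidates=$(awk -v key="$ldap_shell:" \
        '$1 == key { $1 = ""; print; exit }' "$SHELL_MAP")
    [ -n "$candidates" ] || candidates=$ldap_shell
    for cand in $candidates; do
        if [ -x "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    printf '%s\n' /bin/sh
    return 1
}

# Demonstration on this host: which shell each LDAP value would map to.
write_sample_map
for s in /bin/bash /bin/zsh /usr/bin/fish; do
    printf '%s -> %s\n' "$s" "$(resolve_shell "$s" || true)"
done
```

The non-zero return on fallback is the part worth keeping: an unexpected substitution of /bin/sh for a user's configured shell is something an admin wants logged, not silently applied.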