Set $PATH as OpenLDAP attribute
Clash Royale CLAN TAG#URR8PPP
I need to set $PATH
for OpenLDAP users (CentOS6/7). Not in .profile
, not in .bashrc
on client machine, but as attribute in LDAP on the LDAP server so it is set whenever the user logs onto any host via ssh
. Nothing on client side -- LDAP server only. Is it possible? How to do it?
centos users path openldap
add a comment |
I need to set $PATH
for OpenLDAP users (CentOS6/7). Not in .profile
, not in .bashrc
on client machine, but as attribute in LDAP on the LDAP server so it is set whenever the user logs onto any host via ssh
. Nothing on client side -- LDAP server only. Is it possible? How to do it?
centos users path openldap
this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
– thrig
Dec 13 at 16:05
add a comment |
I need to set $PATH
for OpenLDAP users (CentOS6/7). Not in .profile
, not in .bashrc
on client machine, but as attribute in LDAP on the LDAP server so it is set whenever the user logs onto any host via ssh
. Nothing on client side -- LDAP server only. Is it possible? How to do it?
centos users path openldap
I need to set $PATH
for OpenLDAP users (CentOS6/7). Not in .profile
, not in .bashrc
on client machine, but as attribute in LDAP on the LDAP server so it is set whenever the user logs onto any host via ssh
. Nothing on client side -- LDAP server only. Is it possible? How to do it?
centos users path openldap
centos users path openldap
edited Dec 13 at 13:45
Jeff Schaller
38.5k1053125
38.5k1053125
asked Dec 13 at 13:00
just_a_noob
163
163
this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
– thrig
Dec 13 at 16:05
add a comment |
this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
– thrig
Dec 13 at 16:05
this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
– thrig
Dec 13 at 16:05
this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
– thrig
Dec 13 at 16:05
add a comment |
2 Answers
2
active
oldest
votes
An LDAP directory only stores data, you need the LDAP client layer (e.g. pam_ldap
) to do things with it. Unlike NetWare/ActiveDirectory, having a login script in the directory as a user property isn't a standard thing in other environments, and there is no standard attribute to store [a path to] such a script (though labelledURI
is a candidate).
With PAM+NSS, only a handful of "databases" which you can point to LDAP are supported (passwd, groups, etc see nsswitch.conf(5)
) none of which might make this easier.
Neither PADL pam_ldap
nor nss-pam-ldap
offer any flexible kind of LDAP attribute processing beyond filling out the basic getpwent()
password
structure fields.
But, there are perhaps a couple of workarounds, though none can meet your "nothing on client side" requirement.
Use
pam_exec
orpam_script
, as these are run as child processes of login they cannot effect environment changes directly, but you could script something that made sure that the correctPATH
always appeared within or at the end of.profile
(depending on robustness requirements)Use
/etc/profile
to fetch user attributes from LDAP, then setPATH
accordingly (though you may find it tricky to prevent.profile
overwriting it)Modify
pam_unix
to allow and support misuse of theloginShell
attribute prefixed with variables, likePATH=/opt/thing/bin /bin/bash
(will not work with PADL, AFAICT)Modify
pam_umask
, the Linux PAMpam_umask
already processes extra information from the gecos field like "umask=nnnn,ulimit=nnnn" so there's some precedent here.Modify
pam_ldap
to save LDAP attributes as PAM "data" viapam_set_data()
, then usepam_get_data()
in another PAM module to process them (I did this a long time ago, in my case it was to create users on-demand in an SQL user database using details from their LDAP attributes).pam_env
is a good candidate here.There's a similar concept for PAM "items" (
pam_set_item()
/pam_get_item()
) for a small set of data items (the previous PAM data concept is for arbitrary name/value data),pam_env
supports a syntax of@PAM_itemname
to set environment values using these - you might be able to misuse an item likePAM_XDISPLAY
.pam_ldap
already sets a handful of items, so this is likely the simplest code change.
(To be clear, by "modify" I mean "change the source", so those solutions entail both configuration and binary deployments on clients.)
Here's a (robust-ish) bash example that could be made to work with the first two options:
while read line; do
[[ "$line" =~ ^description: setenv ([a-zA-Z_][a-zA-Z0-9_]+)=(.*) ]] &&
export "$BASH_REMATCH[1]"="$BASH_REMATCH[2]"
done < <(ldapsearch -LLL -o ldif-wrap=no -H ldap://ldap0/ -b $LDAPBASE
-s sub "(&(objectClass=posixAccount)(uid=$USER))" description
given one or more "description" attributes per-user of the form:
setenv MYVAR=MYVALUE
Here we're engaging in the dubious practise of stuffing non-description data into the "description" attribute, a handy way to store up to 1024 characters in a multi-valued attribute. This is a simple approach, using ldapsearch
you will likely run into trouble if/when values/types cause base64 encoding output.
Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
– just_a_noob
Dec 13 at 18:07
add a comment |
Problem solved, althrough not the way I wanted.
Used puppet to populate .profile files containing export PATH=$PATH:/xxxxxxxx directive.
Combined with removal of ldap entry "shell=binbash" it enabled correct setting of PATH variable.
Thank you for your extensive answer mr spuratic, it was a pleasure to delve into the matter.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f487755%2fset-path-as-openldap-attribute%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
An LDAP directory only stores data, you need the LDAP client layer (e.g. pam_ldap
) to do things with it. Unlike NetWare/ActiveDirectory, having a login script in the directory as a user property isn't a standard thing in other environments, and there is no standard attribute to store [a path to] such a script (though labelledURI
is a candidate).
With PAM+NSS, only a handful of "databases" which you can point to LDAP are supported (passwd, groups, etc see nsswitch.conf(5)
) none of which might make this easier.
Neither PADL pam_ldap
nor nss-pam-ldap
offer any flexible kind of LDAP attribute processing beyond filling out the basic getpwent()
password
structure fields.
But, there are perhaps a couple of workarounds, though none can meet your "nothing on client side" requirement.
Use
pam_exec
orpam_script
, as these are run as child processes of login they cannot effect environment changes directly, but you could script something that made sure that the correctPATH
always appeared within or at the end of.profile
(depending on robustness requirements)Use
/etc/profile
to fetch user attributes from LDAP, then setPATH
accordingly (though you may find it tricky to prevent.profile
overwriting it)Modify
pam_unix
to allow and support misuse of theloginShell
attribute prefixed with variables, likePATH=/opt/thing/bin /bin/bash
(will not work with PADL, AFAICT)Modify
pam_umask
, the Linux PAMpam_umask
already processes extra information from the gecos field like "umask=nnnn,ulimit=nnnn" so there's some precedent here.Modify
pam_ldap
to save LDAP attributes as PAM "data" viapam_set_data()
, then usepam_get_data()
in another PAM module to process them (I did this a long time ago, in my case it was to create users on-demand in an SQL user database using details from their LDAP attributes).pam_env
is a good candidate here.There's a similar concept for PAM "items" (
pam_set_item()
/pam_get_item()
) for a small set of data items (the previous PAM data concept is for arbitrary name/value data),pam_env
supports a syntax of@PAM_itemname
to set environment values using these - you might be able to misuse an item likePAM_XDISPLAY
.pam_ldap
already sets a handful of items, so this is likely the simplest code change.
(To be clear, by "modify" I mean "change the source", so those solutions entail both configuration and binary deployments on clients.)
Here's a (robust-ish) bash example that could be made to work with the first two options:
while read line; do
[[ "$line" =~ ^description: setenv ([a-zA-Z_][a-zA-Z0-9_]+)=(.*) ]] &&
export "$BASH_REMATCH[1]"="$BASH_REMATCH[2]"
done < <(ldapsearch -LLL -o ldif-wrap=no -H ldap://ldap0/ -b $LDAPBASE
-s sub "(&(objectClass=posixAccount)(uid=$USER))" description
given one or more "description" attributes per-user of the form:
setenv MYVAR=MYVALUE
Here we're engaging in the dubious practise of stuffing non-description data into the "description" attribute, a handy way to store up to 1024 characters in a multi-valued attribute. This is a simple approach, using ldapsearch
you will likely run into trouble if/when values/types cause base64 encoding output.
Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
– just_a_noob
Dec 13 at 18:07
add a comment |
An LDAP directory only stores data, you need the LDAP client layer (e.g. pam_ldap
) to do things with it. Unlike NetWare/ActiveDirectory, having a login script in the directory as a user property isn't a standard thing in other environments, and there is no standard attribute to store [a path to] such a script (though labelledURI
is a candidate).
With PAM+NSS, only a handful of "databases" which you can point to LDAP are supported (passwd, groups, etc see nsswitch.conf(5)
) none of which might make this easier.
Neither PADL pam_ldap
nor nss-pam-ldap
offer any flexible kind of LDAP attribute processing beyond filling out the basic getpwent()
password
structure fields.
But, there are perhaps a couple of workarounds, though none can meet your "nothing on client side" requirement.
Use
pam_exec
orpam_script
, as these are run as child processes of login they cannot effect environment changes directly, but you could script something that made sure that the correctPATH
always appeared within or at the end of.profile
(depending on robustness requirements)Use
/etc/profile
to fetch user attributes from LDAP, then setPATH
accordingly (though you may find it tricky to prevent.profile
overwriting it)Modify
pam_unix
to allow and support misuse of theloginShell
attribute prefixed with variables, likePATH=/opt/thing/bin /bin/bash
(will not work with PADL, AFAICT)Modify
pam_umask
, the Linux PAMpam_umask
already processes extra information from the gecos field like "umask=nnnn,ulimit=nnnn" so there's some precedent here.Modify
pam_ldap
to save LDAP attributes as PAM "data" viapam_set_data()
, then usepam_get_data()
in another PAM module to process them (I did this a long time ago, in my case it was to create users on-demand in an SQL user database using details from their LDAP attributes).pam_env
is a good candidate here.There's a similar concept for PAM "items" (
pam_set_item()
/pam_get_item()
) for a small set of data items (the previous PAM data concept is for arbitrary name/value data),pam_env
supports a syntax of@PAM_itemname
to set environment values using these - you might be able to misuse an item likePAM_XDISPLAY
.pam_ldap
already sets a handful of items, so this is likely the simplest code change.
(To be clear, by "modify" I mean "change the source", so those solutions entail both configuration and binary deployments on clients.)
Here's a (robust-ish) bash example that could be made to work with the first two options:
while read line; do
[[ "$line" =~ ^description: setenv ([a-zA-Z_][a-zA-Z0-9_]+)=(.*) ]] &&
export "$BASH_REMATCH[1]"="$BASH_REMATCH[2]"
done < <(ldapsearch -LLL -o ldif-wrap=no -H ldap://ldap0/ -b $LDAPBASE
-s sub "(&(objectClass=posixAccount)(uid=$USER))" description
given one or more "description" attributes per-user of the form:
setenv MYVAR=MYVALUE
Here we're engaging in the dubious practise of stuffing non-description data into the "description" attribute, a handy way to store up to 1024 characters in a multi-valued attribute. This is a simple approach, using ldapsearch
you will likely run into trouble if/when values/types cause base64 encoding output.
Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
– just_a_noob
Dec 13 at 18:07
add a comment |
An LDAP directory only stores data, you need the LDAP client layer (e.g. pam_ldap
) to do things with it. Unlike NetWare/ActiveDirectory, having a login script in the directory as a user property isn't a standard thing in other environments, and there is no standard attribute to store [a path to] such a script (though labelledURI
is a candidate).
With PAM+NSS, only a handful of "databases" which you can point to LDAP are supported (passwd, groups, etc see nsswitch.conf(5)
) none of which might make this easier.
Neither PADL pam_ldap
nor nss-pam-ldap
offer any flexible kind of LDAP attribute processing beyond filling out the basic getpwent()
password
structure fields.
But, there are perhaps a couple of workarounds, though none can meet your "nothing on client side" requirement.
Use
pam_exec
orpam_script
, as these are run as child processes of login they cannot effect environment changes directly, but you could script something that made sure that the correctPATH
always appeared within or at the end of.profile
(depending on robustness requirements)Use
/etc/profile
to fetch user attributes from LDAP, then setPATH
accordingly (though you may find it tricky to prevent.profile
overwriting it)Modify
pam_unix
to allow and support misuse of theloginShell
attribute prefixed with variables, likePATH=/opt/thing/bin /bin/bash
(will not work with PADL, AFAICT)Modify
pam_umask
, the Linux PAMpam_umask
already processes extra information from the gecos field like "umask=nnnn,ulimit=nnnn" so there's some precedent here.Modify
pam_ldap
to save LDAP attributes as PAM "data" viapam_set_data()
, then usepam_get_data()
in another PAM module to process them (I did this a long time ago, in my case it was to create users on-demand in an SQL user database using details from their LDAP attributes).pam_env
is a good candidate here.There's a similar concept for PAM "items" (
pam_set_item()
/pam_get_item()
) for a small set of data items (the previous PAM data concept is for arbitrary name/value data),pam_env
supports a syntax of@PAM_itemname
to set environment values using these - you might be able to misuse an item likePAM_XDISPLAY
.pam_ldap
already sets a handful of items, so this is likely the simplest code change.
(To be clear, by "modify" I mean "change the source", so those solutions entail both configuration and binary deployments on clients.)
Here's a (robust-ish) bash example that could be made to work with the first two options:
while read line; do
[[ "$line" =~ ^description: setenv ([a-zA-Z_][a-zA-Z0-9_]+)=(.*) ]] &&
export "$BASH_REMATCH[1]"="$BASH_REMATCH[2]"
done < <(ldapsearch -LLL -o ldif-wrap=no -H ldap://ldap0/ -b $LDAPBASE
-s sub "(&(objectClass=posixAccount)(uid=$USER))" description
given one or more "description" attributes per-user of the form:
setenv MYVAR=MYVALUE
Here we're engaging in the dubious practise of stuffing non-description data into the "description" attribute, a handy way to store up to 1024 characters in a multi-valued attribute. This is a simple approach, using ldapsearch
you will likely run into trouble if/when values/types cause base64 encoding output.
An LDAP directory only stores data, you need the LDAP client layer (e.g. pam_ldap
) to do things with it. Unlike NetWare/ActiveDirectory, having a login script in the directory as a user property isn't a standard thing in other environments, and there is no standard attribute to store [a path to] such a script (though labelledURI
is a candidate).
With PAM+NSS, only a handful of "databases" which you can point to LDAP are supported (passwd, groups, etc see nsswitch.conf(5)
) none of which might make this easier.
Neither PADL pam_ldap
nor nss-pam-ldap
offer any flexible kind of LDAP attribute processing beyond filling out the basic getpwent()
password
structure fields.
But, there are perhaps a couple of workarounds, though none can meet your "nothing on client side" requirement.
Use
pam_exec
orpam_script
, as these are run as child processes of login they cannot effect environment changes directly, but you could script something that made sure that the correctPATH
always appeared within or at the end of.profile
(depending on robustness requirements)Use
/etc/profile
to fetch user attributes from LDAP, then setPATH
accordingly (though you may find it tricky to prevent.profile
overwriting it)Modify
pam_unix
to allow and support misuse of theloginShell
attribute prefixed with variables, likePATH=/opt/thing/bin /bin/bash
(will not work with PADL, AFAICT)Modify
pam_umask
, the Linux PAMpam_umask
already processes extra information from the gecos field like "umask=nnnn,ulimit=nnnn" so there's some precedent here.Modify
pam_ldap
to save LDAP attributes as PAM "data" viapam_set_data()
, then usepam_get_data()
in another PAM module to process them (I did this a long time ago, in my case it was to create users on-demand in an SQL user database using details from their LDAP attributes).pam_env
is a good candidate here.There's a similar concept for PAM "items" (
pam_set_item()
/pam_get_item()
) for a small set of data items (the previous PAM data concept is for arbitrary name/value data),pam_env
supports a syntax of@PAM_itemname
to set environment values using these - you might be able to misuse an item likePAM_XDISPLAY
.pam_ldap
already sets a handful of items, so this is likely the simplest code change.
(To be clear, by "modify" I mean "change the source", so those solutions entail both configuration and binary deployments on clients.)
Here's a (robust-ish) bash example that could be made to work with the first two options:
while read line; do
[[ "$line" =~ ^description: setenv ([a-zA-Z_][a-zA-Z0-9_]+)=(.*) ]] &&
export "$BASH_REMATCH[1]"="$BASH_REMATCH[2]"
done < <(ldapsearch -LLL -o ldif-wrap=no -H ldap://ldap0/ -b $LDAPBASE
-s sub "(&(objectClass=posixAccount)(uid=$USER))" description
given one or more "description" attributes per-user of the form:
setenv MYVAR=MYVALUE
Here we're engaging in the dubious practise of stuffing non-description data into the "description" attribute, a handy way to store up to 1024 characters in a multi-valued attribute. This is a simple approach, using ldapsearch
you will likely run into trouble if/when values/types cause base64 encoding output.
edited Dec 14 at 10:59
answered Dec 13 at 17:28
mr.spuratic
6,7561028
6,7561028
Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
– just_a_noob
Dec 13 at 18:07
add a comment |
Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
– just_a_noob
Dec 13 at 18:07
Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
– just_a_noob
Dec 13 at 18:07
Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
– just_a_noob
Dec 13 at 18:07
add a comment |
Problem solved, althrough not the way I wanted.
Used puppet to populate .profile files containing export PATH=$PATH:/xxxxxxxx directive.
Combined with removal of ldap entry "shell=binbash" it enabled correct setting of PATH variable.
Thank you for your extensive answer mr spuratic, it was a pleasure to delve into the matter.
add a comment |
Problem solved, althrough not the way I wanted.
Used puppet to populate .profile files containing export PATH=$PATH:/xxxxxxxx directive.
Combined with removal of ldap entry "shell=binbash" it enabled correct setting of PATH variable.
Thank you for your extensive answer mr spuratic, it was a pleasure to delve into the matter.
add a comment |
Problem solved, althrough not the way I wanted.
Used puppet to populate .profile files containing export PATH=$PATH:/xxxxxxxx directive.
Combined with removal of ldap entry "shell=binbash" it enabled correct setting of PATH variable.
Thank you for your extensive answer mr spuratic, it was a pleasure to delve into the matter.
Problem solved, althrough not the way I wanted.
Used puppet to populate .profile files containing export PATH=$PATH:/xxxxxxxx directive.
Combined with removal of ldap entry "shell=binbash" it enabled correct setting of PATH variable.
Thank you for your extensive answer mr spuratic, it was a pleasure to delve into the matter.
answered Dec 18 at 14:44
just_a_noob
163
163
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f487755%2fset-path-as-openldap-attribute%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
– thrig
Dec 13 at 16:05