Set $PATH as OpenLDAP attribute

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












2














I need to set $PATH for OpenLDAP users (CentOS6/7). Not in .profile, not in .bashrc on client machine, but as attribute in LDAP on the LDAP server so it is set whenever the user logs onto any host via ssh. Nothing on client side -- LDAP server only. Is it possible? How to do it?










share|improve this question























  • this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
    – thrig
    Dec 13 at 16:05















2














I need to set $PATH for OpenLDAP users (CentOS6/7). Not in .profile, not in .bashrc on client machine, but as attribute in LDAP on the LDAP server so it is set whenever the user logs onto any host via ssh. Nothing on client side -- LDAP server only. Is it possible? How to do it?










share|improve this question























  • this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
    – thrig
    Dec 13 at 16:05













2












2








2







I need to set $PATH for OpenLDAP users (CentOS6/7). Not in .profile, not in .bashrc on client machine, but as attribute in LDAP on the LDAP server so it is set whenever the user logs onto any host via ssh. Nothing on client side -- LDAP server only. Is it possible? How to do it?










share|improve this question















I need to set $PATH for OpenLDAP users (CentOS6/7). Not in .profile, not in .bashrc on client machine, but as attribute in LDAP on the LDAP server so it is set whenever the user logs onto any host via ssh. Nothing on client side -- LDAP server only. Is it possible? How to do it?







centos users path openldap






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 13 at 13:45









Jeff Schaller

38.5k1053125




38.5k1053125










asked Dec 13 at 13:00









just_a_noob

163




163











  • this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
    – thrig
    Dec 13 at 16:05
















  • this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
    – thrig
    Dec 13 at 16:05















this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
– thrig
Dec 13 at 16:05




this will require code on the client that gets some attribute from LDAP and sticks it into the environment list, somehow
– thrig
Dec 13 at 16:05










2 Answers
2






active

oldest

votes


















0














An LDAP directory only stores data, you need the LDAP client layer (e.g. pam_ldap) to do things with it. Unlike NetWare/ActiveDirectory, having a login script in the directory as a user property isn't a standard thing in other environments, and there is no standard attribute to store [a path to] such a script (though labelledURI is a candidate).



With PAM+NSS, only a handful of "databases" which you can point to LDAP are supported (passwd, groups, etc see nsswitch.conf(5)) none of which might make this easier.



Neither PADL pam_ldap nor nss-pam-ldap offer any flexible kind of LDAP attribute processing beyond filling out the basic getpwent() password structure fields.



But, there are perhaps a couple of workarounds, though none can meet your "nothing on client side" requirement.



  1. Use pam_exec or pam_script, as these are run as child processes of login they cannot effect environment changes directly, but you could script something that made sure that the correct PATH always appeared within or at the end of .profile (depending on robustness requirements)


  2. Use /etc/profile to fetch user attributes from LDAP, then set PATH accordingly (though you may find it tricky to prevent .profile overwriting it)


  3. Modify pam_unix to allow and support misuse of the loginShell attribute prefixed with variables, like PATH=/opt/thing/bin /bin/bash (will not work with PADL, AFAICT)


  4. Modify pam_umask, the Linux PAM pam_umask already processes extra information from the gecos field like "umask=nnnn,ulimit=nnnn" so there's some precedent here.


  5. Modify pam_ldap to save LDAP attributes as PAM "data" via pam_set_data(), then use pam_get_data() in another PAM module to process them (I did this a long time ago, in my case it was to create users on-demand in an SQL user database using details from their LDAP attributes). pam_env is a good candidate here.


  6. There's a similar concept for PAM "items" (pam_set_item()/pam_get_item()) for a small set of data items (the previous PAM data concept is for arbitrary name/value data), pam_env supports a syntax of @PAM_itemname to set environment values using these - you might be able to misuse an item like PAM_XDISPLAY. pam_ldap already sets a handful of items, so this is likely the simplest code change.


(To be clear, by "modify" I mean "change the source", so those solutions entail both configuration and binary deployments on clients.)



Here's a (robust-ish) bash example that could be made to work with the first two options:



 while read line; do
[[ "$line" =~ ^description: setenv ([a-zA-Z_][a-zA-Z0-9_]+)=(.*) ]] &&
export "$BASH_REMATCH[1]"="$BASH_REMATCH[2]"

done < <(ldapsearch -LLL -o ldif-wrap=no -H ldap://ldap0/ -b $LDAPBASE
-s sub "(&(objectClass=posixAccount)(uid=$USER))" description


given one or more "description" attributes per-user of the form:



setenv MYVAR=MYVALUE


Here we're engaging in the dubious practise of stuffing non-description data into the "description" attribute, a handy way to store up to 1024 characters in a multi-valued attribute. This is a simple approach, using ldapsearch you will likely run into trouble if/when values/types cause base64 encoding output.






share|improve this answer






















  • Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
    – just_a_noob
    Dec 13 at 18:07


















0














Problem solved, althrough not the way I wanted.
Used puppet to populate .profile files containing export PATH=$PATH:/xxxxxxxx directive.
Combined with removal of ldap entry "shell=binbash" it enabled correct setting of PATH variable.



Thank you for your extensive answer mr spuratic, it was a pleasure to delve into the matter.






share|improve this answer




















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f487755%2fset-path-as-openldap-attribute%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    An LDAP directory only stores data, you need the LDAP client layer (e.g. pam_ldap) to do things with it. Unlike NetWare/ActiveDirectory, having a login script in the directory as a user property isn't a standard thing in other environments, and there is no standard attribute to store [a path to] such a script (though labelledURI is a candidate).



    With PAM+NSS, only a handful of "databases" which you can point to LDAP are supported (passwd, groups, etc see nsswitch.conf(5)) none of which might make this easier.



    Neither PADL pam_ldap nor nss-pam-ldap offer any flexible kind of LDAP attribute processing beyond filling out the basic getpwent() password structure fields.



    But, there are perhaps a couple of workarounds, though none can meet your "nothing on client side" requirement.



    1. Use pam_exec or pam_script, as these are run as child processes of login they cannot effect environment changes directly, but you could script something that made sure that the correct PATH always appeared within or at the end of .profile (depending on robustness requirements)


    2. Use /etc/profile to fetch user attributes from LDAP, then set PATH accordingly (though you may find it tricky to prevent .profile overwriting it)


    3. Modify pam_unix to allow and support misuse of the loginShell attribute prefixed with variables, like PATH=/opt/thing/bin /bin/bash (will not work with PADL, AFAICT)


    4. Modify pam_umask, the Linux PAM pam_umask already processes extra information from the gecos field like "umask=nnnn,ulimit=nnnn" so there's some precedent here.


    5. Modify pam_ldap to save LDAP attributes as PAM "data" via pam_set_data(), then use pam_get_data() in another PAM module to process them (I did this a long time ago, in my case it was to create users on-demand in an SQL user database using details from their LDAP attributes). pam_env is a good candidate here.


    6. There's a similar concept for PAM "items" (pam_set_item()/pam_get_item()) for a small set of data items (the previous PAM data concept is for arbitrary name/value data), pam_env supports a syntax of @PAM_itemname to set environment values using these - you might be able to misuse an item like PAM_XDISPLAY. pam_ldap already sets a handful of items, so this is likely the simplest code change.


    (To be clear, by "modify" I mean "change the source", so those solutions entail both configuration and binary deployments on clients.)



    Here's a (robust-ish) bash example that could be made to work with the first two options:



     while read line; do
    [[ "$line" =~ ^description: setenv ([a-zA-Z_][a-zA-Z0-9_]+)=(.*) ]] &&
    export "$BASH_REMATCH[1]"="$BASH_REMATCH[2]"

    done < <(ldapsearch -LLL -o ldif-wrap=no -H ldap://ldap0/ -b $LDAPBASE
    -s sub "(&(objectClass=posixAccount)(uid=$USER))" description


    given one or more "description" attributes per-user of the form:



    setenv MYVAR=MYVALUE


    Here we're engaging in the dubious practise of stuffing non-description data into the "description" attribute, a handy way to store up to 1024 characters in a multi-valued attribute. This is a simple approach, using ldapsearch you will likely run into trouble if/when values/types cause base64 encoding output.






    share|improve this answer






















    • Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
      – just_a_noob
      Dec 13 at 18:07















    0














    An LDAP directory only stores data, you need the LDAP client layer (e.g. pam_ldap) to do things with it. Unlike NetWare/ActiveDirectory, having a login script in the directory as a user property isn't a standard thing in other environments, and there is no standard attribute to store [a path to] such a script (though labelledURI is a candidate).



    With PAM+NSS, only a handful of "databases" which you can point to LDAP are supported (passwd, groups, etc see nsswitch.conf(5)) none of which might make this easier.



    Neither PADL pam_ldap nor nss-pam-ldap offer any flexible kind of LDAP attribute processing beyond filling out the basic getpwent() password structure fields.



    But, there are perhaps a couple of workarounds, though none can meet your "nothing on client side" requirement.



    1. Use pam_exec or pam_script, as these are run as child processes of login they cannot effect environment changes directly, but you could script something that made sure that the correct PATH always appeared within or at the end of .profile (depending on robustness requirements)


    2. Use /etc/profile to fetch user attributes from LDAP, then set PATH accordingly (though you may find it tricky to prevent .profile overwriting it)


    3. Modify pam_unix to allow and support misuse of the loginShell attribute prefixed with variables, like PATH=/opt/thing/bin /bin/bash (will not work with PADL, AFAICT)


    4. Modify pam_umask, the Linux PAM pam_umask already processes extra information from the gecos field like "umask=nnnn,ulimit=nnnn" so there's some precedent here.


    5. Modify pam_ldap to save LDAP attributes as PAM "data" via pam_set_data(), then use pam_get_data() in another PAM module to process them (I did this a long time ago, in my case it was to create users on-demand in an SQL user database using details from their LDAP attributes). pam_env is a good candidate here.


    6. There's a similar concept for PAM "items" (pam_set_item()/pam_get_item()) for a small set of data items (the previous PAM data concept is for arbitrary name/value data), pam_env supports a syntax of @PAM_itemname to set environment values using these - you might be able to misuse an item like PAM_XDISPLAY. pam_ldap already sets a handful of items, so this is likely the simplest code change.


    (To be clear, by "modify" I mean "change the source", so those solutions entail both configuration and binary deployments on clients.)



    Here's a (robust-ish) bash example that could be made to work with the first two options:



     while read line; do
    [[ "$line" =~ ^description: setenv ([a-zA-Z_][a-zA-Z0-9_]+)=(.*) ]] &&
    export "$BASH_REMATCH[1]"="$BASH_REMATCH[2]"

    done < <(ldapsearch -LLL -o ldif-wrap=no -H ldap://ldap0/ -b $LDAPBASE
    -s sub "(&(objectClass=posixAccount)(uid=$USER))" description


    given one or more "description" attributes per-user of the form:



    setenv MYVAR=MYVALUE


    Here we're engaging in the dubious practise of stuffing non-description data into the "description" attribute, a handy way to store up to 1024 characters in a multi-valued attribute. This is a simple approach, using ldapsearch you will likely run into trouble if/when values/types cause base64 encoding output.






    share|improve this answer






















    • Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
      – just_a_noob
      Dec 13 at 18:07













    0












    0








    0






    An LDAP directory only stores data, you need the LDAP client layer (e.g. pam_ldap) to do things with it. Unlike NetWare/ActiveDirectory, having a login script in the directory as a user property isn't a standard thing in other environments, and there is no standard attribute to store [a path to] such a script (though labelledURI is a candidate).



    With PAM+NSS, only a handful of "databases" which you can point to LDAP are supported (passwd, groups, etc see nsswitch.conf(5)) none of which might make this easier.



    Neither PADL pam_ldap nor nss-pam-ldap offer any flexible kind of LDAP attribute processing beyond filling out the basic getpwent() password structure fields.



    But, there are perhaps a couple of workarounds, though none can meet your "nothing on client side" requirement.



    1. Use pam_exec or pam_script, as these are run as child processes of login they cannot effect environment changes directly, but you could script something that made sure that the correct PATH always appeared within or at the end of .profile (depending on robustness requirements)


    2. Use /etc/profile to fetch user attributes from LDAP, then set PATH accordingly (though you may find it tricky to prevent .profile overwriting it)


    3. Modify pam_unix to allow and support misuse of the loginShell attribute prefixed with variables, like PATH=/opt/thing/bin /bin/bash (will not work with PADL, AFAICT)


    4. Modify pam_umask, the Linux PAM pam_umask already processes extra information from the gecos field like "umask=nnnn,ulimit=nnnn" so there's some precedent here.


    5. Modify pam_ldap to save LDAP attributes as PAM "data" via pam_set_data(), then use pam_get_data() in another PAM module to process them (I did this a long time ago, in my case it was to create users on-demand in an SQL user database using details from their LDAP attributes). pam_env is a good candidate here.


    6. There's a similar concept for PAM "items" (pam_set_item()/pam_get_item()) for a small set of data items (the previous PAM data concept is for arbitrary name/value data), pam_env supports a syntax of @PAM_itemname to set environment values using these - you might be able to misuse an item like PAM_XDISPLAY. pam_ldap already sets a handful of items, so this is likely the simplest code change.


    (To be clear, by "modify" I mean "change the source", so those solutions entail both configuration and binary deployments on clients.)



    Here's a (robust-ish) bash example that could be made to work with the first two options:



     while read line; do
    [[ "$line" =~ ^description: setenv ([a-zA-Z_][a-zA-Z0-9_]+)=(.*) ]] &&
    export "$BASH_REMATCH[1]"="$BASH_REMATCH[2]"

    done < <(ldapsearch -LLL -o ldif-wrap=no -H ldap://ldap0/ -b $LDAPBASE
    -s sub "(&(objectClass=posixAccount)(uid=$USER))" description


    given one or more "description" attributes per-user of the form:



    setenv MYVAR=MYVALUE


    Here we're engaging in the dubious practise of stuffing non-description data into the "description" attribute, a handy way to store up to 1024 characters in a multi-valued attribute. This is a simple approach, using ldapsearch you will likely run into trouble if/when values/types cause base64 encoding output.






    share|improve this answer














    An LDAP directory only stores data, you need the LDAP client layer (e.g. pam_ldap) to do things with it. Unlike NetWare/ActiveDirectory, having a login script in the directory as a user property isn't a standard thing in other environments, and there is no standard attribute to store [a path to] such a script (though labelledURI is a candidate).



    With PAM+NSS, only a handful of "databases" which you can point to LDAP are supported (passwd, groups, etc see nsswitch.conf(5)) none of which might make this easier.



    Neither PADL pam_ldap nor nss-pam-ldap offer any flexible kind of LDAP attribute processing beyond filling out the basic getpwent() password structure fields.



    But, there are perhaps a couple of workarounds, though none can meet your "nothing on client side" requirement.



    1. Use pam_exec or pam_script, as these are run as child processes of login they cannot effect environment changes directly, but you could script something that made sure that the correct PATH always appeared within or at the end of .profile (depending on robustness requirements)


    2. Use /etc/profile to fetch user attributes from LDAP, then set PATH accordingly (though you may find it tricky to prevent .profile overwriting it)


    3. Modify pam_unix to allow and support misuse of the loginShell attribute prefixed with variables, like PATH=/opt/thing/bin /bin/bash (will not work with PADL, AFAICT)


    4. Modify pam_umask, the Linux PAM pam_umask already processes extra information from the gecos field like "umask=nnnn,ulimit=nnnn" so there's some precedent here.


    5. Modify pam_ldap to save LDAP attributes as PAM "data" via pam_set_data(), then use pam_get_data() in another PAM module to process them (I did this a long time ago, in my case it was to create users on-demand in an SQL user database using details from their LDAP attributes). pam_env is a good candidate here.


    6. There's a similar concept for PAM "items" (pam_set_item()/pam_get_item()) for a small set of data items (the previous PAM data concept is for arbitrary name/value data), pam_env supports a syntax of @PAM_itemname to set environment values using these - you might be able to misuse an item like PAM_XDISPLAY. pam_ldap already sets a handful of items, so this is likely the simplest code change.


    (To be clear, by "modify" I mean "change the source", so those solutions entail both configuration and binary deployments on clients.)



    Here's a (robust-ish) bash example that could be made to work with the first two options:



     while read line; do
    [[ "$line" =~ ^description: setenv ([a-zA-Z_][a-zA-Z0-9_]+)=(.*) ]] &&
    export "$BASH_REMATCH[1]"="$BASH_REMATCH[2]"

    done < <(ldapsearch -LLL -o ldif-wrap=no -H ldap://ldap0/ -b $LDAPBASE
    -s sub "(&(objectClass=posixAccount)(uid=$USER))" description


    given one or more "description" attributes per-user of the form:



    setenv MYVAR=MYVALUE


    Here we're engaging in the dubious practise of stuffing non-description data into the "description" attribute, a handy way to store up to 1024 characters in a multi-valued attribute. This is a simple approach, using ldapsearch you will likely run into trouble if/when values/types cause base64 encoding output.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Dec 14 at 10:59

























    answered Dec 13 at 17:28









    mr.spuratic

    6,7561028




    6,7561028











    • Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
      – just_a_noob
      Dec 13 at 18:07
















    • Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
      – just_a_noob
      Dec 13 at 18:07















    Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
    – just_a_noob
    Dec 13 at 18:07




    Thank you for your advice, mr.spuratic. I will try them tomorrow and report back.
    – just_a_noob
    Dec 13 at 18:07













    0














    Problem solved, althrough not the way I wanted.
    Used puppet to populate .profile files containing export PATH=$PATH:/xxxxxxxx directive.
    Combined with removal of ldap entry "shell=binbash" it enabled correct setting of PATH variable.



    Thank you for your extensive answer mr spuratic, it was a pleasure to delve into the matter.






    share|improve this answer

























      0














      Problem solved, althrough not the way I wanted.
      Used puppet to populate .profile files containing export PATH=$PATH:/xxxxxxxx directive.
      Combined with removal of ldap entry "shell=binbash" it enabled correct setting of PATH variable.



      Thank you for your extensive answer mr spuratic, it was a pleasure to delve into the matter.






      share|improve this answer























        0












        0








        0






        Problem solved, althrough not the way I wanted.
        Used puppet to populate .profile files containing export PATH=$PATH:/xxxxxxxx directive.
        Combined with removal of ldap entry "shell=binbash" it enabled correct setting of PATH variable.



        Thank you for your extensive answer mr spuratic, it was a pleasure to delve into the matter.






        share|improve this answer












        Problem solved, althrough not the way I wanted.
        Used puppet to populate .profile files containing export PATH=$PATH:/xxxxxxxx directive.
        Combined with removal of ldap entry "shell=binbash" it enabled correct setting of PATH variable.



        Thank you for your extensive answer mr spuratic, it was a pleasure to delve into the matter.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 18 at 14:44









        just_a_noob

        163




        163



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f487755%2fset-path-as-openldap-attribute%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?