Hi folks,
we have a very heterogenous server environment. There are also lots of AIX and Linux servers which usually have different login shells and all servers have to be integrated into LDAP. The LDAP Meta Directory is hosted by a Novell eDirectory.
On our Linux boxes it is usually bash, on AIX ksh. We also don't want to change it in that way, so that we only use one type of shell on all servers. We want to be flexible, judging by type of host and/or by user, which login shell the user would get. There is also the possibility that users just get a /bin/false so they don't have a login that easy.
So we could just go add new attributes in LDAP to a user. This could be mapped locally to the attribute the LDAP client of the OS needs.
Downside is, that our department for permissions wants to have permissions and rights, like which shell on which host etc. set by assigning users to a group. They don't want to handle each user's attributes seprately.
They want it the way they just put users into groups like they do it already.
We currently have no idea how to set attributes like LoginShell, HomeDirectory etc. for the same user on different hosts and even different OS'es while keeping it easy for the permissions department to assing users just to groups etc.
Also we tried filtering the group a user is in by shell script which was very easy but by no way being able to set the Login Shell with this method. You can add it witch chsh, write it into /etc/shells or on AIX /etc/security/login.cfg but we can't get a working shell for the user by this at all.
So if anyone would like to share his/her experience with such an LDAP environment I would be very thankful for any insight.
The IBM Redbook for AIX in a heterogenous LDAP enviroment was a big help in setting up everything, but no hint in it for the problem described above. Also not in the IBM LDAP White Papers incl. the troubleshooting part.
Also on Google I found no solution for this.