Different login shells in LDAP

Hi folks,

we have a very heterogeneous server environment. There are also lots of AIX and Linux servers which usually have different login shells, and all servers have to be integrated into LDAP. The LDAP Meta Directory is hosted by a Novell eDirectory.
On our Linux boxes it is usually bash, on AIX ksh. We also don't want to change that so that we only use one type of shell on all servers. We want to be flexible, judging by type of host and/or by user, which login shell the user would get. There is also the possibility that users just get a /bin/false so they can't log in that easily.

So we could just go and add new attributes in LDAP to a user. These could be mapped locally to the attribute the LDAP client of the OS needs.
The downside is that our department for permissions wants to have permissions and rights, like which shell on which host etc., set by assigning users to a group. They don't want to handle each user's attributes separately.
They want it the way they already do it: just putting users into groups.

We currently have no idea how to set attributes like LoginShell, HomeDirectory etc. for the same user on different hosts and even different OSes while keeping it easy for the permissions department to just assign users to groups etc.

Also, we tried filtering the group a user is in by shell script, which was very easy, but we were in no way able to set the login shell with this method. You can add it with chsh, write it into /etc/shells or on AIX /etc/security/login.cfg, but we can't get a working shell for the user by this at all.

So if anyone would like to share his/her experience with such an LDAP environment I would be very thankful for any insight.

The IBM Redbook for AIX in a heterogeneous LDAP environment was a big help in setting up everything, but there is no hint in it for the problem described above. Also not in the IBM LDAP White Papers, incl. the troubleshooting part.

Also on Google I found no solution for this.

We found out that the shell script was simply missing a shebang (/selfslap), so when trying to interpret the shell script it didn't know which program it should use.

So sorting out groups and assigning a shell to a user locally on a host works without problems so far on AIX and Linux.

Hi Zaxxon.

I'm in the same situation here at a client. How did you do that? Can you make your script available?

I can make it available to you, but I have to warn you since we threw it aboard. On Linux boxes we got problems that some applications were not able to launch properly, and on AIX we had the same problems with Eclipse, even though on both OSes the parameters for the login shell seemed ok.
After all the experimenting with the script, we took the advice in the Redbook that you should just use /bin/sh for all users. On Linux it usually translates to bash and on AIX to ksh. Exceptions like developers that need csh etc. we wanted to keep out of LDAP, since our permission management, which controls the permissions via LDAP groups on some front end, is not in the mood to administer different shells for users.

No problem for me. Our machines that use LDAP are all Linux, and only accessed through shell (ssh).
I'll keep in touch to tell you if it worked out ok, and reveal any caveats to watch for when doing so. :wink:

Thanks again man.

We are also going the route of a single home directory and a single login shell for our AIX/HPUX/Solaris/SuSE/Redhat across i686, ia64, powerpc, sparc hardware boxes but we are using NIS instead of LDAP.

How are your user profile files ($HOME/.profile/.login/.cshrc, etc, etc) being designed so your users can start their shell of choice?

How are you planning to handle the user's private bin directories?

How are you going to handle the issue of users wanting unique home directories versus having a common home directory for all machines?

How are you handling exported shell variables defined by the LDAP login shell that do not belong to the user's defined shell?

How are you handling the shell command history file?

How are you handling programs that look in the user's HOME directory for startup files?

Do you know if the .Xauthority file can be shared across all your environments?

I started working this issue by having the initial user profile define variables for hostname, ostype, platform and osversion.

From these values the code decides which shell to run.

I also use these values to make shell variables unique to the level the user wants such as the HISTFILE and HOME variables.

I needed to create small C programs that would call the proper shell as a login shell to allow the proper shell initialization to occur. Also, the profile file needed to call these C programs using the exec builtin to replace the original shell. The C program also adds a shell variable to deal with the recursion issue, since the user's profile will be called a second time.

A function was written for adding to PATH-style variables to avoid adding the same directory twice.

Figuring out which shell variables that need to be removed from the environment is a work in progress.

I have not worked the BSD C shell issues yet but expect that I will need to use the source command to separate Bourne shell style syntax away from the BSD C shell style syntax.

Have you considered using the Korn shell for all platforms as your LDAP login shell? At least for us, either the AT&T version or the PD version exists on our servers.

What other issues do you know of that we might run into?
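The profile design sketched in the post above (host facts decide the shell, a guard variable stops the second run of the profile from looping, and a PATH-style append that skips duplicates), written out as an added example; it is not the poster's script, and the shell paths, the host-name rule and the use of "-l" to start the target as a login shell are assumptions made here (the poster used small C wrappers instead of "-l").

```shell
# Added example, not from the original thread: a .profile fragment run by the
# LDAP-assigned /bin/sh that switches to a per-host login shell.

# pathmunge VAR DIR: append DIR to the colon-separated variable VAR unless it
# is already present. Works for PATH, MANPATH, LD_LIBRARY_PATH and friends.
pathmunge() {
    _var=$1 _dir=$2
    eval "_cur=\$$_var"
    case ":$_cur:" in
        *":$_dir:"*) ;;                          # already there, do nothing
        "::")        eval "$_var=\"\$_dir\"" ;;  # variable was empty
        *)           eval "$_var=\"\$_cur:\$_dir\"" ;;
    esac
    export "$_var"
}

# choose_shell OSTYPE HOSTNAME: print the shell to run. The host rule comes
# first so a class of hosts can override the per-OS default. Paths are
# assumptions for this example.
choose_shell() {
    case "$2" in
        build*) echo /bin/csh; return ;;         # e.g. developer build hosts
    esac
    case "$1" in
        AIX)   echo /usr/bin/ksh ;;
        Linux) echo /bin/bash ;;
        *)     echo /bin/sh ;;
    esac
}

# switch_login_shell: replace the current shell with the chosen one.
# PROFILE_SWITCHED stops the recursion, because the new login shell reads the
# profile again. Falls through (no exec) if the target shell is missing, so a
# mistyped path can never lock the user out. "-l" is assumed to request
# login-shell initialisation (true for bash; check the target shell's man page).
switch_login_shell() {
    _os=$(uname -s); _host=$(uname -n)
    _target=$(choose_shell "$_os" "$_host")
    if [ -z "$PROFILE_SWITCHED" ] && [ -x "$_target" ]; then
        PROFILE_SWITCHED=1; export PROFILE_SWITCHED
        exec "$_target" -l
    fi
}
```

Call switch_login_shell as the last line of the shared .profile; everything that must run in the final shell belongs in that shell's own rc file, which the exec'd login shell reads on its own.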