On Monday 23 February 2004 06:51 pm, Kirk Strauser wrote:
> Sorry for the strange subject, but I wasn't sure how to make this question
> pithy.
>
> I have several hosts that authenticate off the same OpenLDAP server using
> nss-ldap and pam-ldap. The problem is that not every shell that users may
> want is installed on every single host. Some of the hosts aren't
> Linux-based, and have the shells in various directories other than /bin.
>
> Short of installing every shell on every host and coming up with a
> canonical list of paths (which is a highly unpleasant prospect when looking
> at networks with lots of machines from different vendors), is there a way
> to get nss_ldap to "rewrite" the 'loginShell' attribute returned by the
> LDAP server to something reasonable on the local server?
>
> For example, if the user's configured shell is /bin/bash, and bash lives in
> /usr/local/bin/bash on the local system, then I'd like a re-writing rule
> similar to:
>
>     map loginShells: /bin/bash => /usr/local/bin/bash
>
> Likewise, if the user wants /bin/zsh, but it isn't installed, then I'd like
> to substitute bash with a rule like:
>
>     map loginShells: /bin/zsh => /bin/bash
>
> Even better would be an "alternatives-like" list that could be shared
> across machines, like:
>
>     when loginShells == /bin/bash try:
>         /bin/bash
>         /usr/local/bin/bash
>         /bin/sh
>
>     when loginShells == /bin/zsh try:
>         /bin/zsh
>         /usr/local/bin/zsh
>         /usr/ksh
>         /usr/local/bin/ksh
>         /bin/sh
>
> so that, given a particular value of 'loginShells', the first available
> entry is executed. I'm reasonably sure that this ideal solution doesn't
> exist, but I've been pleasantly surprised before.
>
> How have people in this situation managed this problem?
Check out this link: www.cit.gu.edu.au/~anthony/info/apps/LDAP_unix.notes

John
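The "alternatives-like" list sketched in the question above, implemented as an added example (not code from nss_ldap, pam_ldap or anyone in the thread). The alternatives table, the function names and the simulated host are assumptions; the resolved path is also checked against /etc/shells so an unexpected loginShell value from the directory cannot select an arbitrary local binary.

```python
"""Map an LDAP loginShell to the first matching shell present on this host."""
import os
from typing import Callable, Dict, List, Optional

# Constructed alternatives table in the shape the question proposes:
# for a given LDAP loginShell value, try these local paths in order.
SHELL_ALTERNATIVES: Dict[str, List[str]] = {
    "/bin/bash": ["/bin/bash", "/usr/local/bin/bash", "/bin/sh"],
    "/bin/zsh": ["/bin/zsh", "/usr/local/bin/zsh", "/usr/ksh",
                 "/usr/local/bin/ksh", "/bin/sh"],
}

# Last resort when nothing in the table is installed locally.
FALLBACK_SHELL = "/bin/sh"


def load_etc_shells(path: str = "/etc/shells") -> List[str]:
    """Return the shells permitted on this host (empty list if unreadable)."""
    try:
        with open(path) as fh:
            return [ln.strip() for ln in fh
                    if ln.strip() and not ln.startswith("#")]
    except OSError:
        return []


def resolve_login_shell(
    ldap_shell: str,
    alternatives: Dict[str, List[str]] = SHELL_ALTERNATIVES,
    allowed: Optional[List[str]] = None,
    exists: Callable[[str], bool] = os.path.isfile,
) -> str:
    """Pick the first candidate for ldap_shell that exists on this host.

    A candidate must be an absolute path and, when `allowed` is given
    (for example the contents of /etc/shells), must appear in that list.
    `exists` is injectable so the lookup can be simulated for another host.
    """
    candidates = alternatives.get(ldap_shell, [ldap_shell]) + [FALLBACK_SHELL]
    for path in candidates:
        if not path.startswith("/"):
            continue                      # reject relative or empty values
        if allowed is not None and path not in allowed:
            continue                      # not a permitted login shell here
        if exists(path):
            return path
    return FALLBACK_SHELL                 # nothing found; hand back the default


if __name__ == "__main__":
    print(resolve_login_shell("/bin/bash", allowed=load_etc_shells()))
```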

