Linux authentication with LDAP - select user's shell based on group membership
Hello, I'm supposed to set up LDAP authentication on over 200 Linux servers, and I'd like to select the shell assigned to the user based on their group membership. For example, someone in the "Help Desk" group should get the /usr/local/bin/menu shell, while someone in the "Shop Systems" group should get the normal /bin/bash shell, and someone not in either group would have no login.
I could probably write a custom shell to do this, but I was wondering if there were any way to specify this using winbind? Thanks!
I'm not aware of any schema extensions that tie login shells to netgroups; I'd write a Perl script and set the shell for the individuals based on their group memberships. May have interesting results if someone is part of several groups - you'd have to make sure you process the groups in whatever order you see fit. Cheers, Tink
I've used the opposite approach to Tinkster on some servers: use Bash as the shell for all users, and modify /etc/bashrc to exec another shell if the user belongs to a specific group.
Because the exec'd program will replace the shell, there will be no extra processes lying around. It is a very clean and reliable solution. You can even allow SCP/SFTP connections at the same time, if you only do the exec for interactive/login shells. (Bash will only set PS1 if it is interactive. It will not be set if the user is using e.g. SCP or SFTP.)

You will need to edit /etc/shells, removing (or at least commenting out) all other shells. Otherwise users can just use the chsh command to change to some other shell. (Or, you can make sure your users cannot change the shell attribute in your centralized user database. It all depends on how you're set up.)

Since the common shell commands provide the groups the user belongs to as a string with spaces as separators, having spaces in the group names does cause problems. If you have groups named "Help Desk", "General Help", and "Desk Fixers", you cannot reliably check for "Help Desk" in the space-separated list using the normal tools. For example, the list may contain "General Help Desk Fixers" but no "Help Desk"; this is not easy to resolve correctly. To avoid all that mess, I wrote a little helper in C you could use:
Code:
#include <stdio.h>
Code:
gcc -Wall -O3 -o memberof memberof.c
Code:
/usr/local/bin/memberof "Help Desk" && exec /usr/local/bin/menu

If you do not want to use my program, you can rely on id (utility, /usr/bin/id), but do recall the issues with group names containing spaces. Based on the group name:
Code:
groups=" $(id -Gn) "
Code:
groups=" $(id -G) "

Note that if a user is a member of multiple such groups, the shell they get depends on the order of the checks you implement: first match wins. Personally, I'd start with the least privileged, so that accidentally adding group memberships will not bump a user to a different shell. (You need to remove the "lower" membership too, to bump up the user.)

Finally, /etc/shells and /etc/bashrc or /etc/bash.bashrc are of course local to each server you use. This allows you to specify different behaviours on different servers. Obviously you also need to keep the configuration in sync, if you want to have the same behaviour on different servers. Those files are fortunately "constant", same across all servers using the same distribution.

I hope you find this useful,
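The following is an added example, not code from Nominal's post or the memberof helper above, showing the /etc/bashrc approach with exact group matching done on numeric GIDs: the group name is resolved once through getent (so LDAP, winbind and /etc/group are all consulted) and the GID is compared against the list printed by `id -G`, which sidesteps the "Help Desk" vs "General Help Desk Fixers" substring problem entirely. The group names and shell paths are the ones from the question; the function names, the /sbin/nologin fallback and the UID 0 guard are my own assumptions.

```bash
#!/bin/bash
# Added example for the thread above, not the poster's code.
# Exact group-membership test on numeric GIDs and shell dispatch
# suitable for the end of /etc/bashrc (or /etc/bash.bashrc).

# Return 0 if numeric GID $1 occurs in the whitespace-separated list $2
# (the format printed by `id -G`). Whole-token comparison, so GID 50
# does not match 5001 and names with spaces never enter the picture.
gid_in_list() {
    local wanted=$1 g
    for g in $2; do
        [ "$g" = "$wanted" ] && return 0
    done
    return 1
}

# Resolve a group name (spaces allowed, it is a single argv word) to its
# GID through NSS. Prints the GID; returns 1 if the group does not exist.
group_gid() {
    local entry
    entry=$(getent group "$1") || return 1
    printf '%s\n' "$entry" | cut -d: -f3
}

# Choose a shell. $1 is the user's GID list (from `id -G`); the remaining
# arguments are "GID=/path/to/shell" pairs in the order to check, least
# privileged first, so that first match wins and an accidental extra
# membership cannot promote a user. Prints the shell; status 1 if no match.
pick_shell() {
    local gids=$1 pair
    shift
    for pair in "$@"; do
        if gid_in_list "${pair%%=*}" "$gids"; then
            printf '%s\n' "${pair#*=}"
            return 0
        fi
    done
    return 1
}

# Call this from /etc/bashrc. Only interactive shells have PS1 set, so
# scp/sftp sessions pass through untouched. UID 0 is skipped so a broken
# LDAP/winbind lookup cannot lock root out (assumption: root is local).
# Users in neither group are handed to nologin (assumed path /sbin/nologin).
dispatch_login_shell() {
    [ -n "$PS1" ] || return 0
    [ "$(id -u)" -eq 0 ] && return 0
    local helpdesk shop target
    helpdesk=$(group_gid "Help Desk") || helpdesk=-1   # -1 never matches
    shop=$(group_gid "Shop Systems") || shop=-1
    target=$(pick_shell "$(id -G)" \
        "$helpdesk=/usr/local/bin/menu" \
        "$shop=/bin/bash") || target=/sbin/nologin
    [ "$target" = /bin/bash ] && return 0   # already in the right shell
    exec "$target"
}
```

In /etc/bashrc the last line would simply be `dispatch_login_shell`; the exec replaces bash, so nothing else in the file runs for menu or nologin users. As the post notes, this only holds if /etc/shells lists nothing but bash (or the directory refuses loginShell changes), otherwise chsh defeats it.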
Thanks Nominal! I will try out your program. That might do the trick.
/me nods... Yes, it seems to me that a little "trampoline" program ought to do the trick. This program would be launched, perhaps as a profile script at login. It would look for another shell program, and, if it finds one, switches to it. Perhaps, if it does not, the trampoline can drop into some kind of a default. As long as it is both trouble-free and seamless, you ought to be in good shape.