How to Override LDAP-configured Login Shell for Specific Machines

When managing user authentication through LDAP, the login shell is typically defined in the loginShell attribute of user entries. However, there are legitimate scenarios where you might need to override this setting for specific machines while maintaining centralized user management through LDAP.

The most straightforward approach is to create local user entries that shadow the LDAP users:

# /etc/passwd entry example
ldapuser:x:1001:1001::/home/ldapuser:/bin/zsh

For a more elegant solution, modify the PAM stack to override the shell:

# /etc/pam.d/system-auth addition
session    required     pam_exec.so /etc/override_shell.sh

Create the override script:

#!/bin/bash
# /etc/override_shell.sh
if [ "$PAM_USER" = "specificuser" ] && [ "$(hostname)" = "specialmachine" ]; then
    export SHELL=/bin/zsh
fi

If using SSSD for LDAP integration, leverage its override capabilities:

# /etc/sssd/sssd.conf on specialmachine1 and specialmachine2 only
# (the file is local to each host, so no host list key is needed;
# override_shell is the documented key and is valid in a domain section)
[domain/yourdomain]
override_shell = /bin/zsh

For SSH logins specifically, use ForceCommand in sshd_config:

Match User ldapuser Host specialmachine
    ForceCommand /bin/zsh -c "$SSH_ORIGINAL_COMMAND"

  • Document all overrides clearly in your configuration management system
  • Test shell changes thoroughly to avoid login loops
  • Consider maintaining a whitelist of allowed alternative shells
  • Audit shell usage regularly to maintain security

When debugging shell overrides:

# Check effective shell
getent passwd username
# Verify PAM stack execution
journalctl -f -u sshd
# Test SSSD cache
sssctl user-checks username

When managing user authentication through LDAP, the loginShell attribute typically governs which shell users receive upon login. However, infrastructure requirements often demand exceptions where certain machines need to enforce different shells regardless of the LDAP configuration. This creates a need for conditional shell assignment.

Two robust approaches exist for overriding the LDAP-specified shell:

1. PAM Stack Modification

Edit /etc/pam.d/system-auth or equivalent PAM configuration to insert logic before the LDAP module:

# Example for RHEL/CentOS
auth        required      pam_shells.so
auth        sufficient    pam_exec.so quiet /usr/local/bin/custom_shell_selector.sh
auth        sufficient    pam_ldap.so

The custom_shell_selector.sh script might contain:

#!/bin/bash
# Override shell for specific hosts
case $(hostname -s) in
    specialhost1|specialhost2)
        echo "/bin/zsh"
        exit 0
        ;;
    *)
        exit 1
        ;;
esac

2. SSSD Conditional Overrides

For systems using SSSD, configure conditional overrides in /etc/sssd/sssd.conf:

[domain/yourdomain]
# sssd.conf is read only by the host it lives on, so put these keys in the
# sssd.conf of specialhost1 and specialhost2 only; override_shell forces the
# shell and shell_fallback is used when the LDAP value is not usable
override_shell = /bin/zsh
shell_fallback = /bin/bash

For SSH logins specifically, add to /etc/ssh/sshd_config:

Match Host specialhost1,specialhost2
    ForceCommand /bin/zsh

After implementation, verify with:

getent passwd username | cut -d: -f7
ssh -v username@specialhost

Remember that some applications (like cron) may behave differently with non-standard shells. Test:

  • Interactive vs non-interactive sessions
  • sudo operations
  • Remote command execution
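As an added example that is not part of either answer above, the following script ties together the SSSD override, the allowed-shell whitelist and the getent check: override_shell and shell_fallback are the documented sssd.conf keys, and no per-host key is needed because each host reads only its own sssd.conf. The host list, shell list, domain name and passwd line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from either answer above. Decides on the local host
# whether the SSSD shell override applies, checks the requested shell
# against a whitelist, emits the sssd.conf keys, and reads back the
# effective shell from a getent passwd line. All inputs are constructed.

OVERRIDE_HOSTS="specialhost1 specialhost2"   # constructed short hostnames
ALLOWED_SHELLS="/bin/bash
/bin/zsh"                                    # same format as /etc/shells

# host_needs_override HOST -> 0 if HOST is listed in OVERRIDE_HOSTS
host_needs_override() {
    for h in $OVERRIDE_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# shell_allowed SHELL -> 0 only on an exact whole-line match of the whitelist
shell_allowed() {
    printf '%s\n' "$ALLOWED_SHELLS" | grep -qxF -- "$1"
}

# sssd_fragment DOMAIN SHELL -> the documented sssd.conf keys; no per-host
# key exists because sssd.conf is read only by the host it lives on
sssd_fragment() {
    printf '[domain/%s]\noverride_shell = %s\nshell_fallback = /bin/bash\n' "$1" "$2"
}

# effective_shell PASSWD_LINE -> field 7 of a "getent passwd user" line
effective_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# apply_override HOST DOMAIN SHELL -> fragment, or "none" when HOST is not
# special; returns 2 (and prints nothing on stdout) for a vetoed shell
apply_override() {
    host_needs_override "$1" || { echo none; return 0; }
    shell_allowed "$3" || { echo "refused: $3 is not an allowed shell" >&2; return 2; }
    sssd_fragment "$2" "$3"
}

# Stand-alone run against this machine's short hostname and a constructed
# getent line for an LDAP user.
HOST=$(hostname 2>/dev/null || echo unknown-host)
SAMPLE="ldapuser:*:1001:1001:LDAP User:/home/ldapuser:/bin/zsh"
apply_override "${HOST%%.*}" example.com /bin/zsh
echo "effective shell: $(effective_shell "$SAMPLE")"
```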