The context
I'd like to restrict some AD users to a specific script, limiting what they can do on this particular machine.
So, instead of connecting them with /bin/bash (for instance), I'd like to force them to use /path/to/my/script. Those users are in a specific AD group.
Other people should be able to use the real shell.
The classic way
If those users were local users, I would just change the shell field in /etc/passwd.
The sssd way
Is there a way to provide a different shell value only for the members of that group?
If not, how would you do it?
Best Answer
One way to achieve this goal is to declare several domains, restricting the first ones to just the members of a given group.
Members of group1 use /shell/path/for/group1, members of group2 use /shell/path/for/group2, all other DOMAIN users use /bin/bash.
A downside is if a user is a member of both groups: it will always fall in the first "domain" DOMAIN_GROUP1.
EDIT: use of ldap_user_search_base instead of the deprecated ldap_user_search_filter. It should be working on newer versions of sssd.
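An sssd.conf sketch of the multi-domain approach described in the answer, written as an added illustration rather than the answerer's own configuration. The realm example.com, the group DNs, the shell paths and the domain names DOMAIN_GROUP1 / DOMAIN_GROUP2 / DOMAIN are placeholders; ldap_user_search_base uses sssd's base?scope?filter syntax and override_shell forces the shell for every user that the domain section resolves.

```ini
[sssd]
services = nss, pam
# Order matters: a user is resolved by the first domain whose
# search filter matches, so a member of both groups always lands
# in DOMAIN_GROUP1 (the caveat noted in the answer).
domains = DOMAIN_GROUP1, DOMAIN_GROUP2, DOMAIN

# Restricted users: only direct members of group1 (placeholder DN).
[domain/DOMAIN_GROUP1]
id_provider = ad
access_provider = ad
ad_domain = example.com
ldap_user_search_base = dc=example,dc=com?subtree?(memberOf=cn=group1,ou=groups,dc=example,dc=com)
# Every user resolved through this section gets the restricted shell,
# regardless of the loginShell attribute stored in AD.
override_shell = /shell/path/for/group1

# Second restricted group, same pattern with its own shell.
[domain/DOMAIN_GROUP2]
id_provider = ad
access_provider = ad
ad_domain = example.com
ldap_user_search_base = dc=example,dc=com?subtree?(memberOf=cn=group2,ou=groups,dc=example,dc=com)
override_shell = /shell/path/for/group2

# Everyone else: no search filter, normal shell.
[domain/DOMAIN]
id_provider = ad
access_provider = ad
ad_domain = example.com
override_shell = /bin/bash
```

A plain memberOf filter only matches direct membership, so nested group members fall through to the unrestricted DOMAIN section; check the effective result with `getent passwd someuser` before relying on it.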