How to automatically run scripts upon user login without administrative intervention.
Please refer to the pam_vas section when running `man pam_vas`:
post-auth-script = <file>
Default value: none
The path to a script which will be executed after pam_vas successfully authenticates a user during the pam_authenticate() call or during the pam_open_session() call. By default, if this option is set, then this script is run during pam_authenticate() unless the no_postauth_script option is set in the service specific PAM authenticate configuration for pam_vas. The script will be run during pam_open_session() if the run_postauth_script option is set in the service specific PAM session configuration for pam_vas. When executed, the script is passed the following 2 arguments:
<UNIX-name> <krb5-name>
Where UNIX-name is the user's Unix login name, and krb5-name is the user's Kerberos principal name. The user's password will be written to stdin of the script. If the password is not available then an empty string will be written. The exit code of the script or program specified is not checked and will not impact the result of the pam_authenticate() or pam_open_session() calls. The following example shows how to configure a custom post-authentication script.
For example:
The following link shows how to set up Solaris RBAC manually: http://rc.vintela.com/topics/howto/rbac/
The goal is to automate this so that, upon or before each user's first logon to the Solaris environment, a line is added to the /etc/user_attr file on each Solaris machine, placing the user in an appropriate Solaris 10 profile for Maintainers.
Steps:
1. Run the following command (one line below):
# vastool configure vas pam_vas post-auth-script /opt/quest/libexec/vas/scripts/profile.sh
The above command will create an entry with 2 lines in /etc/opt/quest/vas/vas.conf as shown below:
[pam_vas]
post-auth-script = /opt/quest/libexec/vas/scripts/profile.sh
2. Now, create the /opt/quest/libexec/vas/scripts/profile.sh file with the following contents:
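#!/bin/sh
# Run by pam_vas after authentication; $1 is the UNIX login name.
USERNAME=$1
# Exit if no user name was passed.
if [ -z "$USERNAME" ] ; then
    exit
fi
# Check whether /etc/user_attr already has an entry for this user (the first field is the user name).
grep -i "^${USERNAME}:" /etc/user_attr >/dev/null
if [ $? -ne 0 ] ; then
    # Quote the entry so the shell does not treat ';' as a command separator.
    echo "${USERNAME}::::type=normal;profiles=Maintainer Profile" >> /etc/user_attr
fi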
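
The following is an added example, not part of the original article and not One Identity's code: a more defensive variant of profile.sh that validates the login name before writing to /etc/user_attr, matches the user name field exactly, and discards the password that pam_vas writes to stdin. It assumes a POSIX sh; the USER_ATTR variable and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: defensive variant of profile.sh (not One Identity's code).
# Assumption: USER_ATTR is a hypothetical override for trying this on a scratch file.
USER_ATTR=${USER_ATTR:-/etc/user_attr}

# Accept only conservative login names. The script runs as root, and a ':',
# ';' or newline in $1 would add unintended fields or lines to user_attr.
valid_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Exact match on the first colon-separated field, so "bob" is not treated
# as present just because "bobby" has an entry.
has_entry() {
    while IFS=: read -r name rest || [ -n "$name" ]; do
        [ "$name" = "$1" ] && return 0
    done < "$USER_ATTR"
    return 1
}

# Append the Maintainer entry once. Returns 2 when the name is rejected.
ensure_profile() {
    valid_name "$1" || return 2
    has_entry "$1" && return 0
    printf '%s::::type=normal;profiles=Maintainer Profile\n' "$1" >> "$USER_ATTR"
}

# pam_vas passes <UNIX-name> <krb5-name> and writes the password to stdin.
# Drain stdin without storing or logging it, then update user_attr.
if [ -n "${1:-}" ]; then
    cat > /dev/null
    ensure_profile "$1"
fi
```

Because pam_vas does not check the script's exit code, a rejected name does not block the login; it only leaves /etc/user_attr unchanged.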