Setting Runtime Variables in User Profiles

Access Manager maintains a set of predefined runtime variables that you can use in place of specific values in Active Directory user profiles and local user profiles. Using the variables simplifies the process of defining profile attributes. The Delinea Agent for *NIX resolves the runtime variables defined in a profile with appropriate values when a computer joins a domain and zone.

The predefined runtime variables you can use in profiles are:

Use this variable To specify this
%{domain} The domain to which the computer is joined.
%{home} The root home directory. By default, this directory is /home on most Linux and UNIX computers. For Mac OS X computers, the default home directory is /Users. On Solaris computers, the default home directory is /export/home.
%{host} The host name of the joined computer.
%{shell} The default login shell for the user. By default, the shell is /bin/bash on most Linux and UNIX computers. On Solaris and HP computers, the default shell is /bin/sh. On AIX computers, the default shell is /usr/bin/ksh.
%{site} The Active Directory site of the joined computer.
%{user} The user’s UNIX login name. Note: This variable is supported only for Active Directory users. It is not supported for local users.
%{zone} The zone to which the computer is joined.

You can use these predefined runtime variables or custom variables at any point in the zone hierarchy, including a parent zone, a child zone, or on individual computers. At runtime, the adclient process resolves the variables based on how the following configuration parameters are set and where the variables are defined in the zone hierarchy:

  • nss.runtime.defaultvalue.var.variableName

    These parameters, one for each predefined variable, define the default value for that variable as shown in the table. These values are used if the variable is not explicitly defined in the zone or by the nss.runtime.var.variableName parameter in the configuration file. For example:

    nss.runtime.defaultvalue.var.home: /home

    nss.runtime.defaultvalue.var.shell: /bin/bash

  • nss.runtime.var.variableName

    These parameters let you set a specific value for any of the predefined variables in the configuration file. A value in the configuration file is a computer-specific override: it applies only to the computer on which it is defined and takes precedence over every other setting for that variable, including the default value and any value set on a zone Properties page. For example:

    nss.runtime.var.home: /Users

    nss.runtime.var.shell: /bin/sh

To override the default definition of any predefined variable in a zone, add a variable with the same name to the zone by using the zone Properties page or by using ADEdit. Zone variables and their definitions are inherited down the zone hierarchy, so a variable can have one definition at the top of the tree and a different definition lower down. The value that applies to a computer depends on the zone in which that computer joined the domain.

To define values for predefined variables in a parent or child zone:

  1. Open Access Manager.

  2. Expand Zones and any parent or child zones required to select the zone name in which you want to override a profile attribute.

    For example, if you want to override the default login shell in the child zone that only AIX computers join, you might expand Child Zones to view and select the IBM AIX Only zone.

  3. Select the zone, right-click, then click Properties.

  4. Click the Variables tab, then click Add.

  5. Type the name of the predefined variable and the custom value you want to use, then click OK to save the variable definition.

    For example, type shell and set the value to /usr/bin/ksh to modify the default shell definition.

  6. Click OK to close the zone properties.

Using Active Directory Attributes as Variables

You can also use any Active Directory user attributes as variables by specifying the attribute name in the following format:

%{u:attributeName}

For example, if you want to populate the GECOS field of a user’s zone profile with the information from the user’s department attribute, you could specify the variable as follows:

%{u:department}

By default, the adclient process can retrieve and resolve only a subset of common user object attributes. The default set of attributes you can use in a user profile is:

  • mail

  • department

  • description

  • mobile

  • title

  • telephoneNumber

The most common format for the GECOS field in a user profile contains the user's full name, building number, and office phone number separated by commas. Depending on the operating system and desktop manager you are using, the information from the GECOS field might also be used to display the user name when logging on. If you specify an attribute for the GECOS field that includes a comma, you might see the first part of the attribute treated as the user's full name and displayed in the login screen. For example, if you are using the department attribute in the GECOS field and the attribute is defined as “Cendura, San Francisco, Engineering, 25th floor, office 202”, you might see Cendura listed as a user on the login screen.

Using Other Attributes in a Profile

The default user attributes are recognized by adclient without any modification to the managed computer or to Active Directory. To use any other attribute, whether a standard schema attribute such as company or homePhone or a custom attribute that you have added to the Active Directory schema such as supervisorId, you must add the attribute to the adclient.custom.attributes.user parameter in the centrifydc.conf file, then restart adclient and flush the cache.

For example, you might add the following attributes to the centrifydc.conf file:

adclient.custom.attributes.user: company supervisorId

After modifying the file, you would run the following commands to restart the agent and clear the cache:

/usr/share/centrifydc/bin/centrifydc restart

adflush -f

For more information about defining custom attributes, see the Configuration and Tuning Reference Guide.

Attributes for Users in a Forest with a One-Way Trust

Keep in mind when using attribute variables that if you add users to a zone from a one-way trusted forest, the Delinea Agent can retrieve values only for the userPrincipalName and samAccountName attributes. At runtime, when the adclient process resolves variable definitions, any field that references another attribute is blank for a user from a one-way trusted forest.

Adding custom variables to a zone

You can also create your own variables at any point in the zone hierarchy, including a parent zone, a child zone, or on individual computers. You can add custom variable names and values in exactly the same way you define new values for the predefined runtime variables, except that you type a custom variable name and value.
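The rules in the sections above (the override order nss.runtime.var > zone variable > nss.runtime.defaultvalue.var, inheritance of predefined and custom zone variables from parent to child, %{u:attributeName} lookups limited to the attribute set adclient can retrieve, the one-way-trust restriction, and the GECOS comma caveat) are easier to check against a small model of them. The following Python script is an added example written for this page; it is not Delinea agent code and does not read a real centrifydc.conf or query Active Directory. The configuration fragment, the parent and child zone definitions, the join-time context and the user attributes are all constructed inline. Two points are this example's assumptions rather than statements from the page: a field that references an attribute adclient has not been configured to retrieve is left blank (the page states this only for one-way trusts), and samAccountName and userPrincipalName are treated as always retrievable.

```python
import re

# Attributes adclient resolves without configuration, and the only two it can
# retrieve for a user from a one-way trusted forest (both from the text above).
DEFAULT_USER_ATTRS = frozenset(
    {"mail", "department", "description", "mobile", "title", "telephoneNumber"})
ONE_WAY_TRUST_ATTRS = frozenset({"userPrincipalName", "samAccountName"})

# %{name} is a predefined or custom variable, %{u:name} an AD user attribute.
VAR_RE = re.compile(r"%\{(u:)?([A-Za-z][A-Za-z0-9_-]*)\}")


def parse_conf(text):
    """Parse 'key: value' lines of a centrifydc.conf-style fragment into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def zone_variables(zone_chain):
    """Merge zone variables from parent to child; a child definition wins."""
    merged = {}
    for zone in zone_chain:
        merged.update(zone)
    return merged


def resolve_variable(name, conf, zone_vars, context):
    """nss.runtime.var.NAME (this computer only) > zone > nss.runtime.defaultvalue.var.NAME."""
    if f"nss.runtime.var.{name}" in conf:
        return conf[f"nss.runtime.var.{name}"]
    if name in zone_vars:
        return zone_vars[name]
    if f"nss.runtime.defaultvalue.var.{name}" in conf:
        return conf[f"nss.runtime.defaultvalue.var.{name}"]
    return context.get(name)  # join-time facts: user, host, domain, site, zone


def retrievable_attributes(conf, one_way_trust=False):
    """One-way trust: only the two trust attributes. Otherwise the default set plus
    adclient.custom.attributes.user, plus the two trust attributes (assumed always
    readable, since the agent needs them to identify the user)."""
    if one_way_trust:
        return set(ONE_WAY_TRUST_ATTRS)
    custom = conf.get("adclient.custom.attributes.user", "").split()
    return set(DEFAULT_USER_ATTRS) | set(ONE_WAY_TRUST_ATTRS) | set(custom)


def expand(template, conf, zone_vars, context, user_attrs, one_way_trust=False):
    """Expand one profile field. A field that references an attribute adclient
    cannot retrieve is returned blank (assumption: the page states this for
    one-way trusts; this example applies it to unconfigured attributes too)."""
    allowed = retrievable_attributes(conf, one_way_trust)
    if any(is_attr and name not in allowed for is_attr, name in VAR_RE.findall(template)):
        return ""

    def substitute(match):
        is_attr, name = match.group(1), match.group(2)
        if is_attr:
            return user_attrs.get(name, "")
        value = resolve_variable(name, conf, zone_vars, context)
        return "" if value is None else value

    return VAR_RE.sub(substitute, template)


def gecos_display_name(gecos):
    """What a login screen that shows the first comma-separated GECOS field displays."""
    return gecos.split(",", 1)[0].strip()


# Constructed sample data: a conf fragment, a parent and a child zone, the facts
# known at join time, and one AD user. None of it comes from a real system.
CONF = parse_conf("""
nss.runtime.defaultvalue.var.home: /home
nss.runtime.defaultvalue.var.shell: /bin/bash
nss.runtime.var.home: /Users
adclient.custom.attributes.user: company supervisorId
""")
PARENT_ZONE = {"shell": "/bin/sh", "nfsroot": "/export"}  # nfsroot: a custom variable
CHILD_ZONE = {"shell": "/usr/bin/ksh"}                     # e.g. an AIX-only child zone
CONTEXT = {"user": "jdoe", "host": "aix01", "domain": "corp.example", "zone": "aix"}
USER = {"samAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example",
        "department": "Cendura, San Francisco, Engineering, 25th floor, office 202",
        "company": "Cendura", "homePhone": "555-0100"}


def demo(one_way_trust=False):
    """Resolve a handful of profile fields for the constructed user."""
    zv = zone_variables([PARENT_ZONE, CHILD_ZONE])
    fields = {"home": "%{home}/%{user}", "shell": "%{shell}", "nfs": "%{nfsroot}/%{user}",
              "gecos": "%{u:department}", "company": "%{u:company}",
              "homephone": "%{u:homePhone}", "sam": "%{u:samAccountName}"}
    return {k: expand(t, CONF, zv, CONTEXT, USER, one_way_trust) for k, t in fields.items()}


if __name__ == "__main__":
    for trust in (False, True):
        print("one-way trust:" if trust else "same forest:")
        for field, value in demo(trust).items():
            print(f"  {field:>9}: {value!r}")
    print("login screen shows:", gecos_display_name(demo()["gecos"]))
```

Running the script with python3 prints each resolved field for a same-forest user and again for a one-way-trust user. Note which tier wins in the output: %{home} becomes /Users because nss.runtime.var.home is set in the constructed conf fragment, even though the zone default is /home, and %{shell} becomes /usr/bin/ksh from the child zone rather than /bin/sh from the parent. Because the nss.runtime.var tier lives in centrifydc.conf on the joined computer, whoever can edit that file on a host can redirect %{home} or %{shell} for every Active Directory user who logs on there, regardless of what the zone defines; treat the file as part of the host's privileged configuration.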