Using LDAP login to Gateway bash profile gets reset on every login

Article ID: 267181

Products

CA API Gateway

Issue/Introduction

I have enabled LDAP login to the Gateway appliance. I then updated the .bash_profile for the LDAP user with which I log in to the Debian server, but every time I log in the .bash_profile gets reverted to the original file.

How can that behavior be prevented?

Environment

Release: 11.0

Cause

The logic in bashProfileFileReplace.sh overwrites the .bash_profile on every login.

Resolution

1. Go to the /opt/SecureSpan/Platform/bin/ folder.
   - Save a copy of the original configuser_profile_menu.sh, then edit the file.
   - Comment out the line where GETROOT appears (line #24) and add a new line, GETROOT=bash. This redirects the logged-in user without passing through the SSG Gateway menu. The user will have restricted access and can run certain commands only.

     #GETROOT="su -"
     GETROOT=bash

2. Rename this configuser_profile_menu.sh file as needed (for example, ldap_profile_menu.sh) and copy the file to your working directory (for example, /etc/openldap/).

3. Go to the /etc/skel_ssg/ folder and list its contents:

   ls -la

   Rename the .bash_profile file (for example, to .bash_profileOrig) and make a copy of that file named .bash_profile.

4. Edit the .bash_profile and replace the following line:

   source /opt/SecureSpan/Platform/bin/configuser_profile_menu.sh

   with:

   source /etc/openldap/ldap_profile_menu.sh

   Save and exit the file.

5. Go to the /opt/SecureSpan/Platform/bin folder, edit the bashProfileFileReplace.sh file, and comment out the following lines at the end of the file:

     checkIfFileExist
     checkIfUserInGroup
     compareChecksum
     replaceBashProfileFile

   They should look like this:

     # checkIfFileExist
     # checkIfUserInGroup
     # compareChecksum
     # replaceBashProfileFile

   Save and exit. With these calls commented out, the script no longer compares or replaces the .bash_profile at login.

6. Test by logging in:
   a) Check the current size of the .bash_profile in the /home/user01 folder.
   b) Log in again and check whether the .bash_profile size has changed. It should not have changed, which confirms that the correct version of the file is kept (not overwritten).
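
The check in step 6, as an added example that is not part of the original article or the Gateway product. It goes beyond the size comparison by also recording a SHA-256 digest, since an overwritten file can have the same size, and it prints which script the profile sources so the step 4 edit can be confirmed. The function names and the baseline file location are assumptions, and sha256sum must be available on the appliance.

```shell
#!/bin/sh
# Added example: verify that .bash_profile survives a login (step 6).
# Function names and the baseline path are hypothetical, not Gateway tooling.
# Usage:  sh profile_check.sh save  /home/user01/.bash_profile /tmp/profile.base
#         (log out, log in again)
#         sh profile_check.sh check /home/user01/.bash_profile /tmp/profile.base

# Print "<size-in-bytes> <sha256>" for a file; return 2 if it is missing.
profile_fingerprint() {
    [ -f "$1" ] || return 2
    size=$(wc -c < "$1" | tr -d ' ')
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    printf '%s %s\n' "$size" "$sum"
}

# Step 6a: record the fingerprint before the next login.
save_baseline() {
    profile_fingerprint "$1" > "$2"
}

# Step 6b: 0 = unchanged, 1 = content or size changed, 2 = profile missing.
check_unchanged() {
    now=$(profile_fingerprint "$1") || return 2
    [ "$now" = "$(cat "$2")" ]
}

# Print every script path the profile sources ("source X" or ". X"),
# to confirm it still points at the copy made in step 2.
sourced_menu() {
    awk '$1 == "source" || $1 == "." { print $2 }' "$1"
}

case "${1:-}" in
    save)
        save_baseline "$2" "$3" && echo "baseline saved to $3" ;;
    check)
        if check_unchanged "$2" "$3"; then
            echo "unchanged; sources: $(sourced_menu "$2")"
        else
            echo "CHANGED or missing: $2"
        fi ;;
esac
```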

Notes:

- user01 was created previously on the LDAP or AD server, so it is an existing domain user.

- Use the following instructions, depending on whether you will use AD or LDAP:

Configure authentication method ssh to gateway with ldap users support

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/learning-center/configure-the-gateway-for-kerberos-token-based-authentication/generate-a-kerberos-keytab-file.html