Setting runtime variables in user profiles

Access Manager maintains a set of predefined runtime variables that you can use in place of specific values in Active Directory user profiles and local user profiles. Using the variables simplifies the process of defining profile attributes. The Centrify UNIX agent resolves the runtime variables defined in a profile with appropriate values when a computer joins a domain and zone.

The predefined runtime variables you can use in profiles are:

Use this variable To specify this

%{domain}

The domain to which the computer is joined.

%{home}

The root home directory. By default, this directory is /home on most Linux and UNIX computers. For Mac OS X computers, the default home directory is /Users. On Solaris computers, the default home directory is /export/home).

%{host}

The host name of the joined computer.

%{shell}

The default login shell for the user. By default, the shell is /bin/bash on most Linux and UNIX computers. On Solaris and HP computers, the default shell is /bin/sh. On AIX computers, the default shell is /usr/bin/ksh.

%{site}

The Active Directory site of the joined computer.

%{user}

The user’s UNIX login name. Note: This variable is supported only for Active Directory users. It is not supported for local users.

%{zone}

The zone to which the computer is joined.

You can use these predefined runtime variables or custom variables at any point in the zone hierarchy, including a parent zone, a child zone, or on individual computers. At runtime, the adclient process resolves the variables based on how the following configuration parameters are set and where the variables are defined in the zone hierarchy:

  • nss.runtime.defaultvalue.var.variableName

    These parameters — one for each predefined variable — defines the default value for each parameter as shown in the table. These are the values are used if the variable is not explicitly defined in the zone or by the nss.runtime.var.variableName parameter in the configuration file. For example:

    nss.runtime.defaultvalue.var.home: /home
    nss.runtime.defaultvalue.var.shell: /bin/bash
  • nss.runtime.var.variableName

    These parameters allow you to specify a specific value for any of the predefined variables in the configuration file. The value in the configuration file is essentially a computer‑specific override because it applies only to the computer on which it is defined and overrides any other setting for the variable, including the default value, or a specific value in a zone Properties page. For example:

    nss.runtime.var.home: /Users
    nss.runtime.var.shell: /bin/sh

To override the default definition for any predefined variable in a zone, you can simply add a variable with the same name to the zone by using the zone Properties page or by using ADEdit. Zone variables and zone variable definitions are inherited down the profile tree, which means that a variable could have one definition at the top of the tree and a different definition at the bottom. The value that is applied depends at which level of the zone hierarchy a computer joins the domain.

To define values for predefined variables in a parent or child zone:

  1. Open Access Manager.
  2. Expand Zones and any parent or child zones required to select the zone name in which you want to override a profile attribute.

    For example, if you want to override the default login shell in the child zone that only AIX computers join, you might expand Child Zones to view and select the IBM AIX Only zone.

  3. Select the zone, right-click, then click Properties.
  4. Click the Variables tab, then click Add.
  5. Type the name of the predefined variable and the custom value you want to use, then click OK to save the variable definition.

    For example, type shell and set the value to /usr/bin/ksh to modify the default shell definition.

  6. Click OK to close the zone properties.