Is it possible, during the authentication phase of pam_ldap, to map an arbitrary LDAP attribute of the user's record into the resulting user's environment?
The specifics of my situation, in case you see another approach to the problem, are that I've written a custom SFTP subsystem which maps SFTP commands to a Ceph/Rados Pool. I want this subsystem to use a key associated with the authenticated user to connect to the Ceph cluster (for controlling pool access, etc.)
I will already be authenticating users via LDAP for the SSH/SFTP connection, and believe I can lock down read access to their Ceph key attribute to only root and self. I'd prefer to not do another LDAP lookup using a shared LDAP bind account if possible.
Update:
While I haven't found a way to do exactly what I'm asking for here, I do have something "working" which uses a pam_exec.so session module (as root) to pull the LDAP attribute and write it to /run/users/<UID>/<filename>.<SESSION_ID> (with chmod 400 and chown <UID>:root). Then the custom subsystem (as the authenticated user) reads and removes this file.
Though this works, are there considerable security concerns that it raises?
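As an added example (not code from the original post or from pam_exec/pam_ldap), here are the two halves of the hand-off the update describes: a writer the pam_exec session hook would call as root, and a consumer the SFTP subsystem would call as the authenticated user. The point is what each side checks: the writer never leaves the file world-readable even for an instant and never follows a symlink another local user may have planted, and the consumer refuses anything that is not a regular 0400 file owned by the expected UID. Assumptions not stated in the post: the LDAP lookup itself stays outside these functions and the attribute value arrives on stdin; the base directory is a parameter (default /run/user, where the post writes /run/users); SESSION_TOKEN stands in for whatever <SESSION_ID> the PAM hook and the subsystem already share; GNU coreutils stat and mv (rename(2)) are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Writer + consumer for a
# per-session secret file under RUNDIR/<UID>/ (default /run/user).
# Assumes GNU coreutils (stat -c, mv via rename(2)).

# --- writer: called from the pam_exec session hook, runs as root ----------
# usage: printf '%s' "$secret" | write_key_file UID SESSION_TOKEN [RUNDIR]
write_key_file() {
    uid=$1
    token=$2
    rundir=${3:-/run/user}
    dir="$rundir/$uid"
    path="$dir/ceph.key.$token"
    tmp="$path.tmp.$$"

    # Per-user directory, 0700. Refuse a pre-existing symlink: as root we
    # would otherwise write the secret wherever a local user pointed it.
    [ -L "$dir" ] && { echo "refusing symlink $dir" >&2; return 1; }
    mkdir -p -m 0700 "$dir" || return 1

    # Create the temp file 0600 from the first byte (umask in a subshell),
    # then tighten to 0400 and hand it to the user. The final rename makes
    # the real name appear atomically, already with the right mode/owner.
    (umask 077 && cat > "$tmp") || { rm -f "$tmp"; return 1; }
    chmod 0400 "$tmp" || { rm -f "$tmp"; return 1; }
    # Under PAM this runs as root; the guard only lets the example run
    # unprivileged (e.g. the stand-alone check below) without chown failing.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid:root" "$dir" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$path"
}

# --- consumer: called by the SFTP subsystem as the authenticated user ----
# usage: secret=$(read_and_remove_key_file UID SESSION_TOKEN [RUNDIR]) || exit 1
read_and_remove_key_file() {
    uid=$1
    token=$2
    rundir=${3:-/run/user}
    path="$rundir/$uid/ceph.key.$token"

    # Only a regular file that is not a symlink is acceptable.
    [ -f "$path" ] && [ ! -L "$path" ] || { echo "missing $path" >&2; return 1; }
    # Owner must be the expected UID and mode exactly 0400; anything else
    # was not written by the PAM hook (or was tampered with since).
    set -- $(stat -c '%u %a' "$path")
    [ "$1" = "$uid" ] && [ "$2" = "400" ] || {
        echo "unexpected owner/mode '$1'/'$2' on $path" >&2; return 1; }
    # Single use: emit the secret and unlink it in the same step.
    cat "$path" || return 1
    rm -f "$path"
}
```

The consumer's ownership and mode check is what makes the file a usable trust boundary: the directory is 0700 and owned by the user, so only that user (and root) can create entries in it, and a symlink or a file with a different owner is rejected before its contents are read. Two caveats the hand-off does not remove: during the window between the session hook and the subsystem's read, any other process running as that user can read the secret, and if the subsystem never runs (the session is torn down first) the file is left behind, so a matching close_session hook should remove leftovers. On systems where /run is a tmpfs the secret never reaches persistent storage.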