LDAP user auto creation: A way to set (default) login shell for LDAP users?

Started by msi, October 26, 2022, 07:02:09 AM

Hi there

I've realized that while LDAP autocreation of (in my case admin) users works pretty well (definitely appreciate it!) and newly-created accounts get the right permissions in the Web UI based on LDAP group memberships, even sudo worked - but the login shell defaults to /sbin/nologin.

The result is that even if they add their SSH keys such users cannot log in via SSH nor can they log into a shell on i.e. the local VGA or serial console.  ;)

I've realized this on our OPNsense cluster on 22.4 but was able to reproduce this on my personal system running 22.7. I know it's minor, but I tried finding options in the UI and source code for either:

  • Define the login shell based on an LDAP attribute mapping (this can have disadvantages if LDAP is unavailable)
  • Set a selectable default shell for newly-created users in the auth server?

It took me some time to realize what (it seems) was happening at first. Looking forward to any input, maybe I can figure out a small addition to the Authentication code in the core repository.

Any other/better ideas?
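The two options raised in the post (shell taken from an LDAP attribute, or a selectable default) can be combined in one small policy function. The following is an added example written for this thread, not code from OPNsense's core repository, and it assumes the directory exposes the shell in the posixAccount `loginShell` attribute and that the local allow-list is the contents of `/etc/shells` (both assumptions; the sample entries and shells file are constructed). The point a defender cares about is that a value coming from the directory is never used as-is: it must match the local allow-list, and a missing attribute, an unexpected value, or an unreachable LDAP server all fall back to the configured default rather than to an arbitrary path.

```python
"""Choose a login shell for an auto-created LDAP user (added example).

Assumed attribute name: ``loginShell`` (posixAccount schema).
Assumed allow-list source: an /etc/shells-style file, parsed below.
"""
from typing import Mapping, Optional, Sequence, Set

# Typical FreeBSD value for accounts that must not get an interactive shell.
NOLOGIN = "/sbin/nologin"

# Constructed stand-in for /etc/shells; real systems read the file instead.
SAMPLE_SHELLS_FILE = """\
# List of acceptable shells (constructed sample)
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash
"""


def parse_shells(text: str) -> Set[str]:
    """Parse /etc/shells content: one absolute path per line,
    '#' comments and blank lines ignored."""
    shells: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("/"):
            shells.add(line)
    return shells


def choose_login_shell(entry: Optional[Mapping[str, Sequence[str]]],
                       allowed_shells: Set[str],
                       default_shell: str = NOLOGIN,
                       attribute: str = "loginShell") -> str:
    """Return the shell to assign to a newly created local account.

    entry          -- the user's LDAP attributes as {name: [values]}, or
                      None when the directory could not be queried.
    allowed_shells -- local allow-list (contents of /etc/shells).
    default_shell  -- what to use when the directory gives nothing usable;
                      must itself be NOLOGIN or an allowed shell.
    """
    if default_shell != NOLOGIN and default_shell not in allowed_shells:
        raise ValueError(f"default shell {default_shell!r} is not in /etc/shells")

    # Directory unavailable: never guess, use the configured default.
    if entry is None:
        return default_shell

    values = entry.get(attribute) or []
    # Exactly one value is expected; zero or several means "not usable".
    if len(values) != 1:
        return default_shell

    candidate = values[0].strip()
    # Only a shell the local system already trusts is accepted verbatim.
    if candidate in allowed_shells:
        return candidate
    return default_shell


def demo() -> dict:
    """Run the policy over constructed entries and return the decisions."""
    shells = parse_shells(SAMPLE_SHELLS_FILE)
    entries = {
        "alice": {"uid": ["alice"], "loginShell": ["/usr/local/bin/bash"]},
        "bob": {"uid": ["bob"]},                         # attribute missing
        "carol": {"uid": ["carol"], "loginShell": ["/tmp/not-a-shell"]},
        "dave": {"uid": ["dave"], "loginShell": ["/bin/sh", "/bin/csh"]},
    }
    result = {name: choose_login_shell(e, shells, default_shell="/bin/sh")
              for name, e in entries.items()}
    # Simulated LDAP outage for one more account.
    result["erin (ldap down)"] = choose_login_shell(None, shells)
    return result


if __name__ == "__main__":
    for user, shell in demo().items():
        print(f"{user:18} -> {shell}")
```

With `default_shell="/bin/sh"` an operator gets the "selectable default" behaviour from the post; leaving it at `/sbin/nologin` keeps today's behaviour for anything the directory does not explicitly and validly specify.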