It’s all in the flow – a script running in the OOD webserver context has talked to LDAP, and gotten a “yeah, that id is ok” response. That script then needs to create processes in the context of the approved user. Once that’s done, then an ssh to someplace could happen. Whether that works or not depends on the sshd configuration on the target end – does it blindly trust a presented username from another system as ok because the other system liked it (meaning the target accepts logins from the source based on host level trust of the source), or does the target require some kind of verification (like a pre-shared pub key or a password)?
Being “ric” on OOD doesn’t grant me any access to any other system without an ssh key or a password in my environment. Your setup may be different though. Regardless, there’s still the question of making ood spawn an ssh or a “su -” or pay attention to the PAM stack. Any of those could (given the presence of PAM’s “pam_oddjob_mkhomedir.so” in the stacks for those apps) cause a home directory to be created.
Since the OOD webserver creates a per-user instance of nginx and a couple other things, maybe you could do something there. However, I’m not versed enough on how ood works under the covers to even begin to guess if that’s possible.
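
One way to check which services' PAM session stacks would actually reach pam_oddjob_mkhomedir.so, following `include`/`substack` lines (an added example, not part of the original post). It assumes standard Linux-PAM file syntax; the sample stacks and the function names are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample stacks (not from a real host); keys are file names under /etc/pam.d.
SAMPLE = {
    "sshd": "auth substack password-auth\nsession include password-auth\n",
    "su-l": "auth include su\nsession optional pam_keyinit.so force revoke\nsession include su\n",
    "su": "auth sufficient pam_rootok.so\nsession include system-auth\n",
    "password-auth": "auth required pam_unix.so\n"
                     "session optional pam_oddjob_mkhomedir.so umask=0077\n"
                     "session required pam_unix.so\n",
    "system-auth": "session required pam_unix.so\n",
}

# Fields: type, control (a word or a [bracketed list]), module path or included file name.
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_modules(service, files, path=()):
    """Modules in the session stack of `service`, with include/substack expanded."""
    if service in path or service not in files:  # include loop or missing file
        return []
    path, mods = path + (service,), []
    for raw in files[service].splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "@include":  # Debian-style include
            mods += session_modules(parts[1], files, path)
            continue
        m = LINE.match(" ".join(parts))
        if not m or m.group(1) != "session":
            continue
        if m.group(2) in ("include", "substack"):
            mods += session_modules(m.group(3), files, path)
        else:
            mods.append(m.group(3).rsplit("/", 1)[-1])
    return mods

def creates_home(service, files, module="pam_oddjob_mkhomedir.so"):
    """True if opening a session through `service` would invoke `module`."""
    return module in session_modules(service, files)

def load_pam_dir(directory="/etc/pam.d"):
    """Read real stacks from disk in the same shape as SAMPLE."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(directory).iterdir() if p.is_file()}

if __name__ == "__main__":
    for svc in ("sshd", "su-l"):
        print(svc, "->", "mkhomedir in session stack" if creates_home(svc, SAMPLE) else "no mkhomedir")
```

On a real host, pass `load_pam_dir()` instead of `SAMPLE` and check the service names that the login path in question actually uses.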