Discussion:
[Ltsp-discuss] LTSP fat client LDAP authentication without ssh tunnel
Ivan Mincik
2014-12-28 20:07:33 UTC
Hi all,
I am using LTSP in Fat client mode, with LDAP authentication [1]. I
see that LDM is still using an SSH tunnel for authentication.

I am wondering how hard it is to authenticate directly with the LDAP server
without using an SSH tunnel and optionally replace LDM with LightDM.
I am using Ubuntu 12.04.

Can somebody point me in the right direction? Thank you.


1 - https://github.com/imincik/gis-lab/blob/master/system/roles/client-desktop/files/static/system/ltsp/030-gislab-ldap


--
Ivan Minčík
***@gmail.com GPG: 0x79529A1E
http://imincik.github.io/0x79529A1E.key
***@gista.sk GPG: 0xD714B02C
http://imincik.github.io/0xD714B02C.key
------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenod
Vagrant Cascadian
2014-12-29 07:59:18 UTC
Post by Ivan Mincik
> I am using LTSP in Fat client mode, with LDAP authentication [1]. I
> see that LDM is still using an SSH tunnel for authentication.
> I am wondering how hard it is to authenticate directly with the LDAP server
> without using an SSH tunnel and optionally replace LDM with LightDM.
> I am using Ubuntu 12.04.

The Debian-Edu project implemented LDAP authentication like this running
KDM on LTSP clients a while back; I'm not sure if they're still using
it.


If you've already got the LDAP infrastructure in place, it's probably
not terribly hard to get working... presuming you know how to do it for
a "regular" disked machine, there would only be a few additional steps
for an LTSP fat client. You'll need to configure some lts.conf settings:

# allow lightdm to be started
KEEP_SYSTEM_SERVICES=lightdm

# disable the default of SCREEN_07=ldm when no SCREEN_XX is set, by
# starting a debug shell on tty2.
SCREEN_02=shell

You'll probably want to create a no-op screen script to run with
SCREEN_02 instead of always having a root shell, but the debugging shell
should work for a proof-of-concept and probably will be useful for
troubleshooting.

You'll also probably need to figure out how to mount the user's
homedir. LTSP typically does this using sshfs through LDM hooks. You
could use NFS or some other remote filesystem protocol.


And then you'll need to do the typical changes to /etc/pam.d/lightdm* or
/etc/pam.d/common* for LDAP authentication... and possibly make other
changes, depending on your LDAP implementation. The only thing LTSP
specific here is that you might want to implement these using
init-ltsp.d hooks, or edit the files directly and rebuild your NBD
image after making changes.


So, there are no step-by-step guides that I'm aware of, but maybe those
pointers will give you a decent starting place.


live well,
vagrant
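
A check for the lts.conf settings described in the reply above, added here as an example (it is not from the thread or from the LTSP project). The function name, the `[default]` section in the constructed sample, and treating all sections of the file as one are assumptions.

```shell
#!/bin/sh
# Added example: audit an lts.conf for the settings discussed in this thread.
# Prints one finding per line, prefixed OK, WARN or MISSING.
# Assumption: all [sections] are merged; per-client overrides are not modelled.

audit_lts_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*\[/ || /^[ \t]*$/ { next }  # comments, sections, blanks
    {
        eq = index($0, "=")
        if (!eq) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)
        gsub(/^[ \t"]+|[ \t"]+$/, "", val)            # trim spaces and quotes
        # KEEP_SYSTEM_SERVICES is a whitespace-separated list of service names
        if (key == "KEEP_SYSTEM_SERVICES" && (" " val " ") ~ /[ \t]lightdm[ \t]/)
            keep = 1
        if (key ~ /^SCREEN_[0-9][0-9]$/) {
            screens++
            if (val == "shell")
                print "WARN " key "=shell leaves a root debug shell running"
            if (val ~ /^ldm( |$)/)
                print "WARN " key "=ldm still starts LDM"
        }
    }
    END {
        if (!keep)    print "MISSING KEEP_SYSTEM_SERVICES does not list lightdm"
        if (!screens) print "MISSING no SCREEN_XX set, default SCREEN_07=ldm applies"
        if (keep && screens) print "OK lightdm is kept and a SCREEN_XX is set"
    }' "$1"
}

# Constructed sample: the two settings from the reply, under an assumed [default].
sample=$(mktemp)
cat > "$sample" <<'EOF'
[default]
# allow lightdm to be started
KEEP_SYSTEM_SERVICES=lightdm
# proof-of-concept only: debug shell
SCREEN_02=shell
EOF
audit_lts_conf "$sample"
rm -f "$sample"
```

The WARN line for `SCREEN_02=shell` is the reminder to swap the debug shell for a no-op screen script before the image goes to real users.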
Ivan Mincik
2014-12-29 09:23:22 UTC
Vagrant, thank you very much for your very helpful information and time. It
will surely help me to move forward.
--
Ivan Minčík
***@gmail.com GPG: 0x79529A1E http://imincik.github.io/0x79529A1E.key
***@gista.sk GPG: 0xD714B02C http://imincik.github.io/0xD714B02C.key