Unity Greeter - Add Network Login option

Bug #844044 reported by John Lea
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ayatana Design | Fix Released | Medium | Mika Meskanen | |
| Unity Greeter | Fix Released | Medium | Unassigned | |
| unity-greeter (Ubuntu) | Fix Released | High | Robert Ancell | |
| Precise | Fix Released | High | Robert Ancell | |

Bug Description

Add Network Login option. Note that this option is switched off by default.

See attached visual design.

John Lea (johnlea) wrote :
Changed in ayatana-design:
assignee: nobody → Mika Meskanen (mesq)
importance: Undecided → Medium
status: New → Fix Committed
tags: added: onew udo
Robert Ancell (robert-ancell) wrote :

What is the network login supposed to do?

Changed in unity-greeter:
status: New → Incomplete
importance: Undecided → Medium
Robert Ancell (robert-ancell) wrote :

Also, you can't display both a username and password box at the same time - you don't know what authentication method (if any) will be performed until after the username is entered.

Changed in unity-greeter (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
Martin Pitt (pitti) wrote :

This looks related to bug 844039. If that is supposed to replace the "Other.." option, it is confusing: It is not only network users who do not appear in the greeter's user list, it can also be system users or even root. You might also have PAM modules which identify you by fingerprint, bluetooth devices, or what not.

John Lea (johnlea) wrote :

This is a separate bug; the 'other' login option is an optional feature users can switch on if they do not want any usernames to be displayed in the greeter for security/privacy reasons, or the rare corner case where there are far too many local user accounts to be displayed.

This 'Network Login' option is for use with a corporate network login service.

Changed in unity-greeter:
status: Incomplete → Confirmed
Changed in unity-greeter (Ubuntu):
status: Incomplete → Confirmed
Changed in ayatana-design:
status: Fix Committed → Fix Released
John Lea (johnlea)
tags: added: udp
Changed in ayatana-design:
status: Fix Released → Fix Committed
Robert Ancell (robert-ancell) wrote :

There is no distinction with PAM between local and remote accounts. When we initiate a login attempt we just ask PAM for access, and that may check locally or remotely or do anything the system administrator has determined (e.g. accounts can be locked at certain times).

As we don't know what the sysadmin has chosen, we let them switch the greeter to manual mode and just have a text entry for username.

Martin Pitt (pitti) wrote :

This would essentially revert bug 844039. +1 for this from desktop team POV, as removing the Other/network login/you name it option does no harm and is a must if you use any non-default authentication system (which will be the case in any non-home environment).

tags: added: regression-release rls-p-tracking
Martin Pitt (pitti) wrote :

Targeting to precise. This is a pretty major regression for any non-home setup compared to 10.04 LTS; users must continue to be able to log into the computer.

If all else fails, let's bring back the "Other..." option in the user chooser.

Changed in unity-greeter (Ubuntu Precise):
assignee: nobody → Robert Ancell (robert-ancell)
importance: Medium → High
milestone: none → ubuntu-12.04
Tobias Wolf (towolf) wrote :

Just don’t call it »Other«.

With our LDAP setup people don’t realize that a bit of white text »Other« is where they log in. In particular when it is not part of a list, where it could be inferred from context. If there’s only »Guest« and »Other« it looks really bad.

Personally I would be fine with »Network Login« and »Network Password«, but just »Login« and »Password« would work too.

Thomas Bushnell, BSG (tbushnell) wrote :

Please do not confuse "hiding user list" with "providing a user-name entry box".

We want a user list *and* we want the ability to enter a user-name by hand if the person logging in is not in the list.

Robert Ancell (robert-ancell) wrote :

Thomas,

"We want a user list *and* we want the ability to enter a user-name by hand" - could you define who "we" are and some use-cases where you have a list of users and also other accounts not in the list but useful to log in as?

LightDM (and by extension Unity Greeter) assumes if the OS provides a list of user accounts (via getpwent()) then that provides all the possible accounts available on that system. From the getpwent manual page:

"The getpwent() function returns a pointer to a structure containing the broken-out fields of a record from the password database (e.g., the local password file /etc/passwd, NIS, and LDAP)"

The "greeter-hide-users" option in lightdm.conf requests that the greeter hide the list of users (even if it is provided by the OS) and instead show a manual entry. The emphasis is not on showing the manual entry, that is merely what the greeter does if there appear to be no users on the system (bug 919298 fixed this). It's not a "show user-name entry" option.

Robert Ancell (robert-ancell) wrote :

I've added a "greeter-show-manual-login" option to lightdm 1.1.7 so a system administrator can indicate to the greeter that it should always show a manual username option. In the branch lp:~robert-ancell/unity-greeter/bug-844044 I've proposed support for this in Unity Greeter which would have the default install show as in the screenshot below.

However, this does not solve the request of this bug. The request is to add a specific "Network" option. There are two issues with this currently:
a) We cannot tell what the system administrator has configured PAM to do, thus we cannot detect if this machine can or cannot access network accounts.
b) We cannot restrict this "Network" entry to only network accounts (*). So the naming is confusing.

(*) technically not true as we could make a special PAM service that only allowed network logins, however I don't think this is really what this bug is requesting.

Thomas Bushnell, BSG (tbushnell) wrote :

Robert, I think that will be very great for our case. I agree completely that it is not plausible to distinguish a "network" account. For our part, we are not concerned so much with the labeling, and whatever looks good to the designers is fine with us. I'm very pleased that this change will let us have a user list *and* a generic login box at the same time, and I think our users will be very happy with it. Thanks!

Tobias Wolf (towolf) wrote :

LGTM, Robert.

Ballock (ballock) wrote :

>>"We want a user list *and* we want the ability to enter a user-name by hand"
- could you define who "we" are and some use-cases where you have a list of users and also other accounts not in the list but useful to log in as?<<

I can give you a use case, though it may be different than that of Thomas. We have LDAP authentication in place (with NSS as well), though this does not seem to pull the users to the list - and it makes no sense as there are hundreds of those. So in Lucid people clicked "Other", logged in and next time they would see their user on the logon screen and the "Other" user on the bottom.

Although mostly there is just 1 user per machine, sometimes other people need to be able to login to it as well, I hope you understand that. I saw your screenshot, this should be ok for us, I guess.
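
An added example, not part of the original thread and not LightDM's own code: a Python check for the situation discussed above, where an account resolves through a single-name lookup (getpwnam) but is not returned by enumeration (getpwent), so it can only start a login if the greeter shows a manual entry. The function names, the result strings and the assumption that "greeter-hide-users" and "greeter-show-manual-login" are false when absent are this example's own.

```python
import configparser
import pwd

# Constructed sample input: the [SeatDefaults] block quoted in this thread.
SAMPLE_CONF = """\
[SeatDefaults]
greeter-session=unity-greeter
user-session=ubuntu
autologin-user=
greeter-show-manual-login=true
"""

def greeter_mode(conf_text):
    """Return (shows_user_list, shows_manual_entry) for lightdm.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Assumption: both options are false when absent.
    hide = cp.getboolean("SeatDefaults", "greeter-hide-users", fallback=False)
    manual = cp.getboolean("SeatDefaults", "greeter-show-manual-login",
                           fallback=False)
    # Hiding the list makes the greeter fall back to a manual entry.
    return (not hide, hide or manual)

def login_path(username, conf_text, enumerated=None, resolve=pwd.getpwnam):
    """Say how `username` can start a login: listed, manual entry, or not."""
    shows_list, shows_manual = greeter_mode(conf_text)
    if enumerated is None:
        # pwd.getpwall() walks the database the way a getpwent() loop does.
        enumerated = {entry.pw_name for entry in pwd.getpwall()}
    try:
        resolve(username)  # single-name lookup, as getpwnam() does
    except KeyError:
        return "not resolvable"
    if shows_list and username in enumerated:
        return "listed"
    if shows_manual:
        return "manual entry"
    return "locked out"  # resolvable, but the greeter offers no way to name it

if __name__ == "__main__":
    import sys
    with open("/etc/lightdm/lightdm.conf") as fh:
        conf = fh.read()
    for name in sys.argv[1:]:
        print(name, "->", login_path(name, conf))
```
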

Thierry Carrez (ttx) wrote :

"greeter-show-manual-login" sounds and looks great.

Ballock (ballock) wrote :

I found it entered the official package in precise. Thanks, it looks very good.

Thomas Bushnell, BSG (tbushnell) wrote :

Thanks for this Robert; it works great!

tags: removed: rls-p-tracking
Tony Mugan (tmugan) wrote :

I added the line to /etc/lightdm/lightdm.conf

But I cannot authenticate against Active Directory using likewise-open. This was working with Precise in the early alpha versions and previous versions of Ubuntu.

[SeatDefaults]
greeter-session=unity-greeter
user-session=ubuntu
autologin-user=
greeter-show-manual-login=true

tags: added: rls-mgr-p-tracking
Tony Mugan (tmugan) wrote :

Actually, I needed a reboot and can now authenticate against AD as described in this related issue.

https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/946755

I cannot however, run sudo with that AD user.

It says that I am not in the sudoers file even though I have already added the "Domain^Users".
This worked previously in early Alphas of 12.04 and all previous versions of Ubuntu.

Changed in unity-greeter (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in unity-greeter:
status: Confirmed → Fix Released
Nick Tait (jnick-tait)
Changed in ayatana-design:
status: Fix Committed → Fix Released
tags: added: reviewedbydesignp
removed: udo udp