lightdm not compatible with ldap based user accounts

Reported by perpetualrabbit on 2012-03-01
This bug affects 31 people
Affects: Light Display Manager | Importance: Medium | Assigned to: Canonical Desktop Team

Bug Description

I am preparing a Precise Pangolin image for installation on university workstations (many of them). The users and groups and their passwords (hundreds of them) are registered in an LDAP server, not in passwd/shadow. No local user accounts are used; there are only system accounts in passwd/shadow/group. The home directory comes from an NFS server, that is, /home is an NFS mount.

PROBLEM:
-----------
There is no way to log in as a user coming from LDAP. There is simply no field to type a username. There is only a guest user shown in the login screen. The only possible action is to click on LOGIN and become the guest user.

Furthermore, there is no lightdm man page. There is the file /usr/share/doc/lightdm/lightdm.conf, but it provides me no information on how to fix this problem, or on whether the problem is caused by a configuration error.

THINGS I TRIED:
-----------------
1. So, I googled around and put allow-guest=false into /etc/lightdm/lightdm.conf. Then I restarted lightdm. Result: the login screen does not come up. The screen keeps flashing between a text mode and a graphical mode. So apparently lightdm now cannot start because there is no valid user in passwd/shadow at all. It does not seem to consider LDAP users.

2. I defined some users in /etc/passwd and /etc/shadow. These are picked up by lightdm, but only if their UID is greater than or equal to 1000. This despite the line in /etc/lightdm/users.conf reading: minimum-uid=500. This seems like another bug to me.
However, there is still no option to log in as an arbitrary user. That is, there is still no way to type a user name. Also, even if the LDAP users _were_ picked up (but they're not), this would not be a solution because these users will collide with the LDAP users. Or, copying all the LDAP users into passwd/shadow would defeat the purpose of having LDAP in the first place.

CONSEQUENCES:
-------------------
1. In this form, I cannot install precise pangolin on any workstation. In any organisation having more than say five linux workstations, the system management will have a central user account system. Usually this is Openldap, or Microsoft Active Directory, or Kerberos, or some of the other directory servers like the one from SuSE.
2. Therefore, any display manager or login screen that cannot cope with even Openldap is completely useless for organisations.
3. So, if it turns out that LDAP authentication is simply not implemented in lightdm, then I am going to have to skip Precise Pangolin, or revert to GDM, or possibly install another linux distro altogether, like Fedora.
4. How can Canonical ever hope to sell support contracts for university seats and the like, when sysadmins like me have to basically rebuild the distro to make it work in a managed workstation setting?

RECOMMENDATIONS:
------------------------
1. Developers at Canonical should keep the managed workstation in mind. Missing things like LDAP authentication and Kerberos are MAJOR reasons not to choose Ubuntu in an organisation. Similar problems exist with support for NFS: untested crap, for instance ubuntu NFS4 clients and a redhat server are a non-working combination and have been non-working since at least Hardy Heron. Central account management is simply non-existent in Ubuntu server. Setting up Openldap is a pain in Ubuntu server. There is not even a tested howto for setting up an Openldap or Kerberos authentication server from Canonical, and what there is, is confusing and conflicting.
2. It is quite simple to fix really; get your engineers on ubuntu workstations that are centrally managed using Openldap, and they will quickly find out what works or not. Lightdm not working with LDAP, missing HOWTO for LDAP authentication and/or Kerberos: your engineers will stumble over it inevitably. Thus they will be forced to fix it and document it.
3. I cannot believe that Ubuntu is being developed since 2004, and enterprise-critical things like setting up Openldap/Kerberos authentication are still basically non-implemented in the server version (where is the GUI??) and totally disregarded in the desktop version. It proves that workgroups and workstations are simply a non-supported category by Canonical.
Home-desktops, laptops: yes. Webservers, Virtualization servers: yes.
Authentication and fileservers for large numbers of workstations: strictly do-it-yourself. Workstations depending on NFS and LDAP: major adaptations are needed, and usually regression to the 2.2 version of GDM is needed (to get multiseat working for instance).

In the meantime, I have been able to get a login screen where you can actually type a username.
However, problems remain.

PROBLEMS:
-------------
1. Instead of "Type your username" or "Welcome to Ubuntu" or something like that, the login screen now reads "Other...". Do you think that some hundreds of students and scientists are going to understand what this "Other..." means? It looks ridiculous, and they will ridicule the sysadmins if I would leave it like that.
How can I get rid of this stupid "Other..." string, and configure it to say "Username:" or something like that?

2. After login, there appears no desktop. The screen stays black. This is in KVM, with the cirrus driver. I tried both the normal ubuntu and the ubuntu 2D session. Now this could possibly be a separate bug, non-related to lightdm, so I may have to report it separately. I suspect that if you use existing user accounts, without copying over the skel files, the unity shell will not work.
Which is of course the normal situation with workstations with NFS mounted /home.

Sebastien Bacher (seb128) wrote :

Thank you for your bug, if you use the unity-greeter try to define "greeter-hide-users = True"

Could you open a bug about the "Other..." wording, that should be easy to fix

the second issue is probably a different one, can you add your session .xsession-errors from one of those empty session logins?

I indeed edited /etc/lightdm/lightdm.conf:
    [SeatDefaults]
    user-session=ubuntu
    greeter-session=unity-greeter
    allow-guest=false
    greeter-hide-users=true

Now at least I get a field for a username. Of course, it should just work with LDAP, and pick the usernames there. Also, when there are many usernames (say more than 10), it should default to either not show them, or to show only the ones who recently logged in to this particular workstation. There may be hundreds or even thousands of users in an LDAP server. But on a particular workstation in a professor's room, only one or two may actually use that machine. At least at the console; people may of course log in with ssh, or vnc, or xdmcp. Also, in a classroom where many students may use a machine, it may be not sensible to show all users, so if many different people use a machine, say more than ten, lightdm could also decide to only show a username field.

In all those cases, simply displaying "Other..." is just silly. There is a real use-case for a normal username/password dialog.

So, the confusing "Other..." issue remains, and also the fact that at least under kvm (with the cirrus driver), many desktops will not start. At least not: ubuntu, ubuntu2D, gnome shell, cinnamon. I get a black screen, or a spinner with nothing happening.

Nelson Lago (lago) wrote :

Just to note that (as might be expected) this happens when using NIS as well.

Changed in lightdm:
status: New → Triaged
importance: Undecided → Medium
Renzo Bagnati (renbag) wrote :

I have the same problem with Active Directory.
To me it would be sufficient to restore the possibility of login by entering the username and password through an 'Other username ...' dialog, as it was in oneiric and gdm.

Sebastien Bacher (seb128) wrote :

Did the ldap and active directory cases work out of the box before? One rationale behind hiding the "other" prompt by default is that it was confusing users in user testing, and it was argued that for ldap or active directory configurations to work it would require a sysadmin to set those up anyway, and so the system could as well tweak the lightdm configuration. If that's not the case, is there a heuristic which could be used to know when remote login should be configured?

Changed in lightdm:
assignee: nobody → Canonical Desktop Team (canonical-desktop-team)
Renzo Bagnati (renbag) wrote :

Integration into Active Directory requires an authorized administrator and some PAM and samba configurations.
Once the workstation is joined to a domain, in oneiric (with lightdm) and previously (with gdm), active directory users could login by entering username and password. The presence of the 'Other username ...' dialog is essential here, unless the workstation is used mainly by a single user, which can be listed by lightdm by adding it to /etc/passwd.
I think that a good solution could be to leave off that dialog in the default configuration, but add an option in lightdm.conf to restore it without hiding local users (as it is now).

Darryl Weaver (dweaver) wrote :

I would prefer a configuration option for /etc/lightdm/lightdm.conf where we can specify whether to show the "other" entry explicitly, so the greeter automatically shows any local users who have already logged onto the workstation, but we can specify that the "other" entry is always displayed so someone can also type in a login username.

The usual corporate use case being that a desktop or laptop is normally used by one or the same group of people, but sometimes might be borrowed by a different LDAP user.

So, how about a new config entry:
greeter-show-other=true
for clarity for corporate users.

Robert Ancell (robert-ancell) wrote :

@Darryl, the greeter-show-manual-login option was added in 1.1.7, is this what you want?

Renzo Bagnati (renbag) wrote :

@Robert, the greeter-show-manual-login option is exactly what I was asking in comment #7. Thank you.

Darryl Weaver (dweaver) wrote :

Yes, that's great!
So, for corporate workstations use the following in /etc/lightdm/lightdm.conf:
    [SeatDefaults]
    user-session=ubuntu
    greeter-session=unity-greeter
    allow-guest=false
    greeter-show-manual-login=true

This will always show the manual login option and a list of users who have recently logged in, with no option to log in as a guest.

denuel (pdenuel) wrote :

I have a precise installation with ldap authentication and an nfs home mounted.
- No problem to log in for a local user
- When I'm trying to log in as an ldap user, once the password is entered, I get a blank screen (without unity dock) and nothing more happens.

Nicolas Rannou (huko-rannou) wrote :

I can log in as an LDAP user but once I am logged in:
 - no "left panel"
 - no top tool bar
 - if I double click on the terminal icon, the window goes to the top left corner and I can not move it

(I have dual screens and local user works perfect)

Thanks!

Nicolas Rannou (huko-rannou) wrote :

Same issue as denuel (#12):
precise installation with ldap authentication and an nfs home mounted.
After entering the password, the login process hangs.
The workaround is to kill the following sleeping process in a separate console:
gsettings get org.gnome.desktop.interface toolkit-accessibility
Then the session starts correctly.

Sebastien Bacher (seb128) wrote :

@yanok: thanks for your comment, it seems a bit of a different issue, could you open a new bug and add a stacktrace of the gsettings process to it?

lunamystry (mandla) wrote :

This seems to have solved my problems:
https://help.ubuntu.com/community/LDAPClientAuthentication

I am using Ubuntu Precise (12.04) and I can successfully authenticate using ldap accounts.
Previously, after logging in, the computer would just hang and show the lightdm/kdm background.

I tested it to work with kdm and lightdm. I first did the lightdm config mentioned here and then went on to the instructions.

I just seem to have a shutdown issue now. Users can't shut down the computer after login.

Vincent Fortier (th0ma7) wrote :

Is there any way to make lightdm show the LDAP user list instead of local ones, perhaps even with a search (if you have too many)
AND
have a manual login box?

I was hoping I could provide that sort of functionality with lightdm.

On Tue, Jun 19, 2012 at 2:48 PM, Vincent Fortier
<email address hidden> wrote:
> Is there any way to make lightdm show the LDAP user list instead of local ones, perhaps even with a search (if you have too many)
> AND
> have a manual login box?
In principle all that was needed is a "getent passwd", and do some filtering. But the lightdm makers did nothing of the sort, it looks like. Could it be that they simply read the /etc/passwd file? Getent will give you all the users, local and network.

Users' photos would be tricky: most places where you use ldap, you would use nfs too, and that is mounted with root_squash, and lightdm has to run as root, so you can't read the photos out of the users' homedirs. I'm pretty sure that is where the login photo (or picture) is kept.
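The "getent passwd plus filtering" idea above can be checked on any host. This is an added example, not code from the thread or from lightdm: it reads passwd-format lines (what `getent passwd` returns through NSS, so LDAP or NIS entries included) and keeps only the accounts that lightdm's users.conf keys minimum-uid, hidden-users and hidden-shells would leave visible. The sample passwd lines and the uid values in them are constructed.

```shell
#!/bin/sh
# Added example (not lightdm code): apply the users.conf-style filter
# (minimum-uid, hidden-users, hidden-shells) to passwd-format lines.

# list_login_users MIN_UID "HIDDEN_USERS" "HIDDEN_SHELLS" < passwd-lines
# Prints one username per line for entries with uid >= MIN_UID whose
# name is not in HIDDEN_USERS and whose shell is not in HIDDEN_SHELLS
# (both are space-separated lists, as in users.conf).
list_login_users() {
    min_uid=$1
    hidden_users=" $2 "
    hidden_shells=" $3 "
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$uid" -ge "$min_uid" ] || continue
        case "$hidden_users" in *" $name "*) continue ;; esac
        case "$hidden_shells" in *" $shell "*) continue ;; esac
        printf '%s\n' "$name"
    done
}

# Constructed sample of what `getent passwd` could return on a workstation
# whose nsswitch.conf lists "files ldap": system accounts, one local admin
# with uid 500, two directory users and a directory service account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
localadmin:x:500:500:Local Admin:/home/localadmin:/bin/bash
alice:x:20001:20000:Alice Lab:/home/alice:/bin/bash
bob:x:20002:20000:Bob Lab:/home/bob:/bin/bash
svc-backup:x:20500:20000:Backup Service:/var/lib/backup:/usr/sbin/nologin'

# sample_users MIN_UID: filtered names from the sample, space-separated.
# Running it with 500 (the users.conf default quoted in the report) and
# with 1000 (the cut-off the reporter actually observed) shows the
# difference the minimum-uid setting makes.
sample_users() {
    printf '%s\n' "$SAMPLE_PASSWD" \
        | list_login_users "$1" "nobody nobody4 noaccess" "/bin/false /usr/sbin/nologin" \
        | paste -s -d ' ' -
}

# On a real host: getent passwd | list_login_users 500 "nobody" "/usr/sbin/nologin"
```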

alice (komalapa) on 2012-08-22
no longer affects: ubuntu

Hello,

I would like to mention that there is actually a somewhat related bug report, namely bug #837002, which discusses the handling of the last session and language of a user. With the switch from .dmrc to AccountsService to store the information about the last session and language (bug #823718), lightdm has basically become less usable in a networked environment with LDAP/NIS-based user accounts, since AccountsService stores the information about last session and language locally, inaccessible on the network. I have proposed a change to make the use of .dmrc or AccountsService configurable (bug #106949).

Cheers,

Adrian

Raul Dias (raul-dias) wrote :

echo -e "[SeatDefaults]\ngreeter-show-manual-login=true\n" > /etc/lightdm/lightdm.conf.d/11-thanks-rsd.conf;service lightdm restart

-rsd

Ritesh Khadgaray (khadgaray) wrote :

Let me know, if the last comment helps.

Changed in lightdm:
status: Triaged → Incomplete