lightdm not compatible with ldap based user accounts
Light Display Manager
Canonical Desktop Team
I am preparing a Precise Pangolin image for installation on university workstations (many of them). The users and groups and their passwords (hundreds of them) are registered in an LDAP server, not in passwd/shadow. No local user accounts are used, there are only system accounts in passwd/
There is no way to log in as a user coming from LDAP. There is simply no field to type a username. There is only a guest user shown in the login screen. The only possible action is to click on LOGIN and become the guest user.
Furthermore, there is no lightdm man page. There is the file /usr/share/
THINGS I TRIED:
1. So, I googled around and put allow-guest=false into /etc/lightdm/
2. I defined some users in /etc/passwd and /etc/shadow. These are picked up by lightdm, but only if their UID is greater than or equal to 1000. This despite the line in /etc/lightdm/
However, there is still no option to log in as an arbitrary user. That is, there is still no way to type a user name. Also, even if the LDAP users _were_ picked up (but they're not), this would not be a solution because these users will collide with the LDAP users. Or, copying all the LDAP users into passwd/shadow would defeat the purpose of having LDAP in the first place.
1. In this form, I cannot install Precise Pangolin on any workstation. In any organisation having more than, say, five Linux workstations, the system management will have a central user account system. Usually this is Openldap, or Microsoft Active Directory, or Kerberos, or some of the other directory servers like the one from SuSE.
2. Therefore, any display manager or login screen that cannot cope with even Openldap is completely useless for organisations.
3. So, if it turns out that LDAP authentication is simply not implemented in lightdm, then I am going to have to skip Precise Pangolin, or revert to GDM, or possibly install another Linux distro altogether, like Fedora.
4. How can Canonical ever hope to sell support contracts for university seats and the like, when sysadmins like me have to basically rebuild the distro to make it work in a managed workstation setting?
1. Developers at Canonical should keep the managed workstation in mind. Missing things like LDAP authentication and Kerberos are MAJOR reasons not to choose Ubuntu in an organisation. Similar problems exist with support for NFS: untested crap, for instance Ubuntu NFS4 clients and a Red Hat server is a non-working combination and has been non-working since at least Hardy Heron. Central account management is simply non-existent in Ubuntu server. Setting up Openldap is a pain in Ubuntu server. There is not even a tested howto for setting up an Openldap or Kerberos authentication server from Canonical, and what there is, is confusing and conflicting.
2. It is quite simple to fix really; get your engineers on Ubuntu workstations that are centrally managed using Openldap, and they will quickly find out what works or not. Lightdm not working with LDAP, missing HOWTO for LDAP authentication and/or Kerberos: your engineers will stumble over it inevitably. Thus they will be forced to fix it and document it.
3. I cannot believe that Ubuntu has been in development since 2004, and enterprise-critical things like setting up Openldap/Kerberos authentication are still basically non-implemented in the server version (where is the GUI??) and totally disregarded in the desktop version. It proves that workgroups and workstations are simply a non-supported category by Canonical.
Home-desktops, laptops: yes. Webservers, Virtualization servers: yes.
Authentication and fileservers for large numbers of workstations: strictly do-it-yourself. Workstations depending on NFS and LDAP: major adaptations are needed, and usually regression to the 2.2 version of GDM is needed (to get multiseat working for instance).
Changed in lightdm:
status: New → Triaged
importance: Undecided → Medium
perpetualrabbit (roland-lorentz) wrote: Re: [Bug 944041] Re: lightdm not compatible with ldap based user accounts (#19)
no longer affects: ubuntu