Hi Michael,

Thank you for the detailed and informative reply. It's good to hear from you!

I will be looking at the "/opt/initscripts-tcos/rc2345.d/pam_lda" in
detail accordingly.

However, just to confirm the configuration that I did.

OpenLDAP is installed on a remote server and I configured it on my local
OTS as secondary directory server.

In OTC:

Secondary directory server:  ldap://REMOTE_IP_of_OPENLDAP/dc=domain,dc=com
Secondary read-only principal:  cn=Manager,dc=domain,dc=com
password:   secret

And I set the login behaviour to read users and groups from the Secondary
Directory Server.

With this setup and OpenLDAP running remotely, I am able to connect to
OpenLDAP alone with the above credentials using an LDAP client (like
Softerra LDAP Admin) and browse the contents.

However, OTC fails to authenticate with those credentials. What I see in the
remote OpenLDAP logs is that OTC sends cn=Manager only BUT not the
,dc=domain,dc=com part (i.e. ONLY the first part of the read-only
principal).

For that reason the authentication to openLDAP fails.

What I have done is remove the username and password requirement from the
OpenLDAP slapd.conf, and then remove the read-only principal and password
from the OTC configuration.

Then I can log in and authenticate users fine with the thin clients...


Now, it is a bit mysterious to me why OTC would behave like this and send
only the cn=Manager part of the secondary directory read-only principal....

If you have a pointer, kindly let me know. I will be reading through the
files you mentioned to better understand the process, although I am not
necessarily fantastic with Python or shell.

One important question, related to the topic.

Assuming I get the authentication to the Secondary Directory Server working,
which I can without specifying the read-only principal and password, the user
logs in but there is NO assignment of Applications (i.e. the desktop and
shortcuts are empty).


I guess the same will apply to Active Directory authentication as
secondary...

My question is: how do we configure the Application rights for users
authenticating from the secondary directory server?

I tried creating Users and Groups on the secondary directory server:
cn=username
  with relevant properties
cn=groupname
  with relevant properties

then assigned groupname membership to the username.

In the LDAP admin browser (Softerra) I can see the relation is OK.

Now in OTC, if I create the same groupname and assign an Application Group to
it, it won't work.

I am a bit lost on how to assign Applications or Application Groups
(better) to a user authenticating from the Secondary Directory Server.

I figured that if I assign applications to the ThinClient, then it works because
there is no assignment to user or group. But it's far from ideal, as you will
agree.

Do you have any pointers, or am I missing something crucial in the config?

Looking forward to hearing from you.

All the best!

Martin Kreiner wrote:
> 
> hi cuneyt,
> 
> cuneytm wrote:
> >> Just wanted to update you on my attempts to authenticate against an OpenLDAP
> >> server as secondary directory server (but not an Active Directory Server)
> >> for users and groups;
>> 
>> I managed to get it working, with compromising greatly on the security =)
>> 
> >> I was using Wireshark to understand how openthinclient sends the LDAP bind
> >> request from the login screen to the OpenLDAP server (set up as secondary
> >> directory).
>> 
> >> It seems that the login screen sends only the "cn=Manager" part even though
> >> the Read only principal (under thinclient server) is complete with the dn
> >> suffix (such as cn=Manager,dc=mydomain,dc=com).
> >> I have no idea why this is happening, perhaps you can shed some light on
> >> it.
>> 
> >> On the openthinclient server, I set up the Secondary Directory Server as
> >> follows:
>> Secondary Directory
>> LDAP URL:  ldap://localhost:389/dc=mydomain,dc=com
>> Read only principal:   [empty]
>> Password:                 [empty]
>> 
> be careful using "localhost"!
> this LDAP URL is evaluated by the initscripts-tcos package (in detail:
> "/opt/initscripts-tcos/rc2345.d/pam_ldap"). this script builds the pam ldap
> config file "/etc/pam_ldap.conf" used for authentication. for further
> information see its manual page (man pam_ldap.conf).
> 
> you definitely have to use your openldap server name or IP instead of
> "localhost". otherwise the thin client tries to authenticate against itself.
> 
> my advice is to start the thin client, log in as root remotely using ssh and
> manually modify the file /etc/pam_ldap.conf with "vim" until your gdm-login
> works (so you don't need to restart the thin client or gdm).
> 
> if you have found a working config you can start modifying the
> initscripts-tcos package to support openLDAP authentication.
> 
> 
> here some basic configuration options for pam_ldap.conf with comments:
> 
> # Your LDAP server. Must be resolvable without using LDAP.
> # Multiple hosts may be specified, each separated by a
> # space. How long nss_ldap takes to failover depends on
> # whether your LDAP client library supports configurable
> # network or connect timeouts (see bind_timelimit).
> host <your ldap server>
> 
> # The distinguished name of the search base.
> base <dc=yourdomain,dc=com>
> 
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> #binddn cn=proxyuser,dc=yourdomain,dc=com
> 
> # The credentials to bind with.
> # Optional: default is no credential.
> #bindpw secret
> 
> # Filter to AND with uid=%s
> #pam_filter objectclass=account
> 
> # The user ID attribute (defaults to uid)
> #pam_login_attribute uid
> 
> 
> a minimal config file for an openLDAP server that permits anonymous binds
> just needs "host" and "base" configured.
> 
> 
> cheers,
> martin
> 
> p.s. before you start editing files with vim/vi please have at least a
> look at some quick guides like http://www.arekdreyer.com/help/vi.html
> 
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the
> world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> The Open Source Thin Client Solution http://openthinclient.org
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openthinclient-user
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Secondary-Directory-%3E-Bind-Req.-doesn%27t-send-the-full-principal-tp19477692p19736772.html
Sent from the openthinclient.org users' mailing list mailing list archive at 
Nabble.com.

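As an added example (editor's code, not from openthinclient, initscripts-tcos or either poster), the following POSIX shell script turns the three values discussed in the thread (LDAP URL, read-only principal, password) into the pam_ldap.conf that Martin's reply describes, refuses a "localhost" URL, and reproduces the "cn=Manager"-only bind that cuneyt saw in the slapd log by splitting the DN on commas. All function names are assumptions, the sample values (192.0.2.10, cn=Manager,dc=domain,dc=com) are constructed, and the comma-split is offered as one way such a truncation can arise, not as the confirmed cause in the thin client scripts.

```shell
#!/bin/sh
# Added example (editor's illustration, not code from openthinclient or the
# initscripts-tcos package). It builds a pam_ldap.conf from the LDAP URL,
# read-only principal and password, and checks the two problems raised in
# the thread: a "localhost" URL, and a principal that reaches the server
# without its ",dc=...,dc=..." suffix. Function names and sample values are
# assumptions made for this example.

# "host:port" part of an ldap:// or ldaps:// URL.
ldap_url_hostport() {
    rest=${1#ldap://}
    rest=${rest#ldaps://}
    printf '%s\n' "${rest%%/*}"
}

# Host only, without the port.
ldap_url_host() {
    hp=$(ldap_url_hostport "$1")
    printf '%s\n' "${hp%%:*}"
}

# Search base: everything after the first "/" that follows the host.
ldap_url_base() {
    rest=${1#ldap://}
    rest=${rest#ldaps://}
    case "$rest" in
        */*) printf '%s\n' "${rest#*/}" ;;
        *)   printf '\n' ;;
    esac
}

# Fails for URLs that would make the thin client bind to itself
# (the "localhost" trap from the thread).
check_ldap_url() {
    case "$(ldap_url_host "$1")" in
        ""|localhost|127.*|"[::1]") return 1 ;;
        *) return 0 ;;
    esac
}

# A DN is one value that contains commas. Splitting it on "," and keeping
# the first field turns "cn=Manager,dc=domain,dc=com" into "cn=Manager",
# which is exactly what the slapd log in the thread showed. Whether the thin
# client scripts do this is a guess; this only reproduces the symptom so the
# pattern is recognisable when reading them (cut -d, ..., IFS=",", an
# unquoted $var in a for loop).
first_rdn() {
    printf '%s\n' "${1%%,*}"
}

# True when the principal still ends with the search base, i.e. it is whole.
dn_has_suffix() {
    case "$1" in
        *",$2") return 0 ;;
        *)       return 1 ;;
    esac
}

# Emit a pam_ldap.conf on stdout. "$binddn" is always handled as one quoted
# word, so its commas survive. Warnings go to stderr, never into the file.
write_pam_ldap_conf() {
    url=$1
    binddn=$2
    bindpw=$3
    check_ldap_url "$url" || { echo "refusing URL that points at the client itself: $url" >&2; return 1; }
    host=$(ldap_url_host "$url")
    base=$(ldap_url_base "$url")
    printf 'host %s\nbase %s\n' "$host" "$base"
    if [ -n "$binddn" ]; then
        dn_has_suffix "$binddn" "$base" ||
            echo "warning: binddn '$binddn' does not end with base '$base'" >&2
        printf 'binddn %s\nbindpw %s\n' "$binddn" "$bindpw"
    fi
    printf 'pam_login_attribute uid\n'
}

# Verify the bind from the thin client (over ssh) before editing
# /etc/pam_ldap.conf. Uses OpenLDAP's ldapsearch with the password read from
# a file (-y) so it does not appear in the process list. Assumes plain
# ldap://; not run by the checks below.
ldap_bind_check() {
    url=$1
    binddn=$2
    pwfile=$3
    ldapsearch -x -H "ldap://$(ldap_url_hostport "$url")" -D "$binddn" -y "$pwfile" \
        -b "$(ldap_url_base "$url")" -s base '(objectClass=*)' dn
}

# Stand-alone run with constructed values: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    write_pam_ldap_conf 'ldap://192.0.2.10:389/dc=domain,dc=com' \
        'cn=Manager,dc=domain,dc=com' 'secret'
fi
```

Two practical notes go with this. A file that carries bindpw must be readable by root only (mode 600); pam_ldap also offers rootbinddn with the password kept in /etc/ldap.secret for exactly that reason, so the workaround in the thread (dropping the bind requirement from slapd.conf entirely) is not the only option once the DN arrives intact. And a bind that works from Softerra on another machine says nothing about what the thin client itself sends, so run ldap_bind_check from the client, then compare what the slapd log shows with what write_pam_ldap_conf produced.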