SUSE Conversations


Novell Linux Client Tricks



By: Peter Van den Wildenbergh

April 3, 2006 12:00 am


License and Disclaimer

See http://www.opencontent.org/opl.shtml for the full software and
documentation license. Basically, you can copy, redistribute, or
modify this "how to," provided that modified versions, if
redistributed, are also covered by the OpenContent License. Please
e-mail a copy of your modified document to pvdw <@>
criticalcontrol <.> com. Use this document at your own risk; it
comes with no warranty. See the OpenContent License mentioned above.

Goal: Single sign-on for Novell Linux Client 1.0

The Novell Linux Client has been out for a couple of months now and works great. Its biggest drawback, however, is that users have to log in twice: first in KDE and then again using the NCL to get to their Novell shares. This can be bypassed with some scripting at the right moment.

Below is a framework to get this going in an NX/KDE environment. With some minor tweaking it can be made available on regular desktops using KDE or GNOME.

Prerequisites:

  • A working SUSE installation (tested on SUSE 9.3 and 10.0) that uses eDirectory acting as an LDAP server for authentication purposes. Plenty of documentation is available on the net to get that working.
  • NCL 1.x needs to be installed: http://download.novell.com/Download?buildid=2RE4wvXCwqQ%7E (this solution is tested with version 1.0 only).

Solution:

Download pam_script from http://www.bofs.co.za/~iburger/pam_script/index.html (homepage on freshmeat: http://freshmeat.net/projects/pam_script):

su
cd /usr/local/src
wget http://freshmeat.net/redir/pam_script/22413/url_tgz/pam-script-0.1.7.tar.gz
tar xzf pam-script-0.1.7.tar.gz
cd pam-script-0.1.7
less README

From that important README file:


“You need to install the pam
development files on your distro or building will fail, for example,
on debian you need to install libpam-dev using apt.”

SUSE users use YaST.

yast

Navigate to Software Management.

Do a search: pam-dev is what we need.

Install as per usual.

Quitting YaST should bring you back to /usr/local/src/pam-script-0.1.7.

Time to compile the package:

make

If you are not root, become root and copy pam_script.so to /lib/security:

cp pam_script.so /lib/security

In my set-up I only want to mount the Novell shares when working on the system via NX (see http://www.novell.com/coolsolutions/feature/16247.html).

As NX runs entirely over SSH, I only need to adjust /etc/pam.d/sshd (make a copy before you alter PAM configurations; you can easily lock yourself out when things are not working as advertised...).

Alternatively, you can adjust the files common-auth and common-session.

My sshd file in /etc/pam.d:

#%PAM-1.0
auth     include   common-auth
auth     required  pam_script.so expose=1
auth     required  pam_nologin.so
account  include   common-account
password include   common-password
session  include   common-session
session  required  pam_mkhomedir.so skel=/etc/skel/ umask=0077
session  required  pam_script.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SUSE)
#session optional  pam_resmgr.so fake_ttyname

The line "auth required pam_script.so expose=1" will execute the script onauth in /etc/security once it is created. The expose=1 option makes the password the user just typed available to that script in the PAM_AUTHTOK environment variable, which is what onauth relies on below.

The line "session required pam_script.so" will execute the scripts onsessionopen and onsessionclose in /etc/security if they are created.

cd /etc/security
ls -l

-rwxr-xr-x 1 root root 447 Nov 16 14:11 onauth
-rwxr-xr-x 1 root root 209 Nov 16 14:15 onsessionclose
-rwxr-xr-x 1 root root  98 Nov  1 08:26 onsessionopen

The most important script is onauth:

#!/bin/bash
# This script is called by
# /etc/pam.d/sshd
# auth required pam_script.so expose=1

### if user = nx bail out
USER=$1
if [ "$USER" = "nx" ] ; then
    exit 0
fi

FQN=`ldapsearch -x cn=${USER} objectclass=dn | grep ^dn | sed -e "s/^dn: cn=${USER},//i" -e "s/ou=//g" -e "s/o=//g" -e "s/,/./g"`

echo "/opt/novell/ncl/bin/nwlogin -t TestTree -s 10.1.1.7 -u $USER -c $FQN -p $PAM_AUTHTOK -r" > /home/${USER}/.nw

chmod 700 /home/${USER}/.nw

exit 0

What voodoo do we do here?

First we check if the user is 'nx'; as said, in my environment this account is used by 'remote' users. For every login the script actually runs twice: once as the NX system authenticates the nx user, and a second time as the user itself. I am only interested in the user itself, so that explains the little test.

FQN=`ldapsearch -x cn=${USER} objectclass=dn | grep ^dn | sed -e "s/^dn: cn=${USER},//i" -e "s/ou=//g" -e "s/o=//g" -e "s/,/./g"`

This one line does it all; let's break it up:

ldapsearch -x cn=${USER} objectclass=dn

This does an ldapsearch for the user that just logged in, and filters on objectclass=dn.

Assume that ${USER} = test-user; then the system returns something like:

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=test-user
# requesting: objectclass=d
#

# test-user, TestOrg, TestComp
dn: cn=test-user,ou=TestOrg,o=TestComp

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The grep ^dn reduces the output to:

dn: cn=test-user,ou=TestOrg,o=TestComp

This is still not the fully qualified name we need.

sed -e "s/^dn: cn=${USER},//i" -e "s/ou=//g" -e "s/o=//g" -e "s/,/./g"

does the rest of the work. First we strip off the "dn: cn=test-user,". Then we get rid of the "ou=" (multiple instances are possible) and the "o=". The last step is to replace all the commas with dots.

So now we have:

TestOrg.TestComp

in the variable FQN.
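The DN-to-context conversion just described, as an added example that is not from the original article: the grep/sed pipeline factored into shell functions, preceded by a check on the user name before it is interpolated into the LDAP filter and the /home path (onauth above uses $USER unchecked). The function names valid_user, dn_to_context and context_for are mine, the sample LDIF is constructed from the output shown above, and the conversion also handles several ou= levels, which the article's single-level example does not show.

```shell
#!/bin/bash
# Added example, not part of the original article: the DN-to-context
# conversion that onauth does with ldapsearch | grep | sed, split into
# functions that can be exercised without an eDirectory server.
# SAMPLE_LDIF is constructed from the ldapsearch output shown above.
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# filter: cn=test-user
#
# test-user, TestOrg, TestComp
dn: cn=test-user,ou=TestOrg,o=TestComp

# search result
search: 2
result: 0 Success'

# onauth interpolates $USER straight into an LDAP filter and a
# /home/<user> path, so accept only names that are safe there.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read ldapsearch output on stdin and print the NetWare context that
# nwlogin -c expects: drop "dn: cn=<user>,", drop every "ou=" and "o="
# prefix, then turn the remaining commas into dots. Handles any number
# of ou= levels, not only the single level in the article's example.
dn_to_context() {
    user=$1
    grep '^dn:' | sed -e "s/^dn: cn=${user},//i" \
                      -e 's/ou=//g' -e 's/o=//g' -e 's/,/./g'
}

# Wrapper (hypothetical name): returns the context for a user name and
# its ldapsearch output, or fails without touching LDAP-bound input.
context_for() {
    valid_user "$1" || return 1
    printf '%s\n' "$2" | dn_to_context "$1"
}

if [ "${1:-}" = "demo" ]; then
    context_for test-user "$SAMPLE_LDIF"   # prints TestOrg.TestComp
fi
```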

Now the script makes another executable script with the name .nw in the user's home directory:

echo "/opt/novell/ncl/bin/nwlogin -t TestTree -s 10.1.1.7 -u $USER -c $FQN -p $PAM_AUTHTOK -r" > /home/${USER}/.nw

For more information on nwlogin see the man pages.

Warning!

This stores the user's password in plain text in /home/user/.nw. Note also that the redirection creates the file with the default umask before the chmod runs, so set umask 077 at the top of onauth to avoid a brief window in which the file is readable by others.

There are ways to encrypt the password but I leave that as an exercise for the reader.

In the last command the onauth script makes the above-mentioned script executable.

Note:

Executing nwlogin at this point will fail, so that is why I use this little trick to execute nwlogin when KDE is launched. It looks like nwlogin needs a graphical environment or it fails.

As a reference I copied the contents of my onsessionclose script below. The onsessionclose script cleans up the .nw script generated by the onauth script. The onsessionopen script is empty.

::::::::::::::
onsessionclose
::::::::::::::

#!/bin/bash
# This script is called by
# /etc/pam.d/sshd
# session required pam_script

USER=$1
if [ "$USER" = "nx" ] ; then
    exit 0
fi

/opt/novell/ncl/bin/nwlogout -t TestT

rm /home/$USER/.nw -f

exit 0

Last piece of the puzzle: a definition called mountNovell.desktop in /opt/kde3/share/autostart.

[Desktop Entry]
Type=Application
Exec=$HOME/.nw
Terminal=true
Name=Mount Novell Drives
X-KDE-StartupNotify=false
X-KDE-autostart-after=panel

This entry will force KDE to execute the .nw file in a user's home directory.

During the login process you will see that a console window opens briefly and executes the nwlogin magic.

Additional documentation


http://linux.bononline.nl/linux/pamscript/01/build.html
http://www.novell.com/documentation/linux_client/index.html
http://www.novell.com/coolsolutions/feature/1645.html
http://linuxgazette.net/issue93/pesin.html

About the author

Peter Van den Wildenbergh is a Senior Linux Administrator and a long-time Linux advocate. He specializes in integrating Linux solutions in existing environments and can be reached at: pvdw <@> criticalcontrol <.> com.
