Novell Linux Client Tricks
Novell Cool Solutions: AppNote
By Peter Van den Wildenbergh
Posted: 3 Apr 2006
License and Disclaimer
See http://www.opencontent.org/opl.shtml for the full software and documentation license. Basically, you can copy, redistribute, or modify this "how to," provided that modified versions, if redistributed, are also covered by the OpenContent License. Please e-mail a copy of your modified document to pvdw <@> criticalcontrol <.> com. Use this document at your own risk; it comes with no warranty. See the OpenContent License mentioned above.
Goal: Single sign-on for Novell Linux Client 1.0
The Novell Linux Client has been out for a couple of months now and works great. The biggest drawback, however, is that users have to log in twice: first in KDE and then again using the NCL to get to their Novell shares etc. This can be bypassed with some scripting at the right moment.
Below is a framework to get this going in a NX/KDE environment. With some minor tweaking this can be made available on regular desktops using KDE or Gnome.
Prerequisites:
- A working SUSE installation (tested on SUSE 9.3 and 10.0) that uses eDirectory acting as an LDAP server for authentication purposes. Plenty of documentation is available on the net to get that working.
- NCL 1.x needs to be installed. http://download.novell.com/Download?buildid=2RE4wvXCwqQ%7E (This solution is tested with version 1.0 only)
Solution:
Download pam_script from http://www.bofs.co.za/~iburger/pam_script/index.html
(homepage on freshmeat: http://freshmeat.net/projects/pam_script)
su -
cd /usr/local/src
wget http://freshmeat.net/redir/pam_script/22413/url_tgz/pam-script-0.1.7.tar.gz
tar xzf pam-script-0.1.7.tar.gz
cd pam-script-0.1.7
less README
From that important README file:
"You need to install the pam development files on your distro or building will fail, for example, on debian you need to install libpam-dev using apt."
SUSE users can use YaST:
yast
Navigate to Software Management, do a search for pam-dev (that is the package we need) and install it as per usual.
Quitting YaST should bring you back to /usr/local/src/pam-script-0.1.7
Time to compile the package.
make
If you are not root, become root and copy pam_script.so to /lib/security:
cp pam_script.so /lib/security
In my set-up I only want to mount the Novell shares when working on the system via NX.
(see http://www.novell.com/coolsolutions/feature/16247.html)
As NX runs entirely over SSH, I only need to adjust /etc/pam.d/sshd
(Make a copy before you alter PAM configurations; you can easily lock yourself out when things do not work as advertised...)
If you want this for all logins rather than for SSH only, adjust the files common-auth and common-session instead.
My sshd file in /etc/pam.d:
#%PAM-1.0
auth include common-auth
auth required pam_script.so expose=1
auth required pam_nologin.so
account include common-account
password include common-password
session include common-session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_script.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SUSE)
#session optional pam_resmgr.so fake_ttyname
The "auth required pam_script.so expose=1" line will execute the script onauth in /etc/security once it is created.
The "session required pam_script.so" line will execute the scripts onsessionopen and onsessionclose in /etc/security if they are created.
cd /etc/security
ls -l
-rwxr-xr-x 1 root root 447 Nov 16 14:11 onauth
-rwxr-xr-x 1 root root 209 Nov 16 14:15 onsessionclose
-rwxr-xr-x 1 root root 98 Nov 1 08:26 onsessionopen
The most important script is onauth:
#!/bin/bash
# This script is called by
# /etc/pam.d/sshd
# auth required pam_script.so expose=1
# (expose=1 makes pam_script export the password as $PAM_AUTHTOK)

### if user = nx bail out
USER=$1
if [ "$USER" = "nx" ] ; then
    exit 0
fi

# Resolve the user's eDirectory context from the DN returned by ldapsearch
FQN=`ldapsearch -x cn=${USER} objectclass=dn | grep ^dn | sed -e "s/^dn: cn=${USER},//i" -e "s/ou=//g" -e "s/o=//g" -e "s/,/./g"`

# Write the nwlogin command (with the password) to a script in the user's home
echo "/opt/novell/ncl/bin/nwlogin -t TestTree -s 10.1.1.7 -u $USER -c $FQN -p $PAM_AUTHTOK -r" > /home/${USER}/.nw
chmod 700 /home/${USER}/.nw
exit 0
What voodoo do we do here?
First we check if the user is 'nx'; as said, in my environment this account is used by 'remote' users. For every login the script actually runs twice: once as the NX system authenticates the nx user, and a second time as the user itself. I am only interested in the user itself, so that explains the little test.
FQN=`ldapsearch -x cn=${USER} objectclass=dn | grep ^dn | sed -e "s/^dn: cn=${USER},//i" -e "s/ou=//g" -e "s/o=//g" -e "s/,/./g"`
This one line does it all; let's break it up:
ldapsearch -x cn=${USER} objectclass=dn
This does an ldapsearch for the user that just logged in, and filters on objectclass=dn.
Assume that ${USER} = test-user; then the system returns something like:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=test-user
# requesting: objectclass=d
#
# test-user, TestOrg, TestComp
dn: cn=test-user,ou=TestOrg,o=TestComp
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The grep ^dn reduces the output to
dn: cn=test-user,ou=TestOrg,o=TestComp
This is still not the fully qualified name we need.
sed -e "s/^dn: cn=${USER},//i" -e "s/ou=//g" -e "s/o=//g" -e "s/,/./g"
does the rest of the work.
First we strip off the "dn: cn=test-user,".
Then we get rid of the "ou=" (multiple instances are possible) and the "o=".
The last step is to replace all the commas with dots.
So now we have:
TestOrg.TestComp
in the variable FQN
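The grep/sed chain above, as an added example that is not from the AppNote: wrapped in a shell function and driven by a constructed stand-in for ldapsearch output, so the conversion can be checked on a box without an eDirectory server. The dn_to_context_safe variant goes beyond the original by removing the attribute type of every RDN (c=, dc=, l=, ...) rather than only ou= and o=, and only where an RDN starts. fake_ldapsearch, dn_to_context, dn_to_context_safe and the sample DNs are my own names and values.

```shell
#!/bin/bash
# Added example, not from the AppNote: the onauth DN-to-context conversion
# as a function, fed by a constructed stand-in for ldapsearch so it runs
# without a directory server.

# fake_ldapsearch DN: prints what "ldapsearch -x cn=<user> objectclass=dn"
# prints for an entry with the given DN (constructed output, same layout
# as the real tool: comment banner, dn: line, result trailer).
fake_ldapsearch() {
    printf '# extended LDIF\n#\n# LDAPv3\n# base <> with scope sub\n#\n'
    printf 'dn: %s\n\n# search result\nsearch: 2\nresult: 0 Success\n' "$1"
}

# dn_to_context USER DN: exactly the AppNote's grep/sed chain. Drops the
# "dn: cn=<user>," prefix (case-insensitively), strips "ou=" and "o=",
# then turns the remaining commas into dots.
dn_to_context() {
    local user="$1" dn="$2"
    fake_ldapsearch "$dn" | grep '^dn' \
        | sed -e "s/^dn: cn=${user},//i" -e 's/ou=//g' -e 's/o=//g' -e 's/,/./g'
}

# dn_to_context_safe USER DN: same result for ou=/o= trees, but removes the
# type of every RDN (c=, dc=, l=, ...) instead of only ou= and o=, and only
# at the start of an RDN, so an "o=" inside a value is left alone.
# Added variant (uses GNU sed -E), not part of the original script.
dn_to_context_safe() {
    local user="$1" dn="$2"
    fake_ldapsearch "$dn" | sed -n 's/^dn: //p' \
        | sed -E -e "s/^cn=${user},//I" -e 's/(^|,)[A-Za-z]+=/\1/g' -e 's/,/./g'
}

# Usage, resolving the AppNote's example user:
#   dn_to_context test-user 'cn=test-user,ou=TestOrg,o=TestComp'   -> TestOrg.TestComp
```

Run it against a DN with a country container (for example cn=test-user,ou=TestOrg,o=TestComp,c=US) to see the difference: the original chain leaves "c=US" in the context, the safe variant yields TestOrg.TestComp.US.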
Now the script makes another executable script with the name .nw in the user's home directory:
echo "/opt/novell/ncl/bin/nwlogin -t TestTree -s 10.1.1.7 -u $USER -c $FQN -p $PAM_AUTHTOK -r" > /home/${USER}/.nw
For more information on nwlogin see the man pages.
Warning!
This stores the user's password in plain text in /home/user/.nw.
There are ways to encrypt the password but I leave that as an exercise for the reader.
With the last command (chmod 700) the onauth script makes the above-mentioned .nw script executable.
Note:
Executing nwlogin at this point will fail, so that is why I use this little trick to execute nwlogin when KDE is launched.
It looks like nwlogin needs a graphical environment or it fails.
As a reference I copied the contents of my onsessionclose script below.
The onsessionclose script cleans up the .nw script generated by the onauth script.
The onsessionopen script is empty.
:::::::::::::: onsessionclose ::::::::::::::
#!/bin/bash
# This script is called by
# /etc/pam.d/sshd
# session required pam_script.so

USER=$1
if [ "$USER" = "nx" ] ; then
    exit 0
fi

# Log out of the tree and remove the launcher written by onauth
/opt/novell/ncl/bin/nwlogout -t TestT
rm -f /home/$USER/.nw
exit 0
The last piece of the puzzle is a definition called mountNovell.desktop in /opt/kde3/share/autostart:
[Desktop Entry]
Type=Application
Exec=$HOME/.nw
Terminal=true
Name=Mount Novell Drives
X-KDE-StartupNotify=false
X-KDE-autostart-after=panel
This entry will force KDE to execute the .nw file in a user's home directory.
During the login process you will see that a console window opens briefly and executes the nwlogin magic.
Additional documentation
http://linux.bononline.nl/linux/pamscript/01/build.html
http://www.novell.com/documentation/linux_client/index.html
http://www.novell.com/coolsolutions/feature/1645.html
http://linuxgazette.net/issue93/pesin.html
About the author
Peter Van den Wildenbergh is a Senior Linux Administrator and a long-time Linux advocate. He specializes in integrating Linux solutions into existing environments and can be reached at: pvdw <@> criticalcontrol <.> com.
Reader Comments
- Very useful, can't thank you enough.
