
Novell Linux Client Tricks

Novell Cool Solutions: AppNote
By Peter Van den Wildenbergh


Posted: 3 Apr 2006
 

License and Disclaimer

See http://www.opencontent.org/opl.shtml for the full software and documentation license. Basically, you can copy, redistribute, or modify this "how to," provided that modified versions, if redistributed, are also covered by the OpenContent License. Please e-mail a copy of your modified document to pvdw <@> criticalcontrol <.> com. Use this document at your own risk; it comes with no warranty. See the OpenContent License mentioned above.

Goal: Single sign-on for Novell Linux Client 1.0

The Novell Linux Client has been out for a couple of months now and works great. Its biggest drawback, however, is that users have to log in twice: first in KDE, and then again through the NCL to get to their Novell shares etc. This can be bypassed with some scripting at the right moment.

Below is a framework to get this going in a NX/KDE environment. With some minor tweaking this can be made available on regular desktops using KDE or Gnome.

Prerequisites:

  • A working SUSE installation (tested on SUSE 9.3 and 10.0) that uses eDirectory as an LDAP server for authentication. Plenty of documentation is available on the net to get that working.
  • NCL 1.x needs to be installed: http://download.novell.com/Download?buildid=2RE4wvXCwqQ%7E (this solution is tested with version 1.0 only).

Solution:

Download pam_script from http://www.bofs.co.za/~iburger/pam_script/index.html

(homepage on freshmeat: http://freshmeat.net/projects/pam_script)

su -
cd /usr/local/src
wget http://freshmeat.net/redir/pam_script/22413/url_tgz/pam-script-0.1.7.tar.gz
tar xzf pam-script-0.1.7.tar.gz
cd pam-script-0.1.7
less README

From that important README file:

"You need to install the pam development files on your distro or building will fail, for example, on debian you need to install libpam-dev using apt."

SUSE users use YaST.

yast

Navigate to Software Management.

Do a search; pam-dev is what we need.

Install as per usual.

Quitting YaST should bring you back to /usr/local/src/pam-script-0.1.7

Time to compile the package.

make

If you are not root, become root and copy pam_script.so to /lib/security:

cp pam_script.so /lib/security

In my set-up I only want to mount the Novell shares when working on the system via NX.

(see http://www.novell.com/coolsolutions/feature/16247.html)

As NX runs entirely over SSH, I only need to adjust /etc/pam.d/sshd.

(Make a copy before you alter PAM configurations; you can easily lock yourself out when things are not working as advertised...)

If you want this for every service rather than just sshd, you can put the same lines in the files common-auth and common-session instead.

My sshd file in /etc/pam.d

#%PAM-1.0
auth include common-auth
auth required pam_script.so expose=1
auth required pam_nologin.so
account include common-account
password include common-password
session include common-session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_script.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SUSE)
#session optional pam_resmgr.so fake_ttyname

The "auth required pam_script.so expose=1" line will execute the script onauth in /etc/security once it is created (expose=1 is what makes the password available to the script as $PAM_AUTHTOK).

The "session required pam_script.so" line will execute the scripts onsessionopen and onsessionclose in /etc/security if they are created.

cd /etc/security
ls -l
-rwxr-xr-x 1 root root 447 Nov 16 14:11 onauth
-rwxr-xr-x 1 root root 209 Nov 16 14:15 onsessionclose
-rwxr-xr-x 1 root root 98 Nov 1 08:26 onsessionopen

The most important script is onauth:

#!/bin/bash
# This script is called by /etc/pam.d/sshd through the line
# auth required pam_script.so expose=1
# (expose=1 is what makes $PAM_AUTHTOK visible to this script)

### if user = nx bail out
USER=$1
# string comparison: the numeric test -eq never matches "nx"
if [ "$USER" = "nx" ] ; then
    exit 0
fi

FQN=`ldapsearch -x cn=${USER} objectclass=dn | grep ^dn | sed -e "s/^dn: \
cn=${USER},//i" -e "s/ou=//g" -e "s/o=//g" -e "s/,/./g"`

echo "/opt/novell/ncl/bin/nwlogin -t TestTree -s 10.1.1.7 -u $USER -c $FQN -p \
$PAM_AUTHTOK -r" > /home/${USER}/.nw
chmod 700 /home/${USER}/.nw
exit 0

What voodoo do we do here?

First we check if the user is 'nx'; as said, in my environment this account gets used by 'remote' users. For every login the script actually runs twice: once when the NX system authenticates the nx user, and a second time for the user itself. I am only interested in the user itself, which explains the little test.

FQN=`ldapsearch -x cn=${USER} objectclass=dn | grep ^dn | sed -e "s/^dn: \
cn=${USER},//i" -e "s/ou=//g" -e "s/o=//g" -e "s/,/./g"`

This one line does it all; let's break it up:

ldapsearch -x cn=${USER} objectclass=dn

This does an ldapsearch for the user that just logged in, and filters on objectclass=dn.

Assume that ${USER} = test-user; the system then returns something like:

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=test-user
# requesting: objectclass=d
#

# test-user, TestOrg, TestComp
dn: cn=test-user,ou=TestOrg,o=TestComp

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The grep ^dn reduces the output to

dn: cn=test-user,ou=TestOrg,o=TestComp

This is still not the fully qualified name we need.

sed -e "s/^dn: cn=${USER},//i" -e "s/ou=//g" -e "s/o=//g" -e "s/,/./g"

does the rest of the work.

First we strip off the "dn: cn=test-user," prefix.

Then we get rid of the "ou=" (multiple instances are possible) and the "o=".

The last step is to replace all the commas with points.

So now we have:

TestOrg.TestComp

in the variable FQN

Now the script makes another executable script with the name .nw in the user's home directory.

echo "/opt/novell/ncl/bin/nwlogin -t TestTree -s 10.1.1.7 -u $USER -c $FQN -p \
$PAM_AUTHTOK -r" > /home/${USER}/.nw

For more information on nwlogin see the man pages.

Warning!

This stores the user's password in plain text in /home/user/.nw

There are ways to encrypt the password but I leave that as an exercise for the reader.

In the last command (chmod 700), the onauth script makes the .nw script executable and readable by the user only.

Note:

Executing the nwlogin at this point will fail, so that's why I use this little trick to execute the nwlogin when KDE is launched.

Looks like nwlogin needs a graphical environment or it fails.
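Added example, not the AppNote's own code: the two onauth steps explained above (turning the dn: line into an NDS context, and writing the .nw launcher) as stand-alone shell functions that take their input from stdin and arguments, so they can be run without an eDirectory server. SAMPLE_LDIF is a constructed stand-in for ldapsearch output, and the valid_user check is my addition; TestTree and 10.1.1.7 are the article's own sample values.

```shell
# Added example (not the AppNote's own code): onauth's DN -> NDS context step and
# its ~/.nw writer, as functions fed from stdin/arguments so they run offline.
# SAMPLE_LDIF below is a constructed stand-in for what ldapsearch returns.
SAMPLE_LDIF='# test-user, TestOrg, TestComp
dn: cn=test-user,ou=TestOrg,o=TestComp
result: 0 Success'

# Reads ldapsearch LDIF on stdin, prints the context of its first dn: line
# ("TestOrg.TestComp"). Only the cn=/ou=/o= attribute types are removed, never
# text inside the values, and the case eDirectory returns them in is ignored.
dn_to_context() {
    dn=$(grep '^dn: ' | head -n 1)
    [ -n "$dn" ] || return 1          # no entry: fail instead of guessing
    dn=${dn#dn: }
    dn=${dn#*,}                       # drop the leading cn=USER RDN
    ctx=""; oifs=$IFS; IFS=','
    for part in $dn; do
        part=${part#[Oo][Uu]=}
        part=${part#[Oo]=}
        ctx=${ctx:+$ctx.}$part
    done
    IFS=$oifs
    printf '%s\n' "$ctx"
}

# Only a plain account name may be interpolated into the LDAP filter and into
# the generated script; anything else (e.g. filter metacharacters) is refused.
valid_user() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Single-quote a value so it stays one argument inside .nw.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# write_nw FILE USER CONTEXT TREE SERVER: the launcher onauth writes, but created
# mode 0600 from the start (umask) rather than chmod'ed after the password is
# already on disk, and with every argument quoted. The password, read from
# $PAM_AUTHTOK as pam_script expose=1 provides it, is still stored in clear text.
write_nw() {
    valid_user "$2" || return 1
    ( umask 077
      printf '#!/bin/sh\nexec /opt/novell/ncl/bin/nwlogin -t %s -s %s -u %s -c %s -p %s -r\n' \
        "$(sq "$4")" "$(sq "$5")" "$(sq "$2")" "$(sq "$3")" "$(sq "$PAM_AUTHTOK")" > "$1"
    ) && chmod 700 "$1"
}
```

Feed it the real ldapsearch output from onauth (ldapsearch -x cn=${USER} objectclass=dn | dn_to_context) to get the same FQN the sed one-liner produces, including for DNs with several ou= levels.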

As a reference I copied the contents of my onsessionclose script below.

The onsessionclose cleans up the .nw script generated in the onauth script.

The onsessionopen script is empty.

onsessionclose:

#!/bin/bash
# This script is called by /etc/pam.d/sshd through the line
# session required pam_script.so

USER=$1
# string comparison: the numeric test -eq never matches "nx"
if [ "$USER" = "nx" ] ; then
    exit 0
fi

/opt/novell/ncl/bin/nwlogout -t TestT
rm -f /home/$USER/.nw
exit 0

The last piece of the puzzle is a desktop entry called mountNovell.desktop in /opt/kde3/share/autostart.

[Desktop Entry]
Type=Application
Exec=$HOME/.nw
Terminal=true
Name=Mount Novell Drives
X-KDE-StartupNotify=false
X-KDE-autostart-after=panel

This entry will make KDE execute the .nw file in the user's home directory.

During the login process you will see a console window open briefly and execute the nwlogin magic.

Additional documentation

http://linux.bononline.nl/linux/pamscript/01/build.html
http://www.novell.com/documentation/linux_client/index.html
http://www.novell.com/coolsolutions/feature/1645.html
http://linuxgazette.net/issue93/pesin.html

About the author

Peter Van den Wildenbergh is a Senior Linux Administrator and a long time Linux advocate. He specializes in integrating Linux solutions in existing environments and can be reached at: pvdw <@> criticalcontrol <.> com.
