lightdm not compatible with ldap based user accounts

Bug #944041 reported by perpetualrabbit
This bug affects 34 people
Affects: Light Display Manager
Status: Incomplete
Importance: Medium
Assigned to: Unassigned

Bug Description

I am preparing a Precise Pangolin image for installation on university workstations (many of them). The users and groups and their passwords (hundreds of them) are registered in an LDAP server, not in passwd/shadow. No local user accounts are used; there are only system accounts in passwd/shadow/group. The home directory comes from an NFS server, that is, /home is an NFS mount.

PROBLEM:
-----------
There is no way to log in as a user coming from LDAP. There is simply no field to type a username. There is only a guest user shown in the login screen. The only possible action is to click on LOGIN and become the guest user.

Furthermore, there is no lightdm man page. There is the file /usr/share/doc/lightdm/lightdm.conf, but it provides me no information on how to fix this problem, or on whether the problem is caused by a configuration error.

THINGS I TRIED:
-----------------
1. So, I googled around and put allow-guest=false into /etc/lightdm/lightdm.conf. Then I restarted lightdm. Result: the login screen does not come up. The screen keeps flashing between a text mode and a graphical mode. So apparently lightdm now cannot start because there is no valid user in passwd/shadow at all. It does not seem to consider LDAP users.

2. I defined some users in /etc/passwd and /etc/shadow. These are picked up by lightdm, but only if their UID is greater than or equal to 1000. This despite the line in /etc/lightdm/users.conf reading: minimum-uid=500. This seems like another bug to me.
However, there is still no option to log in as an arbitrary user. That is, there is still no way to type a user name. Also, even if the LDAP users _were_ picked up (but they're not), this would not be a solution because these users will collide with the LDAP users. Or, copying all the LDAP users into passwd/shadow would defeat the purpose of having LDAP in the first place.

CONSEQUENCES:
-------------------
1. In this form, I cannot install Precise Pangolin on any workstation. In any organisation having more than, say, five Linux workstations, the system management will have a central user account system. Usually this is OpenLDAP, or Microsoft Active Directory, or Kerberos, or one of the other directory servers like the one from SuSE.
2. Therefore, any display manager or login screen that cannot cope with even OpenLDAP is completely useless for organisations.
3. So, if it turns out that LDAP authentication is simply not implemented in lightdm, then I am going to have to skip Precise Pangolin, or revert to GDM, or possibly install another Linux distro altogether, like Fedora.
4. How can Canonical ever hope to sell support contracts for university seats and the like, when sysadmins like me have to basically rebuild the distro to make it work in a managed workstation setting?

RECOMMENDATIONS:
------------------------
1. Developers at Canonical should keep the managed workstation in mind. Missing things like LDAP authentication and Kerberos are MAJOR reasons not to choose Ubuntu in an organisation. Similar problems exist with support for NFS: untested crap, for instance Ubuntu NFS4 clients and a Red Hat server are a non-working combination and have been non-working since at least Hardy Heron. Central account management is simply non-existent in Ubuntu server. Setting up OpenLDAP is a pain in Ubuntu server. There is not even a tested howto for setting up an OpenLDAP or Kerberos authentication server from Canonical, and what there is, is confusing and conflicting.
2. It is quite simple to fix really; get your engineers on Ubuntu workstations that are centrally managed using OpenLDAP, and they will quickly find out what works or not. Lightdm not working with LDAP, missing HOWTO for LDAP authentication and/or Kerberos: your engineers will stumble over it inevitably. Thus they will be forced to fix it and document it.
3. I cannot believe that Ubuntu has been developed since 2004, and enterprise-critical things like setting up OpenLDAP/Kerberos authentication are still basically non-implemented in the server version (where is the GUI??) and totally disregarded in the desktop version. It proves that workgroups and workstations are simply a non-supported category for Canonical.
Home-desktops, laptops: yes. Webservers, Virtualization servers: yes.
Authentication and fileservers for large numbers of workstations: strictly do-it-yourself. Workstations depending on NFS and LDAP: major adaptations are needed, and usually regression to the 2.2 version of GDM is needed (to get multiseat working for instance).

Revision history for this message
perpetualrabbit (perpetualrabbit) wrote :

In the meantime, I have been able to get a login screen where you can actually type a username.
However, problems remain.

PROBLEMS:
-------------
1. Instead of 'Type your username' or 'Welcome to Ubuntu' or something like that, the login screen now reads 'Other...'. Do you think that some hundreds of students and scientists are going to understand what this 'Other...' means? It looks ridiculous, and they will ridicule the sysadmins if I left it like that.
How can I get rid of this stupid 'Other...' string, and configure it to say 'Username:' or something like that?

2. After login, no desktop appears. The screen stays black. This is in KVM, with the cirrus driver. I tried both the normal ubuntu and the ubuntu 2D session. Now this could possibly be a separate bug, unrelated to lightdm, so I may have to report it separately. I suspect that if you use existing user accounts, without copying over the skel files, the unity shell will not work.
Which is of course the normal situation with workstations with NFS mounted /home.

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thank you for your bug. If you use the unity-greeter, try to define "greeter-hide-users = True".

Could you open a bug about the "Other..." wording? That should be easy to fix.

The second issue is probably a different one; can you add your session's .xsession-errors from one of those empty session logins?

Revision history for this message
perpetualrabbit (perpetualrabbit) wrote :

I indeed edited /etc/lightdm/lightdm.conf:
    [SeatDefaults]
    user-session=ubuntu
    greeter-session=unity-greeter
    allow-guest=false
    greeter-hide-users=true

Now at least I get a field for a username. Of course, it should just work with LDAP, and pick the usernames there. Also, when there are many usernames (say more than 10), it should default to either not show them, or to show only the ones who recently logged in to this particular workstation. There may be hundreds or even thousands of users in an LDAP server, but on a particular workstation in a professor's room only one or two may actually use that machine. At least on the console; people may of course log in with ssh, or vnc, or xdmcp. Also, in a classroom where many students may use a machine, it may not be sensible to show all users, so if many different people use a machine, say more than ten, lightdm could also decide to only show a username field.

In all those cases, simply displaying 'Other...' is just silly. There is a real use-case for a normal username/password dialog.

So, the confusing 'Other...' issue remains, and also the fact that at least under kvm (with the cirrus driver), many desktops will not start. At least not ubuntu, ubuntu2D, gnome shell, or cinnamon. I get a black screen, or a spinner with nothing happening.

Revision history for this message
Nelson Lago (lago) wrote :

Just to note that (as might be expected) this happens when using NIS as well.

Changed in lightdm:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
renbag (renbag) wrote :

I have the same problem with Active Directory.
To me it would be sufficient to restore the possibility of logging in by entering the username and password through an 'Other username ...' dialog, as it was in oneiric and gdm.

Revision history for this message
Sebastien Bacher (seb128) wrote :

Did the LDAP and Active Directory cases work out of the box before? One rationale behind hiding the "other" prompt by default is that it was confusing users in user testing, and it was argued that for LDAP or Active Directory configurations to work, a sysadmin would have to set those up anyway, so the system could as well tweak the lightdm configuration. If that's not the case, is there a heuristic which could be used to know when remote login should be configured?

Changed in lightdm:
assignee: nobody → Canonical Desktop Team (canonical-desktop-team)
Revision history for this message
renbag (renbag) wrote :

Integration into Active Directory requires an authorized administrator and some PAM and samba configuration.
Once the workstation is joined to a domain, in oneiric (with lightdm) and previously (with gdm), Active Directory users could log in by entering username and password. The presence of the 'Other username ...' dialog is essential here, unless the workstation is used mainly by a single user, who can be listed by lightdm by adding them to /etc/passwd.
I think that a good solution could be to leave off that dialog in the default configuration, but add an option in lightdm.conf to restore it without hiding local users (as it is now).

Revision history for this message
Darryl Weaver (dweaver) wrote :

I would prefer a configuration option for /etc/lightdm/lightdm.conf where we can specify whether to show the "other" entry explicitly, so that the greeter automatically shows any local users who have already logged onto the workstation, but we can specify that the "other" entry is always displayed so someone can also type in a login username.

The usual corporate use case being that a desktop or laptop is normally used by one or the same group of people, but sometimes might be borrowed by a different LDAP user.

So, how about a new config entry:
greeter-show-other=true
for clarity for corporate users.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

@Darryl, the greeter-show-manual-login option was added in 1.1.7, is this what you want?

Revision history for this message
renbag (renbag) wrote :

@Robert, the greeter-show-manual-login option is exactly what I was asking for in comment #7. Thank you.

Revision history for this message
Darryl Weaver (dweaver) wrote :

Yes, that's great!
So, for corporate workstations use the following in /etc/lightdm/lightdm.conf:
    [SeatDefaults]
    user-session=ubuntu
    greeter-session=unity-greeter
    allow-guest=false
    greeter-show-manual-login=true

This will always show the manual login option and a list of users who have recently logged in, with no option to log in as a guest.

Revision history for this message
denuel (pdenuel) wrote :

I have a precise installation with LDAP authentication and an NFS home mounted.
- No problem to log in for a local user
- When I'm trying to log in as an LDAP user, once the password is entered, I get a blank screen (without unity dock) and nothing more happens.

Revision history for this message
Nicolas Rannou (huko-rannou) wrote :

I can log in as an LDAP user but once I am logged in:
 - no "left panel"
 - no top tool bar
 - if I double click on the terminal icon, the window goes to the top left corner and I cannot move it

(I have dual screens and local user works perfect)

Thanks!

Revision history for this message
Nicolas Rannou (huko-rannou) wrote :

#13

Revision history for this message
Yannick Barbeaux (ybarbeaux+ubuntu) wrote :

Same issue as denuel (#12):
precise installation with LDAP authentication and an NFS home mounted.
After entering the password, the login process hangs.
The workaround is to kill the following sleeping process in a separate console:
gsettings get org.gnome.desktop.interface toolkit-accessibility
Then the session starts correctly.

Revision history for this message
Sebastien Bacher (seb128) wrote :

@yanok: thanks for your comment. It seems a bit of a different issue; could you open a new bug and add a stacktrace of the gsettings process to it?

Revision history for this message
lunamystry (mandla) wrote :

This seems to have solved my problems:
https://help.ubuntu.com/community/LDAPClientAuthentication

I am using Ubuntu Precise (12.04) and I can successfully authenticate using LDAP accounts.
Previously, after logging in, the computer would just hang and show the lightdm/kdm background.

I tested it to work with kdm and lightdm. I first did the lightdm config mentioned here and then went on to the instructions.

I just seem to have a shutdown issue now. Users can't shut down the computer after login.

Revision history for this message
Vincent Fortier (th0ma7) wrote :

Is there any way to make lightdm show the LDAP user list instead of local ones, perhaps even with a search (if you have too many) AND have a manual login box?

I was hoping I could provide that sort of functionality with lightdm.

Revision history for this message
perpetualrabbit (perpetualrabbit) wrote : Re: [Bug 944041] Re: lightdm not compatible with ldap based user accounts

On Tue, Jun 19, 2012 at 2:48 PM, Vincent Fortier
<email address hidden> wrote:
> Is there any way to make lightdm show the LDAP user list instead of local ones, perhaps even with a search (if you have too many)
> AND
> have a manual login box?
>
> I was hoping I could provide that sort of functionality with lightdm.
>
In principle all that was needed is a `getent passwd` and some filtering. But the lightdm makers did nothing of the sort, it looks like. Could it be that they simply read the /etc/passwd file? Getent will give you all the users, local and network.

Users' photos would be tricky: most places where you use LDAP, you would use NFS too, and that is mounted with root_squash, and lightdm has to run as root, so you can't read the photos out of the users' homedirs. I'm pretty sure that is where the login photo (or picture) is kept.
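As an added example (not from the bug report or from lightdm itself) of the `getent passwd` plus filtering described in the comment above: this shell script applies the users.conf keys minimum-uid, hidden-shells and hidden-users to a passwd-format list and shows which directory users a reader of /etc/passwd alone never sees. The sample entries, the "local" subset and the helper names are constructed for the example; whether lightdm's own code filters exactly this way is not claimed.

```shell
#!/bin/sh
# Constructed sample of what `getent passwd` returns when nsswitch.conf says
# "passwd: files ldap": local system accounts first, then directory users.
# (Example data, not from the reporter's system.)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
lightdm:x:104:111:Light Display Manager:/var/lib/lightdm:/bin/false
localadmin:x:1000:1000:Local Admin,,,:/home/localadmin:/bin/bash
student501:x:501:500:Student,,,:/home/student501:/bin/bash
prof2001:x:2001:2000:Professor,,,:/home/prof2001:/bin/bash
svcbackup:x:2002:2000:Backup Service:/srv/backup:/usr/sbin/nologin'

# What /etc/passwd alone holds in this constructed setup: the first five entries.
LOCAL_PASSWD=$(printf '%s\n' "$SAMPLE_PASSWD" | head -n 5)

# Apply users.conf-style filters to passwd-format input and print the login
# names a greeter user list would contain.
#   $1 passwd entries, one per line (e.g. "$(getent passwd)")
#   $2 minimum-uid        $3 hidden-shells (space separated)
#   $4 hidden-users (space separated)
list_users() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        # Below minimum-uid the account counts as a system account: never listed.
        [ "$uid" -ge "$2" ] || continue
        # Hidden shells (service accounts) and explicitly hidden names are dropped.
        case " $3 " in *" $shell "*) continue ;; esac
        case " $4 " in *" $name "*) continue ;; esac
        printf '%s\n' "$name"
    done
}

# Names present in the full NSS list ($1) but absent from the file-only list ($2):
# exactly the accounts a greeter that reads /etc/passwd instead of getent misses.
directory_only() {
    for n in $1; do
        printf '%s\n' "$2" | grep -qxF -- "$n" || printf '%s\n' "$n"
    done
}

HIDDEN_SHELLS='/bin/false /usr/sbin/nologin'
FULL=$(list_users "$SAMPLE_PASSWD" 500 "$HIDDEN_SHELLS" nobody)
LOCAL=$(list_users "$LOCAL_PASSWD" 500 "$HIDDEN_SHELLS" nobody)
echo "listed via getent (minimum-uid=500):"; echo "$FULL"
echo "listed with minimum-uid=1000:"; list_users "$SAMPLE_PASSWD" 1000 "$HIDDEN_SHELLS" nobody
echo "directory users a /etc/passwd-only reader misses:"; directory_only "$FULL" "$LOCAL"
```

Replace SAMPLE_PASSWD with "$(getent passwd)" and LOCAL_PASSWD with "$(cat /etc/passwd)" to run the same comparison on a real workstation.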

alice (komalapa)
no longer affects: ubuntu
Revision history for this message
John Paul Adrian Glaubitz (glaubitz) wrote :

Hello,

I would like to mention that there is actually a somewhat related bug report, namely bug #837002, which discusses the handling of the last session and language of a user. With the switch from .dmrc to AccountsService to store the information about the last session and language (bug #823718), lightdm has basically become less usable in a networked environment with LDAP/NIS-based user accounts, since AccountsService stores the information about last session and language locally, inaccessible on the network. I have proposed a change to make the use of .dmrc or AccountsService configurable (bug #106949).

Cheers,

Adrian

Revision history for this message
Raul Dias (rsd) wrote :

echo -e "[SeatDefaults]\ngreeter-show-manual-login=true\n" > /etc/lightdm/lightdm.conf.d/11-thanks-rsd.conf;service lightdm restart

-rsd

Revision history for this message
Ritesh Khadgaray (khadgaray) wrote :

Let me know, if the last comment helps.

Changed in lightdm:
status: Triaged → Incomplete
Revision history for this message
Sebastien Bacher (seb128) wrote :

No activity in years, unassigning the team, we are not working on it

Is that still an issue?

Changed in lightdm:
assignee: Canonical Desktop Team (canonical-desktop-team) → nobody
Revision history for this message
Brandon Pierce (ihashacks) wrote :

I seem to still be having this issue on Ubuntu 14.04. The workaround for me was to switch to GDM.

Revision history for this message
Audun Gangsto (audun-m) wrote :

We have been using lightdm with LDAP, using the configuration reported above, and it has been working well (at least) since precise, and currently it's working with trusty and xenial, no problems.

While it would be nice to show recent logins (for example those with an actual home directory) on the system, I believe this bug should be closed.

Revision history for this message
Michal Sojka (sojkam1-fel) wrote :

I'm affected by this bug as well (on Debian) and greeter-show-manual-login=true does not help.

It seems that the problem is the user list, which is being fetched with getpwent at least three times: 1) when lightdm daemon is started, 2) when a lightdm child (seat/session?) is started and 3) when a user moves focus in the greeter (gtk) from username to password field.

This attached patch eliminates fetching of the whole list. The whole test suite passes, but I'm afraid that some functionality could be broken. Feedback welcome.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

Hi Michal - can you convert this patch into a merge request? It makes it easier to review. Let me know if you need any help doing that. You'll also need to sign the contributor agreement to have your changes accepted [1]

[1] https://www.ubuntu.com/legal/contributors/submit
