Ldap auth issue with veyon-master on Ubuntu 16.04
-
Hi,
I just tried Veyon for the classrooms I am in charge of, on Ubuntu PCs.
When I try to launch Veyon (configurator or master) from the icons in the Whisker menu, it asks me for a login/password. Whatever I try, it doesn't work ("connection failed with this password and login").
I connected a root session, and started veyon-configurator. I configured users/LDAP options, clicked on the "test" button and verified it works as I wish: for a user I want to be able to connect, it says OK, and for a user I don't want to be able to, it says this user can't.
Then (still in a root session), I launched veyon master, typed the login/password I want to be authorized to connect, and it worked, veyon-master started.
Finally, I closed the root session and opened a new session on the PC with the authorized user (the one I just tested in the root session), and there was no way to launch veyon-master: "Connection failed with this username/password".
If someone could explain to me what I have to do to access Veyon from a non-root session, it would help.
Thank you
E.T.
-
First of all, welcome to the Veyon community!
Did you install Veyon from our PPA? Logon authentication works by authenticating the given user at the local system (via PAM on Linux) and is not related to LDAP. For the PAM authentication mechanism to work it is required to have the sticky bit set for the veyon-auth-helper binary. So try to run

sudo chmod +s /usr/bin/veyon-auth-helper

Have you tried to use key file authentication instead?
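A way to audit the result of that command on each client, as an added example that is not part of the original reply or of Veyon: `chmod +s` sets the setuid and setgid bits, so the check looks for the setuid bit, root ownership and the absence of group/other write permission. The status strings are this example's own; the default path is the one given in the reply.

```sh
#!/bin/sh
# Added example: audit the permissions of a setuid authentication helper.
# Usage: check_helper [path]   (prints one status word, returns 0 only on "ok")

check_helper() {
    helper=${1:-/usr/bin/veyon-auth-helper}

    # Must be a regular file, not a symlink that could be retargeted.
    if [ ! -f "$helper" ] || [ -L "$helper" ]; then
        echo "missing"; return 1
    fi

    # Without the setuid bit the helper runs with the caller's privileges.
    if [ ! -u "$helper" ]; then
        echo "not-setuid"; return 1
    fi

    # A setuid binary that group or others can write to can be replaced by them.
    mode=$(stat -c %a "$helper")          # octal mode, e.g. 6755
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "writable"; return 1
    fi

    # The setuid bit only grants root privileges when root owns the file.
    if [ "$(stat -c %u "$helper")" != "0" ]; then
        echo "not-root-owned"; return 1
    fi

    echo "ok"
}
```

Running `check_helper` from the same remote installation scripts that deploy the package gives one status word per machine to collect.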
-
Hi,
I restarted the Veyon installation from the beginning, to be sure of starting from a clean conf.
This time, I installed the 4.0.4 .deb package I downloaded a few months ago on your site (because I tried it a few months ago, and I'm pretty sure I didn't meet such issues).
I configured everything (veyon-configurator run as root), and I set the sticky bit on veyon-auth-helper as you told me.
Then I ran veyon-master as user, and I got two new error messages (in terminal):
First:
[WARN] JsonStore::load(): could not open /home/myuser/.veyon/Config/UserConfig.json
[ERR] LdapDirectory::queryAttributes(): attribute is empty
I'm really surprised when you tell me that logon auth is local and not LDAP, as veyon-configurator allows you to configure a large number of parameters concerning users' LDAP data, including LDAP groups authorized users must be part of.
For your information (not really part of my problem, but not helping):
It seems there is a bug in veyon-configurator, in the auth menu:
There is a "Test" button for auth with a login. Whatever login/password I tried, the test is successful, even with nonexistent logins/passwords.
-
For further information, if it can help :
The installation of the PCs in my classrooms is automatic and remote: I put installation scripts on my server, and when a PC starts, it connects to the server and executes the installation scripts that concern its room and have not already been executed on the machine.
There is no real teacher's PC. There are PCs for students, and the teacher connects to one of them if he needs to.
There are many teachers using these classrooms, and they log in with their login/password from our LDAP.
I need to allow every teacher to run veyon-master. But I don't want to allow students.
Furthermore, in an ideal configuration, I'd also like computer technicians to be allowed to run veyon-configuration, but neither teachers nor students.
-
Regarding logon authentication: it is not necessarily for local users only. It uses PAM so if your systems are configured to authenticate LDAP users via pam_ldap, pam_winbind or whatever, Veyon should be able to authenticate any user in your network environment. I appreciate your suggestion to add native LDAP authentication support though. Currently LDAP is "only" used for determining group memberships as well as retrieving computer and room information.
Once authentication works you can configure access control such that only members of special groups are allowed to access client computers. For this to work the LDAP module has to be set up to properly resolve groups and group memberships of a given user. Use the integration test for this. There's currently a bug in all versions including 4.1.3 which may return all groups for a user if a user can't be resolved in the directory properly. This will be fixed in 4.1.4.
When enabling the Perform access control at program start option (https://docs.veyon.io/projects/admin-manual/en/latest/reference.html#behaviour) even the Master program can be started by authorized users only.
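A client-side check of the two things this reply depends on, that a login resolves through the system's name service and that it belongs to the expected group, written so that an unresolved user is denied rather than matched. This is an added example, not Veyon code and not from the original post; the function name and status strings are this example's own, and it assumes group names without whitespace.

```sh
#!/bin/sh
# Added example: fail-closed group membership check for a directory user.
# Usage: user_in_group <login> <group>   (prints a status, returns 0 only on "allow")

user_in_group() {
    user=$1
    group=$2

    # Reject empty names and anything `id` could read as an option.
    case $user in
        ''|-*) echo "deny:bad-user"; return 2 ;;
    esac
    case $group in
        ''|-*) echo "deny:bad-group"; return 2 ;;
    esac

    # A login that cannot be resolved has no trustworthy group list.
    # Deny here instead of falling through to any group comparison.
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "deny:unresolved"; return 1
    fi

    # Compare against every group the system reports, primary and supplementary.
    for g in $(id -Gn "$user"); do
        if [ "$g" = "$group" ]; then
            echo "allow"; return 0
        fi
    done

    echo "deny:not-member"; return 1
}
```

If this reports `deny:unresolved` for a teacher's login, the problem is in the PAM/NSS setup of the client rather than in Veyon's access control rules.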
-
Hi,
Sorry for this long period of silence, but I had no time for Veyon tests these last weeks.
I made new tests today, and I can confirm that ldap auth was working in previous versions, exactly as I need it to.
I could restrain Veyon Master access to LDAP groups.
I kept the veyon_4.0.4-ubuntu-xenial_amd64.deb file and the .json file I used, and it works perfectly. A user in the right posix-group is allowed to launch veyon-master, the others can't.
I did nothing else than:
apt-get install libqca-qt5-2 libqca-qt5-2-plugins
dpkg -i veyon_4.0.4-ubuntu-xenial_amd64.deb
and then :
veyon-ctl config import veyon-conf-test.json
Of course, I tried the same config file with 4.1.2 and 4.1.4 deb files, but auth didn't work with those versions.
If you've got an idea of which changes between 4.0 and 4.1 versions produced this, and if it's a bug or a functionality, it interests me.
I would also like to know if it's still possible to get the 4.0.4 version for 18.04 (bionic), because that's the next Ubuntu version I'm going to install in my classrooms, and if I could get a working version of Veyon on this distribution, it would be fine.
Best regards
E.T.
-
Ok, perfect! I also suggest to use our PPA at https://launchpad.net/~veyon/+archive/ubuntu/stable so you always receive updates for the latest stable release automatically.
-
@tobydox said in Ldap auth issue with veyon-master on Ubuntu 16.04:
Ok, perfect! I also suggest to use our PPA at https://launchpad.net/~veyon/+archive/ubuntu/stable so you always receive updates for the latest stable release automatically.
Hum, I won't use the PPA, because it seems that in this case, for example, ldap auth works with 4.0, but no longer with 4.1... I prefer to keep a version which I know is working rather than have a bad surprise after an update.
Thanks for your help.
E.T.
-
Hi Tobias,
I just described a similar issue here: https://github.com/veyon/veyon/issues/455
Thanks in advance,
Julius