*** menesis has quit IRC | 02:51 | |
*** menesis has joined #schooltool | 11:48 | |
*** th1a has joined #schooltool | 12:44 | |
*** menesis has quit IRC | 12:53 | |
*** menesis has joined #schooltool | 12:54 | |
*** menesis has quit IRC | 14:35 | |
*** th1a has quit IRC | 14:45 | |
*** rmccorkell has joined #schooltool | 15:18 | |
*** psharrad has joined #schooltool | 15:24 | |
*** rmccorkell is now known as Xeno | 15:26 | |
*** Xeno is now known as Xenopathic | 15:26 | |
psharrad | Hello everyone | 15:26 |
*** Xenopathic is now known as Xeno | 15:27 | |
*** Xeno is now known as rmccorkell | 15:27 | |
*** menesis has joined #schooltool | 15:27 | |
rmccorkell | how does python work with Kerberos? | 15:30 |
*** replaceafill has joined #schooltool | 15:31 | |
replaceafill | good afternoon | 15:31 |
rmccorkell | hello | 15:31 |
psharrad | hello | 15:31 |
replaceafill | oh Tom is not here yet :) | 15:31 |
psharrad | it's been very quiet so far! | 15:31 |
rmccorkell | is Justas coming today? | 15:41 |
replaceafill | i don't think so | 15:41 |
replaceafill | these days it's usually just Tom and me | 15:42 |
replaceafill | and sometimes Gediminas (who's in charge of packages) | 15:42 |
psharrad | hopefully he'll turn up in a minute | 15:42 |
rmccorkell | I see some python and zope devs here, are they here for the Kerberos? | 15:42 |
replaceafill | well, i am :) | 15:43 |
rmccorkell | so, to introduce ourselves: | 15:43 |
replaceafill | menesis (Gediminas) is probably at work | 15:43 |
rmccorkell | I'm the Karoshi Client maintainer | 15:44 |
rmccorkell | however I work closely with psharrad on the server-client integration | 15:44 |
psharrad | I'm Paul from the Linux Schools Project - I'm the server maintainer | 15:44 |
psharrad | I'm also the Linux Schools project leader | 15:45 |
rmccorkell | should we start in 5 minutes? | 15:46 |
replaceafill | I'm Douglas, and i'm a SchoolTool developer | 15:46 |
psharrad | We met Tom when he did a demo talk about school tool in London. | 15:46 |
replaceafill | i'm not really familiar with Kerberos | 15:48 |
menesis | hello, I'm Gediminas, responsible for releasing SchoolTool and packaging it for Ubuntu | 15:48 |
rmccorkell | it's an authentication method that uses 'tickets' containing encrypted data instead of passwords, hashes or anything else | 15:50 |
psharrad | we've had some experience with kerberos but are not experts - we've got kerberos working with quite a lot of systems such as moodle, postfix etc | 15:51 |
replaceafill | the goal would be to create a SchoolTool server module, correct? | 15:52 |
rmccorkell | the first step is getting it integrated with the technologies we use | 15:53 |
psharrad | We wondered if schooltool could use a similar kerberos method of authentication to moodle. | 15:53 |
psharrad | Sorry to backtrack - we could do schooltool as a server module; it means they would get a completed schooltool setup at a click of a button that has ldap and kerberos automatically configured for authentication to the school's primary domain controller. | 15:55 |
rmccorkell | shall we begin? | 15:57 |
replaceafill | sure | 15:57 |
rmccorkell | right, so the way Moodle does it seems to be pretty reliable from our testing | 15:57 |
*** mibofra has joined #schooltool | 15:57 | |
rmccorkell | it has an LDAP plugin that connects to a server for user and group information, but also has the option of delegating authentication to Apache | 15:58 |
*** mibofra has quit IRC | 15:59 | |
*** mibofra has joined #schooltool | 15:59 | |
rmccorkell | it is labelled as 'NTLM', but has an option for Kerberos | 15:59 |
rmccorkell | when a client attempts to get the login page, they are redirected to '/auth/ldap/ntlmsso_attempt.php' | 16:00 |
*** AndChat|601929 has joined #schooltool | 16:00 | |
rmccorkell | it has a bit of a fudge that attempts to load '/auth/ldap/ntlmsso_magic.php' as an image | 16:01 |
rmccorkell | that file needs to be configured in Apache to perform authentication | 16:02 |
rmccorkell | (using a standard <Files> declaration) | 16:02 |
psharrad | Here is our apache part: | 16:02 |
psharrad | #moodle-kerberos-support | 16:04 |
psharrad | <Directory /var/www/html/moodle/auth/ldap/> | 16:04 |
psharrad | <Files ntlmsso_magic.php> | 16:04 |
psharrad | AuthName "Moodle" | 16:04 |
psharrad | AuthType Kerberos | 16:04 |
psharrad | Krb5Keytab /etc/keytabs/moodle.keytab | 16:04 |
psharrad | KrbMethodNegotiate on | 16:04 |
psharrad | KrbMethodK5Passwd off | 16:04 |
psharrad | KrbAuthoritative on | 16:04 |
psharrad | KrbServiceName HTTP/sherlock.baker.street.com | 16:04 |
psharrad | require valid-user | 16:04 |
psharrad | </Files> | 16:04 |
psharrad | </Directory> | 16:04 |
rmccorkell | so Apache performs the authentication and allows the 'image' to load, which is just an empty filler so the web browser doesn't get confused | 16:05 |
rmccorkell | at this point the REMOTE_USER variable is set, and Moodle just redirects and can authorize the user | 16:05 |
rmccorkell | a similar thing could be done for SchoolTool, integrating with the LDAP plugin | 16:06 |
replaceafill | i see | 16:06 |
replaceafill | if i download the server version of Karoshi, could i test this in a virtual machine? | 16:07 |
replaceafill | the moodle-ldap-apache auth | 16:07 |
psharrad | yes we have moodle built in as a server module. | 16:07 |
rmccorkell | for proper testing you will need a Kerberos client - the easiest way is probably to use Karoshi Client | 16:08 |
replaceafill | ah, ok | 16:08 |
psharrad | Once you have applied the module on the server moodle gets put in /var/www/html/moodle | 16:08 |
replaceafill | if i may ask, what does the karoshi client do? | 16:09 |
replaceafill | set up a GUI for users? | 16:09 |
replaceafill | i mean, a desktop environment? | 16:10 |
rmccorkell | the client is the counterpart to the server, configuring it to use whatever modules have been installed, along with transparently doing menial stuff like authentication | 16:10 |
psharrad | the client acts the same way as a windows client computer joined to the domain in your network | 16:11 |
rmccorkell | the client does have a customized GUI for school use, however it is just a standard XFCE desktop | 16:12 |
replaceafill | oh, "The client uses the XFCE desktop environment" | 16:13 |
replaceafill | i'll install both parts using virtualbox | 16:14 |
replaceafill | that should work, right? | 16:14 |
psharrad | Yes that will work - we do all of our testing in virtualbox | 16:15 |
rmccorkell | of course, you just need to change the network adapter from NAT to bridged or internal | 16:15 |
replaceafill | what happens after the 'image' is loaded and the REMOTE_USER is set | 16:15 |
rmccorkell | Moodle has a 3 second redirect on the 'ntlmsso_attempt.php' page | 16:16 |
rmccorkell | it redirects to 'ntlmsso_finish.php', which either tells the user that auto login failed (redirecting to the normal login page) or to the main Moodle page | 16:17 |
replaceafill | and moodle gets all the user info from the ldap server? | 16:19 |
rmccorkell | yes | 16:19 |
replaceafill | i need to get familiar with our ldap plugin :D | 16:19 |
menesis | Do I understand correctly: the server runs Samba 4 as an Active Directory alternative. It provides LDAP server for user/group storage and Kerberos for authentication. User logs in to a Domain at the display manager (LightDM) and no further authentication through the browser is needed. | 16:20 |
rmccorkell | correct | 16:20 |
psharrad | yes that is correct | 16:20 |
rmccorkell | well, authentication is still done in the browser, but it is all handled by the single sign on capabilities of Kerberos | 16:20 |
menesis | None of OpenLDAP, MIT Kerberos or Heimdal is used? | 16:21 |
psharrad | All the ldap and kerberos is through samba4. | 16:21 |
rmccorkell | MIT Kerberos is used on the client | 16:21 |
rmccorkell | I think Samba4 uses MIT Kerberos internally anyway | 16:22 |
menesis | well ok some libraries are the same | 16:22 |
menesis | I was interested what's on the server | 16:22 |
menesis | thanks | 16:22 |
menesis | Our ldap plugin is simple, and was tested only with openldap. It should autoconfigure itself on Zentyal. | 16:24 |
psharrad | We can test the schooltool ldap plugin with samba4. | 16:24 |
rmccorkell | although Samba4 uses an internal LDAP server it is heavily based off OpenLDAP, so compatibility should be high | 16:24 |
*** rmccorkell is now known as Xenopathic | 16:25 | |
Xenopathic | sorry, just changing my nick | 16:26 |
menesis | That's good. But /etc/ldap.conf (as created by ldap-auth-config) file is probably somewhere else | 16:27 |
Xenopathic | samba4 completely ignores ldap.conf | 16:28 |
Xenopathic | when we were testing SchoolTool the first time, we configured the LDAP plugin in the web interface | 16:28 |
menesis | Did it work? | 16:29 |
psharrad | Unfortunately we had a massive flood in the server room just at this point! | 16:29 |
psharrad | £40000 worth of damage | 16:30 |
menesis | =-O | 16:30 |
psharrad | We had to put the schooltool work on the back burner until we had everything sorted out | 16:30 |
psharrad | It won't take us long to set it up again and test ldap. | 16:30 |
psharrad | We'll test it again tomorrow and let you know the results. | 16:32 |
menesis | I should install a Karoshi server in a virtual machine, too, to see what you have and be able to test it | 16:34 |
menesis | also a Zentyal server because people also have problems with it | 16:34 |
menesis | None of us have experience with LDAP unfortunately, and the plugin was written by Justas who is no longer working on SchoolTool. | 16:35 |
menesis | but it is simple and does not do much | 16:36 |
Xenopathic | how easy is python to learn to a standard for this project? | 16:37 |
psharrad | is the plugin written in python? | 16:37 |
menesis | so, Kerberos and LDAP go together, and we need to add ability to authenticate through a browser ticket to the existing plugin | 16:37 |
Xenopathic | sounds about right | 16:38 |
menesis | yes, all of schooltool is written in python | 16:38 |
menesis | I've seen an example, and the kerberos part on the client is only a few lines of code | 16:41 |
menesis | The setup is done on Apache side | 16:42 |
menesis | there is a VirtualHost (or Directory) for schooltool | 16:42 |
psharrad | We can add the kerberos info into that virtualhost | 16:43 |
menesis | with some Krb5 directives | 16:43 |
menesis | and then when browser tries to access schooltool | 16:44 |
menesis | it sends a 401 response with a WWW-Authenticate: Negotiate header | 16:44 |
Xenopathic | you may want to do it like Moodle does it, and only require Apache authentication on a particular page | 16:46 |
Xenopathic | so that you can still fall back to a standard login page should Kerberos fail | 16:46 |
menesis | that would be simpler than to autodetect that Kerberos auth is possible | 16:47 |
*** AndChat|601929 has quit IRC | 16:48 | |
menesis | but then you need some school homepage with a link to schooltool.school.my/krb | 16:48 |
Xenopathic | the way Moodle does it is with a GET parameter | 16:49 |
Xenopathic | if the login page is accessed normally it redirects to the Kerberos magic page | 16:49 |
Xenopathic | if it has a certain parameter it just gives the login page | 16:50 |
Xenopathic | oh, and one thing that should be implemented if you do this - only redirect for clients matching a certain IP range | 16:51 |
Xenopathic | (that can be configured) | 16:51 |
menesis | SchoolTool would be accessible from outside the school network, but then SSO is not available? | 16:54 |
Xenopathic | yes | 16:55 |
psharrad | That's a good approach since staff and students at home wouldn't have a kerberos ticket. | 16:55 |
Xenopathic | the Apache authentication dialog (accessible by setting `KrbMethodK5Passwd on`) is really ugly | 16:57 |
menesis | is it not the same like using Basic auth? | 16:58 |
Xenopathic | yes | 16:59 |
Xenopathic | ugly :D | 16:59 |
menesis | Well. | 17:06 |
menesis | I think we should install the Karoshi Server, set up ldap and then try to add Kerberos | 17:07 |
Xenopathic | right, well it sounds like you have a good grasp of Kerberos | 17:08 |
Xenopathic | we'll have a go at SchoolTool again | 17:08 |
Xenopathic | how should we get back in touch? | 17:09 |
menesis | replaceafill: here is a tutorial I found, looks simple http://python-notes.curiousefficiency.org/en/latest/python_kerberos.html | 17:09 |
replaceafill | ah thanks menesis | 17:09 |
menesis | we don't use 'requests' but that does not matter | 17:09 |
replaceafill | sure | 17:09 |
menesis | We will need help setting up LDAP with those Bind DN and user queries | 17:11 |
menesis | Because they look cryptic ;-) | 17:11 |
Xenopathic | ah yes, Samba4 doesn't strictly use the same schemas as OpenLDAP | 17:12 |
Xenopathic | have a look at http://www.linuxschools.org.uk/karoshi/documentation/wiki/index.php?title=Samba4_Testing#LDAP_Contacts we did a bit of testing with our original Thunderbird integration | 17:13 |
Xenopathic | although you probably need to tweak the queries a bit, this is what we used originally to get Thunderbird reading Samba4 LDAP information | 17:14 |
menesis | nice, that's a lot of documentation | 17:19 |
psharrad | Unfortunately I've got to go to another meeting now :( Nice chatting to you and we'll feed back with some ldap testing on schooltool. | 17:21 |
*** psharrad has quit IRC | 17:21 | |
Xenopathic | well I'm off also. Nice chatting with you | 17:23 |
*** Xenopathic has left #schooltool | 17:24 | |
*** replaceafill has quit IRC | 17:54 | |
*** replaceafill has joined #schooltool | 18:02 | |
*** replaceafill has joined #schooltool | 18:03 | |
*** khildin has joined #schooltool | 18:24 | |
*** replaceafill has quit IRC | 19:12 | |
*** replaceafill has joined #schooltool | 19:17 | |
*** replaceafill has quit IRC | 19:37 | |
*** replaceafill has joined #schooltool | 19:49 | |
*** menesis has quit IRC | 21:06 | |
*** khildin has quit IRC | 21:11 | |
*** menesis has joined #schooltool | 21:45 | |
*** replaceafill has quit IRC | 22:01 | |
*** replaceafill has joined #schooltool | 22:01 | |
*** replaceafill has quit IRC | 22:01 | |
*** replaceafill has joined #schooltool | 22:01 | |
*** replaceafill_ has joined #schooltool | 22:11 | |
*** replaceafill_ has joined #schooltool | 22:11 | |
*** replaceafill has quit IRC | 22:15 | |
*** replaceafill has joined #schooltool | 22:15 | |
*** menesis has quit IRC | 23:10 | |
*** menesis1 has joined #schooltool | 23:10 | |
*** replaceafill has quit IRC | 23:51 | |
Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!