IRC log of #schooltool for Wednesday, 2014-02-26

[02:51] *** menesis has quit IRC
[11:48] *** menesis has joined #schooltool
[12:44] *** th1a has joined #schooltool
[12:53] *** menesis has quit IRC
[12:54] *** menesis has joined #schooltool
[14:35] *** menesis has quit IRC
[14:45] *** th1a has quit IRC
[15:18] *** rmccorkell has joined #schooltool
[15:24] *** psharrad has joined #schooltool
[15:26] *** rmccorkell is now known as Xeno
[15:26] *** Xeno is now known as Xenopathic
[15:26] <psharrad> Hello everyone
[15:27] *** Xenopathic is now known as Xeno
[15:27] *** Xeno is now known as rmccorkell
[15:27] *** menesis has joined #schooltool
[15:30] <rmccorkell> how does python work with Kerberos?
[15:31] *** replaceafill has joined #schooltool
[15:31] <replaceafill> good afternoon
[15:31] <replaceafill> oh Tom is not here yet :)
[15:31] <psharrad> it's been very quiet so far!
[15:41] <rmccorkell> is Justas coming today?
[15:41] <replaceafill> i don't think so
[15:42] <replaceafill> these days it's usually just Tom and me
[15:42] <replaceafill> and sometimes Gediminas (who's in charge of packages)
[15:42] <psharrad> hopefully he'll turn up in a minute
[15:42] <rmccorkell> I see some python and zope devs here, are they here for the Kerberos?
[15:43] <replaceafill> well, i am :)
[15:43] <rmccorkell> so, to introduce ourselves:
[15:43] <replaceafill> menesis (Gediminas) is probably at work
[15:44] <rmccorkell> I'm the Karoshi Client maintainer
[15:44] <rmccorkell> however I work closely with psharrad on the server-client integration
[15:44] <psharrad> I'm Paul from the Linux Schools Project - I'm the server maintainer
[15:45] <psharrad> I'm also the Linux Schools project leader
[15:46] <rmccorkell> should we start in 5 minutes?
[15:46] <replaceafill> I'm Douglas, and i'm a SchoolTool developer
[15:46] <psharrad> We met Tom when he did a demo talk about school tool in London.
[15:48] <replaceafill> i'm not really familiar with Kerberos
[15:48] <menesis> hello, I'm Gediminas, responsible for releasing SchoolTool and packaging it for Ubuntu
[15:50] <rmccorkell> it's an authentication method that uses 'tickets' containing encrypted data instead of passwords, hashes or anything else
[15:51] <psharrad> we've had some experience with kerberos but are not experts - we've got kerberos working with quite a lot of systems such as moodle, postfix etc
[15:52] <replaceafill> the goal would be to create a SchoolTool server module, correct?
[15:53] <rmccorkell> the first step is getting it integrated with the technologies we use
[15:53] <psharrad> We wondered if schooltool could use a similar kerberos method of authentication to moodle.
[15:55] <psharrad> Sorry to back track - we could do schooltool as a server module. It means they would get a completed schooltool setup at a click of a button that has ldap and kerberos automatically configured for authentication to the school's primary domain controller.
[15:57] <rmccorkell> shall we begin?
[15:57] <rmccorkell> right, so the way Moodle does it seems to be pretty reliable from our testing
[15:57] *** mibofra has joined #schooltool
[15:58] <rmccorkell> it has an LDAP plugin that connects to a server for user and group information, but also has the option of delegating authentication to Apache
[15:59] *** mibofra has quit IRC
[15:59] *** mibofra has joined #schooltool
[15:59] <rmccorkell> it is labelled as 'NTLM', but has an option for Kerberos
[16:00] <rmccorkell> when a client attempts to get the login page, they are redirected to '/auth/ldap/ntlmsso_attempt.php'
[16:00] *** AndChat|601929 has joined #schooltool
[16:01] <rmccorkell> it has a bit of a fudge that attempts to load '/auth/ldap/ntlmsso_magic.php' as an image
[16:02] <rmccorkell> that file needs to be configured in Apache to perform authentication
[16:02] <rmccorkell> (using a standard <Files> declaration)
[16:02] <psharrad> Here is our apache part:
[16:04] <psharrad> <Directory /var/www/html/moodle/auth/ldap/>
[16:04] <psharrad> <Files ntlmsso_magic.php>
[16:04] <psharrad> AuthName "Moodle"
[16:04] <psharrad> AuthType Kerberos
[16:04] <psharrad> Krb5Keytab /etc/keytabs/moodle.keytab
[16:04] <psharrad> KrbMethodNegotiate on
[16:04] <psharrad> KrbMethodK5Passwd off
[16:04] <psharrad> KrbAuthoritative on
[16:04] <psharrad> KrbServiceName HTTP/sherlock.baker.street.com
[16:04] <psharrad> require valid-user
[16:05] <rmccorkell> so Apache performs the authentication and allows the 'image' to load, which is just an empty filler so the web browser doesn't get confused
[16:05] <rmccorkell> at this point the REMOTE_USER variable is set, and Moodle just redirects and can authorize the user
[16:06] <rmccorkell> a similar thing could be done for SchoolTool, integrating with the LDAP plugin
[16:06] <replaceafill> i see
[16:07] <replaceafill> if i download the server version of Karoshi, could i test this in a virtual machine?
[16:07] <replaceafill> the moodle-ldap-apache auth
[16:07] <psharrad> yes we have moodle built in as a server module.
[16:08] <rmccorkell> for proper testing you will need a Kerberos client - the easiest way is probably to use Karoshi Client
[16:08] <replaceafill> ah, ok
[16:08] <psharrad> Once you have applied the module on the server moodle gets put in /var/www/html/moodle
[16:09] <replaceafill> if i may ask, what does the karoshi client do?
[16:09] <replaceafill> set up a GUI for users?
[16:10] <replaceafill> i mean, a desktop environment?
[16:10] <rmccorkell> the client is the counterpart to the server, configuring it to use whatever modules have been installed, along with transparently doing menial stuff like authentication
[16:11] <psharrad> the client acts the same way as a windows client computer joined to the domain in your network
[16:12] <rmccorkell> the client does have a customized GUI for school use, however it is just a standard XFCE desktop
[16:13] <replaceafill> oh, "The client uses the XFCE desktop environment"
[16:14] <replaceafill> i'll install both parts using virtualbox
[16:14] <replaceafill> that should work, right?
[16:15] <psharrad> Yes that will work - we do all of our testing in virtualbox
[16:15] <rmccorkell> of course, you just need to change the network adapter from NAT to bridged or internal
[16:15] <replaceafill> what happens after the 'image' is loaded and the REMOTE_USER is set
[16:16] <rmccorkell> Moodle has a 3 second redirect on the 'ntlmsso_attempt.php' page
[16:17] <rmccorkell> it redirects to 'ntlmsso_finish.php', which either tells the user that auto login failed (redirecting to the normal login page) or to the main Moodle page
[16:19] <replaceafill> and moodle gets all the user info from the ldap server?
[16:19] <replaceafill> i need to get familiar with our ldap plugin :D
[16:20] <menesis> Do I understand correctly: the server runs Samba 4 as an Active Directory alternative. It provides LDAP server for user/group storage and Kerberos for authentication. User logs in to a Domain at the display manager (LightDM) and no further authentication through the browser is needed.
[16:20] <psharrad> yes that is correct
[16:20] <rmccorkell> well, authentication is still done in the browser, but it is all handled by the single sign on capabilities of Kerberos
[16:21] <menesis> None of OpenLDAP, MIT Kerberos or Heimdal is used?
[16:21] <psharrad> All the ldap and kerberos is through samba4.
[16:21] <rmccorkell> MIT Kerberos is used on the client
[16:22] <rmccorkell> I think Samba4 uses MIT Kerberos internally anyway
[16:22] <menesis> well ok some libraries are the same
[16:22] <menesis> I was interested what's on the server
[16:24] <menesis> Our ldap plugin is simple, and was tested only with openldap. It should autoconfigure itself on Zentyal.
[16:24] <psharrad> We can test the schooltool ldap plugin with samba4.
[16:24] <rmccorkell> although Samba4 uses an internal LDAP server it is heavily based off OpenLDAP, so compatibility should be high
[16:25] *** rmccorkell is now known as Xenopathic
[16:26] <Xenopathic> sorry, just changing my nick
[16:27] <menesis> That's good. But /etc/ldap.conf (as created by ldap-auth-config) file is probably somewhere else
[16:28] <Xenopathic> samba4 completely ignores ldap.conf
[16:28] <Xenopathic> when we were testing SchoolTool the first time, we configured the LDAP plugin in the web interface
[16:29] <menesis> Did it work?
[16:29] <psharrad> Unfortunately we had a massive flood in the server room just at this point!
[16:30] <psharrad> £40000 worth of damage
[16:30] <psharrad> We had to put the schooltool work on the back burner until we had everything sorted out
[16:30] <psharrad> It won't take us long to set it up again and test ldap.
[16:32] <psharrad> We'll test it again tomorrow and let you know the results.
[16:34] <menesis> I should install a Karoshi server in a virtual machine, too, to see what you have and be able to test it
[16:34] <menesis> also a Zentyal server because people also have problems with it
[16:35] <menesis> None of us have experience with LDAP unfortunately, and the plugin was written by Justas who is no longer working on SchoolTool.
[16:36] <menesis> but it is simple and does not do much
[16:37] <Xenopathic> how easy is python to learn to a standard for this project?
[16:37] <psharrad> is the plugin written in python?
[16:37] <menesis> so, Kerberos and LDAP go together, and we need to add ability to authenticate through a browser ticket to the existing plugin
[16:38] <Xenopathic> sounds about right
[16:38] <menesis> yes, all of schooltool is written in python
[16:41] <menesis> I've seen an example, and the kerberos part on the client is only a few lines of code
[16:42] <menesis> The setup is done on Apache side
[16:42] <menesis> there is a VirtualHost (or Directory) for schooltool
[16:43] <psharrad> We can add the kerberos info into that virtualhost
[16:43] <menesis> with some Krb5 directives
[16:44] <menesis> and then when browser tries to access schooltool
[16:44] <menesis> it sends a 401 response with a WWW-Authenticate: Negotiate header
[16:46] <Xenopathic> you may want to do it like Moodle does it, and only require Apache authentication on a particular page
[16:46] <Xenopathic> so that you can still fall back to a standard login page should Kerberos fail
[16:47] <menesis> that would be simpler than to autodetect that Kerberos auth is possible
[16:48] *** AndChat|601929 has quit IRC
<menesis> but then you need some school homepage with a link to
[16:49] <Xenopathic> the way Moodle does it is with a GET parameter
[16:49] <Xenopathic> if the login page is accessed normally it redirects to the Kerberos magic page
[16:50] <Xenopathic> if it has a certain parameter it just gives the login page
[16:51] <Xenopathic> oh, and one thing that should be implemented if you do this - only redirect for clients matching a certain IP range
[16:51] <Xenopathic> (that can be configured)
[16:54] <menesis> SchoolTool would be accessible from outside the school network, but then SSO is not available?
[16:55] <psharrad> That's a good approach since staff and students at home wouldn't have a kerberos ticket.
[16:57] <Xenopathic> the Apache authentication dialog (accessible by setting `KrbMethodK5Passwd on`) is really ugly
[16:58] <menesis> is it not the same as using Basic auth?
[16:59] <Xenopathic> ugly :D
[17:07] <menesis> I think we should install the Karoshi Server, set up ldap and then try to add Kerberos
[17:08] <Xenopathic> right, well it sounds like you have a good grasp of Kerberos
[17:08] <Xenopathic> we'll have a go at SchoolTool again
[17:09] <Xenopathic> how should we get back in touch?
<menesis> replaceafill: here is a tutorial I found, looks simple
[17:09] <replaceafill> ah thanks menesis
[17:09] <menesis> we don't use 'requests' but that does not matter
[17:11] <menesis> We will need help setting up LDAP with those Bind DN and user queries
[17:11] <menesis> Because they look cryptic ;-)
[17:12] <Xenopathic> ah yes, Samba4 doesn't strictly use the same schemas as OpenLDAP
[17:13] <Xenopathic> have a look at we did a bit of testing with our original Thunderbird integration
[17:14] <Xenopathic> although you probably need to tweak the queries a bit, this is what we used originally to get Thunderbird reading Samba4 LDAP information
[17:19] <menesis> nice, that's a lot of documentation
[17:21] <psharrad> Unfortunately I've got to go to another meeting now :( Nice chatting to you and we'll feed back with some ldap testing on schooltool.
[17:21] *** psharrad has quit IRC
[17:23] <Xenopathic> well I'm off also. Nice chatting with you
[17:24] *** Xenopathic has left #schooltool
[17:54] *** replaceafill has quit IRC
[18:02] *** replaceafill has joined #schooltool
[18:03] *** replaceafill has joined #schooltool
[18:24] *** khildin has joined #schooltool
[19:12] *** replaceafill has quit IRC
[19:17] *** replaceafill has joined #schooltool
[19:37] *** replaceafill has quit IRC
[19:49] *** replaceafill has joined #schooltool
[21:06] *** menesis has quit IRC
[21:11] *** khildin has quit IRC
[21:45] *** menesis has joined #schooltool
[22:01] *** replaceafill has quit IRC
[22:01] *** replaceafill has joined #schooltool
[22:01] *** replaceafill has quit IRC
[22:01] *** replaceafill has joined #schooltool
[22:11] *** replaceafill_ has joined #schooltool
[22:11] *** replaceafill_ has joined #schooltool
[22:15] *** replaceafill has quit IRC
[22:15] *** replaceafill has joined #schooltool
[23:10] *** menesis has quit IRC
[23:10] *** menesis1 has joined #schooltool
[23:51] *** replaceafill has quit IRC
