[opensuse] Hacking Display Manager - Replacing GDM with ACDM
Hi, I'm trying to replace GDM with a smart card reader login screen ACDM. The software that came with the smart card reader doesn't work well on Linux. I'm thinking of hacking the configuration files manually to get things to work.
In my workplace, I'm tasked with setting up a trial deployment with SLED and SLES at a rather big organization. They want to test whether their applications can run well on Linux; they are deliberating between Vista and Linux (notably SLED) as workstation replacements.
One of their requirements is to use a smart card as the third authentication factor for users to log in. Therefore, the normal GDM login screen that we see with default SLED/SLES/openSUSE needs to be replaced with the display manager for the smart card reader.
The software for the smart card reader in this case is ActivIdentity. Now ActivIdentity does provide the files for replacing the GDM. However, the installation script provided by them seems to be ill-tested. I say this because the installation is SUPPOSED to replace the GDM display manager with its display manager ACDM. Needless to say, it didn't work.
I looked through the source code of their script and realised that one portion of the script that was supposed to patch the XDM file at /etc/init.d/xdm didn't run correctly. I then patched that part up manually. Lo and behold, it works! At least I thought it did. The display manager upon bootup shows ACDM instead of GDM. However, after entering my username and password, ACDM died and brought me to the console login screen (CTL+ALT+F1).
The reason I'm enthusiastic about making this work is because this organization is quite big in my country, Singapore, and the deployment of Linux in their workplace will make the news, or encourage other organizations here to adopt Linux.
What I can think of now is to hack the display manager configurations to find out what went wrong. I was wondering if any of you guys have any pointers for me or are able to direct me to any resource that describes the architecture of the display manager. I already tried to search online for anything related to ActivIdentity but there is nothing useful at all. The documentation that comes with the software is not helpful in solving this problem.
Thanks in advance!
On Nov 29, 2007 1:39 PM, Chee How Chua <chuacheehow@gmail.com> wrote:
The display manager upon bootup shows ACDM instead of GDM. However, after entering my username and password, ACDM died and brought me to the console login screen (CTL+ALT+F1).
Try:
ln -s /etc/X11/xdm/Xsession /etc/X11/Xsession
Cheers
-J
On Nov 29, 2007 4:17 PM, CyberOrg <jigish.gohil@gmail.com> wrote:
On Nov 29, 2007 1:39 PM, Chee How Chua <chuacheehow@gmail.com> wrote:
The display manager upon bootup shows ACDM instead of GDM. However, after entering my username and password, ACDM died and brought me to the console login screen (CTL+ALT+F1).
Try:
ln -s /etc/X11/xdm/Xsession /etc/X11/Xsession
Cheers
-J
Thanks. Unfortunately it doesn't work. ACDM still died.
Chee How Chua wrote:
On Nov 29, 2007 4:17 PM, CyberOrg <jigish.gohil@gmail.com> wrote:
On Nov 29, 2007 1:39 PM, Chee How Chua <chuacheehow@gmail.com> wrote:
The display manager upon bootup shows ACDM instead of GDM. However, after entering my username and password, ACDM died and brought me to the console login screen (CTL+ALT+F1).
Try:
ln -s /etc/X11/xdm/Xsession /etc/X11/Xsession
Cheers
-J
Thanks. Unfortunately it doesn't work. ACDM still died.
This is what I did to substitute Entrance for SuSE defaults. I would check what parameters the ACDM script (or the binary component of the script) requires to work. ...
I made two changes to /etc/init.d/xdm. The three lines marked + were added with the path to the entrance binary; in your case it should be the ACDM binary (approx line 90).
case "${DISPLAYMANAGER##*/}" in kdm|kde|KDM|KDE) DISPLAYMANAGER=/opt/kde3/bin/kdm PIDFILE="/var/run/kdm.pid" ;; xdm) DISPLAYMANAGER=$XDM_BIN ;; gdm|GDM|Gnome|GNOME) DISPLAYMANAGER=/opt/gnome/sbin/gdm PIDFILE="/var/run/gdm.pid" ;; wdm|WDM) DISPLAYMANAGER=/usr/X11R6/bin/wdm ;; console) exit 0 ;; + entrance) DISPLAYMANAGER=/usr/sbin/entranced + PIDFILE="/var/run/entranced.pid" + ;; *) DISPLAYMANAGER=$XDM_BIN if test -x /opt/kde3/bin/kdm; then DISPLAYMANAGER=/opt/kde3/bin/kdm PIDFILE="/var/run/kdm.pid" fi ;; esac
and (at approx line 125) I changed XDMOPTIONS which should contain the X options required by the ACDM binary to load... (and local environment setting may need to be included at this point)... BTW check whether the ACDM requires any hardware modules to be loaded, if this is the case, at this point you could insert a test to see if the module is loaded and either wait for the module to load or load the module...
if [ "$DISPLAYMANAGER" = "/opt/gnome/sbin/gdm" -a \ "$DISPLAYMANAGER_REMOTE_ACCESS" = "yes" -a \ "$DISPLAYMANAGER_STARTS_XSERVER" = "no" ]; then XDMOPTIONS="--no-console" fi + if [ "$DISPLAYMANAGER" = "/usr/sbin/entranced" ]; then + XDMOPTIONS="-nodaemon" + fi
Does this look anything like what you did?
Finally set the DISPLAYMANAGER setting in the YaST sysconfig editor to whatever you choose to tag ACDM as...
--
==============================================================================
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
==============================================================================
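Review bot: the added `entrance)` pattern matches only that exact lowercase spelling, unlike `kdm|kde|KDM|KDE)` and `gdm|GDM|Gnome|GNOME)` above it, so any other spelling of the configured value falls through to `*)` and a different display manager is started without any error. Consider listing the spellings you intend to accept and guarding the assignment with `test -x /usr/sbin/entranced`, as the `*)` branch already does for kdm, so that a missing binary is caught in this branch.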
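Review bot: the added `-nodaemon` test repeats the literal path `/usr/sbin/entranced` from the `entrance)` branch, so the two strings have to be kept in sync by hand; if the path in the branch changes, this test stops matching and the option is dropped silently. Comparing against a single variable set in the `entrance)` branch would remove the duplication, and a one-line comment on why `-nodaemon` is required would help, since nothing in the added lines explains it.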
On Thu, 2007-11-29 at 16:09 +0800, Chee How Chua wrote:
Hi, I'm trying to replace GDM with a smart card reader login screen ACDM. The software that came with the smart card reader doesn't work well on Linux. I'm thinking of hacking the configuration files manually to get things to work.
In my workplace, I'm tasked with setting up a trial deployment with SLED and SLES at a rather big organization. They want to test whether their applications can run well on Linux; they are deliberating between Vista and Linux (notably SLED) as workstation replacements.
One of their requirements is to use a smart card as the third authentication factor for users to log in. Therefore, the normal GDM login screen that we see with default SLED/SLES/openSUSE needs to be replaced with the display manager for the smart card reader.
Why? GDM supports full pam conversations to read smart cards in 10.3 and it should be able to detect when usb smart card readers are plugged in and reset the login screen.
If you need this for SLED 10 SP1, we have done some test packages, please contact Novell.
-JP
--
JP Rosevear <jpr@novell.com> Novell, Inc.
+ entrance) DISPLAYMANAGER=/usr/sbin/entranced + PIDFILE="/var/run/entranced.pid" + ;;
Yup, I did this. In fact the patch file provided by ActivIdentity had this patch, but the script that invokes this patch did not apply it correctly. But the patch did not contain the line with PIDFILE and I didn't apply it either. Is this PIDFILE compulsory? In the default XDM file, only KDM and GDM have this PID line; WDM and XDM do not have it. Can you explain what this line is for?
and (at approx line 125) I changed XDMOPTIONS which should contain the X options required by the ACDM binary to load... (and local environment setting may need to be included at this point)... BTW check whether the ACDM requires any hardware modules to be loaded, if this is the case, at this point you could insert a test to see if the module is loaded and either wait for the module to load or load the module...
if [ "$DISPLAYMANAGER" = "/opt/gnome/sbin/gdm" -a \ "$DISPLAYMANAGER_REMOTE_ACCESS" = "yes" -a \ "$DISPLAYMANAGER_STARTS_XSERVER" = "no" ]; then XDMOPTIONS="--no-console" fi
+ if [ "$DISPLAYMANAGER" = "/usr/sbin/entranced" ]; then + XDMOPTIONS="-nodaemon" + fi
Does this look anything like what you did?
Well, the patch file and the documentation do not have anything to say about the XDMOPTIONS. It appears that only GDM has XDMOPTIONS set. How does XDMOPTIONS affect XDM and the display manager that is loading?
Finally set the DISPLAYMANAGER setting in the YaST sysconfig editor to whatever you choose to tag ACDM as...
Did that. Naively thought that would be the only thing to change.
On Nov 30, 2007 12:20 AM, JP Rosevear <jpr@novell.com> wrote:
Why? GDM supports full pam conversations to read smart cards in 10.3 and it should be able to detect when usb smart card readers are plugged in and reset the login screen.
If you need this for SLED 10 SP1, we have done some test packages, please contact Novell.
-JP -- JP Rosevear <jpr@novell.com> Novell, Inc.
The OS is SLED10 SP1, not 10.3. Pardon my ignorance, which contact point for Novell should I approach? My local office is unable to help me much here.
Chee How Chua wrote:
+ entrance) DISPLAYMANAGER=/usr/sbin/entranced + PIDFILE="/var/run/entranced.pid" + ;;
Yup, I did this. In fact the patch file provided by ActivIdentity had this patch, but the script that invokes this patch did not apply it correctly. But the patch did not contain the line with PIDFILE and I didn't apply it either. Is this PIDFILE compulsory? In the default XDM file, only KDM and GDM have this PID line; WDM and XDM do not have it. Can you explain what this line is for?
IIRC As far as I could work out this is used to determine whether a process is running or not... this is the first parameter passed to startproc later on after the -p option... man startproc gives some more info.... (I have no idea what would happen if the -p option gets the executable as the pid file but I do not think it would be good...) but early on in the script this variable is set for xdm so I would think it a rather good idea to set it for the ACDM module as a discrete PID file (it cannot do any harm, I cannot remember whether I found out that entranced crashed without it or not, and I had a fair few crashes getting this to work).
and (at approx line 125) I changed XDMOPTIONS which should contain the X options required by the ACDM binary to load... (and local environment setting may need to be included at this point)... BTW check whether the ACDM requires any hardware modules to be loaded, if this is the case, at this point you could insert a test to see if the module is loaded and either wait for the module to load or load the module...
if [ "$DISPLAYMANAGER" = "/opt/gnome/sbin/gdm" -a \ "$DISPLAYMANAGER_REMOTE_ACCESS" = "yes" -a \ "$DISPLAYMANAGER_STARTS_XSERVER" = "no" ]; then XDMOPTIONS="--no-console" fi
+ if [ "$DISPLAYMANAGER" = "/usr/sbin/entranced" ]; then + XDMOPTIONS="-nodaemon" + fi
Does this look anything like what you did?
Well, the patch file and the documentation do not have anything to say about the XDMOPTIONS. It appears that only GDM has XDMOPTIONS set. How does XDMOPTIONS affect XDM and the display manager that is loading?
This variable is where options for the executable (rather the startproc) are passed; if you have none you do not need to pass any... entranced required -nodaemon (never did find out exactly what the option was supposed to do, e17 docs tend to be a bit thin on the ground)
Finally set the DISPLAYMANAGER setting in the YaST sysconfig editor to whatever you choose to tag ACDM as...
Did that. Naively thought that would be the only thing to change.
ditto first time round...
On Nov 30, 2007 12:20 AM, JP Rosevear <jpr@novell.com> wrote:
Why? GDM supports full pam conversations to read smart cards in 10.3 and it should be able to detect when usb smart card readers are plugged in and reset the login screen.
If you need this for SLED 10 SP1, we have done some test packages, please contact Novell.
-JP -- JP Rosevear <jpr@novell.com> Novell, Inc.
The OS is SLED10 SP1, not 10.3. Pardon my ignorance, which contact point for Novell should I approach? My local office is unable to help me much here.
This was my error not JP's
On Thu, 2007-11-29 at 16:09 +0800, Chee How Chua wrote:
The display manager upon bootup shows ACDM instead of GDM. However, after entering my username and password, ACDM died and brought me to the console login screen (CTL+ALT+F1).
One thing you could try is to strace the display manager from the command line and see if it's failing to find some important file - typically looking for ENOENT and other errors from system calls. The log is usually huge, so it could be time-consuming, though.
Apart from that I'd like to second JP's comment - try to get hold of GDM packages that can do it (though I don't know exactly who you'd need to talk to at Novell).
--
Hans Petter
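The strace approach suggested in the message above, as an added example that is not part of the original thread: a POSIX shell function that reduces a large strace log to the paths whose lookups failed with ENOENT, EACCES or EPERM. The sample log, the `/opt/example/dm` binary and the pid-file path are constructed for illustration and were not captured from ACDM.

```shell
#!/bin/sh
# Added example: list the files a traced display manager failed to open.
# Capture a log first, e.g. (binary path and options are placeholders):
#   strace -f -o /tmp/dm.trace /path/to/display-manager <options>

# failed_paths [LOGFILE]: print "COUNT ERRNO PATH" for file-related
# syscalls that failed, most frequent first. Reads stdin if no file given.
failed_paths() {
    awk '
    / = -1 (ENOENT|EACCES|EPERM) / {
        line = $0
        # Drop the PID prefix that strace -f adds ("1234 " or "[pid 1234] ").
        sub(/^(\[pid +[0-9]+\] +|[0-9]+ +)/, "", line)
        paren = index(line, "(")
        if (paren == 0) next
        call = substr(line, 1, paren - 1)
        # Keep only syscalls that take a path; the path is the first quoted string.
        if (call !~ /^(open|openat|access|stat|stat64|lstat|lstat64|execve)$/) next
        if (!match(line, /"[^"]*"/)) next
        path = substr(line, RSTART + 1, RLENGTH - 2)
        match(line, / = -1 [A-Z]+/)
        print substr(line, RSTART + 6, RLENGTH - 6), path
    }' "${1:--}" | sort | uniq -c | sort -rn
}

# Constructed sample log (not captured from ACDM or any real system).
sample_trace() {
    cat <<'EOF'
2101  execve("/opt/example/dm", ["dm", "-nodaemon"], [/* 12 vars */]) = 0
2101  open("/etc/ld.so.cache", O_RDONLY) = 3
2101  access("/etc/X11/Xsession", X_OK) = -1 ENOENT (No such file or directory)
2101  open("/etc/X11/Xsession", O_RDONLY) = -1 ENOENT (No such file or directory)
2102  open("/var/run/example-dm.pid", O_WRONLY|O_CREAT, 0644) = -1 EACCES (Permission denied)
2101  read(3, 0xbf8a1000, 4096) = -1 EAGAIN (Resource temporarily unavailable)
2101  stat64("/usr/share/xsessions", {st_mode=S_IFDIR|0755, ...}) = 0
EOF
}

# Demo run on the constructed log.
sample_trace | failed_paths
```

Many ENOENT results are harmless search-path probes, so the entries worth reading first are the ones closest to the point where the process exits.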
participants (5)
- Chee How Chua
- CyberOrg
- G T Smith
- Hans Petter Jansson
- JP Rosevear