
Integrating LDAP support into XRDP on Ubuntu 12.04 LTS

I wanted to be able to set up something along the lines of a Linux terminal server, to allow remote users to execute long-running jobs without needing any applications locally on their machines, or having to stay logged in and leave their machines at work.

This was more complicated than might be expected, given that I also didn't want to take on the additional administrative overhead of adding new users, managing password changes, etc.

I decided on using XRDP, but found that there were some problems with the authentication mechanisms when the user was not effectively local to the system, as XRDP needed to create a .vnc folder in the user's home directory and also access a few files there upon connection.

In my environment the LDAP server was OSX based, and for several reasons it was more complex to add additional objects into the existing LDAP structure. So I needed to find a way to still use LDAP for the login authentication, but then, once login had completed, trick xrdp into seeing what it needed in order to continue through to displaying a VNC/RDP window.

In my test environment I used CoRD on my Mac to test the VNC/RDP connectivity. The host itself was an ESXi guest running Ubuntu Server 12.04 LTS, on which I had also installed the GNOME desktop modules.

I used the following post as a reference for some of the steps needed to get PAM to allow the user to have a particular location as a home folder (i.e. one that wasn't defined in LDAP, etc.).

How do I tell autofs to mount a home directory other than that described by LDAP

So my final process was:

apt-get install xrdp

I then added this to bottom of /etc/security/pam_env.conf on the Ubuntu server:

HOMEDEFAULT="/home/@{PAM_USER}" – literally typing in "PAM_USER", not the name of the user you want the home directory created for.

Then add map passwd homeDirectory "/home/$uid" to the end of /etc/nslcd.conf.

Get the user to log in via ssh to find out their LDAP home directory information.

In another terminal, create the LDAP home directory locally on the server. This is the directory named in the "could not chdir to directory" error – something like:

/Network/Servers/<serveraddress/name>/Volumes/Users_N-S/your_username/

Do a "mkdir -p /Network/Servers/<serveraddress/name>/Volumes/Users_N-S/your_username/" – be careful that bash autocomplete doesn't cause any peculiarities if your OSX server has any whitespace in its naming conventions.

Then create a symbolic link from /Network/Servers/<serveraddress/name>/Volumes/Users_N-S/your_username/ to /home/<username>, so that /home/<username> resolves to the real directory.

This will then make more sense when trying to look at why XRDP might not be working.

Then copy the .vnc directory from a non-LDAP user to /home/<username>:

chown -R <username> /home/<username>/.vnc (the .vnc directory and the files copied into it, which would otherwise still be owned by the other user)

mv /home/<username>/.vnc/sesman_<oldusername>_passwd /home/<username>/.vnc/sesman_<username>_passwd – we need to do this as XRDP will check for the existence of the sesman_<username>_passwd file locally.

You may get some permissions errors if you forget to assign the correct owner/permissions to the user's local home folder (the original /Network one, as changing the perms on the symbolic link won't do a lot 🙂 ). Typically this shows up as a warning on login that the server has been unable to create the ICEAuthority files.

The folder needs to be owned by “<username>:users”  and be “drwxr-xr-x” to get around this issue, although this may vary based on your individual setup.

Now you are ready to get your user to try to log in from xVNC/RDP. You will probably find it useful to tail -f /var/log/auth.log and /var/log/xrdp-sesman.log, as these are pretty verbose in telling you that it can't read the sesman_passwd file for a particular user (in which case you probably made a mistake creating the directory or the symlink, or in the permissions and ownership of that directory).
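As an added example that is not part of the original post, the following POSIX shell script performs the per-user steps above (LDAP directory, symlink, .vnc copy, sesman password file rename, ownership and mode) and then checks the things the logs complain about when a step is missed. The ROOT prefix (empty on the real server, a scratch directory when rehearsing), the function names and the check are my assumptions; the LDAP home path still has to be supplied, as the post obtains it from the user's first ssh login.

```shell
#!/bin/sh
# Added example, not from the original post. Arguments:
#   root      prefix for all paths ("" on the real server, a temp dir for a dry run)
#   user      the LDAP username
#   ldap_home the home path LDAP reports (the one in the "could not chdir" error)
#   template  an existing local (non-LDAP) user whose ~/.vnc is copied
prepare_xrdp_home() {
    root=$1; user=$2; ldap_home=$3; template=$4
    real_dir="$root$ldap_home"
    link="$root/home/$user"

    # 1. Create the directory LDAP says is the home; this is the real directory.
    mkdir -p "$real_dir"
    # 2. Point /home/<user> at it, matching the pam_env / nslcd mapping.
    [ -e "$link" ] || ln -s "$real_dir" "$link"
    # 3. Copy a known-good .vnc and rename the sesman password file for this user.
    cp -R "$root/home/$template/.vnc" "$real_dir/"
    if [ -f "$real_dir/.vnc/sesman_${template}_passwd" ]; then
        mv "$real_dir/.vnc/sesman_${template}_passwd" "$real_dir/.vnc/sesman_${user}_passwd"
    fi
    # 4. Owner and mode go on the real directory, not on the symlink.
    #    chown needs root and an existing account; warn instead of aborting a dry run.
    chown -R "$user:users" "$real_dir" 2>/dev/null \
        || echo "warning: could not chown $real_dir to $user:users" >&2
    chmod 755 "$real_dir"
}

# Verifies the preconditions xrdp-sesman needs: symlink, .vnc, passwd file, drwxr-xr-x.
check_xrdp_home() {
    root=$1; user=$2
    link="$root/home/$user"
    [ -L "$link" ] || { echo "no symlink at $link" >&2; return 1; }
    [ -d "$link/.vnc" ] || { echo "no .vnc under $link" >&2; return 1; }
    [ -f "$link/.vnc/sesman_${user}_passwd" ] \
        || { echo "missing sesman_${user}_passwd" >&2; return 1; }
    # trailing slash makes ls follow the symlink to the real directory
    [ "$(ls -ld "$link/" | cut -c1-10)" = "drwxr-xr-x" ] \
        || { echo "home directory is not drwxr-xr-x" >&2; return 1; }
    return 0
}

# Usage on the server: sh prepare_xrdp_home.sh <username> <ldap_home_path> <template_user>
if [ $# -eq 3 ]; then
    prepare_xrdp_home "" "$1" "$2" "$3" && check_xrdp_home "" "$1"
fi
```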

I tested the above using the xVNC module in CoRD.

Once the user has successfully logged in to the RDP session they should get a standard Ubuntu desktop, which you can then customise with applications for their needs.

The next step for me will be to find a way to automate this so that users don't need to log in initially to provide me with their LDAP home directory paths.

(c) Matt Palmer 19th Nov 2012