Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
appnotes:authmenus [2009/02/25 01:25] mcb30 |
appnotes:authmenus [2013/03/04 15:34] (current) genec Fix cmd.c32 -> gpxecmd.c32 |
||
|---|---|---|---|
| Line 13: | Line 13: | ||
| SSLRequireSSL | SSLRequireSSL | ||
| - | and a file "boot.php" containing | + | You must choose between being able to load vesamenu.c32 directly and loading the current version of vesamenu.c32. |
| + | ==== vesamenu.c32 current ==== | ||
| + | The current version of vesamenu.c32 can not be loaded directly from gPXE and requires PXELINUX as an intermediate layer. You will need two PHP files, a boot.php containing | ||
| - | <?php | + | <?php |
| - | + | ||
| - | header ( "Content-type: text/plain" ); | + | header ( "Content-type: text/plain" ); |
| - | + | echo "#!gpxe\n"; | |
| - | echo "#!gpxe\n"; | + | |
| - | echo "imgfree\n"; | + | $proto = "https"; |
| - | echo "login\n"; | + | // Comment out/remove the following if strictly using HTTPS |
| - | echo "kernel -n menu ". | + | if (!isset($_SERVER["HTTPS"])) |
| - | "https://\${username:uristring}:\${password:uristring}@". | + | $proto = "http"; |
| - | $_SERVER["SERVER_NAME"]. | + | |
| - | dirname ( $_SERVER["REQUEST_URI"] ). | + | // This assigns the host that gPXE should use using the most logical variables |
| - | "/vesamenu.c32 menu.php\n"; | + | if ( $_SERVER["HTTP_HOST"] != "" ) { |
| - | echo "boot menu\n"; | + | $host=$_SERVER["HTTP_HOST"]; |
| - | ?> | + | } else { |
| + | if ( $_SERVER["SERVER_NAME"] != 0) { | ||
| + | $host=$_SERVER["SERVER_NAME"]; | ||
| + | } else { | ||
| + | $host=$_SERVER["SERVER_ADDR"]; | ||
| + | } | ||
| + | } | ||
| + | |||
| + | // Comment out/remove the following if you are running on a standard port | ||
| + | if (!((! isset($_SERVER["HTTPS"]) ) && ($_SERVER["SERVER_PORT"] == 80)) | ||
| + | && !(isset($_SERVER["HTTPS"]) && ($_SERVER["SERVER_PORT"] == 443)) ){ | ||
| + | if (strrpos($host, ":") == FALSE) | ||
| + | $host=$host.":".$_SERVER["SERVER_PORT"]; | ||
| + | } | ||
| + | |||
| + | $uri=$_SERVER["REQUEST_URI"]; | ||
| + | $dir=substr ( $uri, 0, strrpos ($uri, "/") + 1); | ||
| + | |||
| + | echo "#!gpxe\n"; | ||
| + | echo "imgfree\n"; | ||
| + | echo "login\n"; | ||
| + | echo "set 209:string bootcfg.php\n"; | ||
| + | echo "set 210:string ". | ||
| + | $proto."://\${username:uristring}:\${password:uristring}@". | ||
| + | $host.$dir."\n"; | ||
| + | echo "chain \${210:string}pxelinux.0\n"; | ||
| + | ?> | ||
| + | |||
| + | and a bootcfg.php containing | ||
| + | |||
| + | <?php | ||
| + | |||
| + | header ( "Content-type: text/plain" ); | ||
| + | |||
| + | echo "UI runmenu\n\n"; | ||
| + | echo "LABEL runmenu\n"; | ||
| + | echo "COM32 vesamenu.c32\n"; | ||
| + | echo "APPEND menu.php\n"; | ||
| + | ?> | ||
| + | |||
| + | Selecting this method will require that you use gpxecmd.c32 to execute gPXE commands and scripts. | ||
| + | ==== vesamenu.c32 directly ==== | ||
| + | You will need a file "boot.php" containing | ||
| + | |||
| + | <?php | ||
| + | |||
| + | header ( "Content-type: text/plain" ); | ||
| + | |||
| + | $uri=$_SERVER["REQUEST_URI"]; | ||
| + | $dir=substr ( $uri, 0, strrpos ($uri, "/") + 1); | ||
| + | |||
| + | echo "#!gpxe\n"; | ||
| + | echo "imgfree\n"; | ||
| + | echo "login\n"; | ||
| + | echo "chain ". | ||
| + | "https://\${username:uristring}:\${password:uristring}@". | ||
| + | $_SERVER["HTTP_HOST"].$dir. | ||
| + | "vesamenu.c32 menu.php\n"; | ||
| + | ?> | ||
| + | |||
| + | In order to use vesamenu.c32 directly from gPXE, you must use Syslinux-3.86 from [[http://www.kernel.org/pub/linux/utils/boot/syslinux/3.xx/]] and not the latest version. | ||
| + | ==== Setup part 1 continued ==== | ||
| Configure your DHCP server to hand out //boot.php// as the boot file, using something like (for ISC dhcpd)((If you are using PXE-chaining, you may want to investigate the various methods for avoiding infinite loops described in the [[:pxechaining|PXE chainloading]] HowTo.)): | Configure your DHCP server to hand out //boot.php// as the boot file, using something like (for ISC dhcpd)((If you are using PXE-chaining, you may want to investigate the various methods for avoiding infinite loops described in the [[:pxechaining|PXE chainloading]] HowTo.)): | ||
| filename "https://my.web.server/boot/boot.php"; | filename "https://my.web.server/boot/boot.php"; | ||
| - | Download the latest //syslinux// tarball from [[http://www.kernel.org/pub/linux/utils/boot/syslinux/]] and build it. Copy the files //com32/menu/vesamenu.c32// and //com32/modules/cmd.c32//((At the time of writing, //cmd.c32// is not yet integrated into a //syslinux// release; you will need to apply the patch from [[http://rom.etherboot.org/share/mcb30/syslinux-cmd.patch]] before building //syslinux//, or just grab the prebuilt //cmd.c32// binary from [[http://rom.etherboot.org/share/mcb30/cmd.c32]].)) into the "boot" directory on the web server. | + | Download the latest //syslinux// tarball from [[http://www.kernel.org/pub/linux/utils/boot/syslinux/]] and extract it. Copy the files //com32/menu/vesamenu.c32// and //com32/modules/gpxecmd.c32// into the "boot" directory on the web server. |
| ===== Setup (interesting part) ===== | ===== Setup (interesting part) ===== | ||
| Line 71: | Line 134: | ||
| function sanboot ( $label, $root_path ) { | function sanboot ( $label, $root_path ) { | ||
| label ( $label ); | label ( $label ); | ||
| - | echo " kernel cmd.c32\n"; | + | echo " kernel gpxecmd.c32\n"; |
| echo " append sanboot ".$root_path."\n"; | echo " append sanboot ".$root_path."\n"; | ||
| echo "\n"; | echo "\n"; | ||
| Line 172: | Line 235: | ||
| label item1 | label item1 | ||
| menu label ^1 MS-DOS 6.22 | menu label ^1 MS-DOS 6.22 | ||
| - | kernel cmd.c32 | + | kernel gpxecmd.c32 |
| append sanboot iscsi:chipmunk.tuntap::::iqn.2007-07.chipmunk:msdos622 | append sanboot iscsi:chipmunk.tuntap::::iqn.2007-07.chipmunk:msdos622 | ||
| | | ||
| label item2 | label item2 | ||
| menu label ^2 Windows 2k3 | menu label ^2 Windows 2k3 | ||
| - | kernel cmd.c32 | + | kernel gpxecmd.c32 |
| append sanboot iscsi:chipmunk.tuntap::::iqn.2007-07.chipmunk:win2k3 | append sanboot iscsi:chipmunk.tuntap::::iqn.2007-07.chipmunk:win2k3 | ||
| | | ||
| Line 196: | Line 259: | ||
| The credentials do get passed to the loaded OS via the iBFT, so we get single sign-on through to the iSCSI runtime stage for free. | The credentials do get passed to the loaded OS via the iBFT, so we get single sign-on through to the iSCSI runtime stage for free. | ||
| - | For extra bonus points, it would be possible to write a Windows driver (very similar in structure to [[http://git.etherboot.org/?p=sanbootconf.git;a=summary|sanbootconf]]) that would pick up the username and password from the iBFT, and store them in the registry as the autologon credentials; this would give you single sign-on right through to the desktop. The relevant registry entries are all found in //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon//, and should be set as follows: | + | For extra bonus points, it would be possible to write a Windows driver (very similar in structure to [[:sanbootconf|sanbootconf]]) that would pick up the username and password from the iBFT, and store them in the registry as the autologon credentials; this would give you single sign-on right through to the desktop. The relevant registry entries are all found in //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon//, and should be set as follows: |
| * //DefaultUserName// - set to user name from iBFT | * //DefaultUserName// - set to user name from iBFT | ||
| * //DefaultPassword// - set to password from iBFT | * //DefaultPassword// - set to password from iBFT | ||
| - | |||
| * //AutoAdminLogon// - set to 1 | * //AutoAdminLogon// - set to 1 | ||
| - | * //AutoLogonCount// - set to 1, so that Windows erases((Hopefully Windows will erase the credentials. If it doesn't then this single sign-on approach would be a really bad idea, since the //Winlogon// key is by default readable by all users on the system.)) the credentials from the registry as soon as they have been used | + | * //AutoLogonCount// - set to 1, so that Windows erases((Hopefully Windows will erase the credentials. If it doesn't then this single sign-on approach would be a really bad idea, since the //Winlogon// key is by default readable by all users on the system.)) the credentials from the registry as soon as they have been used. |
| + | Note that Windows imposes a minimum password length of 12 characters, and a maximum of 16 characters, for iSCSI authentication; this scheme will silently break unless your password policy enforces an appropriate min/max password length of 12<-->16 characters. | ||
