GCPW - Log into the system through Google account

Hello everyone,
I would like to set up a couple of PCs in the school where I work with a full Manjaro system.
To do that I need to understand if it would be possible to allow users (students and teachers) to log into the PC using their Google Account (the school has activated Google Workspace).
I have already done that on all the Windows PCs (see GCPW…), but I’m quite confused on Linux, as I’m not so smart with it.
I have already made LDAP certificates in the Google Console and uploaded them into my own PC (in /var). I have installed sssd, configured and enabled the service. But I’m not sure this is the right way to get the point.
Can you give me some help?
Thanks in advance for the time you will spend on this and pardon my bad English!

Hello,

So you followed this? NFTF: Google Workspace | Secure LDAP and Linux Sign-In - Google Docs

1 Like

I am also not an expert on this, but as I understand it, you have to install openldap on the server and let that take care of authentication. :arrow_down:

From there on, it would probably be possible to have openldap import the pertinent Google accounts and use them for logins. :arrow_down:

https://unix.stackexchange.com/questions/528229/how-auth-in-linux-with-google-account

1 Like

Yes. But I still don’t understand how to authenticate myself on the PC using my Google Account. I’m confused.

I don’t even have a clear idea of how LDAP works. Anyway, it should be the bridge that lets users connect to Google servers to authenticate themselves. If I understand correctly, my PC should be the “client” and Google Console the “server”. Is that right?

I have configured sssd.conf… but NOW? I would like to see something in the login screen that lets me authenticate with my Google account.

No, the server is the machine that handles the authentication. As I understand you, you want people to log into your local network, so that would make your network’s server into the LDAP server.

If that is not what you have in mind, then by all means, correct me. :wink:

All PCs in my school are like the one I use at home. Directly linked to the web. No LAN. I don’t need an LDAP server in my school.
To do this on Windows PCs I followed the article that you can find if you search “gcpw google windows 10” in the Google search engine. (I see I can’t post links here…)

I wish I could explain in a better way. I have to improve my English!

I don’t think that is possible in GNU/Linux, or for that matter, any other type of UNIX.

You have to understand that UNIX is a fundamentally very different platform to Microsoft Windows. Windows authentication and multiuser functionality were only added on later, because Windows was initially designed to only be a graphical user interface on top of DOS, a single-user, single-tasking, non-networked operating system.

Conversely, UNIX was designed from the ground up as a multitasking and multiuser platform, with its own authentication handling. And this authentication can be offloaded onto a centralized LDAP server in a LAN, but it wasn’t designed to offload authentication to your local system via a web-based authentication host.

Besides — but this is my personal comment — do you really trust Google with handling the access to your computer? :astonished:

Meaning you have an LDAP-as-a-service from Google, available on G Suite Enterprise, G Suite Education Enterprise, or Cloud Identity Premium … that is why you do not need a local LDAP server. Either way, you have to access the Admin Console on your G Suite Service, and as stated in the first link I shared, you add there your clients and their details …
Then on your Manjaro Linux boxes you have to set up the client. That link describes how to do that on Ubuntu and Linux Mint, starting with some packages to install.

On an Arch-based distribution such as Manjaro, you will need the sssd package installed, and then everything as described here for the client:

https://wiki.archlinux.org/title/LDAP_authentication#Client_Setup

And what is described here goes more in depth, also about the certificates and the client side of things.
https://wiki.archlinux.org/title/OpenLDAP

You will have to do that on all your machines that will be clients.

1 Like
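
An added example, not part of any post in this thread and not code from Google or the Arch Wiki: a shell function that checks an sssd.conf used as a Secure LDAP client for the settings that protect the login path (file permissions, TLS on the LDAP connection, server certificate verification, and the client key that was placed under /var). The function name `audit_sssd_conf` and its helper names are this example's own; the option names are standard sssd-ldap options, and `stat -c` assumes GNU coreutils.

```shell
# Added example: audit an sssd.conf used as a Secure LDAP client config.
# Usage: audit_sssd_conf /etc/sssd/sssd.conf   (return code = number of findings)
audit_sssd_conf() {
    conf=$1
    findings=0
    # Print one finding and count it.
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }
    # Last value assigned to an option; whitespace around '=' is ignored.
    opt() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1; }

    [ -r "$conf" ] || { echo "cannot read $conf"; return 255; }

    # sssd expects its config to be accessible by its owner only.
    mode=$(stat -c '%a' "$conf")
    [ "$mode" = "600" ] || flag "$conf has mode $mode, expected 600"

    # User passwords travel over this connection: require LDAPS or StartTLS.
    case $(opt ldap_uri) in
        ldaps://*) ;;
        ldap://*) [ "$(opt ldap_id_use_start_tls)" = "true" ] ||
                      flag "ldap_uri is plaintext and StartTLS is not enabled" ;;
        *) flag "ldap_uri is missing or is not an LDAP URI" ;;
    esac

    # 'never' and 'allow' skip verification of the server certificate.
    case $(opt ldap_tls_reqcert) in
        never|allow) flag "ldap_tls_reqcert disables server certificate checks" ;;
    esac

    # The client key authenticates this machine to the directory service.
    key=$(opt ldap_tls_key)
    if [ -z "$key" ]; then
        flag "ldap_tls_key is not set"
    elif [ ! -f "$key" ]; then
        flag "key file $key does not exist"
    else
        kmode=$(stat -c '%a' "$key")
        case $kmode in
            *00|0) ;;
            *) flag "key file $key has mode $kmode, group/other can access it" ;;
        esac
    fi

    return "$findings"
}
```

Run it as root against the client's real config on each machine; a return code of 0 means none of the four checks fired.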

I need to use Google accounts because that way I can control what students do. Plus there is a privacy point of view.

Great, I’m going to study everything. I’ll ask for your help if I don’t understand something.
Many many thanks

1 Like