Free Software at Schools: Installing and Maintaining a Skolelinux/Debian-edu Network; Based on Debian Sarge, prerelease pr05
During the installation of Skolelinux/Debian-edu (see Figure 7-6) you were asked to set a password. This password is the basis for 2 different passwords. One of them you use to log in to Webmin; it is also the root password. The other is the LDAP password. To change the root/Webmin password, you can either use the command passwd on the command line, or you can use the program kdepasswd, which you find in -> -> .
tjener:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
To change the LDAP-admin password, i.e. the one you use once inside Webmin when you want to add/delete/modify users, you use a script from the command line:
tjener:~# /usr/share/debian-edu-config/tools/passwd admin
Enter new password for user admin:
Reenter new password:
Enter LDAP Password:
You could also use this script to change the password of users.
This should later be moved to Services out-of-the-box
There are several systems for user information and administration in Skolelinux/Debian-edu, but for now we use LDAP and the utility WLUS, and not /etc/passwd and its accompanying commands such as adduser, useradd, etc.
To get access to Webmin, point your favourite web browser to the address https://tjener.intern:10000/ldap-users. You can use any web browser you want. You can also connect a Mac machine and run it from there, as long as the machine is within either of the Skolelinux/Debian-edu networks, 10.0.2.0/23 or one of the 192.168.0.0/24 networks; otherwise you need some advanced port forwarding on your firewall/router.
In the rare case that the link above doesn't take you directly to the correct Webmin module ("Administrate users in ldap"), but rather to the general Webmin start page, you find it under the tab "System".
If you log in as a regular user, you may change your own password. This is actually the only way a user's password should be changed; do not use the command passwd to change a user's password.
Never let the web browser remember this password!!!
Because we haven't added any users yet, it would be natural for us to choose "New User(s)". But before we do that, we may want to adapt WLUS to our needs.
All this configuration is stored in the file /etc/webmin/ldap-users/config, which you can edit directly with a text editor, such as nano.
If you prefer to have your users grouped into different directories, maybe according to which group they belong to, then you change that here, in the field "The prefix of the user home directory". Make sure you first create that sub-directory, with mkdir /skole/tjener/home0/2006; then you can use /skole/tjener/home0/2006 in the prefix field. From then on, all users that you create will be placed in /skole/tjener/home0/2006; change that later when you want users placed elsewhere.
If you forget to use the right prefix in the configuration, you have the possibility of running a script on the commandline that will rectify that error.
Let's take as an example the user demo4. Say we would like him to have his home directory in /skole/tjener/home0/2006, but we forgot to change the prefix parameter in the config file, so we must do it manually later. First we must create the directory 2006 in /skole/tjener/home0, then we must move the user's home directory and update the info in the LDAP database.
First, let's see what kind of info we have on the user demo4.
tjener:~# getent passwd demo4
demo4:x:10016:10016:Test User:/skole/tjener/home0/demo4:/bin/bash
Here we clearly see that the user has his home directory in /skole/tjener/home0/demo4. Then we run the script without any arguments, so that it tells us what arguments it expects:
tjener:~# /usr/share/debian-edu-config/tools/movehome
usage:
	/usr/share/debian-edu-config/tools/movehome <username> <newhome>
Now that we know the arguments it expects, let's use them:
tjener:~# /usr/share/debian-edu-config/tools/movehome demo4 /skole/tjener/home0/2006
ldap_initialize( ldaps://ldap/ )
Enter LDAP Password:
replace homeDirectory:
	/skole/tjener/home0/2006/demo4
modifying entry "uid=demo4,ou=People,dc=skole,dc=skolelinux,dc=no"
modify complete
Notice that the argument <newhome> doesn't include the username portion of the home directory. Let's now restart the name service caching daemon, to speed up the updating of this new user information:
tjener:~# /etc/init.d/nscd restart
Now let's see if this user's home directory has a new location, and whether this information is also reflected in the LDAP database.
tjener:~# ls -lh /skole/tjener/home0/2006/
total 4,0K
drwxr-xr-x 5 demo4 demo4 4,0K 2005-11-21 17:47 demo4
The home directory has been moved.
tjener:~# getent passwd demo4
demo4:x:10016:10016:Test User:/skole/tjener/home0/2006/demo4:/bin/bash
The info has been updated in the LDAP database as well.
Although this seemed relatively easy to do, the implications of doing something wrong are huge. If you type the wrong password, the home directory will be moved, but the info in the LDAP database will not change; you are then left with a user where the system thinks the home directory is somewhere else than it actually is. The solution: call someone who can hack your LDAP database, or delete and add that user again. The script itself contains these calming words:
# This tools take 2 parameters
# User name and the location of the new home directory
# use at own risk
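As an added example (not code from the manual or from debian-edu-config), here is a check that catches the failure mode just described: it reads passwd-format lines, as getent passwd prints them, and reports every account whose home directory does not exist on disk. The minimum uid of 10000 is an assumption taken from the uids of the manual's demo users.

```shell
# Added example, not from the manual or debian-edu-config: after a
# movehome run, confirm that each LDAP account's homeDirectory really
# exists on disk, which is exactly what goes wrong when movehome gets
# a wrong LDAP password. Reads passwd-format lines on stdin, e.g.
#   getent passwd | check_home_dirs 10000
# Accounts below the minimum uid (assumed 10000, the range the manual's
# demo users sit in) are skipped. Exit status is non-zero if any
# account points at a directory that does not exist.
check_home_dirs() {
    min_uid="${1:-10000}"
    missing=0
    while IFS=: read -r user _pw uid _gid _gecos home _shell; do
        [ -n "$uid" ] || continue
        [ "$uid" -ge "$min_uid" ] 2>/dev/null || continue
        if [ ! -d "$home" ]; then
            echo "MISSING $user $home"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample (no real server needed): demo4 was moved correctly,
# demo5's LDAP entry still points at a directory that is not there.
demo_check_home_dirs() {
    base=$(mktemp -d)
    mkdir -p "$base/home0/2006/demo4"
    printf '%s\n' \
        "root:x:0:0:root:/root:/bin/bash" \
        "demo4:x:10016:10016:Test User:$base/home0/2006/demo4:/bin/bash" \
        "demo5:x:10017:10017:Test User:$base/home0/demo5:/bin/bash" \
        | check_home_dirs 10000
    status=$?
    rm -rf "$base"
    return "$status"
}
```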
Now you should be ready to create new users. The first thing you should do is to create a test user. This is a user that you use as a template for setting up things exactly the way you want them to be for all of your users. Have a look at Chapter 10. There are two different ways to add new users: either one at a time, or a whole bunch at once using a file import with a so-called semicolon-separated file (;). By clicking on "New User(s)" you get a rather long page. At the top is the possibility to add users manually one by one, by providing first/last name, together with a password if desired. A little farther down the page, you find the possibility to add several users at once, "Add users from file".
When you add a user in this way, the computer provides the username, and if you want, the password as well. But you can override this by ticking "Common password - Yes" and then typing in the password you want.
Remember to also choose what kind of role you want the new user to have.
Be very careful with whom you add to the group admin: one day there will be a regime in place where those who are members of that group are able to change the passwords of other users.
Make sure that a normal user doesn't get the role admin, since that user may then possibly in the future be able to change the passwords of other users.
This file is formatted with the different fields separated by a semicolon. You can create this file by exporting it to a semicolon-separated file from the school's database of attending pupils, or by exporting from OpenOffice.org Calc/Excel, or by using a regular, simple text editor such as nano. Most school-administrative systems also have the option of exporting to CSV format.
This is not done by WLUS. See the manual home-directory move described above.
If you search based on groups, you have the possibility to disable a whole group of users with just one click.
The result of having chosen "Disable Login" is seen as a fine red cross for that user.
You first search for the user in question, either by his full name or by his login name; once you have found him, click on "User Data". This will bring up an interface where you can change the user's password.
If the user knows his password, he can change it himself to something else, also using any web browser and the address https://tjener.intern:10000/ldap-users
The user uses his own username and password to log in to Webmin.
When an ordinary user logs in to Webmin, he only has access to WLUS, and only to the part concerning himself.
The new desired password must be entered twice, once in the field "User's Password" and again in "Reconfirm User's Password", together with the old password in the field "Old Password"; also do not forget to press "Commit User Data Changes".
Look out for the feedback written in red at the top, saying "Change was successful!!". If you don't see this, something went wrong.
You can change the password for a user from the command line if you know the person's username.
/usr/share/debian-edu-config/tools/passwd username
You will be asked to type in a new password twice, and then finally you must type in the LDAP-administrator password.
In order to make changes in LDAP, such as adding users, changing passwords, etc, you must give a password, the so-called LDAP-admin password. This password is created during installation; see Figure 7-6. This password is one of 2 administrative passwords. The other is the root password, see Figure 7-6, which also is the one you use to login to Webmin with.
The LDAP-admin password is changed from the command line with this command:
/usr/share/debian-edu-config/tools/passwd admin
Then you will be asked to provide the new password twice, as well as to type in the old one.
/usr/share/debian-edu-config/tools/passwd admin
Enter new password for user admin:
Reenter new password:
Enter bind password:
By using the command
slapcat -l /root/users.ldif
you will get a plain text file that contains the LDAP database. In this case, this is the file named /root/users.ldif. This is a so-called ldif-file, hence the file type "ldif". You must stop the slapd LDAP daemon, and also nscd (the Name Service Cache Daemon), before you export this ldif-file; the export itself is done with the command
slapcat -l /root/users.ldif
You can edit this file /root/users.ldif with the help of your favourite text editor, for example nano; see Section 8.2.2.
In this file you can make changes to usernames, home directories, groups, etc., the same as when you use the user administration module in Webmin, Chapter 11. The advantage of using an ldif-file is that you can change several things at once. This is the file you use if you have to reinstall and want to use the same usernames and passwords again; it is a little tedious to have to hand out 1000 new usernames and passwords.
This doesn't currently work as expected in Sarge, due to some problematic Samba SID that changes across reinstallations.
Sometimes you just have to do a reinstallation. In order not to inconvenience the users too much, it's nice to let them keep using their old passwords and usernames. If you have that specific ldif-file from LDAP, then you can just put it in the new installation and your users will be able to continue to use their old usernames and passwords.
Recipe for Carrying Over the LDAP Database
On the old server, before you do the reinstallation, take out an ldif-file from LDAP:
slapcat -l /root/users.ldif
Remember that when slapd is stopped, no one can log in.
Move this file, /root/users.ldif, over to the new installation, either by using a USB-pendrive, or by using a CD.
In order to be able to put in the old LDAP database with the help of your users.ldif, you have to delete the one that is already there. The database files are found in /var/lib/ldap. A good way to get rid of them is to move them to another directory, just in case you need them later.
mv /var/lib/ldap/* /root/dbb
slapadd -l users.ldif
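Before you move users.ldif to the new server, it is worth confirming that the export is complete. The following is an added example (not from the manual or debian-edu-config): a small LDIF reader that lists each posixAccount and flags entries missing uid, uidNumber, homeDirectory or userPassword; the sample data is constructed, reusing the DN suffix from the movehome output above.

```shell
# Added example, not from the manual or debian-edu-config: check that
# every posixAccount in a "slapcat -l" export still carries what a user
# needs to log in on the new server (uid, uidNumber, homeDirectory,
# userPassword). Reads LDIF on stdin; exit status is non-zero if any
# account is incomplete. Assumes plain LDIF as slapcat writes it:
# blank-line separated entries, "attr: value" or "attr:: base64",
# folded continuation lines starting with a space (ignored here).
check_users_ldif() {
    awk '
    function flush(   k) {
        if (acct) {
            n++
            printf "%s uidNumber=%s home=%s\n", a["uid"], a["uidnumber"], a["homedirectory"]
            if (!("uid" in a) || !("uidnumber" in a) || !("homedirectory" in a) || !("userpassword" in a)) {
                printf "INCOMPLETE entry %s\n", a["dn"]; bad++
            }
        }
        for (k in a) delete a[k]; acct = 0
    }
    /^ /  { next }
    /^$/  { flush(); next }
    {
        if (!match($0, /^[^:]+::? /)) next
        key = tolower(substr($0, 1, index($0, ":") - 1))
        a[key] = substr($0, RLENGTH + 1)
        if (key == "objectclass" && tolower(a[key]) == "posixaccount") acct = 1
    }
    END { flush(); printf "%d accounts, %d incomplete\n", n, bad; exit (bad > 0) }
    '
}

# Constructed sample, not a real export: demo4 is complete, demo5 has
# no userPassword, the ou entry is not an account and must be ignored.
demo_check_users_ldif() {
    check_users_ldif <<'EOF'
dn: ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: organizationalUnit
ou: People

dn: uid=demo4,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
uid: demo4
uidNumber: 10016
homeDirectory: /skole/tjener/home0/2006/demo4
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwtaGFzaA==

dn: uid=demo5,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
uid: demo5
uidNumber: 10017
homeDirectory: /skole/tjener/home0/demo5
EOF
}
```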
Sometimes you can get in a situation where someone has experimented a little too much with various configurations, maybe so much that reinstallation would be the easiest thing to do.
If that happens with LDAP, there is a simpler way to "start from scratch" than to reinstall the whole system. You can delete your LDAP database that doesn't function the way you want it to, and then put in a new and unused one, in the same condition as it was right after installation. This means that all of your current users will be deleted.
The first thing you have to do is to make a copy of your current LDAP database, no matter whether it functions or not.
Stop the slapd daemon and nscd.
Make a copy of the old LDAP database, that is, create a so-called ldif-file:
slapcat -l /root/ldap.old.ldif
Delete the old LDAP database:
mv /var/lib/ldap/* /root/dbb.old
Now you can put in a new, clean LDAP database with the command
Delete the home directories of the users whom you have just thrown out. 'rm -rf' deletes the entire directory without asking any questions. Be careful!
rm -rf /skole/tjener/home/user1
rm -rf /skole/tjener/home/user2
Be aware that you are now permanently deleting these home directories. Just in case you might regret this action later, it's wise to take a backup before you delete them. See Section 9.4.
If this doesn't work, you can put the old LDAP database back again:
mv /var/lib/ldap/* /root/dbb2.old
slapadd -l /root/ldap.old.ldif
Once in a while, it's wise to make a copy of the LDAP database:
slapcat -l /root/ldap.TodaysDate.ldif
If you want to delete users, you have the choice of deleting one by one, or deleting a whole group of users at once. When you just want to delete one user, you first find that user, then place a mark in the selection box, and delete him; simple. If you want to delete a whole group of users, you search based on groups; you then see a new option, "Delete Selected and all users in groups", which will delete that group and all users in that group as well.
Notice that when you delete a user in WLUS, it doesn't really get deleted; it is more like a permanent form of disabling. The user is still in the LDAP database, and the home directory is still there. This makes it impossible to re-create a user with the same username, because it's already there, but disabled. Have a look at the contents of /skole/tjener/home0:
d--------- 5 10013 10013 4096 2005-11-21 17:47 demo1
d--------- 5 10022 10022 4096 2005-11-21 17:47 demo10
d--------- 5 10014 10014 4096 2005-11-21 17:47 demo2
d--------- 5 10015 10015 4096 2005-11-21 17:47 demo3
d--------- 5 10017 10017 4096 2005-11-21 17:47 demo5
d--------- 5 10019 10019 4096 2005-11-21 17:47 demo7
d--------- 5 10020 10020 4096 2005-11-21 17:47 demo8
d--------- 5 10021 10021 4096 2005-11-21 17:47 demo9
The home directories of the users you just deleted are still there, but notice the permissions: they are ownerless (only a numeric uid remains) and without any permissions at all.
If you really want to remove and delete these users from the system, i.e. remove their home directories and usernames from the LDAP database, there is a script that will do that for you: /usr/share/debian-edu-config/tools/ldap-user-clean-attic.sh. Let's run it without any arguments and see what it expects:
tjener:~# /usr/share/debian-edu-config/tools/ldap-user-clean-attic.sh
usage: /usr/share/debian-edu-config/tools/ldap-user-clean-attic.sh <NUMBER_OF_DAYS>
where NUMBER_OF_DAYS is the limit of which to delete users
users will be delete from the "attic" and their home directory will be removed
So running it with the argument 0 will delete all deleted users.
tjener:~# /usr/share/debian-edu-config/tools/ldap-user-clean-attic.sh 0
Enter LDAP Password: