Chapter 11. User administration with WLUS in Webmin

During the installation of Skolelinux/Debian-edu (see Figure 7-6) you were asked to set a password. This password is the basis for 2 different passwords. One of them you use to log in to Webmin; it is also the root password. The other is the LDAP password. To change the root/Webmin password, you can either use the command passwd on the command line, or the program kdepasswd, which you find in K-menu->Run command ...->kdepasswd.


tjener:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

To change the LDAP-admin password, that is the one you use once inside Webmin when you want to add, delete or modify users, you use a script from the command line:


tjener:~# /usr/share/debian-edu-config/tools/passwd admin
Enter new password for user admin:
Reenter new password:
Enter LDAP Password:

Note

You can also use this script to change the passwords of other users.

Note

This should later be moved to Services out-of-the-box

11.1.

There are several systems for user information and administration in Skolelinux/Debian-edu, but we now use LDAP and the utility WLUS, not /etc/passwd and its accompanying commands such as adduser, useradd, etc.

To get access to Webmin, point your favourite web browser to the address https://tjener.intern:10000/ldap-users. You can use any web browser you want. You can also connect a Mac machine and run it from there, as long as the machine is within either of the Skolelinux/Debian-edu networks 10.0.2.0/23 or one of the 192.168.0.0/24 networks; otherwise you need some advanced port forwarding on your firewall/router.

Note

In the rare case that the link above doesn't take you directly to the correct Webmin module (Administrate users in ldap), but rather to the general Webmin start page, you find it under the tab System.

The first thing you see is a dialogue box where you log in as the user root, with the password you created during installation (see Figure 7-6).

If you log in as a regular user, you may change your own password. This is actually the only way a user's password should be changed; do not use the command passwd to change a user's password.

Warning

Never let the web browser remember this password!

After you have logged in to Webmin you will see this welcome screen for WLUS.

Because we haven't added any users yet, it would be natural for us to choose "New User(s)". But before we do that, we may want to adapt WLUS to our needs.

By clicking on "Module Config" we can change how strict we want our password policy to be, as well as where we want to put our users' home directories, plus other things. When you are done making your changes, click on "Save". Then you are ready to create new users. The first thing you need to do is make a test user. This is a user that functions as a template for setting things up exactly the way you want them to be for all of your users. Have a look at Chapter 10.

Note

All of this configuration is stored in the file /etc/webmin/ldap-users/config, which you can edit directly with a text editor such as nano.

11.1.1. Manually move a home directory and update the information in LDAP

If you prefer to have your users grouped into different directories, for example according to which group they belong to, you change that here, in the field "The prefix of the user home directory". Make sure you first create that subdirectory with mkdir /skole/tjener/home0/2006; then you can use /skole/tjener/home0/2006 in the prefix field. From then on, all users that you create will be placed in /skole/tjener/home0/2006; change the prefix again later when you want users placed elsewhere.

If you forget to set the right prefix in the configuration, you can run a script on the command line that will rectify that error.

Let's take the user demo4 as an example. Say we would like him to have his home directory in /skole/tjener/home0/2006, but we forgot to change the prefix parameter in the config file, so we must do it manually afterwards. First we must create the directory 2006 in /skole/tjener/home0, then we must move the user's home directory and update the information in the LDAP database.

First let's see what information we have on the user demo4.


tjener:~# getent passwd demo4
demo4:x:10016:10016:Test User:/skole/tjener/home0/demo4:/bin/bash

Here we clearly see that the user has the home directory /skole/tjener/home0/demo4. Then we run the script without any arguments, so that it tells us what arguments it expects:

tjener:~# /usr/share/debian-edu-config/tools/movehome
usage:\n\t/usr/share/debian-edu-config/tools/movehome <username> <newhome>

Now that we know the arguments it expects, let's use them:

tjener:~# /usr/share/debian-edu-config/tools/movehome demo4 /skole/tjener/home0/2006
ldap_initialize( ldaps://ldap/ )
Enter LDAP Password:
replace homeDirectory:
        /skole/tjener/home0/2006/demo4
modifying entry "uid=demo4,ou=People,dc=skole,dc=skolelinux,dc=no"
modify complete

Notice that the argument <newhome> doesn't include the username portion of the home directory. Let's now restart the name service caching daemon, to speed up the updating of this new user information:

tjener:~# /etc/init.d/nscd restart

Now let's see if this user's home directory has a new location, and that this information is also reflected in the LDAP database.

tjener:~# ls -lh /skole/tjener/home0/2006/
total 4,0K
drwxr-xr-x  5 demo4 demo4 4,0K 2005-11-21 17:47 demo4

The home directory has been moved.

tjener:~# getent passwd demo4
demo4:x:10016:10016:Test User:/skole/tjener/home0/2006/demo4:/bin/bash

The information has been updated in the LDAP database as well.

Warning

Although this seemed relatively easy to do, the consequences of doing something wrong are huge. If you type the wrong password, the home directory will be moved, but the information in the LDAP database will not change; you are then left with a user where the system thinks the home directory is somewhere other than where it actually is. The solution: call someone who can repair your LDAP database by hand, or delete and add that user again. The script itself contains these calming words:


# This tools take 2 parameters
# User name and the location of the new home directory
# use at own risk
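A check for the failure mode described in the warning, added here as an example (it is not part of the movehome script or of Skolelinux): it compares the home directories recorded in LDAP, as seen through getent passwd, with what exists on disk under /skole/tjener/home0, and reports users whose recorded directory is missing, together with any directory of that name found one level further down (such as a year subdirectory). The main block runs getent on the server; the functions themselves work on constructed lines and a constructed set of directories.

```python
import os
import subprocess

HOME_ROOT = "/skole/tjener/home0"   # Skolelinux home root used in this chapter

def parse_passwd(lines):
    """Yield (username, home) from passwd-format lines such as 'getent passwd' prints."""
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) == 7:
            yield fields[0], fields[5]

def find_mismatched_homes(passwd_lines, existing_dirs, home_root=HOME_ROOT):
    """Report users whose recorded homeDirectory does not exist on disk.

    Returns {username: (recorded_home, [directories under home_root named after
    the user])}, so a home that was moved (e.g. into a year subdirectory) while
    LDAP still points at the old path shows up together with its real location.
    existing_dirs is passed in explicitly so the check runs on constructed data
    as well as on the real server."""
    existing = set(existing_dirs)
    mismatches = {}
    for user, home in parse_passwd(passwd_lines):
        if not home.startswith(home_root + "/") or home in existing:
            continue
        candidates = sorted(d for d in existing
                            if d.startswith(home_root + "/") and os.path.basename(d) == user)
        mismatches[user] = (home, candidates)
    return mismatches

def directories_under(root, depth=2):
    """Collect directory paths below root, at most `depth` levels down
    (home0/<user> and home0/<year>/<user>); does not descend into user files."""
    found = set()
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            found.add(os.path.join(dirpath, d))
        if dirpath[len(root):].count(os.sep) + 1 >= depth:
            dirnames[:] = []           # stop os.walk from going deeper
    return found

if __name__ == "__main__":
    # On tjener: compare the NSS passwd database (served from LDAP) with the disk.
    passwd = subprocess.run(["getent", "passwd"], capture_output=True,
                            text=True, check=True).stdout.splitlines()
    for user, (recorded, actual) in find_mismatched_homes(passwd, directories_under(HOME_ROOT)).items():
        print(f"{user}: LDAP says {recorded}, on disk: {', '.join(actual) or 'not found'}")
```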

11.1.2. New user

Now you should be ready to create new users. The first thing you should do is to create a test user. This is a user that you use as a template for setting things up exactly the way you want them to be for all of your users. Have a look at Chapter 10. There are two different ways to add new users: either one at a time, or a whole bunch at once using a file import with a so-called semicolon-separated file (;). By clicking on "New User(s)" you get a rather long page. At the top is the possibility to add users manually one by one, by providing first/last name together with a password, if desired. A little farther down the page, you find the possibility to add several users at once, "Add users from file".

When you add a user in this way, the computer provides the username and, if you want, the password as well. But you can override this by ticking "Common password - Yes" and then typing in the password you want.

Remember to also choose what kind of role you want the new user to have.

Warning

Be very careful about whom you add to the group admin; one day a regime will be in place where the members of that group are able to change the passwords of other users.

Note

Make sure that a normal user doesn't get the role admin; that user may then possibly in the future be able to change the passwords of other users.

When new users have been added using WLUS, you get a receipt with information about name, username and password, in a format that makes it easy to print out, cut up and give to the user.

11.1.3. New users

It is also possible to add an entire class of users, or even a whole school, by using the other way of adding users, that is the so-called semicolon-separated file. You can use a spreadsheet to create your batch of users, and then "save as" CSV (comma-separated values). 10 users, with username, first name, last name and password, might look like this.

This file is formatted with the different fields separated by a semicolon. You can create this file by exporting from the school's database of attending pupils to a semicolon-separated file, by exporting from OpenOffice.org Calc/Excel, or by using a regular, simple text editor such as nano. Most school administrative systems also have the option of exporting to CSV format.

In order to use the file import function, you have to scroll down to the bottom of the page, where you find a dialogue box for adding users from file. Click on browse to find your file with the semicolon-separated users. When you have found that file, click on "Add users from file".

When the file with the users has been read, you will see the different semicolon-separated items listed in different columns. At the top of each column you choose the name for its content; as a minimum you should have first name and last name.

When you add users from file, you get a nice list of the new users' usernames and passwords, in a format that is easy to print out and distribute to the users.
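As an added example (not WLUS code), a small Python script that turns a comma-separated export from a spreadsheet or school-administration system into the semicolon-separated file described above, giving each pupil a random initial password, and that refuses rows with an empty name or a semicolon inside a name, since such a row would shift every following column during the import. The column order first;last;password is a choice made for this example; the meaning of each column is assigned in WLUS after the upload.

```python
import csv
import io
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

def initial_password(length=10):
    """Random initial password for the printed receipt; the pupil changes it in Webmin later."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def build_import_file(pupil_rows, make_password=initial_password):
    """Turn (first name, last name) pairs into the semicolon-separated text WLUS reads,
    one 'first;last;password' line per pupil. Returns (text, problems): rows with an
    empty name, or a semicolon inside a name (which would shift every following
    column in the import), are reported in problems instead of being written."""
    lines, problems = [], []
    for n, (first, last) in enumerate(pupil_rows, start=1):
        first, last = first.strip(), last.strip()
        if not first or not last:
            problems.append(f"row {n}: missing first or last name")
        elif ";" in first or ";" in last:
            problems.append(f"row {n}: semicolon inside a name: {first!r} {last!r}")
        else:
            lines.append(";".join((first, last, make_password())))
    return "".join(line + "\n" for line in lines), problems

def rows_from_csv(text, delimiter=","):
    """Read a comma-separated export (first name, last name in the first two columns),
    as produced by 'save as CSV' in OpenOffice.org Calc or Excel."""
    return [(row[0], row[1]) for row in csv.reader(io.StringIO(text), delimiter=delimiter)
            if len(row) >= 2]

# Constructed sample export; not real pupil data.
SAMPLE_EXPORT = """Kari,Nordmann
Ola,Nordmann
,Hansen
Per;Arne,Olsen
"""

if __name__ == "__main__":
    text, problems = build_import_file(rows_from_csv(SAMPLE_EXPORT))
    print(text, end="")
    for problem in problems:
        print("skipped", problem)
```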

11.1.7. Changing the LDAP-Admin Password

In order to make changes in LDAP, such as adding users, changing passwords, etc., you must give a password, the so-called LDAP-admin password. This password is created during installation; see Figure 7-6. It is one of 2 administrative passwords. The other is the root password (see Figure 7-6), which is also the one you use to log in to Webmin.

The LDAP-admin password is changed from the command line with this command:

/usr/share/debian-edu-config/tools/passwd admin

Then you will be asked to provide the new password twice, as well as to type in the old one:

/usr/share/debian-edu-config/tools/passwd admin
Enter new password for user admin: 
Reenter new password: 
Enter bind password:

11.1.8. Direct Editing of Files in the LDAP-Database.

By using the command

slapcat -l /root/users.ldif

you will get a pure text file that contains the LDAP database, in this case the file named /root/users.ldif. This is a so-called LDIF file, hence the file type "ldif". You must stop the slapd LDAP daemon before you produce this LDIF file. This, along with stopping nscd (Name Service Cache Daemon), is done with the commands

/etc/init.d/slapd stop
/etc/init.d/nscd stop
slapcat -l /root/users.ldif

Be aware that when you stop slapd, no one can log in. Afterwards you have to start it up again.

/etc/init.d/slapd start
/etc/init.d/nscd start

You can edit the file /root/users.ldif with the help of your favourite text editor, for example nano (Section 8.2.2).

In this file you can make changes in usernames, home directories, groups, etc., the same as when you use the user administration module in Webmin (Chapter 11). The advantage of using an LDIF file is that you can change several things at once. This is the file you use if you have to reinstall and want to use the same usernames and passwords again; it is a little tedious to have to hand out 1000 new usernames and passwords.
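An added example of the "several things at once" point, not part of Skolelinux or of slapcat: a Python script that reads an LDIF dump as slapcat writes it (records separated by blank lines, folded continuation lines starting with a space, base64 values after "::") and moves the homeDirectory of a chosen set of users from one prefix to another, leaving all other entries untouched. The two-entry dump in the script is constructed for the example.

```python
import base64
def ldif_records(text):
    """Split slapcat output into records (lists of 'attr: value' lines); blank lines
    separate records, a leading space folds a line onto the previous one, # is a comment."""
    records, current = [], []
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and current:
            current[-1] += line[1:]
        elif line == "":
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            current.append(line)
    return records

def decode(line):
    """Return (attribute, value); 'attr:: xxx' carries a base64-encoded value."""
    attr, _, value = line.partition(":")
    if value.startswith(":"):
        return attr, base64.b64decode(value[1:].strip()).decode("utf-8")
    return attr, value.strip()

def move_home_prefix(text, usernames, old_prefix, new_prefix):
    """Rewrite homeDirectory from old_prefix/<uid> to new_prefix/<uid> for the given
    usernames; other entries are copied unchanged. Returns (new text, users changed)."""
    out, changed = [], []
    for record in ldif_records(text):
        uid = dict(decode(l) for l in record).get("uid")
        for i, line in enumerate(record):
            attr, value = decode(line)
            if attr == "homeDirectory" and uid in usernames and value == f"{old_prefix}/{uid}":
                record[i] = f"homeDirectory: {new_prefix}/{uid}"
                changed.append(uid)
        out.append("\n".join(record))
    return "\n\n".join(out) + "\n", changed

# Constructed two-entry dump in the shape slapcat produces (not a real database).
SAMPLE_LDIF = """dn: uid=demo4,ou=People,dc=skole,dc=skolelinux,dc=no
uid: demo4
cn:: VGVzdCBVc2Vy
homeDirectory: /skole/tjener/home0/demo4

dn: uid=demo1,ou=People,dc=skole,dc=skolelinux,dc=no
uid: demo1
homeDirectory: /skole/tjener/home0/demo1
"""

if __name__ == "__main__":
    print(move_home_prefix(SAMPLE_LDIF, {"demo4"}, "/skole/tjener/home0", "/skole/tjener/home0/2006")[0])
```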

11.1.9. How to Start with a New "Fresh" LDAP Database?

Sometimes you can get in a situation where someone has experimented a little too much with various configurations, maybe so much that reinstallation would be the easiest thing to do.

If that happens with LDAP, there is a simpler way to "start from scratch" than to reinstall the whole system. You can delete your LDAP database that doesn't function the way you want it to, and then put in a new and unused one, in the same condition as it was right after installation. This means that all of your current users will be deleted.

The first thing you have to do is to make a copy of your current LDAP database, no matter whether it functions or not.

11.1.10. Delete a user, or group of users

If you want to delete users, you have the choice of deleting them one by one, or deleting a whole group of users at once. When you just want to delete one user, you first find that user, then tick the selection box and delete him; simple. If you want to delete a whole group of users, you search based on groups; you then see a new option, "Delete Selected and all users in groups", which will delete that group and all users in that group as well.

Notice that when you delete a user in WLUS, it doesn't really get deleted; it is more like a permanent form of disabling. The user is still in the LDAP database, and the home directory is still there. This makes it impossible to re-create a user with the same username, because it is already there, but disabled. Have a look at the contents of /skole/tjener/home0:


d---------   5   10013   10013  4096 2005-11-21 17:47 demo1
d---------   5   10022   10022  4096 2005-11-21 17:47 demo10
d---------   5   10014   10014  4096 2005-11-21 17:47 demo2
d---------   5   10015   10015  4096 2005-11-21 17:47 demo3
d---------   5   10017   10017  4096 2005-11-21 17:47 demo5
d---------   5   10019   10019  4096 2005-11-21 17:47 demo7
d---------   5   10020   10020  4096 2005-11-21 17:47 demo8
d---------   5   10021   10021  4096 2005-11-21 17:47 demo9

The home directories of the just-deleted users are still there, but notice the permissions: they are ownerless (the listing shows only numeric UIDs and GIDs, since the names no longer resolve) and without any permissions at all.

If you really want to remove and delete these users from the system, removing their home directories and usernames from the LDAP database, there is a script that will do that for you: /usr/share/debian-edu-config/tools/ldap-user-clean-attic.sh. Let's run it without any arguments to see what it expects:


tjener:~# /usr/share/debian-edu-config/tools/ldap-user-clean-attic.sh

usage: /usr/share/debian-edu-config/tools/ldap-user-clean-attic.sh <NUMBER_OF_DAYS>
  where NUMBER_OF_DAYS is the limit of which to delete users
  users will be delete from the "attic"
  and their home directory will be removed

So running it with the argument 0 will delete all deleted users:

tjener:~# /usr/share/debian-edu-config/tools/ldap-user-clean-attic.sh 0
Enter LDAP Password: