<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix id="a_lamdaemon">
  <title>Setup for home directory and quota management</title>

  <para>Lamdaemon.pl is used to modify quota and home directories on a
  remote or local host via SSH (even if homedirs are located on
  localhost).</para>

  <para>If you want to use it, you have to set up the following things to get
  it to work:</para>

  <section>
    <title>Installation</title>

    <para>First of all, you need to install lamdaemon.pl on your remote
    server where LAM should manage homedirs and/or quota. This is usually a
    different server than the one where LAM is installed, but it is no
    problem if it is the same.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/lamdaemonServers.png" />
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Debian based (e.g. also
    Ubuntu)</emphasis></para>

    <para>Please install the lamdaemon DEB package on your quota/homedir
    server.</para>

    <para><emphasis role="bold">RPM based (Fedora, CentOS, Suse,
    ...)</emphasis></para>

    <para>Please install the lamdaemon RPM package on your quota/homedir
    server.</para>

    <para><emphasis role="bold">Other</emphasis></para>

    <para>Please copy lib/lamdaemon.pl from the LAM tar.bz2 package to your
    quota/homedir server. The location may be anywhere (e.g. use
    /opt/lamdaemon). Please make the lamdaemon.pl script executable.</para>
  </section>

  <section id="a_lamdaemonConf">
    <title>LDAP Account Manager configuration</title>

    <itemizedlist>
      <listitem>
        <para>Set the remote or local host in the configuration (e.g.
        127.0.0.1).</para>
      </listitem>

      <listitem>
        <para>Path to lamdaemon.pl, e.g.
        /srv/www/htdocs/lam/lib/lamdaemon.pl. If you installed a Debian or
        RPM package then the script will be located at
        /usr/share/ldap-account-manager/lib/lamdaemon.pl.</para>
      </listitem>

      <listitem>
        <para>Your LAM admin user must be a valid Unix account. It needs to
        have the object class "posixAccount" and an attribute "uid". This
        account must be accepted by the SSH daemon of your home directory
        server. Do not create a second local account but change your system
        to accept LDAP users. You can use LAM to add the Unix account part
        to your admin user or create a new account. Please do not forget to
        set up LDAP write access (<ulink
        url="http://www.openldap.org/doc/admin24/access-control.html">ACLs</ulink>)
        if you create a new account.</para>
      </listitem>
    </itemizedlist>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/lamdaemon.png" />
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Note that the builtin admin/manager entries do not work for
    lamdaemon. You need to login with a Unix account.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/lamdaemon1.png" />
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">OpenLDAP ACL location:</emphasis></para>

    <para>The access rights for OpenLDAP are configured in
    /etc/ldap/slapd.conf or
    /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif.</para>
  </section>

  <section>
    <title>Setup sudo</title>

    <para>The perl script has to run as root. Therefore we need a wrapper,
    sudo. Edit /etc/sudoers on the host where homedirs or quotas should be
    used and add the following line:</para>

    <para>$admin ALL= NOPASSWD: $path_to_lamdaemon *</para>

    <para><emphasis>$admin</emphasis> is the admin user from
    LAM (must be a valid Unix account) and
    <emphasis>$path_to_lamdaemon</emphasis> is the path to
    lamdaemon.pl.</para>

    <para><emphasis role="bold">Example:</emphasis></para>

    <para>myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
    *</para>

    <para>You might need to run the sudo command once manually to init sudo.
    The command "sudo -l" will show all possible sudo commands of the
    current user.</para>

    <para><emphasis role="bold">Attention:</emphasis> Please do not use the
    options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers.
    Otherwise you might get errors like "you must have a tty to run sudo" or
"no tty present and no askpass program specified".</para>
  </section>

  <section>
    <title>Setup Perl</title>

    <para>We need an extra Perl module - Quota. To install it, run:</para>

    <simplelist>
      <member>perl -MCPAN -e shell</member>
      <member>install Quota</member>
    </simplelist>

    <para>If your Perl executable is not located in /usr/bin/perl you will
    have to edit the path in the first line of lamdaemon.pl. If you have
    problems compiling the Perl modules try installing a newer release of
    your GCC compiler and the "make" application.</para>

    <para>Several Linux distributions already include a quota package for
    Perl.</para>
  </section>

  <section>
    <title>Set up SSH</title>

    <para>Your SSH daemon must offer the password authentication method. To
    activate it just use this configuration option in
    /etc/ssh/sshd_config:</para>

    <para>PasswordAuthentication yes</para>
  </section>

  <section>
    <title>Troubleshooting</title>

    <para>If you have problems managing quotas and home directories then
    these points might help:</para>

    <itemizedlist>
      <listitem>
        <para>There is a test page for lamdaemon: Login to LAM and open
        Tools -> Tests -> Lamdaemon test</para>
      </listitem>

      <listitem>
        <para>Check /var/log/auth.log or its equivalent on your system. This
        file contains messages about all logins. If the ssh login failed
        then you will find a description of the reason here.</para>
      </listitem>

      <listitem>
        <para>Set sshd in debug mode. In /etc/ssh/sshd_config add these
        lines:</para>

        <simplelist>
          <member>SyslogFacility AUTH</member>
          <member>LogLevel DEBUG3</member>
        </simplelist>

        <para>Now check /var/log/syslog for messages from sshd.</para>
      </listitem>
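<para>The NOPASSWD rule above makes lamdaemon.pl a root boundary: whoever can modify the script can run code as root through sudo. The following shell snippet is an added example, not part of LAM or its documentation; it checks that the documented rule is present (with the upper-case ALL keyword) and that the script is owned as expected and not writable by group or others. The user name myAdmin and the temporary paths are constructed for the demo.</para>

```shell
#!/bin/sh
# Added example, not part of LAM. Checks the sudoers rule this section asks
# for, and the file mode of the script that rule grants root for. The name
# myAdmin and the temporary paths are constructed for the demo.

# has_lamdaemon_rule SUDOERS ADMIN SCRIPT
# Succeeds if SUDOERS holds the documented rule "ADMIN ALL= NOPASSWD: SCRIPT *".
# Whitespace is flexible, but the host keyword must be upper-case ALL:
# sudoers keywords are case-sensitive, so "All=" is just a host named All.
has_lamdaemon_rule() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+ALL[[:space:]]*=[[:space:]]*NOPASSWD:[[:space:]]*$3[[:space:]]+\*" "$1"
}

# script_is_protected SCRIPT EXPECTED_UID
# A NOPASSWD rule runs SCRIPT as root, so anyone who can write SCRIPT can run
# code as root. Require a regular, executable file owned by EXPECTED_UID with
# no group or world write bit. Uses GNU stat (-c).
script_is_protected() {
    [ -f "$1" ] || return 1
    [ -x "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "$2" ] || return 1
    case "$(stat -c %a "$1")" in
        *[2367]|*[2367][0-7]) return 1 ;;   # world- or group-writable
    esac
    return 0
}

# Constructed fixtures: a stand-in lamdaemon.pl and two sudoers fragments.
demo_dir=$(mktemp -d)
demo_script=$demo_dir/lamdaemon.pl
printf '#!/usr/bin/perl\nprint "lamdaemon stand-in\\n";\n' > "$demo_script"
chmod 755 "$demo_script"
printf 'myAdmin ALL= NOPASSWD: %s *\n' "$demo_script" > "$demo_dir/sudoers.good"
printf 'myAdmin All= NOPASSWD: %s *\n' "$demo_script" > "$demo_dir/sudoers.bad"

if has_lamdaemon_rule "$demo_dir/sudoers.good" myAdmin "$demo_script"; then
    if script_is_protected "$demo_script" "$(id -u)"; then
        echo "ok: rule present and $demo_script is writable only by its owner"
    fi
fi
```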
</itemizedlist>
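<para>Reading the auth.log entries the second point refers to, as an added example that is not part of LAM: the function classifies sshd's last message about the admin account and separates an account the homedir server does not know at all ("Invalid user", the situation the configuration section warns about when the system is not set up to accept LDAP users) from a rejected password. The account name myAdmin and the log lines are constructed.</para>

```shell
#!/bin/sh
# Added example, not part of LAM. Classifies what sshd logged about the LAM
# admin account in auth.log, so the failure reason can be read off directly.
# The account name myAdmin and the log lines are constructed for the demo.

# ssh_login_status LOGFILE USER
# Looks at the last sshd authentication line about USER and prints one of:
#   accepted      password login worked
#   unknown-user  sshd logged "Invalid user": the homedir server does not
#                 resolve the LDAP account (it is not set up to accept LDAP
#                 users, as the configuration section requires)
#   bad-password  the account exists but the password was rejected
#   no-record     no sshd authentication line mentions USER
ssh_login_status() {
    last=$(grep -E "sshd\[[0-9]+\]: (Accepted password for|Failed password for|Invalid user) $2 from" "$1" | tail -n 1)
    case "$last" in
        "") echo no-record ;;
        *"Accepted password for"*) echo accepted ;;
        *"Invalid user"*) echo unknown-user ;;
        *) echo bad-password ;;
    esac
}

# Constructed auth.log excerpt: first the account is unknown to the server,
# then (after the server was taught to accept LDAP users) a wrong password,
# then a working login.
demo_log=$(mktemp)
{
    echo 'Mar  3 10:01:12 files sshd[2211]: Invalid user myAdmin from 192.0.2.10 port 40122'
    echo 'Mar  3 10:01:14 files sshd[2211]: Failed password for invalid user myAdmin from 192.0.2.10 port 40122 ssh2'
    echo 'Mar  3 10:20:02 files sshd[2390]: Failed password for myAdmin from 192.0.2.10 port 40310 ssh2'
    echo 'Mar  3 10:21:45 files sshd[2402]: Accepted password for myAdmin from 192.0.2.10 port 40311 ssh2'
    echo 'Mar  3 10:22:00 files sshd[2402]: pam_unix(sshd:session): session opened for user myAdmin by (uid=0)'
} > "$demo_log"

echo "myAdmin: $(ssh_login_status "$demo_log" myAdmin)"   # accepted
```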

    <para>Error message <emphasis role="bold">"Your LAM admin user (...)
    must be a valid Unix account to work with lamdaemon!"</emphasis>: This
    happens if you use the default LDAP admin/manager user to login to LAM.
    Please see <link linkend="a_lamdaemonConf">here</link> and set up a Unix
    account.</para>
  </section>
</appendix>