LDAPAccountManager/lam/docs/README.lamdaemon.txt


   Setting up lamdaemon:


 Lamdaemon.pl is used to modify quota and home directories on a remote or local host via ssh.
 If you want wo use it you have to set up some things to get it to work:


1. Setup values in LDAP Account Manager
   * Set the remote or local host in the configuration
    (e.g. 127.0.0.1)
   * Path to lamdaemon.pl, e.g. /srv/www/htdocs/lam/lib/lamdaemon.pl


2. Set up sudo
   The perl script has to run as root. Therefore we need
   a wrapper, sudo.
   Edit /etc/sudoers on host where homedirs or quotas should be used
   and add the following line:
   
   $admin All= NOPASSWD: $path
   
   $admin is the adminuser from LAM and $path is the path to lamdaemon.pl
   e.g. "$admin All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl"
   At the moment the password is a paramteter of lamdaemon.pl
   therefore you should disable logging so the password does not
   appear in any logfile.
   This can be done by adding the following line to /etc/sudoers:

   Defaults:$admin !syslog


3. Set up Perl
   We need some external Perl modules, Quota and Net::SSH::Perl
   To install them, run:

   perl -MCPAN -e shell
   install Quota
   install Net::SSH::Perl
   install Math::BigInt::GMP

   If your Perl executable is not located in /usr/bin/perl you will have to edit
   the path in the first line of lamdaemon.pl.
   If you have problems compiling the Perl modules try installing a newer release
   of your GCC compiler and the "make" application.

   Debian users can install Net::SSH:Perl with dh-make-perl:

   apt-get install dh-make-perl
   dh-make-perl --build --cpan Net::SSH::Perl
   dpkg -i libnet-ssh-perl_1.25-1_all.deb


4. Set up SSH
   Your SSH daemon must offer the password authentication method.
   To activate it just use this configuration option in /etc/ssh/sshd_config:

   PasswordAuthentication yes


5. Test lamdaemon.pl
   There is a test-function in lamdaemon.pl. Please run lamdaemon.pl
   with the following parameters to test it:

   lamdaemon.pl $ssh-server $lam_path_on_host $admin-username $admin-password *test

   $ssh-server is the remote host lamdaemon.pl should be run on
   $lam_path_on_host is the path to lamdaemon.pl on remote host
   $admin-username is the name of the user which is allowed to run lamdaemon.pl
                   as root. It is the same user as in /etc/sudoers
   $admin-password is the password of the admin user
   *test is the command which tells lamdaemon.pl to test settings

   You have to run the command as the user your webserver is running, e.g.

   wwwrun@tilo:/srv/www/htdocs/lam/lib> /srv/www/htdocs/lam/lib/lamdaemon.pl \
     127.0.0.1 /srv/www/htdocs/lam/lib/lamdaemon.pl adminuser secret *test

   You should get the following response:

     Net::SSH::Perl successfully installed.
     Perl quota module successfully installed.
     If you have not seen any error lamdaemon.pl should be set up successfully.
 
 
   !!! Attention !!!
   Your password in LDAP has to be hashed with CRYPT. If you use something like SSHA
   you will probably get "Access denied.".

   Now everything should work fine.


6. Debugging lamdaemon
   If you set up all things as documented before and still get "Access denied"
   then you can try to debug the problem.

   - Check /var/log/auth.log or the equivalent on your system
     This file contains messages about all logins. If the ssh login
     failed then you will find a description about the reason here.

   - Enable debug output in lamdaemon
     In line 235 of lamdaemon.pl change the SSH options like this:

     my $ssh = Net::SSH::Perl->new($hostname, options=>[
       "UserKnownHostsFile /dev/null"],
       protocol => "2,1", debug => 1 );

     This will produce a lot of output when you do the lamdaemon test.
     Check that there is a line like this:
  
     Authentication methods that can continue: publickey,password,keyboard-interactive.

     The "password" is the one which is important.

   - Set sshd in debug mode
     In /etc/ssh/sshd_conf add these lines:

     SyslogFacility AUTH
     LogLevel DEBUG3

     Now check /var/log/syslog for messages from sshd.

   - Update Openssh
     A Suse Linux user reported that upgrading Openssh solved the problem.


Security warning:
-----------------

   If you use PHP < 4.3 your admin user and password are passed as commandline argument.
   This can be a security risk. Upgrade your PHP version for productive use.


Please send a mail to TiloLutz@gmx.de if you have any suggestions.
updated lamdaemon description 2005-07-06 11:07:53 +00:00
			`Setting up lamdaemon:`


			`Lamdaemon.pl is used to modify quota and home directories on a remote or local host via ssh.`
			`If you want wo use it you have to set up some things to get it to work:`

added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00
			`1. Setup values in LDAP Account Manager`
			`* Set the remote or local host in the configuration`
			`(e.g. 127.0.0.1)`
			`* Path to lamdaemon.pl, e.g. /srv/www/htdocs/lam/lib/lamdaemon.pl`


			`2. Set up sudo`
			`The perl script has to run as root. Therefore we need`
			`a wrapper, sudo.`
			`Edit /etc/sudoers on host where homedirs or quotas should be used`
			`and add the following line:`
updated lamdaemon description 2005-07-06 11:07:53 +00:00
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00			`$admin All= NOPASSWD: $path`
updated lamdaemon description 2005-07-06 11:07:53 +00:00
			`$admin is the adminuser from LAM and $path is the path to lamdaemon.pl`
			`e.g. "$admin All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl"`
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00			`At the moment the password is a paramteter of lamdaemon.pl`
			`therefore you should disable logging so the password does not`
			`appear in any logfile.`
			`This can be done by adding the following line to /etc/sudoers:`
updated lamdaemon description 2005-07-06 11:07:53 +00:00
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00			`Defaults:$admin !syslog`

added hint for CRYPT problem 2004-05-26 17:17:44 +00:00
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00			`3. Set up Perl`
			`We need some external Perl modules, Quota and Net::SSH::Perl`
			`To install them, run:`
added hint for CRYPT problem 2004-05-26 17:17:44 +00:00
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00			`perl -MCPAN -e shell`
			`install Quota`
			`install Net::SSH::Perl`
added Math::BigInt::GMP 2005-12-20 13:23:26 +00:00			`install Math::BigInt::GMP`
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00
added hint for CRYPT problem 2004-05-26 17:17:44 +00:00			`If your Perl executable is not located in /usr/bin/perl you will have to edit`
			`the path in the first line of lamdaemon.pl.`
added note about gcc and make 2005-12-17 12:19:20 +00:00			`If you have problems compiling the Perl modules try installing a newer release`
			`of your GCC compiler and the "make" application.`
added hint for CRYPT problem 2004-05-26 17:17:44 +00:00
added Debian way to install Net::SSH::Perl 2004-12-06 17:31:09 +00:00			`Debian users can install Net::SSH:Perl with dh-make-perl:`

			`apt-get install dh-make-perl`
			`dh-make-perl --build --cpan Net::SSH::Perl`
fixed Debian install command 2005-12-15 19:07:24 +00:00			`dpkg -i libnet-ssh-perl_1.25-1_all.deb`
added Debian way to install Net::SSH::Perl 2004-12-06 17:31:09 +00:00
added hint for CRYPT problem 2004-05-26 17:17:44 +00:00
updated lamdaemon description 2005-07-06 11:07:53 +00:00			`4. Set up SSH`
			`Your SSH daemon must offer the password authentication method.`
			`To activate it just use this configuration option in /etc/ssh/sshd_config:`

			`PasswordAuthentication yes`


			`5. Test lamdaemon.pl`
added hint for CRYPT problem 2004-05-26 17:17:44 +00:00			`There is a test-function in lamdaemon.pl. Please run lamdaemon.pl`
			`with the following parameters to test it:`

added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00			`lamdaemon.pl $ssh-server $lam_path_on_host $admin-username $admin-password *test`
added hint for CRYPT problem 2004-05-26 17:17:44 +00:00
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00			`$ssh-server is the remote host lamdaemon.pl should be run on`
			`$lam_path_on_host is the path to lamdaemon.pl on remote host`
			`$admin-username is the name of the user which is allowed to run lamdaemon.pl`
			`as root. It is the same user as in /etc/sudoers`
			`$admin-password is the password of the admin user`
			`*test is the command which tells lamdaemon.pl to test settings`

			`You have to run the command as the user your webserver is running, e.g.`

			`wwwrun@tilo:/srv/www/htdocs/lam/lib> /srv/www/htdocs/lam/lib/lamdaemon.pl \`
implemented user+passwd in STDIN 2005-03-05 13:23:59 +00:00			`127.0.0.1 /srv/www/htdocs/lam/lib/lamdaemon.pl adminuser secret *test`
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00
			`You should get the following response:`
added hint for CRYPT problem 2004-05-26 17:17:44 +00:00
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00			`Net::SSH::Perl successfully installed.`
			`Perl quota module successfully installed.`
			`If you have not seen any error lamdaemon.pl should be set up successfully.`
added hint for CRYPT problem 2004-05-26 17:17:44 +00:00

			`!!! Attention !!!`
			`Your password in LDAP has to be hashed with CRYPT. If you use something like SSHA`
			`you will probably get "Access denied.".`

updated lamdaemon description 2005-07-06 11:07:53 +00:00			`Now everything should work fine.`


			`6. Debugging lamdaemon`
			`If you set up all things as documented before and still get "Access denied"`
			`then you can try to debug the problem.`

			`- Check /var/log/auth.log or the equivalent on your system`
			`This file contains messages about all logins. If the ssh login`
			`failed then you will find a description about the reason here.`

			`- Enable debug output in lamdaemon`
updated debug documentation 2005-10-07 16:07:07 +00:00			`In line 235 of lamdaemon.pl change the SSH options like this:`
updated lamdaemon description 2005-07-06 11:07:53 +00:00
			`my $ssh = Net::SSH::Perl->new($hostname, options=>[`
			`"UserKnownHostsFile /dev/null"],`
updated debug documentation 2005-10-07 16:07:07 +00:00			`protocol => "2,1", debug => 1 );`
updated lamdaemon description 2005-07-06 11:07:53 +00:00
			`This will produce a lot of output when you do the lamdaemon test.`
			`Check that there is a line like this:`

			`Authentication methods that can continue: publickey,password,keyboard-interactive.`

			`The "password" is the one which is important.`

			`- Set sshd in debug mode`
			`In /etc/ssh/sshd_conf add these lines:`

			`SyslogFacility AUTH`
			`LogLevel DEBUG3`

			`Now check /var/log/syslog for messages from sshd.`
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00
updated lamdaemon description 2005-07-06 11:07:53 +00:00			`- Update Openssh`
			`A Suse Linux user reported that upgrading Openssh solved the problem.`
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00
implemented user+passwd in STDIN 2005-03-05 13:23:59 +00:00
			`Security warning:`
			`-----------------`

			`If you use PHP < 4.3 your admin user and password are passed as commandline argument.`
			`This can be a security risk. Upgrade your PHP version for productive use.`


added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00			`Please send a mail to TiloLutz@gmx.de if you have any suggestions.`