LDAPAccountManager/lam/docs/README.lamdaemon.txt

132 lines
4.2 KiB
Plaintext
Raw Normal View History

2005-07-06 11:07:53 +00:00
Setting up lamdaemon:
Lamdaemon.pl is used to modify quota and home directories on a remote or local host via ssh.
If you want wo use it you have to set up some things to get it to work:
1. Setup values in LDAP Account Manager
* Set the remote or local host in the configuration
(e.g. 127.0.0.1)
* Path to lamdaemon.pl, e.g. /srv/www/htdocs/lam/lib/lamdaemon.pl
2. Set up sudo
The perl script has to run as root. Therefore we need
a wrapper, sudo.
Edit /etc/sudoers on host where homedirs or quotas should be used
and add the following line:
2005-07-06 11:07:53 +00:00
$admin All= NOPASSWD: $path
2005-07-06 11:07:53 +00:00
$admin is the adminuser from LAM and $path is the path to lamdaemon.pl
e.g. "$admin All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl"
At the moment the password is a paramteter of lamdaemon.pl
therefore you should disable logging so the password does not
appear in any logfile.
This can be done by adding the following line to /etc/sudoers:
2005-07-06 11:07:53 +00:00
Defaults:$admin !syslog
2004-05-26 17:17:44 +00:00
3. Set up Perl
We need some external Perl modules, Quota and Net::SSH::Perl
To install them, run:
2004-05-26 17:17:44 +00:00
perl -MCPAN -e shell
install Quota
install Net::SSH::Perl
2004-05-26 17:17:44 +00:00
If your Perl executable is not located in /usr/bin/perl you will have to edit
the path in the first line of lamdaemon.pl.
Debian users can install Net::SSH:Perl with dh-make-perl:
apt-get install dh-make-perl
dh-make-perl --build --cpan Net::SSH::Perl
dpkg -i install libnet-ssh-perl_1.25-1_all.deb
2004-05-26 17:17:44 +00:00
2005-07-06 11:07:53 +00:00
4. Set up SSH
Your SSH daemon must offer the password authentication method.
To activate it just use this configuration option in /etc/ssh/sshd_config:
PasswordAuthentication yes
5. Test lamdaemon.pl
2004-05-26 17:17:44 +00:00
There is a test-function in lamdaemon.pl. Please run lamdaemon.pl
with the following parameters to test it:
lamdaemon.pl $ssh-server $lam_path_on_host $admin-username $admin-password *test
2004-05-26 17:17:44 +00:00
$ssh-server is the remote host lamdaemon.pl should be run on
$lam_path_on_host is the path to lamdaemon.pl on remote host
$admin-username is the name of the user which is allowed to run lamdaemon.pl
as root. It is the same user as in /etc/sudoers
$admin-password is the password of the admin user
*test is the command which tells lamdaemon.pl to test settings
You have to run the command as the user your webserver is running, e.g.
wwwrun@tilo:/srv/www/htdocs/lam/lib> /srv/www/htdocs/lam/lib/lamdaemon.pl \
2005-03-05 13:23:59 +00:00
127.0.0.1 /srv/www/htdocs/lam/lib/lamdaemon.pl adminuser secret *test
You should get the following response:
2004-05-26 17:17:44 +00:00
Net::SSH::Perl successfully installed.
Perl quota module successfully installed.
If you have not seen any error lamdaemon.pl should be set up successfully.
2004-05-26 17:17:44 +00:00
!!! Attention !!!
Your password in LDAP has to be hashed with CRYPT. If you use something like SSHA
you will probably get "Access denied.".
2005-07-06 11:07:53 +00:00
Now everything should work fine.
6. Debugging lamdaemon
If you set up all things as documented before and still get "Access denied"
then you can try to debug the problem.
- Check /var/log/auth.log or the equivalent on your system
This file contains messages about all logins. If the ssh login
failed then you will find a description about the reason here.
- Enable debug output in lamdaemon
2005-10-07 16:07:07 +00:00
In line 235 of lamdaemon.pl change the SSH options like this:
2005-07-06 11:07:53 +00:00
my $ssh = Net::SSH::Perl->new($hostname, options=>[
"UserKnownHostsFile /dev/null"],
2005-10-07 16:07:07 +00:00
protocol => "2,1", debug => 1 );
2005-07-06 11:07:53 +00:00
This will produce a lot of output when you do the lamdaemon test.
Check that there is a line like this:
Authentication methods that can continue: publickey,password,keyboard-interactive.
The "password" is the one which is important.
- Set sshd in debug mode
In /etc/ssh/sshd_conf add these lines:
SyslogFacility AUTH
LogLevel DEBUG3
Now check /var/log/syslog for messages from sshd.
2005-07-06 11:07:53 +00:00
- Update Openssh
A Suse Linux user reported that upgrading Openssh solved the problem.
2005-03-05 13:23:59 +00:00
Security warning:
-----------------
If you use PHP < 4.3 your admin user and password are passed as commandline argument.
This can be a security risk. Upgrade your PHP version for productive use.
Please send a mail to TiloLutz@gmx.de if you have any suggestions.