removed old lamdaemon

Roland Gruber 2009-10-10 13:02:55 +00:00
parent 861e022538
commit aefb7e45b3
5 changed files with 3 additions and 473 deletions

View File

@ -3,6 +3,7 @@ October 2009 2.8.0
- compatibility with PHP 5.3 - compatibility with PHP 5.3
- one central button to change passwords on account pages - one central button to change passwords on account pages
- removed support for Samba 2 accounts - removed support for Samba 2 accounts
- removed lamdaemonOld script
05.08.2009 2.7.0 05.08.2009 2.7.0
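Review bot: the new changelog line "- removed lamdaemonOld script" understates what this commit changes for administrators. Together with the script, the `function_exists("ssh2_connect")` fallback in lamdaemon.inc is removed, so the PHP ssh2 extension (libssh2) is no longer optional; the old README text being deleted in this same commit said explicitly that LAM would fall back to the old mechanism without libssh2. Suggest spelling that out, e.g. "- removed lamdaemonOld script, the PHP ssh2 extension (libssh2) is now required for lamdaemon", so people upgrading to 2.8.0 know why home directory and quota handling stops working on hosts without it.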

View File

@ -1,14 +1,8 @@
This document describes the installation of lamdaemon which is responsible This document describes the installation of lamdaemon which is responsible
for managing quotas and creating home directories. for managing quotas and creating home directories.
Attention! The old version of lamdaemon is no longer supported. However,
if you do not install libssh2 then LAM will fall back to the old mechanismn.
If you want to stay with the old lamdaemon then change your /etc/sudoers entries
to point to lamdaemonOld.pl.
Do NOT mix lamdaemon and lamdaemonOld.pl!
Setting up lamdaemon: Setting up lamdaemon:
===================== =====================
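Review bot: the removed "Attention!" paragraph was the only sentence in this README that mentioned libssh2 at all, and it described it as optional ("if you do not install libssh2 then LAM will fall back"). Since the fallback is gone, the setup instructions that follow should now state that the PHP ssh2 extension is a hard requirement and how to check for it (for example that `ssh2_connect` is available in `php -m` / phpinfo output), otherwise the first symptom an administrator sees is a failing lamdaemon call with no hint about the cause. Also consider keeping a one-line pointer that lamdaemonOld.pl is gone, since the deleted text is what told people running it that they needed to migrate.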

View File

@ -1,139 +0,0 @@
ATTENTION! This version of lamdaemon is no longer supported, please use the new lamdaemon instead!
Setting up lamdaemon:
LamdaemonOld.pl is used to modify quota and home directories on a remote or local host via ssh.
If you want wo use it you have to set up some things to get it to work:
1. Setup values in LDAP Account Manager
* Set the remote or local host in the configuration
(e.g. 127.0.0.1)
* Path to lamdaemonOld.pl, e.g. /srv/www/htdocs/lam/lib/lamdaemonOld.pl
If you installed a Debian or RPM package then the script may be located at
/usr/share/ldap-account-manager/lib or /var/www/html/lam/lib.
2. Set up sudo
The perl script has to run as root. Therefore we need
a wrapper, sudo.
Edit /etc/sudoers on host where homedirs or quotas should be used
and add the following line:
$admin All= NOPASSWD: $path
$admin is the adminuser from LAM and $path is the path to lamdaemonOld.pl
e.g. "$admin All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemonOld.pl"
At the moment the password is a paramteter of lamdaemonOld.pl
therefore you should disable logging so the password does not
appear in any logfile.
This can be done by adding the following line to /etc/sudoers:
Defaults:$admin !syslog
3. Set up Perl
We need some external Perl modules, Quota and Net::SSH::Perl
To install them, run:
perl -MCPAN -e shell
install Quota # required
install Net::SSH::Perl # required
install Math::BigInt::GMP # optional but very poor performance if not installed
If your Perl executable is not located in /usr/bin/perl you will have to edit
the path in the first line of lamdaemonOld.pl.
If you have problems compiling the Perl modules try installing a newer release
of your GCC compiler and the "make" application.
Debian users can install Net::SSH:Perl with dh-make-perl:
apt-get install dh-make-perl
dh-make-perl --build --cpan Net::SSH::Perl
dpkg -i libnet-ssh-perl_1.25-1_all.deb
4. Set up SSH
Your SSH daemon must offer the password authentication method.
To activate it just use this configuration option in /etc/ssh/sshd_config:
PasswordAuthentication yes
5. Test lamdaemonOld.pl
There is a test-function in lamdaemonOld.pl. Please run lamdaemonOld.pl
with the following parameters to test it:
lamdaemonOld.pl $ssh-server $lam_path_on_host $admin-username $admin-password *test
$ssh-server is the remote host lamdaemonOld.pl should be run on
$lam_path_on_host is the path to lamdaemonOld.pl on remote host
$admin-username is the name of the user which is allowed to run lamdaemonOld.pl
as root. It is the same user as in /etc/sudoers
$admin-password is the password of the admin user
*test is the command which tells lamdaemonOld.pl to test settings
You have to run the command as the user your webserver is running, e.g.
wwwrun@tilo:/srv/www/htdocs/lam/lib> /srv/www/htdocs/lam/lib/lamdaemonOld.pl \
127.0.0.1 /srv/www/htdocs/lam/lib/lamdaemonOld.pl adminuser secret *test
You should get the following response:
Net::SSH::Perl successfully installed.
Perl quota module successfully installed.
If you have not seen any error lamdaemonOld.pl should be set up successfully.
!!! Attention !!!
Your password in LDAP has to be hashed with CRYPT. If you use something like SSHA
you will probably get "Access denied.".
Now everything should work fine.
6. Debugging lamdaemon
If you set up all things as documented before and still get "Access denied"
then you can try to debug the problem.
- Check /var/log/auth.log or the equivalent on your system
This file contains messages about all logins. If the ssh login
failed then you will find a description about the reason here.
- Enable debug output in lamdaemon
In line 235 of lamdaemonOld.pl change the SSH options like this:
my $ssh = Net::SSH::Perl->new($hostname, options=>[
"UserKnownHostsFile /dev/null"],
protocol => "2,1", debug => 1 );
This will produce a lot of output when you do the lamdaemon test.
Check that there is a line like this:
Authentication methods that can continue: publickey,password,keyboard-interactive.
The "password" is the one which is important.
- Set sshd in debug mode
In /etc/ssh/sshd_conf add these lines:
SyslogFacility AUTH
LogLevel DEBUG3
Now check /var/log/syslog for messages from sshd.
- Update Openssh
A Suse Linux user reported that upgrading Openssh solved the problem.
Security warning:
-----------------
If you use PHP < 4.3 your admin user and password are passed as commandline argument.
This can be a security risk. Upgrade your PHP version for productive use.
Please send a mail to TiloLutz@gmx.de if you have any suggestions.
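Review bot: deleting this file leaves no migration guidance for the privileged configuration it told administrators to create. Following steps 2 and 4 they added `$admin All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemonOld.pl` and `Defaults:$admin !syslog` to /etc/sudoers and set `PasswordAuthentication yes` in sshd_config. With the script removed, the sudoers line is a stale passwordless-root grant on a path an attacker who can write to the web root could recreate, and the `!syslog` default keeps sudo for that user out of the audit log for any other command as well. Suggest a short "upgrading from lamdaemonOld" paragraph in the lamdaemon README (or the changelog) telling people to remove both sudoers entries and to re-evaluate whether password authentication in sshd is still needed by the new mechanism.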

View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.sourceforge.net/projects/lam) This code is part of LDAP Account Manager (http://www.sourceforge.net/projects/lam)
Copyright (C) 2004 - 2006 Roland Gruber Copyright (C) 2004 - 2009 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -40,61 +40,6 @@ $Id$
* *
*/ */
function lamdaemon($commands, $server) { function lamdaemon($commands, $server) {
// use new PHP SSH mechanismn
if (function_exists("ssh2_connect")) {
return lamdaemonSSH($commands, $server);
}
// get username and password of the current lam-admin
$ldap_q = $_SESSION['ldap']->decrypt_login();
$userstring = implode ("\n", $commands);
$output_array = array();
$towrite = escapeshellarg($server)." ".escapeshellarg($_SESSION['config']->get_scriptPath())." - -";
$descriptorspec = array(
0 => array("pipe", "r"), // stdin
1 => array("pipe", "w"), // stout
2 => array("file", "/dev/null", "a") // sterr
);
$process = proc_open(escapeshellarg($_SESSION['lampath']."lib/lamdaemonOld.pl")." ".$towrite,
$descriptorspec,
$pipes);
if (is_resource($process)) {
/* perl-script is running
* $pipes[0] is writeable handle to child stdin
* $pipes[1] is readable handle to child stdout
* any error is send to /dev/null
*/
// user+passwd
fwrite($pipes[0], $ldap_q[0] . "\n");
fwrite($pipes[0], $ldap_q[1] . "\n");
// Write to stdin
fwrite($pipes[0], $userstring);
}
fclose($pipes[0]);
while (!feof($pipes[1])) {
$output = fgets($pipes[1], 1024);
if ($output!='') $output_array[] = $output;
}
fclose($pipes[1]);
proc_close($process);
if (sizeof($output_array) > 0) {
return $output_array;
}
else {
return false;
}
}
/**
* Sends commands to lamdaemon script via PHP SSH functions.
*
* @param array $commands List of command lines
* @param string $server remote server
* @return array Output of lamdaemon
*
*/
function lamdaemonSSH($commands, $server) {
$commands = implode("\n", $commands) . "\n"; $commands = implode("\n", $commands) . "\n";
// get username and password of the current lam-admin // get username and password of the current lam-admin
$credentials = $_SESSION['ldap']->decrypt_login(); $credentials = $_SESSION['ldap']->decrypt_login();
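Review bot: the `if (function_exists("ssh2_connect"))` guard is removed together with the proc_open fallback, so on a host without the ssh2 extension the merged `lamdaemon()` will now die with an undefined-function fatal error at the first `ssh2_*` call instead of taking a handled path. Suggest keeping the check at the top of `lamdaemon()` and returning an explicit error to the caller when the extension is missing, in the same output format the callers already parse. Two smaller points: the docblock for `lamdaemonSSH()` (parameters, return value) is deleted while its body is merged into `lamdaemon()`, so please check that the remaining comment block above `function lamdaemon($commands, $server)` still documents `$commands`, `$server` and the return value; and since `lamdaemonSSH()` no longer exists, grep for any other caller that still uses that name.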

View File

@ -1,271 +0,0 @@
#! /usr/bin/perl
# $Id$
#
# This code is part of LDAP Account Manager (http://www.sourceforge.net/projects/lam)
# Copyright (C) 2003 - 2006 Tilo Lutz
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
#
# LDAP Account Manager daemon to create and delete homedirecotries and quotas
# set a known path
my $path = "";
if (-d "/sbin") {
if ($path eq "") { $path = "/sbin"; }
else { $path = "$path:/sbin"; }
}
if (-d "/usr/sbin") {
if ($path eq "") { $path = "/usr/sbin"; }
else { $path = "$path:/usr/sbin"; }
}
if (-l "/bin") {
if ($path eq "") { $path = "/usr/bin"; }
else { $path = "$path:/usr/bin"; }
}
else {
if ($path eq "") { $path = "/bin:/usr/bin"; }
else { $path = "$path:/bin:/usr/bin"; }
}
if (-d "/opt/sbin") { $path = "$path:/opt/sbin"; }
if (-d "/opt/bin") { $path = "$path:/opt/bin"; }
$ENV{"PATH"} = $path;
#use strict; # Use strict for security reasons
@quota_grp;
@quota_usr; # Filesystems with enabled userquotas
# vals = DN, PAssword, user, home, (add|rem),
# quota, (set|get),(u|g), (mountpoint,blocksoft,blockhard,filesoft,filehard)+
# chown options
$|=1; # Disable buffering
sub get_fs { # Load mountpoints from mtab if enabled quotas
Quota::setmntent();
my $i=0;
my @args;
while (my @temp = Quota::getmntent()) {
$args[$i][0] = $temp[0];
$args[$i][1] = $temp[1];
$args[$i][2] = $temp[2];
$args[$i][3] = $temp[3];
$i++;
}
Quota::endmntent();
my $j=0; my $k=0; $i=0;
while ($args[$i][0]) {
if ( $args[$i][3] =~ m/usrquota/ ) {
$quota_usr[$j][0] = $args[$i][0];
$quota_usr[$j][1] = $args[$i][1];
$quota_usr[$j][2] = $args[$i][2];
$quota_usr[$j][3] = $args[$i][3];
$j++;
}
if ( $args[$i][3] =~ m/grpquota/ ) {
$quota_grp[$k][0] = $args[$i][0];
$quota_grp[$k][1] = $args[$i][1];
$quota_grp[$k][2] = $args[$i][2];
$quota_grp[$k][3] = $args[$i][3];
$k++;
}
$i++;
}
}
# ***************** Check values
if ($< == 0 ) { # we are root
# Drop root Previleges
($<, $>) = ($>, $<);
if ($ARGV[0] eq "*test") {
use Quota; # Needed to get and set quotas
print "Perl quota module successfully installed.\n";
print "If you haven't seen any errors lamdaemon.pl was set up successfully.\n";
}
else {
# loop for every transmitted user
my $string = do {local $/;<STDIN>};
@input = split ("\n", $string );
for ($i=0; $i<=$#input; $i++) {
$return = "";
@vals = split (' ', $input[$i]);
switch: {
# Get user information
if (($vals[3] eq 'user') || ($vals[1] eq 'home')) { @user = getpwnam($vals[0]); }
else { @user = getgrnam($vals[0]); }
$vals[1] eq 'home' && do {
switch2: {
$vals[2] eq 'add' && do {
# split homedir to set all directories below the last dir. to 0755
my $path = $user[7];
$path =~ s,/(?:[^/]*)$,,;
($<, $>) = ($>, $<); # Get root privileges
if (! -e $path) {
system 'mkdir', '-m', '0755', '-p', $path; # Create paths to homedir
}
if (! -e $user[7]) {
system 'mkdir', '-m', '0755', $user[7]; # Create homedir itself
system ("(cd /etc/skel && tar cf - .) | (cd $user[7] && tar xmf -)"); # Copy /etc/sekl into homedir
system 'chown', '-hR', "$user[2]:$user[3]" , $user[7]; # Change owner to new user
if (-e '/usr/sbin/useradd.local') {
system '/usr/sbin/useradd.local', $user[0]; # run useradd-script
}
system 'chmod', $vals[3], $user[7]; # Edit chmod rights
}
else {
$return = "ERROR,Lamdaemon,Homedirectory already exists.:$return";
}
($<, $>) = ($>, $<); # Give up root previleges
last switch2;
};
$vals[2] eq 'rem' && do {
($<, $>) = ($>, $<); # Get root previliges
if (-d $user[7] && $user[7] ne '/') {
if ((stat($user[7]))[4] eq $user[2]) {
system 'rm', '-R', $user[7]; # Delete Homedirectory
if (-e '/usr/sbin/userdel.local') {
system '/usr/sbin/userdel.local', $user[0];
}
}
else {
$return = "ERROR,Lamdaemon,Homedirectory not owned by $user[2].:$return";
}
}
else {
$return = "ERROR,Lamdaemon,Homedirectory doesn't exists.:$return";
}
($<, $>) = ($>, $<); # Give up root previleges
last switch2;
};
}
# Show error if undfined command is used
$return = "ERROR,Lamdaemon,Unknown command $vals[2].:$return";
last switch;
};
$vals[1] eq 'quota' && do {
use Quota; # Needed to get and set quotas
get_fs(); # Load list of devices with enabled quotas
# Store quota information in array
@quota_temp1 = split (':', $vals[4]);
$group=0;
$i=0;
while ($quota_temp1[$i]) {
$j=0;
@temp = split (',', $quota_temp1[$i]);
while ($temp[$j]) {
$quota[$i][$j] = $temp[$j];
$j++;
}
$i++;
}
if ($vals[3] eq 'user') { $group=false; }
else {
$group=1;
@quota_usr = @quota_grp;
}
switch2: {
$vals[2] eq 'rem' && do {
$i=0;
($<, $>) = ($>, $<); # Get root privileges
while ($quota_usr[$i][0]) {
$dev = Quota::getqcarg($quota_usr[$i][1]);
$return = Quota::setqlim($dev,$user[2],0,0,0,0,1,$group);
$i++;
}
($<, $>) = ($>, $<); # Give up root previleges
last switch2;
};
$vals[2] eq 'set' && do {
$i=0;
($<, $>) = ($>, $<); # Get root privileges
while ($quota_usr[$i][0]) {
$dev = Quota::getqcarg($quota[$i][0]);
$return = Quota::setqlim($dev,$user[2],$quota[$i][1],$quota[$i][2],$quota[$i][3],$quota[$i][4],1,$group);
$i++;
}
($<, $>) = ($>, $<); # Give up root previleges
last switch2;
};
$vals[2] eq 'get' && do {
$i=0;
($<, $>) = ($>, $<); # Get root privileges
while ($quota_usr[$i][0]) {
if ($vals[0]ne'+') {
$dev = Quota::getqcarg($quota_usr[$i][1]);
@temp = Quota::query($dev,$user[2],$group);
if ($temp[0]ne'') {
$return = "$quota_usr[$i][1],$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7]:$return";
}
else { $return = "$quota_usr[$i][1],0,0,0,0,0,0,0,0:$return"; }
}
else { $return = "$quota_usr[$i][1],0,0,0,0,0,0,0,0:$return"; }
$i++;
}
($<, $>) = ($>, $<); # Give up root previleges
last switch2;
};
$return = "ERROR,Lamdaemon,Unknown command $vals[2].:$return";
}
};
last switch;
$return = "ERROR,Lamdaemon,Unknown command $vals[1].:$return";
};
print "$return\n";
}
}
}
else {
$hostname = shift @ARGV;
$remotepath = shift @ARGV;
use Net::SSH::Perl;
if ($ARGV[2] eq "*test") { print "Net::SSH::Perl successfully installed.\n"; }
if (($ARGV[0] eq "-") and ($ARGV[1] eq "-")) { # user+passwd are in STDIN
$username = <STDIN>;
chop($username);
@username = split (',', $username);
$username[0] =~ s/uid=//;
$username[0] =~ s/cn=//;
$username = $username[0];
$password = <STDIN>;
chop($password);
}
else {
@username = split (',', $ARGV[0]);
$username[0] =~ s/uid=//;
$username[0] =~ s/cn=//;
$username = $username[0];
$password = $ARGV[1];
}
# Put all transfered lines in one string
if ($ARGV[2] ne "*test") {
$string = do {local $/;<STDIN>};
}
else {
$argv = "*test\n";
$string = " \n";
}
my $ssh = Net::SSH::Perl->new($hostname, options=>[
"UserKnownHostsFile /dev/null"],
protocol => "2,1", debug => 0 );
$ssh->login($username, $password);
# Change needed to prevent buffer overrun
@string2 = split ("\n", $string);
for ($i=0; $i<=$#string2; $i++) {
($stdout2, $stderr, $exit) = $ssh->cmd("sudo $remotepath $argv", $string2[$i]);
$stdout .= $stdout2;
}
#($stdout, $stderr, $exit) = $ssh->cmd("sudo $remotepath $argv", $string);
print $stdout;
}
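Review bot: removing this file closes several weaknesses that were visible in the script itself, so the deletion is welcome; the point to carry forward is to confirm none of them are repeated in the replacement. The removed path connected with `"UserKnownHostsFile /dev/null"`, i.e. without any host-key verification, negotiated `protocol => "2,1"` (allowing SSH-1 fallback), accepted the admin DN and password as command-line arguments when not given `- -` (visible to every local user via the process list, which is what the "Security warning" in the deleted README referred to), and ran with `use strict` commented out. For the new lamdaemon.inc, please check that the ssh2 connection verifies the remote host key (fingerprint check) rather than trusting any host, and that credentials reach the remote side only over the authenticated channel, never as part of the command line.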