LDAP + Virtualmin/Webmin/Usermin Authentication

#1 Wed, 07/23/2008 - 20:30
parsonscdt

Hi everyone,

Some system info: CentOS 5.2, 64-bit. Updated. Fresh install of Virtualmin Pro. Web hosting only, external LDAP server, external and independent mail server at this time.

I am new to Virtualmin and I am trying to get LDAP working with Virtualmin. Here is the situation: I have an OpenLDAP server that is external to the Virtualmin server. I have set up Virtualmin and the LDAP server through the LDAP client module, etc. I can view users, create users/groups, create virtual servers (which does create the virtual server admin account in LDAP OK), getent <passwd/group> OK, log in to the server via SSH/SFTP/console with LDAP users, and change passwords of the LDAP users via the CLI and Virtualmin.

BUT for the life of me I cannot log in to the Virtualmin/Webmin/Usermin interfaces with a created LDAP user. Even the default LDAP user created as administrator for a virtual server cannot log in. Users created in the passwd/shadow files work just fine to log in. This may be an oversight or just my tired eyes missing something simple. I have seen the PAM usermin and webmin files that only include pam_unix.so directives. Do those need to be modified also?

One other question. I want to auto-create MySQL DBs for normal LDAP users. These users are not the administrator accounts for virtual servers but normal users under a virtual server. Is that possible or do I need to script that?

Thanks ahead of time for all the help!!

Wed, 07/23/2008 - 22:12
parsonscdt

SOLVED ->

Make sure all proper Perl modules are installed, such as Authen::PAM, etc. This alone won't solve the immediate problem, but editing /etc/pam.d/usermin and webmin like below fixes the problem:

#%PAM-1.0
#auth required pam_unix.so nullok
#account required pam_unix.so
#session required pam_unix.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

Can change login, change passwords, etc from usermin.

Now I need to figure out several more problems:

1. MySQL auto create dB for LDAP users.
2. Why File Manager gives a Java trust error for LDAP/system users except for root. Is it possible to run usermin without https?
3. Why postfix keeps starting when I have configured Sendmail (forward to a smtp gateway) to start instead.

Thanks!
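An added example, not part of the post above: a small check that tells you whether /etc/pam.d/webmin and /etc/pam.d/usermin actually hand all four management groups to the distribution's system-auth stack, which is where pam_ldap lives. It accepts both the pam_stack.so spelling used in the fix above and the "include" keyword that replaced pam_stack.so in later Linux-PAM releases (RHEL/CentOS 6 onward no longer ship pam_stack.so), so the same check keeps working after an OS upgrade. The three sample service files it writes are constructed for the demonstration, not copied from any host.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks whether a Webmin or
# Usermin PAM service file hands all four management groups to the
# distribution's system-auth stack, which is what makes LDAP (via
# pam_ldap in system-auth) work for the web interfaces. Both spellings
# are accepted: the pam_stack.so form used in the post above, and the
# "include" keyword that replaced pam_stack.so in later PAM releases.

# pam_delegates_to_system_auth FILE
# Returns 0 when auth, account, password and session each delegate to
# system-auth; otherwise prints the groups that do not and returns 1.
pam_delegates_to_system_auth() {
    file="$1"
    missing=""
    for group in auth account password session; do
        if ! sed 's/#.*//' "$file" | awk -v g="$group" '
            $1 == g && $2 == "include" && $3 == "system-auth" { found = 1 }
            $1 == g && $3 == "pam_stack.so" && $4 == "service=system-auth" { found = 1 }
            END { exit found ? 0 : 1 }'
        then
            missing="$missing $group"
        fi
    done
    if [ -n "$missing" ]; then
        echo "$file: not delegated to system-auth:$missing" >&2
        return 1
    fi
    return 0
}

# write_pam_samples DIR
# Writes three constructed service files so the check can be exercised
# without touching /etc/pam.d: the stock pam_unix-only file, the
# pam_stack.so version from the post, and the equivalent "include" form.
write_pam_samples() {
    dir="$1"
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_unix.so nullok' \
        'account required pam_unix.so' \
        'session required pam_unix.so' > "$dir/stock"
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_stack.so service=system-auth' \
        'account required pam_stack.so service=system-auth' \
        'password required pam_stack.so service=system-auth' \
        'session required pam_stack.so service=system-auth' > "$dir/pam_stack"
    printf '%s\n' '#%PAM-1.0' \
        'auth include system-auth' \
        'account include system-auth' \
        'password include system-auth' \
        'session include system-auth' > "$dir/include"
}

# Stand-alone use: check the live Webmin and Usermin service files.
for f in /etc/pam.d/webmin /etc/pam.d/usermin; do
    [ -f "$f" ] || continue
    pam_delegates_to_system_auth "$f" && echo "$f: ok"
done
```

The password group matters as well as auth: without it Usermin's password change still goes through pam_unix only and never reaches LDAP. And as the post says, Authen::PAM has to be present, because miniserv only consults PAM when that module loads; without it the web server checks passwd/shadow itself and never sees the LDAP users, however correct the PAM file is.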

Wed, 07/23/2008 - 22:56 (Reply to #2)
Joe

Awesome. Thanks for the update!

<div class='quote'>1. MySQL auto create dB for LDAP users.</div>

I don't understand. Are you talking about Virtualmin virtual server users? You can already do so for new virtual servers--just enable MySQL databases. Or are you talking about Mail and FTP users? Those don't usually get databases...though it's possible, it's definitely not common. It makes me think maybe you're trying to push Virtualmin into a direction that doesn't really fit. But again, I don't really know what you're trying to accomplish.

<div class='quote'>2. Why File Manager gives a Java trust error for LDAP/system users except for root. Is it possible to run usermin without https?</div>

No idea. What's the exact error?

<div class='quote'>3. Why postfix keeps starting when I have configured Sendmail (forward to a smtp gateway) to start instead.</div>

I guess you still have it configured to start on boot, and possibly configured as the default MTA in alternatives.

Run the following:

chkconfig --level 345 postfix off
alternatives --config mta

And set the mta to sendmail.

--

Check out the forum guidelines!

Thu, 07/24/2008 - 05:36 (Reply to #3)
parsonscdt

<div class='quote'>1. MySQL auto create dB for LDAP users.

I don't understand. Are you talking about Virtualmin virtual server users? You can already do so for new virtual servers--just enable MySQL databases. Or are you talking about Mail and FTP users? Those don't usually get databases...though it's possible, it's definitely not common. It makes me think maybe you're trying to push Virtualmin into a direction that doesn't really fit. But again, I don't really know what you're trying to accomplish.</div>

Sorry for the confusion. The Virtualmin virtual server user does have a DB auto-created when the virtual server is created. I am talking about the Mail/FTP users. Those users are also stored in LDAP. But in our situation, we have several different virtual servers, each managed by different departments, and each of those virtual servers has users that need DBs and web space. Usermin is being used for each user so they can change passwords, use the MySQL module, see disk quotas, etc. Just no mail accounts on this particular server. So basically each Mail/FTP user needs a DB created when the user is created in LDAP from Webmin. Then the user can set up their individual blog, etc.

<div class='quote'>2. Why File Manager gives a Java trust error for LDAP/system users except for root. Is it possible to run usermin without https?

No idea. What's the exact error?</div>

I am on a different computer right now and I am not getting the error. I believe it was something along the lines of "Java cannot get the proper language files. something, something, Java trust error." On this computer (both computers are Mac OS X 10.5.4) Java had a pop-up asking if I trust the File Manager application. I think it has to do with a Java security setting. I will look into that.

<div class='quote'>3. Why postfix keeps starting when I have configured Sendmail (forward to a smtp gateway) to start instead.

I guess you still have it configured to start on boot, and possibly configured as the default MTA in alternatives.

Run the following:

chkconfig --level 345 postfix off

alternatives --config mta

And set the mta to sendmail.</div>

Actually, I did turn off Postfix and turn on Sendmail through both the Webmin "Bootup Module" and through chkconfig. Also, set Sendmail to be the MTA for virtual servers in Virtualmin. I totally forgot the alternatives command! I am sure that is it. I will give it a try.

Also, I noticed MySQL fails on boot but after the system boots it does start. Should MySQL be set to start in init/chkconfig or does Virtualmin start it independently.

Thanks!

Sun, 06/07/2009 - 07:27 (Reply to #4)
Joe

<div class='quote'>Usermin is being used for each user so they can change passwords, use the MySQL module, see disk quatas etc. Just no mail accounts on this particular server. So basically each Mail/FTP user needs a dB created when the user is created in LDAP from Webmin. Then the User can setup there individual blog, etc.</div>

Hmmm...interesting question and direction. So you're giving all users a website, but you don't want them to have their own domain (joe.department.example.com, for example)--presumably you'll use an Apache mod_userdir for http://example.com/~user style websites? So these aren't users that should have their own domain, but you do want them to be able to build sites?

The MySQL problem is reasonably easy to solve...just make a simple script that creates databases and call it when modifying a user. In the Users and Groups module (Webmin:System:Users and Groups, click Module Config), select the "Before and After Commands" section, and fill in a script in the "Command to run after making changes" field. Something like "/usr/local/bin/makedatabase.sh" or something.

And, in /usr/local/bin/makedatabase.sh:
#!/bin/sh
[ &acirc;

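An added example, not the makedatabase.sh from the thread (the original did not survive extraction): a hook of the kind Joe describes, for the "Command to run after making changes" field of the Users and Groups module (or of LDAP Users and Groups, which has its own Module Config). It creates a MySQL database named after the new user and a MySQL account that can only touch that database. The variable names USERADMIN_ACTION (with the value CREATE_USER on user creation) and USERADMIN_USER are assumed from the module's documented hook environment; USERADMIN_PASS and USERADMIN_PLAINPASS are the two the thread itself mentions. The security point is that everything the hook receives ends up inside SQL text executed as the MySQL root user, so the username is restricted to a safe identifier charset and the password is escaped before it is interpolated.

```sh
#!/bin/sh
# Added example, not the script from the thread (that one did not survive
# extraction). A hook for the Users and Groups / LDAP Users and Groups
# module's "Command to run after making changes" that creates a MySQL
# database named after the new user plus a MySQL account limited to that
# database. Assumed from the module's hook environment: USERADMIN_ACTION
# (value CREATE_USER for a new user), USERADMIN_USER and
# USERADMIN_PLAINPASS; the thread itself confirms USERADMIN_PASS and
# USERADMIN_PLAINPASS exist.
#
# Everything here ends up inside SQL text, so the username is restricted
# to a safe identifier charset and the password is escaped before use;
# a username coming out of LDAP is untrusted input as far as this
# script is concerned.

# valid_username NAME: 0 if NAME is safe to use unquoted as a MySQL
# identifier and account name (lowercase, digits, underscore; MySQL
# account names of that era are limited to 16 characters).
valid_username() {
    case "$1" in
        '' | *[!a-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# sql_escape TEXT: escape backslashes and single quotes for use inside a
# single-quoted MySQL string literal.
sql_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# make_db_sql USER PLAINPASS: print the statements that create the
# database and the account. GRANT ... IDENTIFIED BY is the MySQL 5.0/5.1
# syntax of the era; on MySQL 8 use CREATE USER first and a plain GRANT.
make_db_sql() {
    user="$1"
    pass=$(sql_escape "$2")
    printf '%s\n' \
        "CREATE DATABASE IF NOT EXISTS \`$user\`;" \
        "GRANT ALL PRIVILEGES ON \`$user\`.* TO '$user'@'localhost' IDENTIFIED BY '$pass';" \
        "FLUSH PRIVILEGES;"
}

# run_hook: the part Webmin actually invokes. Only acts on user creation,
# refuses unsafe names, and feeds the SQL to the mysql client on stdin so
# neither password appears on a command line. The MySQL root credentials
# are expected in /root/.my.cnf (Webmin runs the hook as root).
run_hook() {
    [ "${USERADMIN_ACTION:-}" = "CREATE_USER" ] || return 0
    if ! valid_username "${USERADMIN_USER:-}"; then
        echo "makedatabase: refusing unsafe username '${USERADMIN_USER:-}'" >&2
        return 1
    fi
    if [ -z "${USERADMIN_PLAINPASS:-}" ]; then
        echo "makedatabase: no plaintext password for $USERADMIN_USER" >&2
        return 1
    fi
    make_db_sql "$USERADMIN_USER" "$USERADMIN_PLAINPASS" | mysql --defaults-file=/root/.my.cnf
}

# Only run when invoked as a hook (the variables are set); sourcing the
# file for testing does nothing.
if [ -n "${USERADMIN_ACTION:-}" ]; then
    run_hook
fi
```

Install it as /usr/local/bin/makedatabase.sh, owned by root and mode 0700, since it runs as root from Webmin and anyone who can edit it can run SQL as the MySQL root user. Giving the MySQL account the same password as the LDAP login is what the thread asks for; it also means a leaked DB password is a leaked shell password, which is worth knowing before copying this design.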

Thu, 07/24/2008 - 11:54 (Reply to #5)
parsonscdt

alternatives fixed the MTA issue. Thanks!

Here is a screenshot of the Java error that happens on some Mac OS X computers. I have not figured out a workaround yet.

Sun, 06/07/2009 - 07:27 (Reply to #7)
parsonscdt

<div class='quote'>Hmmm...interesting question and direction. So you're giving all users a website, but you don't want them to have their own domain (joe.department.example.com, for example)--presumably you'll use an Apache mod_userdir for http://example.com/~user style websites? So these aren't users that should have their own domain, but you do want them to be able to build sites?</div>

As of right now each user can't have their own separate sub-domain. This is a possibility in the future, but for now I am stuck using mod_userdir. Each of the users is required to have a development area on the server, web space and one of several approved blogging environments.

<div class='quote'>But, this doesn't necessarily solve the problems of allowing scripts. I'm not sure if userdir can be configured with SuExec, so security might be an issue in a shared system like this. OK, good, it can:

http://httpd.apache.org/docs/2.0/suexec.html#usage

Ah, but it requires a compile time option (--with-suexec-userdir=DIR) that no standard packages include! Argh. Problematic.

Hmm, we'll need to think on this one a bit. We may need to get a custom Apache build for this to work securely.</div>

I was wondering about that. When I have setup previous systems for user environments, I did use the --with-suexec-userdir=DIR flag with the default being public_html for custom Apache installs. Is it possible to get the src and rpm spec file to build this?

<div class='quote'>The MySQL problem is reasonably easy to solve...just make a simple script that creates databases and call it when modifying a user. In the Users and Groups module (Webmin:System:Users and Groups, click Module Config), select the "Before and After Commands" section, and fill in a script in the "Command to run after making changes" field. Something like "/usr/local/bin/makedatabase.sh" or something.

And, in /usr/local/bin/makedatabase.sh:

#!/bin/sh

[ &acirc;
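An added example, not from the thread: before deciding whether a rebuild with --with-suexec-userdir is needed, read what the installed suexec binary was actually compiled with. suexec is the piece that makes ~user scripts run as the owning user instead of as apache, and `suexec -V` prints its compile-time settings, one "-D NAME=VALUE" per line, to stderr. The functions below take that output on stdin so they can be checked offline; the sample output at the bottom is constructed with typical values and is not taken from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. suexec is the piece that lets
# ~user scripts run as the owning user instead of as apache, so before
# deciding whether a rebuild with --with-suexec-userdir is needed, read
# what the installed binary was actually compiled with: `suexec -V`
# prints its compile-time settings (one "-D NAME=VALUE" per line, to
# stderr). The functions below take that output on stdin so they can
# be exercised offline.

# suexec_settings: normalise `suexec -V` output to NAME=VALUE lines.
suexec_settings() {
    awk '$1 == "-D" { v = $2; gsub(/"/, "", v); print v }'
}

# suexec_userdir_suffix: print the userdir suffix (e.g. public_html),
# or return 1 if suexec was built without userdir support.
suexec_userdir_suffix() {
    suexec_settings | sed -n 's/^AP_USERDIR_SUFFIX=//p' | grep .
}

# suexec_accepts_ids UID GID: 0 if suexec would run a script owned by
# UID:GID, i.e. both are at or above the compiled-in minimums. An LDAP
# user with a low uid is refused by suexec even when userdir works.
suexec_accepts_ids() {
    settings=$(suexec_settings)
    uid_min=$(printf '%s\n' "$settings" | sed -n 's/^AP_UID_MIN=//p')
    gid_min=$(printf '%s\n' "$settings" | sed -n 's/^AP_GID_MIN=//p')
    [ -n "$uid_min" ] && [ -n "$gid_min" ] &&
        [ "$1" -ge "$uid_min" ] && [ "$2" -ge "$gid_min" ]
}

# Constructed sample of `suexec -V` output in the format of the era;
# the values are typical, not taken from the thread.
sample_suexec_v() {
    printf '%s\n' \
        ' -D AP_DOC_ROOT="/var/www"' \
        ' -D AP_GID_MIN=100' \
        ' -D AP_HTTPD_USER="apache"' \
        ' -D AP_LOG_EXEC="/var/log/httpd/suexec.log"' \
        ' -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"' \
        ' -D AP_UID_MIN=500' \
        ' -D AP_USERDIR_SUFFIX="public_html"'
}

# Stand-alone use on a CentOS 5 host (as root):
if [ -x /usr/sbin/suexec ]; then
    out=$(/usr/sbin/suexec -V 2>&1)
    if suffix=$(printf '%s\n' "$out" | suexec_userdir_suffix); then
        echo "suexec userdir suffix: $suffix"
    else
        echo "suexec has no userdir support; rebuild with --with-suexec-userdir"
    fi
fi
```

Even with userdir support compiled in, suexec only runs scripts whose owner and group are at or above AP_UID_MIN and AP_GID_MIN, so the uid/gid ranges handed out to LDAP users need to clear those minimums, and the CGI option has to be switched on per user in Apache's UserDir configuration.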

Fri, 07/25/2008 - 14:19 (Reply to #9)
parsonscdt

<div class='quote'>For CentOS 5 (the GPL and Professional repos are identical, when it comes to everything except Virtualmin). I'm building an httpd package update for CentOS 5 at this very moment, though...I'll do a little research and see if this option will cause anyone any trouble, and if not, I'll roll it out for everyone.</div>

Good to know that info for the future. I will wait to see if you roll out a httpd update before I compile one.

Thanks!

Sun, 06/07/2009 - 07:27 (Reply to #10)
parsonscdt

<div class='quote'>#!/bin/sh

[ &acirc;

Sat, 07/26/2008 - 10:30 (Reply to #12)
Joe

That script should work fine - all the variables in it are OK.

However, if you are adding users to an LDAP database, make sure you set the path to it at Webmin -> System -> LDAP Users and Groups -> Module Config.


Sun, 06/07/2009 - 07:27 (Reply to #13)
parsonscdt

<div class='quote'>OK, I've updated the Users and Groups module documentation to include all of the bits that were missing, including all of the available variables.

http://doxfer.com/Webmin/UsersAndGroups

The LDAP module is also documented at Doxfer, but just refers to Users and Groups for most of the details.</div>

Awesome, that helps a ton! I actually ended up finding this on the web too. I ordered the book also, just waiting for it to be delivered...

For reference here is the script I ended up adding to the LDAP Users and Groups -> Module Config -> Before/After Commands:

[code:1][ &acirc;

Sun, 07/27/2008 - 13:54 (Reply to #15)
parsonscdt

<div class='quote'>When you disable a feature in a domain, it will remove the apache directives from the appropriate section of httpd.conf, just as it adds them when the feature is enabled.</div>

Ok. This works for some features but when I removed SVN and DAV access, I had to manually remove the directives from httpd.conf. It may have been caused by disabling both at the same time?

Sun, 07/27/2008 - 14:00 (Reply to #16)
Joe

This sounds like a bug .. although when I test this, those directives are removed just fine.


Sun, 06/07/2009 - 07:27 (Reply to #17)
parsonscdt

I have a new problem. This one is very urgent. I need to batch create about 100 users tonight and one of the variables that work fine when manually adding a LDAP user is not working when batching.

The script below sends an e-mail when the LDAP user is created. But when I batch-add the user, the $USERADMIN_PASS does not show up in the e-mail. All the rest of the variables work fine. The strange thing is there is also the makedatabase.sh script being run (earlier in this thread) that still works great. $USERADMIN_PASS sets the MySQL DB in that script just fine with the batch. The password is NOT being encrypted in the batch file. Any ideas?

Batch file format is:

create:username:password::gid:realname:path:shell::::::givenName=name:sn=lname:mail=e-mail:telephoneNumber=number

###############BEGIN SCRIPT###############
#!/bin/sh

[ &acirc;
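An added example, not from the thread: a validator for batch files in the format quoted above, run before the file is fed to Webmin so that one malformed line does not spoil a run of a hundred users. The field layout is assumed from the post's line and the Users and Groups module's batch format (action:username:password:uid:gid:realname:home:shell:min:max:warn:inactive:expire, then optional LDAP attr=value fields); only "create" lines are handled, since that is what the batch in the post contains. Because the file carries plaintext passwords, it also warns when the file is readable by anyone but its owner. The sample lines in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Validates a Users and Groups batch
# file of the kind described above before it is fed to Webmin, so one
# malformed line does not abort a run of a hundred users, and warns when
# the file (which holds plaintext passwords) is readable by anyone but
# its owner. Field layout assumed from the post's line and the module's
# batch format:
#   create:username:password:uid:gid:realname:home:shell:min:max:warn:inactive:expire
# followed by optional LDAP attr=value fields. Only "create" lines are
# handled, since that is what the batch in the post contains.

# check_batch_line LINE: 0 if LINE is a usable create line, else prints
# the reason to stderr and returns 1.
check_batch_line() {
    printf '%s\n' "$1" | awk -F: '
        $1 != "create" { print "unhandled action: " $1 > "/dev/stderr"; exit 1 }
        NF < 13 { print "too few fields (" NF ")" > "/dev/stderr"; exit 1 }
        $2 !~ /^[a-z_][a-z0-9_-]*$/ { print "bad username: " $2 > "/dev/stderr"; exit 1 }
        $3 == "" { print "empty password for " $2 > "/dev/stderr"; exit 1 }
        $8 != "" && $8 !~ /^\// { print "shell is not an absolute path: " $8 > "/dev/stderr"; exit 1 }
        {
            for (i = 14; i <= NF; i++)
                if ($i !~ /^[A-Za-z][A-Za-z0-9]*=./) {
                    print "bad attribute: " $i > "/dev/stderr"; exit 1
                }
            exit 0
        }'
}

# check_batch_file FILE: validates every non-empty line, reports each
# rejected line number, and returns 1 if any line was rejected.
check_batch_file() {
    file="$1"
    bad=0
    n=0
    # ls -l columns 5-10 are the group and other permission bits.
    case "$(ls -ld "$file" | cut -c5-10)" in
        *r*) echo "warning: $file is group/world readable and contains plaintext passwords" >&2 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        check_batch_line "$line" || { echo "$file: line $n rejected" >&2; bad=$((bad + 1)); }
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Stand-alone use: check_batch_file users.batch
if [ "$#" -eq 1 ]; then
    check_batch_file "$1"
fi
```

The username check is deliberately the same narrow charset a hook script should accept, since every after-change hook on the thread interpolates $USERADMIN_USER into a shell command or SQL statement; a name that fails here would fail (or worse, succeed) there. Delete the batch file once the import is done.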

Sun, 07/27/2008 - 20:15 (Reply to #19)
parsonscdt

<div class='quote'>Have you tried $USERADMIN_PLAINPASS ? That should contain the un-encrypted password ..</div>

Hmm.. I didn't see that variable in the list. I will give that a try.

What did solve the problem, though it takes a manual change, is to change the scripts to run before the LDAP batch add. When the scripts run before it will fail to add a user if the user is added manually. So just change the scripts to run after for manual adds.

I will give the $USERADMIN_PLAINPASS a try.

Thanks!!

Fri, 07/25/2008 - 14:07
Joe

<div class='quote'>I was wondering about that. When I have setup previous systems for user environments, I did use the --with-suexec-userdir=DIR flag with the default being public_html for custom Apache installs. Is it possible to get the src and rpm spec file to build this?</div>

Yes, our SRPMs are available in the SRPMS directory of the repository for your OS.

For example:

http://software.virtualmin.com/gpl/centos/5/SRPMS/

For CentOS 5 (the GPL and Professional repos are identical, when it comes to everything except Virtualmin). I'm building an httpd package update for CentOS 5 at this very moment, though...I'll do a little research and see if this option will cause anyone any trouble, and if not, I'll roll it out for everyone.


Sat, 07/26/2008 - 10:22
Joe

<div class='quote'>My question is where I can find information about the variables that you are passing to the script above. I am curious if I can write the script to create the db, add the user with the appropriate privileges and also pass the users password to the command. I looked on the site but couldn't find a doc with the variables. I may have just missed it though.</div>

Unfortunately, the tables that contained the examples of variable use (and lots of other stuff) from Jamie's book didn't make it into the wiki at Doxfer.com. I'm working through those manually now for that chapter, and it should be finished in an hour or two.

I'll ask Jamie to drop in on this thread, as well, as I'm not deeply familiar with the LDAP support. There may be something else needed when using LDAP.


Sat, 07/26/2008 - 14:48 (Reply to #22)
Joe

OK, I've updated the Users and Groups module documentation to include all of the bits that were missing, including all of the available variables.

http://doxfer.com/Webmin/UsersAndGroups

The LDAP module is also documented at Doxfer, but just refers to Users and Groups for most of the details.


Sun, 07/27/2008 - 13:13
Joe

When you disable a feature in a domain, it will remove the apache directives from the appropriate section of httpd.conf, just as it adds them when the feature is enabled.


Sun, 07/27/2008 - 20:10
Joe

Have you tried $USERADMIN_PLAINPASS ? That should contain the un-encrypted password ..

