Free Software at Schools: Installing and Maintaining a Debian-Edu Network; Also Known as Skolelinux
Chapter 12. Daily Operation of Skolelinux/Debian-edu Network with Webmin
There are several systems for user information and administration in Skolelinux/Debian-edu, but now we use LDAP and the utility WLUS, and not /etc/passwd and its accompanying commands such as adduser, useradd, etc.
To get access to Webmin, point your favourite web browser to the address https://tjener.intern:10000/ldap-users. You can use any web browser you want. You can also connect a Mac machine and run it from there.
The first thing you see is a dialogue box where you log in as the user root, with the password you created during installation; see Figure 6-4.
After you have logged in to Webmin you will see this welcome screen for WLUS.
Because we haven't added any users yet, it would be natural for us to choose "New User(s)". But before we do that, we may want to adapt WLUS to our needs.
By clicking on "Module Config" we can change how strict we want our password policy to be, as well as where we want to put our users' home directories, plus other things. When you are done making your changes, click on "Save".
Now you should be ready to create new users. The first thing you should do is to create a test user. This is a user that you use as a template for setting up things exactly the way you want them to be for all of your users. Have a look at Chapter 11.
There are two different ways to add new users: either one at a time, or a whole bunch at once using a so-called semicolon-separated file (;). By clicking on "New User(s)" you get a rather long page. At the top is the possibility to add users manually one by one, by providing first/last name, together with password, if desired. A little farther down the page, you find the possibility to add several users at once, "Add users from file".
When you add a user in this way, the computer provides the username, and if you want, the password as well. But you can override this by ticking "Common password - Yes" and then typing in the password you want.
Remember to also choose what kind of role you want the new user to have.
When new users have been added using WLUS, you get a receipt with information about name, username and password, in a format that makes it easy to print it out, clip it up and give it to the user.
It is also possible to add an entire class of users, or even a whole school, by using the other way of adding users, that is, the so-called semicolon-separated file.
This file is formatted with the different fields separated by a semicolon. You can create this file by exporting it to a semicolon-separated file from the school's database of attending pupils, or by exporting from OpenOffice/Excel, or by using a regular, simple text editor such as ->->
In order to use the file import function, you have to scroll down to the bottom of the page where you find a dialogue box for adding users from file. Click on "Browse" to find your file with the semicolon-separated users. When you have found that file, click on "Add users from file".
When you have got the file with the users, you will see the different semicolon-separated items listed in different columns. At the top of each column you choose the name for its content; as a minimum you should have first name and last name.
When you add users from file, you get a nice list of the new users' usernames and passwords, in a format that is easy to print out and distribute to the user.
By clicking on "Search" without filling in the search field, you get a list of all users who are registered. By clicking on "User Data" you get the possibility of changing the password for that user, as well as other things such as the name of the user. If you want, you can also choose to move the user's home directory, but you will need to personally move the files in question since this is not done by WLUS.
When users are on the system, there are some extra possibilities to choose, such as "Delete user" and "Disable Login".
By putting a cross in front of a user, and choosing for example "Disable Login", that user will not be allowed to log in.
The result of having chosen "Disable Login" is seen as a fine red cross for that user.
By putting a cross in front of the user and clicking on "Enable Login" you will see a green cross reappear in front of that user. The user can log in again.
The users can change their own password, as long as they have one that works, by starting the program kdepasswd, which they can find in ->->
Of course, they can also use the command passwd from the command line.
This is where you type in the old password, that is, the one that the user used to log in. Note: if this is written incorrectly, then the kdepasswd program will "freeze". Log out/in to solve this.
This is where you type in the new password. Note: this must be 6, 7 or 8 characters, neither more nor less.
If everything goes the way it should, then this message will pop up.
If you type in a password that is longer than 8 characters, you will get a message that the password has been truncated, that is, only the first 8 characters have been used.
You can change the password for a user from the command line if you know the person's username.
/usr/share/debian-edu-config/tools/passwd brukernavn
You will be asked to type in a new password twice, and then finally you must type in the LDAP-administrator password.
In order to make changes in LDAP, such as adding users, changing passwords, etc., you must give a password, the so-called LDAP-admin password. This password is created during installation; see Figure 6-4. This password is one of 3 administrative passwords. The other two are the Webmin password, see Section 12.1, and the root password, see Figure 6-4.
The LDAP-admin password is changed from the command line with this command:
/usr/share/debian-edu-config/tools/passwd admin
Then you will be asked to provide the new password twice, as well as to type in the old one.
/usr/share/debian-edu-config/tools/passwd admin
Enter new password for user admin:
Reenter new password:
Enter bind password:
By using the command
slapcat -l /root/bruker.ldif
you will get a pure text file that contains the LDAP database. In this case, this is in the file named /root/bruker.ldif. This is a so-called ldif-file, ergo the file type "ldif". It would be smart to stop the slapd LDAP daemon before you bring up this ldif-file. This, along with stopping nscd (Name Service Cache Daemon), is done with the commands
/etc/init.d/slapd stop
/etc/init.d/nscd stop
/etc/init.d/slapd start
/etc/init.d/nscd start
You can edit this file, /root/bruker.ldif, with the help of your favourite text editor, for example kedit; see Section 8.2.
In this file you can make changes in usernames, home directories, groups, etc., the same as when you use the user administration module in Webmin, Section 12.3. The advantage of using an ldif-file is that you can change several things at once. This is the file you use if you have to reinstall and want to use the same usernames and passwords again; it is a little tedious to have to hand out 1000 new usernames and passwords.
Sometimes you just have to do a reinstallation. In order not to inconvenience the users too much, it's nice to let them keep using their old passwords and usernames. If you have that specific ldif-file from LDAP, then you can just put it in the new installation and your users will be able to continue to use their old usernames and passwords.
Recipe for Carrying Over the LDAP Database
On the old server, before you do the reinstallation, take out an ldif-file from LDAP:
/etc/init.d/slapd stop
slapcat -l /root/bruker.ldif
Remember that when slapd is stopped, no one can log in.
Move this file, /root/bruker.ldif, over to the new installation, either by using a USB-pendrive, or by using a CD.
In order to be able to put in the old LDAP database with the help of your bruker.ldif, you have to delete the one that is already there. The database files are found in /var/lib/ldap. A good way to get rid of them is to move them to another directory, just in case you need them later.
mkdir /root/dbb
/etc/init.d/slapd stop
/etc/init.d/nscd stop
mv /var/lib/ldap/* /root/dbb
slapadd -l bruker.ldif
/etc/init.d/slapd start
/etc/init.d/nscd start
Sometimes you can get into a situation where someone has experimented a little too much with various configurations, maybe so much that reinstallation would be the easiest thing to do.
If that happens with LDAP, there is a simpler way to "start from scratch" than to reinstall the whole system. You can delete your LDAP database that doesn't function the way you want it to, and then put in a new and unused one, in the same condition as it was right after installation. This means that all of your current users will be deleted.
The first thing you have to do is to make a copy of your current LDAP database, no matter whether it functions or not.
Stop the slapd daemon and nscd
/etc/init.d/slapd stop
/etc/init.d/nscd stop
Make a copy of the old LDAP database, that is create a so-called ldif-file
slapcat -l /root/ldap.old.ldif
Delete the old LDAP database
mkdir /root/dbb.old
mv /var/lib/ldap/* /root/dbb.old
Now you can put in a new, clean LDAP database with the command [1]
ldap-debian-edu-install
Delete the home directories for the users whom you have just thrown out. 'rm -rf' deletes the entire directory without asking. Be careful!
rm -rf /skole/tjener/home/user1
rm -rf /skole/tjener/home/user2
Be aware that you are now permanently deleting these home directories. Just in case you might regret this action later, it's wise to take a backup before you delete them. See Section 12.2.
If this doesn't work, you can put in the old LDAP database again:
/etc/init.d/slapd stop
/etc/init.d/nscd stop
mkdir /root/dbb2.old
mv /var/lib/ldap/* /root/dbb2.old
slapadd -l /root/ldap.old.ldif
/etc/init.d/slapd start
/etc/init.d/nscd start
Once in a while, it's wise to make a copy of the LDAP database:
slapcat -l /root/ldap.TodaysDate.ldif
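The routine dated copy above, wrapped in a shell function, as an added example that is not part of the original page or of Debian-Edu's own tooling. It stops slapd and nscd as recommended earlier, creates the ldif-file readable by root only (the dump carries every user's password hash, which is why it can restore old passwords), and always restarts the daemons. SLAPCAT, INITD and BACKUP_DIR are hypothetical override variables introduced here.

```shell
#!/bin/sh
# Added example (not Debian-Edu's own tooling): dated LDAP dump following
# the page's steps. SLAPCAT, INITD and BACKUP_DIR are hypothetical override
# variables introduced here so the function can be tried against stubs.
SLAPCAT=${SLAPCAT:-slapcat}
INITD=${INITD:-/etc/init.d}
BACKUP_DIR=${BACKUP_DIR:-/root}

backup_ldap() {
    out="$BACKUP_DIR/ldap.$(date +%Y-%m-%d).ldif"
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077   # the dump holds password hashes: owner-only from creation

    "$INITD/slapd" stop || { umask "$old_umask"; return 1; }
    "$INITD/nscd" stop || true    # cache daemon; not fatal if already stopped

    rc=0
    "$SLAPCAT" -l "$out" || rc=$?

    # Restart even if the dump failed: while slapd is down, no one can log in.
    "$INITD/slapd" start || rc=1
    "$INITD/nscd" start || true
    umask "$old_umask"

    if [ "$rc" -ne 0 ]; then
        echo "LDAP dump failed (exit $rc)" >&2
        return 1
    fi
    # An empty dump is useless for a restore: require at least one entry.
    entries=$(grep -c '^dn: ' "$out" || true)
    if [ "$entries" -eq 0 ]; then
        echo "$out contains no entries" >&2
        return 1
    fi
    echo "$out"   # path of the finished dump
}
```

Call `backup_ldap` as root, for example from a nightly cron job, and copy the resulting file off the server with the same care as the root password.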
[1] In earlier versions of Skolelinux/Debian-edu this command was called ldap-skolelinux-install.