#443 run userdel.local before directory is removed

This commit is contained in:
Roland Gruber 2025-07-02 07:59:46 +02:00
parent be0923a224
commit 8ddcd7965a
3 changed files with 167 additions and 167 deletions

View file

@ -1,4 +1,5 @@
September 2025 9.3 September 2025 9.3
- Lamdaemon: run /usr/sbin/userdel.local before (and no longer after) home directory is deleted (443)
- LAM Pro: - LAM Pro:
-> SMS support for password sending and password self-reset (441) -> SMS support for password sending and password self-reset (441)
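Review bot: the changelog entry should flag this as a behaviour change for existing /usr/sbin/userdel.local hooks rather than only as a new feature. A hook written against earlier releases could assume the home directory was already gone when it ran, while a hook that wants to archive or inspect the directory can now do so; one sentence such as "existing userdel.local scripts that expect the directory to be gone already must be adjusted" would spare administrators a surprise on upgrade.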

View file

@ -1,205 +1,204 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix id="a_lamdaemon"> <appendix id="a_lamdaemon">
<title>Setup for home directory and quota management</title> <title>Setup lamdaemon for home directory and quota management</title>
<para>Lamdaemon.pl is used to modify quota and home directories on a <para>Lamdaemon.pl is used to modify quota and home directories on a remote
remote or local host via SSH (even if homedirs are located on or local host via SSH (even if homedirs are located on localhost).</para>
localhost).</para>
<para>If you want wo use it you have to set up the following things to get <para>If you want to use it you have to set up the following things to get
it to work:</para> it to work:</para>
<section> <para><emphasis role="bold">Installation</emphasis></para>
<title>Installation</title>
<para>First of all, you need to install lamdaemon.pl on your remote <para>First of all, you need to install lamdaemon.pl on your remote server
server where LAM should manage homedirs and/or quota. This is usually a where LAM should manage homedirs and/or quota. This is usually a different
different server than the one where LAM is installed. But there is no server than the one where LAM is installed. But there is no problem if it is
problem if it is the same.</para> the same.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata fileref="images/lamdaemonServers.png" /> <imagedata fileref="images/lamdaemonServers.png"/>
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para></para> <para/>
<para><emphasis role="bold">Debian based (e.g. also <itemizedlist>
Ubuntu)</emphasis></para> <listitem>
<para>Debian based (e.g. also Ubuntu): Please install the lamdaemon DEB
package on your quota/homedir server.</para>
</listitem>
<para>Please install the lamdaemon DEB package on your quota/homedir <listitem>
server.</para> <para>RPM based (Fedora, CentOS, Suse, ...): Please install the
lamdaemon RPM package on your quota/homedir server.</para>
</listitem>
<para><emphasis role="bold">RPM based (Fedora, CentOS, Suse, <listitem>
...)</emphasis></para> <para>Other: Please copy lib/lamdaemon.pl from the LAM tar.bz2 package
to your quota/homedir server. The location may be anywhere (e.g. use
<para>Please install the lamdaemon RPM package on your quota/homedir
server.</para>
<para><emphasis role="bold">Other</emphasis></para>
<para>Please copy lib/lamdaemon.pl from the LAM tar.bz2 package to your
quota/homedir server. The location may be anywhere (e.g. use
/opt/lamdaemon). Please make the lamdaemon.pl script executable.</para> /opt/lamdaemon). Please make the lamdaemon.pl script executable.</para>
</section> </listitem>
</itemizedlist>
<section id="a_lamdaemonConf"> <para><emphasis role="bold">LAM server profile
<title>LDAP Account Manager configuration</title> configuration</emphasis></para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Set the remote or local host in the configuration (e.g. <para>Set the remote or local host in the configuration (e.g.
127.0.0.1)</para> 127.0.0.1)</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Path to lamdaemon.pl, e.g. <para>Path to lamdaemon.pl, e.g. /srv/www/htdocs/lam/lib/lamdaemon.pl If
/srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a DEB or you installed a DEB or RPM package then the script will be located at
RPM package then the script will be located at /usr/share/ldap-account-manager/lib/lamdaemon.pl.</para>
/usr/share/ldap-account-manager/lib/lamdaemon.pl.</para> </listitem>
</listitem>
<listitem> <listitem>
<para>Your LAM admin user must be a valid Unix account. It needs to <para id="a_lamdaemonConf">Your LAM admin user must be a valid Unix
have the object class "posixAccount" and an attribute "uid". This account. It needs to have the object class "posixAccount" and an
account must be accepted by the SSH daemon of your home directory attribute "uid". This account must be accepted by the SSH daemon of your
server. Do not create a second local account but change your system home directory server. Do not create a second local account but change
to accept LDAP users. You can use LAM to add the Unix account part your system to accept LDAP users. You can use LAM to add the Unix
to your admin user or create a new account. Please do not forget to account part to your admin user or create a new account. Please do not
setup LDAP write access (<ulink forget to setup LDAP write access (<ulink
url="http://www.openldap.org/doc/admin24/access-control.html">ACLs</ulink>) url="http://www.openldap.org/doc/admin24/access-control.html">ACLs</ulink>)
if you create a new account.</para> if you create a new account.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para></para> <para/>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata fileref="images/lamdaemon.png" /> <imagedata fileref="images/lamdaemon.png"/>
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para>Note that the builtin admin/manager entries do not work for <para>Note that the builtin admin/manager entries do not work for lamdaemon.
lamdaemon. You need to login with a Unix account.</para> You need to login with a Unix account.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata fileref="images/lamdaemon1.png" /> <imagedata fileref="images/lamdaemon1.png"/>
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para><emphasis role="bold">OpenLDAP ACL location:</emphasis></para> <para><emphasis role="bold">OpenLDAP ACL location</emphasis></para>
<para>The access rights for OpenLDAP are configured in <para>The access rights for OpenLDAP are configured in /etc/ldap/slapd.conf
/etc/ldap/slapd.conf or or /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif.</para>
/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif.</para>
</section>
<section> <para><emphasis role="bold">Setup sudo</emphasis></para>
<title>Setup sudo</title>
<para>The perl script has to run as root. Therefore we need a wrapper, <para>The perl script has to run as root. Therefore we need a wrapper, sudo.
sudo. Edit /etc/sudoers on host where homedirs or quotas should be used Edit /etc/sudoers on host where homedirs or quotas should be used and add
and add the following line:</para> the following line:</para>
<para>$admin All= NOPASSWD: $path_to_lamdaemon *</para> <para>$admin All= NOPASSWD: $path_to_lamdaemon *</para>
<para><emphasis condition="">$admin</emphasis> is the admin user from <para><emphasis condition="">$admin</emphasis> is the admin user from LAM
LAM (must be a valid Unix account) and (must be a valid Unix account) and <emphasis>$path_to_lamdaemon</emphasis>
<emphasis>$path_to_lamdaemon</emphasis> is the path to is the path to lamdaemon.pl.</para>
lamdaemon.pl.</para>
<para><emphasis role="bold">Example:</emphasis></para> <para>Example:</para>
<para>myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl <para>myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl *</para>
*</para>
<para>You might need to run the sudo command once manually to init sudo. <para>You might need to run the sudo command once manually to init sudo. The
The command "sudo -l" will show all possible sudo commands of the command "sudo -l" will show all possible sudo commands of the current
current user.</para> user.</para>
<para><emphasis role="bold">Attention:</emphasis> Please do not use the <para><emphasis role="bold">Attention:</emphasis> Please do not use the
options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers. options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers.
Otherwise you might get errors like "you must have a tty to run sudo" or Otherwise you might get errors like "you must have a tty to run sudo" or "no
"no tty present and no askpass program specified".</para> tty present and no askpass program specified".</para>
</section>
<section> <para><emphasis role="bold">Setup Perl</emphasis></para>
<title>Setup Perl</title>
<para>We need an extra Perl module - Quota. To install it, run:</para> <para>We need an extra Perl module - Quota. To install it, run:</para>
<simplelist>
<member>perl -MCPAN -e shell</member>
<member>install Quota</member>
</simplelist>
<para>If your Perl executable is not located in /usr/bin/perl you will have
to edit the path in the first line of lamdaemon.pl. If you have problems
compiling the Perl modules try installing a newer release of your GCC
compiler and the "make" application.</para>
<para>Several Linux distributions already include a quota package for
Perl.</para>
<para><emphasis role="bold">Set up SSH</emphasis></para>
<para>Your SSH daemon must offer the password authentication method. To
activate it just use this configuration option in
/etc/ssh/sshd_config:</para>
<para>PasswordAuthentication yes</para>
<para><emphasis role="bold">Calling of external scripts</emphasis></para>
<para>The following extra scripts are called if they exist:</para>
<itemizedlist>
<listitem>
<para>Create home directory: /usr/sbin/useradd.local &lt;USER NAME&gt;
(after directory was created)</para>
</listitem>
<listitem>
<para>Delete home directory: /usr/sbin/userdel.local &lt;USER NAME&gt;
(before directory is removed)</para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">Troubleshooting</emphasis></para>
<para>If you have problems managing quotas and home directories then these
points might help:</para>
<itemizedlist>
<listitem>
<para>There is a test page for lamdaemon: Login to LAM and open Tools
-&gt; Tests -&gt; Lamdaemon test</para>
</listitem>
<listitem>
<para>Check /var/log/auth.log or its equivalent on your system. This
file contains messages about all logins. If the ssh login failed then
you will find a description about the reason here.</para>
</listitem>
<listitem>
<para>Set sshd in debug mode. In /etc/ssh/sshd_conf add these
lines:</para>
<simplelist> <simplelist>
<member>perl -MCPAN -e shell</member> <member>SyslogFacility AUTH</member>
<member>install Quota</member> <member>LogLevel DEBUG3</member>
</simplelist> </simplelist>
<para>If your Perl executable is not located in /usr/bin/perl you will <para>Now check /var/log/syslog for messages from sshd.</para>
have to edit the path in the first line of lamdaemon.pl. If you have </listitem>
problems compiling the Perl modules try installing a newer release of </itemizedlist>
your GCC compiler and the "make" application.</para>
<para>Several Linux distributions already include a quota package for <para>Error message <emphasis role="bold">"Your LAM admin user (...) must be
Perl.</para> a valid Unix account to work with lamdaemon!"</emphasis>: This happens if
</section> you use the default LDAP admin/manager user to login to LAM. Please see
<link linkend="a_lamdaemonConf">here</link> and setup a Unix account.</para>
<section> </appendix>
<title>Set up SSH</title>
<para>Your SSH daemon must offer the password authentication method. To
activate it just use this configuration option in
/etc/ssh/sshd_config:</para>
<para>PasswordAuthentication yes</para>
</section>
<section>
<title>Troubleshooting</title>
<para>If you have problems managing quotas and home directories then
these points might help:</para>
<itemizedlist>
<listitem>
<para>There is a test page for lamdaemon: Login to LAM and open
Tools -&gt; Tests -&gt; Lamdaemon test</para>
</listitem>
<listitem>
<para>Check /var/log/auth.log or its equivalent on your system. This
file contains messages about all logins. If the ssh login failed
then you will find a description about the reason here.</para>
</listitem>
<listitem>
<para>Set sshd in debug mode. In /etc/ssh/sshd_conf add these
lines:</para>
<simplelist>
<member>SyslogFacility AUTH</member>
<member>LogLevel DEBUG3</member>
</simplelist>
<para>Now check /var/log/syslog for messages from sshd.</para>
</listitem>
</itemizedlist>
<para>Error message <emphasis role="bold">"Your LAM admin user (...)
must be a valid Unix account to work with lamdaemon!"</emphasis>: This
happens if you use the default LDAP admin/manager user to login to LAM.
Please see <link linkend="a_lamdaemonConf">here</link> and setup a Unix
account.</para>
</section>
</appendix>
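Review bot: the new "Calling of external scripts" list leaves out two facts an administrator needs in order to write a safe hook: both scripts are executed as root (lamdaemon.pl has already switched to its root privileges by then, see the `($<, $>) = ($>, $<)` swap in removeHomedir) with the user name as the only argument, and the hook's exit status is not checked, so a failing userdel.local does not stop the home directory from being deleted. Two things in the sudo paragraph are worth fixing while it is being touched: the template line `$admin All= NOPASSWD: $path_to_lamdaemon *` uses `All=` while the example below uses `ALL=`; sudoers treats ALL as a case-sensitive keyword, so `All` would be parsed as a host name and the rule would never match. And the advice to drop "Defaults env_reset" is unrelated to the quoted tty/askpass errors, which come from requiretty; keeping env_reset and adding `Defaults:$admin !requiretty` instead avoids passing a caller-controlled environment to a Perl script that runs as root.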

View file

@ -264,10 +264,10 @@ sub removeHomedir {
($<, $>) = ($>, $<); # Get root privileges ($<, $>) = ($>, $<); # Get root privileges
if (-d $vals[3] && $vals[3] ne '/') { if (-d $vals[3] && $vals[3] ne '/') {
if ((stat($vals[3]))[4] eq $vals[4]) { if ((stat($vals[3]))[4] eq $vals[4]) {
system 'rm', '-Rf', $vals[3]; # delete home directory
if (-e '/usr/sbin/userdel.local') { if (-e '/usr/sbin/userdel.local') {
system '/usr/sbin/userdel.local', $vals[0]; system '/usr/sbin/userdel.local', $vals[0];
} }
system 'rm', '-Rf', $vals[3]; # delete home directory
$return = "Ok"; $return = "Ok";
logMessage(LOG_INFO, "Home directory removed (" . $vals[3] . ")"); logMessage(LOG_INFO, "Home directory removed (" . $vals[3] . ")");
} }
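Review bot: the return value of `system '/usr/sbin/userdel.local', $vals[0];` is still discarded, so with the new ordering a hook that fails (for example an archive step that runs out of space) is followed by `rm -Rf` anyway and the caller still gets "Ok". Since the point of running the hook first is to let it act on the directory before it disappears, check `$?` after the call and, when it is non-zero, log the failure through logMessage and return an error instead of proceeding to the `rm`. Two smaller points in the same block: `-e` only tests existence, so a hook that is present but not executable fails silently where `-x` would make the condition honest, and the log line records only the removal, so there is no trace that the hook was invoked or how it exited.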