AddThis Social Bookmark Button

Print

LDAP Server Administration with GOsa

by Alexander Prohorenko
12/02/2004
Do you pine for the nice days of Minix-1.1, when men were men and wrote their own device drivers?
--Linus Torvalds, comp.os.minix

While I am not a fan of the various web management systems, sometimes I find them pretty useful and convenient. They have their advantages and disadvantages. For example, drawbacks include:

  • Security weaknesses, or the perception of weaknesses. Confirming these fears, consider a recent vulnerability report from Sept. 21, 2004, Flaw found in Unix/Linux admin tool:

    A flaw in two popular Unix and Linux administration consoles could lead to systems being compromised, according to an alert from security firm Secunia. The bug in Usermin, a widely used administration console for Unix and Linux, could allow the introduction of rogue shell code when a user views a particular e-mail via the web. The attacking code would assume the privileges of the Usermin administrator. Usermin lets users administer their own accounts on a network via a web-based interface and lets them carry out functions such as reading e-mail online. In its advisory, Secunia gave the vulnerability a "highly critical" rating--its second most severe category. Also affected is Webmin, a system administration tool that ships with Linux distributions such as Suse, Mandrake and Gentoo. Webmin contains Usermin functions, including the vulnerable web mail feature, Secunia said.

  • Limited configurability. Most systems can configure a smaller number of parameters than can an administrator with a text editor, the man pages, and the configuration files available directly.

Advantages include:

  • Improved presentation, using traditional WYSIWYG technology.
  • Integrity of operations. If the configuration change operation requires editing two or more configuration files, the interface can enforce this. Doing manual edits can cause administrators to miss updates.
  • The possibility of allowing less experienced users to configure services. However, this is also a disadvantage and a security weakness. Every system administrator should be a little bit paranoid.

Related Reading

LDAP System Administration
By Gerald Carter

Many software products have infrequently used options; for example, if I have initially set the system locale to US, I suppose that I'll rarely change that. Adding the option of changing the locale in the web interface is a low priority. However, not having the option there may lead an administrator to believe that it's not possible to change the locale at all.

The most famous web configuration tools are SWAT and Webmin.

SWAT is the Samba Web Administration Tool. SWAT uses integral Samba components to locate parameters supported by the particular version of Samba. Unlike external tools and utilities, SWAT is always up to date as known Samba parameters change. SWAT provides context-sensitive help for each configuration parameter, directly from man page entries. SWAT has pretty nice documentation, including Using Samba, 2nd Edition.

Webmin is a web-based interface for system administration for Unix systems. Using any browser that supports tables and forms (and Java for the File Manager module), you can set up user accounts, Apache, DNS, file sharing, and so on. Currently it works only on Unix platforms, but the Windows version is already under development. Webmin includes a simple web server to run several CGI programs, which update system files directly. The web server and all CGI programs are written in Perl. Dru Lavigne's FreeBSD Basics has two interesting articles about Webmin, An Introduction to Webmin and An Introduction to Webmin--Part Two.

GOsa (GOnicus System Administrator) is a web administration tool for managing accounts and systems in LDAP databases, written in PHP and licensed under the GNU GPL. The author of GOsa is GONICUS GmbH, a German company. GOsa can manage users, groups, mail distribution lists, thin clients, and faxes. Users can retrieve information about themselves, use LDAP contact and telephone lists, change their passwords, and view fax statistics. Users can also configure their own mail accounts, but their configuration possibilities are limited.

The requirements for GOsa are not trivial, so it's usually not a good fit in a small office, such as one that only uses POP3. I'd suggest you to try Webmin instead. However, if your network uses LDAP and you run more than one service inside, GOsa would be a helpful solution. As for the compatibility list, GOsa provides access to POSIX, shadow, Samba, proxy, fax, pure FTP, and Kerberos accounts. It can also manage the Postfix/Cyrus server combination and can write user-adapted sieve scripts. Actually, it can configure any kind of software that uses LDAP.

To run GOsa, you need at least the following software:

I am not giving links to LDAP or IMAP4 servers—there are many implementations of these protocols, and GOsa does not limit itself to any specific software. On the other hand, GOsa has a better support for an OpenLDAP server and includes specific configuration files for this server, so you may like to use it instead of any other one. GOsa uses Crypt::SmbHash for creating a Samba hash.

Installing this software requires some time and definitely some experience, but it's pretty simple if you have both. I doubt that there is much sense in starting GOsa for your network if you only want to change user mail passwords through the Web. However, if you're already using LDAP services and have more than one system administrator, GOsa can make your work easier.

First download the latest GOsa version, as shown in Figure 1. At the time of this writing, the latest was gosa-2.1.3.tar.gz.

Figure 1
Figure 1. Downloading GOsa. Click on the image for a full-size screenshot.

The previous releases had patches available, but they're already in the new tarball.

Then, untar the downloaded tarball and look in the documentation files. Unlike Webmin and SWAT, GOsa has poor documentation. It comes in two files in the distribution, ./gosa-2.1.3/INSTALL and ./gosa-2.1.3/README. The most interesting one is INSTALL, which explains a typical installation.

First create a temporary (spool) directory for GOsa work files and the configuration directory, as Figure 2 suggests.

Figure 2
Figure 2. Creating GOsa directories. Click on the image for a full-size screenshot.

/var/spool/gosa is a spool directory, nobody and nogroup are a web user and its group, and /etc/gosa is a directory for the configuration files.

The documentation suggests modifying httpd.conf, the Apache configuration file. You can put the GOsa web tool into the VirtualHost part by adding the following:

<VirtualHost localhost:80>
	Alias /gosa /home/white/gosa/html
</VirtualHost>

Restart your web server.

# /usr/local/apache/bin/apachectl restart

Now, you'll be able to access the GOsa web console at http://localhost/gosa/setup.php.

After the first run, GOsa will create its configuration at /etc/gosa/gosa.conf (as long as you remembered to set the correct file permissions there and the file wasn't there previously). setup.php starts checking the system according to GOsa requirements; first it checks the PHP installation for required modules, then it checks the needed programs, and finally, after you provide basic information about your LDAP connection, it checks LDAP connectivity.

The most important parts of the PHP setup are the PHP version and the precompiled support for the IMAP4, LDAP, and GD libraries. If these three pieces are in place, setup.php proceeds further, marking the necessary elements OK or Failed, as appropriate. It marks optional components OK or Ignore. If setup.php can't test all needed elements, you will not be able to proceed.

After this, setup.php looks for a set of helper programs and checks their versions. Among these programs are ImageMagick and fping. Then it proceeds to the initial LDAP configuration, where it checks for the required LDAP schemas. It can also detect Samba versions. If the LDAP configuration is fine, the setup moves to the LDAP tree configuration screen.

On the LDAP tree configuration screen, you must specify the location name and the parameters to access the LDAP server. GOsa always acts as admin and manages access rights internally, and it needs the admin DN and corresponding password for this. (This is the documented workaround until OpenLDAP fully supports directory ACLs.) As an option, setup.php allows you to configure some basic LDAP parameters, including how to create accounts, and to change the locations where GOsa saves people and groups.

When you fill in all the necessary fields, setup.php finishes the process by saving the /etc/gosa/gosa.conf configuration file.

Now GOsa is a simple and a user-friendly web interface for your LDAP server. As far as LDAP is an integrated mechanism that allows the centralized management of access, authorization, and authentification, and the storage of the information, like the users and groups of users and different privileges, GOsa simply makes the LDAP possibilities for system administration needs available with a nicer interface.

Figure 3 shows a sample GOsa web interface screen.

Figure 3
Figure 3. The GOsa interface. Click on the image for a full-size screenshot.


Pages: 1, 2

Next Pagearrow