Lamdaemon.pl is used to modify quota and home directories on a remote or local host via SSH (even if homedirs are located on localhost).
If you want to use it you have to set up the following things to get it to work:
Installation
First of all, you need to install lamdaemon.pl on your remote server where LAM should manage homedirs and/or quota. This is usually a different server than the one where LAM is installed. But there is no problem if it is the same.
Debian based (e.g. also Ubuntu): Please install the lamdaemon DEB package on your quota/homedir server.
RPM based (Fedora, CentOS, Suse, ...): Please install the lamdaemon RPM package on your quota/homedir server.
Other: Please copy lib/lamdaemon.pl from the LAM tar.bz2 package to your quota/homedir server. The location may be anywhere (e.g. use /opt/lamdaemon). Please make the lamdaemon.pl script executable.
LAM server profile configuration
Set the remote or local host in the configuration (e.g. 127.0.0.1)
Path to lamdaemon.pl, e.g. /srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a DEB or RPM package then the script will be located at /usr/share/ldap-account-manager/lib/lamdaemon.pl.
Your LAM admin user must be a valid Unix account. It needs to have the object class "posixAccount" and an attribute "uid". This account must be accepted by the SSH daemon of your home directory server. Do not create a second local account but change your system to accept LDAP users. You can use LAM to add the Unix account part to your admin user or create a new account. Please do not forget to setup LDAP write access (ACLs) if you create a new account.
Note that the builtin admin/manager entries do not work for lamdaemon. You need to login with a Unix account.
OpenLDAP ACL location
The access rights for OpenLDAP are configured in /etc/ldap/slapd.conf or /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif.
Setup sudo
The perl script has to run as root. Therefore we need a wrapper, sudo. Edit /etc/sudoers on host where homedirs or quotas should be used and add the following line:
$admin All= NOPASSWD: $path_to_lamdaemon *
$admin is the admin user from LAM (must be a valid Unix account) and $path_to_lamdaemon is the path to lamdaemon.pl.
Example:
myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl *
You might need to run the sudo command once manually to init sudo. The command "sudo -l" will show all possible sudo commands of the current user.
Attention: Please do not use the options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers. Otherwise you might get errors like "you must have a tty to run sudo" or "no tty present and no askpass program specified".
Setup Perl
We need an extra Perl module - Quota. To install it, run:
| perl -MCPAN -e shell |
| install Quota |
If your Perl executable is not located in /usr/bin/perl you will have to edit the path in the first line of lamdaemon.pl. If you have problems compiling the Perl modules try installing a newer release of your GCC compiler and the "make" application.
Several Linux distributions already include a quota package for Perl.
Set up SSH
Your SSH daemon must offer the password authentication method. To activate it just use this configuration option in /etc/ssh/sshd_config:
PasswordAuthentication yes
Calling of external scripts
The following extra scripts are called if they exist:
Create home directory: /usr/sbin/useradd.local <USER NAME> (after directory was created)
Delete home directory: /usr/sbin/userdel.local <USER NAME> (before directory is removed)
Troubleshooting
If you have problems managing quotas and home directories then these points might help:
There is a test page for lamdaemon: Login to LAM and open Tools -> Tests -> Lamdaemon test
Check /var/log/auth.log or its equivalent on your system. This file contains messages about all logins. If the ssh login failed then you will find a description about the reason here.
Set sshd in debug mode. In /etc/ssh/sshd_conf add these lines:
SyslogFacility AUTH LogLevel DEBUG3 Now check /var/log/syslog for messages from sshd.
Error message "Your LAM admin user (...) must be a valid Unix account to work with lamdaemon!": This happens if you use the default LDAP admin/manager user to login to LAM. Please see here and setup a Unix account.