Overview
Webmin is a convenient interface for managing Linux servers, and it can use an LDAP server to store its users and groups so that they are shared among several Linux servers: a single credential can then be used to manage many servers with exactly the same permissions. Out of the box Webmin does not support Microsoft Active Directory; some adjustments are needed to make it work, and that is exactly what this document describes.
Keep in mind that Webmin users and groups are Webmin-specific objects and have nothing to do with native users and groups in AD. Think of AD as a shared storage location for Webmin's own objects.
This document assumes that you are already familiar with Webmin, Linux and MS AD.
It was written against Webmin version 1.720 and has also been tested up to version 1.730.
AD Preparation
First we need to create an OU that will be restricted and will contain the Webmin-related information: users, groups and so on.
In my example I have an OU called Global, under which I created a sub-OU called WebminAccounts:
Yourdomain.Local/Global/WebminAccounts
Next we need an AD account that Webmin will use to access AD. In my example I created
Yourdomain\_svc_LDAP_WebminAuth
and gave it Full Control on the OU Yourdomain.Local/Global/WebminAccounts, and nothing beyond that OU. This is the account whose password will be stored in Webmin's configuration on every managed server, so its rights should stop at that OU, its password should be long and random, and the bind should go over LDAPS (port 636) rather than plain LDAP on 389 where possible, since a simple bind otherwise sends that password in clear text.
The service account does not need to be created inside the OU above: it is not a Webmin object but a real AD account.
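The AD preparation above as one script, an added example that is not part of the original post. It assumes the domain yourdomain.local (NetBIOS name YOURDOMAIN), a service-account OU called ServiceAccounts, the RSAT ActiveDirectory module, and that you run it as a Domain Admin; change those to match your forest. Full Control is delegated with dsacls (GA = GENERIC_ALL, /I:T = this object and all children) so that the grant lands on the Webmin OU only.

```powershell
# Added example, not the post's own script. Creates the OU hierarchy and the
# service account, then delegates Full Control on the Webmin OU only.
# Assumptions: domain yourdomain.local / YOURDOMAIN, an OU=ServiceAccounts for
# the account, RSAT ActiveDirectory module, run as Domain Admin.
Import-Module ActiveDirectory

$domainDN = 'DC=yourdomain,DC=local'           # assumption: your domain DN
$netbios  = 'YOURDOMAIN'                       # assumption: NetBIOS domain name
$svcName  = '_svc_LDAP_WebminAuth'
$globalOU = "OU=Global,$domainDN"
$webminOU = "OU=WebminAccounts,$globalOU"
$svcOU    = "OU=ServiceAccounts,$domainDN"     # assumption: where service accounts live

# 1. OU hierarchy. Protected from accidental deletion: every managed server's
#    Webmin login data will be stored under it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Global'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Global' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'WebminAccounts'" -SearchBase $globalOU -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'WebminAccounts' -Path $globalOU -ProtectedFromAccidentalDeletion $true
}

# 2. Service account. Long random password: Webmin keeps it on every server.
$pw = Read-Host -AsSecureString "Password for $svcName (long, random; it is stored on each Webmin server)"
New-ADUser -Name $svcName -SamAccountName $svcName `
    -UserPrincipalName "$svcName@yourdomain.local" -Path $svcOU `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Webmin LDAP bind account: Full Control on OU=WebminAccounts only'

# 3. Full Control on the Webmin OU and everything under it, and nowhere else.
dsacls $webminOU /I:T /G "${netbios}\${svcName}:GA"

# 4. Verify the delegation as the AD: drive sees it (expect GenericAll, inherited to All).
(Get-Acl "AD:\$webminOU").Access |
    Where-Object { $_.IdentityReference -like "*\$svcName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

The last step is the check worth keeping: if the service account shows up anywhere other than under OU=WebminAccounts in a later audit, the delegation has drifted.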
Schema extension using the LDIF file.
Once that is done we need to create the required schema, because Webmin uses custom object classes. We cannot use the webmin.schema file offered in the Webmin interface, since it is written for OpenLDAP; even after conversion to LDIF it does not work properly, so I made my own LDIF file.
The OIDs and names were kept because they are properly registered, so there will be no conflict with anything you currently have in your Active Directory. Be very aware, though, that like every schema extension this is an irreversible process; I decline any responsibility for problems you may have using this procedure. Try it in a lab forest first.
Log on to the domain controller that holds the Schema Master role, as a member of Schema Admins.
Have the file ADWebmin.ldif ready (see the attachment to this post).
The LDIF file is domain independent, so the -c argument of ldifde is required: be sure to replace the highlighted string (shown in the original screenshot) with your real domain name. The log folder (-j) also matters, as it keeps a trace of what happened.
Then reload the schema so that the changes show up in the console.
Using the Active Directory Schema snap-in, open the permissions of the three new classes (webminUser, webminGroup and webminAcl) and add the service account with full rights.
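The schema steps above as one script, an added example that is not the post's own. It assumes the placeholder for the domain part of the DNs in ADWebmin.ldif is DC=X (use whatever the attached file actually contains), the domain yourdomain.local, and that the three classes carry the ldapDisplayName values the post gives; the classSchema objects are located by that name rather than by guessing their CN. It checks the two preconditions (Schema Master, Schema Admins) before importing, because the import cannot be undone.

```powershell
# Added example, not the post's own script. Run on the Schema Master as a
# member of Schema Admins. Assumptions: ADWebmin.ldif uses DC=X as the domain
# placeholder, domain yourdomain.local, service account YOURDOMAIN\_svc_LDAP_WebminAuth.
Import-Module ActiveDirectory

$domainDN = 'DC=yourdomain,DC=local'          # assumption
$svc      = 'YOURDOMAIN\_svc_LDAP_WebminAuth' # assumption
$ldif     = 'C:\Temp\ADWebmin.ldif'           # assumption: where you saved the attachment
$logDir   = 'C:\Temp\webmin-schema'           # ldifde -j writes ldif.log and ldif.err here
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Preconditions. The extension is irreversible, so stop before touching anything.
$schemaMaster = (Get-ADForest).SchemaMaster
if ($env:COMPUTERNAME -ne ($schemaMaster -split '\.')[0]) {
    throw "Run this on the Schema Master ($schemaMaster), not on $env:COMPUTERNAME"
}
if (-not ((Get-ADPrincipalGroupMembership $env:USERNAME).Name -contains 'Schema Admins')) {
    throw 'You must be a member of Schema Admins (log off and on again after being added)'
}

# 2. Import. -c rewrites the placeholder domain into the real one, -j keeps the
#    log, -k continues past "object already exists" so a re-run is harmless.
New-Item -ItemType Directory -Force -Path $logDir | Out-Null
ldifde -i -f $ldif -c 'DC=X' $domainDN -j $logDir -k
if ($LASTEXITCODE -ne 0) { throw "ldifde failed; see $logDir\ldif.err" }

# 3. Reload the schema cache so the new classes are usable at once.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# 4. Verify each class landed, then give the service account full rights on its
#    classSchema object, which is what the post does through the Schema snap-in.
foreach ($cls in 'webminUser', 'webminGroup', 'webminAcl') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(ldapDisplayName=$cls)" -Properties governsID
    if (-not $obj) { throw "Class $cls is not in the schema; check $logDir\ldif.err" }
    '{0}  {1}' -f $obj.DistinguishedName, $obj.governsID
    dsacls $obj.DistinguishedName /G "${svc}:GA"
}
```

The governsID printed in step 4 lets you compare the imported OIDs with the ones in the LDIF before anything else depends on them.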
Configure webmin to use LDAP
You need the Perl LDAP libraries (Net::LDAP), so install them if they are not present yet. In my case I am using CentOS and I added them with the usual yum command (the package is perl-LDAP) inside a remote shell session; use SSH for that rather than telnet, since telnet carries the root password in clear text.
Next go into Webmin.
Enter the information for your own domain.
At this point the integration is only partial: creating and deleting users may already work to some extent, but a few more steps are needed or you will run into errors like this one:
Failed to save user : Failed to modify user : 000020B1: UpdErr: DSID-030F1080, problem 6004 (CANT_ON_RDN), data 0
This happens because Microsoft does not allow changing cn with an ordinary LDAP modify: cn is the RDN, so the DN depends on it, and changing it is a separate rename (modify DN) operation, which is what ADUC performs when you rename an object. Renaming a user will therefore never work from the Webmin interface, but we can at least make every other change work by removing the update of the cn field.
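To see the failure mode outside Webmin, and to confirm at the same time that the service account's delegation is sufficient, here is an added example (not from the original post) that binds as the service account, modifies a non-RDN attribute, attempts the same modify of cn that Webmin issues, and then performs the rename the way AD expects. It assumes the domain controller dc01.yourdomain.local and the OU and account from the AD Preparation section; a throw-away contact object stands in for a Webmin user so that no custom schema is needed.

```powershell
# Added example, not the post's own script. Reproduces CANT_ON_RDN and shows the
# modify-DN alternative, binding as the Webmin service account throughout.
# Assumptions: DC dc01.yourdomain.local, OU and service account as prepared above.
Import-Module ActiveDirectory

$dc       = 'dc01.yourdomain.local'                                      # assumption
$webminOU = 'OU=WebminAccounts,OU=Global,DC=yourdomain,DC=local'         # assumption
$cred     = Get-Credential -UserName 'YOURDOMAIN\_svc_LDAP_WebminAuth' -Message 'Service account password'

# Throw-away contact object in place of a Webmin user; it needs no custom classes.
$obj = New-ADObject -Name 'cntest' -Type contact -Path $webminOU -PassThru -Server $dc -Credential $cred

# Any attribute other than the RDN can be changed with a plain modify.
Set-ADObject $obj -Replace @{description = 'updated by the service account'} -Server $dc -Credential $cred

# Modifying cn is what Webmin does on save and what AD refuses (000020B1 / CANT_ON_RDN).
try {
    Set-ADObject $obj -Replace @{cn = 'cntest2'} -Server $dc -Credential $cred
    Write-Warning 'Unexpected: AD accepted a modify of cn'
} catch {
    "Modify of cn rejected as expected: $($_.Exception.Message)"
}

# A rename is a modify-DN operation, which is what ADUC issues; it succeeds.
Rename-ADObject $obj -NewName 'cntest2' -Server $dc -Credential $cred
$renamed = Get-ADObject -Identity $obj.ObjectGUID -Server $dc -Credential $cred
"Now: $($renamed.DistinguishedName)"

# Clean up the test object.
Remove-ADObject -Identity $obj.ObjectGUID -Confirm:$false -Server $dc -Credential $cred
```

If the first Set-ADObject already fails, the problem is the delegation on the OU, not the cn handling; the two faults produce different error texts.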
I made two procedures: a quick one, and a configurable one that adds a selectable option to the LDAP configuration page.
*Remember that the line numbers may change a little depending on the version of Webmin you have, so try to recognize the surrounding lines from my screenshots.
*You may have to redo this each time you update the Webmin software on the servers, if those files are overwritten. This document was written with version 1.720.
CN fix – Configurable method.
This method has a few more steps: it adds an option to enable or disable the Microsoft Active Directory mode, and a link to download the LDIF file.
Insert the following line around line 104 so that the new setting is saved to the configuration file.
*Remember that the line numbers may change a little depending on the version of Webmin you have, so try to recognize the surrounding lines from my screenshots.

$miniserv{'ldapmsad'} = $in{'msad'};

Then add the option to the LDAP configuration form:

push(@ldapgrid,
     "MS Active Directory",
     &ui_yesno_radio("msad", $miniserv{'ldapmsad'}));

All this adds the "MS Active Directory" yes/no option to the configuration page.
Where the LDAP update is built, read the flag so that the cn update can be skipped when it is set (the original shows this line twice, once at each place it is needed):

my $msad = $miniserv{'ldapmsad'};

Edit /usr/libexec/webmin/acl/schema.cgi, go to line 17 and change it to:

print &text('schema_download', 'webmin.schema'),
      " <a href=/acl/ADWebmin.ldif>MS Active Directory</a>","<p>\n";

This adds a link on the schema download page right beside the original one. Copy ADWebmin.ldif into the acl module directory (/usr/libexec/webmin/acl/ here) so that the link resolves.
Known limitations
As mentioned earlier, some operations cannot be done, such as renaming a user or group: Microsoft does not allow changing cn with a plain modify because the DN depends on it, and only a rename (modify DN), as ADUC performs it, can do that.
You can see the Webmin objects in ADUC, but to see everything, the ACL objects included, you will need ADSI Edit.