Webmin using AD to stored users and groups.

Overview
Webmin is a wonderful interface to manage Linux servers and Webmin can use an LDAP server to store users
and groups so you can share those information among different Linux servers so a single credential could be
used to manage several servers with the exact same permissions. Out of the box Webmin does not support MS
Active directory and it need some adjustment to make it work and this document is exactly that.

I remind all that Webmin’s Users/groups are specific Webmin objects and have nothing to do with native
users/groups in AD. You may see AD as a shared storage location for Webmin.

This document take for granted that you are already familiar with Webmin, Linux and MS AD.

This document has been written while using version 1.720 of Webmin but it has also been tested up to version
1.730

AD Preparation
First we need to create an OU that will be restricted and will contain Webmin related information like users,
groups and so on.

In my example I have an OU called Global under which I created a sub-OU called Webmin.

Yourdomain.Local/Global/WebminAccounts

Next we need an AD account that will be use by Webmin to access AD, in my example I created
Yourdomain\_svc_LDAP_WebminAuth
And set with FULL permission on the OU Yourdomain.Local/Global/WebminAccounts.
That service account does not need to be created in the previous created OU as it’s not specifically a Webmin
object but a real AD account.
Schema extension using the LDIF file.
Once done we need to create the required schema as Webmin use custom objects. We can’t use the file
webmin.schema provided in the Webmin interface because it was intended for openLDAP. Even with some
converter to LDIF, it will doesn’t work properly. So I made my own LDIF file.

The OID and names used was kept because they are well registered and there will be no conflict at all with what
we can currently have in our active directory. You just have to be very aware that this is an irreversible process
as every schema extensions. So I decline any responsibilities to problems you may have using this procedure.

Log on your domain controller that is the schema master and be sure to be a schema admin.

Have the file ADWebmin.ldif ready. See the attachment in this post.

The LDIF file are domain independent, so the –c argument is required so be sure to replace the string highlighted
with your real domain name. The log folder is also important as it will keep a trace of what happen.

ldifde -i -k -f ADWebmin.ldif -c DC=x DC=YourDomain,DC=local -j C:\tmp

If we take a look in the log, we can see what happen.

Then reload the schema to be sure that changes are reported in the console.

You should have listed 3 new classes and 5 attributes.

Permissions on the new classes
If the account used in webmin(Yourdomain\_svc_LDAP_WebminAuth) to create webmin accounts in AD is not a domain
admins, you will need to add some permissions on the 3 new classes.

Using the schema administration go in the permissions of all 3 new classes(webminUser, webminGroup and webminAcl)
and add our service account with full rights.
Configure webmin to use LDAP
You need Perl-Ldap libraries, so if not installed yet you need to do it. In my case I’m using Centos and I add it
using the usual yum command inside a telnet session:

yum install perl-LDAP

Next go in Webmin.
Enter the information related to your own domain.

Service account must not have any space in it !! Create carefully.

At this point the integration is still partial even if it’s possible to create and delete users with some success but
there are still some steps to make or you may face errors like this one below.

Failed to save user : Failed to modify user : 000020B1: UpdErr: DSID-030F1080, problem 6004
(CANT_ON_RDN), data 0

This is cause by the fact that Microsoft do not allow changing the CN simply because the DN is related to it and
this can be done in the context of the ADUC. So renaming a user will never work from Webmin interface but at
least we can make it work for all other changes by removing the update of the CN field.

I made 2 procedures, a quick one and a configurable one that will add a selectable option in the LDAP
configuration page.

CN fix Simple method

This is the quick fix to make webmin MSAD compatible, for a more complete modification see the next section.

To fix that edit the lines 588 and 1076 of /usr/libexec/webmin/acl/acl-lib.pl

*Remember that the lines numbers may change a little depending of the version of Webmin you have, so try to
recognize the other lines around them from my screenshots.
*You may have to do it each time you will update webmin software on the servers if those files are overwritten
this document has been written while we had 1.720 version.
CN fix – Configurable method.
This method have some more steps to add the option to enable or disable the Microsoft active directory mode
and add a link to download the LDIF file.

Edit the file /usr/libexec/webmin/acl/save_sql.cgi

Insert the following line around line 104 to have our new settings to be saved in the configuration file.

*Remember that the lines numbers may change a little depending of the version of Webmin you have, so try to
recognize the other lines around them from my screenshots.

$miniserv{'ldapmsad'} = $in{'msad'};

Edit the file /usr/libexec/webmin/acl/edit_sql.cgi

Insert the next section between 2 push blocks around line 81

push(@ldapgrid,
"MS Active Directory",
&ui_yesno_radio("msad", $miniserv{'ldapmsad'}));
All this will add the following in the configuration page

Now we need to use that as a condition in other scripts.

We need to edit near the lines 529, 588,1026 and 1076 of /usr/libexec/webmin/acl/acl-lib.pl

Begin with the sub modify_user

Insert the next line as shown

my $msad = $miniserv{'ldapmsad'};

Next make the following modifications

Change this section to

my @attrs = ( "webminPass", $user->{'pass'} );

if ($msad ne "1") {
push(@attrs, "cn", $user->{'name'});
}

Repeat for the modify_group sub-routine which is a similar modification.

my $msad = $miniserv{'ldapmsad'};

my @attrs = ( "webminDesc", $group->{'desc'} );

if ($msad ne "1") {
push(@attrs, "cn", $group->{'name'});
 }

LDIF files link in webmin

The last thing we can make the LDIF file available from Webmin for an easy access if we need to extend other
AD.

Upload the ldif files in the folder /usr/libexec/webmin/acl

You may use Webmin(Others-Upload and download) to upload the file.

Edit /usr/libexec/webmin/acl/schema.cgi

Go on line 17

Change to
print &text('schema_download', 'webmin.schema')," <a href=/acl/ADWebmin.ldif>MS
Active Directory</a>","<p>\n";

This will add a link in the schema download page just beside the original one.

Known limitations

As mentioned earlier some operation can’t be done like renaming a user/group, this is cause by the fact that
Microsoft do not allow changing the CN simply because the DN is related to it and this can be done in the
context of the ADUC.

You may see the Webmin objects in ADUC but to fully see everything like ACL you will need to use ADSIEdit.