



Webmin using AD to store users and groups

Overview

Webmin is a wonderful interface for managing Linux servers. Webmin can use an LDAP server to store users and groups, so that information can be shared among different Linux servers and a single credential can be used to manage several servers with exactly the same permissions. Out of the box, Webmin does not support MS Active Directory; it needs some adjustments to make it work, and this document describes exactly that.

Keep in mind that Webmin's users and groups are Webmin-specific objects and have nothing to do with native users and groups in AD. You may see AD as a shared storage location for Webmin.

This document takes for granted that you are already familiar with Webmin, Linux and MS AD. It was written using version 1.720 of Webmin, but it has also been tested up to version 1.730.

AD Preparation

First we need to create an OU that will be restricted and will contain Webmin-related information such as users, groups and so on. In my example I have an OU called Global, under which I created a sub-OU called Webmin.

    Yourdomain.Local/Global/WebminAccounts

Next we need an AD account that Webmin will use to access AD. In my example I created

    Yourdomain\_svc_LDAP_WebminAuth

and gave it FULL permission on the OU Yourdomain.Local/Global/WebminAccounts. That service account does not need to be created in the OU created above, as it is not specifically a Webmin object but a real AD account.

Schema extension using the LDIF file

Once that is done, we need to create the required schema, as Webmin uses custom objects. We can't use the webmin.schema file provided in the Webmin interface because it was intended for OpenLDAP; even with a converter to LDIF, it doesn't work properly. So I made my own LDIF file. The OIDs and names were kept because they are properly registered, so there will be no conflict with what we currently have in Active Directory.

Be very aware that this is an irreversible process, like every schema extension, so I decline any responsibility for problems you may have using this procedure.

Log on to the domain controller that is the schema master and make sure you are a schema admin. Have the file ADWebmin.ldif ready (see the attachment in this post). The LDIF file is domain independent, so the -c argument is required; be sure to replace the highlighted string with your real domain name. The log folder is also important, as it keeps a trace of what happens.

    ldifde -i -k -f ADWebmin.ldif -c DC=x DC=YourDomain,DC=local -j C:\tmp

If we take a look at the log, we can see what happened. Then reload the schema to be sure that the changes are reflected in the console. You should see 3 new classes and 5 attributes listed.

Permissions on the new classes

If the account used in Webmin (Yourdomain\_svc_LDAP_WebminAuth) to create Webmin accounts in AD is not a domain admin, you will need to add some permissions on the 3 new classes. Using the schema administration console, go to the permissions of all 3 new classes (webminuser, webmingroup and webminacl) and add our service account with full rights.

Configure Webmin to use LDAP

You need the Perl-LDAP libraries, so install them if they are not installed yet. In my case I'm using CentOS, and I added them with the usual yum command inside a telnet session:

    yum install perl-ldap

Next, go into Webmin.

Enter the information related to your own domain. The service account must not have any spaces in it! Create it carefully.

At this point the integration is still partial. It is possible to create and delete users with some success, but there are still some steps to complete, or you may face errors like the one below.

    Failed to save user : Failed to modify user : 000020B1: UpdErr: DSID-030F1080, problem 6004 (CANT_ON_RDN), data 0

This is caused by the fact that Microsoft does not allow changing the CN, simply because the DN is related to it, and this can be done in the context of ADUC. So renaming a user will never work from the Webmin interface, but at least we can make all other changes work by removing the update of the CN field. I made 2 procedures: a quick one, and a configurable one that adds a selectable option to the LDAP configuration page.

CN fix: Simple method

This is the quick fix to make Webmin MS AD compatible; for a more complete modification, see the next section. To apply it, edit lines 588 and 1076 of /usr/libexec/webmin/acl/acl-lib.pl

* Remember that the line numbers may change a little depending on the version of Webmin you have, so try to recognize the surrounding lines from my screenshots.

* You may have to do this each time you update the Webmin software on the servers if those files are overwritten. This document was written while we had version 1.720.

CN fix: Configurable method

This method has a few more steps: it adds an option to enable or disable the Microsoft Active Directory mode, and adds a link to download the LDIF file.

Edit the file /usr/libexec/webmin/acl/save_sql.cgi and insert the following line around line 104 so that our new setting is saved in the configuration file.

* Remember that the line numbers may change a little depending on the version of Webmin you have, so try to recognize the surrounding lines from my screenshots.

    $miniserv{'ldapmsad'} = $in{'msad'};

Edit the file /usr/libexec/webmin/acl/edit_sql.cgi and insert the next section between the 2 push blocks around line 81:

    push(@ldapgrid, "MS Active Directory",
         &ui_yesno_radio("msad", $miniserv{'ldapmsad'}));

All this will add the following to the configuration page.

Now we need to use that setting as a condition in other scripts. We need to edit near lines 529, 588, 1026 and 1076 of /usr/libexec/webmin/acl/acl-lib.pl

Begin with the sub modify_user. Insert the next line as shown:

    my $msad = $miniserv{'ldapmsad'};

Next, make the following modifications.

Change this section to

    my @attrs = ( "webminpass", $user->{'pass'} );
    if ($msad ne "1") {
        # Only send cn when MS AD mode is off; AD rejects it with CANT_ON_RDN
        push(@attrs, "cn", $user->{'name'});
    }

Repeat for the modify_group subroutine, which needs a similar modification.

    my $msad = $miniserv{'ldapmsad'};
    my @attrs = ( "webmindesc", $group->{'desc'} );
    if ($msad ne "1") {
        push(@attrs, "cn", $group->{'name'});
    }

LDIF file link in Webmin

As a last step, we can make the LDIF file available from Webmin for easy access if we need to extend another AD. Upload the LDIF file to the folder /usr/libexec/webmin/acl; you may use Webmin (Others - Upload and Download) to upload it.

Edit /usr/libexec/webmin/acl/schema.cgi, go to line 17, and change it to

    print &text('schema_download', 'webmin.schema')," <a href=/acl/adwebmin.ldif>ms Active Directory</a>","<p>\n";

This will add a link in the schema download page, just beside the original one.

Known limitations

As mentioned earlier, some operations can't be done, such as renaming a user or group. This is caused by the fact that Microsoft does not allow changing the CN, simply because the DN is related to it, and this can be done in the context of ADUC. You can see the Webmin objects in ADUC, but to fully see everything, such as ACLs, you will need to use ADSIEdit.
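The reminder above that these edits may be overwritten by a Webmin update can be turned into a check. The script below is an added example, not part of the original document or of Webmin: it reports whether modify_user and modify_group in acl-lib.pl still read the ldapmsad setting from the configurable fix. The embedded sample is constructed, and the check assumes each sub begins with "sub name" at the start of a line.

```shell
#!/bin/sh
# Added example (not Webmin code): after an update, confirm acl-lib.pl still
# carries the MS AD guard from the configurable CN fix.

# Print each of modify_user / modify_group that is absent or never reads
# ldapmsad outside a comment. Reads the named file, or stdin if none given.
missing_msad_guard() {
    awk '
        function commit() { if (tracked && guarded) ok[name] = 1 }
        /^[ \t]*#/ { next }                  # commented-out code is no guard
        /^sub[ \t]+/ {                       # a new sub begins
            commit()
            name = $2; sub(/[^A-Za-z0-9_].*/, "", name)
            tracked = (name == "modify_user" || name == "modify_group")
            guarded = 0
            next
        }
        tracked && /ldapmsad/ { guarded = 1 }
        END {
            commit()
            if (!ok["modify_user"])  print "modify_user"
            if (!ok["modify_group"]) print "modify_group"
        }
    ' "$@"
}

# Exit status 0 = both subs patched, 1 = guard missing, 2 = file unreadable.
check_msad_patch() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    missing=$(missing_msad_guard "$1")
    [ -z "$missing" ] && return 0
    echo "MS AD guard missing in:" $missing >&2
    return 1
}

# Constructed sample: patched modify_user, modify_group with the guard lost.
sample_acl_lib() {
    cat <<'EOF'
sub modify_user
{
my $msad = $miniserv{'ldapmsad'};
my @attrs = ( "webminpass", $user->{'pass'} );
if ($msad ne "1") { push(@attrs, "cn", $user->{'name'}); }
}
sub modify_group
{
# my $msad = $miniserv{'ldapmsad'};
my @attrs = ( "webmindesc", $group->{'desc'}, "cn", $group->{'name'} );
}
EOF
}
```

Run check_msad_patch /usr/libexec/webmin/acl/acl-lib.pl after each Webmin update; a non-zero exit status means the edits need to be reapplied.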