YASLI Documentation


BASICS

YASLI is completely written in Perl and contains no static HTML code. It should
run on any (UNIX) platform which Perl supports. Currently tested and supported is
the combination described in the Installation section below (Perl v5.8.0 on
RedHat 8.0, OpenLDAP v2.0.27, Apache v2.0.47 with mod_perl v2.0).
The scripts are divided into two "logical" groups, 'Admin' and 'End-User', which
are meant to be installed in two different locations (see 'Place the scripts').
The following table gives you an overview of the available scripts, their group,
and what they are intended for:

simple_ldap_add.pl      [Admin]
    Provides a form for adding LDAP user data. Inserts the new user into the
    LDAP server after some checks.

simple_ldap_base.pl     [no group, library]
    Contains global variables and functions for all scripts. Gets 'required'
    by the other Perl scripts and needs to be customized.

simple_ldap_chgpwd.pl   [End-User]
    Provides a form for end-users to change their own password after
    authenticating against the LDAP with their current password.

simple_ldap_delete.pl   [Admin]
    Asks the admin whether he really wants to delete a user from the LDAP,
    after he has selected the user in the simple_ldap_query2.pl script.

simple_ldap_modify.pl   [Admin]
    Provides a form for modifying the current user attributes.

simple_ldap_physdel.pl  [Admin]
    Physically deletes the selected user from the LDAP, after the admin has
    confirmed the simple_ldap_delete.pl script output.

simple_ldap_physmod.pl  [Admin]
    Physically modifies the user attributes in the LDAP which were changed in
    the form provided by simple_ldap_modify.pl.

simple_ldap_query2.pl   [Admin]
    The actual YASLI start page. Presents a form where the admin can enter a
    User-ID to search the LDAP for. The resulting list contains action buttons
    for every hit.


Installation

This section describes in detail what must be done and what prerequisites must be
in place to get YASLI up and running.

Perl Prerequisites

All the YASLI scripts are currently developed and tested under UNIX Perl, so at
this point in time I can make no statement about whether YASLI runs in a Windows
environment. You simply have to try it out.

YASLI needs to have the following Perl modules installed:
Further details about getting and installing Perl modules can be found here:

http://www.perldoc.com/perl5.6/pod/perlmodinstall.html

I'm developing and running YASLI under a RedHat 8.0 installation with Perl v5.8.0.

LDAP Prerequisites

YASLI is currently tested with OpenLDAP v2.0.27, but that is not mandatory. More
important is the structure of the directory tree. YASLI expects the following:

    dc=organization,dc=tld
     |
     |-- ou=People
     |    |
     |    |- uid=<uid>
     |        |
     |        |- cn=<common name>
     |        |- sn=<surname>
     |        |- givenName=<given name>
     |        |- uid=<user-id>
     |        |- mail=<email address>
     |        |- mobil=<mobil number>
     |        |- telephoneNumber=<telephone number>
     |        |- facsimileTelephoneNumber=<fax number>
     |        |- description=<user description>
     |   
     |-- ou=Groups
          |
          |- cn=<groupname>
              |
              |- description=<group description>
              |- uniqueMember=<uid=<uid>>

You can choose and configure 'organization' and 'tld' in the Root DN; the rest
is fixed. So currently either your LDAP fits that scheme or you must modify
the YASLI sources (shouldn't be too hard for a skilled Perl programmer).
In future releases I will make this more flexible and configurable.
Check the attribute names against your schema before going live: the standard
cosine/inetOrgPerson schema spells the mobile number attribute 'mobile', not
'mobil', and uniqueMember in a groupOfUniqueNames entry holds the member's full
DN (uid=<uid>,ou=People,dc=organization,dc=tld), not just 'uid=<uid>'.

If you're about to build a completely new LDAP, maybe you should choose the
above scheme for your Root DN and for users and groups, because it is very common
out there and it is extensible (e.g. ou=Machines, ...). Here is a very basic example
of an OpenLDAP config, together with an LDIF for the initial structure of your
new LDAP tree. After that you are able to insert your first users directly with
YASLI.
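As an added example (not shipped with YASLI), here is an LDIF for the initial
tree in the shape described above. The Root DN parts 'acme'/'com', the
organisation name, the sample user 'jdoe' and the group 'staff' are assumptions;
replace them with your own values. The sample user uses the standard
inetOrgPerson attribute names (so 'mobile' rather than 'mobil'), and the group
entry shows uniqueMember holding the member's full DN.

```ldif
# Added example: initial structure for a new YASLI directory (values assumed).

# Root DN; must match 'suffix' in slapd.conf
dn: dc=acme,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: acme
o: Acme Corp

# The branch $LDAP_BASE in simple_ldap_base.pl has to point to
dn: ou=People,dc=acme,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=acme,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups

# A first user in the shape YASLI expects (assumed data; you can add users
# through simple_ldap_add.pl instead). No userPassword here on purpose: set
# it afterwards with ldappasswd or YASLI so that slapd stores a hash.
dn: uid=jdoe,ou=People,dc=acme,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
givenName: John
uid: jdoe
mail: jdoe@acme.com
mobile: +1 555 0100
telephoneNumber: +1 555 0101
facsimileTelephoneNumber: +1 555 0102
description: Example user

# A group; uniqueMember must be a full DN, not just uid=jdoe
dn: cn=staff,ou=Groups,dc=acme,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: staff
description: All staff
uniqueMember: uid=jdoe,ou=People,dc=acme,dc=com
```

Load it with 'ldapadd -x -D "cn=root,dc=acme,dc=com" -W -f init.ldif' against
a slapd.conf that includes core.schema, cosine.schema and inetorgperson.schema
and has 'suffix "dc=acme,dc=com"' with a matching 'rootdn'. Then set the user's
password with 'ldappasswd -x -D "cn=root,dc=acme,dc=com" -W -S
"uid=jdoe,ou=People,dc=acme,dc=com"'. For the end-user password change to work
under the user's own bind, also put an ACL such as
'access to attrs=userPassword by self write by anonymous auth by * none'
before the catch-all 'access to * by * read'.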

Apache Prerequisites

I recommend using the Apache webserver and, if you are doing a lot of administration,
mod_perl. YASLI is tested with Apache v2.0.47 together with mod_perl v2.0.

Tip: If you're running RedHat 8.0, consider compiling Apache and mod_perl yourself.
     Do not use the RPM that comes with RH 8.0, it never worked for me.

Follow the instructions under

http://perl.apache.org/docs/2.0/user/install/install.html

for the basic installation and configuration of your webserver. It is also a good
idea to compile LDAP support into Apache,

./configure --enable-ldap --enable-auth-ldap ...

wait, and read on.

Two security caveats for the configuration below: Basic authentication sends the
admin's password base64-encoded (not encrypted) with every request, and an
'ldap://' AuthLDAPURL makes Apache bind to the directory in cleartext as well.
Serve at least the admin area over HTTPS only and use 'ldaps://' (or a directory
on the same host) in AuthLDAPURL. The IP restriction ('Allow from') is a useful
second layer, but no substitute for authentication, since a source address can
be shared behind a NAT or proxy.

The following is an Apache example configuration that worked out for me:

8< +++

# The mod_perl stuff
LoadModule perl_module modules/mod_perl.so
PerlModule Apache2
PerlSwitches -T
PerlRequire /var/www/etc/startup.pl

# The public 'end-user' area
Alias /yasli/ /var/www/yasli/
<Location /yasli/>
    SetHandler perl-script
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
</Location>

# The 'admin' area
Alias /yasli_admin/ /var/www/yasli_admin/
<Location /yasli_admin/>
    SetHandler perl-script

    # Allow access only from the following IPs
    Order deny,allow
    Deny from all
    Allow from 10.20.30.4 10.20.30.5

    # Access to the scripts in that area only after
    # authentication against our LDAP
    AuthType Basic
    AuthName "YASLI Admin"
    AuthLDAPEnabled on

    # Insert your LDAP's FQDN and Root DN here
    AuthLDAPURL ldap://openldap.mydomain.com/dc=myorg,dc=mytld?uid?sub?(objectClass=*)
    AuthLDAPAuthoritative on

    # Insert the UIDs of the admins here, which should be able to
    # access the scripts in that area
    require user admin1 admin2

    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
</Location>

+++ >8


Place the scripts

After you have met all the above prerequisites you can install (actually copy) the
YASLI scripts to a location where your webserver can execute them. You should place
them in two different locations: the 'admin' scripts in a place where only admins
can use them and the 'end-user' script in a location that is publicly accessible.
Follow the table in the 'BASICS' section above for which script goes where.

'simple_ldap_base.pl' should be stored in a safe place outside the executable or
web-accessible area, because that file contains sensitive data, as you will see
below. Make it readable only by the user the webserver runs as (e.g. mode 0600),
and add its directory to Perl's @INC in your 'startup.pl' (e.g. with 'use lib').

After that you have to modify the following entries in
'simple_ldap_base.pl':

$LDAP_HOST = 'stargazer2';
    Insert here the hostname or complete FQDN of the machine
    hosting your LDAP.

$LDAP_LOGIN = 'cn=root,dc=acme,dc=com';
    This is the DN of your directory manager account or any
    other account with sufficient privileges. Prefer a dedicated
    account over the rootdn: the admin scripts only need write
    access below $LDAP_BASE, and a slapd ACL can limit the account
    to exactly that.

$LDAP_BASE = 'ou=People,dc=acme,dc=com';
    Insert here the branch which directly contains all your
    defined users. This may change in future versions, especially
    when support for LDAP groups is added.

$LDAP_PASSWD = 'secret';
    This is very bad and I am really unhappy with this. Here you
    need to enter your directory manager's password in cleartext.
    If you have any better idea, please let me know. I will change
    it immediately ...
    Until then, keep the exposure small: store the file outside the
    web tree with restrictive permissions (see above) and use the
    limited account suggested for $LDAP_LOGIN. A password change
    that binds with the user's own credentials does not need this
    password at all.

$YASLI_PATH = '/perl';
    Directory prefix (Alias) which appears in the URL in front
    of the YASLI script names. Note that the Apache example above
    serves the two groups under different prefixes ('/yasli/' and
    '/yasli_admin/'); the value here must match the prefix under
    which the scripts that 'require' this file are reached.


USAGE

Point your administrators to the following start URL:

       http://FQDN/yasli_admin/simple_ldap_query2.pl

Everything starts with the search page. There you can see whether a user with a
given User-ID exists. If yes, you can decide to modify his/her attributes or
delete him/her completely. If the user doesn't exist, you can add him/her to
the LDAP.

Point your end-users to the following URL:

       http://FQDN/yasli/simple_ldap_chgpwd.pl

They first need to authenticate themselves to the LDAP with their current
password. If that succeeds, they get the chance to change their password.
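The two directory operations described in this USAGE section, the admin's search
by User-ID and the end-user's password change, as an added Perl/Net::LDAP example.
This is not YASLI code: the host, base DN, CA file path and the uid/password
values in the driver are assumptions, and the TLS upgrade and the Password Modify
extended operation are choices of this example, not something this page says
YASLI does. The untaint regex in clean_uid is what the 'PerlSwitches -T' in the
Apache configuration above demands before form input may reach a filter or DN,
and escape_filter_value is what keeps a crafted User-ID from becoming an LDAP
filter injection.

```perl
#!/usr/bin/perl -T
# Added example, not part of YASLI: the admin's search by User-ID and the
# end-user's password change, written with Net::LDAP. Host, base DN, CA file
# path and the values in the driver at the bottom are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value escape_dn_value);
use Net::LDAP::Extension::SetPassword;

my $LDAP_HOST = 'openldap.mydomain.com';        # assumed, as in the Apache example
my $LDAP_BASE = 'ou=People,dc=myorg,dc=mytld';   # assumed, same shape as $LDAP_BASE
my $CA_FILE   = '/etc/openldap/cacert.pem';     # assumed path of the CA certificate

# Accept only a uid of the shape the tree uses. Under -T the capture also
# untaints the value before it reaches a filter or a DN.
sub clean_uid {
    my ($raw) = @_;
    return defined $raw && $raw =~ /\A([a-z0-9._-]{1,32})\z/i ? $1 : undef;
}

# Connect and upgrade to TLS before any bind, so neither the admin's nor the
# end-user's password crosses the network in the clear.
sub connect_ldap {
    my $ldap = Net::LDAP->new($LDAP_HOST, version => 3)
        or die "cannot connect to $LDAP_HOST: $@";
    my $tls = $ldap->start_tls(verify => 'require', cafile => $CA_FILE);
    die 'start_tls failed: ' . $tls->error if $tls->code;
    return $ldap;
}

# What the admin start page does with the entered User-ID: search the People
# branch for it. The value is escaped, so input such as "*" or
# "x)(uid=admin1" is matched literally instead of widening the filter.
sub find_user_dn {
    my ($ldap, $uid) = @_;
    my $mesg = $ldap->search(
        base   => $LDAP_BASE,
        scope  => 'one',
        filter => '(uid=' . escape_filter_value($uid) . ')',
        attrs  => ['1.1'],    # DN only, no attribute values
    );
    die 'search failed: ' . $mesg->error if $mesg->code;
    return undef                    if $mesg->count == 0;
    die "uid '$uid' is not unique"  if $mesg->count > 1;
    return $mesg->entry(0)->dn;
}

# What the end-user page does: bind as the user with the current password,
# then change it with the Password Modify extended operation (RFC 3062), so
# the server, not the script, chooses the hash. Because it runs under the
# user's own bind, write access on userPassword "by self" is all the
# privilege it needs. Returns (1, message) on success, (0, message)
# otherwise; "no such user" and "wrong password" give the same message so
# the public form does not reveal which uids exist.
sub change_password {
    my ($uid, $old, $new) = @_;
    my $clean = clean_uid($uid) or return (0, 'invalid user id');
    return (0, 'new password too short') if length($new) < 8;

    my $ldap = connect_ldap();
    # The tree is fixed (uid=<uid> directly below ou=People), so the DN can
    # be built instead of searched for; escape_dn_value guards the DN syntax.
    my $dn = 'uid=' . escape_dn_value($clean) . ',' . $LDAP_BASE;

    my $bind = $ldap->bind($dn, password => $old);
    if ($bind->code) {
        $ldap->unbind;
        return (0, 'authentication failed');
    }
    my $mesg = $ldap->set_password(user => $dn, oldpasswd => $old, newpasswd => $new);
    $ldap->unbind;
    return $mesg->code ? (0, 'password change failed: ' . $mesg->error)
                       : (1, 'password changed');
}

# Command-line driver with assumed values; in the CGI the three values come
# from the form fields instead.
unless (caller) {
    my ($ok, $msg) = change_password('jdoe', 'old-secret', 'new-longer-secret');
    print "$msg\n";
    exit($ok ? 0 : 1);
}
```

Run it directly to try the driver, or call change_password from a CGI with the
three form fields. find_user_dn is the part the admin start page needs; run it
on a connection bound as $LDAP_LOGIN. The same escaping applies to any other
admin input that ends up in a filter or DN.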