Account Administration for K-12 School Systems

Taking care of computers in schools can present special problems; this program solves them.
Installation Instructions

Packages are provided for installing on Debian and Red Hat systems. There is also a tar archive file for installing on other systems.

There are two packages: k12admin-server and k12admin-client. The k12admin-server package should be installed only on the computer that will be the main account administration computer for your district. The k12admin-client package should be installed on every machine that will be updated from the k12admin-server machine.

Installing k12admin-server

The k12admin-server package contains the files necessary to use a machine as the central account administration server. Typically, you will want k12admin-server installed on only one machine in your district. It is possible to install the k12admin-client package on the same machine as the k12admin-server package, although for security reasons this may not be desirable. It would be better if the accounts on the server computer were administered manually, so that students and staff members do not have accounts on the server and are less likely to try mucking around there.

Install the k12admin-server package by running

dpkg -i k12admin-server*deb


rpm -i k12admin-server*rpm
(use -U in place of -i if this is an upgrade) in the directory where you have stored the package. If this is a first install, you will be told to run k12admin-server.setup as root to create the MySQL database. This file was placed in the /usr/bin/ directory when the package was installed, so it should be in your path.

If you are installing the package from a tar file, unpack the archive, go (cd) to the k12admin-server* directory and run make install to install the package.

In order to create the MySQL database, you will need to enter the root password of your MySQL server. Note that the MySQL root password is not the same as your normal root password. You should have been prompted to enter a password for your MySQL server when that package was installed. The script will allow you to keep trying passwords until it succeeds. Just press ENTER if your MySQL root password is blank. If this is the case, the k12admin-server package will prompt you for a new password, as it is a grave security risk to have a blank MySQL password.

The second password asked for by the k12admin-server.setup is one for the k12 MySQL user. This user is used by the scripts to connect to the MySQL database. You do not need to memorize this password, as it is stored in the /etc/k12admin.MySQL.pass file which is readable by the k12admin and www-data users only. You can change this password at any time by rerunning the k12admin-server.setup program.

Now you must configure Apache so it knows where the k12admin files are located. Once Apache is configured and reloaded, you should be able to access the account administration system at http://yourservermachine/k12admin/ from any web browser. Log in as user demoteacher with demopass as the password.

Apache Configuration

I strongly recommend using apache-ssl ( in order to encrypt packets between your web browser and the k12admin-server. This is especially true if there is potential for someone to be sniffing packets that are being transmitted. The basic authentication that is part of the HTTP standard is not encrypted, and your password can be grabbed easily off every outgoing web request if you are not using a secure server.

You must edit the Apache configuration files to enable the account-administration system. Add the following lines to the bottom of Apache's access.conf file:

Alias /k12admin/ /var/k12admin/web/
     ScriptAlias /k12admin-cgi/ /var/k12admin/webscripts/
     <Directory /var/k12admin/>
     AllowOverride AuthConfig

You might also have to change the user and group of the Apache web server process. It may be set to “nobody” by default. The web server process must have access to the database containing sensitive account information. The password for accessing the database is stored in /etc/k12admin.MySQL.pass and is readable by only the www-data user and the k12admin group. It is, therefore, necessary to have the Apache process running as www-data. This account was created when k12admin-server was installed, if it didn't already exist.

To set the user and group of the Apache process, change the following lines in Apache's httpd.conf file:

User www-data
Group www-data

Reload Apache after making these changes. On Debian systems, reload Apache by running

/etc/init.d/apache reload
/etc/init.d/apache-ssl reload
On Red Hat, run
/etc/rc.d/init.d/httpd reload