Friday, 29 April 2011

Creating a PDC with Ubuntu Server 10.04

This procedure is copied word for word from Bulletxt's post at http://ubuntuforums.org/showthread.php?t=1499753.
The procedure basically works. I only ran into a few minor errors, for which I propose some adjustments (you will find them in red in the text).
I am posting it here just so that I don't lose it.
----------------------------------------------------------------------------------------------

Hi everyone, after digging over the net and after spending a lot of time trying to understand how things work, I'm proud to present a very quick and super easy tutorial to create a Samba Primary Domain Controller with LDAP integration inside Ubuntu 10.04, both 32bit and 64bit.
In less than 30 minutes you'll have:
- A fully working PDC for Windows Clients
- Roaming profiles NOT enabled (this is what most of you want)
- Be able to have shared folders automatically mounted when a user logs into the domain
- Tested and fully working with (all flavours): Windows XP, Windows Vista and even Windows 7!
If you do everything exactly like I wrote I guarantee it will work. One single error can compromise everything and you'll have to restart from the beginning! You have been warned!
General Information before reading:
- In this guide each step will have a number, so if you ever have to ask me a question be sure you point to the exact number; I will ignore any posts that do not state the number explicitly.
- Commands you must type start with a "->".
- The guide presumes you know how to use Nano text editor (or any other text editor from shell like Vim).
- In this guide my default password is always "pwd123".
Let's Start.
1)
Install Ubuntu Server 10.04 32Bit or 64Bit
Once Ubuntu 10.04 is up, log with root user:
-> sudo su
From now on I assume you are always root user.
2)
Set a static IP,
in this example the NIC card is eth0 and the network is part of 192.168.1.x class.
-> nano /etc/network/interfaces
Quote:
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.1.10
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.1
3)
-> /etc/init.d/networking restart
-> ifconfig
The output should show you the static IP, try pinging a local IP or an internet IP to be sure you are on the net, ex:
-> ping www.google.it
or try pinging your gateway set before:
-> ping 192.168.1.1
If you are unsure, reboot your machine to see if "ifconfig" command still shows you the same IP and to be sure you're still part of the network by pinging as said before.
ONCE YOU FINISHED WITH THIS GUIDE, IF YOU EVER CHANGE YOUR IP BE SURE TO READ SECTION: "TIPS AND TRICKS", FOUND AT THE END OF THIS GUIDE OR YOUR PDC WILL STOP WORKING.
4)
-> apt-get update
-> apt-get dist-upgrade
-> reboot
-> sudo su
5)
-> apt-get install slapd ldap-utils
-> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
-> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
-> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
6)
EDITING THE FILE backend.example.com.ldif
Your next step will be to modify this file, the only thing you should care of changing is the password, which is set at line "olcRootPW:". By default password is "pwd123".
It is worth noting that a blank line must be inserted in the file after the fifth line, otherwise the procedure does not work.
-> nano backend.example.com.ldif
Quote:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=pdc
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=pdc
olcRootPW: pwd123
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=pdc" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=pdc" write by * read
7)
From now on, if ldap commands similar to this ask for a password, put password set above in step 6, by default in this guide as said "pwd123".
-> ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif
8)
-> apt-get install samba samba-doc libpam-smbpass smbclient smbldap-tools
9)
Now I'll make you download my samba configuration file.
-> wget http://digilander.libero.it/bulletxt...10.04/smb.conf
After downloading it, you'll have to change ONLY two values: "workgroup = " and "netbios = ".
Workgroup is the name of the Domain. This is the name that you'll have to enter in a Windows client to make it join the domain. Netbios is instead the name used to browse shared folders, for example in Windows you'll put "\\$netbiosname\$shared_folder".
DO NOT PUT WORKGROUP NAME IDENTICAL TO NETBIOS NAME.
IMPORTANT: carefully decide the NETBIOS name, once you change it YOU CAN'T CHANGE IT AGAIN OTHERWISE IT WILL BREAK EVERYTHING! YOU'VE BEEN WARNED.
Type the following and change the two values.
-> nano smb.conf
Once you changed the two values type:
-> cp -rf smb.conf /etc/samba/smb.conf
10)
In the next command it will prompt you to put a password, this must be the same as set before in step 6, by default in this guide "pwd123"
-> smbpasswd -W
11)
-> service smbd restart
12)
Now you must check that samba is running, it will ask you for a password, just hit Enter.
-> smbclient -L localhost
It should not give you any errors, instead it must show some stuff and you should see your Workgroup Name set in step 9
13)
-> mkdir -v /var/lib/samba/profiles
-> chmod 777 /var/lib/samba/profiles
-> mkdir -v -p /var/lib/samba/netlogon
-> chmod 777 /var/lib/samba/netlogon
The original procedure had a typo in the following command, corrected here.
-> cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
-> gzip -d /etc/ldap/schema/samba.schema.gz
14)
-> > schema_convert.conf
-> nano schema_convert.conf
Quote:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
15)
-> mkdir /tmp/ldif_output
-> slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif
16)
Now you'll have to edit a file, open the file with the following command and read below to understand what must be edited.
-> nano /tmp/cn\=samba.ldif
At the very top you'll see:
Quote:
dn: cn={12}samba,cn=schema,cn=config
Change it to:
Quote:
dn: cn=samba,cn=schema,cn=config
Always at the top you'll see:
Quote:
cn: {12}samba
Change it to:
Quote:
cn: samba
At the end of the file you'll see:
Quote:
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
Delete all those lines, save and close.
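The hand edits of step 16 can be scripted. The following is an added example, not part of the original tutorial: the function names are hypothetical and the sample entry is constructed (its trailing operational attributes are the ones shown above).

```shell
#!/bin/sh
# Added example: automate the manual edits of step 16 on slapcat output.

# clean_schema_ldif: read an LDIF on stdin, write the cleaned LDIF to stdout.
#  - strips the {N} ordering prefix from the "dn:" and "cn:" lines only
#  - drops the operational attributes that slapcat appends, including any
#    folded continuation lines (LDIF continuation lines start with a space)
clean_schema_ldif() {
    awk '
    /^ / { if (!drop) print; next }      # continuation of the previous attribute
    { drop = 0 }
    /^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):/ { drop = 1; next }
    /^dn: cn=[{][0-9]+[}]/ { sub(/cn=[{][0-9]+[}]/, "cn=") }
    /^cn: [{][0-9]+[}]/    { sub(/[{][0-9]+[}]/, "") }
    { print }
    '
}

# sample_ldif: constructed, shortened stand-in for /tmp/cn=samba.ldif.
sample_ldif() {
    cat <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC
 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.
 115.121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
EOF
}

# With a file argument, clean that file; otherwise show the cleaned sample.
if [ -n "${1:-}" ]; then
    clean_schema_ldif < "$1"
else
    sample_ldif | clean_schema_ldif
fi
```

The {N} prefixes inside the olcAttributeTypes and olcObjectClasses values are left alone; only the entry's own dn and cn are rewritten.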
17)
Be sure the following command does not give errors:
-> ldapadd -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f /tmp/cn\=samba.ldif
18)
-> > samba_indexes.ldif
-> nano samba_indexes.ldif
Quote:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
19)
Be sure the following does not give any errors.
-> ldapmodify -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f samba_indexes.ldif
20)
Now thanks to the following command, you'll finally understand if everything till now went fine. If everything goes fine, it will output a lot of stuff, including at the end strings similar to the ones found in step 18
-> ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb
21)
Now that ldap is working perfectly, we must also be sure Samba is working too.
The following command MUST not give errors, and it must output something similar to this:
Quote:
SID for domain DOMAIN is: S-1-5-21-908678672-1104131578-2020688504
So this is the command to type:
-> net getlocalsid
At this point I sometimes got the error "Can't fetch domain SID for name".
The same problem was reported in the comments on Bulletxt's original article. Retrying the procedure with a different WORKGROUP and NETBIOSNAME fixed things.

22)
-> gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
23)
Next command is crucial to make Samba and Ldap work together. When prompted,
press always Enter without inserting anything. There are only two cases where you must type something.
When it asks for "Logon Home" and "Logon Path", put a "." character.
At a certain point, it will ask you for a password two times, once for ldap bind master and then for ldap bind slave. In both cases, you must put the exact same password you put in step 6, by default in this guide "pwd123".
So now you know what to do, this is the command:
-> perl /usr/share/doc/smbldap-tools/configure.pl
24)
Following command should create some groups, at the end it will ask for a password. As always put password provided in step 6, default of this guide is "pwd123".
-> smbldap-populate
25)
-> /etc/init.d/slapd stop
-> slapindex
-> chown openldap:openldap /var/lib/ldap/*
-> /etc/init.d/slapd start
26)
If everything till now is really working, the next command will make user "root" be a Domain Administrator.
In section "Tips and Tricks" you'll see how to make other users be a Domain admin.
THIS COMMAND MUST NOT GIVE ERRORS, otherwise it means LDAP is not working with Samba.
-> smbldap-groupmod -m 'root' 'Administrators'
27)
In the next command, it will ask you for some stuff. Do not make errors here!
When it asks for questions that want a Yes/No reply, just press Enter leaving default.
When it asks for LDAP server Uniform Resource Identifier, leave it as it is "ldapi:///"
When it asks for Distinguished name of the search base, put "dc=pdc"
When it asks for LDAP account for root, put "cn=admin, dc=pdc"
When it asks for LDAP password, put the same set in step 6, default of this guide was "pwd123"
The command is:
-> apt-get --yes install ldap-auth-client
IMPORTANT: if you make a mistake, you can reconfigure the previous command typing:
-> dpkg-reconfigure ldap-auth-config
28)
-> auth-client-config -t nss -p lac_ldap
29)
The following command is used to enable Unix, Ldap and Samba authentication.
Be sure all of them are selected with "*" character and press Enter.
The command is:
-> pam-auth-update ldap
30)
The following command should output something similar to this:
Quote:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:root
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
The command is:
-> getent group
31)
-> reboot
32)
Good, we're done. After reboot, let's check that everything is working by creating a user.
-> sudo su
If the following command does not give errors, it means Samba and Ldap are both working together, and you should be happy! It will ask for a password, the password is the password you want for the user, in this case for user "user1":
-> smbldap-useradd -a -m -P user1
33)
If you reached this step without errors, it means you are ready to make your Windows Clients join the domain.
However for security reasons it's not a good idea to make your customer know the password of "root" account. At the moment, to make a Windows Client join the domain you'll have to put user "root" and its password, let's instead make another user which will be part of the Domain Administrators. We'll call the user "adminpdc".
-> smbldap-useradd -a -m -P adminpdc
-> smbldap-groupmod -m 'adminpdc' 'Administrators'
-> smbldap-groupmod -m 'adminpdc' 'Domain Admins'
-> sudo auth-client-config -t nss -p lac_ldap
Good, now we have user "adminpdc" that is a Domain Administrator but is in no way a possible security danger for your Linux machine, since it's not part of sudoers. In this way you'll never have to use account "root" to make a Windows client join the domain or to make changes to the Windows client OS.
Finally, make your Windows Client (xp,vista,7) join the domain! :
- In Windows XP, right click on Computer->Properties and click on Change as seen here: http://www.iaji.net/wp-content/uploa...uter_name3.png
- For Windows Vista and 7 instead, right click on Computer, on the left click on Advanced Settings and then click on "Change" under "Computer Name" Tab.
IMPORTANT ABOUT WINDOWS 7:
To make Windows 7 be part of the domain, read below section Tips and Tricks.
- As domain, put the workgroup name you set in step 9
- When it asks for username and password, put "adminpdc" and the password of this user, you set this on step 33. If everything goes well it will say you joined the domain and you must reboot.
That's all!
TIPS AND TRICKS:
Create/Delete/Manage Users:
To Add: smbldap-useradd -a -m -P user
To Delete: smbldap-userdel user
To ChangePassword: smbldap-passwd user
To add a Domain Administrator:
-> smbldap-groupmod -m 'user' 'Administrators'
-> smbldap-groupmod -m 'user' 'Domain Admins'
-> auth-client-config -t nss -p lac_ldap
If you ever change the static IP of the PDC:
-> service smbd stop
-> rm /var/cache/samba/browse.dat
-> rm /var/cache/samba/login_cache.tdb
-> rm /var/lib/samba/wins.dat
-> reboot
To make Windows 7 join the domain:
- Download this file and click on it: https://bugzilla.samba.org/attachmen...88&action=view
- Reboot Windows 7
- Make Windows 7 join the domain. It will say it joined the domain but then it will give you a DNS error. Ignore it and reboot Windows 7 again
- You should now be part of the domain
I confirm that this "trick" works with Windows 7 Professional.

To make your PDC automatically map net drives:
-> apt-get install flip
-> > /var/lib/samba/netlogon/allusers.bat
In this example you'll have a shared folder for all users, of course you can edit /etc/samba/smb.conf to create specific user shares.
-> mkdir -p /var/lib/samba/shared/
-> chmod -R 777 /var/lib/samba/shared/
-> nano /var/lib/samba/netlogon/allusers.bat
NOTE: change "PSAMBA" with the Netbios name set in step 9. Change drive "m:" to any letter you prefer.
Quote:
@echo off
net use m: /delete
net use m: "\\PSAMBA\shared"
-> flip -m /var/lib/samba/netlogon/allusers.bat

Instructions for running OpenLDAP in secure mode (SSL)
When you want to use a Samba and LDAP based PDC server to authenticate Windows XP machines through pGina, it is useful to run the LDAP server in secure mode (SSL) so that usernames and passwords do not travel over the network in clear text.
To achieve this you need to create a server certificate on the PDC and instruct OpenLDAP to use it.
The instructions are based on the official Ubuntu Server guide https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
My changes (in red) mainly concern the lifetime of the certificates, which by default is set to just one year. In this guide I will set it to 10 years.

TLS and SSL

When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL).
The first step in the process is to obtain or create a certificate. Because slapd is compiled using the gnutls library, the certtool utility will be used to create certificates.
  1. First, install gnutls-bin by entering the following in a terminal:
    sudo apt-get install gnutls-bin
    
  2. Next, create a private key for the Certificate Authority (CA):
    sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
    
  3. Create a /etc/ssl/ca.info details file to self-sign the CA certificate containing:
    cn = Nome della scuola o istituzione
    ca
    cert_signing_key
    expiration_days = 3650
    
  4. Now create the self-signed CA certificate:
    sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template  /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
    
  5. Make a private key for the server:
    sudo sh -c "certtool --generate-privkey > /etc/ssl/private/pdc_slapd_key.pem"
    
    [Note]
    Replace pdc in the file name with the hostname of your server (in this guide it is in fact "pdc"). Naming the certificate and key for the host and service that will be using them will help keep filenames and paths straight.
  6. To sign the server's certificate with the CA, create the /etc/ssl/pdc.info info file containing:
    organization = Nome della scuola o istituzione
    cn = pdc
    tls_www_server
    encryption_key
    signing_key
    expiration_days = 3650
    
  7. Create the server's certificate:
    sudo certtool --generate-certificate --load-privkey /etc/ssl/private/pdc_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/pdc.info --outfile /etc/ssl/certs/pdc_slapd_cert.pem
    
The procedure described next starts an "interactive" input mode, meaning you cannot simply copy and paste all the lines at once but must proceed line by line, pressing ENTER each time. The original tutorial says you have to enter the LDAP password (pwd123 in this tutorial): the interactive mode does not show the "Enter LDAP password" prompt; I did not enter it and found that everything works correctly. In the lines that follow, pdc is the hostname of the server being configured: change it if your hostname is different. A couple of ENTER presses at the end and a Control-C to leave input mode complete the procedure.

Once you have a certificate, key, and CA cert installed, use ldapmodify to add the new configuration options:
sudo ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/pdc_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/pdc_slapd_key.pem

modifying entry "cn=config"

[Note]
Adjust the ldap01_slapd_cert.pem, ldap01_slapd_key.pem, and cacert.pem names if yours are different.
Next, edit /etc/default/slapd and uncomment the SLAPD_SERVICES option:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

In the next step the tutorial assigns the certificate files to the "openldap" and "ssl-cert" users. To avoid an error message I found it useful to create the "ssl-cert" group beforehand with the command:
addgroup ssl-cert
As usual, the name "pdc" is the hostname of the server being configured and must be replaced with your own.

Now the openldap user needs access to the certificate:
sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private
sudo chgrp ssl-cert /etc/ssl/private/pdc_slapd_key.pem
sudo chmod g+r /etc/ssl/private/pdc_slapd_key.pem
[Note]
If the /etc/ssl/private and /etc/ssl/private/server.key have different permissions, adjust the commands appropriately. 

At this point you really do need to set the permissions of the /etc/ssl/private folder and of the /etc/ssl/private/server.key file as indicated in the note above.
I have verified that permission 710 for /etc/ssl/private and permission 644 for /etc/ssl/private/pdc_slapd_key.pem
To set the permissions this way, use these commands:
chmod 710 /etc/ssl/private
chmod 644 /etc/ssl/private/pdc_slapd_key.pem
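With the modes above, the key file itself is world-readable and only the 710 mode on /etc/ssl/private keeps other local users away from it. The following check is an added example (not part of the original post or the Ubuntu guide) that reports which of the two is doing the protecting; the function names are hypothetical, GNU stat is assumed, and only the immediate parent directory is inspected.

```shell
#!/bin/sh
# Added example: audit who can reach the slapd private key.

# mode_of PATH -> octal permission bits, e.g. 710 (GNU stat, as on Ubuntu)
mode_of() { stat -c '%a' "$1"; }

# last_digit STRING -> final character; for a mode this is the "other" digit
last_digit() { printf '%s' "${1#"${1%?}"}"; }

# key_exposure KEYFILE -> prints one of:
#   exposed     other users can traverse the directory and read the key
#   dir-only    the key file is world-readable; only the directory mode blocks access
#   restricted  the key file itself denies read access to other users
key_exposure() {
    k_file=$1
    k_dir=$(dirname "$k_file")
    k_mode=$(mode_of "$k_file") || return 2
    d_mode=$(mode_of "$k_dir") || return 2
    k_other=$(last_digit "$k_mode")
    d_other=$(last_digit "$d_mode")
    if [ $(( k_other & 4 )) -ne 0 ]; then
        # Read bit set for "other" on the key: traversal is all that is left.
        if [ $(( d_other & 1 )) -ne 0 ]; then
            echo exposed
        else
            echo dir-only
        fi
    else
        echo restricted
    fi
}

# Default to the key path used in this guide; pass another path as $1.
key=${1:-/etc/ssl/private/pdc_slapd_key.pem}
if [ -e "$key" ]; then
    printf '%s: %s\n' "$key" "$(key_exposure "$key")"
fi
```

A result of dir-only means that a later change to the directory mode would expose the key; mode 640 on the key, with the ssl-cert group set as above, gives restricted while still letting slapd read it.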

Finally, restart slapd:
/etc/init.d/slapd restart
The slapd daemon should now be listening for LDAPS connections and be able to use STARTTLS during authentication.
[Note]
If you run into troubles with the server not starting, check the /var/log/syslog. If you see errors like main: TLS init def ctx failed: -1, it is likely there is a configuration problem. Check that the certificate is signed by the authority from the files configured, and that the ssl-cert group has read permissions on the private key.
Renewing expired certificates
It has happened to me that the server certificates expired. To fix things, just repeat steps 4 and 7 to generate a new cacert.pem and pdc_slapd_cert.pem.
It is then advisable to restart the server. If you use pGina you must then load cacert.pem into the "trusted sources certificates" using the Internet Explorer tools.

THE TUTORIAL IS TO BE CONTINUED
WITH THE SMB.CONF SETUP FOR MANAGING PER-USER AND PER-GROUP SHARES
WITH SCRIPTS FOR THE INITIAL BULK CREATION OF LDAP USERS
WITH STEP-BY-STEP VIDEOS

Sunday, 10 April 2011

Trying Plone with no commitment

Six Feet Up provides a Plone 4 demo that can also be tested with administrator permissions.
It is an excellent service for anyone who wants to try Plone hands-on without having to install anything.
All material created and all changes made to the test site are reset at 3 every day, US East Coast time (9 in the morning in Italy).
The address of the Plone demo is:

http://plone-demo.sixfeetup.com/

Thursday, 7 April 2011

Moving Plone viewlets

Today, with my test Plone 4.0.4, I managed to move a viewlet from one viewlet manager to another.
I followed the documentation for Plone 3 and worked by customizing a product made by others (the Webrichtlijnen theme).
The goal was to move the site_actions viewlet, which in Plone 4 sits in the footer, up to the top.
Here are the customizations I made.
In buildout-cache/eggs/collective.webrichtlijnen/collective/webrichtlijen/browser/configure.zcml

I inserted these lines:

<!-- Viewlets registration -->
  <browser:viewlet
      name="plone.site_actions"
      manager="plone.app.layout.viewlets.interfaces.IPortalHeader"
      class="plone.app.layout.viewlets.common.SiteActionsViewlet"
      permission="zope2.View"
      layer=".interfaces.IThemeSpecific"
      />


In buildout-cache/eggs/collective.webrichtlijnen/collective/webrichtlijen/profiles/default/viewlets.xml (created from scratch) I inserted

<?xml version="1.0"?>
<object>
  <order manager="plone.portalheader" skinname="Webrichtlijnen"
         based-on="Plone Default">
    <viewlet name="plone.site_actions" insert-after="plone.skip_links" />
  </order>
  <!-- We hide the one we want to move -->
  <hidden manager="plone.portalfooter" skinname="Webrichtlijnen">
    <viewlet name="plone.site_actions" />
  </hidden>
</object>

The effect is to insert the site_actions viewlet into the portalheader viewlet manager and to hide it in the portalfooter viewlet manager, where it was before.

I did some debugging by starting Plone with the command instance fg.
To see the changes applied to an existing site, you need to reinstall the Webrichtlijnen product just customized on the filesystem.
References
Excellent documentation on this can be found at https://weblion.psu.edu/trac/weblion/wiki/MoveViewletsBetweenViewletManagers