All content in this wiki is licensed under the GPL.

Original: DebianEdu:CipUX/Installation/3.2.0

                   CipUX 3.2.x Installation Guide
               for Debian-Edu/Skolelinux 1.0 (Venus)


                         Originally by
                       Christian Kuelker
                          2005-08-01

                       woody version by
                          Georg Damm
                          2005-08-28

             License GFDL (no invariant sections)

Revision 0.1 2005-08-01 by Christian Kuelker   (init)
Revision 0.2 2005-08-11 by Christian Kuelker   (added chapter 2)
Revision 0.3 2005-08-12 by Christian Kuelker   (added chapter 3)
Revision 0.4 2005-08-12 by Patrick Willam      (some tests, wording)
Revision 0.5 2005-08-12 by Holger Sicking      (typo)
Revision 0.6 2005-08-12 by Christian Kuelker   (/etc/hosts corrections)
Revision 0.7 2005-08-12 by Patrick Willam      (aptitude, backup)
Revision 0.8 2005-08-12 by Christian Kuelker   (first steps)
Revision 0.9 2005-08-12 by Radi Wieloch        (errors, numbering, spelling, grammar)
Revision 1.0 2005-08-12 by Christian Kuelker   (repository changed)
Revision 1.1 2005-08-17 by Ralf Gesellensetter (warning)
Revision 1.2 2005-08-19 by Christian Kuelker   (revision correction, warning)
Revision 1.3 2005-08-19 by Christian Kuelker   (changed "first steps")
Revision 1.4 2005-08-23 by Christian Kuelker   (added cipux_maint_diagnostic pre)
Revision 1.5 2005-08-28 by Georg Damm          (changes for the woody installation)
Revision 1.6 2005-09-10 by Georg Damm          (added improved migration)
Revision 1.7 2005-09-10 by Georg Damm          (added Samba configuration)
Revision 1.8 2006-04-19 by Christian Kuelker   (minor changes, translation)
Revision 1.9 2006-04-21 by Georg Damm          (translation)

Please also see the installation guide for Debian-Edu/Skolelinux 2.0.


Contents:

0   Security remarks

1   Preparing the Debian-Edu/Skolelinux system
1.1 Upgrading the LDAP server with the CipUX schema
1.2 Preparing the CipUX package installation
2   Installing the CipUX framework packages

3   System configuration
3.1 Configuring LDAP
3.2 Configuring the CipUX framework
3.3 The webmin setup
3.4 Enter CAT
3.5 First steps
3.6 Further remarks

4   Additional system configuration
4.1 Samba configuration


0  Security remarks
-----------------------------------------------

   This documentation is "unofficial" and not well tested.
   Installing CipUX on Skolelinux 1.x (venus) currently carries a serious
   security risk, because CipUX uses commands from the ldapscripts package,
   which pass the LDAP bind password on the command line. That means the
   root password (on Debian-Edu it is also the LDAP admin password, see 3.2)
   can be read by every user who runs "ps axgu" on a venus tjener while such
   a command is running. This is not the case if tjener is based on sarge!!

This security problem is fixed as of CipUX 3.2.9.
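A check for the exposure just described, added here as an example and not part of the guide or of CipUX: it flags processes whose argument list carries a bind password the way ldapsearch's "-w <password>" does, which is exactly what "ps axgu" shows to every local user. Assumed: a Linux /proc, OpenLDAP's option names ("-w value" leaks, "-W" prompts, "-y file" reads a file), and a generic "--password=" form; the sample argument lists in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the guide or of CipUX: find processes that expose
# a bind password in their argument list, which "ps axgu" (or reading
# /proc/<pid>/cmdline) shows to every local user. Option names assumed are
# OpenLDAP's: "-w <password>" leaks, "-W" (prompt) and "-y <file>" do not;
# a generic "--password=<value>" form is flagged as well.

# Return 0 (true) if the argument list "$@" carries a password in the clear.
cmdline_leaks_password() {
    prev=""
    for arg in "$@"; do
        [ "$prev" = "-w" ] && return 0                  # "-w secret" as two words
        case "$arg" in
            -w?*|--password=*|--passwd=*) return 0 ;;   # "-wsecret" or "--password=secret"
        esac
        prev=$arg
    done
    return 1
}

# Walk /proc on Linux and report each process whose command line leaks a
# password. Prints "<pid>: <program>" per hit; returns 0 if any were found.
scan_proc_for_leaks() {
    hits=0
    for cmdfile in /proc/[0-9]*/cmdline; do
        [ -r "$cmdfile" ] || continue
        pid=${cmdfile#/proc/}; pid=${pid%/cmdline}
        # cmdline is NUL-separated; turn it into positional parameters without
        # splitting on spaces inside an argument or expanding globs.
        oldifs=$IFS; IFS='
'
        set -f
        set -- $(tr '\000' '\n' < "$cmdfile")
        set +f
        IFS=$oldifs
        if [ $# -gt 0 ] && cmdline_leaks_password "$@"; then
            echo "$pid: $1 (password visible to all users via ps)"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Usage: sh leakcheck.sh --scan   (run it while cipux_setup_ldap or an
# ldapscripts command is busy to see the exposure described in section 0)
if [ "${1:-}" = "--scan" ]; then
    scan_proc_for_leaks
fi
```

The check looks only at argv; a password passed through a file ("-y") or read from a prompt ("-W") never appears there, which is why those forms are the ones to prefer wherever the guide below types the password after "-w".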

1. Preparing the Debian-Edu/Skolelinux system
----------------------------------------------

This manual is intended for installing CipUX on an already installed Debian-Edu/Skolelinux 1.0 (called Venus).

WARNING: This is a first primer for a migration if you have already added users with webmin-ldap-user-simple (wlus). Use at your own risk!!!!!

To install CipUX you also need a working Internet connection!

Conventions in this manual:

CTRL = press the control key
CTRL-c = press the control key, hold it down and press the C key

$ = you can run this command as any normal user
# = you must run this command as the root user

(1) ... (x) are command and output numbers, used for references. They are not meant to be typed.

<OK> means pressing the "OK" button.



1.1 Upgrading the LDAP server with the CipUX schema
-----------------------------------------------

A resolvable ldap name and cipux name are required.

You need working name resolution for the LDAP server (the name "ldap") and for the host name "cipux".

Add the name cipux to /etc/hosts by changing the line:
  
   (1)
   127.0.0.1 localhost

   to

   127.0.0.1 localhost cipux


You also need resolution of the name ldap. Normally the local DNS server should take care of that.

It can be tested with the command:

   (2)
   $ ping ldap

This should produce output like this:

   (3)
   tjener:~$ ping ldap
   PING localhost (127.0.0.1) 56(84) bytes of data.
   64 bytes from tjener.intern (10.0.2.2): icmp_seq=1 ttl=64 time=0.069 ms
   64 bytes from tjener.intern (10.0.2.2): icmp_seq=2 ttl=64 time=0.070 ms
   64 bytes from tjener.intern (10.0.2.2): icmp_seq=3 ttl=64 time=0.068 ms

   (4)
   Abort with CTRL-c

If you get output like this instead:

   (5)
   tjener:~$ ping ldap
   ping: unknown host ldap

   the computer does not know its own name as ldap, which it should,
   since it is the server. A quick workaround for IPv4 networks is to
   edit /etc/hosts and change the line:

   (6)/etc/hosts
   127.0.0.1       localhost cipux

   to

   127.0.0.1       localhost ldap cipux


   Repeat (2) and (6) until you receive the output of (3).
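The /etc/hosts edits of (1) and (6) as one re-runnable step, added here as an example (not part of the guide): the functions add a name as an alias of the loopback line only if it is not there yet, and check_names asks the system resolver (getent, which follows /etc/nsswitch.conf) rather than ping, so a name that resolves only through DNS is also reported correctly. The hosts file content in the comments is constructed; run the edit on a copy first.

```shell
#!/bin/sh
# Added example, not part of the guide: idempotent /etc/hosts aliasing and a
# resolver check for the names "ldap" and "cipux" on tjener.

# Return 0 if NAME is already listed on the 127.0.0.1 line of FILE.
hosts_has_alias() {
    file=$1; name=$2
    awk -v n="$name" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { if (found) exit 0; exit 1 }' "$file"
}

# Append NAME to the first 127.0.0.1 line of FILE unless it is already there.
# Writes through a temp file and then back into FILE (keeps owner and mode).
hosts_add_alias() {
    file=$1; name=$2
    hosts_has_alias "$file" "$name" && return 0
    tmp=$(mktemp) || return 1
    awk -v n="$name" '
        $1 == "127.0.0.1" && !added { $0 = $0 " " n; added = 1 }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    hosts_has_alias "$file" "$name"
}

# Report how each NAME resolves through the system resolver; returns 1 if
# any of them does not resolve at all (the "ping: unknown host" case of (5)).
check_names() {
    rc=0
    for n in "$@"; do
        if getent hosts "$n" >/dev/null 2>&1; then
            echo "ok: $n -> $(getent hosts "$n" | awk '{ print $1; exit }')"
        else
            echo "MISSING: $n does not resolve"; rc=1
        fi
    done
    return $rc
}

# Usage on tjener (as root):
#   hosts_add_alias /etc/hosts cipux && hosts_add_alias /etc/hosts ldap
#   check_names ldap cipux
```

Aliasing "ldap" to 127.0.0.1 is the workaround the guide describes; it only makes sense on the LDAP server itself, since on any other host the name must keep pointing at tjener.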


1.2 Preparing the CipUX package installation
---------------------------------------------

   Edit /etc/apt/sources.list and add the following lines:

   (7)/etc/apt/sources.list

   deb     http://debian.cipworx.org/ sid main contrib non-free
   deb     http://ftp.debian.org/debian/ woody main contrib non-free

   Note that this pulls the CipUX packages from a sid repository into a
   woody system, and that apt on woody does not verify repository
   signatures: you are trusting the network path to debian.cipworx.org,
   so do this only from a network you trust.

   Then switch off the proxy by typing

   (8)
   # export http_proxy=""

2   Installing the CipUX framework packages
-------------------------------------------

   Execute the following commands as root. First check that the
   repository host is reachable:

   (9)
   # ping debian.cipworx.org

   (10)
   abort with CTRL-c

   (11)
   # apt-get update

   (12)
   # apt-get update

   Then simulate the installation (-s changes nothing) to see what
   would be pulled in:

   (13)
   # apt-get install -s cipux-common cipux-cibot cipux-cat-webmin

   This should produce output like this:

   Reading Package Lists... Done
   Building Dependency Tree... Done
   The following extra packages will be installed:
     libdate-calc-perl libquota-perl libtie-ixhash-perl
   The following NEW packages will be installed:
     cipux-cat-webmin cipux-cibot cipux-common libdate-calc-perl
     libquota-perl libtie-ixhash-perl
   0 packages upgraded, 6 newly installed, 0 to remove and 0  not upgraded.
   Inst cipux-common (3.2.7-1 unstable)
   Inst libdate-calc-perl (5.0-2 Debian:3.0r6/stable)
   Inst libquota-perl (1.4.1-2 Debian:3.0r6/stable)
   Inst libtie-ixhash-perl (1.21-1 Debian:3.0r6/stable)
   Inst cipux-cibot (3.2.7-1 unstable)
   Inst cipux-cat-webmin (3.2.7-1 unstable)
   Conf cipux-common (3.2.7-1 unstable)
   Conf libdate-calc-perl (5.0-2 Debian:3.0r6/stable)
   Conf libquota-perl (1.4.1-2 Debian:3.0r6/stable)
   Conf libtie-ixhash-perl (1.21-1 Debian:3.0r6/stable)
   Conf cipux-cibot (3.2.7-1 unstable)
   Conf cipux-cat-webmin (3.2.7-1 unstable)

   If everything looks ok, install the packages for real:

   # apt-get install cipux-common cipux-cibot cipux-cat-webmin
   

3   System configuration
-------------------------

3.1 Configuring LDAP
--------------------------

    First of all we need a well-configured LDAP server and, just to
    be safe, a backup.

    Check whether the LDAP server is running:

    (14)
    #  ps ax|grep slapd|grep -v grep

    This should produce output like:

    (15)
     2890 ?        Ss     0:00 /usr/sbin/slapd -h ldap:/// ldaps:///

    Now stop the server:

    (16)
    # /etc/init.d/slapd stop

    We have to be sure that the LDAP server is stopped, so if we
    execute (14) again it should not produce any output. (Archiving
    the database files while slapd is still writing to them can give
    an inconsistent backup.)

    Then we make a temporary backup, which may only be restored onto
    this same LDAP version. Run the archive program:

    (17)
    # tar cvjf /skole/backup/tmp_backup_ldap.tar.bz2 /var/lib/ldap

    If you want to restore your LDAP data later, you can write the
    backup back (when the LDAP server is NOT running!) with:

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    # rm -r /var/lib/ldap
    # cd /
    # tar xvjf /skole/backup/tmp_backup_ldap.tar.bz2
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    tar strips the leading "/" from the member names, so the archive
    must be extracted from / as shown. Check with "tar tvjf" that it
    really contains var/lib/ldap before deleting anything.

    Now we make a copy of /etc/ldap/slapd.conf and delete all "ssf=128"
    entries from it. "ssf=128" demands a security strength factor of at
    least 128 (in practice an encrypted TLS or SASL session) for the
    operations it guards; CipUX on woody is configured below (25a, 25b)
    without StartTLS, so this requirement has to go. Without it, simple
    binds over ldap:// carry the password in the clear, which is
    acceptable only for connections that stay on localhost. After that
    we add a new include line and change schemacheck from on to off:

    (19)

    # cd /etc/ldap/
    # cp slapd.conf slapd.conf.old
    # sed -e 's/ssf=128//g' slapd.conf.old > slapd.conf

    Then add to slapd.conf:

    include /etc/ldap/schema/cipux.schema

    schemacheck off

    You may set schemacheck back to "on" once everything is installed
    and works.

    Start the LDAP server again with:

    (20)
    # /etc/init.d/slapd start

    and check that it started with (14). It should produce output
    like (15).
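The slapd.conf changes of (19) done in one pass that can be re-run safely, plus a check to run before (20), added here as an example and not code from the guide or from CipUX. One assumption of ours: a "security" directive that is left with no factors after ssf=128 is removed would be an invalid line, so such a line is dropped entirely. The slapd.conf fragment in the self-test is constructed; the functions otherwise take the real file.

```shell
#!/bin/sh
# Added example, not part of the guide or of CipUX: apply the slapd.conf
# changes of step (19) idempotently and verify the result before restarting
# slapd. Assumption (ours): a bare "security" directive left behind after
# removing ssf=128 would be invalid, so it is dropped.

# Rewrite FILE: remove every ssf=128 token, add the cipux schema include once
# (after the last existing include line), and force "schemacheck off".
# The previous content is kept in FILE.old, like the guide's cp step.
patch_slapd_conf() {
    file=$1
    cp -p "$file" "$file.old" || return 1
    awk '
        { gsub(/[ \t]*ssf=128/, "") }                         # drop all ssf=128 requirements
        /^[ \t]*security[ \t]*$/ { drop[NR] = 1 }             # bare "security" left behind (assumption)
        /^[ \t]*include[ \t]/ { last_include = NR }
        /^[ \t]*include[ \t]+\/etc\/ldap\/schema\/cipux\.schema/ { seen_inc = 1 }
        /^[ \t]*schemacheck[ \t]/ { $0 = "schemacheck off"; seen_check = 1 }
        { lines[NR] = $0 }
        END {
            inc = "include /etc/ldap/schema/cipux.schema"
            if (!seen_inc && !last_include) print inc        # no include at all: ours goes first
            for (i = 1; i <= NR; i++) {
                if (drop[i]) continue
                print lines[i]
                if (i == last_include && !seen_inc) print inc
            }
            if (!seen_check) print "schemacheck off"
        }' "$file.old" > "$file"
}

# Return 0 only if FILE has the cipux include exactly once, schemacheck off,
# and no ssf=128 left. Meant to gate the "/etc/init.d/slapd start" of (20).
slapd_conf_check() {
    file=$1
    [ "$(grep -c '^[[:space:]]*include[[:space:]]*/etc/ldap/schema/cipux\.schema' "$file")" = 1 ] || return 1
    grep -q '^[[:space:]]*schemacheck[[:space:]]*off' "$file" || return 1
    ! grep -q 'ssf=128' "$file"
}

# Usage on tjener (as root, slapd stopped):
#   patch_slapd_conf /etc/ldap/slapd.conf && slapd_conf_check /etc/ldap/slapd.conf \
#       && /etc/init.d/slapd start
```

Running patch_slapd_conf twice leaves the file unchanged the second time, which matters if you have to repeat the section after a failed start. Because the check only confirms the edits, not the semantics, keep the .old copy until (14) shows slapd running again.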

3.2 Configuring the CipUX framework
-----------------------------------

    First of all, we are on a Debian-Edu/Skolelinux system, so we
    have to tell the CipUX framework by editing /etc/cipux/system.conf
    and changing

    (21)
    Customer = default

    to

    Customer = skolelinux

    I recommend doing the following only on a system without a
    network connection, because the root password can easily be seen
    with ps (see section 0)!!!!!
    Then you have to grant CipUX access to the LDAP server.
    On Debian-Edu the root password that is already set is also the
    LDAP admin password. (It is NOT a new password!)
    Edit /etc/cipux/cipux.conf and change one line. If your root
    password is "himitsu", change

    (22)
    Ldap_Password=secret

    to

    Ldap_Password=himitsu

    This file now holds the root password in the clear, so make sure
    it is owned by root and readable by root only (mode 0600).

    After this we test the access:

    (23)
    # /usr/bin/ldapsearch -x -p 389 -h localhost -w 'himitsu' \
        -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
        -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL

    Note that -w puts the password on the command line, where other
    users can see it with ps while the command runs; -W prompts for
    it instead (as used in (25d) below).

    If we get:

    (24)
    ldap_bind: Invalid credentials (49)

    the password was wrong.

    If we get:

    (25)
    dn: uid=root,ou=People,dc=skole,dc=skolelinux,dc=no
    objectClass: sambaSamAccount
    objectClass: account
    uid: root
    sambaSID: S-1-5-21-2697446647-283449030-1896125139-1000
    [...]
    sambaPwdMustChange: 2147483647
    sambaAcctFlags: [U          ]
    sambaLMPassword: 794D28F3A9F71D971AA818381E4E281B
    sambaNTPassword: 8F368683A54205B649BCFCD82ED0FC97
    sambaPwdCanChange: 1104872740
    sambaPwdLastSet: 1104872740

    everything is ok. (The sambaSID will be different.) The output
    contains the root account's Samba LM and NT password hashes, so
    do not paste it into mails or bug reports.
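A way to do steps (22) and (23) without ever placing the LDAP password in a process argument list, added here as an example (not code from the guide or from CipUX). It assumes the password is kept in a root-owned, mode 0600 file (the path /etc/cipux/ldap.secret is our choice, not a CipUX file), that cipux.conf uses the "Ldap_Password=<value>" line shown in (22), and that the bind test uses OpenLDAP's "-y passwdfile" option, which takes the file's complete contents as the password, so the file must be written without a trailing newline. The conf fragment in the self-test is constructed.

```shell
#!/bin/sh
# Added example, not from the guide or CipUX: set Ldap_Password= in cipux.conf
# and test the bind without exposing the secret through argv (visible to every
# local user in "ps axgu"). Assumed paths: /etc/cipux/ldap.secret is ours.

# Return 0 if FILE has no group/other permission bits at all (rw-------).
secret_file_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Rewrite the Ldap_Password= line of CONF with the contents of SECRETFILE.
# The secret reaches awk through the environment: /proc/<pid>/environ is
# readable only by the process owner and root, unlike /proc/<pid>/cmdline.
set_conf_password() {
    conf=$1; secretfile=$2
    secret_file_ok "$secretfile" || {
        echo "refusing: $secretfile is group/world readable" >&2; return 1; }
    pw=$(cat "$secretfile") || return 1
    tmp=$(mktemp) || return 1
    PW="$pw" awk '
        /^Ldap_Password=/ { $0 = "Ldap_Password=" ENVIRON["PW"]; set = 1 }
        { print }
        END { if (!set) print "Ldap_Password=" ENVIRON["PW"] }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"; unset pw
    return $rc
}

# The bind test of (23) with the password read from the file (-y) instead
# of "-w 'himitsu'". Note: -y uses the whole file, newline included, so
# create the file with: printf '%s' 'himitsu' > /etc/cipux/ldap.secret
ldap_bind_test() {
    secretfile=$1; binddn=$2; base=$3
    secret_file_ok "$secretfile" || return 1
    /usr/bin/ldapsearch -x -p 389 -h localhost -y "$secretfile" \
        -D "$binddn" -b "$base" -LLL
}

# Usage on tjener (as root):
#   umask 077; printf '%s' 'himitsu' > /etc/cipux/ldap.secret
#   set_conf_password /etc/cipux/cipux.conf /etc/cipux/ldap.secret
#   chmod 600 /etc/cipux/cipux.conf
#   ldap_bind_test /etc/cipux/ldap.secret \
#       'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
#       'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no'
```

The same "Invalid credentials (49)" check as in (24) applies to ldap_bind_test. The permission check is deliberately strict: a 0640 secret file would silently hand the root password to whatever group owns it.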

    Then we change some settings:

    (25a)
    In /etc/cipux/cipux.conf change
    Ldap_Start_TLS=-ZZ
    to
    Ldap_Start_TLS=

    (25b)
    Delete the -ZZ option in
    /usr/bin/cipux_maint_diagnostic (line 106)
    /usr/bin/cipux_setup_ldap_configuration (line 64?)
    /usr/bin/cipux_setup_ldap_machines (lines 64, 93, 106)

    (-ZZ makes the ldap tools insist on a successful StartTLS. Without
    it CipUX talks to slapd unencrypted, which is why "ssf=128" had to
    be removed in 3.1; keep the LDAP host set to localhost so these
    binds never leave the machine.)

    Get mkntpwd:
    (25c)
    # cd /usr/local/sbin/
    # wget http://test.cipworx.org/mkntpwd
    # chmod 755 mkntpwd

    (This fetches a binary over plain HTTP from a test host and installs
    it for root to run, with no checksum or signature to verify it
    against. Do it only over a network you trust, and look at what you
    downloaded before making it executable.)

    and store all teachers in teachers.txt:
    (25d)
    #  /usr/bin/ldapsearch -x -p 389 -h localhost -W -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'cn=teachers,ou=Group,dc=skole,dc=skolelinux,dc=no' -LLL | grep memberUid  | cut -d \  -f2 > teachers.txt

    (25e) edit CiBot.pm
    change
    my $cmd = "/usr/bin/ldapsearch -x -p $cipux{Ldap_Port} -h $cipux{Ldap_Host} -LLL ou=CipUX dn";
    to
    my $cmd = "/usr/bin/ldapsearch -x -p $cipux{Ldap_Port} -h $cipux{Ldap_Host} -b \"dc=skole,dc=skolelinux,dc=no\" -LLL ou=CipUX dn";

    (The explicit -b gives the search its base; without it ldapsearch
    relies on the BASE setting of ldap.conf.)

    (26)
    # cipux_maint_diagnostic pre

    Now we have to change the LDAP server by setting up the CipUX
    LDAP structure. This is the most challenging task in the process
    and may not be easily reversible. Hence the backup.

    What will the script do?
     - move ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no
       to ou=Machines,dc=skole,dc=skolelinux,dc=no
     - add ou=CipUX,ou=People,dc=skole,dc=skolelinux,dc=no
     - add some default objects: admin, and roles
     - DELETE some other objects!!!

    WARNING: This script is intended to run on a 'freshly'
             installed Skolelinux PR05 release!

    Execute the following command:

    (27)
    # cipux_setup_ldap    

The following error messages occur under woody:

delete role assistent (if it is there, just to be save)
rsh: /skole/backup/backup_homedir_assistent_2005-08-28+16: Name or service not known
tar (child): /skole/backup/backup_homedir_assistent_2005-08-28+16\:04\:27.tar.bz2: Cannot open: Input/output error
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
create role assistent ...

delete role guest (if it is there, just to be save)
create role guest ...

delete role examinee (if it is there, just to be save)
rsh: /skole/backup/backup_homedir_examinee_2005-08-28+16: Name or service not known
tar (child): /skole/backup/backup_homedir_examinee_2005-08-28+16\:04\:57.tar.bz2: Cannot open: Input/output error
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
create role examinee ...

delete role skel (if it is there, just to be save)
create role skel ...

delete admin cipadmin (if it is there, just to be save)
rsh: /skole/backup/backup_homedir_cipadmin_2005-08-28+16: Name or service not known
tar (child): /skole/backup/backup_homedir_cipadmin_2005-08-28+16\:05\:27.tar.bz2: Cannot open: Input/output error
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
create admin cipadmin ...

delete skel noskel (if it is there, just to be save)
rsh: /skole/backup/backup_homedir_noskel_2005-08-28+16: Name or service not known
tar (child): /skole/backup/backup_homedir_noskel_2005-08-28+16\:05\:42.tar.bz2: Cannot open: Input/output error
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
create skel noskel ...
delete other role course (if it is there, just to be save)
rsh: /skole/backup/backup_homedir_course_2005-08-28+16: Name or service not known
tar (child): /skole/backup/backup_homedir_course_2005-08-28+16\:05\:55.tar.bz2: Cannot open: Input/output error
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
create other role course ...

delete other role examination (if it is there, just to be save)
rsh: /skole/backup/backup_homedir_examination_2005-08-28+16: Name or service not known
tar (child): /skole/backup/backup_homedir_examination_2005-08-28+16\:06\:12.tar.bz2: Cannot open: Input/output error
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
create other role examination ...

delete group nogroup (if it is there, just to be save)
create group nogroup ...

The "rsh:" lines show the cause: the archive name carries a time stamp
with colons, and GNU tar treats an archive name of the form host:path
as a remote archive to be reached over rsh, so it tries to contact a
"host" called /skole/backup/backup_homedir_assistent_2005-08-28+16 and
fails. For the roles with this error no home directory archive is
written; the listing afterwards only contains the others:

tjener:/# ls /skole/backup/backup_homedir_*
backup_homedir_guest_2005-08-28+15:35:32.tar.bz2
backup_homedir_guest_2005-08-28+16:04:42.tar.bz2
backup_homedir_nogroup_2005-08-28+15:37:46.tar.bz2
backup_homedir_nogroup_2005-08-28+16:06:28.tar.bz2
backup_homedir_none_2005-08-28+15:34:03.tar.bz2
backup_homedir_none_2005-08-28+16:03:28.tar.bz2
backup_homedir_skel_2005-08-28+15:36:09.tar.bz2
backup_homedir_skel_2005-08-28+16:05:13.tar.bz2
backup_homedir_student_2005-08-28+15:34:20.tar.bz2
backup_homedir_student_2005-08-28+16:03:43.tar.bz2
backup_homedir_teacher_2005-08-28+15:34:38.tar.bz2
backup_homedir_teacher_2005-08-28+16:03:58.tar.bz2
backup_homedir_tutor_2005-08-28+15:34:56.tar.bz2
backup_homedir_tutor_2005-08-28+16:04:13.tar.bz2

GNU tar's --force-local option (or a time stamp without colons) avoids
this. Apart from that the script will hopefully do its work of
changing the LDAP server.

    To test the installation run the diagnostic script:

    (28)
    # cipux_maint_diagnostic

    It should only produce tests answered with "ok". 

    Next export the whole tree to an LDIF file (a second backup that,
    unlike (17), is independent of the slapd version and readable):

    (28a)
    # cd /skole/backup/
    # /usr/bin/ldapsearch -x -p 389 -h localhost -W \
        -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
        -b 'dc=skole,dc=skolelinux,dc=no' -LLL > backup_ldap_2005-08-25.ldif

     Hint: If the directory contains too many entries, you must raise
           the sizelimit in slapd.conf and ldap.conf: 
           sizelimit 8000
           Otherwise the export is cut off at the limit (500 entries by
           default); compare the number of "dn:" lines in the file with
           what you expect before relying on it.

    (28b)
    Beware!!!! The script is not _really_ tested!!!!
    # wlus2cipux -f /skole/backup/backup_ldap_2005-08-25.ldif
    converts the LDAP tree from wlus to cipux.

    (The script is available from    
     http://skolelinux.de:8080/skole1/Members/damm/wlus2cipux.
     Remember to chmod u+x wlus2cipux.)
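Since (27) deletes and moves entries and (28b) rewrites the tree, it pays to take an LDIF export as in (28a) before and after each of them and compare the two by DN. The functions below do that; they are added here as an example and are not part of the guide or of CipUX. They take exports made with "ldapsearch -LLL", unfold LDIF continuation lines (a line starting with one space continues the previous one) and keep base64 DNs ("dn::") as opaque strings. The two LDIF files in the self-test are constructed from the DNs the guide names.

```shell
#!/bin/sh
# Added example, not part of the guide or of CipUX: compare two LDIF exports
# (before/after cipux_setup_ldap or wlus2cipux) by DN to see which entries
# were deleted, added or moved. Sample data in the self-test is constructed.

# Print the DNs of an LDIF file, one per line, sorted in the C locale (comm
# needs identical sorting). Folded continuation lines are joined; base64 DNs
# ("dn:: ...") are kept with a "b64:" marker instead of being decoded.
ldif_dns() {
    awk '
        function emit() {
            if (!sub(/^dn:: */, "b64:", dn)) sub(/^dn: */, "", dn)
            print dn; indn = 0
        }
        /^ /      { if (indn) dn = dn substr($0, 2); next }   # folded continuation
                  { if (indn) emit() }
        /^dn::? / { dn = $0; indn = 1 }
        END       { if (indn) emit() }
    ' "$1" | LC_ALL=C sort
}

# Number of entries in the export. If this equals slapd'"'"'s sizelimit (500
# by default, 8000 after the hint in (28a)) the export was probably cut off.
ldif_count() {
    ldif_dns "$1" | wc -l | tr -d ' '
}

# DNs present in BEFORE but not in AFTER (deleted, or moved elsewhere).
ldif_removed() {
    b=$(mktemp) && a=$(mktemp) || return 1
    ldif_dns "$1" > "$b"; ldif_dns "$2" > "$a"
    LC_ALL=C comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

# DNs present in AFTER only (created, or moved here).
ldif_added() {
    b=$(mktemp) && a=$(mktemp) || return 1
    ldif_dns "$1" > "$b"; ldif_dns "$2" > "$a"
    LC_ALL=C comm -13 "$b" "$a"
    rm -f "$b" "$a"
}

# Usage: sh ldifdiff.sh before.ldif after.ldif
if [ $# -eq 2 ]; then
    echo "# entries: $(ldif_count "$1") before, $(ldif_count "$2") after"
    echo "# removed:"; ldif_removed "$1" "$2"
    echo "# added:";   ldif_added "$1" "$2"
fi
```

For the move the guide announces, ou=Machines,ou=People,... shows up under "removed" and ou=Machines,... under "added"; anything else under "removed" is one of the entries cipux_setup_ldap "DELETEs", and the before export is what you restore it from.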


3.3 The webmin setup
--------------------

    The last thing to do is to make CAT accessible to the webmin
    user root.

    Start a browser (konqueror won't work!)

    (29)
    # mozilla

    and switch off the proxy in the browser:

    (30)
    Edit -> Preferences -> General -> Connection Settings ...
      -> "Direct connection to the Internet" -> <OK>

    Enter the following URL (location, address) into the
    browser's location bar:

    (31)
    https://cipux:10000

    A certificate dialog will pop up, because webmin presents a
    self-signed certificate. You are about to type the root password
    into this site, so compare the fingerprint the dialog shows with
    that of the webmin certificate on tjener (/etc/webmin/miniserv.pem)
    before accepting it ...

    (32)
    select "Accept this certificate permanently"

    (33)
    <OK>

    Another dialog appears:
    "You have requested an encrypted page. The website has
     identified itself correctly, and information you see or
     enter on this page can't easily be read by a third party."
     [...]

    (34)
    <OK>

    (35)
    Username: root
    Password: himitsu
    <Login>

    (36)
    <never for this site>   (do not let the browser store the root password)

    (37)
    go to Webmin -> Webmin Users -> root

    (38)
    check "CipUX Administration Tool" in the Modules section
    uncheck "Webmin-Ldap-User-Simple" (???)

    (39)
    press the "Save" button

3.4 Enter CAT
--------------
    In webmin go to

    (40)
    Webmin Index -> System -> CipUX Administration Tool

3.5 First steps
---------------

  If you create a user for the first time, it will fail, because some
  objects do not exist yet. So please create the following objects
  first:

   (A) create a new group/course (example: class84) with
       the CAT module "groups"
       (German: "Gruppen")

   (B) create a private skel with "skeladmin"
       (German: "Vorlage Verzeichnis (skel)")

  After that you can add a new user with
  "User Support Service" (German: "Benutzerbetreuung")


State of affairs:

- Module useradmin (user support service):
    * create password: ok
    * create user: ok (but only ASCII characters)

- Module groupadmin (groups):
    see useradmin

- Module tutoradmin (tutoradmin): 
    seemed to be o.k.

- Module internet:
   * out of order.

3.6 Further remarks:

Samba: does not work any more!!!!

Samba does not work for the new CipUX users (only if the Samba
       attributes are still in LDAP. Before (28b) everything works
       smoothly, afterwards nothing works).
       Probably an authentication problem (in konqueror the shares are
       visible under smb://tjener/Schueler/).
       (Changing "ldap machine suffix = ou=Machines" does not help.)

cipux_task_* : works only with ASCII characters

4   Additional system configuration
-----------------------------------

  TODO: Configure quota, ACL, Samba

  The additional system configuration is optional and does not have
  to be done on every system.


4.1 Samba configuration
-----------------------

  CipUX may be used together with Samba. These steps make CipUX
  respect the additional attributes Samba needs. Note that this
  section does not cover specific Samba problems. It should be
  applied before users, groups or workstations are created.


  * Enable Samba in CipUX

  (1) edit /etc/cipux/cipux.conf

  Change 
   
    Cipux_Use_Samba=no

  to

    Cipux_Use_Samba=yes


  * Edit the Samba configuration; check or change smb.conf.

  (2) edit /etc/samba/smb.conf

   Change
   
     ldap machine suffix = ou=Machines,ou=People

   to
   
     ldap machine suffix = ou=Machines

   (cipux_setup_ldap moved the machine accounts from
    ou=Machines,ou=People to ou=Machines, see (27) in 3.2.)

   On Sarge this should work:
   
     passdb backend = ldapsam:ldaps://ldap

   On woody this may work (if you disabled encrypted connections
   as in 3.1):
   
     passdb backend = ldapsam:ldap://ldap
     ldap ssl = start_tls
    
   Change the machine creation from
   
     add machine script = /etc/samba/smbaddclient.pl %u
   
   to

     add machine script = /usr/bin/cipux_add.pl -m --attribute uid='%u'


   * You should add a group called 'machines' if 'id machines' fails.

   (3) # groupadd -g 600 machines

   Note that this group might move into LDAP in the future.
 
   * (Not tested, remarks welcome) Change pam_ldap.conf.
   This may only matter under the following condition:

   Example: you create a new Windows machine account ws24$.
   If the command id 'ws24$' does not produce a line like
   uid=10936(ws24$) gid=600(machines) groups=600(machines)
   (the numbers may differ), fix it by editing pam_ldap.conf so that
   the search base covers the whole tree, including ou=Machines,
   instead of only ou=People:

    (4) edit /etc/pam_ldap.conf

   Change
   
     # The distinguished name of the search base.
     # base dc=example,dc=net
     base ou=People,dc=skole,dc=skolelinux,dc=no
   
   to
     # The distinguished name of the search base.
     # base dc=example,dc=net
     base dc=skole,dc=skolelinux,dc=no

CipUX/Archive/de/Installation/3.2.0 (last edited 2008-02-14 10:06:04 by ChristianKuelker)