CipUX 3.2.x installation guide
for Debian-Edu/Skolelinux 1.0 (Venus)
Original by
Christian Kuelker
2005-08-01
woody-version by
Georg Damm
2005-08-28
License GPL
Revision 0.1 2005-08-01 by Christian Kuelker (init)
Revision 0.2 2005-08-11 by Christian Kuelker (add chapter 2)
Revision 0.3 2005-08-12 by Christian Kuelker (add Chapter 3)
Revision 0.4 2005-08-12 by Patrick Willam (several checks, "wording")
Revision 0.5 2005-08-12 by Holger Sicking (typo)
Revision 0.6 2005-08-12 by Christian Kuelker (/etc/hosts correction)
Revision 0.7 2005-08-12 by Patrick Willam (apttitude, backup)
Revision 0.8 2005-08-12 by Christian Kuelker (First steps)
Revision 0.9 2005-08-12 by Radi Wieloch (errors, numbers, orthography, grammar)
Revision 1.0 2005-08-12 by Christian Kuelker (repository changed)
Revision 1.1 2005-08-17 by Ralf Gesellensetter (warning)
Revision 1.2 2005-08-19 by Christian Kuelker (correct Revison, warning)
Revision 1.3 2005-08-19 by Christian Kuelker (change first steps)
Revision 1.4 2005-08-23 by Christian Kuelker (add cipux_maint_diagnostic pre)
Revision 1.5 2005-08-28 by Georg Damm (changes for woody-installation)
Revision 1.6 2005-09-10 by Georg Damm (add improved migration)
Revision 1.7 2005-09-10 by Georg Damm (add samba configuration)
Revision 1.8 2006-04-19 by Christian Kuelker (small changes, translation)
Revision 1.9 2006-04-21 by Georg Damm (translation)
Revision 1.9 2006-04-22 by Georg Damm (minor corrections)
Revision 2.0 2006-05-19 by Christian Kuelker (after agreement change License to GPL)
Please see also the installation guide for Debian-Edu/ Skolelinux 2.0
Contents:
0 Security Remarks
1 Preparing the Debian-Edu/Skolelinux system
1.1 Upgrading the LDAP server with CipUX schema
1.2 Prepare the CipUX package install process
2 Installing the CipUX framework packages
3 System configuration
3.1 Configuring the LDAP
3.2 Configure the CipUX framework
3.3 The webmin setup
3.4 Enter CAT
3.5 First steps
3.6 Further remarks
4 Additional system configuration
4.1 Samba configuration
0 Security Remarks
-----------------------------------------------
This documentation is "non-official" and not well tested.
Installing CipUX on a Skolelinux 1.x (venus) system carries (at the
moment?) a serious security risk: CipUX uses the commands of the
ldapscripts package, which pass the LDAP password (on Skolelinux this
is the root password) on the command line. Any user on a venus tjener
can therefore read the root password from the process table with
"ps axgu" while such a command runs. This is not the case on a
sarge-based tjener!
This security issue is fixed after CipUX 3.2.9.
1 Preparing the Debian-Edu/Skolelinux system
----------------------------------------------
This manual describes the installation of CipUX on an already
installed Debian-Edu/Skolelinux 1.0 system (called venus).
WARNING: This is a first primer for a migration of a system
where users have already been added by means of
webmin-ldap-user-simple (wlus)! Use it at your own risk!
To install CipUX you also need a working internet
connection!
Convention in this manual:
CTRL = press the control key
CTRL-c press the control key, hold it, and press the c key
$ = you may execute this command as any user
# = you have to execute this command as root user
(1)...(x) are command and output numbers used for
references; they are not meant to be typed.
<OK> means pressing the button "OK".
1.1 Upgrading the LDAP server with CipUX schema
-----------------------------------------------
The names ldap and cipux must resolve on tjener: the host
name cipux (used for the webmin URL later) and the name
of the LDAP server.
Insert the name cipux into the /etc/hosts file by changing
the line:
(1)
127.0.0.1 localhost
to
127.0.0.1 localhost cipux
You also need the resolution of the name ldap. Usually it
should be resolved by the local DNS server.
It can be tested with the command:
(2)
$ ping ldap
This should produce output like this:
(3)
tjener:~$ ping ldap
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from tjener.intern (10.0.2.2): icmp_seq=1 ttl=64 time=0.069 ms
64 bytes from tjener.intern (10.0.2.2): icmp_seq=2 ttl=64 time=0.070 ms
64 bytes from tjener.intern (10.0.2.2): icmp_seq=3 ttl=64 time=0.068 ms
(4)
Cancel with CTRL-c
If there is output like:
(5)
tjener:~$ ping ldap
ping: unknown host ldap
this means that the server does not resolve its own name as
ldap, which it should. A quick workaround for IPv4 networks is
to edit /etc/hosts and change the line:
(6)/etc/hosts
127.0.0.1 localhost cipux
to
127.0.0.1 localhost ldap cipux
Repeat (2) and (6) until you receive the output of (3).
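The /etc/hosts edits of (1) and (6) done as a small script, so they can be repeated without producing duplicate names. This is an added example, not part of the original guide or of CipUX; it assumes a GNU/Linux userland with awk and getent, and takes the file path as a parameter so it can be tried on a copy before touching /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the original guide): maintain the 127.0.0.1 line of
# an /etc/hosts-style file idempotently and check name resolution.
# Assumptions: awk and getent are available; FILE is passed explicitly.

# add_loopback_alias FILE NAME...: append each NAME to the "127.0.0.1" line of
# FILE unless it is already listed there. Other lines are left untouched.
add_loopback_alias() {
    file=$1; shift
    for name; do
        awk -v name="$name" '
            $1 == "127.0.0.1" && !done {
                found = 0
                for (i = 2; i <= NF; i++) if ($i == name) found = 1
                if (!found) $0 = $0 " " name
                done = 1
            }
            { print }
            END { if (!done) print "127.0.0.1 localhost " name }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    done
}

# aliases_on_loopback FILE: print the names listed on the 127.0.0.1 line,
# space separated, so the result of an edit can be inspected.
aliases_on_loopback() {
    awk '$1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
            exit
        }' "$1"
}

# check_resolves NAME: exit 0 if NAME resolves through the normal resolver
# order (/etc/hosts, then DNS); the guide tests the same thing with ping.
check_resolves() {
    getent hosts "$1" > /dev/null
}

# Usage on the real system (as root):
#   add_loopback_alias /etc/hosts cipux ldap && check_resolves ldap
```

Run it once per name the guide asks for; running it again is harmless, which is the point of the idempotent edit. If check_resolves still fails for ldap after the edit, the resolver order in /etc/nsswitch.conf does not consult files first.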
1.2 Prepare the CipUX package install process
---------------------------------------------
Edit /etc/apt/sources.list and add the following lines (the
first one is a third-party repository; the CipUX packages
installed below come from there):
(7)/etc/apt/sources.list
deb http://debian.cipworx.org/ sid main contrib non-free
deb http://ftp.debian.org/debian/ woody main contrib non-free
Then switch off the proxy for this shell by typing
(8)
# export http_proxy=""
2 Installing the CipUX framework packages
-------------------------------------------
Execute the following commands as root. (9) only checks that the
repository host is reachable, and (12) simulates the installation
without changing anything:
(9)
# ping debian.cipworx.org
(10)
CTRL-c
(11)
# apt-get update
(12)
# apt-get install -s cipux-common cipux-cibot cipux-cat-webmin
This should produce output like this:
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
libdate-calc-perl libquota-perl libtie-ixhash-perl
The following NEW packages will be installed:
cipux-cat-webmin cipux-cibot cipux-common libdate-calc-perl
libquota-perl libtie-ixhash-perl
0 packages upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Inst cipux-common (3.2.7-1 unstable)
Inst libdate-calc-perl (5.0-2 Debian:3.0r6/stable)
Inst libquota-perl (1.4.1-2 Debian:3.0r6/stable)
Inst libtie-ixhash-perl (1.21-1 Debian:3.0r6/stable)
Inst cipux-cibot (3.2.7-1 unstable)
Inst cipux-cat-webmin (3.2.7-1 unstable)
Conf cipux-common (3.2.7-1 unstable)
Conf libdate-calc-perl (5.0-2 Debian:3.0r6/stable)
Conf libquota-perl (1.4.1-2 Debian:3.0r6/stable)
Conf libtie-ixhash-perl (1.21-1 Debian:3.0r6/stable)
Conf cipux-cibot (3.2.7-1 unstable)
Conf cipux-cat-webmin (3.2.7-1 unstable)
If everything seems ok, install the packages:
# apt-get install cipux-common cipux-cibot cipux-cat-webmin
3 System configuration
-------------------------
3.1 Configuring the LDAP
--------------------------
First of all we need a well-configured LDAP server and, just
to be safe, a backup.
We check whether the ldap server is running:
(14)
# ps ax|grep slapd|grep -v grep
This should produce output like:
(15)
2890 ? Ss 0:00 /usr/sbin/slapd -h ldap:/// ldaps:///
So we stop the server.
(16)
# /etc/init.d/slapd stop
We have to be sure that the ldap server is stopped. So if
we execute (14) again it should not generate any output.
Then we make a temporary backup of the raw database files, which
is only usable with this ldap version. We execute the archive program:
(17)
# tar cvjf /skole/backup/tmp_backup_ldap.tar.bz2 /var/lib/ldap
If you want to restore your ldap data later, you may write the
backup back (when the ldap server is NOT running!) with:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# rm -r /var/lib/ldap
# cd /
# tar xvjf /skole/backup/tmp_backup_ldap.tar.bz2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Now we make a copy of /etc/ldap/slapd.conf and delete all
"ssf=128" entries (they require an encrypted connection for
the affected access rules; the CipUX tools on woody connect
without TLS, see (25a)). After that we edit slapd.conf, add a
new include line next to the existing ones and change the
schemacheck from on to off:
(19)
# cd /etc/ldap/
# cp slapd.conf slapd.conf.old
# sed -e 's/ssf=128//g' slapd.conf.old > slapd.conf
include /etc/ldap/schema/cipux.schema
schemacheck off
Turn schemacheck back "on" once everything is installed and
works fine; without schema checking slapd accepts entries that
violate the loaded schemas, so mistakes go unnoticed.
We start the ldap server again with:
(20)
# /etc/init.d/slapd start
And check if its started with (14). It should produce output
like (15).
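The stop / backup / patch / start sequence of this section as one script. This is an added example, not part of the original guide or of CipUX; it assumes the Skolelinux paths the guide uses (/etc/ldap/slapd.conf, /var/lib/ldap, /skole/backup) and a standard awk. The filter is idempotent, so it can be re-run on an already patched file, and it removes every ssf=128 token on a line, where the guide's sed without /g only removes the first.

```shell
#!/bin/sh
# Added example (not from the original guide): section 3.1 as a script.
# Assumes /etc/ldap/slapd.conf, /var/lib/ldap and /skole/backup as in the guide.
# Both changes made by patch_slapd_conf loosen the server: dropping ssf=128
# removes the "encrypted connection required" condition from the affected
# access rules, and "schemacheck off" makes slapd accept objects that violate
# the loaded schemas. Keep slapd.conf.old and turn schemacheck back on later.

# patch_slapd_conf: reads slapd.conf on stdin, writes the patched file on stdout.
#  - removes every "ssf=128" token
#  - adds "include /etc/ldap/schema/cipux.schema" after the last include line
#    (at the top if there is none), unless it is already present
#  - forces "schemacheck off" (appends it if the directive is missing)
patch_slapd_conf() {
    awk '
        { gsub(/[ \t]*ssf=128/, "") }
        /^[ \t]*include[ \t]+\/etc\/ldap\/schema\/cipux\.schema/ { have_inc = 1 }
        /^[ \t]*include[ \t]/ { last_inc = NR }
        /^[ \t]*schemacheck[ \t]/ { $0 = "schemacheck off"; have_chk = 1 }
        { line[NR] = $0 }
        END {
            inc = "include /etc/ldap/schema/cipux.schema"
            if (!have_inc && !last_inc) print inc
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (!have_inc && i == last_inc) print inc
            }
            if (!have_chk) print "schemacheck off"
        }'
}

# slapd_running: exit 0 if a slapd process exists. The [s] trick keeps the
# grep itself out of the match, replacing the "grep -v grep" of (14).
slapd_running() {
    ps ax | grep '[s]lapd' > /dev/null
}

# migrate_slapd_conf: the whole procedure. Refuses to continue if slapd is
# still running, because the tar backup of a live database is unusable.
migrate_slapd_conf() {
    conf=/etc/ldap/slapd.conf
    backup=/skole/backup/tmp_backup_ldap.tar.bz2
    /etc/init.d/slapd stop
    if slapd_running; then
        echo "slapd is still running, aborting" >&2
        return 1
    fi
    tar cjf "$backup" /var/lib/ldap || return 1
    # keep the first pristine copy; later runs patch from it again
    [ -f "$conf.old" ] || cp "$conf" "$conf.old"
    patch_slapd_conf < "$conf.old" > "$conf.new" && mv "$conf.new" "$conf" || return 1
    /etc/init.d/slapd start
    slapd_running
}

# Usage (as root): sh migrate-slapd.sh --apply
if [ "${1:-}" = "--apply" ]; then
    migrate_slapd_conf
fi
```

Restoring is still the manual rm/tar sequence given above; the script deliberately does not automate deleting /var/lib/ldap.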
3.2 Configure the CipUX framework
-----------------------------------
First of all, this is a Debian-Edu/Skolelinux system, so we
have to tell the CipUX framework by editing
/etc/cipux/system.conf and changing
(21)
Customer = default
to
Customer = skolelinux
It is recommended to do the following steps on a running
system only while it is disconnected from the network, because
the root password can easily be seen with ps (see section 0).
Then you have to grant CipUX access to the ldap server.
On Debian-Edu the root password you already set is also the
LDAP admin password. (It is NOT a new password!)
We have to edit /etc/cipux/cipux.conf and change one line.
If your root password is "himitsu" you have to change
(22)
Ldap_Password=secret
to
Ldap_Password=himitsu
Make sure /etc/cipux/cipux.conf is readable by root only,
since it now contains the root password in clear text.
After this we test the access (the password is given on the
command line here, so other users can see it with ps while
the command runs; see section 0):
(23)
# /usr/bin/ldapsearch -x -p 389 -h localhost -w 'himitsu' \
  -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
  -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL
If we get:
(24)
ldap_bind: Invalid credentials (49)
The password was wrong.
If we get:
(25)
dn: uid=root,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: sambaSamAccount
objectClass: account
uid: root
sambaSID: S-1-5-21-2697446647-283449030-1896125139-1000
[...]
sambaPwdMustChange: 2147483647
sambaAcctFlags: [U ]
sambaLMPassword: 794D28F3A9F71D971AA818381E4E281B
sambaNTPassword: 8F368683A54205B649BCFCD82ED0FC97
sambaPwdCanChange: 1104872740
sambaPwdLastSet: 1104872740
everything is ok. (The sambaSID may be different.) Note that
this output includes root's LM and NT password hashes, so do
not paste it into mails or bug reports.
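To see the problem behind section 0 and behind the -w in (23) rather than take it on trust, here is a small checker. It is an added example, not part of the original guide or of CipUX; it assumes a Linux /proc (with a fallback to ps). Anything passed on a command line, such as the LDAP password in (23), is readable by every local user through "ps axgu" or /proc/<pid>/cmdline for as long as the process runs. The function scans the process table for a given secret without ever passing that secret to a child process, so it does not create the very leak it is looking for.

```shell
#!/bin/sh
# Added example (not from the original guide): find processes that expose a
# secret on their command line. Assumes Linux /proc; falls back to ps.

# list_cmdlines: print "PID COMMANDLINE" for every process visible to us.
list_cmdlines() {
    if [ -r /proc/self/cmdline ]; then
        for d in /proc/[0-9]*; do
            # argv is NUL separated in /proc; turn it into one line
            cmd=$(tr '\000' ' ' < "$d/cmdline" 2>/dev/null) || continue
            [ -n "$cmd" ] && printf '%s %s\n' "${d#/proc/}" "$cmd"
        done
    else
        ps -eo pid=,args= | sed 's/^ *//'
    fi
}

# leaked_by_cmdline SECRET: print every process whose command line contains
# SECRET. The scanner's own shell is skipped, since it holds SECRET as an
# argument or in the script text. Matching is done with the shell's "case",
# so SECRET never appears in a child's argv. Prints nothing if no leak exists.
leaked_by_cmdline() {
    secret=$1
    self=$(tr '\000' ' ' < /proc/self/cmdline 2>/dev/null)
    list_cmdlines | while IFS= read -r line; do
        pid=${line%% *}
        cmd=${line#* }
        [ "$pid" = "$$" ] && continue
        [ -n "$self" ] && [ "$cmd" = "$self" ] && continue
        case "$cmd" in
            *"$secret"*) printf '%s\n' "$line" ;;
        esac
    done
}

# Usage: sh leak-check.sh himitsu   (run while (23) is executing in another
# terminal, as any unprivileged user, to see the password appear).
# To bind without putting the password into argv at all, use the -W option
# of ldapsearch, which prompts on the terminal, as the guide does in (25d).
if [ $# -gt 0 ]; then
    hits=$(leaked_by_cmdline "$1")
    if [ -n "$hits" ]; then
        echo "secret visible in the process table:" >&2
        printf '%s\n' "$hits"
        exit 1
    fi
    echo "no process currently exposes the secret on its command line"
fi
```

Run it as an ordinary, non-root user: the point of section 0 is that this needs no privilege at all. The CipUX tools up to 3.2.9 build their ldapsearch/ldapmodify commands with the password in argv in exactly this way, so the window is open every time one of them runs.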
Then we change some settings. The CipUX tools try to start TLS
(-ZZ) on their LDAP connections; (25a) and (25b) switch that off.
Together with the removal of ssf=128 in (19) this means the LDAP
password crosses the connection to slapd unencrypted, which is
only acceptable as long as Ldap_Host stays localhost.
(25a)
change in /etc/cipux/cipux.conf:
Ldap_Start_TLS=-ZZ
into
Ldap_Start_TLS=
(25b)
delete the -ZZ option in
/usr/bin/cipux_maint_diagnostic (line 106)
/usr/bin/cipux_setup_ldap_configuration (line 64?)
/usr/bin/cipux_setup_ldap_machines (lines 64, 93, 106)
Get mkntpwd (a binary fetched over plain http without a checksum
or signature; inspect it before you run it as root):
(25c)
# cd /usr/local/sbin/
# wget http://test.cipworx.org/mkntpwd
# chmod 755 mkntpwd
and store the members of the teachers group in teachers.txt
(-W prompts for the admin password instead of taking it from
the command line):
(25d)
# /usr/bin/ldapsearch -x -p 389 -h localhost -W \
  -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
  -b 'cn=teachers,ou=Group,dc=skole,dc=skolelinux,dc=no' -LLL \
  | grep memberUid | cut -d ' ' -f2 > teachers.txt
(25e) edit CiBot.pm: the ldapsearch call has no search base (-b), so change
my $cmd = "/usr/bin/ldapsearch -x -p $cipux{Ldap_Port} -h $cipux{Ldap_Host} -LLL ou=CipUX dn";
into (keep it on one line; a line break inside the string would end up
in the shell command and split it in two)
my $cmd = "/usr/bin/ldapsearch -x -p $cipux{Ldap_Port} -h $cipux{Ldap_Host} -b \"dc=skole,dc=skolelinux,dc=no\" -LLL ou=CipUX dn";
(26)
# cipux_maint_diagnostic pre
Now we have to change the LDAP server by setting up the
CipUX LDAP structure. This is the most challenging task
in the process and may not be easily reversible.
That is why we made the backup in (17).
What will the script do?
- move ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no
  to ou=Machines,dc=skole,dc=skolelinux,dc=no
- add ou=CipUX,ou=People,dc=skole,dc=skolelinux,dc=no
- add some default objects: admin, and roles
- DELETE some other objects!!!
WARNING: This script is intended to run on a 'freshly'
installed Skolelinux PR05 release!
Execute the following command:
(27)
# cipux_setup_ldap
(Some error messages appear under woody due to problems with rsh and tar.)
and hopefully it will perform the work to change the LDAP
server.
To test the installation run the diagnostic script.
(28)
# cipux_maint_diagnostic
It should only generate tests with answers "ok".
Then dump the whole directory as LDIF; this is the input for
the migration script in (28b):
(28a)
# cd /skole/backup/
# /usr/bin/ldapsearch -x -p 389 -h localhost -W \
  -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
  -b 'dc=skole,dc=skolelinux,dc=no' -LLL \
  > backup_ldap_2005-08-25.ldif
Hint: If the ldap contains too many entries, you must raise
the sizelimit in slapd.conf and ldap.conf, e.g.:
sizelimit 8000
(The dump contains the password hashes of every account, so
keep it readable by root only, like the tar backup.)
(28b)
Beware! The script is not really tested!
# wlus2cipux -f /skole/backup/backup_ldap_2005-08-25.ldif
converts the LDAP tree from the wlus layout to the cipux layout.
(The script is available from
http://skolelinux.de:8080/skole1/Members/damm/wlus2cipux.
Make it executable with chmod u+x wlus2cipux.)
3.3 The webmin setup
--------------------
The last thing to do is to make CAT accessible to the
webmin user root.
Start a browser (konqueror won't work!)
(29)
# mozilla
and switch off the proxy in the browser:
(30)
Edit -> Preferences -> General -> Connection Settings ...
-> "Direct connection to the Internet" -> <OK>
Enter the following URL into the browser's location bar:
(31)
https://cipux:10000
A certificate dialog pops up, because the webmin certificate
is not signed by a CA the browser knows ...
(32)
select "Accept this certificate permanently"
(33)
<OK>
Another dialog appears:
"You have requested an encrypted page. The website has
identified itself correctly, and information you see or
enter on this page can easily be read by a third party."
[...]
(34)
<OK>
(35)
Username: root
Password: himitsu
<Login>
(36)
<Never for this site> (decline the password manager's offer
to store the root password)
(37)
go to Webmin -> Webmin Users -> root
(38)
check "CipUX Administration Tool" in the Modules section
uncheck "Webmin-Ldap-User-Simple" (???)
(39)
press "save" button
3.4 Enter CAT
--------------
In webmin you have to go to
(40)
Webmin Index -> System -> CipUX Administration Tool
3.5 First steps
---------------
If you create a user for the first time, you will fail,
because some objects do not exist yet. So please create
the following objects first:
(A) create a new group/course (example: class84 ) with
the CAT module "groups"
(German: "Gruppen")
(B) create a private skel with "skeladmin"
(German: "Vorlage Verzeichnis (skel)")
After this you may add a new user with
"User Support Service" (German: Benutzerbetreuung)
State of affairs:
- Module useradmin (user support service):
  * create password: ok
  * create user: ok (but only ASCII characters)
- Module groupadmin (groups):
  see useradmin
- Module tutoradmin (tutoradmin):
  seemed to be o.k.
- Module internet:
  * out of order.
3.6 Further remarks:
- Samba: does not work any more!!!! (see 4.1)
- cipux_task_* : works only with ASCII characters
4 Additional system configuration
-----------------------------------
TODO: Configure quota, ACL, Samba
The additional system configuration is optional and does not
have to be done on every system.
4.1 Samba configuration
-----------------------
CipUX may be used in conjunction with samba. These steps make
CipUX respect the additional attributes Samba needs. Note that
this section does not cover specific samba problems.
This section should be applied before the creation of users,
groups or workstations.
* Enable Samba in CipUX
(1) edit /etc/cipux/cipux.conf
Change
Cipux_Use_Samba=no
to
Cipux_Use_Samba=yes
* Edit the samba configuration and check or change smb.conf.
(2) edit /etc/samba/smb.conf
Change
ldap machine suffix = ou=Machines,ou=People
to
ldap machine suffix = ou=Machines
(cipux_setup_ldap moved the machine accounts there in (27).)
On Sarge this should work:
passdb backend = ldapsam:ldaps://ldap
On Woody this may work (if you disabled encrypted connections):
passdb backend = ldapsam:ldap://ldap
ldap ssl = start_tls
Change the machine creation
add machine script = /etc/samba/smbaddclient.pl %u
to
add machine script = /usr/bin/cipux_add.pl -m --attribute uid='%u'
* You should add a group called 'machines' if 'id machines' fails.
(3) groupadd -g 600 machines
Note, that this group might go into LDAP in the future.
* (This is not tested, remarks welcome) Change pam_ldap.conf
This is only needed under the following condition:
Example: You create a new windows machine: ws24$
If the command id 'ws24$' does not result in a line like:
uid=10936(ws24$) gid=600(machines) groups=600(machines)
(the numbers may differ), solve the problem by editing
pam_ldap.conf so that the search base also covers ou=Machines,
which after (27) lies directly below the domain and no longer
under ou=People:
(4) edit /etc/pam_ldap.conf
Change
# The distinguished name of the search base.
# base dc=example,dc=net
base ou=People,dc=skole,dc=skolelinux,dc=no
to
# The distinguished name of the search base.
# base dc=example,dc=net
base dc=skole,dc=skolelinux,dc=no