All content in this wiki is licensed under the GPL.
CipUX 3.2.10 Installation Guide for Debian-Edu/Skolelinux

This is based on the CipUX 3.2.8 installation guide, which includes the work of many contributors:

  • Patrick Willam (several checks, "wording", aptitude, backup, minor enhancements)
  • Ludger Sicking (typo)
  • Radi Wieloch (errors, numbers, orthography, grammar)
  • Ralf Gesellensetter (warning)
  • Michael Stamm (LDAP schema include place)
  • Jürgen Leibner (correct /etc/pam_ldap.conf)
  • Georg Damm (hints to change WLUS-users to CipUX-users)
  • Christian Gatzemeier (div. corrections and alternatives)
  • Martin Herweg (install on pr06,image-deploy for fat clients)
  • Christian Külker (first draft)
Note:

    Please leave the main document without wikification. It will go 1:1 outside this wiki (into CipUX packages and other places). So when making changes it's a good idea to keep the style, too. Thanks!


                       CipUX 3.2.10 installation guide
                       for Debian-Edu/Skolelinux 2.0
    
    
                             Original by
                          Christian Külker
                             2006-07-01
    
    
                            License GPL
    
    Revision 0.1 2006-07-01 by Christian Külker     (first draft)
    Revision 0.2 2006-07-09 by Christian Külker     (add backports repository)
    Revision 0.3 2006-07-12 by Christian Külker     (quick installation section)
    Revision 0.4 2006-08-09 by Georg Damm           (correction of backup restore)
    Revision 0.5 2006-09-12 by Georg Damm           (additional configuration step for samba)
    Revision 0.6 2006-10-14 by Georg Damm           (correction of quota setup)
    
    Contents:
    1   Introduction
    
    2   Installation of CipUX release
    2.1 Prepare the CipUX package install process
    2.2 Installing the CipUX framework packages
    
    3   System configuration
    3.1 Configure the LDAP Server
    3.2 Configure SAMBA Server
    3.2 Configure and set up the CipUX framework
    3.3 Additional CipUX packages
    3.4 The Webmin configuration
    3.5 Final Setup with CAT
    
    4   Additional system configuration
    4.1 Quota configuration
    4.2 CipUX Deploy configuration (>= 3.2.9)
    4.3 CipUX XML-RPC server configuration (>= 3.2.10)
    
    5.  Quick installation Examples
    5.1 Step-through installation without Samba, with RPC
    
    1   Introduction
    ----------------
    
        This manual is for the installation of CipUX 3.2.10 on a freshly
        installed Debian-edu/Skolelinux 2.0 with the main server profile
        and, optionally, an additionally installed terminal server profile.
      
        To install CipUX you will also need a working Internet connection!
    
        *============================[ WARNING ]============================*
        ||                                                                 ||
        || WARNING: Do not use CipUX on a production Debian-edu/Skolelinux ||
        || system, if you already have added users by means of WLUS        ||
        || (webmin-ldap-user-simple)!                                      ||
        || The installation will not delete your users, but this is not a  ||
        || migration manual and therefore the resulting LDAP database is   ||
        || going to be unusable for a production environment.              ||
        ||                                                                 ||
        *===================================================================*
    
        Almost all(!) steps in this installation manual have to be done on
        the machine which has been installed with the main server profile!
        This machine identifies itself by the name "tjener".
    
        The only(!) steps that may also be done by using another machine
        are the few ones that are done by using a web-browser.
    
        Conventions in this manual:
    
        CTRL         press the control key
        CTRL-c       press the control key, hold it down, and press the c key
    
        $            you may execute this command as any user
        #            you have to execute this command as root user
    
        [01] .. [xx] are command and output numbers and are used for
                     references; they are not intended to be typed.
        (01) .. (xx) are also command and output numbers and are used
                     for optional references.

        <OK>         means pressing the button "OK".

        vim          you may use your favorite editor here
    
        User-hint    some untested advice from users
    
    2   Installation of CipUX release
    ---------------------------------
    
    2.1 Prepare the CipUX package install process
    ---------------------------------------------
    
       Edit the file /etc/apt/sources.list and add the following lines:
       [01]
       # vim /etc/apt/sources.list
         deb     http://debian.cipworx.org/ sid main contrib non-free
         deb     http://backports.cipworx.org/ sid main contrib non-free
         deb     http://ftp.debian.org/debian/ sarge main contrib non-free

       Then switch off the proxy by typing
       [02]
       # export http_proxy=""
       # export ftp_proxy=""
    
    2.2 Installing the CipUX framework packages
    -------------------------------------------
    
       Execute these commands as root:
       [03]
       # aptitude update
    
       On some systems it must be done twice. (Ask a Debian guru why!)
       [04]
       # aptitude update
    
       [05]
       # aptitude install cipux-common cipux-cibot
    
    
    3   System configuration
    -------------------------
    
    3.1 Configure the LDAP server
    -----------------------------
    
        First of all we need a well-configured LDAP server and, just
        to be safe, a backup.

        Normally the LDAP server is already running on a freshly installed
        system, so we stop it with:
        [08]
        # /etc/init.d/slapd stop

        Then we make a temporary backup only for that server
        (if you want to restore it, please have a look at footnote 01):
        [09]
        If the backup directory does not exist, create it:
         # mkdir -p /skole/backup
        Then do the backup:
         # tar cvzf /skole/backup/tmp_backup_ldap.tar.gz /var/lib/ldap
    
        Now we edit /etc/ldap/slapd.conf and add a new include line
        (at the END of the other include lines):
    
        *============================[ WARNING ]============================*
        ||                                                                 ||
        || WARNING: You might like CipUX so much that you probably put the ||
        || include in front of the other includes. Don't do that!          ||
        || You will get errors about the unknown attribute uid.            ||
        ||                                                                 ||
        *===================================================================*
    
        [10]
        # vim /etc/ldap/slapd.conf
        include /etc/ldap/schema/cipux.schema
    
        Start the LDAP server again with:
        [11]
        # /etc/init.d/slapd start
    
        Check if the LDAP server starts (if you do not know how to do
        that, please have a look at footnote 02).
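
        The include order required by the warning before [10] can be
        checked before slapd is started in [11]. This is an added example,
        not part of CipUX or of the original guide; check_schema_include
        and sample_slapd_conf are hypothetical helper names, and the
        sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not part of CipUX or of the original guide.
# check_schema_include and sample_slapd_conf are hypothetical helper names.

# Usage: check_schema_include [slapd.conf] [schema file]
# Succeeds only if the schema is included exactly once and after every
# other include line. Commented-out lines are ignored.
check_schema_include() {
    conf=${1:-/etc/ldap/slapd.conf}
    schema=${2:-/etc/ldap/schema/cipux.schema}
    awk -v want="$schema" '
        tolower($1) == "include" {
            total++
            if ($2 == want) { hits++; pos = total; line = NR }
            else            { other = $2; other_line = NR }
        }
        END {
            if (hits == 0) { print "FAIL: no include line for " want; exit 1 }
            if (hits > 1)  { print "FAIL: " want " included " hits " times"; exit 1 }
            if (pos != total) {
                msg = "FAIL: line " line " includes " want
                print msg " before " other " (line " other_line ")"
                exit 1
            }
            print "OK: " want " is the last of " total " include lines"
        }' "$conf"
}

# Constructed sample input: the include block of a slapd.conf with the
# CipUX schema placed first, which is the mistake the warning describes.
sample_slapd_conf() {
    cat <<'EOF'
include /etc/ldap/schema/cipux.schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
EOF
}
```

        Called without arguments, check_schema_include reads
        /etc/ldap/slapd.conf and looks for /etc/ldap/schema/cipux.schema.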
    
    3.2 Configure SAMBA Server
    --------------------------
    
      If you do not intend to use SAMBA, skip this section!
    
      CipUX may be used in conjunction with SAMBA. Follow these steps
      to make CipUX respect the additional features for
      SAMBA. Note that this section does not cover specific SAMBA problems.
    
      Edit the Samba configuration smb.conf so it matches exactly the
      following parameters:
      (01) 
      # vim /etc/samba/smb.conf
       
         ldap machine suffix = ou=Machines
       
         passdb backend = ldapsam:ldaps://ldap
     
         add machine script = /usr/bin/cipux_task_create_machine %u
    
      Change the following line in /etc/pam_ldap.conf
      (02)
      # vim /etc/pam_ldap.conf
    
         base dc=skole,dc=skolelinux,dc=no
    
      Comment out the following line in /etc/libnss-ldap.conf
      (03)
      # vim /etc/libnss-ldap.conf
    
         nss_base_passwd ou=People,
    
      Enable the SAMBA PDC machines in LDAP  
      (04)
      # vim /etc/ldap/slapd.conf
    
        change all
          ou=Machines,ou=People,
        to
          ou=Machines,
    
      Restart the LDAP and the SAMBA server
      (05) 
      # /etc/init.d/slapd stop
      # /etc/init.d/slapd start
      # /etc/init.d/samba stop
      # /etc/init.d/samba start
    
    3.2 Configure and set up the CipUX framework
    --------------------------------------------
    
        This should be done by a Debian-conforming mechanism. Who would like
        to write one?
    
        First of all we are on a Debian-edu/Skolelinux system,
        therefore we have to tell this to the CipUX framework.
    
        [12]
        # vim /etc/cipux/system.conf
        Customer = debian-edu
    
        Then you have to grant CipUX access to the LDAP server.
        On Debian-edu the already set root password is also the LDAP
        password. (It's NOT a new password!) So change himitsu to your
        root/LDAP password.

        [13]
        # touch /etc/cipux/ldappassword.conf
        # chown root:root /etc/cipux/ldappassword.conf
        # chmod 600 /etc/cipux/ldappassword.conf
        # echo -n 'himitsu' > /etc/cipux/ldappassword.conf

        (Use _your_ actual LDAP password instead of "himitsu"!)
        (Using echo -n is only secure on new machines without users.
        If you're updating your password, use an editor which does not
        write line endings such as CR or LF.)

        # chmod 400 /etc/cipux/ldappassword.conf
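
        An alternative to the echo command in [13], as an added example
        that is not part of CipUX or of the original guide (write_secret
        and check_secret are hypothetical helper names). It reads the
        password from standard input, so it never appears in the shell
        history, and stores it without a line ending: ldapsearch -y uses
        the complete file contents as the password, so a trailing LF or CR
        leads to "Invalid credentials (49)".

```shell
#!/bin/sh
# Added example, not part of CipUX or of the original guide.
# write_secret and check_secret are hypothetical helper names.
# Usage: write_secret /etc/cipux/ldappassword.conf &&
#        check_secret /etc/cipux/ldappassword.conf

# write_secret FILE: read one line from stdin and store it in FILE
# without any line ending, readable by the owner only.
write_secret() {
    file=$1
    if [ -t 0 ]; then                     # interactive: prompt without echo
        printf 'LDAP password: ' >&2
        stty -echo
    fi
    IFS= read -r secret || :              # EOF without newline still fills it
    if [ -t 0 ]; then stty echo; echo >&2; fi
    secret=${secret%"$(printf '\r')"}     # drop a CR from DOS-style input
    [ -n "$secret" ] || { echo "empty password, nothing written" >&2; return 1; }
    # mktemp creates the file with mode 0600, so the password is never
    # readable by other users; mv then replaces the target in one step.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if printf '%s' "$secret" > "$tmp" && chmod 400 "$tmp" &&
       mv -f "$tmp" "$file"; then
        rc=0
    else
        rm -f "$tmp"
        rc=1
    fi
    unset secret
    return "$rc"
}

# check_secret FILE: fail if FILE is missing, empty, accessible by group
# or others, or ends with LF or CR.
check_secret() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    # characters 5-10 of the ls mode string are the group/other bits
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: accessible by group or others" >&2
        rc=1
    fi
    # last byte as hex: 0a = LF, 0d = CR, nothing = empty file
    case $(tail -c 1 "$file" | od -An -tx1 | tr -d ' \n') in
        0a|0d) echo "$file: ends with a line ending" >&2; rc=1 ;;
        '')    echo "$file: empty" >&2; rc=1 ;;
    esac
    return "$rc"
}
```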
    
        And only IF you also want to use Samba change:
        [14]
        # vim /etc/cipux/cipux.conf
        Cipux_Use_Samba=yes
    
        After this we have to test the access to the LDAP server:
        (paste this into one command line with proper spacing)
    
        [15]
        # /usr/bin/ldapsearch -x -p 389 -h localhost -ZZ -y /etc/cipux/ldappassword.conf -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL
    
        If we see:
        [16]
        ldap_bind: Invalid credentials (49)

        the LDAP password was wrong.

        (Check the command line syntax, the password you set in [13],
        and whether the LDAP password is shell safe.)
    
        If we get:
        [17]
        dn: uid=root,ou=People,dc=skole,dc=skolelinux,dc=no
        objectClass: sambaSamAccount
        objectClass: account
        uid: root
        sambaSID: S-1-5-21-2697446647-283449030-1896125139-1000
    
        everything is OK. (The sambaSID may be different.)
    
        Then we check some settings by
    
        [18]
        # cipux_maint_diagnostic debian-edu pre
    
        Now we have to change the LDAP database by setting up the
        corresponding CipUX structures. This is the most challenging task
        in the process and may not be easily reversible!
        Hence the backup.

        What will the script do?
         - move ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no
           to ou=Machines,dc=skole,dc=skolelinux,dc=no
         - add ou=CipUX,ou=People,dc=skole,dc=skolelinux,dc=no
         - add some default objects: admin, and roles
         - DELETE some other objects!!!
    
        *============================[ WARNING ]============================*
        ||                                                                 ||
        || WARNING: This script is intended to run on a 'freshly'          ||
        ||          installed Debian-edu/Skolelinux release/ system        ||          
        ||                                                                 ||
        *===================================================================*
    
        Execute the following command:
    
        [19]
        # cipux_setup_ldap
    
        It will perform the work to change the ldap database.
    
        [19.1]
        # aptitude install cipux-cat-webmin
    
        To test the installation run the diagnostic script.
    
        [20]
        # cipux_maint_diagnostic debian-edu
    
        It should only generate tests with answers "OK".
    
    
    3.3 Additional CipUX packages
    -----------------------------
       [01]
    
       ONLY if you want to install the deploy system, you have to do 
       additionally:
       [02]
       # aptitude install cipux-deploy
    
       ONLY if you want to install the XML-RPC server, you have to do
       additionally:
       [03]
       # aptitude install cipux-rpc
    
    3.4 The Webmin configuration
    ----------------------------
    
        The final thing to do is to make the Webmin module CAT
        accessible for the Webmin users root and pam.

        Here is a brief summary:

        - change language for 'root' to English, German, or French
        - change language for 'pam' to English, German, or French
        - add CipUX Administration Tool to 'root'
        - add CipUX Administration Tool to 'pam'
        - remove 'Administrate users in ldap' (WLUS) for 'root'
        - remove 'Administrate users in ldap' (WLUS) for 'pam'

        If you want to use the application form feature:
        - create Webmin user 'applicationform'
        - add CipUX Administration Tool to 'applicationform'
        - grant anonymous access for user 'applicationform'
          to the following URLs:
          /cat/applicationform.cgi
          /cat/images
    
        Here are some details:   
    
        Start a browser (konqueror won't work!)
    
        User-hint: Konqueror works using https://localhost:10000 or 
                   https://10.0.2.2:10000, other local addresses are 
                   currently not in the proxy exception list (should 
                   be changed to contain .intern.) and not allowed 
                   in the proxy.
    
        [21]
        $ mozilla-firefox
    
        and switch off the proxy in the browser.
        [22]
        Edit -> Preferences -> General -> Connection Settings ...
          -> "Direct connection to the Internet"-> <OK>
    
        Enter the following URL (location, address) into the
        browser's location bar:
        [23]
        https://localhost:10000
    
        A certification dialog will pop up ...
        [24]
        select "Accept this certificate permanently"
    
        [25]
        <OK>
    
        Another dialog appears:
        "You have requested an encrypted page. The website has
         identified itself correctly, and information you see or
         enter on this page can't easily be read by a third party."
         [...]
    
        [26]
        <OK>
    
        [27]
        User name: root
        Password: himitsu
        <Login>
    
        (use _your_ root password instead of "himitsu"!)
    
        [28]
        <never for this site>
    
        [29]
        go to Webmin -> Webmin Users -> root
    
        [30]
        select System -> CipUX Administration Tool
    
        [31]
        press "save" button
    
        [32]
        If you want every user to be able to change his/her password,
        give the Webmin user "pam" the "CipUX Administration Tool",
        as with user root before.

        [33]
        If you want to use the application form module inside
        your institution without a password (it doesn't make sense with
        a password), you have to do the following:

        * create a Webmin user 'applicationform' and
          check the box "CipUX Administration Tool"

        * go back to the Webmin index

        * go to Webmin configuration

        * go to Anonymous Module Access and grant anonymous access
          to the following URL paths for the Webmin user applicationform:

         URL Path                  | Webmin User
         --------------------------+----------------------
         /cat/applicationform.cgi  | applicationform
         /cat/images               | applicationform
    
    
    3.5 Final Setup with CAT
    ------------------------
    
        Log into Webmin as root or cipadmin (same password)
    
        In Webmin you have to go to
    
        Webmin Index -> System -> CipUX Administration Tool
    
        When you log in to CAT for the first time only the setup
        module (setup.cgi) is available. You may use this as root
        or cipadmin.
    
        Follow the setup questions. After finishing the setup
        other modules will become available depending on the setup.
    
    4   Additional system configuration
    -----------------------------------
    
        The additional system configuration is optional and doesn't have
        to be done on every system.

    4.1 Quota configuration
    -----------------------

        CipUX can be used with user quotas. To enable quotas you must have a
        quota-enabled kernel and a quota-capable file system for the users'
        home directories.

        Example of setting up quota on ext3:
    
        Install quota:
        # apt-get install quota
    
        Use quota on home0:
        # vi /etc/fstab
        and change
        /dev/vg_data/lv_home0   /skole/tjener/home0     ext3      defaults 0 2
        to
        /dev/vg_data/lv_home0   /skole/tjener/home0     ext3      defaults,usrquota,grpquota 0 2
    
        Create the quota-files: 
        # touch /skole/tjener/home0/aquota.user
        # touch /skole/tjener/home0/aquota.group
        # chmod 600 /skole/tjener/home0/aquota.*
    
        Remount home0 so that the changes take effect:
        # mount -o remount /skole/tjener/home0/
    
        Check the quota:
        # quotacheck -avugm
    
        Turn on quota:
        # quotaon -avug
    
        Activate quotas in CipUX by changing the following lines
        # vim /etc/cipux/cipux.conf
        CipUX_Quota=1
        Cipux_Quota_Filesystem=/skole/tjener/home0
    
    
    4.2 CipUX Deploy configuration (after 3.2.9)
    ---------------------------------------------
    
        The CipUX deploy module is not part of 3.2.8.
    
        Install tftpd-hpa:

        # apt-get install tftpd-hpa

        Ignore the error message during install, because we run tftpd standalone,
        not with inetd.

        Edit the file:

        # vim /etc/default/tftpd-hpa

           #Defaults for tftpd-hpa
           RUN_DAEMON="yes"
           #OPTIONS="-l -s /var/lib/tftpboot"
           OPTIONS=" -l -v -v -v -c -p -U 007 -u cipux -a 192.168.0.254 -s /var/lib/tftpboot "

        Check whether the user cipux exists:

        # id cipux

        If the user does not exist, create it now:
    
        # groupadd -g 200 cipux
        # useradd -u 200 -g 200 -d /var/lib/tftpboot -s /bin/false cipux
    
        # chown cipux /var/lib/tftpboot/cipux
        # chown cipux /var/lib/tftpboot/cipux/conf
        # chown cipux /var/lib/tftpboot/cipux/script
        # /etc/init.d/inetd stop
        # /etc/init.d/tftpd-hpa start
    
         * remove inetd from the default run level
         * add tftpd-hpa to default run level
    
    
    4.3 CipUX XML-RPC server configuration (>= 3.2.10)
    --------------------------------------------------
    
        You only need the CipUX XML-RPC server if you are using the CipUX 
        Moodle plugins.
    
        (1) Installation:
    
          # aptitude install cipux-rpc
    
        (2) Running the server
    
          # /etc/init.d/cipuxrpcd start
    
        (3) Stopping the server
    
          # /etc/init.d/cipuxrpcd stop
    
    5.  Quick installation Examples
    -------------------------------
    
    5.1 Step-through installation without Samba, with RPC
    ----------------------------------------------------
    [01]
      # vim /etc/apt/sources.list
         deb     http://debian.cipworx.org/ sid main contrib non-free
         deb     http://backports.cipworx.org/ sid main contrib non-free
         deb     http://ftp.debian.org/debian/ sarge main contrib non-free
    [02]
      # export http_proxy="";export ftp_proxy=""
      # aptitude update; aptitude update
      # aptitude install cipux-common cipux-cibot
      # aptitude install cipux-cat-webmin
      # /etc/init.d/slapd stop
    [03]
      # vim /etc/ldap/slapd.conf
        include /etc/ldap/schema/cipux.schema
    [04]
      # /etc/init.d/slapd start
      # echo "Customer = debian-edu" > /etc/cipux/system.conf
      # touch /etc/cipux/ldappassword.conf
      # chown root:root /etc/cipux/ldappassword.conf
      # chmod 600 /etc/cipux/ldappassword.conf
      # echo -n 'himitsu' > /etc/cipux/ldappassword.conf
      # chmod 400 /etc/cipux/ldappassword.conf
      # cipux_maint_diagnostic debian-edu pre
      # cipux_setup_ldap debian-edu
      # cipux_maint_diagnostic debian-edu
      # aptitude install cipux-rpc
    
    ==================================
    (footnote 01):
        Backup Restore (Only if you need it!)
        +------------------------------------------------------------------+
        |  If you want to restore your LDAP data later, you may write the  |
        |  backup back (when the LDAP server is NOT running!) with:        |
        |                                                                  |
        |  (18)                                                            |
        |  # /etc/init.d/slapd stop                                        |
        |  # rm -r /var/lib/ldap                                           |
        |  # cd /                                                          |
        |  # tar xvfz /skole/backup/tmp_backup_ldap.tar.gz                 |
        |  # /etc/init.d/slapd start                                       |
        +------------------------------------------------------------------+
    
    (footnote 02):
        How to check if the LDAP server is running?
    
        #  ps ax | grep slapd | grep -v grep
    
        This should produce output like:
    
        2890 ?        Ss     0:00 /usr/sbin/slapd -h ldap:/// ldaps:///
    
        This means the LDAP server is running.
    
    

    CipUX/Archive/en/Installation/3.2.10 (last edited 2008-02-14 10:06:00 by ChristianKuelker)