CipUX 3.2.10 Installation Guide for Debian-Edu/Skolelinux
This is based on the CipUX 3.2.8 installation guide, which includes the work of many contributors.
Please leave the main document without wikification. It will go 1:1 outside this wiki (into CipUX packages and other places). So when doing changes it's a good idea to keep the style, too. Thanks!
CipUX 3.2.10 installation guide for Debian-Edu/Skolelinux 2.0

Original by Christian Külker 2006-07-01
License GPL

Revision 0.1 2006-07-01 by Christian Külker (first draft)
Revision 0.2 2006-07-09 by Christian Külker (add backports repository)
Revision 0.3 2006-07-12 by Christian Külker (quick installation section)
Revision 0.4 2006-08-09 by Georg Damm (correction of backup restore)
Revision 0.5 2006-09-12 by Georg Damm (additional configuration step for samba)
Revision 0.6 2006-10-14 by Georg Damm (correction of quota setup)

Contents:

1    Introduction
2    Installation of CipUX release
2.1  Prepare the CipUX package install process
2.2  Installing the CipUX framework packages
3    System configuration
3.1  Configure the LDAP Server
3.2  Configure SAMBA Server
3.2  Configure and set up the CipUX framework
3.3  Additional CipUX packages
3.4  The Webmin configuration
3.5  Final Setup with CAT
4    Additional system configuration
4.1  Quota configuration
4.2  CipUX Deploy configuration (>= 3.2.9)
4.3  CipUX XML-RPC server configuration (>= 3.2.10)
5.   Quick installation Examples
5.1  Step-through installation without Samba, with RPC

1 Introduction
----------------

This manual is for the installation of CipUX 3.2.10 on a freshly installed
Debian-edu/Skolelinux 2.0 with the main server profile and, optionally, the
additionally installed terminal server profile.

To install CipUX you will also need a working Internet connection!

*============================[ WARNING ]============================*
||                                                                 ||
|| WARNING: Do not use CipUX on a productive Debian-edu/Skolelinux ||
|| system, if you already have added users by means of WLUS        ||
|| (webmin-ldap-user-simple)!                                      ||
|| The installation will not delete your users, but this is not a  ||
|| migration manual and therefore the resulting LDAP database is   ||
|| going to be unusable for a productive environment.              ||
||                                                                 ||
*===================================================================*

Almost all(!)
steps in this installation manual have to be done on the machine which has
been installed with the main server profile! This machine identifies itself
by the name "tjener". The only(!) steps that may also be done by using
another machine are the few ones that are done by using a web-browser.

Conventions in this manual:

CTRL          press the control key
CTRL-c        press the control key, hold it down, and press the c key
$             you may execute this command as any user
#             you have to execute this command as root user
[01] .. [xx]  are command and output numbers and are used for references;
              they are not intended to be typed.
(01) .. (xx)  are also command and output numbers and are used for
              optional references.
<OK>          means pressing the button "OK".
vim           you may use your favorite editor here
User-hint     some untested advice from users

2 Installation of CipUX release
---------------------------------

2.1 Prepare the CipUX package install process
---------------------------------------------

Edit the file /etc/apt/sources.list and add the following lines:

[01] vim /etc/apt/sources.list
     deb http://debian.cipworx.org/ sid main contrib non-free
     deb http://backports.cipworx.org/ sid main contrib non-free
     deb http://ftp.debian.org/debian/ sarge main contrib non-free

Then switch off the proxy by typing:

[02] export http_proxy=""
     export ftp_proxy=""

2.2 Installing the CipUX framework packages
-------------------------------------------

Execute these commands as root:

[03] # aptitude update

On some systems it must be done twice. (Ask a Debian guru why!)

[04] # aptitude update
[05] # aptitude install cipux-common cipux-cibot

3 System configuration
-------------------------

3.1 Configure the LDAP server
-----------------------------

First of all we need a well configured LDAP server, and just to be safe we
make a backup.
Normally the LDAP server is started on a freshly installed system, so we
stop it with:

[08] # /etc/init.d/slapd stop

Then we make a temporary backup only for that server (if you want to
restore it, please have a look at footnote 01):

[09] If the backup directory does not exist, create it:
     # mkdir -p /skole/backup
     Then do the backup:
     # tar cvzf /skole/backup/tmp_backup_ldap.tar.gz /var/lib/ldap

Now we edit /etc/ldap/slapd.conf and add a new include line (at the END of
the other include lines):

*============================[ WARNING ]============================*
||                                                                 ||
|| WARNING: You might like CipUX so much that you probably put the ||
|| include in front of the other includes. Don't do that!          ||
|| You will get errors about the unknown attribute uid.            ||
||                                                                 ||
*===================================================================*

[10] # vim /etc/ldap/slapd.conf
     include /etc/ldap/schema/cipux.schema

Start the LDAP server again with:

[11] # /etc/init.d/slapd start

Check if the LDAP server starts (if you do not know how to do that, please
have a look at footnote 02).

3.2 Configure SAMBA Server
--------------------------

If you do not intend to use SAMBA, skip this section!

CipUX may be used in conjunction with SAMBA. These steps have to be carried
out so that CipUX respects the additional features for SAMBA. Note that
this section does not cover specific SAMBA problems.
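The include-order rule from the warning in section 3.1 is easy to get wrong and only shows up as "unknown attribute uid" errors when slapd starts. The following shell function is an added example, not part of this guide or of CipUX: it reads a slapd.conf and reports whether the cipux.schema include from step [10] is present and is the last include line. The function name is my own, and the configuration it is run on at the end is a constructed fragment, not the real /etc/ldap/slapd.conf.

```shell
#!/bin/sh
# Added example (not part of the CipUX guide): verify that the cipux.schema
# include from step [10] is present in slapd.conf and is the LAST include
# line, as the warning in section 3.1 requires. The function takes the path
# of the slapd.conf to inspect, so it can also be run against a copy.

# Exit status: 0 when the last "include" line is the cipux schema,
#              1 when the cipux include is missing,
#              2 when it is present but another include follows it.
check_cipux_include_order() {
    conf=$1
    # Schema paths of all include lines; comment lines never match because
    # the pattern anchors "include" at the start of the line.
    includes=$(grep -E '^[[:space:]]*include[[:space:]]' "$conf" \
               | awk '{print $2}' || true)
    case "$includes" in
        *cipux.schema*) ;;
        *) echo "$conf: cipux.schema is not included"; return 1 ;;
    esac
    last=$(printf '%s\n' "$includes" | tail -n 1)
    case "$last" in
        */cipux.schema) echo "$conf: ok, cipux.schema is the last include"; return 0 ;;
        *) echo "$conf: cipux.schema must come after $last"; return 2 ;;
    esac
}

# Demo on a constructed slapd.conf fragment (not the real file).
demo=$(mktemp)
printf 'include /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/cipux.schema\n' > "$demo"
check_cipux_include_order "$demo"
rm -f "$demo"
```

To check the live file after step [10], call `check_cipux_include_order /etc/ldap/slapd.conf` as root before starting slapd again in step [11].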
Edit the Samba configuration smb.conf so it matches exactly the following
parameters:

(01) # vim /etc/samba/smb.conf
     ldap machine suffix = ou=Machines
     passdb backend = ldapsam:ldaps://ldap
     add machine script = /usr/bin/cipux_task_create_machine %u

Change the following line in /etc/pam_ldap.conf:

(02) # vim /etc/pam_ldap.conf
     base dc=skole,dc=skolelinux,dc=no

Comment out the following line in /etc/libnss-ldap.conf:

(03) # vim /etc/libnss-ldap.conf
     nss_base_passwd ou=People,

Enable the SAMBA PDC machines in LDAP:

(04) # vim /etc/ldap/slapd.conf
     change all ou=Machines,ou=People, to ou=Machines

Restart the LDAP and the SAMBA server:

(05) # /etc/init.d/slapd stop
     # /etc/init.d/slapd start
     # /etc/init.d/samba stop
     # /etc/init.d/samba start

3.2 Configure and set up the CipUX framework
--------------------------------------------

This should be done by a Debian conform mechanism. Who would like to write
one?

First of all, we are on a Debian-edu/Skolelinux system, therefore we have
to tell this to the CipUX framework:

[12] # vim /etc/cipux/system.conf
     Customer = debian-edu

Then you have to grant CipUX access to the LDAP server. On Debian-edu the
already set root password is also the LDAP password (it is NOT a new
password!). So change himitsu to your root/LDAP password:

[13] # touch /etc/cipux/ldappassword.conf
     # chown root:root /etc/cipux/ldappassword.conf
     # chmod 600 /etc/cipux/ldappassword.conf
     # echo -n 'himitsu' > /etc/cipux/ldappassword.conf

(Use _your_ actual LDAP password instead of "himitsu"!)

(Using echo -n is only secure on new machines without users.
If you are updating your password, use an editor which does not write line
ends like CR or LF.)

     # chmod 400 /etc/cipux/ldappassword.conf

And only IF you also want to use Samba, change:

[14] # vim /etc/cipux/cipux.conf
     Cipux_Use_Samba=yes

After this we have to test the access to the LDAP server (paste this into
one command line with proper spacing):

[15] # /usr/bin/ldapsearch -x -p 389 -h localhost -ZZ \
       -y /etc/cipux/ldappassword.conf \
       -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
       -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL

If we see:

[16] ldap_bind: Invalid credentials (49)

the LDAP password was wrong. (Check the command line syntax and the
password you set in [13], and whether the LDAP password is shell safe.)

If we get:

[17] dn: uid=root,ou=People,dc=skole,dc=skolelinux,dc=no
     objectClass: sambaSamAccount
     objectClass: account
     uid: root
     sambaSID: S-1-5-21-2697446647-283449030-1896125139-1000

everything is OK. (The sambaSID may be different.)

Then we check some settings by:

[18] # cipux_maint_diagnostic debian-edu pre

Now we have to change the LDAP database by setting up the corresponding
CipUX structures. This is the most challenging task in the process and may
not be easily reversible! Therefore the backup. What will the script do?

- move ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no
  to ou=Machines,dc=skole,dc=skolelinux,dc=no
- add ou=CipUX,ou=People,dc=skole,dc=skolelinux,dc=no
- add some default objects: admin, and roles
- DELETE some other objects!!!

*============================[ WARNING ]============================*
||                                                                 ||
|| WARNING: This script is intended to run on a 'freshly'          ||
|| installed Debian-edu/Skolelinux release/ system                 ||
||                                                                 ||
*===================================================================*

Execute the following command:

[19] # cipux_setup_ldap

It will perform the work to change the LDAP database.

[19.1] # aptitude install cipux-cat-webmin

To test the installation run the diagnostic script.
[20] # cipux_maint_diagnostic debian-edu

It should only generate tests with the answer "OK".

3.3 Additional CipUX packages
-----------------------------

[01] ONLY if you want to install the deploy system, you have to do
     additionally:

[02] # aptitude install cipux-deploy

ONLY if you want to install the XML-RPC server, you have to do
additionally:

[03] # aptitude install cipux-rpc

3.4 The Webmin configuration
----------------------------

The final thing to do is to make the Webmin module CAT accessible for the
Webmin users root and pam. Here, a brief summary:

- change language for 'root' to English, German, or French
- change language for 'pam' to English, German, or French
- add CipUX Administration Tool to 'root'
- add CipUX Administration Tool to 'pam'
- remove 'Administrate users in ldap' (WLUS) for 'root'
- remove 'Administrate users in ldap' (WLUS) for 'pam'

If you want to use the application form feature:

- create Webmin user 'applicationform'
- add CipUX Administration Tool to 'applicationform'
- grant anonymous access for user 'applicationform' to the following URLs:
    /cat/applicationform.cgi
    /cat/images

Here are some details:

Start a browser (konqueror won't work!)

User-hint: Konqueror works using https://localhost:10000 or
https://10.0.2.2:10000; other local addresses are currently not in the
proxy exception list (should be changed to contain .intern.) and not
allowed in the proxy.

[21] $ mozilla-firefox

and switch off the proxy in the browser:

[22] Edit -> Preferences -> General -> Connection Settings ...
     -> "Direct connection to the Internet" -> <OK>

Enter the following URL (location, address) into the browser's location
bar:

[23] https://localhost:10000

A certificate dialog will pop up ...

[24] select "Accept this certificate permanently"
[25] <OK>

Another dialog appears: "You have requested an encrypted page. The website
has identified itself correctly, and information you see or enter on this
page can easily be read by a third party." [...]
[26] <OK>
[27] User name: root
     Password: himitsu
     <Login>
     (use _your_ root password instead of "himitsu"!)
[28] <never for this site>
[29] go to Webmin -> Webmin Users -> root
[30] select System -> CipUX Administration Tool
[31] press "save" button
[32] If you want the feature that every user can change his/her password,
     you should give the Webmin user "pam" the "CipUX Administration
     Tool", as with user root before.
[33] If you want to use the application form module inside your
     institution without password (it doesn't make sense with a password)
     you have to do the following:
     * create a Webmin user 'applicationform' and check the box
       "CipUX Administration Tool"
     * go back to the Webmin index
     * go to Webmin configuration
     * go to Anonymous Module Access and grant anonymous access to the
       following URLs for the Webmin user applicationform:

       URL Path                  | Webmin User
       --------------------------+----------------------
       /cat/applicationform.cgi  | applicationform
       /cat/images               | applicationform

3.5 Final Setup with CAT
------------------------

Log into Webmin as root or cipadmin (same password). In Webmin you have to
go to Webmin Index -> System -> CipUX Administration Tool.

When you log in to CAT for the first time only the setup module
(setup.cgi) is available. You may use this as root or cipadmin. Follow the
setup questions. After finishing the setup other modules will become
available depending on the setup.

4 Additional system configuration
-----------------------------------

The additional system configuration is optional and does not have to be
done on every system.

4.1 Quota configuration
-----------------------

CipUX can be used with user quota. To enable quota you must have a
quota-enabled kernel and a quota-capable file system on the users' home
directory.
Example: setting up quota on ext3.

Install quota:

     # apt-get install quota

Use quota on home0:

     # vi /etc/fstab

and change

     /dev/vg_data/lv_home0 /skole/tjener/home0 ext3 defaults 0 2

to

     /dev/vg_data/lv_home0 /skole/tjener/home0 ext3 defaults,usrquota,grpquota 0 2

Create the quota files:

     # touch /skole/tjener/home0/aquota.user
     # touch /skole/tjener/home0/aquota.group
     # chmod 600 /skole/tjener/home0/aquota.*

Remount home0 so that the changes take effect:

     # mount -o remount /skole/tjener/home0/

Check the quota:

     # quotacheck -avugm

Turn on quota:

     # quotaon -avug

Activate quotas in CipUX by changing the following lines:

     # vim /etc/cipux/cipux.conf
     CipUX_Quota=1
     Cipux_Quota_Filesystem=/skole/tjener/home0

4.2 CipUX Deploy configuration (after 3.2.9)
---------------------------------------------

The CipUX deploy module is not part of 3.2.8.

Install tftpd-hpa:

     # apt-get install tftpd-hpa

Ignore the error message during install, because we run tftpd stand-alone,
not with inetd.

Edit the file:

     # vim /etc/default/tftpd-hpa
     #Defaults for tftpd-hpa
     RUN_DAEMON="yes"
     #OPTIONS="-l -s /var/lib/tftpboot"
     OPTIONS=" -l -v -v -v -c -p -U 007 -u cipux -a 192.168.0.254 -s /var/lib/tftpboot "

     # id cipux

If the user does not exist, create it now:

     # groupadd -g 200 cipux
     # useradd -u 200 -g 200 -d /var/lib/tftpboot -s /bin/false cipux
     # chown cipux /var/lib/tftpboot/cipux
     # chown cipux /var/lib/tftpboot/cipux/conf
     # chown cipux /var/lib/tftpboot/cipux/script
     # /etc/init.d/inetd stop
     # /etc/init.d/tftpd-hpa start

* remove inetd from the default run level
* add tftpd-hpa to the default run level

4.3 CipUX XML-RPC server configuration (>= 3.2.10)
--------------------------------------------------

You only need the CipUX XML-RPC server if you are using the CipUX Moodle
plugins.

(1) Installation:

     # aptitude install cipux-rpc

(2) Running the server:

     # /etc/init.d/cipuxrpcd start

(3) Stopping the server:

     # /etc/init.d/cipuxrpcd stop

5. Quick installation Examples
-------------------------------

5.1 Step-through installation without Samba, with RPC
----------------------------------------------------

[01] # vim /etc/apt/sources.list
     deb http://debian.cipworx.org/ sid main contrib non-free
     deb http://backports.cipworx.org/ sid main contrib non-free
     deb http://ftp.debian.org/debian/ sarge main contrib non-free

[02] # export http_proxy="";export ftp_proxy=""
     # aptitude update; aptitude update
     # aptitude install cipux-common cipux-cibot
     # aptitude install cipux-cat-webmin
     # /etc/init.d/slapd stop

[03] # vim /etc/ldap/slapd.conf
     include /etc/ldap/schema/cipux.schema

[04] # /etc/init.d/slapd start
     # echo "Customer = debian-edu" > /etc/cipux/system.conf
     # touch /etc/cipux/ldappassword.conf
     # chown root:root /etc/cipux/ldappassword.conf
     # chmod 600 /etc/cipux/ldappassword.conf
     # echo -n 'himitsu' > /etc/cipux/ldappassword.conf
     # chmod 400 /etc/cipux/ldappassword.conf
     # cipux_maint_diagnostic debian-edu pre
     # cipux_setup_ldap debian-edu
     # cipux_maint_diagnostic debian-edu
     # aptitude install cipux-rpc

==================================

(footnote 01): Backup Restore (Only if you need it!)

+------------------------------------------------------------------+
| If you want to restore your LDAP data later, you may write the   |
| backup back (when the LDAP server is NOT running!) with:         |
|                                                                  |
| (18)                                                             |
| # /etc/init.d/slapd stop                                         |
| # rm -r /var/lib/ldap                                            |
| # cd /                                                           |
| # tar xvfz /skole/backup/tmp_backup_ldap.tar.gz                  |
| # /etc/init.d/slapd start                                        |
+------------------------------------------------------------------+

(footnote 02): How to check if the LDAP server is running?

     # ps ax | grep slapd | grep -v grep

This should produce output like:

     2890 ?        Ss     0:00 /usr/sbin/slapd -h ldap:/// ldaps:///

This means the LDAP server is running.
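The password file written in step [13] (and again in the quick installation 5.1) and the Customer line from step [12] are the two settings in this setup that are easiest to get subtly wrong: a trailing newline from a plain echo becomes part of the LDAP bind password and produces the "Invalid credentials (49)" result of step [16], and a loose file mode exposes the LDAP admin password to every local user. The following script is an added example, not part of this guide or of CipUX: it writes the password file the way the guide describes and then verifies mode, content and the Customer setting. The function names are my own, the demo at the end runs on a constructed temporary file, and the /etc/cipux paths mentioned are the guide's.

```shell
#!/bin/sh
# Added example (not part of the CipUX guide): write the LDAP bind-password
# file as sections 3.2 / 5.1 describe (root-only, no trailing newline) and
# verify it, plus the "Customer = debian-edu" line of system.conf.
# All functions take file paths so they can be exercised on copies.

# Write password $2 to file $1 without a trailing newline. The file is never
# group/other readable, not even between creation and the final chmod.
write_ldap_password_file() {
    file=$1
    password=$2
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && printf '%s' "$password" > "$file" )
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$file"    # as in step [13]; only possible as root
    fi
    chmod 400 "$file"
}

# Return 0 only if the password file is mode 400, non-empty and does not end
# in CR or LF (a trailing line end would become part of the bind password).
check_ldap_password_file() {
    file=$1
    mode=$(stat -c '%a' "$file")
    [ "$mode" = "400" ] || { echo "$file: mode is $mode, expected 400"; return 1; }
    [ -s "$file" ]      || { echo "$file: empty password file"; return 1; }
    # od -c prints the last byte symbolically, e.g. "\n" for a newline.
    last=$(tail -c 1 "$file" | od -An -c | tr -d ' ')
    case "$last" in
        '\n'|'\r') echo "$file: trailing line end in password"; return 1 ;;
    esac
    echo "$file: ok"
}

# Return 0 if system.conf ($1) carries exactly the setting from step [12];
# whitespace around '=' is tolerated, other Customer values are rejected.
check_customer() {
    grep -Eq '^[[:space:]]*Customer[[:space:]]*=[[:space:]]*debian-edu[[:space:]]*$' "$1"
}

# Demo on a constructed temporary file (not the real /etc/cipux files),
# using the guide's placeholder password.
demo=$(mktemp)
write_ldap_password_file "$demo" 'himitsu'
check_ldap_password_file "$demo"
rm -f "$demo"
```

On the real system the checks are `check_ldap_password_file /etc/cipux/ldappassword.conf` and `check_customer /etc/cipux/system.conf`, run as root before the ldapsearch test in step [15].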