CipUX 3.2.9 Installation Guide for Debian-Edu/Skolelinux

This is based on the CipUX 3.2.8 installation guide, which includes the work of many contributors.

Please leave the main document without wikification. It will go 1:1 outside this wiki (into CipUX packages and other places), so when making changes it is a good idea to keep the style, too. Thanks!
CipUX 3.2.9 installation guide for Debian-Edu/Skolelinux 2.0

Original by Christian Külker 2006-05-13
License: GPL

Revision 0.1 2006-05-13 by Christian Külker (first draft)
Revision 0.2 2006-06-05 by Christian Külker (add backupdir, security hints)
Revision 0.3

Contents:

1 Introduction
2 Installation of CipUX release
2.1 Prepare the CipUX package install process
2.2 Installing the CipUX framework packages
3 System configuration
3.1 Configure the LDAP Server
3.2 Configure SAMBA Server
3.2 Configure and set up the CipUX framework
3.3 The Webmin configuration
3.4 Final Setup with CAT
4 Additional system configuration
4.1 Quota configuration
4.2 CipUX Deploy configuration (>= 3.2.9)

1 Introduction
----------------

This manual is for the installation of CipUX 3.2.9 on a freshly installed Debian-edu/Skolelinux 2.0 with the main server profile and possibly the additionally installed terminal server profile. To install CipUX you will also need a working internet connection!

*============================[ WARNING ]============================*
||                                                                 ||
|| WARNING: Do not use CipUX on a productive Debian-edu/Skolelinux ||
|| system if you already have added users by means of WLUS         ||
|| (webmin-ldap-user-simple)!                                      ||
|| The installation will not delete your users, but this is not a  ||
|| migration manual and therefore the resulting LDAP database is   ||
|| going to be unusable for a productive environment.              ||
||                                                                 ||
*===================================================================*

Almost all(!) steps in this installation manual have to be done on the machine which has been installed with the main server profile. This machine identifies itself by the name "tjener". The only(!) steps that may also be done by using another machine are the few that are done by using a web browser.
Conventions in this manual:

  CTRL          press the control key
  CTRL-c        press the control key, hold it, and press the c key
  $             you may execute this command as any user
  #             you have to execute this command as root user
  [01] .. [xx]  are command and output numbers and are used for
                references; they are not intended to be typed.
  (01) .. (xx)  are also command and output numbers and are used for
                optional references.
  <OK>          means pressing the button "OK".
  vim           you may use your favorite editor here
  User-hint     some untested advice from users

2 Installation of CipUX release
---------------------------------

2.1 Prepare the CipUX package install process
---------------------------------------------

Edit the file /etc/apt/sources.list and add the following lines:

[01]
vim /etc/apt/sources.list
deb http://debian.cipworx.org/ sid main contrib non-free
deb http://ftp.debian.org/debian/ sarge main contrib non-free

Then switch off the proxy by typing:

[02]
export http_proxy=""
export ftp_proxy=""

2.2 Installing the CipUX framework packages
-------------------------------------------

Execute these commands as root:

[03]
# aptitude update

On some systems it must be done twice. (Ask a Debian guru why!)

[04]
# aptitude update

[05]
# aptitude install cipux-common cipux-cibot cipux-cat-webmin

ONLY if you want to install the deploy system you additionally have to do:

[06]
# aptitude install cipux-deploy

3 System configuration
-------------------------

3.1 Configure the LDAP server
-----------------------------

First of all we need a well configured LDAP server and, just to be safe, a backup.
Normally the LDAP server is started on a freshly installed system, so we stop it with:

[06]
# /etc/init.d/slapd stop

Then we make a temporary backup only for that server (if you want to restore it, please have a look at footnote 01):

[07]
If the backup directory does not exist, create it:
# mkdir -p /skole/backup
Then do the backup:
# tar cvjf /skole/backup/tmp_backup_ldap.tar.bz2 /var/lib/ldap

Now we edit /etc/ldap/slapd.conf and add a new include line (at the END of the other include lines):

*============================[ WARNING ]============================*
||                                                                 ||
|| WARNING: You might like CipUX so much that you probably put the ||
|| include in front of the other includes. But: don't do that!     ||
|| You will get errors about the unknown attribute uid.            ||
||                                                                 ||
*===================================================================*

[08]
# vim /etc/ldap/slapd.conf
include /etc/ldap/schema/cipux.schema

We start the LDAP server again with:

[09]
# /etc/init.d/slapd start

And we check whether the LDAP server has started. (If you do not know how to do that, please have a look at footnote 02.)

3.2 Configure SAMBA Server
--------------------------

If you do not intend to use SAMBA you should skip this section!

CipUX may be used in conjunction with SAMBA. These steps should be carried out to make CipUX respect the additional features for SAMBA. Note that this section does not cover specific SAMBA problems.
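Since section 3.1 above requires the cipux.schema include to go at the END of the other include lines, here is an added helper (example code, not from the original guide or from the CipUX project) that inserts the line after the last existing include and verifies the order. The function and variable names are my own, and the slapd.conf fragment it processes is constructed inline in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the CipUX project: keep the cipux.schema include at the
# END of the include lines of slapd.conf, as section 3.1 requires.

CIPUX_INCLUDE="include /etc/ldap/schema/cipux.schema"

# Print the value of the last "include" directive in the given slapd.conf.
last_include() {
    awk '/^[[:space:]]*include[[:space:]]/ { last = $2 } END { print last }' "$1"
}

# Return 0 only if cipux.schema is the last include (the order the guide demands).
cipux_include_is_last() {
    [ "$(last_include "$1")" = "/etc/ldap/schema/cipux.schema" ]
}

# Insert the cipux.schema include directly after the last existing include line.
# Idempotent: does nothing if the line is already present. Refuses to touch a
# file without any include line rather than guessing where the line belongs.
add_cipux_include() {
    conf="$1"
    grep -q "^[[:space:]]*$CIPUX_INCLUDE" "$conf" && return 0
    n=$(grep -n '^[[:space:]]*include[[:space:]]' "$conf" | tail -n 1 | cut -d: -f1)
    [ -n "$n" ] || return 1
    tmp=$(mktemp)
    awk -v n="$n" -v line="$CIPUX_INCLUDE" '{ print } NR == n { print line }' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # rewrite in place so the file's owner and mode are kept
    rm -f "$tmp"
}

# Demonstration on a constructed slapd.conf fragment in a temporary directory.
demo_dir=$(mktemp -d)
printf 'include /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/cosine.schema\n\nloglevel 0\n' \
    > "$demo_dir/slapd.conf"
add_cipux_include "$demo_dir/slapd.conf"
cipux_include_is_last "$demo_dir/slapd.conf" && echo "cipux.schema is the last include"
rm -rf "$demo_dir"
```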
Edit the Samba configuration and check or change smb.conf for the following parameters:

(01)
# vim /etc/samba/smb.conf
ldap machine suffix = ou=Machines
passdb backend = ldapsam:ldaps://ldap
add machine script = /usr/bin/cipux_task_create_machine %u

Change the following line in /etc/pam_ldap.conf:

(02)
# vim /etc/pam_ldap.conf
base dc=skole,dc=skolelinux,dc=no

Enable the SAMBA PDC machines in LDAP:

(03)
# vim /etc/ldap/slapd.conf
change all ou=Machines,ou=People, to ou=Machines

3.2 Configure and set up the CipUX framework
--------------------------------------------

This should be done by a Debian-conformant mechanism. Who would like to write one?

First of all, we are on a Debian-edu/Skolelinux system, therefore we have to tell this to the CipUX framework.

[10]
# vim /etc/cipux/system.conf
Customer = skolelinux

Then you have to grant CipUX access to the LDAP server. On Debian-edu the already set root password is also the LDAP password. (It is NOT a new password!) So change himitsu to your root/LDAP password.

[11]
# touch /etc/cipux/ldappassword.conf
# chown root:root /etc/cipux/ldappassword.conf
# chmod 600 /etc/cipux/ldappassword.conf
# echo -n 'himitsu' > /etc/cipux/ldappassword.conf
(Use _your_ actual LDAP password instead of "himitsu"!)
(Using echo -n is only secure on new machines without users. If you are updating your password, use an editor that does not write line endings such as CR or LF.)
# chmod 400 /etc/cipux/ldappassword.conf

And only IF you also want to use Samba, change:

[12]
# vim /etc/cipux/cipux.conf
Cipux_Use_Samba=yes

After this we have to test the access to the LDAP server (paste this into one command line with proper spacing):

[13]
# /usr/bin/ldapsearch -x -p 389 -h localhost -ZZ \
    -y /etc/cipux/ldappassword.conf \
    -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
    -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL

If we see:

[14]
ldap_bind: Invalid credentials (49)

the LDAP password was wrong.
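A common way to end up with [14] is a stray line ending in the password file from [11], because ldapsearch -y uses the complete file content as the password. The following added helper (example code, not part of the original guide or of CipUX) writes the file the way [11] does but with printf instead of echo -n, and then checks mode and content before the file is used; the function names and the file path are assumptions, and the sample password is the guide's placeholder.

```shell
#!/bin/sh
# Added example, not from the CipUX project: create the LDAP bind password file
# from step [11] without a stray line ending and with restrictive permissions,
# then verify it before handing it to ldapsearch -y. FILE is a parameter so the
# functions can be exercised on a temporary file; on tjener it would be
# /etc/cipux/ldappassword.conf.

# Write PASSWORD into FILE. printf '%s' adds no newline (echo -n is not portable
# across shells); the file is created mode 600 and locked to 400 afterwards.
# Note: umask is process-wide, so the calling shell keeps 077 as well.
write_ldap_password() {
    file="$1"
    password="$2"
    umask 077
    [ -e "$file" ] && chmod 600 "$file"           # make an old 400 file writable
    : > "$file"                                   # create/truncate, mode 600
    chown root:root "$file" 2>/dev/null || true   # only effective when run as root
    chmod 600 "$file"
    printf '%s' "$password" > "$file"
    chmod 400 "$file"
}

# Return 0 only if FILE is mode 400 and contains no CR or LF byte. ldapsearch -y
# passes the complete file content as the password, so an editor that appended a
# line ending would turn "himitsu" into "himitsu\n" and produce
# "ldap_bind: Invalid credentials (49)".
check_ldap_password_file() {
    file="$1"
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$mode" = "400" ] || return 1
    tr -d '\r\n' < "$file" | cmp -s - "$file"
}

# Demonstration on a constructed temporary file with the guide's sample password.
demo=$(mktemp)
write_ldap_password "$demo" 'himitsu'
if check_ldap_password_file "$demo"; then
    echo "password file is mode 400 and has no trailing line ending"
fi
rm -f "$demo"
```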
(Check the command line syntax and the password you set in [11], and whether the LDAP password is shell safe.)

If we get:

[15]
dn: uid=root,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: sambaSamAccount
objectClass: account
uid: root
sambaSID: S-1-5-21-2697446647-283449030-1896125139-1000

everything is OK. (The sambaSID may be different.)

Then we check some settings by:

[16]
# cipux_maint_diagnostic pre

Now we have to change the LDAP database by setting up the corresponding CipUX structures. This is the most challenging task in the process and may not be easily reversible! Therefore the backup.

What will the script do?
- move ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no to ou=Machines,dc=skole,dc=skolelinux,dc=no
- add ou=CipUX,ou=People,dc=skole,dc=skolelinux,dc=no
- add some default objects: admin, and roles
- DELETE some other objects!!!

*============================[ WARNING ]============================*
||                                                                 ||
|| WARNING: This script is intended to run on a 'freshly'          ||
|| installed Debian-edu/Skolelinux release/system                  ||
||                                                                 ||
*===================================================================*

Execute the following command:

[17]
# cipux_setup_ldap

and hopefully it will perform the work to change the LDAP database.

To test the installation run the diagnostic script:

[18]
# cipux_maint_diagnostic

It should only generate tests with the answer "OK".

3.3 The Webmin configuration
----------------------------

The final thing to do is to make the Webmin module CAT accessible for the Webmin user root.

Start a browser (Konqueror won't work!)

User-hint: Konqueror works using https://localhost:10000 or https://10.0.2.2:10000; other local addresses are currently not in the proxy exception list (it should be changed to contain .intern) and are not allowed in the proxy.

[19]
$ mozilla-firefox

and switch off the proxy in the browser:

[20]
Edit -> Preferences -> General -> Connection Settings ...
-> "Direct connection to the Internet" -> <OK>

Enter the following URL (location, address) into the browser's location bar:

[13]
https://localhost:10000

A certificate dialog will pop up ...

[21]
select "Accept this certificate permanently"

[22]
<OK>

Another dialog appears: "You have requested an encrypted page. The website has identified itself correctly, and information you see or enter on this page can easily be read by a third party." [...]

[23]
<OK>

[24]
User name: root
Password: himitsu
<Login>
(use _your_ root password instead of "himitsu"!)

[25]
<never for this site>

[26]
go to Webmin -> Webmin Users -> root

[27]
select System -> CipUX Administration Tool

[28]
press the "save" button

[29]
If you want every user to be able to change his or her password, you should give the Webmin user "pam" the CipUX Webmin CAT module, as you did for the user root before.

[30]
If you want to use the application form module inside your institution without a password (it doesn't make sense with a password) you have to do the following:
* create a Webmin user 'applicationform'
* in the Webmin configuration, grant anonymous access to the following URLs as the user applicationform:
  /cat/applicationform.cgi
  /cat/images

3.4 Final Setup with CAT
------------------------

Log into Webmin as root or cipadmin (same password).

In Webmin you have to go to Webmin Index -> System -> CipUX Administration Tool.

When you log in to CAT for the first time only the setup module (setup.cgi) is available. You may use this as root or cipadmin. Follow the setup questions. After finishing the setup other modules will become available depending on the setup.

4 Additional system configuration
-----------------------------------

The additional system configuration is optional and doesn't have to be done on every system.

4.1 Quota configuration
-----------------------

CipUX can be used with user quota.
To enable quota you must have a quota-enabled kernel and a quota-capable file system on the users' home directory.

Example: setting up quota on ext3 (TODO)

4.2 CipUX Deploy configuration (after 3.2.9)
---------------------------------------------

The CipUX deploy module is not part of 3.2.8.

Install tftpd-hpa:

# apt-get install tftpd-hpa

Ignore the error message during install, because we run tftpd stand alone, not with inetd.

Edit the file:

# vim /etc/default/tftpd-hpa
#Defaults for tftpd-hpa
RUN_DAEMON="yes"
#OPTIONS="-l -s /var/lib/tftpboot"
OPTIONS=" -l -v -v -v -c -p -U 007 -u cipux -a 192.168.0.254 -s /var/lib/tftpboot "

Check whether the user cipux exists:

# id cipux

If the user does not exist, then create it now:

# groupadd -g 200 cipux
# useradd -u 200 -g 200 -d /var/lib/tftpboot -s /bin/false cipux
# chown cipux /var/lib/tftpboot/cipux
# chown cipux /var/lib/tftpboot/cipux/conf
# chown cipux /var/lib/tftpboot/cipux/script
# /etc/init.d/inetd stop
# /etc/init.d/tftpd-hpa start

* remove inetd from the default run level
* add tftpd-hpa to the default run level

==================================

(footnote 01): Backup Restore (Only if you need it!)

+------------------------------------------------------------------+
| If you want to restore your LDAP data later, you may write the   |
| backup back (when the LDAP server is NOT running!) with:         |
|                                                                  |
| (18)                                                             |
| # /etc/init.d/slapd stop                                         |
| # rm -r /var/lib/ldap                                            |
| # cd /                                                           |
| # tar xvjf /skole/backup/tmp_backup_ldap.tar.bz2                 |
| # /etc/init.d/slapd start                                        |
+------------------------------------------------------------------+

(footnote 02): How to check if the LDAP server is running?

# ps ax | grep slapd | grep -v grep

This should produce output like:

2890 ?        Ss     0:00 /usr/sbin/slapd -h ldap:/// ldaps:///

This means the LDAP server is running.