All content in this wiki is licensed under the GPL.
CipUX 3.2.9 Installation Guide for Debian-Edu/Skolelinux

This is based on the CipUX 3.2.8 installation guide, which includes the work of many contributors:

  • Patrick Willam (several checks, "wording", aptitude, backup, minor enhancements)
  • Ludger Sicking (typo)
  • Radi Wieloch (errors, numbers, orthography, grammar)
  • Ralf Gesellensetter (warning)
  • Michael Stamm (LDAP schema include place)
  • Jürgen Leibner (correct /etc/pam_ldap.conf)
  • Georg Damm (hints to change WLUS-users to CipUX-users)
  • Christian Gatzemeier (div. corrections and alternatives)
  • Martin Herweg (install on pr06,image-deploy for fat clients)
  • Christian Külker (first draft)
  • Note

    Please leave the main-document without wikification. It will go 1:1 outside this wiki (into CipUX packages and other places). So when doing changes it's a good idea to keep the style, too. Thanks!


                       CipUX 3.2.9 installation guide
                       for Debian-Edu/ Skolelinux 2.0
    
    
                             Original by
                          Christian Külker
                             2006-05-13
    
    
                            License GPL
    
    Revision 0.1 2006-05-13 by Christian Külker     (first draft)
    Revision 0.2 2006-06-05 by Christian Külker     add backupdir, security hints
    Revision 0.3
    
    
    
    Contents:
    1   Introduction
    
    2   Installation of CipUX release
    2.1 Prepare the CipUX package install process
    2.2 Installing the CipUX framework packages
    
    3   System configuration
    3.1 Configure the LDAP Server
    3.2 Configure SAMBA Server
    3.2 Configure and set up the CipUX framework
    3.3 The Webmin configuration
    3.4 Final Setup with CAT
    
    4   Additional system configuration
    4.1 Quota configuration
    4.2 CipUX Deploy configuration (>= 3.2.9)
    
    
    1   Introduction
    ----------------
    
        This manual is for the installation of CipUX 3.2.9 on a freshly
        installed Debian-edu/ Skolelinux 2.0 with main server profile
        and, optionally, an additionally installed terminal server profile.
      
        To install CipUX you will also need a working internet connection!
    
        *============================[ WARNING ]============================*
        ||                                                                 ||
        || WARNING: Do not use CipUX on a production Debian-edu/Skolelinux ||
        || system, if you already have added users by means of WLUS        ||
        || (webmin-ldap-user-simple)!                                      ||
        || The installation will not delete your users, but this is not a  ||
        || migration manual and therefore the resulting LDAP database is   ||
        || going to be unusable for a production environment.              ||
        ||                                                                 ||
        *===================================================================*
    
        Almost all(!) steps in this installation manual have to be done on
        the machine which has been installed with the main server profile!
        This machine identifies itself by the name "tjener".
    
        The only(!) steps that may also be done by using another machine
        are the few ones that are done by using a web-browser.
    
        Conventions in this manual:
    
        CTRL         press the control key
        CTRL-c       press the control key, hold it, and press the c key
    
        $            you may execute this command as any user
        #            you have to execute this command as root user
    
        [01] .. [xx] are command and output numbers and are used for
                     references, they are not intended to be written.
        (01) .. (xx) are also command and output numbers and are used
                     for optional references.
    
        <OK>         means pressing the button "OK".
    
        vim          you may use your favorite editor here
    
        User-hint    some untested advice from users
    
    
    2   Installation of CipUX release
    ---------------------------------
    
    2.1 Prepare the CipUX package install process
    ---------------------------------------------
    
       Edit the file /etc/apt/sources.list and add the following lines:
       [01]
       vim /etc/apt/sources.list
         deb     http://debian.cipworx.org/ sid main contrib non-free
         deb     http://ftp.debian.org/debian/ sarge main contrib non-free
    
       Then switch off the proxy by typing
       [02]
       export http_proxy=""
       export ftp_proxy=""
    
    2.2 Installing the CipUX framework packages
    -------------------------------------------
    
       Execute these commands as root:
       [03]
       # aptitude update
    
       On some systems it must be done twice. (Ask a Debian guru why!)
       [04]
       # aptitude update
    
       [05]
       # aptitude install cipux-common cipux-cibot cipux-cat-webmin
    
       ONLY if you want to install the deploy system you have to do 
       additionally:
       [06]
       # aptitude install cipux-deploy
    
    
    3   System configuration
    -------------------------
    
    3.1 Configure the LDAP server
    -----------------------------
    
        First of all we need a well configured LDAP server and, just
        to be safe, a backup.
    
        Normally the LDAP server is started on a freshly installed system,
        so we stop it with:
        [06]  
        # /etc/init.d/slapd stop
    
        Then we make a temporary backup only for that server
        (if you want to restore it, please have a look at footnote 01):
        [07]
        If the backup directory does not exist, create it:
         # mkdir -p /skole/backup
        Then do the backup:
         # tar cvjf /skole/backup/tmp_backup_ldap.tar.bz2 /var/lib/ldap
    
        Now we edit /etc/ldap/slapd.conf and add a new include line
        (at the END of the other include lines):
    
        *============================[ WARNING ]============================*
        ||                                                                 ||
        || WARNING: You might like CipUX so much that you probably put the ||
        || include in front of the other includes. But: don't do that!     ||
        || You will get errors about the unknown attribute uid.            ||
        ||                                                                 ||
        *===================================================================*
    
        [08]
        # vim /etc/ldap/slapd.conf
        include /etc/ldap/schema/cipux.schema
    
        We start the LDAP server again with:
        [09]
        # /etc/init.d/slapd start
    
        And we check if the LDAP server starts. (If you do not know how to do
        that, please have a look at footnote 02.)
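
        A check for the include order required in [08], added here as an
        example that is not part of the original guide or of CipUX. slapd
        reads the schema files in the order of the include lines, so
        cipux.schema has to come after the schemas it builds on. The function
        names and the sample configuration are constructed.

```shell
#!/bin/sh
# Added example (not CipUX code): lint the include order in slapd.conf.
# Function names are hypothetical; the schema path is the one from step [08].
CIPUX_SCHEMA=/etc/ldap/schema/cipux.schema

# Prints ok / missing / duplicate / not-last; non-zero exit unless ok.
check_include_order() {
    awk -v want="${2:-$CIPUX_SCHEMA}" '
        $1 == "include" { n++; if ($2 == want) { seen++; pos = n } }
        END {
            if (seen == 0) { print "missing";   exit 1 }
            if (seen > 1)  { print "duplicate"; exit 1 }
            if (pos != n)  { print "not-last";  exit 1 }
            print "ok"
        }' "$1"
}

# Writes a corrected copy to stdout: every copy of the CipUX include is
# dropped and one is emitted directly after the last other include.
fix_include_order() {
    awk -v want="${2:-$CIPUX_SCHEMA}" '
        NR == FNR { if ($1 == "include" && $2 != want) last = FNR; next }
        FNR == 1 && !last { print "include " want }   # no other includes
        $1 == "include" && $2 == want { next }
        { print }
        FNR == last { print "include " want }
    ' "$1" "$1"
}

# Constructed sample: the CipUX include was placed too early.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cipux.schema
include /etc/ldap/schema/cosine.schema
pidfile /var/run/slapd/slapd.pid
EOF
    check_include_order "$tmp"          # reports the problem
    fix_include_order "$tmp" > "$tmp.fixed"
    check_include_order "$tmp.fixed"    # reports the result of the fix
    rm -f "$tmp" "$tmp.fixed"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```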
    
    
    3.2 Configure SAMBA Server
    --------------------------
    
      If you do not intend to use SAMBA you should skip this section!
    
      CipUX may be used in conjunction with SAMBA. Follow these steps
      to make CipUX respect the additional features for SAMBA.
      Note that this section does not cover specific SAMBA problems.
    
      Edit the Samba configuration and check or change smb.conf for the
      following parameters:
      (01) 
      # vim /etc/samba/smb.conf
       
         ldap machine suffix = ou=Machines
       
         passdb backend = ldapsam:ldaps://ldap
     
         add machine script = /usr/bin/cipux_task_create_machine %u
    
    
      Change the following line in /etc/pam_ldap.conf
      (02)
      # vim /etc/pam_ldap.conf
    
         base dc=skole,dc=skolelinux,dc=no
    
    
      Enable the SAMBA PDC machines in LDAP  
      (03)
      # vim /etc/ldap/slapd.conf
    
        change all
          ou=Machines,ou=People,
        to
          ou=Machines
    
    
    
    3.2 Configure and set up the CipUX framework
    --------------------------------------------
    
        This should be done by a Debian-conformant mechanism. Who would
        like to write one?
    
        First of all we are on a Debian-edu/Skolelinux system,
        therefore we have to tell this to the CipUX framework.
    
        [10]
        # vim /etc/cipux/system.conf
        Customer = skolelinux
    
        Then you have to grant CipUX access to the LDAP server.
        On Debian-edu the already set root password is also the LDAP
        password. (It's NOT a new password!) So change himitsu to your
        root/LDAP password.
    
        [11]
        # touch /etc/cipux/ldappassword.conf
        # chown root:root /etc/cipux/ldappassword.conf
        # chmod 600 /etc/cipux/ldappassword.conf
        # echo -n 'himitsu' > /etc/cipux/ldappassword.conf
    
        (Use _your_ actual LDAP password instead of "himitsu"!)
        (Using echo -n is only secure on new machines without users.
         If you are updating your password, use an editor which does not
         write line ends like CR, LF.)
    
        # chmod 400 /etc/cipux/ldappassword.conf
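
        An alternative to the echo -n call in [11], as an added example that
        is not part of the original guide or of CipUX: the password is read
        from standard input, so it never appears on a command line, and the
        result is checked for mode, owner and a trailing CR/LF. The function
        names are assumptions; stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not CipUX code). Function names are hypothetical; the
# default path is the file from step [11].
SECRET_FILE=/etc/cipux/ldappassword.conf

# Read one line from stdin and store it with no line end, never readable
# by group or others. Nothing is passed on a command line.
write_secret() {
    file="${1:-$SECRET_FILE}"
    if [ -t 0 ]; then stty -echo; printf 'LDAP password: ' >&2; fi
    IFS= read -r secret || true        # tolerate input without a final LF
    if [ -t 0 ]; then stty echo; echo >&2; fi
    cr=$(printf '\r'); secret=${secret%"$cr"}   # strip CR of a CRLF ending
    if [ -z "$secret" ]; then echo "empty password" >&2; return 1; fi
    old_umask=$(umask); umask 077
    rm -f "$file"
    printf '%s' "$secret" > "$file"
    chmod 400 "$file"
    umask "$old_umask"; unset secret
}

# Prints "ok" if the file has mode 400, the expected owner uid (default 0,
# root) and no CR/LF as its last byte; otherwise prints the finding.
audit_secret() {
    file="${1:-$SECRET_FILE}"; want_uid="${2:-0}"
    if [ ! -f "$file" ]; then echo "missing"; return 1; fi
    if [ "$(stat -c '%a' "$file")" != "400" ]; then echo "bad-mode"; return 1; fi
    if [ "$(stat -c '%u' "$file")" != "$want_uid" ]; then echo "bad-owner"; return 1; fi
    last=$(tail -c 1 "$file" | od -An -to1 | tr -d ' \n')
    case "$last" in
        '')      echo "empty";    return 1 ;;
        012|015) echo "line-end"; return 1 ;;
    esac
    echo "ok"
}

# As root: sh thisfile run
if [ "${1:-}" = "run" ]; then write_secret && audit_secret; fi
```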
    
        And only IF you also want to use Samba change:
        [12]
        # vim /etc/cipux/cipux.conf
        Cipux_Use_Samba=yes
    
        After this we have to test the access to the LDAP server:
        (paste this into one command line with proper spacing)
    
        [13]
        # /usr/bin/ldapsearch -x -p 389 -h localhost -ZZ -y /etc/cipux/ldappassword.conf -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL
    
        If we see:
        [14]
        ldap_bind: Invalid credentials (49)
    
        the LDAP password was wrong.
    
        (Check the command line syntax, the password you set in [11],
         and whether the LDAP password is shell safe.)
    
        If we get:
        [15]
        dn: uid=root,ou=People,dc=skole,dc=skolelinux,dc=no
        objectClass: sambaSamAccount
        objectClass: account
        uid: root
        sambaSID: S-1-5-21-2697446647-283449030-1896125139-1000
    
        everything is OK. (The sambaSID may be different.)
    
        Then we check some settings by
    
        [16]
        # cipux_maint_diagnostic pre
    
        Now we have to change the LDAP database by setting up the
        corresponding CipUX structures. This is the most challenging task
        in the process and may not be easily reversible!
        Hence the backup.
    
        What will the script do?
         - move ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no
           to ou=Machines,dc=skole,dc=skolelinux,dc=no
         - add ou=CipUX,ou=People,dc=skole,dc=skolelinux,dc=no
         - add some default objects: admin, and roles
         - DELETE some other objects!!!
    
        *============================[ WARNING ]============================*
        ||                                                                 ||
        || WARNING: This script is intended to run on a 'freshly'          ||
        ||          installed Debian-edu/Skolelinux release/ system        ||          
        ||                                                                 ||
        *===================================================================*
    
        Execute the following command:
    
        [17]
        # cipux_setup_ldap
    
        and hopefully it will perform the work to change the ldap
        database.
    
        To test the installation run the diagnostic script.
    
        [18]
        # cipux_maint_diagnostic
    
        It should only generate tests with answers "OK".
    
    3.3 The Webmin configuration
    ----------------------------
    
        The final thing to do is to make the Webmin module CAT
        accessible for the Webmin user root.
    
        Start a browser (konqueror won't work!)
    
        User-hint: Konqueror works using https://localhost:10000 or 
                   https://10.0.2.2:10000, other local addresses are 
                   currently not in the proxy exception list (should 
                   be changed to contain .intern.) and not allowed 
                   in the proxy.
    
        [19]
        $ mozilla-firefox
    
    
        and switch off the proxy in the browser.
        [20]
        Edit -> Preferences -> General -> Connection Settings ...
          -> "Direct connection to the Internet"-> <OK>
    
    
        Enter the following URL (location, address) into the
        browser's location bar:
        [13]
        https://localhost:10000
    
    
        A certificate dialog will pop up ...
        [21]
        select "Accept this certificate permanently"
    
    
        [22]
        <OK>
    
        Another dialog appears:
        "You have requested an encrypted page. The website has
         identified itself correctly, and information you see or
         enter on this page can easily be read by a third party."
         [...]
    
    
        [23]
        <OK>
    
    
        [24]
        User name: root
        Password: himitsu
        <Login>
    
        (use _your_ root password instead of "himitsu"!)
    
    
        [25]
        <never for this site>
    
    
        [26]
        go to Webmin -> Webmin Users -> root
    
        [27]
        select System -> CipUX Administration Tool
    
    
        [28]
        press "save" button
    
    
        [29]
        If you want every user to be able to change his/her password,
        you should give them the CipUX Webmin CAT module: as for the user
        root before, give the Webmin user "pam" the Webmin CAT module.
    
    
        [30]
        If you want to use the application form module inside
        your institution without a password (it doesn't make sense with a
        password) you have to do the following:
    
        * create a Webmin user 'applicationform'
    
        * in the Webmin configuration, give anonymous access as the user
          applicationform to the URLs:
      
          /cat/applicationform.cgi
          /cat/images
    
    
    
    
    3.4 Final Setup with CAT
    ------------------------
    
      Log into Webmin as root or cipadmin (same password)
    
      In Webmin you have to go to
    
      Webmin Index -> System -> CipUX Administration Tool
    
    
      When you log in to CAT for the first time only the setup
      module (setup.cgi) is available. You may use this as root
      or cipadmin.
    
      Follow the setup questions. After finishing the setup
      other modules will become available depending on the setup.
    
    
    4   Additional system configuration
    -----------------------------------
    
      The additional system configuration is optional and doesn't have
      to be done on every system.
    
    
    4.1 Quota configuration
    -----------------------
    
     CipUX can be used with user quota. To enable quota you must have a
     quota enabled kernel and a quota capable file system for the users'
     home directories.
     
     Example setting up quota on ext3
    
     (TODO)
    
    4.2 CipUX Deploy configuration (after 3.2.9)
    ---------------------------------------------
    
    The CipUX deploy module is not part of 3.2.8.
    
    Install tftpd-hpa:
    
    # apt-get install tftpd-hpa
    
    Ignore the error message during install, because we run tftpd stand alone,
    not with inetd.
    
    Edit the file:
    
    # vim /etc/default/tftpd-hpa
    
       #Defaults for tftpd-hpa
       RUN_DAEMON="yes"
       #OPTIONS="-l -s /var/lib/tftpboot"
       OPTIONS=" -l -v -v -v -c -p -U 007 -u cipux -a 192.168.0.254 -s /var/lib/tftpboot "
    
    # id cipux
    
    If the user does not exist, then create it now:
    
    # groupadd -g 200 cipux
    # useradd -u 200 -g 200 -d /var/lib/tftpboot -s /bin/false cipux
    
    # chown cipux /var/lib/tftpboot/cipux
    # chown cipux /var/lib/tftpboot/cipux/conf
    # chown cipux /var/lib/tftpboot/cipux/script
    # /etc/init.d/inetd stop
    # /etc/init.d/tftpd-hpa start
    
     * remove inetd from the default run level
     * add tftpd-hpa to default run level
    
    
    
    
    
    ==================================
    (footnote 01):
        Backup Restore (Only if you need it!)
        +------------------------------------------------------------------+
        |  If you want to restore your LDAP data later, you may write the  |
        |  backup back (when the LDAP server is NOT running!) with:        |
        |                                                                  |
        |  (18)                                                            |
        |  # /etc/init.d/slapd stop                                        |
        |  # rm -r /var/lib/ldap                                           |
        |  # cd /                                                          |
        |  # tar xvjf /skole/backup/tmp_backup_ldap.tar.bz2                |
        |  # /etc/init.d/slapd start                                       |
        +------------------------------------------------------------------+
    
    (footnote 02):
        How to check if the LDAP server is running?
    
        #  ps ax | grep slapd | grep -v grep
    
        This should produce output like:
    
        2890 ?        Ss     0:00 /usr/sbin/slapd -h ldap:/// ldaps:///
    
        This means the LDAP server is running.
    
    

    CipUX/Archive/en/Installation/3.2.9 (last edited 2006-07-01 16:23:26 by ChristianKuelker)