CipUX 3.2.x installation manual for Debian-Edu/Skolelinux

Original by Christian Kuelker 2005-08-01
License GFDL
Invariant Section: Title (except version number), "Original by Christian Kuelker"

Revision 0.1 2005-08-01 by Christian Kuelker (init)
Revision 0.2 2005-08-11 by Christian Kuelker (add chapter 2)
Revision 0.3 2005-08-12 by Christian Kuelker (add chapter 3)
Revision 0.4 2005-08-12 by Patrick Willam (several checks, "wording")
Revision 0.5 2005-08-12 by Holger Sicking (typo)
Revision 0.6 2005-08-12 by Christian Kuelker (/etc/hosts correction)
Revision 0.7 2005-08-12 by Patrick Willam (aptitude, backup)
Revision 0.8 2005-08-12 by Christian Kuelker (first steps)
Revision 0.9 2005-08-12 by Radi Wieloch (errors, numbers, orthography, grammar)
Revision 1.0 2005-08-12 by Christian Kuelker (repository changed)
Revision 1.1 2005-08-17 by Ralf Gesellensetter (warning)
Revision 1.2 2005-08-19 by Christian Kuelker (correct revision, warning)
Revision 1.3 2005-08-19 by Christian Kuelker (change first steps)
Revision 1.4 2005-08-23 by Christian Kuelker (add cipux_maint_diagnostic pre)
Revision 1.5 2005-09-03 by Christian Kuelker (add CAT setup)
Revision 1.6 2005-09-07 by Christian Kuelker (add Samba configuration)
Revision 1.7 2005-09-07 by Christian Kuelker (add Samba in cipux.conf)
Revision 1.8 2005-09-15 by Michael Stamm (LDAP schema include place)
Revision 1.9 2005-09-21 by Georg Damm (correct backup path)
Revision 2.0 2005-10-06 by Christian Kuelker (correct Samba install, add script)
Revision 2.1 2005-10-06 by Christian Kuelker (Samba access rights for LDAP)
Revision 2.2 2005-10-25 by Christian Kuelker (Samba default groups)

Contents:

1 Preparing the Debian-Edu/Skolelinux system
  1.1 Upgrading the LDAP server with the CipUX schema
  1.2 Prepare the CipUX package install process
2 Installing the CipUX framework packages
3 System configuration
  3.1 Configuring the LDAP server
  3.2 Configure the CipUX framework
  3.3 The webmin setup
  3.4 Enter CAT
  3.5 First steps
4 Additional system
configuration
  4.1 Samba configuration

1 Preparing the Debian-Edu/Skolelinux system
----------------------------------------------

This manual describes the installation of CipUX on a freshly installed
Debian-Edu/Skolelinux PR05 system.

WARNING: Do not use CipUX on a production Debian-Edu/Skolelinux system on
which you have already added users with webmin-ldap-user-simple (wlus)!
The installation may not delete your users, but this is not a migration
manual, and the resulting LDAP database should be expected to be unusable
for the production environment.

To install CipUX you also need a working internet connection!

Conventions in this manual:

CTRL      = press the control key
CTRL-c    = press the control key, hold it, and press the c key
$         = you may execute this command as any user
#         = you have to execute this command as root
(1)...(x) are command and output numbers used for references; they are
          not meant to be typed.
[OK]      = press the "OK" button

1.1 Upgrading the LDAP server with the CipUX schema
---------------------------------------------------

Valid ldap and cipux host names are necessary: both names must resolve
on the server. Insert the name cipux into /etc/hosts by changing the line

(1) 127.0.0.1 localhost

to

    127.0.0.1 localhost cipux

You also need resolution of the name ldap. Usually it is resolved by the
local DNS server. Test it with:

(2) $ ping ldap

This should produce output like:

(3) tjener:~$ ping ldap
    PING localhost (127.0.0.1) 56(84) bytes of data.
    64 bytes from tjener.intern (10.0.2.2): icmp_seq=1 ttl=64 time=0.069 ms
    64 bytes from tjener.intern (10.0.2.2): icmp_seq=2 ttl=64 time=0.070 ms
    64 bytes from tjener.intern (10.0.2.2): icmp_seq=3 ttl=64 time=0.068 ms

(4) Cancel with CTRL-c.

If instead the output is

(5) tjener:~$ ping ldap
    ping: unknown host ldap

the computer cannot resolve its own name as ldap, which it must be able
to do, since it is the LDAP server.
A quick workaround for IPv4 networks is to edit /etc/hosts and change
the line

(6) /etc/hosts
    127.0.0.1 localhost cipux

to

    127.0.0.1 localhost ldap cipux

Repeat commands (2) and (6) until you get the output shown in (3).

1.2 Prepare the CipUX package install process
---------------------------------------------

Edit /etc/apt/sources.list and add the following lines:

(7) /etc/apt/sources.list
    deb http://debian.cipworx.org/ sid main contrib non-free
    deb http://ftp.debian.org/debian/ sarge main contrib non-free

Note that this adds a third-party repository built for sid to a sarge
system, and its packages will be installed as root; apt may report them
as untrusted if it has no key for that repository.

Then switch off the proxy for the current shell by typing

(8) export http_proxy=""

2 Installing the CipUX framework packages
-------------------------------------------

Execute the following commands as root:

(9)  # ping debian.cipworx.org
(10) # CTRL-c
(11) # aptitude update
(12) # aptitude update
(13) # aptitude install cipux-common cipux-cibot cipux-cat-webmin

3 System configuration
-------------------------

3.1 Configuring the LDAP server
-------------------------------

First of all we need a well configured LDAP server and, just to be safe,
a backup. Check whether the LDAP server is running:

(14) # ps ax|grep slapd|grep -v grep

This should produce output like:

(15) 2890 ? Ss 0:00 /usr/sbin/slapd -h ldap:/// ldaps:///

So we stop the server:

(16) # /etc/init.d/slapd stop

We have to be sure that the LDAP server is stopped: if you run (14)
again, it must produce no output. Then we make a temporary backup, which
can only be restored into this same LDAP version (it is a copy of the
database files, not an LDIF export). Run the archive program:

(17) # tar cvjf /skole/backup/tmp_backup_ldap.tar.bz2 /var/lib/ldap

If you want to restore your LDAP data later, you can write the backup
back (when the LDAP server is NOT running!)
with:

(18) # rm -r /var/lib/ldap
     # cd /
     # tar xvjf /skole/backup/tmp_backup_ldap.tar.bz2

Now edit /etc/ldap/slapd.conf: add a new include line (at the END of the
other include lines) and change schemacheck from on to off:

(19) include /etc/ldap/schema/cipux.schema
     schemacheck off

You may set schemacheck back to "on" once everything is installed and
works; leaving it off permanently means the server no longer rejects
entries with unknown or missing attributes.

WARNING: You might like CipUX so much that you want to put its include in
front of the other includes. Don't do that: you will get errors about the
unknown attribute uid, because cipux.schema depends on attributes defined
in the standard schemas.

Start the LDAP server again with:

(20) # /etc/init.d/slapd start

and check with (14) that it is running. It should produce output like (15).

3.2 Configure the CipUX framework
-----------------------------------

First of all, we are on a Debian-Edu/Skolelinux system, so we have to
tell the CipUX framework this. Edit /etc/cipux/system.conf and change

(21) Customer = default

to

     Customer = skolelinux

Then you have to grant CipUX access to the LDAP server. On Debian-Edu
the root password set during installation is also the LDAP password (it
is NOT a new password!). Edit /etc/cipux/cipux.conf and change one line.
If your root password is "himitsu", change

(22) Ldap_Password=secret

to

     Ldap_Password=himitsu

and (only IF you use Samba)

     Cipux_Use_Samba=no

to

     Cipux_Use_Samba=yes

Since cipux.conf now contains the root password in clear text, make sure
it is owned by root and not readable by other users (mode 0600).

After this we have to test the access:

(23) tjener:~# /usr/bin/ldapsearch -x -p 389 -h localhost -ZZ -w 'himitsu' -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL

(Passing the password with -w puts it into your shell history and, while
the command runs, into the process list; -W prompts for it instead.)

If we get:

(24) ldap_bind: Invalid credentials (49)

the password was wrong. If we get:

(25) dn: uid=root,ou=People,dc=skole,dc=skolelinux,dc=no
     objectClass: sambaSamAccount
     objectClass: account
     uid: root
     sambaSID: S-1-5-21-2697446647-283449030-1896125139-1000

everything is ok. (The sambaSID may be different.)
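The following shell functions are an added example, not code from the original manual or from CipUX. They run the same bind test as (23), but take the password from /etc/cipux/cipux.conf (the Ldap_Password line edited above) instead of the command line, and refuse to continue while that file is readable by group or others, since it now holds the root password in clear text. The file, key and DNs are the manual's; the function names and the check for the default value "secret" are mine, and the script assumes a POSIX shell with ls, sed and the OpenLDAP ldapsearch client. The password is still handed to ldapsearch with -w, so it is visible in the process list while the search runs; use -W to be prompted instead if that matters on your server.

```shell
#!/bin/sh
# Added example: test the CipUX -> LDAP bind with the password taken from
# /etc/cipux/cipux.conf instead of typing it on the command line.

# conf_get FILE KEY: print the value of the first "KEY=value" line of a
# cipux-style config file (blanks around "=" and at the ends are stripped).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# secret_file_ok FILE: succeed only if FILE grants no permissions to group
# or others (mode xx00). Uses the POSIX ls mode column, so it works with
# any ls; an ACL marker in column 11 is not looked at.
secret_file_ok() {
    grp_oth=$(ls -ld "$1" | cut -c5-10) || return 1
    [ "$grp_oth" = "------" ]
}

# cipux_ldap_bind_check [CONF]: bind as the Skolelinux LDAP admin with the
# password from CONF (default /etc/cipux/cipux.conf) and fetch uid=root,
# exactly as the manual's ldapsearch line (23) does. Exit status is
# ldapsearch's: 0 means the bind worked and the entry was returned.
cipux_ldap_bind_check() {
    conf=${1:-/etc/cipux/cipux.conf}
    if ! secret_file_ok "$conf"; then
        echo "$conf is readable by group/others; run: chmod 600 $conf" >&2
        return 1
    fi
    pw=$(conf_get "$conf" Ldap_Password)
    if [ -z "$pw" ] || [ "$pw" = "secret" ]; then
        echo "Ldap_Password in $conf is unset or still the packaged default" >&2
        return 1
    fi
    # -ZZ insists on StartTLS; a wrong password gives
    # "ldap_bind: Invalid credentials (49)" as in (24).
    /usr/bin/ldapsearch -x -p 389 -h localhost -ZZ -w "$pw" \
        -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
        -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL
}

# Usage (as root on tjener):  . ./cipux_bind_check.sh && cipux_ldap_bind_check
```

Source the file and call cipux_ldap_bind_check; it stops before touching the network when the config file is too permissive or the password is still the default, so a non-zero exit from the first two checks points at the file, and only after those does it mean the LDAP bind itself failed.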
Then we check some settings with

(26) # cipux_maint_diagnostic pre

Now we have to change the LDAP server by setting up the CipUX LDAP
structure. This is the most challenging task in the process and may not
be easily reversible. Hence the backup. What will the script do?

- move ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no
  to ou=Machines,dc=skole,dc=skolelinux,dc=no
- add ou=CipUX,ou=People,dc=skole,dc=skolelinux,dc=no
- add some default objects: admin, and roles
- DELETE some other objects!!!

WARNING: This script is intended to run on a 'freshly' installed
Skolelinux PR05 release!

Execute the following command:

(27) # cipux_setup_ldap

and hopefully it will perform the work of changing the LDAP server. To
test the installation, run the diagnostic script:

(28) # cipux_maint_diagnostic

It should only report tests with the answer "ok".

3.3 The webmin setup
--------------------

The last thing to do is to make CAT accessible for the webmin user root.
Start a browser (konqueror won't work!):

(29) # mozilla-firefox

and switch off the proxy in the browser:

(30) Edit -> Preferences -> General -> Connection Settings ... -> "Direct connection to the Internet" -> [OK]

Enter the following URL (location, address) into the browser's location bar:

(31) https://cipux:10000

A certificate dialog will pop up ...

(32) select "Accept this certificate permanently"

The certificate is self-signed by webmin, so the browser cannot verify
it; if you can, compare its fingerprint with the one on the server
before accepting it permanently.

(33) Another dialog appears: "You have requested an encrypted page. The website has identified itself correctly, and information you see or enter on this page can easily be read by a third party." [...]

(34) [OK]

(35) Username: root
     Password: himitsu

(36) [OK]

(37) go to Webmin -> Webmin Users -> root
(38) select System -> CipUX Administration Tool
(39) press the "Save" button

3.4 Enter CAT
--------------

In webmin you have to go to

(40) Webmin Index -> System -> CipUX Administration Tool

3.5 First steps
---------------

If you plan to use Samba, please read 4.1 first.

When you first log in to CAT only the setup module (setup.cgi) is
available.
You may use it as root or cipadmin. Follow the setup questions. After
finishing the setup, the other modules are available, depending on what
you chose in the setup.

If you try to create a user right away, it will fail, because some
objects do not exist yet. So please create the following objects first:

(A) create a new group/course (example: class84) with the CAT module
    "groups" (German: "Gruppen")
(B) create a private skel with "skeladmin" (German: "Vorlage
    Verzeichnis (skel)")

After creating these you may add a new user with "User Support Service"
(German: "Benutzerbetreuung").

4 Additional system configuration
-----------------------------------

The additional system configuration is optional and does not have to be
done on every system.

4.1 Samba configuration
-----------------------

CipUX may be used in conjunction with Samba. Follow these steps to make
CipUX honour the additional features needed for Samba. Note that this
section does not cover specific Samba problems. It should be applied
before the creation of users, groups or workstations.

* Enable Samba in CipUX

  (1) edit /etc/cipux/cipux.conf

  Change

      Cipux_Use_Samba=no

  to

      Cipux_Use_Samba=yes

* Edit the Samba configuration and check or change smb.conf.

  (2) edit /etc/samba/smb.conf

  Change

      ldap machine suffix = ou=Machines,ou=People

  to

      ldap machine suffix = ou=Machines

  On Sarge this should work:

      passdb backend = ldapsam:ldaps://ldap

  On Woody this may work (if you disabled encrypted connections):

      passdb backend = ldapsam:ldap://ldap
      ldap ssl = start_tls

  Change the machine creation script

      add machine script = /etc/samba/smbaddclient.pl %u

  to

      add machine script = /usr/bin/cipux_add -m --attribute uid='%u'

* Check whether the group machines exists. This example is ok:

      tjener:/# id machines
      uid=900(machines) gid=900(machines) groups=900(machines),10000(none)

  If 'id machines' fails, add a group called 'machines':

  (3) # groupadd -g 900 machines

  Note that this group might move into LDAP in the future.
* (This is not tested, remarks welcome.) Change pam_ldap.conf

  This may only be important under the following condition. Example: you
  create a new Windows machine ws24$. If the command

      id 'ws24$'

  does not result in a line like

      uid=10936(ws24$) gid=900(machines) groups=900(machines)

  (the numbers may be different), solve the problem by editing
  pam_ldap.conf so that the search base is the domain root, which also
  covers the machine accounts that now live directly under ou=Machines:

  (4) edit /etc/pam_ldap.conf

  Change

      # The distinguished name of the search base.
      # base dc=example,dc=net
      base ou=People,dc=skole,dc=skolelinux,dc=no

  to

      # The distinguished name of the search base.
      # base dc=example,dc=net
      base dc=skole,dc=skolelinux,dc=no

* (5) Enable the Samba PDC with LDAP

  In /etc/ldap/slapd.conf change all occurrences of

      ou=Machines,ou=People,

  to

      ou=Machines,

* (6) Create some default groups if you want to use the logon.bat features

  Add the groups 'cipan' and 'sources' with CAT.

  cipan:   share to store applications. Every user will get this share
           as drive I.
  sources: share where cipadmin may store CDs. cipadmin will get this
           share as drive J.
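As an added example that is not part of the manual or of CipUX, the following shell script applies the file edits of steps (2), (4) and (5) above with sed, keeping a .orig copy of each file the first time it touches it, and wraps the group check of step (3). The smb.conf values are the Sarge form from step (2); the search base it writes to pam_ldap.conf is dc=skole,dc=skolelinux,dc=no, the valid DN form of the untested step (4). The function names, the .orig convention and the optional testparm check are mine; the script assumes a POSIX shell and sed (no GNU sed -i needed) and must be run as root on the server.

```shell
#!/bin/sh
# Added example: apply the Samba-related edits of section 4.1 to the
# configuration files and keep an .orig copy for comparison.

# edit_in_place FILE SED-ARGS...: run sed over FILE through a temporary
# file, so it works with any sed; FILE.orig is written once, never overwritten.
edit_in_place() {
    f=$1; shift
    [ -f "$f.orig" ] || cp "$f" "$f.orig"
    sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# cipux_smb_conf FILE: step (2). Machine suffix, passdb backend (Sarge
# form, ldaps://) and the add machine script that hands new machine
# accounts to cipux_add. Samba expands %u itself at run time.
cipux_smb_conf() {
    edit_in_place "$1" \
      -e 's|^\([[:space:]]*ldap machine suffix[[:space:]]*=[[:space:]]*\)ou=Machines,ou=People[[:space:]]*$|\1ou=Machines|' \
      -e 's|^\([[:space:]]*passdb backend[[:space:]]*=\).*$|\1 ldapsam:ldaps://ldap|' \
      -e "s|^\([[:space:]]*add machine script[[:space:]]*=\).*\$|\1 /usr/bin/cipux_add -m --attribute uid='%u'|"
}

# cipux_pam_ldap_conf FILE: step (4). Widen the pam_ldap search base to the
# domain root so machine accounts under ou=Machines,dc=... are found.
cipux_pam_ldap_conf() {
    edit_in_place "$1" \
      -e 's|^base[[:space:]]\{1,\}ou=People,dc=skole,dc=skolelinux,dc=no[[:space:]]*$|base dc=skole,dc=skolelinux,dc=no|'
}

# cipux_slapd_conf FILE: step (5). Every ou=Machines,ou=People, becomes
# ou=Machines, (the trailing comma keeps the rest of the DN intact).
cipux_slapd_conf() {
    edit_in_place "$1" -e 's|ou=Machines,ou=People,|ou=Machines,|g'
}

# ensure_machines_group: step (3). Creates the local group only if it is
# missing; needs root in that case.
ensure_machines_group() {
    getent group machines >/dev/null 2>&1 || groupadd -g 900 machines
}

# smb_conf_valid FILE: parse the result with testparm when it is installed
# (a syntax error here would stop smbd from starting).
smb_conf_valid() {
    command -v testparm >/dev/null 2>&1 || return 0
    testparm -s "$1" >/dev/null 2>&1
}

# Usage (as root):
#   cipux_smb_conf /etc/samba/smb.conf && smb_conf_valid /etc/samba/smb.conf
#   cipux_slapd_conf /etc/ldap/slapd.conf
#   cipux_pam_ldap_conf /etc/pam_ldap.conf     # only if 'id ws24$' fails
#   ensure_machines_group
```

Before restarting samba and slapd, compare each edited file with its .orig copy (diff FILE.orig FILE) to confirm that only the intended lines changed; the smb.conf edit replaces the whole value of passdb backend and add machine script, so check those two lines in particular if your smb.conf deviates from the Skolelinux default.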