- CipUX 3.2.8 Installation Guide for Debian-Edu/Skolelinux
- This guide is brought to you by the work of many contributors; see revision history for details.
- Note
Please leave the main document without wikification. It will go 1:1 outside this wiki (into CipUX packages and other places), so when making changes it is a good idea to keep the style, too. Thanks!
CipUX 3.2.8 installation guide
for Debian-Edu/Skolelinux 2.0
Original by
Christian Kuelker
2005-08-01
License GPL
Revision 0.1 2005-08-01 by Christian Kuelker (init)
Revision 0.2 2005-08-11 by Christian Kuelker (add chapter 2)
Revision 0.3 2005-08-12 by Christian Kuelker (add Chapter 3)
Revision 0.4 2005-08-12 by Patrick Willam (several checks, "wording")
Revision 0.5 2005-08-12 by Holger Sicking (typo)
Revision 0.6 2005-08-12 by Christian Kuelker (/etc/hosts correction)
Revision 0.7 2005-08-12 by Patrick Willam (aptitude, backup)
Revision 0.8 2005-08-12 by Christian Kuelker (First steps)
Revision 0.9 2005-08-12 by Radi Wieloch (errors, numbers, orthography, grammar)
Revision 1.0 2005-08-12 by Christian Kuelker (repository changed)
Revision 1.1 2005-08-17 by Ralf Gesellensetter (warning)
Revision 1.2 2005-08-19 by Christian Kuelker (correct Revision, warning)
Revision 1.3 2005-08-19 by Christian Kuelker (change first steps)
Revision 1.4 2005-08-23 by Christian Kuelker (add cipux_maint_diagnostic pre)
Revision 1.5 2005-09-03 by Christian Kuelker (add CAT setup)
Revision 1.6 2005-09-07 by Christian Kuelker (add Samba configuration)
Revision 1.7 2005-09-07 by Christian Kuelker (add Samba in cipux.conf)
Revision 1.8 2005-09-15 by Michael Stamm (LDAP schema include place)
Revision 1.9 2005-09-21 by Georg Damm (correct backup-path)
Revision 2.0 2005-10-06 by Christian Kuelker (correct Samba install, add script)
Revision 2.1 2005-10-06 by Christian Kuelker (samba access rights for LDAP)
Revision 2.2 2005-10-25 by Christian Kuelker (samba default groups)
Revision 2.3 2005-11-01 by Juergen Leibner (correct /etc/pam_ldap.conf)
Revision 2.4 2005-11-05 by Christian Kuelker (application form installation)
Revision 2.5 2005-11-24 by Patrick Willam (minor enhancements, clarifications)
Revision 2.6 2005-11-25 by Georg Damm (hints to change WLUS-users to CipUX-users)
Revision 2.7 2005-11-26 by Christian Kuelker (clarifications)
Revision 2.8 2005-12-31 by Christian Gatzemeier (div. corrections and alternatives)
Revision 2.9 2006-01-27 by Martin Herweg (install on pr06,image-deploy for fat clients)
Revision 3.0 2006-04-08 by Christian Kuelker (ftp_proxy)
Revision 3.1 2006-04-14 by Christian Kuelker (move to debian-wiki, some simplifications)
Revision 3.2 2006-05-19 by Christian Kuelker (after Agreement, change License to GPL)
Contents:
1 Preparing the Debian-Edu/Skolelinux system
1.1 Upgrading the LDAP server with CipUX schema
1.2 Prepare the CipUX package install process
2 Installing the CipUX framework packages
3 System configuration
3.1 Configuring the LDAP
3.2 Configure the CipUX framework
3.3 The webmin setup
3.4 Enter CAT
3.5 First steps
4 Additional system configuration
4.1 Samba configuration
4.2 CipUX-deploy
1 Preparing the Debian-Edu/Skolelinux system
----------------------------------------------
This manual covers the installation of CipUX 3.2.8 on a freshly
installed Debian-edu/Skolelinux 2.0 with the main server profile.
*============================[ WARNING ]============================*
||                                                                 ||
|| WARNING: Do not use CipUX on a production Debian-edu/Skolelinux ||
|| system if you have already added users by means of WLUS         ||
|| (webmin-ldap-user-simple)!                                      ||
|| The installation will not delete your users, but this is not a  ||
|| migration manual, and the resulting LDAP database will not be   ||
|| usable in a production environment.                             ||
||                                                                 ||
*===================================================================*
To install CipUX you will also need a working internet
connection!
Almost all(!) steps in this installation manual have to be done on
the machine which has been installed with the main server profile.
This machine identifies itself by the name "tjener".
The only(!) steps that may also be done from another machine
are the few that are carried out in a web browser.
Conventions in this manual:
CTRL = press the control key
CTRL-c = press the control key, hold it, and press the c key
$ = you may execute this command as any user
# = you have to execute this command as the root user
(1)...(x) are command and output numbers and are used for
references; they are not intended to be typed.
<OK> means pressing the button "OK".
vim (you may use your favorite editor here)
User-hint: (untested advice from users)
1.1 Upgrading the LDAP server with CipUX schema
-----------------------------------------------
Valid DNS names "ldap" and "cipux" are necessary.
You need a valid name resolution for the ldap server
and the host name cipux.
Insert the name cipux into the /etc/hosts file by changing
the line:
(1)
127.0.0.1 localhost
to
127.0.0.1 localhost cipux
User-hint: Better and easier: define a new CNAME (canonical
name). Webmin -> Servers -> Bind DNS -> intern. Zone
-> Name Alias (Name: cipux, Real Name: tjener)
A CNAME for ldap already exists in Skolelinux.
You also need the resolution of the name ldap. Usually it
is resolved by the local DNS server.
It can be tested with the command:
(2)
$ ping ldap
This should produce output like this:
(3)
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from tjener.intern (10.0.2.2): icmp_seq=1 ttl=64 time=0.069 ms
64 bytes from tjener.intern (10.0.2.2): icmp_seq=2 ttl=64 time=0.070 ms
64 bytes from tjener.intern (10.0.2.2): icmp_seq=3 ttl=64 time=0.068 ms
(4)
Cancel with CTRL-c
If there is output like
(5)
ping: unknown host ldap
this means that the computer cannot resolve the name ldap to
itself, which it must be able to do on the server. A quick
workaround for IPv4 networks is to edit /etc/hosts and change the line:
(6)/etc/hosts
127.0.0.1 localhost cipux
to
127.0.0.1 localhost ldap cipux
Repeat the commands (2) and (6) until you receive the
output of (3).
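The hosts file edits in (1) and (6) are easy to get wrong by hand (a name added twice, or a second 127.0.0.1 line). The script below is an added example and is not part of the CipUX guide or package: it appends a name to the loopback line only if the file does not already resolve it, so it can be run repeatedly. Both functions take the hosts file as their first argument, so the demonstration runs on a constructed copy under /tmp as an unprivileged user; to apply it on tjener, pass /etc/hosts as root. As a resolution check, getent hosts ldap (which consults /etc/hosts and DNS in nsswitch order) is more direct than ping, because ping additionally needs ICMP to get through.

```shell
#!/bin/sh
# Added example, not part of the CipUX guide: idempotent /etc/hosts editing.
# Both functions take the hosts file as the first argument so they can be
# exercised on a copy without root privileges.

# has_alias FILE NAME -> exit 0 if NAME is listed as a host name on any
# non-comment line of FILE (the first field is the address, so skip it)
has_alias() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ensure_loopback_alias FILE NAME -> append NAME to the first line whose
# address is exactly 127.0.0.1, unless FILE already resolves NAME
ensure_loopback_alias() {
    if has_alias "$1" "$2"; then
        return 0
    fi
    awk -v n="$2" '
        !done && $1 == "127.0.0.1" { $0 = $0 " " n; done = 1 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration on a constructed hosts file resembling a Skolelinux tjener.
demo_hosts() {
    f="${TMPDIR:-/tmp}/hosts.demo.$$"
    printf '127.0.0.1\tlocalhost\n10.0.2.2\ttjener.intern tjener\n' > "$f"
    ensure_loopback_alias "$f" cipux
    ensure_loopback_alias "$f" ldap
    ensure_loopback_alias "$f" ldap    # second run changes nothing
    cat "$f"
    rm -f "$f"
}

demo_hosts
```

The loopback line is only extended, never replaced, so whatever else Debian-edu put there (the tjener line, IPv6 entries) stays untouched; the second ensure_loopback_alias for ldap is a no-op because has_alias already finds it.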
1.2 Prepare the CipUX package install process
---------------------------------------------
Edit the file /etc/apt/sources.list and add the following lines:
(7)/etc/apt/sources.list
deb http://debian.cipworx.org/ sid main contrib non-free
deb http://ftp.debian.org/debian/ sarge main contrib non-free
Note that the first line adds a third-party archive fetched over
plain http: you are trusting that host and the network path to it
for the packages installed below.
Then switch off the proxy, in the shell from which you will run
aptitude, by typing
(8)
export http_proxy=""
export ftp_proxy=""
2 Installing the CipUX framework packages
-------------------------------------------
Execute these commands as root:
(9)
# ping debian.cipworx.org
(10)
# CTRL-c
(11)
# aptitude update
(12) On some systems it must be done twice. (Ask a Debian guru why!)
# aptitude update
(13)
# aptitude install cipux-common cipux-cibot cipux-cat-webmin
3 System configuration
-------------------------
3.1 Configuring the LDAP
--------------------------
First of all we need a well-configured LDAP server and, just
to be safe, a backup.
We check whether the ldap server is running:
(14)
# ps ax | grep slapd | grep -v grep
This should produce output like:
(15)
2890 ? Ss 0:00 /usr/sbin/slapd -h ldap:/// ldaps:///
This means the ldap server is running. So we stop it with:
(16)
# /etc/init.d/slapd stop
We have to be sure that the ldap server is stopped. So if
we execute (14) again it should not generate any output.
Then we make a temporary backup, which may only be used with
this ldap version. The target directory must exist. We execute
the archive program:
(17)
# tar cvjf /skole/backup/tmp_backup_ldap.tar.bz2 /var/lib/ldap
The archive contains the whole LDAP database, password hashes
included, so keep it readable by root only.
Backup Restore (Only if you need it!)
+------------------------------------------------------------------+
| If you want to restore your ldap data later, you may write the |
| backup back (when the ldap server is NOT running!) with: |
| |
| (18) |
| # /etc/init.d/slapd stop |
| # rm -r /var/lib/ldap |
| # cd / |
| # tar xvjf /skole/backup/tmp_backup_ldap.tar.bz2 |
| # /etc/init.d/slapd start |
+------------------------------------------------------------------+
Now we edit /etc/ldap/slapd.conf and add a new include line
(at the END of the other include lines):
(19)
# vim /etc/ldap/slapd.conf
include /etc/ldap/schema/cipux.schema
*============================[ WARNING ]============================*
||                                                                 ||
|| WARNING: You might like CipUX so much that you put the include  ||
|| in front of the other includes. Don't do that! cipux.schema     ||
|| refers to attributes (e.g. uid) defined by the earlier schemas, ||
|| so slapd will fail to start with errors about the unknown       ||
|| attribute uid.                                                  ||
||                                                                 ||
*===================================================================*
We start the ldap server again with:
(20)
# /etc/init.d/slapd start
And check if its started with (14). It should produce output
like (15).
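The include in (19) must come after the schemas that define the attributes cipux.schema refers to. The script below is an added example, not anything shipped with CipUX or OpenLDAP: it inserts the include line directly after the last existing include directive (and does nothing if it is already there), and it verifies the ordering, so the edit can be checked before slapd is restarted. It works on any slapd.conf-style file given as its first argument; the demonstration uses a constructed fragment under /tmp.

```shell
#!/bin/sh
# Added example, not part of CipUX: keep a schema include at the END of the
# include block in an slapd.conf-style file, and verify that it is there.

# last_include_line FILE -> line number of the last "include" directive
# (comment lines start with '#' and never match); prints 0 if there is none
last_include_line() {
    awk '$1 == "include" { n = NR } END { print n + 0 }' "$1"
}

# has_include FILE PATH -> exit 0 if FILE already includes PATH
has_include() {
    awk -v p="$2" '$1 == "include" && $2 == p { found = 1 }
                   END { if (found) exit 0; exit 1 }' "$1"
}

# include_is_last FILE PATH -> exit 0 if PATH is the last include directive
include_is_last() {
    awk -v p="$2" '$1 == "include" { last = $2 }
                   END { if (last == p) exit 0; exit 1 }' "$1"
}

# add_include_last FILE PATH -> insert "include PATH" right after the last
# existing include; does nothing if PATH is already included
add_include_last() {
    if has_include "$1" "$2"; then
        return 0
    fi
    n=$(last_include_line "$1")
    if [ "$n" -eq 0 ]; then
        echo "no include directives found in $1" >&2
        return 1
    fi
    awk -v n="$n" -v p="$2" '{ print } NR == n { print "include\t" p }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration on a constructed slapd.conf fragment.
demo_slapd() {
    f="${TMPDIR:-/tmp}/slapd.conf.demo.$$"
    cat > "$f" <<'EOF'
# constructed slapd.conf fragment
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
pidfile         /var/run/slapd/slapd.pid
database        bdb
suffix          "dc=skole,dc=skolelinux,dc=no"
EOF
    add_include_last "$f" /etc/ldap/schema/cipux.schema
    if include_is_last "$f" /etc/ldap/schema/cipux.schema; then
        echo "cipux.schema is the last include: ok"
    fi
    cat "$f"
    rm -f "$f"
}

demo_slapd
```

Run include_is_last against /etc/ldap/slapd.conf before starting slapd in (20); if it fails, the include landed in front of another schema and needs to be moved down.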
3.2 Configure the CipUX framework
-----------------------------------
First of all, we are on a Debian-edu/Skolelinux system, so we
have to tell this to the CipUX framework by editing
/etc/cipux/system.conf and changing
(21)
# vim /etc/cipux/system.conf
Customer = default
to
Customer = skolelinux
Then you have to grant CipUX access to the ldap server.
On Debian-edu the root password set during installation is also
the LDAP admin password. (It is NOT a new password!)
We have to edit /etc/cipux/cipux.conf and change one line.
If your LDAP password is "himitsu" you will have to change
(22)
# vim /etc/cipux/cipux.conf
Ldap_Password=secret
to
Ldap_Password=himitsu
(Use _your_ actual LDAP password instead of "himitsu"!)
This file now holds the LDAP admin password in clear text, so
make sure it is readable by root only.
And only IF you also want to use Samba change
Cipux_Use_Samba=no
to
Cipux_Use_Samba=yes
After this we have to test the access to the ldap server:
(paste this into one command line with proper spacing)
(23)
# /usr/bin/ldapsearch -x -p 389 -h localhost -ZZ -w 'himitsu' -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL
(Again: use _your_ LDAP password instead of "himitsu"! Note that
-w puts the password into your shell history and into the process
list while the command runs; -W prompts for it instead.)
If we get:
(24)
ldap_bind: Invalid credentials (49)
the LDAP password was wrong.
(Check the command line syntax, the LDAP password,
and whether the LDAP password is shell-safe.)
If we get:
(25)
dn: uid=root,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: sambaSamAccount
objectClass: account
uid: root
sambaSID: S-1-5-21-2697446647-283449030-1896125139-1000
everything is ok. (The sambaSID may be different.)
HINT [1]: If you plan to migrate from WLUS, use this link:
http://skolelinux.de/wiki/CipUX/Skripte/Migration
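The password written into cipux.conf in (22) and passed to ldapsearch in (23) is the LDAP admin password, which on Debian-edu is also the root password, so it must not leak through file permissions, shell history or the process list. The script below is an added example, not part of CipUX or its tools: it reads a key from a cipux.conf-style file, refuses to go on while that file is readable by group or others, and writes the password into a mode 0600 file suitable for ldapsearch's -y option (which uses the file's complete contents as the password, so no trailing newline may be written). The configuration contents and the file names under /tmp are constructed for the demonstration; /root/.ldappw in the comment is an assumed location.

```shell
#!/bin/sh
# Added example, not part of CipUX: handle the clear-text LDAP password in
# /etc/cipux/cipux.conf without exposing it on a command line.

# conf_value FILE KEY -> print the value of "KEY=value" (or "KEY = value")
# from FILE, ignoring comment lines; prints nothing if KEY is absent
conf_value() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        {
            key = $1; gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", key)
            if (key == k) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# mode_of FILE -> the ten-character permission string, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# is_private FILE -> exit 0 only if neither group nor others have any access
is_private() {
    case "$(mode_of "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# write_pw_file CONF OUT -> extract Ldap_Password from CONF into OUT with
# mode 0600 and no trailing newline (ldapsearch -y uses the raw contents);
# refuses if CONF itself is readable by anyone but its owner
write_pw_file() {
    if ! is_private "$1"; then
        echo "$1 is readable by group/others ($(mode_of "$1")); chmod 600 it first" >&2
        return 1
    fi
    pw=$(conf_value "$1" Ldap_Password)
    if [ -z "$pw" ]; then
        echo "no Ldap_Password in $1" >&2
        return 1
    fi
    rm -f "$2"
    ( umask 077 && printf '%s' "$pw" > "$2" )
}

# Demonstration with a constructed cipux.conf. On tjener the real file is
# /etc/cipux/cipux.conf and, with the password file at the assumed path
# /root/.ldappw, the test from (23) becomes:
#   ldapsearch -x -p 389 -h localhost -ZZ -y /root/.ldappw \
#     -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
#     -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL
demo_pw() {
    conf="${TMPDIR:-/tmp}/cipux.conf.demo.$$"
    out="${TMPDIR:-/tmp}/ldappw.demo.$$"
    rm -f "$conf"
    ( umask 077 && printf '# constructed\nLdap_Password=himitsu\nCipux_Use_Samba=no\n' > "$conf" )
    write_pw_file "$conf" "$out" && echo "wrote $out with mode $(mode_of "$out")"
    rm -f "$conf" "$out"
}

demo_pw
```

The permission check on the source file is deliberate: a password file with mode 0600 gains nothing if cipux.conf next to it is world-readable.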
Then we check some settings with
(26)
# cipux_maint_diagnostic pre
Now we have to change the ldap database by setting up the
corresponding CipUX structures. This is the most challenging task
in the process and may not be easily reversible!
That is what the backup is for.
What will the script do?
- move ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no
to ou=Machines,dc=skole,dc=skolelinux,dc=no
- add ou=CipUX,ou=People,dc=skole,dc=skolelinux,dc=no
- add some default objects: admin, and roles
- DELETE some other objects!!!
*============================[ WARNING ]============================*
||                                                                 ||
|| WARNING: This script is intended to run on a 'freshly'          ||
|| installed Debian-edu/Skolelinux 2.0 system                      ||
||                                                                 ||
*===================================================================*
Execute the following command:
(27)
# cipux_setup_ldap
and hopefully it will perform the work to change the ldap
database.
To test the installation run the diagnostic script.
(28)
# cipux_maint_diagnostic
Every test it reports should answer "ok".
HINT [2]: If you plan to migrate from WLUS, use this link:
http://skolelinux.de/wiki/CipUX/Skripte/Migration
3.3 The webmin setup
--------------------
The final thing to do is to make the webmin module CAT
accessible for the webmin user root.
Start a browser (konqueror won't work!)
User-hint: Konqueror works using https://localhost:10000 or
https://10.0.2.2:10000; other local addresses are
currently not in the proxy exception list (it should
be changed to contain .intern) and are not allowed
by the proxy.
(29)
$ mozilla-firefox
and switch off the proxy in the browser.
(30)
Edit -> Preferences -> General -> Connection Settings ...
-> "Direct connection to the Internet" -> <OK>
Enter the following URL (location, address) into the
browser's location bar:
(31)
https://cipux:10000
A certificate dialog will pop up (webmin's certificate is self-signed) ...
(32)
select "Accept this certificate permanently"
(33)
<OK>
Another dialog appears:
"You have requested an encrypted page. The website has
identified itself correctly, and information you see or
enter on this page can easily be read by a third party."
[...]
(34)
<OK>
(35)
Username: root
Password: himitsu
<Login>
(use _your_ root password instead of "himitsu"!)
(36)
<never for this site>
(37)
go to Webmin -> Webmin Users -> root
(38)
select System -> CipUX Administration Tool
(39)
press "save" button
New in 3.2.9:
If you want your users to be able to change their password with
userdata.cgi you have to do the following:
* As the user root, as before, give the webmin user "pam" the
Webmin CAT module.
New in 3.2.9:
If you want to use the application form module (new in 3.2.9) inside
your institution without a password (it doesn't make sense with a
password) you have to do the following:
* create a webmin user 'applicationform'
* in the webmin configuration, grant anonymous access (as the user
applicationform) to exactly these URLs and no others:
/cat/applicationform.cgi
/cat/images
3.4 Enter CAT
--------------
In webmin you have to go to
(40)
Webmin Index -> System -> CipUX Administration Tool
3.5 First steps
---------------
If you plan to use Samba, please read 4.1 first.
When you log in to CAT for the first time only the setup
module (setup.cgi) is available. You may use this as root
or cipadmin.
Follow the setup questions. After finishing the setup,
other modules will become available depending on the setup.
If you now want to create a user, you will fail because
some objects do not exist yet. So please create the following
objects first:
(A) create a new group/course (example: class84) with
the CAT module "groups"
(German: "Gruppen")
(B) create a private skel with "skeladmin"
(German: "Vorlage Verzeichnis (skel)")
After these objects have been created you may add a
new user with "User Support Service"
(German: "Benutzerbetreuung")
4 Additional system configuration
-----------------------------------
The additional system configuration is optional and does not
have to be done on every system.
4.1 Samba configuration
-----------------------
CipUX may be used in conjunction with Samba. These steps should
be carried out to make CipUX respect the additional features for
Samba. Note that this section does not cover Samba-specific problems.
This section should be applied before the creation of users,
groups or workstations.
* Enable Samba in CipUX
(1)
# vim /etc/cipux/cipux.conf
Change
Cipux_Use_Samba=no
to
Cipux_Use_Samba=yes
* Edit the Samba configuration and check or change smb.conf.
(2)
# vim /etc/samba/smb.conf
Change
ldap machine suffix = ou=Machines,ou=People
to
ldap machine suffix = ou=Machines
On Sarge this should work:
passdb backend = ldapsam:ldaps://ldap
On Woody this may work (if you disabled crypted connections):
passdb backend = ldapsam:ldap://ldap
ldap ssl = start_tls
Change the machine creation script
add machine script = /etc/samba/smbaddclient.pl %u
to
add machine script = /usr/bin/cipux_add -m --attribute uid='%u'
* check if the group "machines" exists:
(3)
# id machines
should give
(4)
uid=900(machines) gid=900(machines) groups=900(machines),10000(none)
If (3) failed you should add a group called "machines":
(5)
# groupadd -g 900 machines
Note: this group might go into LDAP in the future.
* (This is not tested, remarks welcome) Change pam_ldap.conf
This may only be important under the following condition:
User-hint: With the current configuration tools you will lose your
changes on the next upgrade if you change the ldap
settings by hand as described here. Use
dpkg-reconfigure instead.
Example: You create a new Windows machine: ws24$
If the command id 'ws24$' does not result in a line like
uid=10936(ws24$) gid=900(machines) groups=900(machines)
you should solve the problem by editing pam_ldap.conf.
(The numbers may be different.)
A typo has been fixed here:
(6)
# vim /etc/pam_ldap.conf
Change
# The distinguished name of the search base.
# base dc=example,dc=net
base ou=People,dc=skole,dc=skolelinux,dc=no
to
# The distinguished name of the search base.
# base dc=example,dc=net
base dc=skole,dc=skolelinux,dc=no
(7) Enable samba PDC with LDAP
In /etc/ldap/slapd.conf change all occurrences of
ou=Machines,ou=People,
to
ou=Machines,
(the trailing comma stays, so that the rest of the DN still follows)
(8) Create some default groups if you want to use the logon.bat
features:
Add the groups 'cipan' and 'sources' with CAT.
cipan: Samba share to store applications.
Every user will get this share as drive I:
sources: Samba share where cipadmin may store CDs.
cipadmin will get this share as drive J:
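After the manual edits in (2) it is worth checking that the three settings actually took effect in the [global] section: a value left at the old setting, or placed under another section, silently keeps the old behaviour. The script below is an added example, not part of CipUX or Samba: a small section-aware reader for smb.conf that reports which of the expected values are missing. It compares parameter names the way Samba does (case-insensitively, with internal whitespace collapsed). The sample file is constructed; on tjener run check_cipux_smb against /etc/samba/smb.conf. It does not replace testparm, which additionally validates the syntax.

```shell
#!/bin/sh
# Added example, not part of CipUX or Samba: check the smb.conf settings
# that CipUX expects, reading only the [global] section.

# smb_global FILE PARAM -> print the value of PARAM from [global]; names are
# compared case-insensitively with whitespace collapsed; prints nothing if
# PARAM is not set in [global] (a value in another section does not count)
smb_global() {
    awk -F= -v want="$2" '
        BEGIN { want = tolower(want); gsub(/^[ \t]+|[ \t]+$/, "", want); gsub(/[ \t]+/, " ", want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; gsub(/[^a-zA-Z0-9]/, "", sec); sec = tolower(sec); next }
        sec == "global" && NF >= 2 {
            name = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/[ \t]+/, " ", name)
            if (name == want) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_one FILE PARAM EXPECTED -> print ok/MISSING, exit 0 only on a match
check_one() {
    got=$(smb_global "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok      $2 = $got"
    else
        echo "MISSING $2 (expected: $3, found: ${got:-<unset>})"
        return 1
    fi
}

# check_cipux_smb FILE -> exit 0 only if all three settings from (2) are present
check_cipux_smb() {
    rc=0
    check_one "$1" "ldap machine suffix" "ou=Machines" || rc=1
    check_one "$1" "passdb backend" "ldapsam:ldaps://ldap" || rc=1
    check_one "$1" "add machine script" "/usr/bin/cipux_add -m --attribute uid='%u'" || rc=1
    return $rc
}

# Demonstration on a constructed smb.conf that still has the old values in
# [global]; the correct suffix under [homes] must not be mistaken for them.
demo_smb() {
    f="${TMPDIR:-/tmp}/smb.conf.demo.$$"
    cat > "$f" <<'EOF'
[global]
   workgroup = SKOLELINUX
   passdb backend = ldapsam:ldaps://ldap
   ldap suffix = dc=skole,dc=skolelinux,dc=no
   ldap machine suffix = ou=Machines,ou=People
   add machine script = /etc/samba/smbaddclient.pl %u
[homes]
   ldap machine suffix = ou=Machines
EOF
    check_cipux_smb "$f" || echo "smb.conf still needs the changes from (2)"
    rm -f "$f"
}

demo_smb
```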
4.2 CipUX-Deploy (after 3.2.9)
------------------------------
The CipUX deploy module is not part of 3.2.8.
4.2.1 Install tftpd-hpa
# apt-get install tftpd-hpa
Ignore the error message during the install; we run tftpd
standalone, not from inetd.
Edit the file
# vim /etc/default/tftpd-hpa
#Defaults for tftpd-hpa
RUN_DAEMON="yes"
#OPTIONS="-l -s /var/lib/tftpboot"
OPTIONS=" -l -v -v -v -c -p -U 007 -u cipux -a 192.168.0.254 -s /var/lib/tftpboot "
The options mean: -l listen standalone, -v (three times) verbose
logging, -c allow clients to create new files, -p perform no
permission checks beyond the system's own, -U 007 umask for created
files, -u cipux run as that user, -a 192.168.0.254 bind to that
address only, -s chroot into /var/lib/tftpboot.
Because of -c and -p, any host that can reach the tftp port on
192.168.0.254 can write into every directory under the chroot that
the user cipux may write to. That is why only the cipux
subdirectories below are chowned to that user; do not make the rest
of /var/lib/tftpboot writable for it.
# id cipux
If the user cipux does not exist, create it now:
# groupadd -g 200 cipux
# useradd -u 200 -g 200 -d /var/lib/tftpboot -s /bin/false cipux
# chown cipux /var/lib/tftpboot/cipux
# chown cipux /var/lib/tftpboot/cipux/conf
# chown cipux /var/lib/tftpboot/cipux/script
# /etc/init.d/inetd stop
# /etc/init.d/tftpd-hpa start
* remove inetd from the default runlevel
* add tftpd-hpa to the default runlevel
