Differences between revisions 1 and 20 (spanning 19 versions)
Revision 1 as of 2006-04-15 00:43:36
Size: 20871
Comment: init
Revision 20 as of 2008-02-10 02:06:42
Size: 10076
Comment: CipUX is generic, not something specific to DebianEdu.
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= CipUX 3.2.x Installation Guide for Debian-Edu/Skolelinux =
{{{
               CipUX 3.2.x installation guide
                   for Debian-Edu/Skolelinux


                         Original by
                      Christian Kuelker
                         2005-08-01


                  License GFDL (No invariant sections.)

Revision 0.1 2005-08-01 by Christian Kuelker (init)
Revision 0.2 2005-08-11 by Christian Kuelker (add chapter 2)
Revision 0.3 2005-08-12 by Christian Kuelker (add Chapter 3)
Revision 0.4 2005-08-12 by Patrick Willam (several checks, "wording")
Revision 0.5 2005-08-12 by Holger Sicking (typo)
Revision 0.6 2005-08-12 by Christian Kuelker (/etc/hosts correction)
Revision 0.7 2005-08-12 by Patrick Willam (aptitude, backup)
Revision 0.8 2005-08-12 by Christian Kuelker (First steps)
Revision 0.9 2005-08-12 by Radi Wieloch (errors, numbers, orthography, grammar)
Revision 1.0 2005-08-12 by Christian Kuelker (repository changed)
Revision 1.1 2005-08-17 by Ralf Gesellensetter (warning)
Revision 1.2 2005-08-19 by Christian Kuelker (correct Revison, warning)
Revision 1.3 2005-08-19 by Christian Kuelker (change first steps)
Revision 1.4 2005-08-23 by Christian Kuelker (add cipux_maint_diagnostic pre)
Revision 1.5 2005-09-03 by Christian Kuelker (add CAT setup)
Revision 1.6 2005-09-07 by Christian Kuelker (add Samba configuration)
Revision 1.7 2005-09-07 by Christian Kuelker (add Samba in cipux.conf)
Revision 1.8 2005-09-15 by Michael Stamm (LDAP schema include place)
Revision 1.9 2005-09-21 by Georg Damm (correct backup-path)
Revision 2.0 2005-10-06 by Christian Kuelker (correct Samba install, add script)
Revision 2.1 2005-10-06 by Christian Kuelker (samba access rights for LDAP)
Revision 2.2 2005-10-25 by Christian Kuelker (samba default groups)
Revision 2.3 2005-11-01 by Juergen Leibner (correct /etc/pam_ldap.conf)
Revision 2.4 2005-11-05 by Christian Kuelker (application form installation)
Revision 2.5 2005-11-24 by Patrick Willam (minor enhancements, clearifications)
Revision 2.6 2005-11-25 by Georg Damm (hints to change WLUS-users to CipUX-users)
Revision 2.7 2005-11-26 by Christian Kuelker (clearifications)
Revision 2.8 2005-12-31 by Christian Gatzemeier (div. corrections and alternatives)
Revision 2.9 2006-01-27 by Martin Herweg (install on pr06,image-deploy for fat clients)
Revision 3.0 2006-04-08 by Christian Kuelker (ftp_proxy)
Revision 3.1 2006-04-14 by Christian Kuelker (move to debian-wiki, some simplifications)

Contents:

1 Preparing the Debian-Edu/Skolelinux system
1.1 Upgrading the LDAP server with CipUX schema
1.2 Prepare the CipUX package install process

2 Installing the CipUX framework packages

3 System configuration
3.1 Configuring the LDAP
3.2 Configure the CipUX framework
3.3 The webmin setup
3.4 Enter CAT
3.5 First steps

4 Additional system configuration
4.1 Samba configuration
4.2 CipUX-deploy

1 Preparing the Debian-Edu/Skolelinux system
----------------------------------------------

    This manual is for the installation of CipUX 3.2.8 on a freshly
    installed Debian-edu/Skolelinux 2.0 with main server profile.


    *============================[ WARNING ]============================*
    || ||
    || WARNING: Do not use CipUX on a productive Debian-edu/Skolelinux ||
    || system, if you already have added users by means of WLUS ||
    || (webmin-ldap-user-simple)! ||
    || The installation will not delete your users, but this is not a ||
    || migration manual and therefore the resulting LDAP datababase is ||
    || going to be unuseable for a productive environment. ||
    || ||
    *===================================================================*


    To install CipUX you will also need a working internet
    connection!

    Almost all(!) steps in this installation manual have to be done on
    the machine which has been installed with the main server profile!
    This maschine identifies itself by the name "tjener".

    The only(!) steps that may also be done by using another machine
    are the few ones that are done by using a web-browser.

    Conventions in this manual:

    CTRL = press the control key
    CTRL-c press the control key, hold it, and press the c key

    $ = you may execute this command as any user
    # = you have to execute this command as root user

    (1)...(x) are command and output numbers and are used for
    references, they are not intended to be written.

    <OK> means pressing the button "OK".

    vim (you may use you favorite editor here)

    User-hint: (Some not tested advice from users)


1.1 Upgrading the LDAP server with CipUX schema
-----------------------------------------------

   Valid DNS names "ldap" and "cipux" are necessary.

   You need a valid name resolution for the ldap server
   and the host name cipux.

   Insert the name cipux into the /etc/hosts file by changing
   the line:

   (1)
   127.0.0.1 localhost

   to

   127.0.0.1 localhost cipux

      Userhint: Better and easy to do: Define a new cname (cannonical
                name). Webmin ->Servers ->Bind DNS ->intern.
                Zone ->Name Alias (Name: cipux Real Name: tjener)
                An ldap cname already exists in skolelinux.

   You also need the resolution of the name ldap. Usually it
   should be resolved by the local DNS server.

   It can be tested with the command:

   (2)
   $ ping ldap

   This should produce output like this:

   (3)
   PING localhost (127.0.0.1) 56(84) bytes of data.
   64 bytes from tjener.intern (10.0.2.2): icmp_seq=1 ttl=64 time=0.069 ms
   64 bytes from tjener.intern (10.0.2.2): icmp_seq=2 ttl=64 time=0.070 ms
   64 bytes from tjener.intern (10.0.2.2): icmp_seq=3 ttl=64 time=0.068 ms

   (4)
   Cancel with CTRL-c

   If there is output like

   (5)
   ping: unknown host ldap

   this means, that the computer can't know his own name as ldap,
   which should be the case for the server. A quick workaround for
   ipv4 networks is to edit the file /etc/hosts and change the line:

   (6)/etc/hosts
   127.0.0.1 localhost cipux

   to

   127.0.0.1 localhost ldap cipux


   Repeat the commands (2) and (6) until you receive the
   output of (3).


1.2 Prepare the CipUX package install process
---------------------------------------------

   Edit the file /etc/apt/sources.list and add the following lines:

   (7)/etc/apt/sources.list
   deb http://debian.cipworx.org/ sid main contrib non-free
   deb http://ftp.debian.org/debian/ sarge main contrib non-free

   Then switch off the proxy by typing

   (8)
   export http_proxy=""
   export ftp_proxy=""

2 Installing the CipUX framework packages
-------------------------------------------

   Execute these commands as root:

   (9)
   # ping debian.cipworx.org

   (10)
   # CTRL-c

   (11)
   # aptitude update

   (12) On some systems it must be done twice. (Ask a Debian guru why!)
   # aptitude update

   (13)
   # aptitude install cipux-common cipux-cibot cipux-cat-webmin


3 System configuration
-------------------------

3.1 Configuring the LDAP
--------------------------

    First of all we need a well configured LDAP server and just
    to be save a backup.

    We look if the ldap server is started:

    (14)
    # ps ax | grep slapd | grep -v grep

    This should produce output like:

    (15)
    2890 ? Ss 0:00 /usr/sbin/slapd -h ldap:/// ldaps:///

    This means the ldap server is running. So we stop it with:

    (16)
    # /etc/init.d/slapd stop

    We have to be sure that the ldap server is stopped. So if
    we execute (14) again it should not generate any output.

    Then we make a temporary backup, which may only be used for
    this ldap version. We execute the archive program:

    (17)
    # tar cvjf /skole/backup/tmp_backup_ldap.tar.bz2 /var/lib/ldap


    Backup Restore (Only if you need it!)
    +------------------------------------------------------------------+
    | If you want to restore your ldap data later, you may write the |
    | backup back (when the ldap server is NOT running!) with: |
    | |
    | (18) |
    | # /etc/init.d/slapd stop |
    | # rm -r /var/lib/ldap |
    | # cd / |
    | # tar xvjf /skole/backup/tmp_backup_ldap.tar.bz2 |
    | # /etc/init.d/slapd start |
    +------------------------------------------------------------------+

    Now we edit /etc/ldap/slapd.conf and add a new include line
    (at the END of the other includelines):

    (19)
    # vim /etc/ldap/slapd.conf
    include /etc/ldap/schema/cipux.schema

    *============================[ WARNING ]============================*
    || ||
    || WARNING: You might like CipUX so much that you probably put the ||
    || include in front of the other includes. But: don't do that! ||
    || You will get errors about the not known attribute uid. ||
    || ||
    *===================================================================*

    We start the ldap server again with:

    (20)
    # /etc/init.d/slapd start

    And check if its started with (14). It should produce output
    like (15).

3.2 Configure the CipUX framework
-----------------------------------

    First of all we are on a Debian-edu/Skolelinux system,
    therefore we have to tell this to the CipUX framework by
    editing /etc/cipux/system.conf and change

    (21)
    # vim /etc/cipux/system.conf
    Customer = default

    to

    Customer = skolelinux

    Then you have to grant CipUX the access to the ldap server.
    On Debian-edu the already set root password is also the LDAP
    password. (It's NOT a new password!)
    We have to edit /etc/cipux/cipux.conf and change one line.
    If your LDAP pasword is "himitsu" you will have to change

    (22)
    # vim /etc/cipux/cipux.conf
    Ldap_Password=secret

    to

    Ldap_Password=himitsu

    (Use _your_ actual LDAP password instead of "himitsu"!)

    And only IF you also want to use Samba change

    Cipux_Use_Samba=no

    to
    
    Cipux_Use_Samba=yes

    After this we have to test the access to the ldap server:
    (paste this into one command line with propper spaceing)

    (23)
    # /usr/bin/ldapsearch -x -p 389 -h localhost -ZZ -w 'himitsu' -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL

    (Again: use _your_ LDAP password instead of "himitsu"!)

    If we get:

    (24)
    ldap_bind: Invalid credentials (49)

    The LDAP password was wrong.

    (Check for the command line syntax, the LDAP password
     and if the LDAP password is shell save)
    

    If we get:

    (25)
    dn: uid=root,ou=People,dc=skole,dc=skolelinux,dc=no
    objectClass: sambaSamAccount
    objectClass: account
    uid: root
    sambaSID: S-1-5-21-2697446647-283449030-1896125139-1000

    everything is ok. (The sambaSID may be different.)

    HINT [1]: If you plan to migrate from WLUS, use this link:
    http://skolelinux.de/wiki/CipUX/Skripte/Migration

    Then we check some settings by

    (26)
    # cipux_maint_diagnostic pre

    Now we have to change the ldap database by setting up the
    according CipUX structures. This is the most challenging task
    in the process and may not easily be reversible!
    Therefore the backup.

    What will the script do?
     - move ou=Machines,ou=People,dc=skole,dc=skoelinux,dc=no
       to ou=Machines,dc=skole,dc=skoelinux,dc=no
     - add ou=CipUX,ou=People,dc=skole,dc=skoelinux,dc=no
     - add some default objects: admin, and roles
     - DELETE some other objects!!!

    *============================[ WARNING ]============================*
    || ||
    || WARNING: This script is intended to run on a 'freshly' ||
    || installed Debian-edu/Skolelinux release/ system ||
    || ||
    *===================================================================*

    Execute the following command:

    (27)
    # cipux_setup_ldap

    and hopefully it will perform the work to change the ldap
    database.

    To test the installation run the diagnostic script.

    (28)
    # cipux_maint_diagnostic

    It should only generate tests with answers "ok".

    HINT [2]: If you plan to migrate from WLUS, use this link:
    http://skolelinux.de/wiki/CipUX/Skripte/Migration

3.3 The webmin setup
--------------------

    The final thing to do is to make the webmin module CAT
    accessible for the webmin user root.

    Start a browser (konqueror won't work!)

    User-hint: Konqueror works using https://localhost:10000 or
               https://10.0.2.2:10000, other local addresses are
               currently not in the proxy exception list (should
               be changed to contain .intern.) and not allowed
               in the proxy.

    (29)
    $ mozilla-firefox

    and switch off the proxy in the browser.

    (30)
    Edit -> Preferences -> General -> Connection Settings ...
      -> "Dircect connection to the Internet"-> <OK>

    Enter the following URL (location, address) into the
    browser's location bar:

    (31)
    https://cipux:10000

    A certification dialog will pop up ...

    (32)
    select "Accept this certificate permanently"

    (33)
    <OK>

    Another dialog appears:
    "You have requested an encrypted page. The website has
     identified itself correctly, and information you see or
     enter on this page can easily be read by a third party."
     [...]

    (34)
    <OK>

    (35)
    Username: root
    Password: himitsu
    <Login>

    (use _your_ root password instead of "himitsu"!)

    (36)
    <never for this site>

    (37)
    go to Webmin -> Webmin Users -> root

    (38)
    select System -> CipUX Administration Tool

    (39)
    press "save" button

    New in 3.2.9:
    If you want your users to be able to change there password with
    userdata.cgi you have to do the following:

    * As the user root before, give the webmin user "pam" the
      Webmin CAT module.

    New in 3.2.9:
    If you want to use the application form module (new in 3.2.9) inside
    your institution without password (it doesnt mak sense with a password)
    you have to do the following:

    * create a webmin user 'applicationform'

    * add in webmin configuration:
      anonymous user access the to URLs to the user applicationform for:
  
      /cat/applicationform.cgi
      /cat/images

3.4. Enter CAT
--------------
    In webmin you have to go to

    (40)
    Webmin Index -> System -> CipUX Administration Tool

3.5 First steps
---------------

  If you plan to use Samba, please read 4.1 first.

  When you log in to CAT for the first time only the setup
  module (setup.cgi) is availible. You may use this as root
  or cipadmin.

  Follow the setup questions. After finishing the setup
  other modules will become availible depending on the setup.

  If you now want to create an user, you will fail because
  some objects do not exist yet. So please create the following
  objects first:

   (A) create a new group/course (example: class84 ) with
       the CAT module "groups"
       (German: "Gruppen")

   (B) create a private skel with "skeladmin"
       (German: "Vorlage Verzeichnis (skel)")

  After these object creations are done you now may add a
  new user with "User Support Sevice"
  (German: "Benutzerbetreuung")


4 Additional system configuration
-----------------------------------

  The additional system configuration is optional and doesn't have
  do be done on every system.


4.1 Samba configuration
-----------------------

  CipUX may be used in conjunction with samba. These steps should
  be processed to get CipUX respect the additional features for
  Samba. Note that this section does not cover specific Samba problems.
  This section should be applied before the creation of users or
  groups or workstations.


  * Enable Samba in CipUX

  (1)
  # vim /etc/cipux/cipux.conf

  Change
   
    Cipux_Use_Samba=no

  to

    Cipux_Use_Samba=yes


  * Edit the Samba configuration and check or change smb.conf.

  (2)
  # vim /etc/samba/smb.conf

   Change
   
     ldap machine suffix = ou=Machines,ou=People

   to
   
     ldap machine suffix = ou=Machines


   On Sarge this should work:
   
     passdb backend = ldapsam:ldaps://ldap

   On Woody this may work (if you disabled crypted connections):
   
     passdb backend = ldapsam:ldap://ldap
     ldap ssl = start_tls
    
   Change the machine creation
   
     add machine script = /etc/samba/smbaddclient.pl %u
   
   to

      add machine script = /usr/bin/cipux_add -m --attribute uid='%u'


   * check if the group "machine" exists:
     
   (3)
   # id machines

   should give

   (4)
   uid=900(machines) gid=900(machines) groups=900(machines),10000(none)

   If (3) failed you should add a group called "machines":

   (5)
   # groupadd -g 900 machines

   Note: this group might go into LDAP in the future.
## page was renamed from DebianEdu/CipUX/Installation
##cipuxfirstlevelpage

||||<: tablewidth="100%" tablestyle=""rowbgcolor="#dddddd"rowstyle=""style="text-align: left;">'''CipUX'''||
||||<:rowbgcolor="#dddddd"rowstyle=""> Installtion of CipUX ||
||<(rowbgcolor="#dddddd"rowstyle=""> [[TableOfContents]] || [[Navigation(children,5)]] ||


= CipUX Installation 3.4.x for DebiaEdu =

{{{
This is under development for now. Do not install on productive systems,
as long this remark is here.
}}}

Choose a fresh installed DebianEdu (Etch/Lenny)

(1)

edit /etc/apt/sources.list

add:
{{{
 deb http://debiantest.cipux.org/ sid main
}}}

Type this commands:
 * aptitude install cipux-common
 * aptitude install cipux-ldap
 * aptitude install cipux-object
 * aptitude install cipux-task
 * /usr/sbin/cipux_setup -svnD 129
 * vim /etc/pam_ldap.conf

change
{{{
base ou=People,dc=skole,dc=skolelinux,dc=no
}}}
to
{{{
base dc=skole,dc=skolelinux,dc=no
}}}

 * vim /etc/libnss-ldap.conf

change
{{{
nss_base_passwd ou=People,
}}}
to
{{{
nss_base_passwd ou=People,
nss_base_passwd ou=CipUX,
}}}



 * aptitude install cipux-rpc

Use login cipadmin and known password to test the RPC server:
 * cipux_rpc_test_client
 * aptitude install cipux-cat-web
 * browse to http://localhost/cipux-cat-web/
 * login as "cipadmin" (password was given during installation)


= CipUX Installation 3.4.x for plain Debian =

{{{
This is under development for now. Do not install on productive systems,
as long this remark is here.
}}}

Choose a fresh installed Debian (Etch) with hostname cipux340 and
domain name example.net (!!!).

(1)

edit /etc/apt/sources.list

comment out something like this:
{{{
# deb cdrom:[Debian GNU/Linux 4.0 r2 _Etch_ - Offical i386 NETINST Binary-1 20080103-00:44]/ etch contrib main
}}}

add:
{{{
 deb http://debiantest.cipux.org/ sid main
}}}



(2)
Line 595: Line 95:
   * (This is not tested, remarks welcome) Change pam_ldap.conf
   This may only be important under the following condition:

   User-hint: With the current configuration tools you will lose your
              changes on the next upgrade if you change the ldap
              settings by hand as described here. Use
              dpkg-reconfigure.

   Example: You create a new windows machine: ws24$
   If the command id 'ws24$' does not result in a line like
   uid=10936(ws24$) gid=900(machines) groups=900(machines)
   you should solve the problem by editing pam_ldap.conf
   (The numbers may be different)

A typo has been fixed here:
   (6)
   # vim /etc/pam_ldap.conf

   Change
   
     # The distinguished name of the search base.
     # base dc=example,dc=net
     base ou=People,dc=skole,dc=skolelinux,dc=no
   
   to
     # The distinguished name of the search base.
     # base dc=example,dc=net
     base dc=skole,dc=skolelinux,dc=no

   (7) Enable samba PDC with LDAP
   
   In /etc/ldap/slapd.conf change all
      ou=Machines,ou=People,
   to
      ou=Machines

   (8) Create some default groups if you want to use some logon.bat
   Features:

   Add the groups 'cipan' and 'sources' with CAT.

   cipan: Samba share to store application.
   Every user will get this share as drive I

   sources: Samba share where cipadmin may store CDs.
   cipadmin will get this share as drive J


4.2 Cipux-Deploy (after 3.2.9)

The CipUX deploy module is not part of 3.2.8.

4.2.1 install tftpd-hpa

apt-get install tftpd-hpa

Ignore the error messsage during install, because we run tftpd standalone , not with inetd.

edit the file

# vim /etc/default/tftpd-hpa

   #Defaults for tftpd-hpa
   RUN_DAEMON="yes"
   #OPTIONS="-l -s /var/lib/tftpboot"
   OPTIONS=" -l -v -v -v -c -p -U 007 -u cipux -a 192.168.0.254 -s /var/lib/tftpboot "

# id cipux

If the user user does not exist, then create it now:

# groupadd -g 200 cipux
# useradd -u 200 -g 200 -d /var/lib/tftpboot -s /bin/false cipux

# chown cipux /var/lib/tftpboot/cipux
# chown cipux /var/lib/tftpboot/cipux/conf
# chown cipux /var/lib/tftpboot/cipux/script
# /etc/init.d/inetd stop
# /etc/init.d/tftpd-hpa start

 * remove inetd from the default runlevel
 * add tftpd-hpa to default runlevel

}}}

-----

 * If an error occurs: [:CipUX/Bugs:CipUX bugs and status]

 * How you can update to a new version: [:CipUX/Update:CipUX update]
Type this commands:

 * unset http_proxy (or set it correctly)
 * aptitude update
 * aptitude install cipux-common


{{{ Question 1 (Configuring slapd)
Please enter the password for the admin entry in your LDAP directory.

Admin password:

By default: empty

Correct answer: (choose one and remember it!)
}}}

 * aptitude install cipux-ldap

{{{
Question 2 (libnss-ldap)

Please enter the URI of the LDAP server used. This is a string in the form ldap://<hostname or IP>:<port>/ . ldaps:// or ldapi:// can also be used. The port number is optional.

Note: It is usually a good idea to use an IP address; this reduces risks of failure in the event name service is unavailable.

LDAP server Uniform Resource Identifier

By default: ldapi:///

Correct answer: ldap://127.0.0.1
}}}


{{{
Question 3 (libnss-ldap)

Please enter the distinguished name of the LDAP search base. Many sites use the components of their domain names for this purpose. For example, the domain "example.net" would use "dc=example,dc=net" as the distinguished name of the search base.

distinguished name of the search base

By default: dc=example.net,dc=net

Correct answer: dc=example.net,dc=net

}}}

{{{
 Question 4 (libnss-ldap)

Please enter which version of the LDAP protocol ldapns is to use. It is usually a good idea to set this to highest available version number.

LDAP version to use

By default: 2 or 3

Correct answer: 3
}}}


{{{
Question 5 (libnss-ldap)

This account will be used for nss requests with root privileges.

Note: For this to work the account needs permission to access the attributes in the LDAP directory that are related to the users

shadow entries as well as users' and groups' passwords.

LDAP account for root

By default: cn=manager,dc=example,dc=net

Correct answer: cn=admin,dc=example,dc=net
}}}


{{{
Question 6 (libnss-ldap)

Bitte geben sie das Passwort ein, das verwendet wird, wenn libnss-ldap sich mit dem LDAP-Zugang fuer root am LDAP-Verzeichnis anmeldet.

Das Passwort wird in einer eigenene Datei /etc/libnss-ldap.secret gespeichert, die nur fuer root lesbar ist.

Beleibt das Passwort leer, wird das alte Passwort wieder benutzt.

Passwort des LDAP-Zugangs fuer Root:

by default: empty
correct answer: (use password from above)

}}}

{{{
 Question 7 (libpam-ldap)

This option will allow you to make password utilities that use pam, to
behave like you would be changing local passwords.

The password will be stored in a sepereate file which will be made
readable to root only.

If you are using NFS mounted /etc or any other custom setup, you should
disable this.

Make local root Datatbase admin.

By default: YES (YES or NO)

Correct answer: YES
}}}



{{{
 Question 8 (libpam-ldap)

Choose this option if you can't retrieve entries from the datatbase
without logging in.

Note: Under normal setup, this not needed.

Does the LDAP database require login?

By default: NO (YES or NO)

Correct answer: NO
}}}

{{{

Questin 9 (libpam-ldap)

This account will be used when root changes a password.

Note: This account has to be a privileged account.

LDAP account for root:

By default: cn=manager,dc=example,dc=net

Correct answer: cn=admin,dc=example,dc=net


}}}

{{{

Question 10 (libpam-ldap)

Please enter the password for the admin entry in your LDAP directory.

Admin password:

By default: empty

Correct answer: (choose one and remember it!)

}}}



 * aptitude install cipux-object
 * aptitude install cipux-task

Add "ldap" and "files" to the following services in /etc/nsswitch.conf
and comment out "compat"

{{{

passwd: files ldap
group: files ldap
shadow: files ldap
netgroup: files ldap
automount: files ldap
# passwd: compat
# group: compat
# shadow: compat

}}}

 * /etc/init.d/nscd restart
 * /usr/sbin/cipux_setup -svnD 129
 * aptitude install cipux-rpc
 * cipux_rpc_test_client (give cipadmin and password)
 * aptitude install cipux-cat-web
 * browse to http://localhost/cipux-cat-web/
 * login as "cipadmin" (password was given during installation)


Remarks:
 * aptitude install ... leads to a warning message as the buildserver does not sign its packages with a gpg key


= CipUX Automatic Setup 3.4.x (TODO) =

This chapter is intended for integrators or developers who would like to
deploy CipUX on their distribution or LiveCD. So this page contains
several methods to install CipUX.

== apt-getting debs ==

You can fetch the debian packages of cipux from last svn-revision with the following entry in your sources list.
Every half hour, the packages are build if there was any commit to svn-repository, so here you will get the very latest ones.
This location is also available by browser via http://debiantest.cipux.org

{{{
 deb http://debiantest.cipux.org/ sid main
}}}

Get the package list
   * aptitude update

== Setup process description ==

   * The first setup is done via the package cipux-cibot

   Within the package cipux-cibot a script can be found to add
   * administrator
   * schema
   * ACL
   * PAM
   * add default CipUX objects
   * add default CipUX values
   * move some object if necessary
   * delete some objects if necessary

   (it is a good idea to install also cipux-common and cipux-profile for that)

== Attended installation procedure ==

 * see CipUX installation above

== Unattended installation procedure ==

 * (1) add the following files
   * mkdir -p /etc/cipux; chmod 700 /etc/cipux; chown root:root /etc/cipux;
   * echo -n "secret" > /etc/cipux/ldappassword.conf (cipuxadm password)
   * chmod 400 /etc/cipux/ldappassword.conf
   * chown root:root /etc/cipux/ldappassword.conf
   * echo -n "DISTRIBUTION" > /etc/cipux/system.conf (distribution: debian, debian-edu, ...)
   * chmod 400 /etc/cipux/system.conf
   * chown root:root /etc/cipux/system.conf
 * (2) aptitude install cipux-common cipux-cibot cipux-profile
 * (3) /usr/share/cipux/sbin/cipux_setup -sn
 * (4) aptitude install cipux-rpc cipux-cat-webim

Remarks:

     Profile:
     * install cipux-profile BEFORE running cipux_setup
     * run: /usr/share/cipux/sbin/cipux_setup -sn -p PROFILE
     * list of supported profiles can be get with:
       ls /usr/share/cipux/sbin/cipux_profile_*
     * if there is no profile suitable for you, create one.
     * if you have created one, please share that with the community.

     System:
     * supported distributions for now are:
       * debian-edu
       * debian
       * ubuntu (in the future, please ask: christian@skolelinux.de)
       * edubuntu (in the future, please ask: christian@skolelinux.de)
     * example: echo -n "debian" > /etc/cipux/system.conf


== Customization for (jet) unsupported Distributions ==

 * get in contact with one of:
   * christian@skolelinux.de
   * x.oswald@free.fr
 * join #cipux
 * add a customer in /etc/cipux/customer.conf
 * add a customer to cipux.conf
 * probably change LDAP values in cipux.conf
 * check all pathes for executables
 * check LPREF variable in top level Makefile
 * do test it on fresh installed systems



= Other CipUX Installation Guides =

Installation guides for different Debian and Debian-Edu/Skolelinux releases. For Updates
please read the [:DebianEdu/CipUX/Update:update page].

== On Debian (Etch) , Debian-Edu/ Skolelinux 3.0 ==

 * This, page: see above

== Older installation guides ==

 * [:DebianEdu/CipUX/Installation/3.2.10:Installation guide for 3.2.10]
 * older installation guides can be found here: http://wiki.cipux.org/Archive

== Debian-Edu/ Skolelinux 1.0 (Venus) ==

 * [:DebianEdu/CipUX/Installation/3.2.0:Installation guide for 3.2.0]
 * older installation guides can be found here: http://wiki.cipux.org/Archive

 




 
||<tablestyle=""tablewidth="99%"rowbgcolor="#7fa0cf"> [[Navigation(siblings,1)]] ||

CipUX

Installtion of CipUX

?TableOfContents

?Navigation(children,5)

CipUX Installation 3.4.x for DebiaEdu

This is under development for now. Do not install on productive systems, 
as long this remark is here.

Choose a fresh installed DebianEdu (Etch/Lenny)

(1)

edit /etc/apt/sources.list

add:

 deb http://debiantest.cipux.org/ sid main

Type this commands:

  • aptitude install cipux-common
  • aptitude install cipux-ldap
  • aptitude install cipux-object
  • aptitude install cipux-task
  • /usr/sbin/cipux_setup -svnD 129
  • vim /etc/pam_ldap.conf

change

base ou=People,dc=skole,dc=skolelinux,dc=no

to

base dc=skole,dc=skolelinux,dc=no
  • vim /etc/libnss-ldap.conf

change

nss_base_passwd ou=People,

to

nss_base_passwd ou=People,
nss_base_passwd ou=CipUX,
  • aptitude install cipux-rpc

Use login cipadmin and known password to test the RPC server:

  • cipux_rpc_test_client
  • aptitude install cipux-cat-web
  • browse to http://localhost/cipux-cat-web/

  • login as "cipadmin" (password was given during installation)

CipUX Installation 3.4.x for plain Debian

This is under development for now. Do not install on productive systems, 
as long this remark is here.

Choose a fresh installed Debian (Etch) with hostname cipux340 and domain name example.net (!!!).

(1)

edit /etc/apt/sources.list

comment out something like this:

# deb cdrom:[Debian GNU/Linux 4.0 r2 _Etch_ - Offical i386 NETINST Binary-1 20080103-00:44]/ etch contrib main

add:

 deb http://debiantest.cipux.org/ sid main

(2)

Type this commands:

  • unset http_proxy (or set it correctly)
  • aptitude update
  • aptitude install cipux-common

{{{ Question 1 (Configuring slapd) Please enter the password for the admin entry in your LDAP directory.

Admin password:

By default: empty

Correct answer: (choose one and remember it!) }}}

  • aptitude install cipux-ldap

Question 2 (libnss-ldap)

Please enter the URI of the LDAP server used. This is a string in the form ldap://<hostname or IP>:<port>/ . ldaps:// or ldapi:// can also be used. The port number is optional.

Note: It is usually a good idea to use an IP address; this reduces risks of failure in the event name service is unavailable.

LDAP server Uniform Resource Identifier

By default:     ldapi:///

Correct answer: ldap://127.0.0.1

Question 3 (libnss-ldap)

Please enter the distinguished name of the LDAP search base. Many sites use the components of their domain names for this purpose. For example, the domain "example.net" would use "dc=example,dc=net" as the distinguished name of the search base.

distinguished name of the search base

By default:     dc=example.net,dc=net

Correct answer: dc=example.net,dc=net

 Question 4 (libnss-ldap)

Please enter which version of the LDAP protocol ldapns is to use. It is usually a good idea to set this to highest available version number.

LDAP version to use

By default: 2 or 3

Correct answer: 3

Question 5 (libnss-ldap)

This account will be used for nss requests with root privileges.

Note: For this to work the account needs permission to access the attributes in the LDAP directory that are related to the users

shadow entries as well as users' and groups' passwords.

LDAP account for root

By default: cn=manager,dc=example,dc=net

Correct answer: cn=admin,dc=example,dc=net

Question 6 (libnss-ldap)

Bitte geben sie das Passwort ein, das verwendet wird, wenn libnss-ldap sich mit dem LDAP-Zugang fuer root am LDAP-Verzeichnis anmeldet. 

Das Passwort wird in einer eigenene Datei /etc/libnss-ldap.secret gespeichert, die nur fuer root lesbar ist.

Beleibt das Passwort leer, wird das alte Passwort wieder benutzt.

Passwort des LDAP-Zugangs fuer Root:

by default: empty
correct answer: (use password from above)

 Question 7 (libpam-ldap)

This option will allow you to make password utilities that use pam, to 
behave like you would be changing local passwords.

The password will be stored in a sepereate file which will be made 
readable to root only. 

If you are using NFS mounted /etc or any other custom setup, you should 
disable this.

Make local root Datatbase admin.

By default: YES  (YES or NO)

Correct answer: YES

 Question 8 (libpam-ldap) 

Choose this option if you can't retrieve entries from the datatbase
without logging in.

Note: Under normal setup, this not needed.

Does the LDAP database require login?

By default: NO  (YES or NO)

Correct answer: NO

Questin 9 (libpam-ldap)

This account will be used when root changes a password.

Note: This account has to be a privileged account. 

LDAP account for root:

By default: cn=manager,dc=example,dc=net

Correct answer: cn=admin,dc=example,dc=net

Question 10 (libpam-ldap)

Please enter the password for the admin entry in your LDAP directory.

Admin password:

By default: empty

Correct answer: (choose one and remember it!)
  • aptitude install cipux-object
  • aptitude install cipux-task

Add "ldap" and "files" to the following services in /etc/nsswitch.conf and comment out "compat"

passwd:         files ldap
group:          files ldap
shadow:         files ldap
netgroup:       files ldap
automount:      files ldap
# passwd:         compat
# group:          compat
# shadow:         compat
  • /etc/init.d/nscd restart
  • /usr/sbin/cipux_setup -svnD 129
  • aptitude install cipux-rpc
  • cipux_rpc_test_client (give cipadmin and password)
  • aptitude install cipux-cat-web
  • browse to http://localhost/cipux-cat-web/

  • login as "cipadmin" (password was given during installation)

Remarks:

  • aptitude install ... leads to a warning message as the buildserver does not sign its packages with a gpg key

CipUX Automatic Setup 3.4.x (TODO)

This chapter is intended for integrators or developers who would like to deploy CipUX on their distribution or LiveCD. So this page contains several methods to install CipUX.

apt-getting debs

You can fetch the debian packages of cipux from last svn-revision with the following entry in your sources list. Every half hour, the packages are build if there was any commit to svn-repository, so here you will get the very latest ones. This location is also available by browser via http://debiantest.cipux.org

 deb http://debiantest.cipux.org/ sid main

Get the package list

  • aptitude update

Setup process description

  • The first setup is done via the package cipux-cibot Within the package cipux-cibot a script can be found to add
  • administrator
  • schema
  • ACL
  • PAM
  • add default CipUX objects
  • add default CipUX values
  • move some object if necessary
  • delete some objects if necessary (it is a good idea to install also cipux-common and cipux-profile for that)

Attended installation procedure

  • see CipUX installation above

Unattended installation procedure

  • (1) add the following files
    • mkdir -p /etc/cipux; chmod 700 /etc/cipux; chown root:root /etc/cipux;
    • echo -n "secret" > /etc/cipux/ldappassword.conf (cipuxadm password)

    • chmod 400 /etc/cipux/ldappassword.conf
    • chown root:root /etc/cipux/ldappassword.conf
    • echo -n "DISTRIBUTION" > /etc/cipux/system.conf (distribution: debian, debian-edu, ...)

    • chmod 400 /etc/cipux/system.conf
    • chown root:root /etc/cipux/system.conf
  • (2) aptitude install cipux-common cipux-cibot cipux-profile
  • (3) /usr/share/cipux/sbin/cipux_setup -sn
  • (4) aptitude install cipux-rpc cipux-cat-webim

Remarks:

  • Profile:
  • install cipux-profile BEFORE running cipux_setup
  • run: /usr/share/cipux/sbin/cipux_setup -sn -p PROFILE
  • list of supported profiles can be get with:
    • ls /usr/share/cipux/sbin/cipux_profile_*
  • if there is no profile suitable for you, create one.
  • if you have created one, please share that with the community. System:
  • supported distributions for now are:
  • example: echo -n "debian" > /etc/cipux/system.conf

Customization for (jet) unsupported Distributions

  • get in contact with one of:
  • join #cipux
  • add a customer in /etc/cipux/customer.conf
  • add a customer to cipux.conf
  • probably change LDAP values in cipux.conf
  • check all pathes for executables
  • check LPREF variable in top level Makefile
  • do test it on fresh installed systems

Other CipUX Installation Guides

Installation guides for different Debian and Debian-Edu/Skolelinux releases. For Updates please read the [:DebianEdu/CipUX/Update:update page].

On Debian (Etch) , Debian-Edu/ Skolelinux 3.0

  • This, page: see above

Older installation guides

Debian-Edu/ Skolelinux 1.0 (Venus)

?Navigation(siblings,1)