Mandriva Directory Server On Debian Etch - Page 5
16 Webinterface Configuration
16.1 SSL Certificate
This self-signed SSL certificate will be used for both the MMC web interface and the CUPS web frontend. Browsers will warn about it on first use because no CA signed it, and -nodes writes the private key without a passphrase (so Apache can start unattended), which is why its file mode is restricted right after it is created.
mkdir /etc/apache2/ssl/
openssl req -new -x509 -keyout /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.crt -days 365 -nodes
chmod 600 /etc/apache2/ssl/server.key
cp /etc/apache2/ssl/* /etc/cups/ssl/
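As an added example (not part of the original tutorial), the following shell functions generate the same kind of self-signed certificate with an explicit subject, keep the private key at mode 0600 from the moment it is written, and verify that key and certificate belong together and are not about to expire before Apache or CUPS are pointed at them. Directory, CN and lifetime are parameters; for this tutorial you would pass /etc/apache2/ssl and server1.example.com. The checks use only `openssl` subcommands that exist in 0.9.8 as well as in current releases.

```shell
# Added example for this page, not code from the tutorial or the MDS project.
# Assumed layout: DIR/server.key and DIR/server.crt, as in the tutorial.

# make_selfsigned DIR CN DAYS: write DIR/server.key (0600) and DIR/server.crt (0644)
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    # umask 077 means the key is never world-readable, not even briefly;
    # -nodes leaves it unencrypted so the daemons can read it without a passphrase
    (umask 077; openssl req -new -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" -days "$days" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1)
    chmod 600 "$dir/server.key"
    chmod 644 "$dir/server.crt"
}

# keypair_matches KEY CRT: succeed only if both carry the same RSA modulus,
# i.e. the certificate was really issued for this private key
keypair_matches() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private KEY: succeed if the mode is exactly 0600
key_is_private() {
    [ -n "$(find "$1" -perm 600 -print 2>/dev/null)" ]
}

# cert_valid_for CRT SECONDS: fail if the certificate expires within SECONDS
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# cert_check DIR: everything a practitioner wants to know before restarting Apache
cert_check() {
    keypair_matches "$1/server.key" "$1/server.crt" || { echo "key/cert mismatch in $1"; return 1; }
    key_is_private "$1/server.key" || { echo "$1/server.key is not mode 0600"; return 1; }
    cert_valid_for "$1/server.crt" 2592000 || { echo "$1/server.crt expires within 30 days"; return 1; }
    echo "ok: $1"
}
```

Run `cert_check /etc/apache2/ssl` and `cert_check /etc/cups/ssl` after the copy step above; a mismatch after a later re-generation (new key, old certificate copied over) is exactly the kind of mistake the modulus comparison catches.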
16.2 CUPS
To reach the CUPS web frontend from other machines on your network, you have to adjust a few settings.
vi /etc/cups/cupsd.conf
Change:
Listen localhost:631
To:
Listen %server_ip%:631
(replace %server_ip% with the address of your server, 192.168.0.100 in this tutorial; leave any other Listen lines, such as the local domain socket, as they are so that local tools can still talk to cupsd)
Change:
# Restrict access to the server...
<Location />
Order allow,deny
Allow localhost
</Location>
# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
</Location>
To:
# Restrict access to the server...
<Location />
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>
# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
Encryption Required
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>
Note that the stock /admin/conf block only demands Basic authentication, not encryption; since the account asked for is root (@SYSTEM), that block should also carry Encryption Required so the password never crosses the LAN in clear. Every host in 192.168.0.0/24 can now reach the interface, so keep the allowed network as small as your workstations require. Afterwards restart CUPS.
/etc/init.d/cupsys restart
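Reviewing the access control by eye gets error-prone once more Location blocks are added, so here is an added example (not from the tutorial) that summarises every Location block of a cupsd.conf and flags the two mistakes that matter most: a block reachable from everywhere, and a block that asks for a password (or sits under /admin) without requiring encryption. The two sample configurations are constructed for this page: the first is the tightened configuration from this section with Encryption Required also on /admin/conf, the second a careless variant.

```shell
# Added example for this page, not code from the tutorial or from CUPS.

# cups_acl_summary FILE: one line per <Location>: path, Allow sources,
# whether "Encryption Required" and an AuthType are set
cups_acl_summary() {
    awk '
    /^[[:space:]]*<Location[[:space:]]/ {
        sub(/^[[:space:]]*<Location[[:space:]]+/, ""); sub(/>.*$/, "")
        loc = $0; allow = ""; enc = "no"; auth = "no"; next
    }
    /^[[:space:]]*<\/Location>/ {
        printf "%s allow=%s encryption=%s auth=%s\n", loc, (allow == "" ? "-" : allow), enc, auth
        loc = ""; next
    }
    loc != "" && $1 !~ /^#/ {
        d = tolower($1)
        if (d == "allow") { v = $2; if (tolower(v) == "from") v = $3; allow = (allow == "" ? v : allow "," v) }
        else if (d == "encryption" && tolower($2) == "required") enc = "yes"
        else if (d == "authtype") auth = "yes"
    }' "$1"
}

# cups_acl_weak FILE: print one WEAK line per problematic block;
# exit status = number of weak blocks (0 means clean)
cups_acl_weak() {
    cups_acl_summary "$1" | awk '
    {
        bad = ""
        if (tolower($2) ~ /allow=(.*,)?(all|0\.0\.0\.0(\/0)?)(,|$)/) bad = "open to all"
        if ($1 ~ /^\/admin/ && $3 != "encryption=yes") bad = bad (bad == "" ? "" : "; ") "no Encryption Required"
        if ($4 == "auth=yes" && $3 != "encryption=yes") bad = bad (bad == "" ? "" : "; ") "password without TLS"
        if (bad != "") { n++; print "WEAK " $1 ": " bad }
    }
    END { exit n + 0 }'
}

# constructed sample: the configuration used on this page
cups_sample_good() {
cat <<'EOF'
<Location />
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>
<Location /admin/conf>
Encryption Required
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>
EOF
}

# constructed sample: opens /admin to everyone and asks for root's password over plain HTTP
cups_sample_bad() {
cat <<'EOF'
<Location />
Order allow,deny
Allow all
</Location>
<Location /admin>
Order allow,deny
Allow from all
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow 192.168.0.0/24
</Location>
EOF
}
```

On the server, `cups_acl_weak /etc/cups/cupsd.conf` before the restart is enough; a non-zero exit is the signal to look at the printed block.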
You can now manage your CUPS printers from your workstation through the CUPS web interface. Open https://192.168.0.100:631/ in your browser (later, once the nameserver and the DHCP server are configured, use https://server1.example.com:631) and log in as root when asked; because the certificate is self-signed, the browser will warn about it the first time. If there is no Linux driver for your printer and you only want to use it from Windows workstations through Samba, choose the manufacturer "RAW" and install the proper driver on the Windows workstations.
If you are going to set up an HP printer, add it to CUPS via hplip on the command line instead. The exact command depends on how the device is connected; see "hp-setup --help". For a network printer with the IP 192.168.0.20, for example, the command is "hp-setup -i 192.168.0.20". Afterwards you can adjust the printer settings (resolution etc.) in the CUPS web interface.
After you have added a new printer to CUPS, add it to Samba via
cupsaddsmb -a
16.3 MMC
We'll create two vhosts: one for HTTP connections, which does nothing but redirect to HTTPS, and one for HTTPS connections, which serves the MMC.
16.3.1 HTTP VHost
vi /etc/apache2/sites-available/http
Add the following configuration.
<VirtualHost 192.168.0.100:80>
ServerName server1.example.com
RewriteEngine On
RewriteCond %{HTTPS} off
# An absolute https:// target makes mod_rewrite issue an external redirect;
# R states that explicitly and L stops further rule processing.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>
16.3.2 HTTPS VHost
vi /etc/apache2/sites-available/https
Add the following configuration. Two lines deliberately differ from the stock Apache 2.2 example values (SSLProtocol all and SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL): those still allow SSLv2 and SSLv3 as well as 40/56-bit export, single-DES and RC4 suites, and the SSLRequire line further down only rejects a request after such a weak session has already been negotiated. Restricting protocol and cipher list up front keeps the weak session from being set up at all; clients then have to speak TLS 1.0 with a 128-bit or stronger suite, which every current browser does.
NameVirtualHost 192.168.0.100:443
<VirtualHost 192.168.0.100:443>
ServerName server1.example.com
ServerAdmin [email protected]
DocumentRoot /usr/share/mmc/
SSLEngine on
SSLCertificateKeyFile ssl/server.key
SSLCertificateFile ssl/server.crt
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
<Directory /usr/share/mmc/>
AllowOverride None
Order allow,deny
Allow from 192.168.0.0/24
php_flag short_open_tag on
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>
ErrorLog /var/log/apache2/mmc_error.log
CustomLog /var/log/apache2/mmc_access.log combined
LogLevel warn
</VirtualHost>
Add the HTTPS listen port to the apache configuration.
vi /etc/apache2/ports.conf
Add the following line:
Listen 443
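To make the difference between the stock and the hardened TLS lines checkable rather than a matter of taste, here is an added example (not from the tutorial or from Apache) that lints the TLS directives of an SSL vhost file. It flags an SSLProtocol that still permits SSLv2 or SSLv3, and an SSLCipherSuite that admits LOW, export, NULL-encryption, anonymous, RC4 or MD5 suites. The alias expansion is a deliberately simple model of OpenSSL 0.9.8 behaviour (ALL and DEFAULT pull in LOW, EXP, RC4 and MD5; MEDIUM pulls in RC4 and MD5; eNULL only when named); the authoritative answer on the server itself is `openssl ciphers -v '<your SSLCipherSuite string>'`. The two sample files are constructed for this page.

```shell
# Added example for this page, not code from the tutorial or from Apache.

# ssl_vhost_lint FILE: print one WEAK line per finding; exit status = number of findings
ssl_vhost_lint() {
    awk '
    function weak(m) { n++; print "WEAK line " NR ": " m }
    function listed(name, list,   k, m, arr) {
        m = split(list, arr, " ")
        for (k = 1; k <= m; k++) if (tolower(arr[k]) == tolower(name)) return 1
        return 0
    }
    $1 == "SSLProtocol" {
        # tokens are applied left to right: "all" switches both on, "-SSLv2" switches one off
        v2 = 0; v3 = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "all") { v2 = 1; v3 = 1 }
            else if (t == "sslv2" || t == "+sslv2") v2 = 1
            else if (t == "sslv3" || t == "+sslv3") v3 = 1
            else if (t == "-sslv2") v2 = 0
            else if (t == "-sslv3") v3 = 0
        }
        if (v2) weak("SSLv2 enabled by: " $0)
        if (v3) weak("SSLv3 enabled by: " $0)
    }
    $1 == "SSLCipherSuite" {
        # per weak family: aliases that bring it in, and aliases whose "!" form removes it
        on["LOW"]   = "LOW ALL DEFAULT COMPLEMENTOFDEFAULT";                          off["LOW"]   = "LOW"
        on["EXP"]   = "EXP EXPORT EXPORT40 EXPORT56 ALL DEFAULT COMPLEMENTOFDEFAULT"; off["EXP"]   = "EXP EXPORT"
        on["eNULL"] = "eNULL NULL COMPLEMENTOFALL";                                  off["eNULL"] = "eNULL NULL"
        on["aNULL"] = "aNULL ADH AECDH ALL COMPLEMENTOFDEFAULT";                     off["aNULL"] = "aNULL ADH"
        on["RC4"]   = "RC4 ALL DEFAULT MEDIUM";                                      off["RC4"]   = "RC4"
        on["MD5"]   = "MD5 ALL DEFAULT MEDIUM";                                      off["MD5"]   = "MD5"
        on["SSLv2"] = "SSLv2 ALL DEFAULT";                                           off["SSLv2"] = "SSLv2"
        for (f in on) { hit[f] = 0; drop[f] = 0 }
        nt = split($2, toks, ":")
        for (i = 1; i <= nt; i++) {
            pre = substr(toks[i], 1, 1)
            if (pre == "-") continue            # "-X" only removes, it never adds a family
            neg = (pre == "!")
            body = toks[i]; sub(/^[!+]/, "", body)
            np = split(body, parts, "+")        # "RC4+RSA" names both RC4 and RSA
            for (p = 1; p <= np; p++)
                for (f in on) {
                    if (neg) { if (listed(parts[p], off[f])) drop[f] = 1 }
                    else if (listed(parts[p], on[f])) hit[f] = 1
                }
        }
        nfam = split("LOW EXP eNULL aNULL RC4 MD5 SSLv2", fam, " ")
        for (j = 1; j <= nfam; j++)
            if (hit[fam[j]] && !drop[fam[j]]) weak("cipher list permits " fam[j] " suites")
    }
    END { exit n + 0 }' "$1"
}

# constructed sample: the stock Apache 2.2 example values
ssl_sample_weak() {
cat <<'EOF'
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
EOF
}

# constructed sample: the lines used on this page instead
ssl_sample_hardened() {
cat <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
EOF
}
```

`ssl_vhost_lint /etc/apache2/sites-available/https` should exit 0 before you run `a2ensite https`. Note that `!ADH` in the stock string does disable the anonymous suites, which is why that family is not reported for it; everything else the stock string lets through is.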
16.4 Modules & Sites
After that we enable the new sites, ...
a2ensite http
a2ensite https
... the rewrite module ...
a2enmod rewrite
... and the ssl module.
a2enmod ssl
Now restart apache.
/etc/init.d/apache2 restart
17 MMC Plugins
17.1 MMC Base-Plugin Configuration
Edit MMC base-plugin configuration file.
vi /etc/mmc/plugins/base.ini
Edit the baseDN so that it matches your domain, insert the correct LDAP admin password (the one chosen for cn=admin when slapd was set up) and change the destination path for the archives; afterwards the file should look like this. Because it holds the LDAP manager password in clear text, keep the file readable by root only (chmod 600 /etc/mmc/plugins/base.ini); the mmc-agent runs as root and needs nothing wider.
[ldap]
# LDAP we are connected to
host = 127.0.0.1
# LDAP base DN
baseDN = dc=example, dc=com
# Users location in the LDAP
baseUsersDN = ou=Users, %(basedn)s
# Groups location in the LDAP
baseGroupsDN = ou=Groups, %(basedn)s
# Computers Locations
baseComputersDN = ou=Computers, %(basedn)s
# LDAP manager
rootName = cn=admin, %(basedn)s
password = howtoforge
# If enabled, the MMC will create/move/delete the home of the users
# Else will do nothing, but only write user informations into LDAP
userHomeAction = 1
# Skeleton directory to populate a new home directory
skelDir = /etc/skel
# If set, all new users will belong to this group when created
defaultUserGroup = Domain Users
# Default home directory for users
defaultHomeDir = /home
# user uid number start
uidStart = 10000
# group gid number start
gidStart = 10000
# LDAP log file path
logfile = /var/log/ldap.log
# FDS log file path
# logfile = /opt/fedora-ds/slapd-hostname/logs/access
# you can specify here where you can authorized creation of your homedir
# default is your defaultHomeDir
# example:
# authorizedHomeDir = /home, /home2, /mnt/depot/newhome

[backup-tools]
# Path of the backup tools
path = /usr/lib/mmc/backup-tools
# Where are put the archives
destpath = /home/samba/archives
17.2 MMC Mail-Plugin Configuration
Edit MMC mail-plugin configuration file.
vi /etc/mmc/plugins/mail.ini
Edit the vDomainDN so that it matches your domain, comment out the mailbox line for Postfix delivery and uncomment the one for Dovecot delivery; afterwards the file should look like this:
[main]
disable = 0
# Enable virtual domain support
vDomainSupport = 0
# If vdomain enabled, OU where the domain are stored
vDomainDN = ou=mailDomains, dc=example, dc=com

[userDefault]
# For Postfix delivery
# mailbox = %homeDirectory%/Maildir/
# For Dovecot delivery
mailbox = maildir:%homeDirectory%/Maildir/
# Default quota (200 MBytes) set for user
mailuserquota = 204800
17.3 MMC Network-Plugin Configuration
Edit MMC network-plugin configuration file.
vi /etc/mmc/plugins/network.ini
Edit the domain name in both dn entries so that it matches your domain; afterwards the file should look like this:
[main]
disable = 0

[dhcp]
dn = ou=DHCP,dc=example,dc=com
pidfile = /var/run/dhcpd.pid
init = /etc/init.d/dhcp3-server
logfile = /var/log/daemon.log
leases = /var/lib/dhcp3/dhcpd.leases

[dns]
dn = ou=DNS,dc=example,dc=com
pidfile = /var/run/bind/run/named.pid
init = /etc/init.d/bind9
logfile = /var/log/daemon.log
bindroot = /etc/bind/
binduser = bind
# dnsreader = DNS Reader
# dnsreaderpassword = DNSReaderPassword
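A typo in any of the DNs above, or a wrong manager password, only shows up as an unhelpful error once the agent is running. As an added example (not from the tutorial or the MDS project) the following functions read the plugin files the way a ConfigParser-style reader does (keys case-insensitive, `%(basedn)s` expanded from the same section) and then bind as rootName to confirm that every DN the base, network and mail plugins depend on actually exists. Only `mmc_ldap_check` talks to the server; the parser and the constructed sample files run offline. The ldapsearch invocation and the /etc/mmc/plugins default path are assumptions for this page.

```shell
# Added example for this page, not code from the tutorial or the MDS project.

# ini_get FILE SECTION KEY: print the value with %(other)s references expanded
# from the same section; keys are matched case-insensitively; exit 1 if absent
ini_get() {
    awk -v want_sect="$2" -v want_key="$3" '
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s); sect = s; next }
    sect == want_sect && index($0, "=") {
        k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        vals[tolower(k)] = v
    }
    END {
        key = tolower(want_key)
        if (!(key in vals)) exit 1
        v = vals[key]
        # expand %(name)s, bounded so a self-referencing value cannot loop forever
        for (depth = 0; depth < 10 && match(v, /%\([A-Za-z0-9_]+\)s/); depth++) {
            name = tolower(substr(v, RSTART + 2, RLENGTH - 4))
            v = substr(v, 1, RSTART - 1) vals[name] substr(v, RSTART + RLENGTH)
        }
        print v
    }' "$1"
}

# ldap_dn_exists HOST BINDDN PASSFILE DN: base-scope search for the DN itself
ldap_dn_exists() {
    ldapsearch -x -LLL -H "ldap://$1" -D "$2" -y "$3" -b "$4" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# mmc_ldap_check [CONFDIR]: verify every DN the plugins rely on; exit 1 if any is missing
mmc_ldap_check() {
    dir=${1:-/etc/mmc/plugins}
    host=$(ini_get "$dir/base.ini" ldap host) || return 2
    bind=$(ini_get "$dir/base.ini" ldap rootName) || return 2
    pw=$(mktemp) && chmod 600 "$pw"
    # -y reads the file verbatim, so strip the newline; this keeps the password out of argv and ps
    ini_get "$dir/base.ini" ldap password | tr -d '\n' > "$pw"
    rc=0
    for spec in "base.ini ldap baseDN" "base.ini ldap baseUsersDN" "base.ini ldap baseGroupsDN" \
                "base.ini ldap baseComputersDN" "network.ini dhcp dn" "network.ini dns dn" \
                "mail.ini main vDomainDN"; do
        set -- $spec
        # vDomainDN only matters once virtual domain support is switched on
        if [ "$3" = vDomainDN ] && [ "$(ini_get "$dir/mail.ini" main vDomainSupport)" != "1" ]; then continue; fi
        dn=$(ini_get "$dir/$1" "$2" "$3") || { echo "MISSING KEY $1 [$2] $3"; rc=1; continue; }
        if ldap_dn_exists "$host" "$bind" "$pw" "$dn"; then echo "ok      $dn"; else echo "MISSING $dn"; rc=1; fi
    done
    rm -f "$pw"
    return $rc
}

# mmc_sample_ini DIR: constructed copies of the three plugin files with this page's values
mmc_sample_ini() {
    cat > "$1/base.ini" <<'EOF'
[ldap]
host = 127.0.0.1
baseDN = dc=example, dc=com
baseUsersDN = ou=Users, %(basedn)s
baseGroupsDN = ou=Groups, %(basedn)s
baseComputersDN = ou=Computers, %(basedn)s
rootName = cn=admin, %(basedn)s
password = howtoforge
# logfile = /opt/fedora-ds/slapd-hostname/logs/access
logfile = /var/log/ldap.log
EOF
    cat > "$1/network.ini" <<'EOF'
[main]
disable = 0
[dhcp]
dn = ou=DHCP,dc=example,dc=com
[dns]
dn = ou=DNS,dc=example,dc=com
EOF
    cat > "$1/mail.ini" <<'EOF'
[main]
vDomainSupport = 0
vDomainDN = ou=mailDomains, dc=example, dc=com
EOF
}
```

Run `mmc_ldap_check` on the server right before the first agent start; a MISSING line for ou=DHCP or ou=DNS means the organisational units from the earlier LDAP setup are absent or spelled differently from what network.ini expects.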
18 MMC Agent Initial Start
At this point the mmc-agent is ready for the initial start.
/etc/init.d/mmc-agent start
During its first start the mmc-agent writes some bind- and dhcp-related settings into LDAP, so restart bind afterwards (the DHCP server is not running yet and needs no restart).
/etc/init.d/bind9 restart