Charity admin
This page chronicles the administrative changes to charity.progclub.org. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is less than a time-stamp later in the page; put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative reference for other information.
John 2011-08-14 21:39
Configuring slapd indexes
Per these instructions:
root@charity:/etc/ldap# vim ldap.conf
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,sn,mail,givenName eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres

# I also added this line to stop warning in syslog ..
#index uniqueMember eq,pres

## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq

# These attributes don't exist in this database ..
#index nisMapName,nisMapEntry eq,pres,sub
#index sambaSID eq
#index sambaPrimaryGroupSID eq
#index sambaDomainName eq
#index default sub
root@charity:/etc/ldap# /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
root@charity:/etc/ldap# slapindex
WARNING!
Runnig as root!
There's a fair chance slapd will fail to start.
Check file permissions!
root@charity:/etc/ldap# cd /var/lib/slapd/
root@charity:/var/lib/slapd# ls
root@charity:/var/lib/slapd# ll
total 8
drwxr-xr-x  2 root root 4096 2011-06-02 20:14 ./
drwxr-xr-x 32 root root 4096 2011-08-06 05:40 ../
root@charity:/var/lib/slapd# /etc/init.d/slapd start
Starting OpenLDAP: slapd.
John 2011-08-14 19:00
Configuring KDC ACLs
root@charity:/etc/krb5kdc# vim kadm5.acl
*/admin@PROGCLUB.ORG *
jj5@PROGCLUB.ORG *
tasaio@PROGCLUB.ORG *
sanguinev@PROGCLUB.ORG *
friggles@PROGCLUB.ORG *
jedd@PROGCLUB.ORG *
root@charity:~# /etc/init.d/krb5-admin-server restart
 * Restarting Kerberos administrative servers kadmind
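A read-only audit of a kadm5.acl in the format used above, added here as an example and not part of the original wiki entry. It lists which principals hold every kadmin privilege (permissions field `*` or `x`) and which principal entries are wildcards, so that a grant like the one above can be reviewed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the ProgClub wiki): audit an MIT Kerberos
# kadm5.acl.  Each non-comment line has the form
#   principal  permissions  [target-principal  [restrictions]]
# and a permissions field of "*" or "x" grants every kadmin privilege
# (add, delete, modify, change password, inquire, list, ...).

# kadm5_full_admins FILE
#   Print, one per line, every principal granted all privileges with no
#   target-principal restriction.  Exit status = number of such principals
#   (0 means nobody holds an unrestricted full grant).  Comments and
#   blank lines are skipped.
kadm5_full_admins() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # comment or blank line
        ($2 == "*" || $2 == "x") && NF == 2 { print $1; n++ }
        END { exit n }                              # n is 0 when unset
    ' "$1"
}

# kadm5_wildcard_admins FILE
#   Print principal entries that contain a wildcard (for example
#   "*/admin@REALM"), since those match an open-ended set of principals
#   rather than one named account.
kadm5_wildcard_admins() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 ~ /\*/ { print $1 }
    ' "$1"
}

# kadm5_report FILE
#   Human-readable summary combining both checks; exit status as for
#   kadm5_full_admins so it can gate a config-management run.
kadm5_report() {
    echo "Unrestricted full-privilege principals in $1:"
    kadm5_full_admins "$1"
    rc=$?
    echo "Wildcard principal entries in $1:"
    kadm5_wildcard_admins "$1"
    return $rc
}
```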
John 2011-08-13 15:09
Installing ViewVC
jj5@charity:~$ release pcview "First release. Just a copy of ViewVC 1.0.12."
Releasing pcview
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcview/tags/release/2011/08/13/01
Committed revision 184.
Committed revision 185.
Committed revision 186.
jj5@charity:~$ sudo -s
root@charity:~# cd /var/www
root@charity:/var/www# svn co https://www.progclub.org/svn/pcrepo/pcview/tags/latest www.progclub.org-pcview
root@charity:/var/www# vim /etc/iptables.up.rules
# Hell, allow anything from John's house
-A INPUT -s 60.240.67.126/32 -j ACCEPT
root@charity:/var/www# iptables -F
root@charity:/var/www# iptables-restore < /etc/iptables.up.rules
root@charity:/var/www# cd www.progclub.org-pcview/
root@charity:/var/www/www.progclub.org-pcview# bin/standalone.py -r /var/svn/pcrepo
bash: bin/standalone.py: Permission denied
root@charity:/var/www/www.progclub.org-pcview# cd bin
root@charity:/var/www/www.progclub.org-pcview/bin# ls
asp  cvsdbadmin       make-database  standalone.py
cgi  loginfo-handler  mod_python     svndbadmin
root@charity:/var/www/www.progclub.org-pcview/bin# ll
total 92
drwxr-xr-x 6 root root  4096 2011-08-13 05:11 ./
drwxr-xr-x 9 root root  4096 2011-08-13 05:11 ../
drwxr-xr-x 3 root root  4096 2011-08-13 05:11 asp/
drwxr-xr-x 3 root root  4096 2011-08-13 05:11 cgi/
-rw-r--r-- 1 root root  4476 2011-08-13 05:11 cvsdbadmin
-rw-r--r-- 1 root root 10476 2011-08-13 05:11 loginfo-handler
-rw-r--r-- 1 root root  4726 2011-08-13 05:11 make-database
drwxr-xr-x 3 root root  4096 2011-08-13 05:11 mod_python/
-rw-r--r-- 1 root root 26993 2011-08-13 05:11 standalone.py
drwxr-xr-x 6 root root  4096 2011-08-13 05:11 .svn/
-rw-r--r-- 1 root root 10749 2011-08-13 05:11 svndbadmin
root@charity:/var/www/www.progclub.org-pcview/bin# chmod -R a+x *
root@charity:/var/www/www.progclub.org-pcview# bin/standalone.py -r /var/svn/pcrepo
: No such file or directory
No fun!
root@charity:/var/www/www.progclub.org-pcview# chmod a+x viewvc-install
root@charity:/var/www/www.progclub.org-pcview# ./viewvc-install
: No such file or directory
Argh!
Time to ask for help.
Wait... this explains it, WinZip fucked my line endings!
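The ": No such file or directory" above is the classic symptom of a script whose "#!" line ends in CR+LF: the kernel looks for an interpreter literally named "/usr/bin/python\r", and the shell prints the error with the unprintable name in front of the colon. The following check and fix are an added example, not part of the original wiki entry; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the ProgClub wiki): find and repair scripts whose
# shebang line carries a CR+LF ending, the cause of the bare
# ": No such file or directory" seen when running bin/standalone.py and
# viewvc-install above.

cr=$(printf '\r')

# crlf_shebang FILE
#   exit 0 if the first line is a clean "#!" line,
#        1 if the first line is a "#!" line ending in "\r" (CRLF),
#        2 if the file has no shebang at all.
crlf_shebang() {
    first=$(head -n 1 "$1" | tr -d '\n')
    case "$first" in
        '#!'*"$cr") return 1 ;;
        '#!'*)      return 0 ;;
        *)          return 2 ;;
    esac
}

# fix_crlf FILE
#   Strip every CR from FILE in place (the same effect the page got by
#   copying the pristine tarball over the checkout), keeping FILE's mode.
fix_crlf() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# scan_dir DIR
#   Print each regular file under DIR whose shebang is CRLF; the exit
#   status is the number of offenders, so 0 means the tree is clean.
#   (Paths containing whitespace are not handled; fine for a checkout.)
scan_dir() {
    n=0
    for f in $(find "$1" -type f); do
        rc=0; crlf_shebang "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "CRLF shebang: $f"
            n=$((n + 1))
        fi
    done
    return $n
}
```

Run `scan_dir /var/www/www.progclub.org-pcview` before `chmod -R a+x` to tell a permissions problem from a line-ending problem.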
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# wget http://viewvc.tigris.org/files/documents/3330/47621/viewvc-1.0.12.tar.gz
--2011-08-13 05:53:37--  http://viewvc.tigris.org/files/documents/3330/47621/viewvc-1.0.12.tar.gz
Resolving viewvc.tigris.org... 204.16.104.146
Connecting to viewvc.tigris.org|204.16.104.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 523289 (511K) [application/x-gzip]
Saving to: `viewvc-1.0.12.tar.gz'

100%[======================================>] 523,289      528K/s   in 1.0s

2011-08-13 05:53:38 (528 KB/s) - `viewvc-1.0.12.tar.gz' saved [523289/523289]
root@charity:~# tar xvf viewvc-1.0.12.tar.gz
root@charity:~# cd /var/www
root@charity:/var/www# svn co https://www.progclub.org/svn/pcrepo/pcview/trunk www.progclub.org-pcview-dev
root@charity:/var/www# cd www.progclub.org-pcview-dev/
root@charity:/var/www/www.progclub.org-pcview-dev# ls
bin                 docs          README             viewvc.conf.dist
CHANGES             INSTALL       templates          viewvc-install
COMMITTERS          lib           templates-contrib  windows
cvsgraph.conf.dist  LICENSE.html  TODO
root@charity:/var/www/www.progclub.org-pcview-dev# cp -R ~/viewvc-1.0.12/* .
root@charity:/var/www/www.progclub.org-pcview-dev# svn ci -m "Fixed line endings for ViewVC"
root@charity:/var/www/www.progclub.org-pcview-dev# exit
exit
jj5@charity:~$ release pcview "Fixed line endings."
Releasing pcview
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcview/tags/release/2011/08/13/01
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcview/tags/release/2011/08/13/02
Committed revision 188.
Committed revision 189.
Committed revision 190.
jj5@charity:~$ sudo -s
root@charity:~# cd /var/www/www.progclub.org-pcview
root@charity:/var/www/www.progclub.org-pcview# update
bash: update: command not found
root@charity:/var/www/www.progclub.org-pcview# svn update
root@charity:/var/www/www.progclub.org-pcview# cd bin
root@charity:/var/www/www.progclub.org-pcview/bin# ll
total 92
drwxr-xr-x 6 root root  4096 2011-08-13 05:59 ./
drwxr-xr-x 9 root root  4096 2011-08-13 05:59 ../
drwxr-xr-x 3 root root  4096 2011-08-13 05:59 asp/
drwxr-xr-x 3 root root  4096 2011-08-13 05:59 cgi/
-rw-r--r-- 1 root root  4319 2011-08-13 05:59 cvsdbadmin
-rw-r--r-- 1 root root 10159 2011-08-13 05:59 loginfo-handler
-rw-r--r-- 1 root root  4572 2011-08-13 05:59 make-database
drwxr-xr-x 3 root root  4096 2011-08-13 05:59 mod_python/
-rw-r--r-- 1 root root 26350 2011-08-13 05:59 standalone.py
drwxr-xr-x 6 root root  4096 2011-08-13 05:59 .svn/
-rw-r--r-- 1 root root 10437 2011-08-13 05:59 svndbadmin
root@charity:/var/www/www.progclub.org-pcview/bin# chmod -R a+x *
root@charity:/var/www/www.progclub.org-pcview/bin# cd ..
root@charity:/var/www/www.progclub.org-pcview# bin/standalone.py -r /var/svn/pcrepo
server ready at http://localhost:7467/viewvc
root@charity:/var/www/www.progclub.org-pcview# chmod a+x viewvc-install
root@charity:/var/www/www.progclub.org-pcview# ./viewvc-install
This is the ViewVC 1.0.12 installer.

It will allow you to choose the install path for ViewVC.  You will now
be asked some installation questions.  Defaults are given in square brackets.
Just hit [Enter] if a default is okay.

Installation path [/usr/local/viewvc-1.0.12]:
DESTDIR path (generally only used by package maintainers) []:
...
ViewVC file installation complete.

Consult the INSTALL document for detailed information on completing the
installation and configuration of ViewVC on your system.
Here's a brief overview of the remaining steps:

  1) Edit the /usr/local/viewvc-1.0.12/viewvc.conf file.
  2) Either configure an existing web server to run
     /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi.

     Or, copy /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi to an
     already-configured cgi-bin directory.

     Or, use the standalone server provided by this distribution at
     /usr/local/viewvc-1.0.12/bin/standalone.py.
root@charity:/var/www/www.progclub.org-pcview# cd /usr/local/viewvc-1.0.12/
root@charity:/usr/local/viewvc-1.0.12# ls
bin            cvsgraph.conf.dist  templates          viewvc.conf
cvsgraph.conf  lib                 templates-contrib  viewvc.conf.dist
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
root@charity:/usr/local/viewvc-1.0.12# cd /etc/apache2/sites-available/
root@charity:/etc/apache2/sites-available# vim default
ScriptAlias /pcview-view /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
ScriptAlias /pcview-query /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
root@charity:/etc/apache2/sites-available# apache2ctl graceful
GET: http://www.progclub.org/pcview-view
An Exception Has Occurred

Python Traceback

Traceback (most recent call last):
  File "/usr/local/viewvc-1.0.12/lib/viewvc.py", line 3761, in main
    request.run_viewvc()
  File "/usr/local/viewvc-1.0.12/lib/viewvc.py", line 258, in run_viewvc
    import vclib.svn
  File "/usr/local/viewvc-1.0.12/lib/vclib/svn/__init__.py", line 27, in <module>
    from svn import fs, repos, core, delta
ImportError: No module named svn
Google that.
What causes "Error: ImportError: No module named svn"? ViewVC uses Subversion's Python bindings to interact with and pull information out of your Subversion repositories. These bindings are not, however, generally provided as part of the ViewVC distribution — you have to install them yourself some other way. (For more information, contact the Subversion community.) The error you see is Python being asked to import the Subversion Python bindings and being unable to do so, typically because the bindings modules aren't found in the Python library search path.
Not very helpful dear.
root@charity:/usr/local/viewvc-1.0.12# apt-cache search python svn
python-svn - A(nother) Python interface to Subversion
python-svn-dbg - A(nother) Python interface to Subversion (debug extension)
python-rope - Python refactoring library
svn-workbench - A Workbench for Subversion
bzr - easy to use distributed version control system
bzr-doc - easy to use distributed version control system (documentation)
python-subversion - Python bindings for Subversion
python-subversion-dbg - Python bindings for Subversion (debug extension)
root@charity:/usr/local/viewvc-1.0.12# apt-get install python-subversion
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  python-subversion-dbg
The following NEW packages will be installed:
  python-subversion
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 755kB of archives.
After this operation, 3,449kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main python-subversion 1.6.6dfsg-2ubuntu1.3 [755kB]
Fetched 755kB in 1s (525kB/s)
Committing to: /etc/
modified iptables.up.rules
modified apache2/sites-available/default

Committed revision 41.
Selecting previously deselected package python-subversion.
(Reading database ... 18330 files and directories currently installed.)
Unpacking python-subversion (from .../python-subversion_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Setting up python-subversion (1.6.6dfsg-2ubuntu1.3) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Processing triggers for python-support ...
root@charity:/usr/local/viewvc-1.0.12#
GET: http://www.progclub.org/pcview-view
Works!
Just tidy that up a bit:
root@charity:/usr/local/viewvc-1.0.12# vim /etc/apache2/sites-available/default
ScriptAlias /pcview /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
ScriptAlias /pcview-query /usr/local/viewvc-1.0.12/bin/cgi/query.cgi
root@charity:/usr/local/viewvc-1.0.12# apache2ctl graceful
Actually,
ScriptAlias /pcrepo /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
#ScriptAlias /pcview-query /usr/local/viewvc-1.0.12/bin/cgi/query.cgi
So that's: http://www.progclub.org/pcrepo
jj5@charity:~$ sudo -s
root@charity:~# cd /var/www/www.progclub.org
root@charity:/var/www/www.progclub.org# vim robots.txt
Disallow: /pcrepo/
That ought to do it. Wait...
root@charity:~# apt-cache search enscript
enscript - converts text to Postscript, HTML or RTF with syntax highlighting
root@charity:~# apt-get install enscript
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libpaper-utils libpaper1
Suggested packages:
  gv postscript-viewer lpr
The following NEW packages will be installed:
  enscript libpaper-utils libpaper1
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 482kB of archives.
After this operation, 2,707kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libpaper1 1.1.23+nmu1build1 [21.2kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main enscript 1.6.5-1 [442kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libpaper-utils 1.1.23+nmu1build1 [18.3kB]
Fetched 482kB in 1s (372kB/s)
Committing to: /etc/
modified apache2/sites-available/default

Committed revision 42.
Preconfiguring packages ...
Selecting previously deselected package libpaper1.
(Reading database ... 18382 files and directories currently installed.)
Unpacking libpaper1 (from .../libpaper1_1.1.23+nmu1build1_amd64.deb) ...
Selecting previously deselected package enscript.
Unpacking enscript (from .../enscript_1.6.5-1_amd64.deb) ...
Selecting previously deselected package libpaper-utils.
Unpacking libpaper-utils (from .../libpaper-utils_1.1.23+nmu1build1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libpaper1 (1.1.23+nmu1build1) ...

Creating config file /etc/papersize with new version
Setting up enscript (1.6.5-1) ...
Setting up libpaper-utils (1.1.23+nmu1build1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added enscript.cfg
added libpaper.d
added papersize

Committed revision 43.
root@charity:~# cd /usr/local/viewvc-1.0.12/
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
# should we use 'enscript' for syntax coloring?
use_enscript = 1
root@charity:/usr/local/viewvc-1.0.12# locate enscript
bash: locate: command not found
root@charity:/usr/local/viewvc-1.0.12# whereis enscript
enscript: /usr/bin/enscript /etc/enscript.cfg /usr/share/enscript /usr/share/man/man1/enscript.1.gz
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
#
# if the enscript program is not on the path, set this value
#
#enscript_path =
enscript_path = /usr/bin/
root@charity:/usr/local/viewvc-1.0.12# apt-cache search syntax highlight | grep highlight
root@charity:/usr/local/viewvc-1.0.12# apt-get install highlight
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  highlight-common
The following NEW packages will be installed:
  highlight highlight-common
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 490kB of archives.
After this operation, 1,864kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe highlight-common 2.12-1 [196kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe highlight 2.12-1 [294kB]
Fetched 490kB in 1s (394kB/s)
Selecting previously deselected package highlight-common.
(Reading database ... 18593 files and directories currently installed.)
Unpacking highlight-common (from .../highlight-common_2.12-1_all.deb) ...
Selecting previously deselected package highlight.
Unpacking highlight (from .../highlight_2.12-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up highlight-common (2.12-1) ...
Setting up highlight (2.12-1) ...
Committing to: /etc/
added highlight
added highlight/filetypes.conf

Committed revision 44.
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
# should we use 'enscript' for syntax coloring?
use_enscript = 0
...
# should we use 'highlight' for syntax coloring?
# NOTE: use_enscript has to be 0 or enscript will be used instead
use_highlight = 1
John 2011-08-12 15:53
Installing bc
jj5@charity:~/bin$ sudo apt-get install bc
[sudo] password for jj5:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  bc
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 112kB of archives.
After this operation, 328kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main bc 1.06.95-2 [112kB]
Fetched 112kB in 0s (115kB/s)
Selecting previously deselected package bc.
(Reading database ... 18313 files and directories currently installed.)
Unpacking bc (from .../bc_1.06.95-2_amd64.deb) ...
Processing triggers for man-db ...
Setting up bc (1.06.95-2) ...
John 2011-08-09 20:05
Configuring Pcldap project
root@charity:/var/www/www.progclub.org/# svn co https://www.progclub.org/svn/pcrepo/pcldap/trunk pcldap
root@charity:/var/www/www.progclub.org/# svn co https://www.progclub.org/svn/pcrepo/pcldap/trunk pcldap-dev
root@charity:/var/www/www.progclub.org# cd pcldap
root@charity:/var/www/www.progclub.org/pcldap# ls
config  hooks   index.php  lib      locale   templates  VERSION
doc     htdocs  INSTALL    LICENSE  queries  tools
root@charity:/var/www/www.progclub.org/pcldap# cd config/
root@charity:/var/www/www.progclub.org/pcldap/config# ls
config.php.example
root@charity:/var/www/www.progclub.org/pcldap/config# cp config.php.example config.php
root@charity:/var/www/www.progclub.org/pcldap/config# apt-get install php5-ldap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  php5-ldap
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 19.9kB of archives.
After this operation, 115kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-ldap 5.3.2-1ubuntu4.9 [19.9kB]
Fetched 19.9kB in 0s (37.0kB/s)
Committing to: /etc/
modified network/interfaces
added network/interfaces2011-08-09_01:48

Committed revision 39.
Selecting previously deselected package php5-ldap.
(Reading database ... 18310 files and directories currently installed.)
Unpacking php5-ldap (from .../php5-ldap_5.3.2-1ubuntu4.9_amd64.deb) ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2                                  [ OK ]
Setting up php5-ldap (5.3.2-1ubuntu4.9) ...
Committing to: /etc/
added php5/conf.d/ldap.ini

Committed revision 40.
root@charity:/var/www/www.progclub.org/pcldap/config# apache2ctl graceful
John 2011-08-08 16:43
Updating robots.txt file for pcwiki
Added the following to /var/www/www.progclub.org/robots.txt
Disallow: /pcwiki/
John 2011-08-06 15:30
Installing OpenLDAP
Following these instructions. Oh, no, wait. These instructions.
jj5@charity:~$ sudo apt-get install slapd ldap-utils
[sudo] password for jj5:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libdb4.7 libltdl7 libperl5.10 libslp1 odbcinst odbcinst1debian1 unixodbc
Suggested packages:
  slpd openslp-doc libmyodbc odbc-postgresql tdsodbc unixodbc-bin
The following NEW packages will be installed:
  ldap-utils libdb4.7 libltdl7 libperl5.10 libslp1 odbcinst odbcinst1debian1
  slapd unixodbc
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,302kB of archives.
After this operation, 8,253kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libdb4.7 4.7.25-9 [653kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libltdl7 2.2.6b-2ubuntu1 [296kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libperl5.10 5.10.1-8ubuntu2.1 [1,202B]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libslp1 1.2.1-7.6ubuntu0.1 [54.5kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main odbcinst 2.2.11-21 [35.5kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main odbcinst1debian1 2.2.11-21 [66.6kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/main unixodbc 2.2.11-21 [209kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/main slapd 2.4.21-0ubuntu5.5 [1,637kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid-updates/main ldap-utils 2.4.21-0ubuntu5.5 [348kB]
Fetched 3,302kB in 2s (1,595kB/s)
Committing to: /etc/
modified shadow

Committed revision 35.
Preconfiguring packages ...
Selecting previously deselected package libdb4.7.
(Reading database ... 17937 files and directories currently installed.)
Unpacking libdb4.7 (from .../libdb4.7_4.7.25-9_amd64.deb) ...
Selecting previously deselected package libltdl7.
Unpacking libltdl7 (from .../libltdl7_2.2.6b-2ubuntu1_amd64.deb) ...
Selecting previously deselected package libperl5.10.
Unpacking libperl5.10 (from .../libperl5.10_5.10.1-8ubuntu2.1_amd64.deb) ...
Selecting previously deselected package libslp1.
Unpacking libslp1 (from .../libslp1_1.2.1-7.6ubuntu0.1_amd64.deb) ...
Selecting previously deselected package odbcinst.
Unpacking odbcinst (from .../odbcinst_2.2.11-21_amd64.deb) ...
Selecting previously deselected package odbcinst1debian1.
Unpacking odbcinst1debian1 (from .../odbcinst1debian1_2.2.11-21_amd64.deb) ...
Selecting previously deselected package unixodbc.
Unpacking unixodbc (from .../unixodbc_2.2.11-21_amd64.deb) ...
Selecting previously deselected package slapd.
Unpacking slapd (from .../slapd_2.4.21-0ubuntu5.5_amd64.deb) ...
Selecting previously deselected package ldap-utils.
Unpacking ldap-utils (from .../ldap-utils_2.4.21-0ubuntu5.5_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libdb4.7 (4.7.25-9) ...
Setting up libltdl7 (2.2.6b-2ubuntu1) ...
Setting up libperl5.10 (5.10.1-8ubuntu2.1) ...
Setting up libslp1 (1.2.1-7.6ubuntu0.1) ...
Setting up ldap-utils (2.4.21-0ubuntu5.5) ...
Setting up odbcinst (2.2.11-21) ...
Setting up odbcinst1debian1 (2.2.11-21) ...
Setting up unixodbc (2.2.11-21) ...
Setting up slapd (2.4.21-0ubuntu5.5) ...
  Creating new user openldap... done.
  Creating initial slapd configuration... done.
Starting OpenLDAP: slapd.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added ODBCDataSources
modified group
modified group-
modified gshadow
modified gshadow-
added odbc.ini
modified passwd
modified passwd-
modified shadow
modified shadow-
added apparmor.d/usr.sbin.slapd
added default/slapd
added init.d/slapd
added ldap/sasl2
added ldap/schema
added ldap/slapd.d
added ldap/schema/README
added ldap/schema/collective.schema
added ldap/schema/corba.schema
added ldap/schema/core.ldif
added ldap/schema/core.schema
added ldap/schema/cosine.ldif
added ldap/schema/cosine.schema
added ldap/schema/duaconf.schema
added ldap/schema/dyngroup.schema
added ldap/schema/inetorgperson.ldif
added ldap/schema/inetorgperson.schema
added ldap/schema/java.schema
added ldap/schema/ldapns.schema
added ldap/schema/misc.ldif
added ldap/schema/misc.schema
added ldap/schema/nis.ldif
added ldap/schema/nis.schema
added ldap/schema/openldap.ldif
added ldap/schema/openldap.schema
added ldap/schema/pmi.schema
added ldap/schema/ppolicy.schema
added ldap/slapd.d/cn=config
added ldap/slapd.d/cn=config.ldif
added ldap/slapd.d/cn=config/cn=schema
added ldap/slapd.d/cn=config/cn=schema.ldif
added ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
added ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
added rc0.d/K80slapd
added rc1.d/K80slapd
added rc2.d/S19slapd
added rc3.d/S19slapd
added rc4.d/S19slapd
added rc5.d/S19slapd
added rc6.d/K80slapd

Committed revision 36.
jj5@charity:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
jj5@charity:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
jj5@charity:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
root@charity:~# cd /etc/ldap
root@charity:/etc/ldap# ls
ldap.conf  sasl2  schema  slapd.d
root@charity:/etc/ldap# vim backend.progclub.org.ldif
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=progclub,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=progclub,dc=org
olcRootPW: <secret>
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=progclub,dc=org" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=progclub,dc=org" write by * read
root@charity:/etc/ldap# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.progclub.org.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"
root@charity:/etc/ldap# vim frontend.progclub.org.ldif
# Create top-level object in domain
dn: dc=progclub,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: ProgClub
dc: ProgClub
description: ProgClub

# Admin user.
dn: cn=admin,dc=progclub,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: <secret>

dn: ou=people,dc=progclub,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=progclub,dc=org
objectClass: organizationalUnit
ou: groups

dn: uid=jj5,ou=people,dc=progclub,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jj5
sn: Elliot
givenName: John
cn: John Elliot
displayName: John Elliot
uidNumber: 1000
gidNumber: 10000
userPassword: <secret>
gecos: John Elliot
loginShell: /bin/bash
homeDirectory: /home/jj5
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: jj5@jj5.net
postalCode: 2774
#l:
#o:
mobile: +61 4 3505 7839
homePhone: +61 4 4739 2150
title: ProgClub Founder
postalAddress:
initials: JE

dn: cn=administrators,ou=groups,dc=progclub,dc=org
objectClass: posixGroup
cn: administrators
gidNumber: 10000
root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif
Enter LDAP Password:
adding new entry "dc=progclub,dc=org"

adding new entry "cn=admin,dc=progclub,dc=org"

adding new entry "ou=people,dc=progclub,dc=org"

adding new entry "ou=groups,dc=progclub,dc=org"

adding new entry "uid=jj5,ou=people,dc=progclub,dc=org"
ldap_add: Invalid syntax (21)
        additional info: l: value #0 invalid per syntax
root@charity:/etc/ldap# vim frontend.progclub.org.ldif
root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed
root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif
Enter LDAP Password:
adding new entry "dc=progclub,dc=org"
ldap_add: Already exists (68)
Had to fix up a mistake; created frontend.progclub.org.ldif.end with the data that hadn't made it into LDAP.
root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif.end
Enter LDAP Password:
adding new entry "uid=jj5,ou=people,dc=progclub,dc=org"

adding new entry "cn=administrators,ou=groups,dc=progclub,dc=org"
root@charity:/etc/ldap# ldapsearch -xLLL -b "dc=progclub,dc=org" uid=jj5 sn givenName cn
dn: uid=jj5,ou=people,dc=progclub,dc=org
sn: Elliot
givenName: John
cn: John Elliot
Works!
friggles@charity:/etc/ldap$ sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f friggles.ldif
Enter LDAP Password:
adding new entry "uid=friggles,ou=people,dc=progclub,dc=org"
jj5@charity:~$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
[sudo] password for jj5:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config
jj5@charity:~$ sudo ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uidNumber eq

modifying entry "olcDatabase={1}hdb,cn=config"

^+D
root@charity:/etc/ldap# vim uid_index.ldif
root@charity:/etc/ldap# cat uid_index.ldif
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub
root@charity:/etc/ldap# ldapmodify -Y EXTERNAL -H ldapi:/// -f uid_index.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
root@charity:/etc/ldap# vim schema_convert.conf
root@charity:/etc/ldap# cat schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
root@charity:/etc/ldap# mkdir /tmp/ldif_output
root@charity:/etc/ldap# slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={5}dyngroup,cn=schema,cn=config" > /tmp/cn=dyngroup.ldif
root@charity:/etc/ldap# slapcat -f schema_convert.conf -F /tmp/ldif_output -n 0 | grep dyngroup
dn: cn={5}dyngroup,cn=schema,cn=config
cn: {5}dyngroup
root@charity:/etc/ldap# vim /tmp/cn\=dyngroup.ldif
dn: cn=dyngroup,cn=schema,cn=config
...
cn: dyngroup
root@charity:/etc/ldap# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=dyngroup.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"
root@charity:/etc/ldap# ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
root@charity:/etc/ldap# ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase={1}hdb olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=progclub,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=progclub,dc=org" write by * read
root@charity:/etc/ldap# apt-get install gnutls-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  gnutls-bin
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 144kB of archives.
After this operation, 549kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe gnutls-bin 2.8.5-2 [144kB]
Fetched 144kB in 1s (142kB/s)
Committing to: /etc/
modified .etckeeper
added ldap/backend.progclub.org.ldif
added ldap/friggles.ldif
added ldap/frontend.progclub.org.ldif
added ldap/frontend.progclub.org.ldif.end
added ldap/schema_convert.conf
added ldap/uid_index.ldif
added ldap/slapd.d/cn=config/cn=module{0}.ldif
added ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={4}dyngroup.ldif
Committed revision 37.
Selecting previously deselected package gnutls-bin.
(Reading database ... 18289 files and directories currently installed.)
Unpacking gnutls-bin (from .../gnutls-bin_2.8.5-2_amd64.deb) ...
Processing triggers for man-db ...
Setting up gnutls-bin (2.8.5-2) ...
root@charity:/etc/ldap# sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
Generating a 2048 bit RSA private key...
root@charity:/etc/ldap# vim /etc/ssl/ca.info
root@charity:/etc/ldap# cat /etc/ssl/ca.info
cn = ProgClub
ca
cert_signing_key
root@charity:/etc/ldap# certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
Generating a self signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 4e3ce51d
    Validity:
        Not Before: Sat Aug 06 06:54:21 UTC 2011
        Not After: Sun Aug 05 06:54:21 UTC 2012
    Subject: CN=ProgClub
    Subject Public Key Algorithm: RSA
        Modulus (bits 2048):
            b6:b1:59:be:2c:5c:3b:81:6c:6e:d1:e6:0e:98:92:20
            cd:b5:a4:4d:f9:9c:b5:7d:ee:54:85:f1:fd:76:09:c2
            06:5d:55:98:13:a2:d3:19:c2:d1:a2:84:d0:8a:93:9c
            77:50:3b:52:89:c4:8c:97:65:d9:3e:67:44:b1:8a:d7
            75:2c:5b:0c:92:50:9b:4d:2e:08:08:4e:8a:39:1f:c7
            ce:d5:30:6e:c1:ff:51:80:f0:00:ee:f2:e6:9d:3f:f4
            88:41:f9:54:f1:6d:4c:9e:3f:a2:24:9e:73:5f:bf:63
            50:37:0b:df:17:b1:a3:1a:27:07:4e:5e:df:5a:d7:96
            62:7c:68:c4:21:ab:f2:2c:f5:af:27:f8:ba:bd:6a:5f
            07:a3:14:b2:99:97:cb:75:fa:f5:e5:da:de:37:61:bd
            2a:fb:a9:10:4a:a9:1a:d8:b3:8d:d8:a6:d3:90:6d:c0
            35:5a:6e:d7:01:5c:73:d3:b7:6e:3c:e0:21:d9:58:55
            05:e5:d1:3b:4c:43:96:52:d0:80:a5:55:36:82:3f:d5
            11:10:71:66:4d:75:32:56:dc:f3:d0:05:b9:de:f3:bf
            29:52:30:a1:87:66:e2:6a:56:24:61:5c:48:6c:43:10
            cc:80:e2:5a:45:56:c0:ac:a0:a6:0c:9b:d1:84:a9:a9
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Key Usage (critical):
            Certificate signing.
        Subject Key Identifier (not critical):
            d433db6e317b06dcd2eba88b7954afcaef1d2e18
Other Information:
    Public Key Id:
        d433db6e317b06dcd2eba88b7954afcaef1d2e18

Signing certificate...
root@charity:/etc/ldap# sh -c "certtool --generate-privkey > /etc/ssl/private/charity_slapd_key.pem"
Generating a 2048 bit RSA private key...
root@charity:/etc/ldap# vim /etc/ssl/charity.info
root@charity:/etc/ldap# cat /etc/ssl/charity.info
organization = ProgClub
cn = charity.progclub.org
tls_www_server
encryption_key
signing_key
root@charity:/etc/ldap# certtool --generate-certificate --load-privkey /etc/ssl/private/charity_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/charity.info --outfile /etc/ssl/certs/charity_slapd_cert.pem
Generating a signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 4e3ce62a
    Validity:
        Not Before: Sat Aug 06 06:58:50 UTC 2011
        Not After: Sun Aug 05 06:58:50 UTC 2012
    Subject: O=ProgClub,CN=charity.progclub.org
    Subject Public Key Algorithm: RSA
        Modulus (bits 2048):
            cd:05:34:13:ac:58:0b:f7:bf:08:df:30:48:66:38:9c
            93:a0:d9:92:ca:67:db:a9:5b:fb:57:02:b1:f9:fa:b8
            74:5f:b0:37:f8:3b:c2:6d:17:39:1f:53:cc:cd:35:e0
            64:11:e3:05:6c:17:5e:a4:bb:11:ae:75:bf:e9:f5:39
            0d:be:92:98:fc:15:88:15:ff:62:db:74:49:bc:6f:7b
            b4:07:59:44:ef:4d:7c:30:b8:68:46:75:7d:20:a6:70
            3e:0f:ca:c6:2e:77:e0:a9:08:2d:25:64:69:9a:42:ef
            92:7e:86:88:20:fa:4e:38:58:43:59:1d:54:80:15:e9
            d1:00:ff:21:63:2c:10:a8:86:27:04:84:f6:5f:f2:7b
            9e:df:9b:47:27:af:3d:2f:22:b2:79:f3:c5:89:61:38
            38:26:19:40:2e:fe:cc:da:b8:78:82:4e:4e:fe:ac:ee
            b4:c5:8b:72:14:92:96:0f:95:33:b3:8c:5f:84:ec:49
            84:9a:ff:24:ff:7b:62:ab:91:e2:df:76:f7:0b:33:4a
            69:6c:e7:f4:65:4a:da:2e:04:e0:b2:ce:4d:a9:48:59
            38:28:08:e1:23:41:05:25:c6:71:76:5e:91:d7:c9:fd
            53:4d:54:36:56:73:d8:1b:a1:90:12:43:90:3b:41:5f
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Server.
        Key Usage (critical):
            Digital signature.
            Key encipherment.
        Subject Key Identifier (not critical):
            92543d9cae79eaeb4d0e1f0484a24527ec6d8bd4
        Authority Key Identifier (not critical):
            d433db6e317b06dcd2eba88b7954afcaef1d2e18
Other Information:
    Public Key Id:
        92543d9cae79eaeb4d0e1f0484a24527ec6d8bd4

Signing certificate...
root@charity:/etc/ldap# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/charity_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/charity_slapd_key.pem

modifying entry "cn=config"

^+D
root@charity:/etc/ldap# vim /etc/default/slapd
#SLAPD_SERVICES="ldap:/// ldapi:///"
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
root@charity:/etc/ldap# adduser openldap ssl-cert
Adding user `openldap' to group `ssl-cert' ...
Adding user openldap to group ssl-cert
Done.
root@charity:/etc/ldap# chgrp ssl-cert /etc/ssl/private/charity_slapd_key.pem
root@charity:/etc/ldap# chmod g+r /etc/ssl/private/charity_slapd_key.pem
root@charity:/etc/ldap# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
John 2011-08-06 05:35
Enabling mod_rewrite in Apache
root@charity:/var/www/www.progclub.org/pcblog# a2enmod rewrite
Enabling module rewrite.
Run '/etc/init.d/apache2 restart' to activate new configuration!
root@charity:/var/www/www.progclub.org/pcblog# apache2ctl graceful
That was after configuring a .htaccess file for pcblog:
jj5@charity:~$ cat /var/www/www.progclub.org/pcblog/.htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
</IfModule>
John 2011-08-05 23:15
Installing php5-mcrypt
root@charity:/var/www/www.progclub.org# apt-get install php5-mcrypt
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libmcrypt4
Suggested packages:
  libmcrypt-dev mcrypt
The following NEW packages will be installed:
  libmcrypt4 php5-mcrypt
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 104kB of archives.
After this operation, 365kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe libmcrypt4 2.5.8-3.1 [87.6kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe php5-mcrypt 5.3.2-0ubuntu1 [16.7kB]
Fetched 104kB in 0s (110kB/s)
Committing to: /etc/
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
Committed revision 32.
Selecting previously deselected package libmcrypt4.
(Reading database ... 17926 files and directories currently installed.)
Unpacking libmcrypt4 (from .../libmcrypt4_2.5.8-3.1_amd64.deb) ...
Selecting previously deselected package php5-mcrypt.
Unpacking php5-mcrypt (from .../php5-mcrypt_5.3.2-0ubuntu1_amd64.deb) ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2                                   [ OK ]
Setting up libmcrypt4 (2.5.8-3.1) ...
Setting up php5-mcrypt (5.3.2-0ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added php5/conf.d/mcrypt.ini
Committed revision 33.
John 2011-08-05 22:24
Creating pcblog database and user
root@charity:/var/www/www.progclub.org# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1030
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create user 'pcblog'@'%' identified by 'uiq82r3wy';
Query OK, 0 rows affected (0.09 sec)

mysql> create database pcblog;
Query OK, 1 row affected (0.09 sec)

mysql> select host, user from user;
+---------------------------+------------------+
| host                      | user             |
+---------------------------+------------------+
| %                         | pcblog           |
| 127.0.0.1                 | root             |
| 60-240-67-126.tpgi.com.au | pcwiki           |
| charity                   | root             |
| localhost                 | debian-sys-maint |
| localhost                 | pcwiki           |
| localhost                 | root             |
+---------------------------+------------------+
7 rows in set (0.01 sec)

mysql> grant all privileges on pcblog.* to 'pcblog'@'%' with grant option;
Query OK, 0 rows affected (0.14 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)

mysql> quit
Bye
John 2011-08-05 17:32
Adding user jedd
jj5@charity:~$ sudo adduser jedd
[sudo] password for jj5:
Adding user `jedd' ...
Adding new group `jedd' (1006) ...
Adding new user `jedd' (1006) with group `jedd' ...
Creating home directory `/home/jedd' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jedd
Enter the new value, or press ENTER for the default
    Full Name []: Jedd Rashbrooke
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n]
jj5@charity:~$ sudo adduser jedd sudo
Adding user `jedd' to group `sudo' ...
Adding user jedd to group sudo
Done.
John 2011-08-05 16:59
Disabling IPSec
Can't get IPSec to work. Commented out /etc/network/if-up.d/ip and removed the policies from /etc/ipsec-tools.conf.
John 2011-08-05 16:10
Trying to get kadmin to work from Hope
Found this.
root@charity:~# kadmin.local -p jj5/admin -q "addprinc -randkey host/hope.progclub.net"
Authenticating as principal jj5/admin with password.
WARNING: no policy specified for host/hope.progclub.net@PROGCLUB.ORG; defaulting to no policy
Principal "host/hope.progclub.net@PROGCLUB.ORG" created.
root@charity:~# kadmin.local -p jj5/admin -q "ktadd -k /etc/krb5.keytab host/hope.progclub.net"
Authenticating as principal jj5/admin with password.
Entry for principal host/hope.progclub.net with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
Ah, I was confused.
root@charity:/etc# rm krb5.keytab
John 2011-08-05 14:57
Changing jj5/admin password in Kerberos
This is so my password will be different from the Linux system password, so I can tell if the system is logging me in with my Kerberos credentials (when I configure SSH to use Kerberos, for example).
jj5@charity:~$ kadmin -p jj5/admin
Couldn't open log file /var/log/krb5.log: Permission denied
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin: cpw jj5/admin
Enter password for principal "jj5/admin@PROGCLUB.ORG":
Re-enter password for principal "jj5/admin@PROGCLUB.ORG":
Password for "jj5/admin@PROGCLUB.ORG" changed.
kadmin: quit
Adding user jj5
jj5@charity:~$ kadmin -p jj5/admin
Couldn't open log file /var/log/krb5.log: Permission denied
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin: addprinc jj5
WARNING: no policy specified for jj5@PROGCLUB.ORG; defaulting to no policy
Enter password for principal "jj5@PROGCLUB.ORG":
Re-enter password for principal "jj5@PROGCLUB.ORG":
Principal "jj5@PROGCLUB.ORG" created.
kadmin: quit
John 2011-08-05 00:26
Kerberizing Apache
Following these instructions.
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# kadmin.local
Authenticating as principal root/admin@PROGCLUB.ORG with password.
kadmin.local: addprinc -randkey HTTP/charity.progclub.org
WARNING: no policy specified for HTTP/charity.progclub.org@PROGCLUB.ORG; defaulting to no policy
Principal "HTTP/charity.progclub.org@PROGCLUB.ORG" created.
kadmin.local: ktadd -k /etc/apache2/apache2.keytab HTTP/charity.progclub.org
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/apache2/apache2.keytab.
kadmin.local: quit
root@charity:~# chown www-data:www-data /etc/apache2/apache2.keytab
root@charity:~# chmod 400 /etc/apache2/apache2.keytab
root@charity:~# apt-get install libapache2-mod-auth-kerb
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libapache2-mod-auth-kerb
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 20.3kB of archives.
After this operation, 119kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libapache2-mod-auth-kerb 5.3-5build2 [20.3kB]
Fetched 20.3kB in 0s (36.1kB/s)
Committing to: /etc/
modified .etckeeper
modified krb5.conf
added apache2/apache2.keytab
added krb5kdc/kadm5.acl
modified krb5kdc/kdc.conf
added krb5kdc/stash
Committed revision 28.
Selecting previously deselected package libapache2-mod-auth-kerb.
(Reading database ... 17919 files and directories currently installed.)
Unpacking libapache2-mod-auth-kerb (from .../libapache2-mod-auth-kerb_5.3-5build2_amd64.deb) ...
Setting up libapache2-mod-auth-kerb (5.3-5build2) ...
Enabling module auth_kerb.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Committing to: /etc/
added apache2/mods-available/auth_kerb.load
added apache2/mods-enabled/auth_kerb.load
Committed revision 29.
root@charity:~# cd /etc/apache2/sites-available/
root@charity:/etc/apache2/sites-available# vim default-ssl
<Directory /var/www/www.progclub.org/test>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealm PROGCLUB.ORG
    Krb5Keytab /etc/apache2/apache2.keytab
    #KrbMethodK5Passwd off #optional--makes GSSAPI SPNEGO a requirement
    Require valid-user
</Directory>
root@charity:/etc/apache2/sites-available# cd /var/www/www.progclub.org/
root@charity:/var/www/www.progclub.org# mkdir test
root@charity:/var/www/www.progclub.org# cd test
root@charity:/var/www/www.progclub.org/test# vim index.php
<?php phpinfo(); ?>
root@charity:/var/www/www.progclub.org/test# apache2ctl graceful
John 2011-08-04 21:21
Installing Kerberos
Following these instructions.
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# nslookup charity.progclub.org
bash: nslookup: command not found
root@charity:~# apt-get install nslookup
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package nslookup
root@charity:~# apt-cache search nslookup
dnsutils - Clients provided with BIND
root@charity:~# apt-get install dnsutils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9-host geoip-database libbind9-60 libdns64 libgeoip1 libisc60 libisccc60 libisccfg60 liblwres60
Suggested packages:
  rblcheck geoip-bin
The following NEW packages will be installed:
  bind9-host dnsutils geoip-database libbind9-60 libdns64 libgeoip1 libisc60 libisccc60 libisccfg60 liblwres60
0 upgraded, 10 newly installed, 0 to remove and 2 not upgraded.
Need to get 2,024kB of archives.
After this operation, 4,866kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libgeoip1 1.4.6.dfsg-17 [109kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisc60 1:9.7.0.dfsg.P1-1ubuntu0.3 [170kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libdns64 1:9.7.0.dfsg.P1-1ubuntu0.3 [692kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisccc60 1:9.7.0.dfsg.P1-1ubuntu0.3 [29.9kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisccfg60 1:9.7.0.dfsg.P1-1ubuntu0.3 [53.1kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libbind9-60 1:9.7.0.dfsg.P1-1ubuntu0.3 [34.7kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/main liblwres60 1:9.7.0.dfsg.P1-1ubuntu0.3 [48.5kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/main bind9-host 1:9.7.0.dfsg.P1-1ubuntu0.3 [68.6kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dnsutils 1:9.7.0.dfsg.P1-1ubuntu0.3 [162kB]
Get:10 http://archive.ubuntu.com/ubuntu/ lucid/main geoip-database 1.4.6.dfsg-17 [658kB]
Fetched 2,024kB in 8s (227kB/s)
Selecting previously deselected package libgeoip1.
(Reading database ... 17754 files and directories currently installed.)
Unpacking libgeoip1 (from .../libgeoip1_1.4.6.dfsg-17_amd64.deb) ...
Selecting previously deselected package libisc60.
Unpacking libisc60 (from .../libisc60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libdns64.
Unpacking libdns64 (from .../libdns64_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libisccc60.
Unpacking libisccc60 (from .../libisccc60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libisccfg60.
Unpacking libisccfg60 (from .../libisccfg60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libbind9-60.
Unpacking libbind9-60 (from .../libbind9-60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package liblwres60.
Unpacking liblwres60 (from .../liblwres60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package bind9-host.
Unpacking bind9-host (from .../bind9-host_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package dnsutils.
Unpacking dnsutils (from .../dnsutils_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package geoip-database.
Unpacking geoip-database (from .../geoip-database_1.4.6.dfsg-17_all.deb) ...
Processing triggers for man-db ...
Setting up libgeoip1 (1.4.6.dfsg-17) ...
Setting up libisc60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up libdns64 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up libisccc60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up libisccfg60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up libbind9-60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up liblwres60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up bind9-host (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up dnsutils (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up geoip-database (1.4.6.dfsg-17) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# nslookup charity.progclub.org
Server:         67.207.128.4
Address:        67.207.128.4#53

Non-authoritative answer:
Name:   charity.progclub.org
Address: 67.207.128.184
root@charity:~# nslookup 67.207.128.184
Server:         67.207.128.4
Address:        67.207.128.4#53

Non-authoritative answer:
184.128.207.67.in-addr.arpa     name = charity.progclub.org.

Authoritative answers can be found from:
128.207.67.in-addr.arpa nameserver = NS2.SLICEHOST.NET.
128.207.67.in-addr.arpa nameserver = NS1.SLICEHOST.NET.
NS1.SLICEHOST.NET       internet address = 67.23.4.57
NS2.SLICEHOST.NET       internet address = 173.45.224.132
root@charity:~# apt-get install krb5-kdc krb5-admin-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  krb5-config krb5-user libgssrpc4 libkadm5clnt-mit7 libkadm5srv-mit7 libkdb5-4
Suggested packages:
  openbsd-inetd inet-superserver krb5-kdc-ldap krb5-doc
The following NEW packages will be installed:
  krb5-admin-server krb5-config krb5-kdc krb5-user libgssrpc4 libkadm5clnt-mit7 libkadm5srv-mit7 libkdb5-4
0 upgraded, 8 newly installed, 0 to remove and 2 not upgraded.
Need to get 777kB of archives.
After this operation, 2,187kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libgssrpc4 1.8.1+dfsg-2ubuntu0.9 [82.2kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkadm5clnt-mit7 1.8.1+dfsg-2ubuntu0.9 [62.8kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkdb5-4 1.8.1+dfsg-2ubuntu0.9 [62.3kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkadm5srv-mit7 1.8.1+dfsg-2ubuntu0.9 [76.8kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main krb5-user 1.8.1+dfsg-2ubuntu0.9 [137kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe krb5-kdc 1.8.1+dfsg-2ubuntu0.9 [219kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe krb5-admin-server 1.8.1+dfsg-2ubuntu0.9 [113kB]
Fetched 777kB in 1s (560kB/s)
Preconfiguring packages ...
Selecting previously deselected package libgssrpc4.
(Reading database ... 17824 files and directories currently installed.)
Unpacking libgssrpc4 (from .../libgssrpc4_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkadm5clnt-mit7.
Unpacking libkadm5clnt-mit7 (from .../libkadm5clnt-mit7_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkdb5-4.
Unpacking libkdb5-4 (from .../libkdb5-4_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkadm5srv-mit7.
Unpacking libkadm5srv-mit7 (from .../libkadm5srv-mit7_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-config.
Unpacking krb5-config (from .../krb5-config_2.2_all.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-kdc.
Unpacking krb5-kdc (from .../krb5-kdc_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-admin-server.
Unpacking krb5-admin-server (from .../krb5-admin-server_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libgssrpc4 (1.8.1+dfsg-2ubuntu0.9) ...
Setting up libkadm5clnt-mit7 (1.8.1+dfsg-2ubuntu0.9) ...
Setting up libkdb5-4 (1.8.1+dfsg-2ubuntu0.9) ...
Setting up libkadm5srv-mit7 (1.8.1+dfsg-2ubuntu0.9) ...
Setting up krb5-config (2.2) ...
Setting up krb5-user (1.8.1+dfsg-2ubuntu0.9) ...
Setting up krb5-kdc (1.8.1+dfsg-2ubuntu0.9) ...
krb5kdc: cannot initialize realm PROGCLUB.ORG - see log file for details
Setting up krb5-admin-server (1.8.1+dfsg-2ubuntu0.9) ...
kadmind: No such file or directory while initializing, aborting
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added krb5.conf
added krb5kdc
added default/krb5-admin-server
added default/krb5-kdc
added init.d/krb5-admin-server
added init.d/krb5-kdc
added krb5kdc/kdc.conf
added rc0.d/K18krb5-admin-server
added rc0.d/K18krb5-kdc
added rc1.d/K18krb5-admin-server
added rc1.d/K18krb5-kdc
added rc2.d/S18krb5-admin-server
added rc2.d/S18krb5-kdc
added rc3.d/S18krb5-admin-server
added rc3.d/S18krb5-kdc
added rc4.d/S18krb5-admin-server
added rc4.d/S18krb5-kdc
added rc5.d/S18krb5-admin-server
added rc5.d/S18krb5-kdc
added rc6.d/K18krb5-admin-server
added rc6.d/K18krb5-kdc
Committed revision 27.
Package configuration

Configuring krb5-admin-server

Setting up a Kerberos Realm

This package contains the administrative tools required to run the Kerberos master server.

However, installing this package does not automatically set up a Kerberos realm. This can be done later by running the "krb5_newrealm" command.

Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide found in the krb5-doc package.

<Ok>
root@charity:~# dpkg-reconfigure krb5-kdc
Package configuration

Configuring krb5-kdc

The Kerberos Key Distribution Center (KDC) configuration files, in /etc/krb5kdc, may be created automatically.

By default, an example template will be copied into this directory with local parameters filled in.

Administrators who already have infrastructure to manage their Kerberos configuration may wish to disable these automatic configuration changes.

Create the Kerberos KDC configuration automatically?

<Yes>    <No>
<Yes>
krb5kdc: cannot initialize realm PROGCLUB.ORG - see log file for details
root@charity:~# cd /var/log
root@charity:/var/log# ls
apache2        dmesg           kern.log    mysql.log        syslog.2.gz
apt            dmesg.0         kern.log.1  mysql.log.1.gz   syslog.3.gz
auth.log       dmesg.1.gz      lastlog     mysql.log.2.gz   syslog.4.gz
auth.log.1     dmesg.2.gz      lpr.log     mysql.log.3.gz   syslog.5.gz
boot           dmesg.3.gz      mail.err    mysql.log.4.gz   syslog.6.gz
bootstrap.log  dmesg.4.gz      mail.info   mysql.log.5.gz   syslog.7.gz
btmp           dpkg.log        mail.log    mysql.log.6.gz   udev
btmp.1         dpkg.log.1      mail.warn   mysql.log.7.gz   user.log
daemon.log     fail2ban.log    messages    news             wtmp
daemon.log.1   fail2ban.log.1  messages.1  pycentral.log    wtmp.1
debug          faillog         mysql       syslog
debug.1        fsck            mysql.err   syslog.1
Where is the KRB log!?
root@charity:/etc# cat krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG

[realms]
    PROGCLUB.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
root@charity:/etc# reboot

Broadcast message from jj5@charity
    (/dev/pts/0) at 11:49 ...

The system is going down for reboot NOW!
root@charity:/etc/krb5kdc# vim kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin@PROGCLUB.ORG *
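A checker for kadm5.acl, added as an example and not from the original log, that models how kadmind reads the file: entries are scanned in order and the first whose principal pattern (and target pattern, if present) matches decides, "*" matches one whole principal component, an uppercase letter denies that right, and "*" or "x" in the permissions field grants everything. The hostadmin entry and the host/hope.progclub.net target are constructed for illustration; the */admin and jj5 entries are the ones on charity.

```python
"""Check a kadmin client's rights against an MIT kadm5.acl file.

Added example, not from the original log. Models kadmind's lookup as
documented: entries are scanned in order, the first whose principal pattern
(and target pattern, if the entry has one) matches is used, and the request
is allowed only if that entry lists the permission letter, or '*'/'x' for all.
An uppercase letter in the permissions field explicitly denies that right."""


def principal_matches(pattern, principal):
    """Match component by component; a '*' component in the pattern matches any
    one component. The realm is treated the same way here (a simplification)."""
    p_name, _, p_realm = pattern.partition("@")
    n_name, _, n_realm = principal.partition("@")
    if p_realm != "*" and p_realm != n_realm:
        return False
    p_parts, n_parts = p_name.split("/"), n_name.split("/")
    if len(p_parts) != len(n_parts):
        return False
    return all(pp == "*" or pp == np for pp, np in zip(p_parts, n_parts))


def parse_acl(text):
    """Return [(principal_pattern, permissions, target_pattern_or_None), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed kadm5.acl line: " + raw)
        entries.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries


def check(entries, client, perm, target=None):
    """True if 'client' holds single-letter permission 'perm' (on 'target', when given)."""
    for pattern, perms, target_pattern in entries:
        if not principal_matches(pattern, client):
            continue
        # An entry with a target only applies to requests that name a matching target.
        if target_pattern is not None and (target is None or not principal_matches(target_pattern, target)):
            continue
        if perm.upper() in perms:
            return False             # explicit deny wins for this entry
        return perm in perms or "*" in perms or "x" in perms
    return False                     # no entry matched: kadmind denies


# The first two entries are the ones in use on charity; the hostadmin entry is
# constructed for illustration: it may only change passwords of (c) and inquire
# about (i) host/* principals, and nothing else.
SAMPLE_ACL = """\
# This file is the access control list for krb5 administration.
*/admin@PROGCLUB.ORG *
jj5@PROGCLUB.ORG *
hostadmin@PROGCLUB.ORG ci host/*@PROGCLUB.ORG
"""

ENTRIES = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for client, perm, target in [
        ("jj5/admin@PROGCLUB.ORG", "a", None),
        ("hostadmin@PROGCLUB.ORG", "c", "host/hope.progclub.net@PROGCLUB.ORG"),
        ("hostadmin@PROGCLUB.ORG", "c", "jj5@PROGCLUB.ORG"),
    ]:
        print(client, perm, target, "->", check(ENTRIES, client, perm, target))
```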
root@charity:/etc/krb5kdc# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'PROGCLUB.ORG',
master key name 'K/M@PROGCLUB.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.
root@charity:/etc/krb5kdc# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
root@charity:/etc# /etc/init.d/k
killprocs          krb5-admin-server  krb5-kdc
root@charity:/etc# /etc/init.d/krb5-kdc restart
 * Restarting Kerberos KDC krb5kdc
   ...done.
root@charity:/etc# /etc/init.d/krb5-admin-server restart
 * Restarting Kerberos administrative servers kadmind
root@charity:/etc#
root@charity:/var/lib/krb5kdc# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
root@charity:/var/lib/krb5kdc# kadmin.local
Authenticating as principal root/admin@PROGCLUB.ORG with password.
kadmin.local: addprinc jj5/admin@PROGCLUB.ORG
WARNING: no policy specified for jj5/admin@PROGCLUB.ORG; defaulting to no policy
Enter password for principal "jj5/admin@PROGCLUB.ORG":
Re-enter password for principal "jj5/admin@PROGCLUB.ORG":
Principal "jj5/admin@PROGCLUB.ORG" created.
kadmin.local: quit
root@charity:/var/lib/krb5kdc# kadmin -p jj5/admin
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin: ?
Available kadmin requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
kadmin: listprincs
K/M@PROGCLUB.ORG
jj5/admin@PROGCLUB.ORG
kadmin/admin@PROGCLUB.ORG
kadmin/changepw@PROGCLUB.ORG
kadmin/charity.progclub.org@PROGCLUB.ORG
kadmin/history@PROGCLUB.ORG
krbtgt/PROGCLUB.ORG@PROGCLUB.ORG
kadmin: quit
root@charity:/etc# cat krb5.conf
[logging]
    default = FILE:/var/log/krb5.log

[libdefaults]
    default_realm = PROGCLUB.ORG

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    PROGCLUB.ORG = {
        kdc = kerberos.progclub.org:88
        admin_server = kerberos.progclub.org
        default_domain = progclub.org
    }

[domain_realm]
    .progclub.org = PROGCLUB.ORG
    progclub.org = PROGCLUB.ORG
    .progclub.com = PROGCLUB.ORG
    progclub.com = PROGCLUB.ORG
    .progclub.info = PROGCLUB.ORG
    progclub.info = PROGCLUB.ORG
    .progclub.net = PROGCLUB.ORG
    progclub.net = PROGCLUB.ORG
    .progclub.co = PROGCLUB.ORG
    progclub.co = PROGCLUB.ORG
    .progclub.mobi = PROGCLUB.ORG
    progclub.mobi = PROGCLUB.ORG

[login]
    krb4_convert = true
    krb4_get_tickets = false
root@charity:/etc# kadmin -p jj5/admin
kadmin: cpw jj5/admin
Enter password for principal "jj5/admin@PROGCLUB.ORG":
Re-enter password for principal "jj5/admin@PROGCLUB.ORG":
Password for "jj5/admin@PROGCLUB.ORG" changed.
kadmin: quit
John 2011-08-03 07:42
Adding user friggles
jj5@charity:~$ sudo adduser friggles
[sudo] password for jj5:
Adding user `friggles' ...
Adding new group `friggles' (1005) ...
Adding new user `friggles' (1005) with group `friggles' ...
Creating home directory `/home/friggles' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for friggles
Enter the new value, or press ENTER for the default
        Full Name []: <full name>
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
jj5@charity:~$ sudo gpasswd -a friggles sudo
Adding user friggles to group sudo
John 2011-08-01 00:12
Configured /wiki URLs
Decided that 'wiki' rather than 'pc' is more appropriate in the URLs for ProgClub. Updated the Apache web-site configuration files, patched LocalSettings.php in the pcwiki directory, and updated the root redirection script. The old 'pc' links will remain functional.
John 2011-07-31 19:47
Adding user jav
jj5@charity:~$ sudo adduser jav
[sudo] password for jj5:
Adding user `jav' ...
Adding new group `jav' (1004) ...
Adding new user `jav' (1004) with group `jav' ...
Creating home directory `/home/jav' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jav
Enter the new value, or press ENTER for the default
        Full Name []: <full name>
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
John 2011-07-30 17:15
Configuring IPSec
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 0B/433kB of archives.
After this operation, 1,217kB of additional disk space will be used.
Committing to: /etc/
modified ipsec-tools.conf
modified iptables.up.rules
Committed revision 22.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 17754 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# cd /etc/network/if-pre-up.d/
root@charity:/etc/network/if-pre-up.d# ll
total 16
drwxr-xr-x 2 root root 4096 2011-07-26 17:49 ./
drwxr-xr-x 6 root root 4096 2010-04-22 19:09 ../
-rwxr-xr-x 1 root root  344 2011-05-17 07:41 ethtool*
-rwxr-xr-x 1 root root   58 2011-07-26 17:49 iptables*
root@charity:/etc/network/if-pre-up.d# cat iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
root@charity:/etc/network/if-pre-up.d# vim ip
#!/bin/sh
# Hope
ip route add 67.207.130.204 dev eth0 advmss 200
# Honesty
ip route add 67.207.129.103 dev eth0 advmss 200
root@charity:/etc/network/if-pre-up.d# chmod +x ip
root@charity:/etc/network/if-pre-up.d# cd /etc/
root@charity:/etc# vim iptables.up.rules
*filter

# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT

# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT

# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT

# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT

# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT

# Allow IPSec traffic
#-A INPUT -p 50 -j ACCEPT
#-A INPUT -p 51 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
root@charity:/etc# vim ipsec-tools.conf
#!/usr/sbin/setkey -f

# Charity/Hope security policy
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;

# Charity/Honesty security policy
spdadd 67.207.128.184 67.207.129.103 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.129.103 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;
root@charity:/etc# vim racoon/psk.txt
# Hope
67.207.130.204 <secret>
# Honesty
67.207.129.103 <secret>
root@charity:/etc# vim racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote anonymous {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    generate_policy off;
}

sainfo anonymous {
    pfs_group modp768;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

#log debug2;
root@charity:/etc# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:/etc# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc# ll racoon/psk.txt
-rw------- 1 root root 92 2011-07-30 07:37 racoon/psk.txt
root@charity:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
modified ipsec-tools.conf.bak
modified iptables.up.rules
added network/if-pre-up.d/ip
modified racoon/psk.txt
modified racoon/racoon.conf
Committed revision 23.
root@charity:/etc/racoon# /etc/network/if-pre-up.d/ip
RTNETLINK answers: File exists
Now off to configure hope and...
...damn, it didn't work. Oh well, no racoon for you!
root@charity:~# apt-get remove racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  racoon
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
After this operation, 1,217kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database ... 17818 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# cp /etc/ipsec-tools.conf.bak /etc/ipsec-tools.conf
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# Charity/Hope configuration

# ESP SAs using 192 bit long AES keys (the 168 + 24 parity split only applies to 3DES)
add 67.207.128.184 67.207.130.204 esp 1 -E aes-cbc 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.130.204 67.207.128.184 esp 2 -E aes-cbc 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;

# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.130.204 ah 3 -A hmac-sha1 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.130.204 67.207.128.184 ah 4 -A hmac-sha1 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;

# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;

# Charity/Honesty configuration

# ESP SAs using 192 bit long AES keys
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;

# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;

# Security policies
spdadd 67.207.128.184 67.207.129.103 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.129.103 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;
root@charity:~# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:~# cd /etc/network
root@charity:/etc/network# mv if-pre-up.d/ip if-up.d/
root@charity:/etc/network# if-up.d/ip
root@charity:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
missing network/if-pre-up.d/ip
modified network/if-pre-up.d/ip
added network/if-up.d/ip
Committed revision 24.
That should do it. Off to configure the other end... on hope and honesty...
...works!
John 2011-07-30 09:38
Configuring racoon
See this article for a run-down.
# vim /etc/racoon/psk.txt
# Hope
67.207.130.204 <secret>
# vim /etc/racoon/racoon.conf
remote 67.207.130.204 {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    generate_policy off;
}

sainfo address 67.207.130.204[any] any address 67.207.130.204/32[any] any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
# vim /etc/ipsec-tools.conf
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;
root@charity:/etc/racoon# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc/racoon# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:/etc/racoon# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
Still no dice... :(
John 2011-07-29 23:59
Installing racoon
Having trouble getting IPSec to work, gonna try installing racoon and giving that a go.
root@charity:/etc# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 433kB of archives.
After this operation, 1,217kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main racoon 1:0.7.1-1.6ubuntu1 [433kB]
Fetched 433kB in 1s (329kB/s)
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added ipsec-tools.conf.bak
Committed revision 19.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 17749 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added racoon
added default/racoon
added init.d/racoon
added racoon/psk.txt
added racoon/racoon-tool.conf
added racoon/racoon.conf
added rc1.d/K89racoon
added rcS.d/S40racoon
Committed revision 20.
The install prompted for package configuration information, and I chose the 'direct' configuration method (the default) over 'racoon-tool', the other option.
Configuring racoon

Racoon can be configured two ways, either by directly editing /etc/racoon/racoon.conf or using the racoon-tool administrative front end. racoon-tool is now deprecated and is only available for backward compatibility. New installations should always use the "direct" method.

Configuration mode for racoon IKE daemon.

    direct
    racoon-tool

    <Ok>
John 2011-07-28 11:32
Firstly some house-keeping
$ cd /etc
$ sudo bzr status
[sudo] password for jj5:
modified:
  shadow
$ sudo etckeeper commit "Changed password for jj5"
Committing to: /etc/
modified shadow
Committed revision 13.
Installing IPSec
See this article for instructions.
$ sudo apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (116kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 17714 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 14.
To generate two 128-bit 'ah' keys:
$ dd if=/dev/random count=16 bs=1 | xxd -ps
$ dd if=/dev/random count=16 bs=1 | xxd -ps
To generate two 192-bit 'esp' keys:
$ dd if=/dev/random count=24 bs=1 | xxd -ps
$ dd if=/dev/random count=24 bs=1 | xxd -ps
Then edit the ipsec-tools.conf file,
$ sudo vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool # utility. racoon-tool will setup SAs and SPDs automatically using # /etc/racoon/racoon-tool.conf configuration. #
# Flush the SAD and SPD flush; spdflush;
# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5 0x<ah_1>;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5 0x<ah_2>;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc 0x<esp_1>;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc 0x<esp_2>;
# Security policies spdadd 67.207.128.184 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;
Make sure the ipsec-tools.conf file is not world-readable:
$ sudo chmod 750 ipsec-tools.conf
Now I'll go and set up the other side of the connection...
Then,
$ sudo /etc/init.d/setkey start
 * Loading IPsec SA/SP database from /etc/ipsec-tools.conf:   [ OK ]
$ sudo etckeeper commit "Configured IPSec between charity and hope"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
Committed revision 15.
Done!
...or, not so done. After testing, I discovered that IPTables was getting in the way of the IPSec traffic.
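The manual-keying procedure above (generate per-direction keys, write SAD and SPD entries), as an added example that is not the page's own script: a small POSIX shell script that produces fresh keys of the right length for aes-cbc (24 bytes) and hmac-sha1 (20 bytes), checks them, and emits the setkey entries for one peer pair. It reads /dev/urandom rather than the page's /dev/random (both draw on the kernel CSPRNG; /dev/random can block on a freshly booted VPS) and assumes od(1) and dd(1) are present. The function names, the SPI numbering and the 192.0.2.0/24 addresses in the test are this example's own. Two points the entries above leave implicit: every direction of every peer pair needs its own key and its own SPI (the repeated deadb33f strings on the page are placeholders), and SPI values 1 through 255 are reserved by IANA under RFC 4303, so the 0x200 series used in this entry is a better starting point than the 1 to 8 used in the later one.

```sh
#!/bin/sh
# Added example for the charity admin page, not the wiki's own script.
# Assumes /dev/urandom, dd(1) and od(1); function names are this example's own.

# gen_key_hex NBYTES: print NBYTES of random data as lowercase hex (2*NBYTES chars).
gen_key_hex() {
    # od -An -tx1 prints space-separated bytes; strip the spaces and newlines.
    dd if=/dev/urandom bs=1 count="$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# check_key_hex HEX NBYTES: succeed only if HEX is exactly NBYTES of lowercase hex.
# setkey silently accepts a short key for some algorithms, so check before writing.
check_key_hex() {
    key="$1"
    want=$(( $2 * 2 ))
    [ "${#key}" -eq "$want" ] || return 1
    case "$key" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# ipsec_manual_conf LOCAL PEER SPI_BASE: emit SAD and SPD entries for one peer.
# ESP: aes-cbc with a 192-bit (24-byte) key. AH: hmac-sha1 with a 160-bit (20-byte) key.
# Each direction gets its own SPI (SPI_BASE..SPI_BASE+3) and its own key.
# SPI_BASE should be 256 or above; 1-255 are reserved (RFC 4303).
ipsec_manual_conf() {
    local_ip="$1"
    peer_ip="$2"
    spi="$3"
    [ "$spi" -ge 256 ] || { echo "SPI base must be >= 256" >&2; return 1; }
    esp_out=$(gen_key_hex 24); esp_in=$(gen_key_hex 24)
    ah_out=$(gen_key_hex 20);  ah_in=$(gen_key_hex 20)
    for k in "$esp_out" "$esp_in"; do check_key_hex "$k" 24 || return 1; done
    for k in "$ah_out" "$ah_in";   do check_key_hex "$k" 20 || return 1; done
    cat <<EOF
# ${local_ip} <-> ${peer_ip}
# ESP SAs: aes-cbc, 192-bit keys (AES has no parity bits, unlike 3DES)
add ${local_ip} ${peer_ip} esp $((spi)) -E aes-cbc 0x${esp_out};
add ${peer_ip} ${local_ip} esp $((spi + 1)) -E aes-cbc 0x${esp_in};
# AH SAs: hmac-sha1, 160-bit keys
add ${local_ip} ${peer_ip} ah $((spi + 2)) -A hmac-sha1 0x${ah_out};
add ${peer_ip} ${local_ip} ah $((spi + 3)) -A hmac-sha1 0x${ah_in};
# Security policies: require ESP and AH in transport mode in both directions
spdadd ${local_ip} ${peer_ip} any -P out ipsec esp/transport//require ah/transport//require;
spdadd ${peer_ip} ${local_ip} any -P in ipsec esp/transport//require ah/transport//require;
EOF
}

# Usage: build a complete ipsec-tools.conf for charity <-> hope (addresses from the page).
# Redirect to /etc/ipsec-tools.conf on charity, then paste the same SA lines on the peer;
# only the SPD "in"/"out" directions swap on the other side.
printf '#!/usr/sbin/setkey -f\n\nflush;\nspdflush;\n\n'
ipsec_manual_conf 67.207.128.184 67.207.130.204 512
```

The SA lines are identical on both hosts, since an SA is identified by (destination, SPI, protocol); only the two spdadd lines swap `-P out` and `-P in` on the peer. Keep the output mode 600 as the page does for psk.txt, because the file now holds the long-term keys.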
John 2011-07-27 12:01
Public read-only svn access via HTTPS and HTTP
See this article for the general idea.
# cd /etc/apache2/
# vim dav_svn.ro.authz
[/]
* = r
# vim dav_svn.rw.authz
[/]
jj5 = rw
# vim sites-available/default-ssl
<Location /svn>
    DAV svn
    SVNParentPath /var/svn
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /etc/apache2/dav_svn.passwd
    AuthzSVNAccessFile /etc/apache2/dav_svn.rw.authz
    Require valid-user
</Location>

<Location /svnro>
    DAV svn
    SVNParentPath /var/svn
    AuthzSVNAccessFile /etc/apache2/dav_svn.ro.authz
</Location>
# vim sites-available/default
<Location /svnro>
    DAV svn
    SVNParentPath /var/svn
    AuthzSVNAccessFile /etc/apache2/dav_svn.ro.authz
</Location>
# apache2ctl graceful
# etckeeper commit "Public read-only svn access"
Committing to: /etc/
added apache2/dav_svn.ro.authz
added apache2/dav_svn.rw.authz
modified apache2/sites-available/default
modified apache2/sites-available/default-ssl
Committed revision 12.
John 2011-07-27 06:12
Installing Subversion with HTTPS support
See this article for a primer.
# apt-get install subversion libapache2-svn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libneon27-gnutls libsvn1
Suggested packages:
  db4.8-util subversion-tools
The following NEW packages will be installed:
  libapache2-svn libneon27-gnutls libsvn1 subversion
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,595kB of archives.
After this operation, 7,250kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libneon27-gnutls 0.29.0-1 [136kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libsvn1 1.6.6dfsg-2ubuntu1.3 [906kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe libapache2-svn 1.6.6dfsg-2ubuntu1.3 [168kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main subversion 1.6.6dfsg-2ubuntu1.3 [385kB]
Fetched 1,595kB in 1s (866kB/s)
Selecting previously deselected package libneon27-gnutls.
(Reading database ... 17613 files and directories currently installed.)
Unpacking libneon27-gnutls (from .../libneon27-gnutls_0.29.0-1_amd64.deb) ...
Selecting previously deselected package libsvn1.
Unpacking libsvn1 (from .../libsvn1_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Selecting previously deselected package libapache2-svn.
Unpacking libapache2-svn (from .../libapache2-svn_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Selecting previously deselected package subversion.
Unpacking subversion (from .../subversion_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Processing triggers for man-db ...
Setting up libneon27-gnutls (0.29.0-1) ...
Setting up libsvn1 (1.6.6dfsg-2ubuntu1.3) ...
Setting up libapache2-svn (1.6.6dfsg-2ubuntu1.3) ...
Considering dependency dav for dav_svn:
Enabling module dav.
Enabling module dav_svn.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Setting up subversion (1.6.6dfsg-2ubuntu1.3) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added emacs
added subversion
added apache2/mods-available/dav_svn.conf
added apache2/mods-available/dav_svn.load
added apache2/mods-enabled/dav.load
added apache2/mods-enabled/dav_svn.conf
added apache2/mods-enabled/dav_svn.load
added bash_completion.d/subversion
added emacs/site-start.d
added emacs/site-start.d/50psvn.el
added subversion/config
added subversion/servers
Committed revision 9.
# apache2ctl graceful
# cd /var
# ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  spool  tmp  www
# mkdir svn
# cd svn
# svnadmin create pcrepo
# ls
pcrepo
# chown -R www-data:www-data pcrepo/
# chmod -R g+ws pcrepo/
# htpasswd -c /etc/apache2/dav_svn.passwd jj5
New password:
Re-type new password:
Adding password for user jj5
# vim /etc/apache2/sites-enabled/000-default-ssl
Add the following,
<Location /svn>
    DAV svn
    SVNParentPath /var/svn
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /etc/apache2/dav_svn.passwd
    Require valid-user
</Location>
# apache2ctl graceful
$ pwd
/home/jj5
$ mkdir test
$ cd test
$ svn co https://www.progclub.org/svn/pcrepo .
Authentication realm: <https://www.progclub.org> Subversion Repository
Password for 'jj5':
Checked out revision 0.
Works!
Migrating mediawiki-1.17.0 to pcwiki, and checking into svn
$ cd ..
$ mv test pcrepo
$ ls
bin  pcrepo
$ cd pcrepo/
$ mkdir pcwiki
$ cd pcwiki/
$ mkdir trunk
$ mkdir branches
$ mkdir tags
$ cp -R /var/www/www.progclub.org/mediawiki-1.17.0/* trunk/
$ ls
branches  tags  trunk
$ cd trunk/
$ ls
api.php  api.php5  bin  cache  config  COPYING  CREDITS  docs  extensions  FAQ
HISTORY  images  img_auth.php  img_auth.php5  includes  index.php  index.php5
INSTALL  languages  load.php  load.php5  LocalSettings.php  maintenance  math
mw-config  opensearch_desc.php  opensearch_desc.php5  php5.php5  profileinfo.php
README  redirect.php  redirect.php5  redirect.phtml  RELEASE-NOTES  resources
serialized  skins  StartProfiler.sample  thumb.php  thumb.php5  trackback.php
trackback.php5  UPGRADE  wiki.phtml
$ rm LocalSettings.php
$ cd ../..
$ svn add pcwiki/
$ svn ci -m "Checking in original mediawiki files"
$ sudo etckeeper commit "Subversion HTTPS"
[sudo] password for jj5:
Committing to: /etc/
added apache2/dav_svn.passwd
modified apache2/sites-available/default-ssl
Committed revision 10.
Then using TortoiseSVN on my workstation I checked out,
https://www.progclub.org/svn/pcrepo/pcwiki/trunk
into
C:\Inetpub\wwwroot\pcwiki
Copied in LocalSettings.php, added it to the ignore list, and checked in.
# cd /var/www/www.progclub.org/
# svn co https://www.progclub.org/svn/pcrepo/pcwiki/trunk pcwiki
# cp mediawiki-1.17.0/LocalSettings.php pcwiki/
# cd /etc/apache2/sites-enabled/
# vim 000-default
Changed alias on line 17,
Alias /pc /var/www/www.progclub.org/pcwiki/index.php
# vim 000-default-ssl
Changed alias on line 17,
Alias /pc /var/www/www.progclub.org/pcwiki/index.php
# apache2ctl graceful
# etckeeper commit "pcwiki web"
Committing to: /etc/
modified apache2/sites-available/default
modified apache2/sites-available/default-ssl
Committed revision 11.
Reloaded a page from the web-site, and everything seems to be working well.
Copied in changes for the mediawiki skin oldskool on my workstation and checked them in to svn. There seems to be a new-line thing going on whereby every file got updated with a different line-feed sequence (I'm guessing \r\n rather than just \n) -- it changed nearly every file, but I just checked it in anyway.
# cd /var/www/www.progclub.org/pcwiki
# svn update
Reloaded a page from the web-site, and everything seems to be in order.
# cd /var/www/www.progclub.org/
# svn co https://www.progclub.org/svn/pcrepo/pcwiki/trunk pcwiki-dev
# cp pcwiki/LocalSettings.php pcwiki-dev/
# cd pcwiki-dev/
# vim LocalSettings.php
(reconfigured style and script path)
# svn update
John 2011-07-27 04:44
Configuring MySQL for (not too) public access
# cd /etc/mysql
# vim my.cnf
Changed from line 52,
#bind-address           = 127.0.0.1
bind-address            = 67.207.128.184
# service mysql restart
mysql start/running, process 2598
# etckeeper commit "Bound MySQL to public IP address"
Committing to: /etc/
modified mysql/my.cnf
Committed revision 7.
# vim /etc/iptables.up.rules
# Allows MySQL connections from John's house
-A INPUT -s <John's IP>/32 -p tcp -m tcp --dport 3306 -j ACCEPT

# Allows MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# iptables -F
# iptables-restore < /etc/iptables.up.rules
# etckeeper commit "Updated firewall rules -- MySQL from John's house"
Committing to: /etc/
modified iptables.up.rules
Committed revision 8.
# mysql -uroot -p
mysql> use mysql;
mysql> select host, user from user;
mysql> create user 'pcwiki'@'<John's house>' identified by '<password>';
mysql> grant all privileges on pcwiki.* to 'pcwiki'@'<John's house>' with grant option;
mysql> flush privileges;
My development version of MediaWiki can now connect to the production database!
John 2011-07-27 04:09
Installing fail2ban
See Fail2ban for information about installing and configuring the program.
# apt-get install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  whois
Suggested packages:
  python-gamin mailx
The following NEW packages will be installed:
  fail2ban whois
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 129kB of archives.
After this operation, 1032kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe fail2ban 0.8.4-1ubuntu1 [96.0kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main whois 5.0.0ubuntu3 [32.6kB]
Fetched 129kB in 1s (123kB/s)
Selecting previously deselected package fail2ban.
(Reading database ... 17493 files and directories currently installed.)
Unpacking fail2ban (from .../fail2ban_0.8.4-1ubuntu1_all.deb) ...
Selecting previously deselected package whois.
Unpacking whois (from .../whois_5.0.0ubuntu3_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up fail2ban (0.8.4-1ubuntu1) ...
Setting up whois (5.0.0ubuntu3) ...
Processing triggers for python-central ...
Committing to: /etc/
added fail2ban
added default/fail2ban
added fail2ban/action.d
added fail2ban/fail2ban.conf
added fail2ban/filter.d
added fail2ban/jail.conf
added fail2ban/action.d/complain.conf
added fail2ban/action.d/dshield.conf
added fail2ban/action.d/hostsdeny.conf
added fail2ban/action.d/ipfilter.conf
added fail2ban/action.d/ipfw.conf
added fail2ban/action.d/iptables-allports.conf
added fail2ban/action.d/iptables-multiport-log.conf
added fail2ban/action.d/iptables-multiport.conf
added fail2ban/action.d/iptables-new.conf
added fail2ban/action.d/iptables.conf
added fail2ban/action.d/mail-buffered.conf
added fail2ban/action.d/mail-whois-lines.conf
added fail2ban/action.d/mail-whois.conf
added fail2ban/action.d/mail.conf
added fail2ban/action.d/mynetwatchman.conf
added fail2ban/action.d/sendmail-buffered.conf
added fail2ban/action.d/sendmail-whois-lines.conf
added fail2ban/action.d/sendmail-whois.conf
added fail2ban/action.d/sendmail.conf
added fail2ban/action.d/shorewall.conf
added fail2ban/filter.d/apache-auth.conf
added fail2ban/filter.d/apache-badbots.conf
added fail2ban/filter.d/apache-nohome.conf
added fail2ban/filter.d/apache-noscript.conf
added fail2ban/filter.d/apache-overflows.conf
added fail2ban/filter.d/common.conf
added fail2ban/filter.d/courierlogin.conf
added fail2ban/filter.d/couriersmtp.conf
added fail2ban/filter.d/cyrus-imap.conf
added fail2ban/filter.d/exim.conf
added fail2ban/filter.d/gssftpd.conf
added fail2ban/filter.d/lighttpd-fastcgi.conf
added fail2ban/filter.d/named-refused.conf
added fail2ban/filter.d/pam-generic.conf
added fail2ban/filter.d/php-url-fopen.conf
added fail2ban/filter.d/postfix.conf
added fail2ban/filter.d/proftpd.conf
added fail2ban/filter.d/pure-ftpd.conf
added fail2ban/filter.d/qmail.conf
added fail2ban/filter.d/sasl.conf
added fail2ban/filter.d/sieve.conf
added fail2ban/filter.d/sshd-ddos.conf
added fail2ban/filter.d/sshd.conf
added fail2ban/filter.d/vsftpd.conf
added fail2ban/filter.d/webmin-auth.conf
added fail2ban/filter.d/wuftpd.conf
added fail2ban/filter.d/xinetd-fail.conf
added init.d/fail2ban
added logrotate.d/fail2ban
added rc0.d/K99fail2ban
added rc1.d/K99fail2ban
added rc2.d/S99fail2ban
added rc3.d/S99fail2ban
added rc4.d/S99fail2ban
added rc5.d/S99fail2ban
added rc6.d/K99fail2ban
Committed revision 6.
# iptables -L
...
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Then I tried dud logins from loki.progsoc.uts.edu.au, and
# iptables -L
...
Chain fail2ban-ssh (1 references)
target     prot opt source                     destination
DROP       all  --  loki.progsoc.uts.edu.au    anywhere
RETURN     all  --  anywhere                   anywhere
Which is what we wanted to see.
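What the fail2ban-ssh chain above is doing, as an added example rather than code from the page or from fail2ban itself: the sshd jail's core logic (count authentication failures per source address, ban any source reaching maxretry by inserting a DROP rule into a dedicated chain) run over a few constructed auth.log lines. It assumes awk(1) and ignores findtime, so it counts over the whole input rather than a sliding time window. SAMPLE_LOG, the function names and the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges, not hosts from the page) are this example's own.

```sh
#!/bin/sh
# Added example for the charity admin page; not fail2ban's own filter or action.
# Assumes awk(1). The log lines below are constructed, not taken from charity.

SAMPLE_LOG='Jul 27 04:10:01 charity sshd[2311]: Invalid user admin from 203.0.113.7
Jul 27 04:10:03 charity sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 27 04:10:06 charity sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 27 04:10:09 charity sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 27 04:10:20 charity sshd[2314]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jul 27 04:11:02 charity sshd[2320]: Failed password for jj5 from 198.51.100.20 port 40112 ssh2
Jul 27 04:11:05 charity sshd[2320]: Accepted password for jj5 from 198.51.100.20 port 40112 ssh2
Jul 27 04:12:40 charity sshd[2330]: Failed publickey for jj5 from 198.51.100.20 port 40200 ssh2
Jul 27 04:12:41 charity sshd[2330]: Connection closed by 198.51.100.20'

# ban_candidates MAXRETRY: read sshd log lines on stdin and print, one per line
# and sorted, every source address with at least MAXRETRY authentication failures.
# Only "Failed password" and "Failed publickey" count; "Invalid user" on its own
# is noise that the following "Failed password" line already covers.
ban_candidates() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed (password|publickey) for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' | sort
}

# ban_rules: turn addresses on stdin into the rule fail2ban'"'"'s iptables action
# inserts at the top of its per-jail chain (the fail2ban-ssh chain on the page).
# The chain is reached from INPUT, so a DROP here wins over the later SSH ACCEPT.
ban_rules() {
    while read -r ip; do
        printf 'iptables -I fail2ban-ssh 1 -s %s -j DROP\n' "$ip"
    done
}

# Usage: the same maxretry=3 default that jail.conf ships with.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 | ban_rules
```

Run as-is it prints one rule, for 203.0.113.7, which is what a real jail would have inserted; 198.51.100.20 has only two failures and one success and is left alone. Lowering maxretry to 2 bans both, which is the trade-off to keep in mind before tightening the jail on a box where legitimate users mistype passwords.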
John 2011-07-27 03:41
Configuring IPTables
See this article for information on configuring IPTables.
# vim /etc/iptables.up.rules
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
# iptables-restore < /etc/iptables.up.rules
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:30000
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
# vim /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
# chmod +x /etc/network/if-pre-up.d/iptables
# etckeeper commit "Configured IPTables"
Committing to: /etc/
added iptables.up.rules
added network/if-pre-up.d/iptables
Committed revision 4.
The commands for modifying IPTables firewall rules are now:
# vim /etc/iptables.up.rules
# /sbin/iptables -F
# /sbin/iptables-restore < /etc/iptables.up.rules
# etckeeper commit "Updated firewall rules"
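An added check for rules files in the format above, written for this page rather than taken from it or from the referenced article: before running iptables-restore, list what the INPUT chain accepts from anywhere, what it accepts only from named sources, and whether the chain still ends in an explicit REJECT or DROP, since that final rule is what makes the file default-deny once the chain policy is left at ACCEPT as it is here. SAMPLE_RULES is a constructed file in the same style as the page's (the addresses in it are the ones the page itself uses), and the function names are this example's own. It assumes awk(1) and the iptables-save line format that iptables-restore reads.

```sh
#!/bin/sh
# Added example for the charity admin page; not the page's own script.
# Assumes awk(1). SAMPLE_RULES is a constructed file in the page's style.

SAMPLE_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -s 67.207.130.204 -j ACCEPT
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT'

# open_from_anywhere: INPUT ACCEPT rules with no source (-s) or interface (-i)
# restriction, printed as proto/port. The conntrack rule is skipped because it
# only admits replies to traffic the host started.
open_from_anywhere() {
    awk '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ && !/-s / && !/-i / && !/--state ESTABLISHED/ {
            proto = "any"; port = "*"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--icmp-type") port = $(i + 1)
            }
            print proto "/" port
        }'
}

# open_from_host: INPUT ACCEPT rules scoped to a source, printed as source=proto/port.
# A line ending in any/* means that host may reach every port on the box.
open_from_host() {
    awk '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ && /-s / {
            src = "?"; proto = "any"; port = "*"
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print src "=" proto "/" port
        }'
}

# default_policy_ok: succeed only if the last INPUT rule is an unconditional REJECT or DROP.
default_policy_ok() {
    awk '
        $1 == "-A" && $2 == "INPUT" { last = $0 }
        END { exit !(last ~ /^-A INPUT -j (REJECT|DROP)$/) }'
}

# Usage: run all three over the sample (or: < /etc/iptables.up.rules).
printf '%s\n' "$SAMPLE_RULES" | open_from_anywhere
printf '%s\n' "$SAMPLE_RULES" | open_from_host
printf '%s\n' "$SAMPLE_RULES" | default_policy_ok && echo "INPUT ends in REJECT/DROP: ok"
```

On the sample this prints tcp/80, tcp/443, tcp/22 and icmp/8 as open to the world, then 67.207.130.204=any/* and 60.240.67.126/32=tcp/3306 as the source-scoped holes. The first of those is the kind of line worth a second look: an all-protocol accept keyed on source address alone trusts whatever arrives with that source, which is exactly what the IPSec policy entries elsewhere on this page are meant to guarantee, so it only makes sense once the SPD requires ESP and AH for that peer.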
John 2011-07-27 03:33
Disabling root SSH login
Per the instructions Disabling Direct Root Login (SSH),
$ sudo -s
# cd /etc/ssh
# vim sshd_config
Changed line 26 to,
PermitRootLogin no
Then,
$ sudo service ssh restart
$ sudo etckeeper commit "Disabled root logins"
John 2011-07-27 03:27
Configuring the system locale
Per the instructions,
$ sudo /usr/sbin/locale-gen en_AU.UTF-8
Generating locales...
  en_AU.UTF-8... done
Generation complete.
$ sudo /usr/sbin/update-locale LANG=en_AU.UTF-8
$ sudo etckeeper commit "Set system locale"
John 2011-07-27 03:20
Configuring jj5's environment
Per the instructions about configuring the Environment, I added,
# JE 2011-07-27 03:16
export EDITOR=/usr/bin/vim
to the end of /home/jj5/.profile
and ran,
$ sudo update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/vim.basic   30        manual mode
  3            /usr/bin/vim.tiny    10        manual mode

Press enter to keep the current choice[*], or type selection number: 2
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/editor (editor) in manual mode.
to configure the visudo editor. (Forgot to commit with etckeeper!)
John 2011-07-27 01:20
Creating a favicon.ico
MediaWiki is configured to use one, web browsers are requesting it, and it's 404ing, so it's best if I put a file there. Used iconj to generate a favicon.ico file, and used WinSCP to copy it to /var/www/www.progclub.org/favicon.ico on Charity.
Was having a problem with the favicon.ico loading in firefox, so I generated a new one with favicon.cc. I don't actually think the favicon.ico file was the problem though. But the change has been made now, and there's no point reverting it, because it's all working.
John 2011-07-27 01:01
Configuring robots.txt
Having some trouble with search engines looking for URLs from the previous domain owners. Going to set up a robots.txt file to try and fix up what I can there. Found 6 methods to control what and how your content appears in search engines to help guide me.
# cd /var/www/www.progclub.org/
# vim robots.txt

User-agent: *
Disallow: /stories/
Disallow: /story/
Disallow: /members/
Disallow: /vehicles/
Will expand on this as other URLs that need addressing become apparent in the logs.
Watching the Apache web-logs
Created /home/jj5/bin/spy to setup a window to watch the web-logs.
#!/bin/bash
sudo tail -f /var/log/apache2/access.log /var/log/apache2/ssl_access.log
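Added example, not part of the charity admin log: a small evaluator for robots.txt rules, useful for checking new Disallow lines against paths pulled from the access log (the spy window above) before deploying them. It follows what well-behaved crawlers do for the "User-agent: *" group: each Disallow value is a path prefix, an empty Disallow allows everything, and consecutive User-agent lines form one group. Two caveats apply to the file itself: robots.txt is advisory and blocks nothing, and it is public, so it is the wrong place to list a path you would rather keep quiet. The sample file is constructed from the rules in the entry above plus one extra group.

```shell
#!/bin/sh
# Added example, not from the charity admin log: evaluate a request path
# against the "User-agent: *" group of a robots.txt the way a well-behaved
# crawler does. Disallow values are path prefixes; an empty Disallow allows
# everything. The sample robots.txt is constructed, not the live file.

disallowed_prefixes() {
    # $1: robots.txt. Prints the Disallow prefixes that apply to "*", one per line.
    # Consecutive User-agent lines form one group; a rule line ends the group.
    awk '
        { sub(/#.*/, "") }                                  # strip comments
        tolower($1) == "user-agent:" {
            if (seen_rule) { in_star = 0; seen_rule = 0 }   # a new group starts
            if ($2 == "*") in_star = 1
            next
        }
        tolower($1) == "disallow:" {
            seen_rule = 1
            if (in_star && $2 != "") print $2               # empty Disallow = allow all
        }
    ' "$1"
}

is_disallowed() {
    # $1: robots.txt; $2: request path. Exit 0 when a "*" prefix matches.
    for prefix in $(disallowed_prefixes "$1"); do
        case "$2" in
            "$prefix"*) return 0 ;;
        esac
    done
    return 1
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/robots.txt" <<'EOF'
# constructed copy of the rules from the entry above, plus a second group
User-agent: *
Disallow: /stories/
Disallow: /story/
Disallow: /members/
Disallow: /vehicles/

User-agent: ExampleBot
Disallow: /
EOF

for path in /stories/2009/old-post.html /storytime /pc/Main_Page; do
    if is_disallowed "$tmpdir/robots.txt" "$path"; then
        echo "$path: disallowed"
    else
        echo "$path: allowed"
    fi
done
```

Note that "/storytime" is allowed: "/story/" is a prefix match including the trailing slash, which is why the rules in the entry above end with one.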
John 2011-07-26 22:25
Adding user key720
# adduser key720
Adding user `key720' ...
Adding new group `key720' (1003) ...
Adding new user `key720' (1003) with group `key720' ...
Creating home directory `/home/key720' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for key720
Enter the new value, or press ENTER for the default
        Full Name []: <name>
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
Also added Key to the wiki.
Tasaio 2011-07-26 21:39
Setting up Etckeeper
$ sudo apt-get install etckeeper
That's really all there is to it. There's an auto-commit every day, an auto-commit whenever you apt-get install something, and you can manually commit your changes using:
$ sudo etckeeper commit "Changed foo to achieve bar"
See the commit log for a file with:
$ sudo bzr log /etc/passwd
This means we should be able to see with reasonable accuracy what changed when, and as long as people commit their changes (and use sudo rather than abusing sudo su or the like), we'll even know who did it. Useful for quickly rolling back silly changes and catching those changes people forget to log on the wiki.
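A wrapper that enforces the "use sudo, not sudo su" point made above, added here as an example and not part of the charity admin log or of etckeeper: it refuses to commit from a root shell where SUDO_USER is unset, and records the invoking account in the commit message so the bzr log shows who made the change. The commit command is a parameter (default "etckeeper commit", which is the real tool) so the logic can be exercised on a machine without etckeeper.

```shell
#!/bin/sh
# Added example, not from the charity admin log: a wrapper around
# "etckeeper commit" that keeps the "who changed what" property the entry
# above relies on. It refuses to commit from a root shell reached via
# "sudo su" or "sudo -s" (SUDO_USER is then unset or stale) and records the
# invoking user in the commit message. The commit tool is a parameter
# (default "etckeeper commit") so the logic can be exercised anywhere.

build_commit_message() {
    # $1: the admin's message; $2: the account the change is attributed to.
    printf '%s: %s\n' "$2" "$1"
}

etc_commit() {
    # $1: commit message (required)
    # $2: user to attribute the change to (defaults to $SUDO_USER)
    # $3: command that performs the commit (defaults to "etckeeper commit")
    msg=$1
    who=${2:-${SUDO_USER:-}}
    tool=${3:-etckeeper commit}
    if [ -z "$msg" ]; then
        echo "etc_commit: a commit message is required" >&2
        return 2
    fi
    if [ -z "$who" ]; then
        echo "etc_commit: SUDO_USER is unset; run this through sudo, not from a root shell" >&2
        return 1
    fi
    # $tool is deliberately unquoted so "etckeeper commit" splits into command and argument
    $tool "$(build_commit_message "$msg" "$who")"
}

# When executed with a message as its argument, commit it, e.g.
#   sudo ./etc-commit.sh "Changed foo to achieve bar"
# which records a commit titled "jj5: Changed foo to achieve bar" when jj5 ran it.
if [ "$#" -gt 0 ]; then
    etc_commit "$1"
fi
```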
John 2011-07-26 09:55
Adding user sanguinev
# adduser sanguinev
Adding user `sanguinev' ...
Adding new group `sanguinev' (1002) ...
Adding new user `sanguinev' (1002) with group `sanguinev' ...
Creating home directory `/home/sanguinev' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for sanguinev
Enter the new value, or press ENTER for the default
        Full Name []: Thomas
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
# gpasswd -a sanguinev sudo
Adding user sanguinev to group sudo
Added a wiki user too.
John 2011-07-26 09:13
Adding user jj5
root@charity:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
        Full Name []: John Elliot
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@charity:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo
That was easy. PuTTY says it works!
Adding user tasaio
root@charity:~# adduser tasaio
Adding user `tasaio' ...
Adding new group `tasaio' (1001) ...
Adding new user `tasaio' (1001) with group `tasaio' ...
Creating home directory `/home/tasaio' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for tasaio
Enter the new value, or press ENTER for the default
        Full Name []: Justin
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@charity:~# gpasswd -a tasaio sudo
Adding user tasaio to group sudo
That was easy too! Will create a wiki user for him too.
John 2011-07-26 08:47
I could be accused of ignorance. When I created my key file for the CSR request I nominated a pass-phrase. This phrase is required to be entered every time you restart Apache. Gah! Until I can figure out a way to fix it I've created a script in /sbin called restart-apache which enters the key's pass-phrase automatically.
# cd /sbin
# vim restart-apache

#!/bin/bash
echo <the pass phrase> | apache2ctl graceful

# chmod u+x restart-apache
# restart-apache
Works swimmingly. Will reboot to see what happens when apache tries to load from a boot.
Apache chokes on boot. Found this article, which suggests,
# cd ~
# cp progclub.key progclub.key.pass-phrase
# openssl rsa -in progclub.key.pass-phrase -out progclub.key
# chmod 400 progclub.*
# reboot
Hopefully Apache comes back up this time... yep!
Will keep the restart-apache script in sbin, but will remove the part that specified the key pass-phrase.
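The entry above ends with an unencrypted key on disk protected only by its file mode, which is the usual trade-off for unattended restarts. Added example, not part of the charity admin log: a check for the two properties that state depends on, whether a PEM key is still pass-phrase protected (an encrypted PEM carries a "Proc-Type: 4,ENCRYPTED" header in the traditional format, or a "BEGIN ENCRYPTED PRIVATE KEY" block in PKCS#8) and whether anyone other than the owner can read it. The sample key files are constructed header-only stand-ins, not the real progclub.key.

```shell
#!/bin/sh
# Added example, not from the charity admin log: check that a web server's
# private key is (a) not pass-phrase protected, so Apache can start at boot,
# and (b) readable only by its owner, so other local users cannot copy it.
# Sample files are constructed header-only stand-ins, not real keys.

key_is_encrypted() {
    # $1: path to a PEM private key; exit 0 if it is pass-phrase protected
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

key_mode_is_private() {
    # $1: path; exit 0 when the group and other permission bits are all clear
    # (mode 0400 or 0600). Parses ls -l, which works on GNU and BSD alike.
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

check_private_key() {
    # $1: path. Prints a verdict and returns 0 only when the key is both
    # unencrypted and owner-only readable.
    status=0
    if key_is_encrypted "$1"; then
        echo "$1: pass-phrase protected; Apache will prompt on every (re)start"
        status=1
    fi
    if ! key_mode_is_private "$1"; then
        echo "$1: readable by group/others; chmod 400 it"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$1: ok"
    return "$status"
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
# constructed stand-in for the key as "openssl genrsa -des3" wrote it
cat > "$tmpdir/with-pass.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(encrypted key material omitted)
-----END RSA PRIVATE KEY-----
EOF
# constructed stand-in for the key after "openssl rsa -in ... -out ..." and chmod 400
cat > "$tmpdir/plain.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----
EOF
chmod 644 "$tmpdir/with-pass.key"
chmod 400 "$tmpdir/plain.key"

check_private_key "$tmpdir/with-pass.key" || true
check_private_key "$tmpdir/plain.key" || true
```

On a real key, `openssl rsa -in progclub.key -check -noout` confirms the file parses without a pass-phrase prompt; the header check above is only a fast offline approximation of that.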
John 2011-07-26 06:20
Getting an HTTPS certificate
Searched for certificate sni cheap, found Go Daddy SSL Certificate. Decided on the Multiple Domains UCC - A$82.93/yr setup, which looks like it will suit us. Picked up to 5 domains for 3 years. It offered me free .mobi registration, so I added progclub.mobi. I then also added progclub.biz and progclub.co, I'm a sucker. Registration information recorded in Blackbrick Account Manager. Setup the nameservers for the new domains to point to ns*.slicehost.net via My Account.
Had to generate a Certificate Signing Request (CSR) per these instructions (for Apache 2.x).
# cd ~
# openssl genrsa -des3 -out progclub.key 2048
# openssl req -new -key progclub.key -out progclub.csr
See Blackbrick Account Manager for full details.
Certificate Type
- Hosting: Third Party Hosting
- Domain Name: www.progclub.org
- Certificate Issuing Organization: Go Daddy
- Subject Alt Names: www.progclub.net www.progclub.mobi www.progclub.info www.progclub.co
You're through!
Your certificate will be issued shortly.
You can monitor the progress of your certificate application by going to the Pending Requests folder and clicking your Common Name. When we are through verifying your application, you will receive an email with further instructions.
Downloaded the progclub.org.zip that was eventually generated, and used WinSCP to copy it to root's home directory on charity. Found info about Installing an SSL Certificate in Apache.
# cd /etc/apache2/sites-available/
# vim default-ssl
Set,
ServerAdmin jj5@jj5.net
DocumentRoot /var/www/www.progclub.org
# cd ~
# ls
progclub.csr  progclub.key  progclub.org.zip
# unzip progclub.org.zip
-bash: unzip: command not found
# apt-get install unzip
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  zip
The following NEW packages will be installed:
  unzip
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 189kB of archives.
After this operation, 406kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main unzip 6.0-1build1 [189kB]
Fetched 189kB in 0s (195kB/s)
Selecting previously deselected package unzip.
(Reading database ... 15343 files and directories currently installed.)
Unpacking unzip (from .../unzip_6.0-1build1_amd64.deb) ...
Processing triggers for man-db ...
Setting up unzip (6.0-1build1) ...
# unzip progclub.org.zip
Archive:  progclub.org.zip
  inflating: gd_bundle.crt
  inflating: progclub.org.crt
# ls
gd_bundle.crt  progclub.csr  progclub.key  progclub.org.crt  progclub.org.zip
# cd /etc/apache2/sites-available/
# vim default-ssl

#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateFile /root/progclub.org.crt
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateKeyFile /root/progclub.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
SSLCertificateChainFile /root/gd_bundle.crt
Saved changes.
# a2ensite default-ssl
# /etc/init.d/apache2 reload
 * Reloading web server config apache2                    [ OK ]
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
# /etc/init.d/apache2 restart
Navigated to https://www.progclub.org/, and it worked!
# cd /etc/apache2/sites-enabled/
# vim 000-default-ssl
Alias /pc /var/www/www.progclub.org/mediawiki-1.17.0/index.php
The secure wiki is now working!
John 2011-07-25 17:53
Installing MediaWiki
Found the MediaWiki download page, which references mediawiki-1.17.0.tar.gz.
# cd /var/www/www.progclub.org/
# wget http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.tar.gz
# ls
index.html  mediawiki-1.17.0.tar.gz  test.php
# tar xzf mediawiki-1.17.0.tar.gz
# ls
index.html  mediawiki-1.17.0  mediawiki-1.17.0.tar.gz  test.php
# rm mediawiki-1.17.0.tar.gz
# cd mediawiki-1.17.0/
# ls
COPYING               bin             languages             redirect.php5
CREDITS               cache           load.php              redirect.phtml
FAQ                   config          load.php5             resources
HISTORY               docs            maintenance           serialized
INSTALL               extensions      math                  skins
README                images          mw-config             thumb.php
RELEASE-NOTES         img_auth.php    opensearch_desc.php   thumb.php5
StartProfiler.sample  img_auth.php5   opensearch_desc.php5  trackback.php
UPGRADE               includes        php5.php5             trackback.php5
api.php               index.php       profileinfo.php       wiki.phtml
api.php5              index.php5      redirect.php
Didn't find a LocalSettings.php, which is what I was expecting, so reading INSTALL.
# less INSTALL
It told me to navigate to the setup page. The setup page complained about a missing LocalSettings.php, so they haven't changed that after all. Clicked on setup the wiki.
Specified,
* Your language: en - English
* Wiki language: en - English
Clicked continue, and among its checks was a complaint:
Could not find a suitable database driver! You need to install a database driver for PHP. The following database types are supported: MySQL, PostgreSQL, Oracle, SQLite.
If you are on shared hosting, ask your hosting provider to install a suitable database driver. If you compiled PHP yourself, reconfigure it with a database client enabled, for example using ./configure --with-mysql. If you installed PHP from a Debian or Ubuntu package, then you also need install the php5-mysql module.
So,
# apt-get install php5-mysql
# apache2ctl graceful
Then reloaded the config page,
The environment has been checked. You can install MediaWiki.
Clicked continue, and got the Connect to database page. Looks like I'm going to need a database user for the wiki, so
# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create user 'pcwiki'@'localhost' identified by '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
Back on the config page:
* Database type: MySQL
* Database host: localhost
* Database name: pcwiki
* Database table prefix: pcwiki__
* Database username: pcwiki
* Database password: <password>
Clicked continue, and got the Database settings page. Specified,
* Database account for web access: Use the same account as for installation
* Storage engine: InnoDB (the default, other choice was MyISAM)
* Database character set: UTF-8 (not the default, the default choice was Binary)
Clicked continue, and got the Name page. Specified,
* Name of wiki: ProgClub
* Project namespace: Same as the wiki name: ProgClub
Configuration for the Administrator account,
* Your name: John
* Password: <password>
* Password again: <password>
* E-mail address: jj5@jj5.net
You are almost done! You can now skip the remaining configuration and install the wiki right now.
Chose Ask me more questions, and got the Options page. Specified,
* User rights profile: Traditional wiki
* Copyright and license: No license footer
* Enable outbound e-mail: true
* Return e-mail address: wiki@progclub.org
* Enable user-to-user e-mail: true
* Enable user talk page notification: true
* Enable watchlist notification: true
* Enable e-mail authentication: true
* Enable file uploads: true
* Directory for deleted files: /var/www/www.progclub.org/mediawiki-1.17.0/images/deleted
* Logo URL: /res/img/logo.png
* Settings for object caching: No caching
Clicked Continue, and got the confirmation page. Clicked Continue again. Got an error because the database user couldn't create the database. Created the database manually,
# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database `pcwiki`;
Query OK, 1 row affected (0.00 sec)

mysql> exit
Bye
Decided it would be easier to let MediaWiki create the database, so went back and specified the database config details to use the root user. I will change this to be the pcwiki user manually after the database has been created.
Setting up database... done
Creating tables... done
Creating database user... done
Populating default interwiki table... done
Initializing statistics... done
Generating secret keys... done
Creating administrator user account... done
Creating main page with default content... done
Clicked continue,
Congratulations! You have successfully installed MediaWiki.
The installer has generated a LocalSettings.php file. It contains all your configuration.
You will need to download it and put it in the base of your wiki installation (the same directory as index.php). The download should have started automatically.
If the download was not offered, or if you cancelled it, you can restart the download by clicking the link below: Download LocalSettings.php
Note: If you do not do this now, this generated configuration file will not be available to you later if you exit the installation without downloading it.
When that has been done, you can enter your wiki.
Downloaded the LocalSettings.php file and copied it to /var/www/www.progclub.org/mediawiki-1.17.0.
Edited LocalSettings.php and changed the database user:
$wgDBuser = "pcwiki";
$wgDBpassword = "<password>";
Also added an article path:
$wgArticlePath = "/pc/$1";
Also need to grant access for pcwiki user:
# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 54
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant all privileges on pcwiki.* to pcwiki@localhost;
Query OK, 0 rows affected (0.11 sec)

mysql> exit
Bye
Then need to edit apache conf file to include the pc alias:
# cd /etc/apache2/sites-enabled/
# vim 000-default
added,
Alias /pc /var/www/www.progclub.org/mediawiki-1.17.0/index.php
then,
# apache2ctl graceful
Also,
# cd /var/www/www.progclub.org/
# mkdir res
# mkdir res/img
Then uploaded a logo.png to there with WinSCP. The logo settings hadn't been properly specified in the generated LocalSettings.php file, so,
# cd /var/www/www.progclub.org/mediawiki-1.17.0/
# vim LocalSettings.php
and changed the logo setting,
$wgLogo = "/res/img/logo.png";
Checked the wiki, and it's all working nicely.
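The install above was run with the MySQL root account and LocalSettings.php was then switched to the pcwiki user by hand, which is easy to forget on a later reinstall. Added example, not part of the charity admin log or of MediaWiki: a check that reads the database settings back out of a LocalSettings.php and flags the two states a later admin should not find, the wiki still connecting as root, and the file, which holds $wgDBpassword in clear text, being world-readable. The sample LocalSettings.php files are constructed here, not copied from the wiki.

```shell
#!/bin/sh
# Added example, not from the charity admin log: read MediaWiki's database
# settings out of LocalSettings.php and flag a root DB user or a
# world-readable file. The sample files below are constructed.

localsettings_value() {
    # $1: LocalSettings.php; $2: variable name without "$", e.g. wgDBuser.
    # Prints the string assigned by the LAST `$name = "value";` or
    # `$name = 'value';` line, since in PHP a later assignment overrides an earlier one.
    sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*[\"']\\([^\"']*\\)[\"'][[:space:]]*;.*/\\1/p" "$1" | tail -n 1
}

check_db_settings() {
    # $1: LocalSettings.php. Returns 0 only when the DB account is a
    # per-application user (not root) and "other" cannot read the file.
    status=0
    user=$(localsettings_value "$1" wgDBuser)
    if [ -z "$user" ]; then
        echo "$1: no \$wgDBuser assignment found"
        status=1
    elif [ "$user" = root ]; then
        echo "$1: wiki connects to MySQL as root; switch it to a per-application account"
        status=1
    fi
    # characters 8-10 of the ls -l mode string are the "other" bits
    if [ "$(ls -l "$1" | cut -c8-10)" != "---" ]; then
        echo "$1: world-readable but contains \$wgDBpassword; chmod 640 and let the web server's group read it"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$1: ok"
    return "$status"
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
# constructed: as the installer generated it, root credentials and default file mode
cat > "$tmpdir/LocalSettings.installed.php" <<'EOF'
<?php
$wgDBtype = "mysql";
$wgDBserver = "localhost";
$wgDBname = "pcwiki";
$wgDBuser = "root";
$wgDBpassword = "<password>";
EOF
chmod 644 "$tmpdir/LocalSettings.installed.php"
# constructed: after the hand edits from the entry above, plus a tightened file mode
cat > "$tmpdir/LocalSettings.php" <<'EOF'
<?php
$wgDBtype = "mysql";
$wgDBserver = "localhost";
$wgDBname = "pcwiki";
$wgDBuser = "root";
$wgDBuser = "pcwiki";
$wgDBpassword = "<password>";
$wgArticlePath = "/pc/$1";
EOF
chmod 640 "$tmpdir/LocalSettings.php"

check_db_settings "$tmpdir/LocalSettings.installed.php" || true
check_db_settings "$tmpdir/LocalSettings.php" || true
```

The "grant all privileges on pcwiki.*" step above is the other half of the same idea: the pcwiki account is scoped to one database, so a problem in the wiki cannot reach anything else on the MySQL server.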
John 2011-07-25 17:12
Preparing WWW hosting
# cd /var/www
# mkdir www.progclub.org
# mv index.html test.php www.progclub.org/
# ls
# cd www.progclub.org/
# ls
index.html  test.php
Everything is in order.
# cd /etc/apache2/sites-enabled/
# ls
000-default
# vim 000-default
Specified ServerAdmin,
ServerAdmin jj5@progclub.org
Changed document root,
DocumentRoot /var/www/www.progclub.org/
Changed the <Directory /var/www/> section to,
<Directory /var/www/www.progclub.org/>
Saved changes and quit vim. Restarted apache,
# apache2ctl graceful
Apache complained,
apache2: Could not reliably determine the server's fully qualified domain name, using charity.progclub.org for ServerName
Searched for "apache2: Could not reliably determine the server's fully qualified domain name, using " and found an answer.
Ran,
# hostname charity.progclub.org
which I guess is a better way to set the hostname than editing /etc/hostname like I did. :P
Ran,
# apache2ctl graceful
again, and got the same error,
apache2: Could not reliably determine the server's fully qualified domain name, using charity.progclub.org for ServerName
Tried a reboot to see if the hostname is updated after that,
# reboot
Still having problems with,
# apache2ctl graceful
So read more of the answer, and then,
# hostname charity
# vim /etc/hosts
Specified the file contents as
127.0.0.1       localhost localhost.localdomain
67.207.128.184  charity charity.progclub.org
Then rebooted,
# reboot
Ran hostname and got,
# hostname
charity.progclub.org
So edited /etc/hostname and specified
charity
Rebooted,
# reboot
Searched for "/etc/hostname", and found an answer. Short name goes in /etc/hostname, so we should be configured correctly now. Apache is still complaining though,
# apache2ctl graceful
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
and it's using the IP address rather than charity.progclub.org now. Will manually specify ServerName in /etc/apache2/sites-enabled/000-default
# cd /etc/apache2/sites-enabled/
# vim 000-default
Added,
ServerName charity.progclub.org
Ran,
# apache2ctl graceful
again, and got the same friggin' error! More web-searching... found a different answer, tried editing /etc/hosts to put the names the other way around,
# vim /etc/hosts
127.0.0.1       localhost.localdomain localhost
67.207.128.184  charity.progclub.org charity
Rebooted,
# reboot
Tried apache2ctl again,
# apache2ctl graceful
And got no error! Yay!
Checked
* www.progclub.org
and found everything to be working. Web hosting is now configured.
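Why the last /etc/hosts layout above worked and the earlier one did not, as an added example that is not part of the charity admin log: `hostname -f` (and Apache's ServerName guess) resolves the short host name through /etc/hosts and takes the first name on the matching line as the canonical name; everything after it is an alias. With "67.207.128.184 charity charity.progclub.org" the canonical name is the bare "charity", which has no dot and so is not a fully qualified domain name. The script reproduces that lookup on constructed copies of both layouts (the IP address is the one in the entry above).

```shell
#!/bin/sh
# Added example, not from the charity admin log: reproduce the /etc/hosts
# lookup behind Apache's "Could not reliably determine the server's fully
# qualified domain name" warning. The resolver takes the FIRST name on the
# matching hosts line as canonical; later names are aliases. Both hosts
# files below are constructed copies of the layouts tried in the entry above.

canonical_name() {
    # $1: hosts file; $2: the name to look up (as gethostbyname would).
    # Prints the first name on the first non-comment line that lists $2.
    awk -v want="$2" '
        { sub(/#.*/, "") }                       # strip comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print $2; exit }
        }' "$1"
}

is_fqdn() {
    # $1: a host name; exit 0 when it contains a dot, which is what Apache wants
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

fqdn_check() {
    # $1: hosts file; $2: short host name (the contents of /etc/hostname).
    # Prints the canonical name and returns 0 only if it is fully qualified.
    name=$(canonical_name "$1" "$2")
    if [ -z "$name" ]; then
        echo "$2: not listed in $1; resolution would fall back to DNS"
        return 1
    fi
    if is_fqdn "$name"; then
        echo "$2 -> $name (fully qualified)"
    else
        echo "$2 -> $name (not fully qualified: put the FQDN first on the line)"
        return 1
    fi
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
# layout that left Apache guessing: short name listed first
printf '127.0.0.1 localhost localhost.localdomain\n67.207.128.184 charity charity.progclub.org\n' > "$tmpdir/hosts.bad"
# layout that fixed it: FQDN first, short name as an alias
printf '127.0.0.1 localhost.localdomain localhost\n67.207.128.184 charity.progclub.org charity\n' > "$tmpdir/hosts.good"

fqdn_check "$tmpdir/hosts.bad" charity || true
fqdn_check "$tmpdir/hosts.good" charity || true
```

This also explains the detour through /etc/hostname in the entry: the short name belongs there, and the FQDN is derived from /etc/hosts, so the file order is what matters.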
John 2011-07-25 17:11
PHP software installation
I created a test.php file at /var/www/test.php to see if PHP was working out-of-the-box. I navigated to test.php to check, and it tried to download the PHP file, so I guess PHP isn't installed.
The test.php file I used was,
<? phpinfo(); ?>
Searched for PHP installation candidate,
# apt-cache search php5 | less
Found php5, which looks promising.
# apt-get install php5
The following extra packages will be installed:
  apache2-mpm-prefork libapache2-mod-php5 php5-common
Suggested packages:
  php-pear php5-suhosin
The following packages will be REMOVED:
  apache2-mpm-worker
The following NEW packages will be installed:
  apache2-mpm-prefork libapache2-mod-php5 php5 php5-common
0 upgraded, 4 newly installed, 1 to remove and 0 not upgraded.
Need to get 3544kB of archives.
After this operation, 9568kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main apache2-mpm-prefork 2.2.14-5ubuntu8.4 [2420B]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-common 5.3.2-1ubuntu4.9 [551kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libapache2-mod-php5 5.3.2-1ubuntu4.9 [2990kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5 5.3.2-1ubuntu4.9 [1112B]
Fetched 3544kB in 1s (1913kB/s)
dpkg: apache2-mpm-worker: dependency problems, but removing anyway as you requested:
 apache2 depends on apache2-mpm-worker (= 2.2.14-5ubuntu8.4) | apache2-mpm-prefork (= 2.2.14-5ubuntu8.4) | apache2-mpm-event (= 2.2.14-5ubuntu8.4) | apache2-mpm-itk (= 2.2.14-5ubuntu8.4); however:
  Package apache2-mpm-worker is to be removed.
  Package apache2-mpm-prefork is not installed.
  Package apache2-mpm-event is not installed.
  Package apache2-mpm-itk is not installed.
(Reading database ... 15291 files and directories currently installed.)
Removing apache2-mpm-worker ...
 * Stopping web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
 ... waiting .                                             [ OK ]
Selecting previously deselected package apache2-mpm-prefork.
(Reading database ... 15283 files and directories currently installed.)
Unpacking apache2-mpm-prefork (from .../apache2-mpm-prefork_2.2.14-5ubuntu8.4_amd64.deb) ...
Selecting previously deselected package php5-common.
Unpacking php5-common (from .../php5-common_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package libapache2-mod-php5.
Unpacking libapache2-mod-php5 (from .../libapache2-mod-php5_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package php5.
Unpacking php5 (from .../php5_5.3.2-1ubuntu4.9_all.deb) ...
Setting up apache2-mpm-prefork (2.2.14-5ubuntu8.4) ...
 * Starting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
                                                           [ OK ]
Setting up php5-common (5.3.2-1ubuntu4.9) ...
Setting up libapache2-mod-php5 (5.3.2-1ubuntu4.9) ...

Creating config file /etc/php5/apache2/php.ini with new version
 * Reloading web server config apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
                                                           [ OK ]
Setting up php5 (5.3.2-1ubuntu4.9) ...
Noticed the complaining about the server's fully qualified domain name, so
# vim /etc/hostname
and changed from
charity
to
charity.progclub.org
Then I rebooted,
# reboot
Logged in again and checked the hostname,
# hostname
which was correctly reported as,
charity.progclub.org
Then I navigated to the test.php page, and got back the phpinfo().
John 2011-07-25 16:40
Apache and MySQL software installation
Searched for MySQL software,
# apt-cache search mysql | less
Found mysql-server, which looks like a good candidate.
Searched for Apache software,
# apt-cache search apache2 | less
Found apache2, which looks like a good candidate.
# apt-get install apache2 mysql-server
The following extra packages will be installed:
  apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl libdbi-perl libexpat1
  libhtml-template-perl libmysqlclient16 libnet-daemon-perl libplrpc-perl mysql-client-5.1
  mysql-client-core-5.1 mysql-common mysql-server-5.1 mysql-server-core-5.1 psmisc ssl-cert
Suggested packages:
  www-browser apache2-doc apache2-suexec apache2-suexec-custom ufw dbishell
  libipc-sharedcache-perl tinyca mailx
The following NEW packages will be installed:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl libdbi-perl libexpat1
  libhtml-template-perl libmysqlclient16 libnet-daemon-perl libplrpc-perl mysql-client-5.1
  mysql-client-core-5.1 mysql-common mysql-server mysql-server-5.1 mysql-server-core-5.1 psmisc
  ssl-cert
Configuring mysql-server-5.1
Dpkg showed a configuration screen for configuring the root password. I set one.
Apache and MySQL software installation, continued
I rebooted after installing the above software,
# reboot
I checked the Apache installation by navigating to www.progclub.org and It Works!
John 2011-07-25 16:34
SSH'ed in as root and ran:
# apt-get update
# apt-get dist-upgrade
# reboot
John 2011-07-25 16:00
Had to stuff around with resetting the root password on charity, but remote logins via SSH are working now for root.
John 2011-07-25 15:52
Configured the name server with progclub.org, progclub.net and progclub.info DNS zones on slicehost. The SliceManager should be used to maintain the DNS records for progclub.