FrBrGeorge/StudentServer/Deployment

�� -- ��

��

Apache +mod_php
ldap-account-manager
- http://@@@@@/lam -> LAM configuration -> Edit general settings -> Change master password (�� -- lam)
- http://@@@@@/lam -> LAM configuration -> Edit server profiles -> Manage server profiles
  - �� Profile name = lam, Profile password, Reenter profile password � (��) Master password; �� "OK"
- http://@@@@@/lam -> LAM configuration -> Edit server profiles -> OK (� ��)
  - Server address = ldap://192.0.2.100:389
  - Tree suffix = dc=math,dc=mpgu
  - Edit account types -> �� dc=my-domain,dc=com �� dc=math,dc=mpgu
  - Password hash type = BLOWFISH
  - Security settings = Fixed list � cn=adm,dc=math,dc=mpgu
    - �� : LDAP Search � dc=math,dc=mpgu
    - �� Fixed list
  - ��, �� . �.
  - �� LAM ��
$/!\$ �� iptables � proxyarp ��
$/!\$ phpMyAdmin

�� (�� , �� )

# cp -rp /etc/openssh/authorized_keys /var/lib/vz/private/@@@/etc/openssh/
# vzctl exec @@@ service sshd restart
# vzctl exec @@@ sed -i '"/HOSTNAME=localhost.localdomain/s/HOSTNAME=localhost.localdomain/HOSTNAME=@@@@@@.localdomain/"' /etc/sysconfig/network

��, �� ftp-��:

# vzctl exec @@@ sed -i '"/#rpm \[alt\] ftp/s/^#//"' /etc/apt/sources.list.d/alt.list
# vzctl exec @@@ apt-get update

echo "192.0.2.@@@ @@@@@@@.localdomain @@@@@@@" >> /etc/hosts
�� .??* � �� /root
```
# cat .bash_profile 
export PS1='\h# '
test -r ~/.bashrc && . ~/.bashrc
```

�� LDAP-��

�� /etc/openldap/slapd.conf:
- :%s/dc=example, *dc=com/dc=math,dc=mpgu/g
- :g/samba3/s/^#//

�� LDAP (-rw-r----- 2 root ldap 4065 Jul 19 10:03 slapd-hdb-math.conf ):

--- /etc/openldap/slapd-hdb-db01.conf   2009-05-19 03:26:01 +0400
+++ /etc/openldap/slapd-hdb-math.conf   2009-07-20 15:23:17 +0400
@@ -12 +12 @@
-suffix "dc=example,dc=com"
+suffix "dc=math,dc=mpgu"
@@ -19 +19 @@
-rootdn "cn=admin,dc=example,dc=com"
+rootdn "cn=adm,dc=math,dc=mpgu"
@@ -24 +24 @@
-rootpw secret
+rootpw {SSHA}cEdegLShioJ6y5U63as/RbIsbHXBqkNk
@@ -45 +45 @@
-directory /var/lib/ldap/bases/example.com
+directory /var/lib/ldap/bases/math.edu
@@ -119 +119 @@
-access to attrs=userPassword
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
@@ -121,2 +121,5 @@
-        by anonymous auth
-        by * none
+        by * auth
+
+access to *
+       by self write
+       by * read

�� rootpw �� slappasswd

�� , �� LAM

�� LDAP-��

��: openssh-server openssh-clients openldap-clients nss-ldapd pam_ldap � etcskel (sshd � nslcd ��)

--- /etc/openldap/ldap.conf~    2009-05-19 03:31:25 +0400
+++ /etc/openldap/ldap.conf     2009-07-19 14:48:39 +0400
@@ -8,2 +8,2 @@
-#BASE  dc=example, dc=com
-#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666
+BASE   dc=math, dc=mpgu
+URI    ldap://192.0.2.100

��: ldapsearch -x -W -D "cn=adm,dc=math,dc=mpgu"

--- /etc/nss-ldapd.conf~        2009-04-20 14:29:04 +0400
+++ /etc/nss-ldapd.conf 2009-07-19 15:21:44 +0400
@@ -14 +14 @@
-uri ldap://127.0.0.1/
+uri ldap://192.0.2.100/
@@ -21 +21 @@
-base dc=example,dc=net
+base dc=math,dc=mpgu

� /etc/nsswitch.conf �� ldap � �� passwd, shadow � group, �� files (��, �� nisplus nis):
```
# sed -i '/nisplus nis/s/nisplus nis/ldap/g' /etc/nsswitch.conf 
```
��: getent passwd (�� )

�� SSH � �� , �� system_auth � PAM: control system-auth ldap,

--- /etc/pam_ldap.conf~ 2007-12-14 01:54:13 +0300
+++ /etc/pam_ldap.conf  2009-07-19 17:14:21 +0400
@@ -15 +15 @@
-host 127.0.0.1
+host 192.0.2.100
@@ -18 +18 @@
-base dc=example,dc=com
+base dc=math,dc=mpgu

FTP

�� , �� LDAP �� PAM, �� mod_ldap, �� -�� ssh.

��: anonftp, cert-sh-functions, proftpd-mod_tls, proftpd-control (�� control proftpd standalone � cert-sh generate sandbox.localdomain)

--- /etc/proftpd.conf.orig      2009-07-19 18:58:10 +0400
+++ /etc/proftpd.conf   2009-07-19 19:59:55 +0400
@@ -10,6 +10,7 @@
 # Use pam to authenticate (default) and be authoritative
 # AuthPAMConfig                        proftpd
 AuthOrder                      mod_auth_pam.c* mod_auth_unix.c
+LoadModule                     mod_tls.c
 
 # Do not perform ident nor DNS lookups (hangs when the port is filtered)
 IdentLookups                   off
@@ -50,7 +51,7 @@
 
 # To cause every FTP user to be "jailed" (chrooted) into their home
 # directory, uncomment this line.
-#DefaultRoot ~
+DefaultRoot ~
 
 # Required by LDAP NIS etc
 PersistentPasswd        off
@@ -80,15 +81,15 @@
 #</IfModule>
 # TLS
 # Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
-#TLSEngine                     on
-#TLSRequired                   on
-#TLSRSACertificateFile         /var/lib/ssl/certs/proftpd.pem
-#TLSRSACertificateKeyFile      /var/lib/ssl/certs/proftpd.pem
+TLSEngine                      on
+TLSRequired                    on
+TLSRSACertificateFile /var/lib/ssl/private/sandbox.localdomain.pem
+TLSRSACertificateKeyFile /var/lib/ssl/private/sandbox.localdomain.key
 #TLSCipherSuite                        ALL:!ADH:!DES
-#TLSOptions                    NoCertRequest
+TLSOptions                     AllowPerUser
 #TLSVerifyClient               off
 ##TLSRenegotiate               ctrl 3600 data 512000 required off timeout 300
-#TLSLog                                /var/log/proftpd/tls.log
+TLSLog                         /var/log/proftpd/tls.log
 
 # SQL authentication Dynamic Shared Object (DSO) loading
 # See README.DSO and howto/DSO.html for more details.
@@ -106,8 +107,6 @@
 #CharsetLocal KOI8R
 #CharsetRemote WINDOWS-1251
 
-
-
 # A basic anonymous configuration, with an upload directory.
 #<Anonymous ~ftp>
 #  User                                ftp
@@ -182,6 +181,7 @@
   # in each newly chdired directory.
   DisplayLogin                 welcome.msg
   DisplayChdir                 .message
+  TLSRequired                  off
 
   # Limit WRITE everywhere in the anonymous chroot
   <Limit WRITE>
@@ -189,8 +189,8 @@
   </Limit>
  
   # Limit LOGIN for anonymous login
-  <Limit LOGIN>
-    DenyAll
-  </Limit>
+  #<Limit LOGIN>
+  #  DenyAll
+  #</Limit>
  
 </Anonymous>

SAMBA

��: samba

--- /etc/samba/smb.conf.orig    2009-07-20 15:15:38 +0400
+++ /etc/samba/smb.conf 2009-07-20 15:47:11 +0400
@@ -47,3 +47,3 @@
 # workgroup = NT-Domain-Name or Workgroup-Name
-   workgroup = ALTDOMAIN
+   workgroup = STUD
 
@@ -71,3 +71,3 @@
 # bsd, sysv, plp, lprng, aix, hpux, qnx, cups
-   printing = cups
+;   printing = cups
 
@@ -156,2 +156,3 @@
 ;   include = /etc/samba/smb.conf.%m
+include = /etc/samba/smb.conf.ldap

# cat /etc/samba/smb.conf.ldap   
        unix password sync = no
        ldap passwd sync = yes
        passdb backend = ldapsam:ldap://192.0.2.100/
        ldap suffix = dc=math,dc=mpgu
        ldap admin dn = cn=adm,dc=math,dc=mpgu
        ldap group suffix = ou=Group
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers

SAMBA � �� , �� ACL-� ��, �� /etc/samba/secrets.tdb �� :
```
# smbpasswd -w ?rootdn_password?
```

Apache + PHP

��: apache2, apache2-mod_php5, php5-mysql, php5-mbstring, ��-�� ?

��~?��? == ~/public_html:

# a2enmod userdir
# a2enextra userdir_default
# control apache2-mod_php5 relaxed
# chkconfig httpd2 on

FrBrGeorge/StudentServer/Deployment

������������ ������ � ���� -- �������������

�� �������

�� LDAP-����������

�� ����������� � LDAP-���������

FTP

SAMBA

Apache + PHP

�� -- ��

��

�� LDAP-��

�� LDAP-��