Admin's Guide 2.X.X

PrivCore is a set of tightly integrated standard components, so this guide does not duplicate the documentation of those components. Instead, it describes only the configuration details that differ from the defaults of the Debian packages.

OpenSSL

PrivCore creates its own self-signed CA certificate and uses it to sign the server and client certificates it needs:

  • /etc/ssl/CA – directory containing local CA certs and configuration files
  • /etc/ssl/CA/private/ca_key.pem – local CA private key
  • /etc/ssl/certs/ca_cert.pem – local CA certificate
  • /etc/ssl/private/$(hostname -f)_key.pem – local machine’s private key
  • /etc/ssl/certs/$(hostname -f)_cert.pem – local machine’s certificate

CRL and CA files are also available through HTTP:

  • http://$(hostname -f)/ca_cert.der
  • http://$(hostname -f)/ca_crl.pem

Certificate preview, e.g.:

$ openssl x509 -noout -text -in /etc/ssl/certs/$(hostname -f)_cert.pem | less

Certificate verification against the local CA with CRL checking, e.g. (the <( ... ) process substitution needs bash; under plain sh, concatenate the CA certificate and the CRL into one bundle file and pass that to -CAfile):

$ openssl verify -CAfile <( cat /etc/ssl/certs/ca_cert.pem /etc/ssl/CA/certs/ca_crl.pem ) \
    -crl_check /etc/ssl/certs/$(hostname -f)_cert.pem
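To see what that verification actually exercises, here is an added example (not part of PrivCore) that builds a throwaway CA in a temporary directory, issues a host certificate, and runs openssl verify -crl_check three times: before any CRL exists, with an empty CRL, and after the certificate has been revoked. The names Example Local CA and host.example.test and the directory layout are invented for the demo, and the CA certificate and CRL are written to one bundle file rather than through bash's <( ... ), so the script runs under plain sh:

```shell
#!/bin/sh
# Added example, not PrivCore's own scripts: build a throwaway CA in a temporary
# directory, issue a host certificate, and watch `openssl verify -crl_check`
# change its verdict as a CRL is published and the certificate is revoked.
# "Example Local CA" and host.example.test are invented names for this demo.
set -eu

# Create a minimal `openssl ca` layout and configuration in $1 and generate the
# self-signed CA (the counterpart of /etc/ssl/CA on a PrivCore host).
init_ca() {
  ca=$1
  mkdir -p "$ca/newcerts" "$ca/private"
  : > "$ca/index.txt"
  echo 1000 > "$ca/serial"; echo 1000 > "$ca/crlnumber"
  cat > "$ca/ca.cnf" <<'EOF'
[ ca ]
default_ca         = local_ca
[ local_ca ]
dir                = .
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = $dir/ca_cert.pem
private_key        = $dir/private/ca_key.pem
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
extendedKeyUsage   = serverAuth
EOF
  ( cd "$ca" && openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -config ca.cnf -extensions v3_ca -subj "/CN=Example Local CA" \
      -keyout private/ca_key.pem -out ca_cert.pem 2>/dev/null )
}

# Key, CSR and CA-signed certificate for the host (host_key.pem / host_cert.pem).
issue_host_cert() {
  ( cd "$1" \
    && openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
         -subj "/CN=host.example.test" -keyout host_key.pem -out host.csr 2>/dev/null \
    && openssl ca -batch -notext -config ca.cnf -extensions v3_server \
         -in host.csr -out host_cert.pem 2>/dev/null )
}

# Publish the CRL and build the bundle (CA cert + CRL) that -CAfile must see.
publish_crl() {
  ( cd "$1" && openssl ca -config ca.cnf -gencrl -out ca_crl.pem 2>/dev/null \
    && cat ca_cert.pem ca_crl.pem > trust_bundle.pem )
}

revoke_host_cert() {
  ( cd "$1" && openssl ca -config ca.cnf -revoke host_cert.pem 2>/dev/null )
}

# cert_verdict DIR TRUSTFILE: "valid", "revoked", "no_crl" (CRL checking asked
# for but no CRL available) or "error" for host_cert.pem in DIR.
cert_verdict() {
  if out=$(cd "$1" && openssl verify -crl_check -CAfile "$2" host_cert.pem 2>&1); then
    echo valid; return 0
  fi
  case $out in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no_crl ;;
    *)                                 echo error ;;
  esac
}

# Full scenario; prints the three verdicts on one line: "no_crl valid revoked".
run_scenario() {
  work=$(mktemp -d)
  init_ca "$work"
  issue_host_cert "$work"
  v1=$(cert_verdict "$work" ca_cert.pem)       # -crl_check with no CRL at hand
  publish_crl "$work"
  v2=$(cert_verdict "$work" trust_bundle.pem)  # empty CRL: certificate is good
  revoke_host_cert "$work"
  publish_crl "$work"
  v3=$(cert_verdict "$work" trust_bundle.pem)  # fresh CRL lists the certificate
  rm -rf "$work"
  echo "$v1 $v2 $v3"
}

run_scenario
```

The first verdict is the check a practitioner most often forgets: with -crl_check, a missing or unreadable CRL is a hard failure ("unable to get certificate CRL"), not a silent pass, so the CRL must be in the -CAfile bundle, exactly as the page's command does it. On a PrivCore host the same three-way check can be run against /etc/ssl/certs/ca_cert.pem, the CRL, and the machine certificate.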

OpenLDAP

OpenLDAP is PrivCore's heart: virtually every other service is integrated with it, including your Linux system users and groups. The most convenient way to manage OpenLDAP objects is phpLdapAdmin (available at https://yourserver/ldapadmin/ ). The default PrivCore LDAP tree includes the following objects:

  • cn=admins, ou=groups – users who can manage LDAP objects
  • cn=ssh, ou=groups – users who can login to system via ssh
  • cn=users, ou=groups – collective group for all users
  • ou=users – organization unit where you can create new users
  • uid=readonly, ou=users – user for various system services to read LDAP data

When you log in, use the value of the uid attribute as the username; phpLdapAdmin labels it "User Name". When setting a password in phpLdapAdmin, also switch the password scheme to a hashed one, i.e. ssha (salted SHA-1: it keeps clear-text passwords out of the directory, but it has no work factor, so it is a baseline rather than a strong choice).
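The following added example (not PrivCore's own tooling) shows what the ssha scheme actually stores: it builds a {SSHA} userPassword value, checks a password against one the way the directory does, and emits an LDIF for a new entry under ou=users whose "User Name" is the uid. The base DN dc=privcore,dc=local, the inetOrgPerson object class and the attribute set are assumptions for the demo; PrivCore's real values can be read off an existing user in phpLdapAdmin:

```shell
#!/bin/sh
# Added example, not PrivCore's own tooling: build the {SSHA} value that the
# "ssha" password scheme stores, verify a password against one, and emit the
# LDIF for a new entry under ou=users. The base DN, object class and attribute
# set are assumptions for this demo; copy them from an existing user in
# phpLdapAdmin before importing anything.
set -eu

BASE_DN="dc=privcore,dc=local"   # assumption

# ssha_hash PASSWORD SALT : "{SSHA}" + base64( SHA1(password || salt) || salt ).
# SSHA is salted SHA-1 with no work factor; it beats clear text, nothing more.
ssha_hash() {
  pw=$1; salt=$2
  b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } \
         | openssl base64 -A )
  printf '{SSHA}%s\n' "$b64"
}

# ssha_verify STORED PASSWORD : exit 0 on match. The salt is whatever follows
# the 20-byte digest, so binary salts from a real directory work as well; the
# binary data stays inside pipes and never lands in a shell variable.
ssha_verify() {
  b64=$(printf '%s' "$1" | sed 's/^{SSHA}//')
  stored=$(printf '%s' "$b64" | openssl base64 -d -A | head -c 20 | openssl base64 -A)
  fresh=$( { printf '%s' "$2"; printf '%s' "$b64" | openssl base64 -d -A | tail -c +21; } \
           | openssl dgst -sha1 -binary | openssl base64 -A )
  [ "$stored" = "$fresh" ]
}

# user_ldif UID CN SN MAIL PASSWORD : LDIF for a user whose login name is uid.
# inetOrgPerson alone is an assumption; PrivCore's own users may carry more classes.
user_ldif() {
  cat <<EOF
dn: uid=$1,ou=users,$BASE_DN
objectClass: inetOrgPerson
uid: $1
cn: $2
sn: $3
mail: $4
userPassword: $(ssha_hash "$5" "$(openssl rand -hex 4)")
EOF
}

# Stand-alone demo. Importing would be: user_ldif ... | ldapadd -x -W -D <admin DN>
# (the admin DN is whatever your directory uses; the import is not run here).
h=$(ssha_hash 'S3cret!' "$(openssl rand -hex 4)")
echo "$h"
ssha_verify "$h" 'S3cret!' && echo "password verifies"
user_ldif jdoe "Jane Doe" Doe jdoe@privcore.local 'S3cret!'
```

Because the salt is appended in clear, anyone who can read userPassword can mount an offline guess per entry; that is why read access to that attribute should stay restricted to the directory itself, even with ssha in place.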

Bind (DNS)

Unlike most services, the bind daemon does not use LDAP at all. The bind9-dyndb-ldap package, which appeared in Debian 9, would make that possible, so LDAP-backed zones may become available in a future PrivCore release.

Why is it needed?

  • it serves as a DNS cache
  • based on your hostname and local IP, PrivCore creates a local DNS zone for your local network
  • you can add any other zones here, including Internet ones


Apache (HTTP/HTTPS)

Default configuration, with minor changes such as:

  • redirecting to HTTPS for key services
  • support for the default PrivCore services and the change-password script


Exim (SMTP)

The Exim configuration is by far the most complicated and too extensive to cover here, so we describe only the few settings you can control via LDAP. First, Exim reads the following user attributes:

  • mail (Email in phpLdapAdmin) – the user's primary email address
  • mailLocalAddress – an additional email alias; the attribute can be added more than once to a given user

Besides that, under "ou=SMTP Groups,ou=groups" you can define email distribution groups. In the following example we created the group all@privcore.local. Email sent to that address is delivered to every address stored in its rfc822MailMember attributes, in this case to privcore@privcore.local:

[screenshot: smtp_group]
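As an added example (not PrivCore's own configuration), the script below writes the LDIF for such a distribution group under "ou=SMTP Groups,ou=groups" and shows how a multi-valued rfc822MailMember fans out to recipients, using a small LDIF reader standing in for the lookup Exim performs. The base DN dc=privcore,dc=local, using the address itself as cn, and the nisMailAlias object class are assumptions; compare with an existing group in phpLdapAdmin before importing anything:

```shell
#!/bin/sh
# Added example, not PrivCore's own configuration: emit the LDIF for a
# distribution group under "ou=SMTP Groups,ou=groups" and show how its
# rfc822MailMember values fan out to recipients. The base DN, using the address
# as cn and the nisMailAlias object class are assumptions; compare with an
# existing group in phpLdapAdmin before importing.
set -eu

BASE_DN="dc=privcore,dc=local"   # assumption

# group_ldif ADDRESS MEMBER... : one rfc822MailMember line per recipient.
group_ldif() {
  addr=$1; shift
  printf 'dn: cn=%s,ou=SMTP Groups,ou=groups,%s\n' "$addr" "$BASE_DN"
  printf 'objectClass: nisMailAlias\n'
  printf 'cn: %s\n' "$addr"
  for m in "$@"; do printf 'rfc822MailMember: %s\n' "$m"; done
}

# expand_group ADDRESS : read blank-line separated LDIF entries on stdin (as
# written above or as printed by `ldapsearch -LLL`) and print the recipients
# that mail for ADDRESS fans out to. Attribute order inside an entry is irrelevant.
expand_group() {
  awk -v want="$1" 'BEGIN { RS = ""; FS = "\n" }
  {
    hit = 0; n = 0
    for (i = 1; i <= NF; i++) {
      if ($i == ("cn: " want)) hit = 1
      if (index($i, "rfc822MailMember: ") == 1) members[++n] = substr($i, 19)
    }
    if (hit) for (i = 1; i <= n; i++) print members[i]
  }'
}

# Two constructed groups for the stand-alone demo.
demo_ldif() {
  group_ldif all@privcore.local privcore@privcore.local
  echo
  group_ldif ops@privcore.local alice@privcore.local bob@privcore.local
}

demo_ldif
echo "--- ops@privcore.local expands to:"
demo_ldif | expand_group ops@privcore.local
```

On a PrivCore host the authoritative check is Exim's own address-testing mode, exim4 -bt all@privcore.local, which reports how the address actually routes; the awk reader above only illustrates the fan-out and does not recurse into groups nested inside groups.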

Dovecot (IMAP)

Dovecot holds all your email and stores it on disk under /var/lib/dovecot/maildirs. You can test whether it operates correctly with a session similar to this one (replace username and pass with a real account; LOGIN sends the password in clear text inside the connection, which is why the TLS port 993 is used):

$ openssl s_client -host localhost -port 993
1 LOGIN username pass
2 LIST "" "*"
3 EXAMINE INBOX
4 FETCH 1 BODY[]
5 LOGOUT

MySQL

It works as the backend database for NextCloud, which has its own database and user with an automatically generated password. Access to the MySQL root account is allowed only from the Linux root user.

NextCloud

Nothing fancy here, just a regular configuration with the following apps preinstalled and configured:

  • user_ldap (integration with OpenLDAP)
  • calendar
  • contacts
  • mail
  • spreed (audio and video conferencing; the app behind Nextcloud Talk)

