2016-12-29
HomeDocumentationAdmins Guide

Admins Guide

By  Documentation, PrivCore 1.0.X  0 Comments

Because PrivCore is only a bunch of highly integrated components, it wouldn’t be a good idea to create here alternative documentation for those projects. Instead, you will find here relevant information about the configuration details which are non-standard, in relation to the default configuration.

OpenSSL

PrivCore creates its own self signed CA certificate and uses it to sign appropriate client and server certificates:

  • /etc/ssl/CA – directory containing local CA certs and configuration files
  • /etc/ssl/CA/private/ca_key.pem – local CA private key
  • /etc/ssl/certs/ca_cert.pem – local CA certificate
  • /etc/ssl/private/$(hostname -f)_key.pem – local machine’s private key
  • /etc/ssl/certs/$(hostname -f)_cert.pem – local machine’s certificate

CRL and CA files are also available through HTTP:

  • http://$(hostname -f)/ca_cert.der
  • http://$(hostname -f)/ca_crl.pem

Certificate preview, eg:

$ openssl x509 -noout -text -in /etc/ssl/certs/$(hostname -f)_cert.pem | less

Certificate verification, eg:

$ openssl verify -CAfile <( cat /etc/ssl/certs/ca_cert.pem /etc/ssl/CA/certs/ca_crl.pem )
 -crl_check /etc/ssl/certs/$(hostname -f)_cert.pem

OpenLDAP

It’s a PrivCore‘s heart. Virtually every other service was integrated with OpenLDAP, including your system users and groups. Most convenient way to manage OpenLDAP‘s objects is through phpldapadmin. On the picture below you can see the default PrivCore LDAP tree :

ldap_tree

  • cn=admins, ou=groups – users who can manage LDAP objects
  • cn=ssh, ou=groups – users who can login to system via ssh and use shell
  • cn=users, ou=groupscollective group for all users
  • ou=users – organization unit where you can create new users
  • uid=readonly, ou=users – user for various system services

Remember, when you log on, as username you should type uid attribute content. In phpLdapAdmin it’s called as “User Name“. You should also change your password scheme to encrypted form like ssha

Bind (DNS)

Contrary to most services, bind daemon doesn’t use LDAP at all. Simply because it lacks that functionality at this moment in Debian 8.

Why we need that?

  • it serve as DNS cache
  • based on your hostname and local ip, PrivCore creates local DNS zone for your local network
  • you can add here any other zones, including internet ones

 

Apache (HTTP/HTTPS)

Default configuration, with minor changes like:

  • redirecting to HTTPS for key services
  • configuration for BOSH – through which you can connect to the XMPP server using a web interface

 

Exim (SMTP)

Exim configuration is the most complicated, by far too complicated to cover it here. So we write only about few settings that you could perform via LDAP. First of, it uses following attributes for users :

  • mail (Email in phpLdapAdmin) – your primary email address
  • mailLocalAddress – an additional email alias

Beside that, under “ou=SMTP Groups,ou=groups“, you can define email distributed groups :

smtp_group

Dovecot (IMAP)

It holds all your emails and stores them on disk in /var/lib/dovecot/maildirs directory. You can test whatever it operates correctly using the session similar to this one:

$ openssl s_client -host localhost -port 993
1 login username pass
2 LIST "" "*"
3 EXAMINE INBOX
4 FETCH 1 BODY[]
5 logout

Prosody (XMPP)

Have you ever heard about Jabber? Now it’s standardized and called XMPP. It uses standard client (5222) and server (5269) ports. Contacts groups (in XMPP terminology it’s called roster) are loaded from tree “ou=XMPP Contacts,ou=groups“. If you want to add some new groups, beside adding them in LDAP, you need also update your configuration in /etc/prosody/prosody.cfg.lua file and restart prosody service.

xmpp_group

If you want to try you own web XMPP client, then you need to use BOSH interface at url https://<your_domain>/http-bind

MySQL

It works as a backend storage for Roundcube and ownCloud metadata. These services have own users in mysql with automatically generated passwords. Access to root account is allowed only from Linux system root user.

Roundcube

Web mail client which uses Exim and Dovecot to route and store your emails. It’s also integrated with ownCloud contacts and Prosody server via BOSH interface :

roundcube_contacts

roundcube_converse

ownCloud

Nothing fancy here, just regular configuration, but there is one catch. ownCloud requires that user need to have displayName attribute in LDAP. Without that it won’t allow you to login in.

 

Related Posts

About Author

adrb

Add a Comment

Help-Desk
Tickets