Admin's Guide
Because PrivCore is just a set of tightly integrated components, it would make little sense to duplicate the documentation of those projects here. Instead, this page covers only the configuration details that differ from each component's default configuration.
PrivCore creates its own self-signed CA certificate and uses it to sign the client and server certificates it needs:
- /etc/ssl/CA – directory containing local CA certs and configuration files
- /etc/ssl/CA/private/ca_key.pem – local CA private key
- /etc/ssl/certs/ca_cert.pem – local CA certificate
- /etc/ssl/private/$(hostname -f)_key.pem – local machine’s private key
- /etc/ssl/certs/$(hostname -f)_cert.pem – local machine’s certificate
The CA certificate and the CRL are also served over HTTP:
- http://$(hostname -f)/ca_cert.der
- http://$(hostname -f)/ca_crl.pem
Certificate preview, e.g.:
$ openssl x509 -noout -text -in /etc/ssl/certs/$(hostname -f)_cert.pem | less
Certificate verification, e.g.:
$ openssl verify -CAfile <( cat /etc/ssl/certs/ca_cert.pem /etc/ssl/CA/certs/ca_crl.pem ) \
    -crl_check /etc/ssl/certs/$(hostname -f)_cert.pem
The <( ... ) process substitution is a bash feature; in a plain POSIX shell, concatenate the CA certificate and the CRL into one bundle file and pass that file to -CAfile instead.
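The following script is an added example and not part of PrivCore: it builds a throwaway CA, a host certificate and a CRL with openssl in a temporary directory, then runs the same kind of "verify -CAfile <CA+CRL bundle> -crl_check" check described above, once before and once after revoking the host certificate, and adds an expiry check that is useful as a cron job against the real $(hostname -f)_cert.pem. The config file, names and paths in it are constructed for the example and stand in for the real /etc/ssl/CA configuration.

```shell
#!/bin/sh
# Added example, not PrivCore's own tooling: throwaway CA + host cert + CRL,
# then the guide's "openssl verify ... -crl_check" before and after revocation.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: [req]/[v3_ca] for the CA certificate, [local_ca] for
# the CRL database. Constructed here; it is not the real /etc/ssl/CA config.
write_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = PrivCore demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/ca_cert.pem
private_key = $WORK/ca_key.pem
default_md = sha256
default_crl_days = 30
EOF
    : > "$WORK/index.txt"        # empty certificate database
    echo 01 > "$WORK/crlnumber"
}

# Self-signed CA plus a host certificate signed by it (the equivalent of
# ca_cert.pem and the machine certificate in the guide; hostname constructed).
make_ca_and_host_cert() {
    openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca_cert.pem" 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=mail.example.test" \
        -newkey rsa:2048 -nodes \
        -keyout "$WORK/host_key.pem" -out "$WORK/host.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca_cert.pem" \
        -CAkey "$WORK/ca_key.pem" -CAcreateserial -sha256 -days 365 \
        -out "$WORK/host_cert.pem" 2>/dev/null
}

# (Re)issue the CRL from the CA database.
issue_crl() {
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca_crl.pem" 2>/dev/null
}

# Revoke the host certificate and publish a fresh CRL that lists it.
revoke_host_cert() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/host_cert.pem" \
        -crl_reason keyCompromise 2>/dev/null
    issue_crl
}

# The guide's check. CA certificate and CRL are concatenated into a bundle
# file instead of bash's "<( ... )", so it also runs under plain sh.
# Prints "valid" or "invalid".
verify_host_cert() {
    cat "$WORK/ca_cert.pem" "$WORK/ca_crl.pem" > "$WORK/trust_bundle.pem"
    if openssl verify -CAfile "$WORK/trust_bundle.pem" -crl_check \
            "$WORK/host_cert.pem" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Prints "yes" if the host certificate expires within $1 days, else "no".
# -checkend exits 0 only when the certificate is still valid after that time.
expires_within_days() {
    if openssl x509 -noout -checkend $(($1 * 86400)) \
            -in "$WORK/host_cert.pem" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

write_config
make_ca_and_host_cert
issue_crl
echo "before revocation: $(verify_host_cert), expires within 30 days: $(expires_within_days 30)"
revoke_host_cert
echo "after revocation: $(verify_host_cert)"
```

Against the real installation, the same verify and -checkend commands apply unchanged to /etc/ssl/certs/ca_cert.pem, the published ca_crl.pem and /etc/ssl/certs/$(hostname -f)_cert.pem; note that -crl_check only checks the leaf certificate, while -crl_check_all would require a CRL for every CA in the chain.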
OpenLDAP is PrivCore's heart: virtually every other service is integrated with it, including your system users and groups. The most convenient way to manage OpenLDAP objects is phpLDAPadmin. The picture below shows the default PrivCore LDAP tree:
- cn=admins, ou=groups – users who can manage LDAP objects
- cn=ssh, ou=groups – users who can log in to the system via SSH and use a shell
- cn=users, ou=groups – collective group for all users
- ou=users – organization unit where you can create new users
- uid=readonly, ou=users – user for various system services
Remember that when you log in, the username you type is the content of the uid attribute; phpLDAPadmin labels it "User Name". You should also change the password storage scheme to a hashed form such as SSHA.
Unlike most of the services, the BIND daemon does not use LDAP at all, simply because the Debian 8 package lacks that functionality at the moment.
Why do we need it?
- it serves as a DNS cache
- based on your hostname and local IP address, PrivCore creates a local DNS zone for your local network
- you can add any other zones here, including Internet ones
The default configuration, with minor changes such as:
- redirects to HTTPS for the key services
- a configuration for BOSH, through which you can connect to the XMPP server from a web interface
The Exim configuration is by far the most complicated, far too complicated to cover here, so we describe only the few settings you can control via LDAP. First, it uses the following user attributes:
- mail (Email in phpLdapAdmin) – your primary email address
- mailLocalAddress – an additional email alias
Besides that, under "ou=SMTP Groups,ou=groups", you can define email distribution groups.
Dovecot holds all your email and stores it on disk in the /var/lib/dovecot/maildirs directory. You can test whether it operates correctly with a session similar to this one:
$ openssl s_client -host localhost -port 993
1 login username pass
2 LIST "" "*"
3 EXAMINE INBOX
4 FETCH 1 BODY[]
5 logout
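The script below is an added example, not part of PrivCore, that turns the interactive session above into a repeatable check: imap_session() feeds the same five commands to Dovecot through openssl s_client, and check_transcript() reads the server's replies and reports the status of every tag. Host, user and password are taken from the IMAP_HOST, IMAP_USER and IMAP_PASS environment variables (assumed names, nothing is hard-coded), and the two transcripts at the bottom are constructed samples of what Dovecot typically answers.

```shell
#!/bin/sh
# Added example, not part of PrivCore: non-interactive version of the guide's
# IMAP test session plus a checker for the tagged server responses.
set -eu

# -crlf converts newlines to the CRLF line endings IMAP requires, -quiet hides
# s_client's own chatter, -CAfile pins the local PrivCore CA and
# -verify_return_error aborts on a certificate that does not verify instead of
# only printing a warning. Username and password are sent as IMAP quoted
# strings; values containing '"' or '\' would need IMAP literal syntax.
imap_session() {
    printf '1 login "%s" "%s"\n2 LIST "" "*"\n3 EXAMINE INBOX\n4 FETCH 1 BODY[]\n5 logout\n' \
        "${IMAP_USER:?set IMAP_USER}" "${IMAP_PASS:?set IMAP_PASS}" |
        openssl s_client -connect "${IMAP_HOST:-localhost}:993" -crlf -quiet \
            -verify_return_error -CAfile /etc/ssl/certs/ca_cert.pem 2>/dev/null
}

# Reads a session transcript on stdin, prints "tag N: OK|NO|BAD|NO-REPLY" for
# tags 1..5 and returns non-zero if any tag did not get OK. Line based: a
# message body line that happens to look like "3 OK ..." would be misread.
check_transcript() {
    awk '
        { sub(/\r$/, "") }
        $1 ~ /^[0-9]+$/ && ($2 == "OK" || $2 == "NO" || $2 == "BAD") { status[$1] = $2 }
        END {
            fails = 0
            for (tag = 1; tag <= 5; tag++) {
                s = (tag in status) ? status[tag] : "NO-REPLY"
                printf "tag %d: %s\n", tag, s
                if (s != "OK") fails++
            }
            exit (fails > 0)
        }'
}

# Constructed transcript of a healthy session.
healthy_transcript() {
    cat <<'EOF'
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
1 OK [CAPABILITY IMAP4rev1 IDLE] Logged in
* LIST (\HasNoChildren) "." INBOX
2 OK List completed.
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* 1 EXISTS
3 OK [READ-ONLY] Examine completed (0.001 + 0.000 secs).
* 1 FETCH (BODY[] {12}
Hello world.
)
4 OK Fetch completed.
* BYE Logging out
5 OK Logout completed.
EOF
}

# Constructed transcript of a failed login: tags 1 to 4 must be flagged.
failed_login_transcript() {
    cat <<'EOF'
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
1 NO [AUTHENTICATIONFAILED] Authentication failed.
2 BAD Error in IMAP command LIST: Not logged in.
3 BAD Error in IMAP command EXAMINE: Not logged in.
4 BAD Error in IMAP command FETCH: Not logged in.
* BYE Logging out
5 OK Logout completed.
EOF
}

# With IMAP_USER set, test the real server; otherwise run the sample.
if [ -n "${IMAP_USER:-}" ]; then
    imap_session | check_transcript
else
    healthy_transcript | check_transcript
fi
```

Run it as IMAP_USER=alice IMAP_PASS='...' sh imap-check.sh on the PrivCore host; a non-zero exit status means a tag was refused or never answered, which is what a monitoring job should alert on.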
Have you ever heard of Jabber? It is now standardized and called XMPP. It uses the standard client (5222) and server (5269) ports. Contact groups (called a roster in XMPP terminology) are loaded from the tree "ou=XMPP Contacts,ou=groups". If you want to add new groups, besides adding them in LDAP you also need to update the configuration in the /etc/prosody/prosody.cfg.lua file and restart the prosody service.
If you want to try your own web XMPP client, use the BOSH interface at https://<your_domain>/http-bind
MySQL works as the backend storage for Roundcube and ownCloud metadata. These services have their own MySQL users with automatically generated passwords. Access to the root account is allowed only from the Linux system root user.
Roundcube is a web mail client that uses Exim and Dovecot to route and store your email. It is also integrated with ownCloud contacts and with the Prosody server via the BOSH interface.
Nothing fancy here, just the regular ownCloud configuration, but there is one catch: ownCloud requires every user to have a displayName attribute in LDAP. Without it, the user cannot log in.
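The script below is an added example, not part of PrivCore, that audits an LDIF export of ou=users for the two LDAP problems this guide mentions: userPassword values stored in cleartext instead of a hashed scheme such as {SSHA} (the password scheme advice in the OpenLDAP section) and accounts without a displayName, which ownCloud refuses to log in. The sample LDIF at the bottom is constructed, and the ldapsearch bind DN and base DN in the usage note are placeholders you must replace with your own.

```shell
#!/bin/sh
# Added example, not part of PrivCore: audit an LDIF export of ou=users for
# cleartext userPassword values and for users without displayName.
set -eu

# LDIF folds long values onto continuation lines that start with a space;
# join them back so every attribute sits on one line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (started) print buf; buf = $0; started = 1 }
        END { if (started) print buf }'
}

# Reads LDIF on stdin, prints one line per finding and a final "problems: N".
# ldapsearch base64-encodes userPassword ("userPassword:: ..."), so it is
# decoded before the scheme check. The attribute is only exported when the
# bind DN may read it (an admin from cn=admins), so its absence is no finding.
audit_ldif() {
    unfold_ldif | {
        dn=''; password=''; name=''; problems=0
        report() {
            [ -n "$dn" ] || return 0
            case "$password" in
                '')   ;;                                   # not exported
                '{'*) ;;                                   # {SSHA}, {CRYPT}, ...
                *)    echo "CLEARTEXT-PASSWORD $dn"; problems=$((problems + 1)) ;;
            esac
            if [ -z "$name" ]; then
                echo "MISSING-DISPLAYNAME $dn"; problems=$((problems + 1))
            fi
        }
        while IFS= read -r line; do
            case "$line" in
                '')                  report; dn=''; password=''; name='' ;;
                'dn: '*)             dn=${line#dn: } ;;
                'userPassword:: '*)  password=$(printf '%s' "${line#userPassword:: }" | base64 -d) ;;
                'userPassword: '*)   password=${line#userPassword: } ;;
                'displayName: '*|'displayName:: '*) name=present ;;
            esac
        done
        report
        echo "problems: $problems"
    }
}

# Constructed sample: alice is fine ("{SSHA}abcd", a fake hash), bob has a
# cleartext password and no displayName, readonly has a base64-wrapped
# cleartext password ("secret") and a folded displayName.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=users,dc=example,dc=test
uid: alice
displayName: Alice Example
userPassword:: e1NTSEF9YWJjZA==

dn: uid=bob,ou=users,dc=example,dc=test
uid: bob
userPassword: secret123

dn: uid=readonly,ou=users,dc=example,dc=test
uid: readonly
displayName: Read-only service
  account
userPassword:: c2VjcmV0
EOF
}

# With a file argument audit that export, otherwise run the built-in sample.
if [ "$#" -gt 0 ]; then
    audit_ldif < "$1"
else
    sample_ldif | audit_ldif
fi
```

To audit the real directory, export it with an admin bind and pass the file in, for example ldapsearch -x -LLL -W -D 'cn=admin,dc=example,dc=test' -b 'ou=users,dc=example,dc=test' uid displayName userPassword > users.ldif followed by sh audit-ldif.sh users.ldif (both DNs are placeholders). Every CLEARTEXT-PASSWORD line is an account whose password should be reset so that it is stored under a hashed scheme, and every MISSING-DISPLAYNAME line is an account that ownCloud will reject.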