16 Webinterface Configuration

16.1 SSL Certificate

This SSL certificate will be used for the MMC and the CUPS web-frontend.

mkdir /etc/apache2/ssl/
openssl req -new -x509 -keyout /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.crt -days 365 -nodes
chmod 600 /etc/apache2/ssl/server.key
cp /etc/apache2/ssl/* /etc/cups/ssl/

16.2 CUPS

In order that you can access the CUPS web-frontend from other machines in your network, you have to adjust some settings.

vi /etc/cups/cupsd.conf

Change:

Listen localhost:631

To:

Listen %server_ip%:631

Change:

# Restrict access to the server...
<Location />
Order allow,deny
Allow localhost
</Location>

# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
</Location>

To:

# Restrict access to the server...
<Location />
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>

# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>

Afterwards restart CUPS.

/etc/init.d/cupsys restart

Now you're able to manage your CUPS printers via the CUPS webinterface from your workstation. Open https://192.168.0.100:631/ (Later, when the nameserver and the dhcp-server are configured, you should connect via https://server1.example.com:631) within your preferred browser and log in as root. Please note that if there is no Linux driver available for your printer and you want to use this printer only from your Windows workstations trough SAMBA, you can use the printer manufacturer "RAW" and install the correct driver on your Windows workstations.

Please note that if you are going to set up a HP printer, you should add it to CUPS via hplip (command line). The exact command depends on the connection type of your device - have a look at "hp-setup --help". E.g.: For a network-printer with the IP 192.168.0.20 the command is "hp-setup -i 192.168.0.20". Afterwards you can adjust the printer settings (resolution etc.) within the CUPS webinterface.

After you added a new printer to CUPS, you'll have to add it to Samba via

cupsaddsmb -a

16.3 MMC

We'll create two vhosts - one for http-connections and one for https-connections.

16.3.1 HTTP VHost

vi /etc/apache2/sites-available/http

Add the following configuration.

<VirtualHost 192.168.0.100:80>

   ServerName server1.example.com

   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

</VirtualHost>

16.3.2 HTTPS VHost

vi /etc/apache2/sites-available/https

Add the following configuration.

NameVirtualHost 192.168.0.100:443

<VirtualHost 192.168.0.100:443>

   ServerName server1.example.com
   ServerAdmin Administrator@example.com
   DocumentRoot /usr/share/mmc/

   SSLEngine on
   SSLCertificateKeyFile ssl/server.key
   SSLCertificateFile ssl/server.crt
   SSLProtocol all
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

   <Directory /usr/share/mmc/>
       AllowOverride None
       Order allow,deny
       Allow from 192.168.0.0/24
       php_flag short_open_tag on
       SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
   </Directory>

   ErrorLog /var/log/apache2/mmc_error.log
   CustomLog /var/log/apache2/mmc_access.log combined
   LogLevel warn

</VirtualHost>

Add the HTTPS listen port to the apache configuration.

vi /etc/apache2/ports.conf

Add the following line:

Listen 443

16.4 Modules & Sites

After that we enable the new sites, ...

a2ensite http
a2ensite https

... the rewrite module ...

a2enmod rewrite

... and the ssl module.

a2enmod ssl

Now restart apache.

/etc/init.d/apache2 restart

17 MMC Plugins

17.1 MMC Base-Plugin Configuration

Edit MMC base-plugin configuration file.

vi /etc/mmc/plugins/base.ini

Edit the baseDN that it fits to your domain, insert the correct ldap admin password and change the destination path for the archives - the content should look like this:

[ldap]
# LDAP we are connected to
host = 127.0.0.1
# LDAP base DN
baseDN = dc=example, dc=com
# Users location in the LDAP
baseUsersDN = ou=Users, %(basedn)s
# Groups location in the LDAP
baseGroupsDN = ou=Groups, %(basedn)s
# Computers Locations
baseComputersDN = ou=Computers, %(basedn)s
# LDAP manager
rootName = cn=admin, %(basedn)s
password = howtoforge
# If enabled, the MMC will create/move/delete the home of the users
# Else will do nothing, but only write user informations into LDAP
userHomeAction = 1
# Skeleton directory to populate a new home directory
skelDir = /etc/skel
# If set, all new users will belong to this group when created
defaultUserGroup = Domain Users
# Default home directory for users
defaultHomeDir = /home
# user uid number start
uidStart = 10000
# group gid number start
gidStart = 10000
# LDAP log file path
logfile = /var/log/ldap.log
# FDS log file path
# logfile = /opt/fedora-ds/slapd-hostname/logs/access
# you can specify here where you can authorized creation of your homedir
# default is your defaultHomeDir
# example:
# authorizedHomeDir = /home, /home2, /mnt/depot/newhome
[backup-tools]
# Path of the backup tools
path = /usr/lib/mmc/backup-tools
# Where are put the archives
destpath = /home/samba/archives

17.2 MMC Mail-Plugin Configuration

Edit MMC mail-plugin configuration file.

vi /etc/mmc/plugins/mail.ini

Edit the vDomainDN that it fits to your domain, comment the line for postfix delivery and comment out the line for dovecot delivery - the content should look like this:

[main]
disable = 0
# Enable virtual domain support
vDomainSupport = 0
# If vdomain enabled, OU where the domain are stored
vDomainDN = ou=mailDomains, dc=example, dc=com
[userDefault]
# For Postfix delivery
# mailbox = %homeDirectory%/Maildir/
# For Dovecot delivery
mailbox = maildir:%homeDirectory%/Maildir/
# Default quota (200 MBytes) set for user
mailuserquota = 204800

17.3 MMC Network-Plugin Configuration

Edit MMC network-plugin configuration file.

vi /etc/mmc/plugins/network.ini

Edit the domain name that it fits to your domain - the content should look like this:

[main]
disable = 0
[dhcp]
dn = ou=DHCP,dc=example,dc=com
pidfile = /var/run/dhcpd.pid
init = /etc/init.d/dhcp3-server
logfile = /var/log/daemon.log
leases = /var/lib/dhcp3/dhcpd.leases
[dns]
dn = ou=DNS,dc=example,dc=com
pidfile = /var/run/bind/run/named.pid
init = /etc/init.d/bind9
logfile = /var/log/daemon.log
bindroot = /etc/bind/
binduser = bind
# dnsreader = DNS Reader
# dnsreaderpassword = DNSReaderPassword

18 MMC Agent Initial Start

At this point the mmc-agent is ready for the initial start.

/etc/init.d/mmc-agent start

During the first startup the mmc-agent writes some bind and dhcp related settings into the LDAP - so you have to restart bind (the dhcp-server is not running at the moment).

/etc/init.d/bind9 restart