
Copyright © 2007,2008,2009 Cédric Delfosse - Mandriva
| Revision History | | |
|---|---|---|
| Revision $Revision: 3928 $ | $Date: 2009-03-20 09:16:05 +0100 (Fri, 20 Mar 2009) $ | $Author: cdelfosse $ |
Abstract
How to install the MMC (Mandriva Management Console) on a Linux distribution
The MMC (Mandriva Management Console) is made of two parts:
An agent running on the machine to manage. We call it « MMC agent ». The agent exports several plugins to the network that allow the machine to be managed. Of course, there can be multiple agents running on the network. The agent and its plugins are written in Python.
A web interface, that talks to the agent(s) using XML-RPC. The interface is written in PHP4, and uses the scriptaculous framework to provide an AJAX experience.
In this document, we will first explain how to install and configure the MMC agent and its plugins, and then how to install the web interface.
These installation instructions are generic: they should work on most Linux distributions.
If you have any installation issues, please use the MDS users mailing list.
Here are the package naming conventions:
mmc-agent: the MMC agent package
python-mmc-PLUGIN: MMC agent plugin
mmc-web-PLUGIN: web interface plugin
Note: Sample configuration files
All MMC related sample configuration files are available in the python-mmc-base package, in directory
... because Mandriva RPM packages for the MDS and the MMC are available.
Packages for Mandriva 2009 and Mandriva Cooker are available in the official Mandriva repository. You will find an official mirror using the Mandriva mirror finder module.
Then, you can register a package repository with this command:
urpmi.addmedia Community_Main ftp://ftp.free.fr/mirrors/ftp.mandriva.com/MandrivaLinux/official/current/i586/media/main/backports/
For the 64-bit architecture:
urpmi.addmedia Community_Main ftp://ftp.free.fr/mirrors/ftp.mandriva.com/MandrivaLinux/official/current/x86_64/media/main/backports/
Corporate Server 4 packages are also available.
You can register the CS4 package repository with this command for the 32-bit architecture:
urpmi.addmedia mds http://mds.mandriva.org/pub/mds/RPM/i586
For the 64-bit architecture:
urpmi.addmedia mds http://mds.mandriva.org/pub/mds/RPM/x86_64
To install all the MDS related packages, just type:
# urpmi mmc-web-base mmc-web-mail mmc-web-network mmc-web-proxy mmc-web-samba \
mmc-agent \
python-mmc-base python-mmc-mail python-mmc-network python-mmc-proxy python-mmc-samba
For Debian Sarge, add this in your sources.list:
deb http://mds.mandriva.org/pub/mds/debian sarge main
For Debian Etch:
deb http://mds.mandriva.org/pub/mds/debian etch main
To install all the MDS related packages, just type:
# apt-get install mmc-web-base mmc-web-mail mmc-web-network mmc-web-proxy mmc-web-samba \
mmc-agent python-mmc-base python-mmc-mail python-mmc-network python-mmc-proxy python-mmc-samba
Since version 1.1.2, the MMC supports both OpenLDAP and Fedora Directory Server.
One LDAP schema called MMC schema is mandatory. This schema and
others are available in the mmc-agent tarball, in the directory
contrib/ldap/.
The OpenLDAP configuration can be done easily using the openldap-mandriva-dit package.
# urpmi openldap-mandriva-dit
...
# /usr/share/openldap/scripts/mandriva-dit-setup.sh
Please enter your DNS domain name [localdomain]:
mandriva.com
Administrator account
The administrator account for this directory is
uid=LDAP Admin,ou=System Accounts,dc=mandriva,dc=com
Please choose a password for this account:
New password:[type password]
Re-enter new password:[type password]
Summary
=======
Domain: mandriva.com
LDAP suffix: dc=mandriva,dc=com
Administrator: uid=LDAP Admin,ou=System Accounts,dc=mandriva,dc=com
Confirm? (Y/n)
Y
config file testing succeeded
Stopping ldap service
Finished, starting ldap service
Running /usr/bin/db_recover on /var/lib/ldap
remove /var/lib/ldap/alock
Starting slapd (ldap + ldaps): [ OK ]
And you're done, the LDAP directory has been populated and the LDAP service has been started.
Some tweaks need to be made to the LDAP configuration so that the LDAP service suits the MDS.
First, copy the MDS LDAP schema to the LDAP schemas directory:
# cd /usr/share/doc/python-mmc-base*/contrib/ldap/
# cp dhcp.schema dnszone.schema mail.schema mmc.schema /etc/openldap/schema/
Then, add these lines to the file /etc/openldap/schema/local.schema:
include /etc/openldap/schema/mmc.schema
include /etc/openldap/schema/mail.schema
include /etc/openldap/schema/dnszone.schema
include /etc/openldap/schema/dhcp.schema
Then, to avoid LDAP schema conflicts, comment out or remove these lines at the beginning of the file /etc/openldap/slapd.conf:
#include /usr/share/openldap/schema/misc.schema
#include /usr/share/openldap/schema/kolab.schema
#include /usr/share/openldap/schema/dnszone.schema
#include /usr/share/openldap/schema/dhcp.schema
Last, comment or remove these lines at the end of the file
/etc/openldap/mandriva-dit-access.conf:
#access to dn.one="ou=People,dc=mandriva,dc=com"
# attrs=@inetLocalMailRecipient,mail
# by group.exact="cn=MTA Admins,ou=System Groups,dc=mandriva,dc=com" write
# by * read
To check that the LDAP service configuration is right, run slaptest:
# slaptest
config file testing succeeded
Now you can restart the LDAP service:
# service ldap restart
Checking config file /etc/openldap/slapd.conf: [ OK ]
Stopping slapd: [ OK ]
Starting slapd (ldap + ldaps): [ OK ]
Note: OpenLDAP example configuration
You will find an example of OpenLDAP configuration in the directory
Note: Already existing directory
If you already have an OpenLDAP directory, all you need to do is include the mmc.schema file.
Note: Debian based distribution
When installing the slapd package, debconf lets you configure the root DN of your LDAP directory, set the LDAP manager password and populate the directory. So you only need to include mmc.schema in the slapd configuration and you are done.
Get the file mmc.schema from the mmc-agent tarball, and copy it to /etc/openldap/schema/ (or maybe /etc/ldap/schema/).
Include this schema in the OpenLDAP configuration, in /etc/ldap/slapd.conf (or maybe /etc/openldap/slapd.conf):
include /etc/openldap/schema/mmc.schema
This schema must be included after the inetorgperson.schema file. On Mandriva, the kolab.schema file conflicts with mmc.schema, so you need to comment out the include directive for the Kolab schema, else OpenLDAP won't start.
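The two constraints just stated (mmc.schema after inetorgperson.schema, kolab.schema commented out) are easy to get wrong when editing slapd.conf by hand. The following script is an added example, not code from the MMC project: it reads the active (uncommented) include lines of a slapd.conf and reports both problems. The two configuration texts in it are constructed samples, not files from the tarball.

```python
"""Check the schema include order in an OpenLDAP slapd.conf.

Added example, not code from the MMC project.  The documentation states
that mmc.schema must be included after inetorgperson.schema and that the
Mandriva kolab.schema conflicts with mmc.schema and must be commented
out.  Both conditions are checked on the active include lines.  The two
configuration texts below are constructed samples.
"""
import re

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def active_includes(conf_text):
    """Return the included file paths, in file order, skipping commented lines."""
    paths = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented include is not loaded by slapd
        match = INCLUDE_RE.match(line)
        if match:
            paths.append(match.group(1))
    return paths


def check_schema_order(conf_text, schema="mmc.schema",
                       required_before="inetorgperson.schema",
                       conflicting=("kolab.schema",)):
    """Return a list of problems; an empty list means the include order is acceptable."""
    problems = []
    # Compare on basenames so /etc/openldap/... and /usr/share/openldap/... both match.
    names = [path.rsplit("/", 1)[-1] for path in active_includes(conf_text)]
    if schema not in names:
        problems.append("%s is not included" % schema)
    elif required_before not in names:
        problems.append("%s is not included" % required_before)
    elif names.index(required_before) > names.index(schema):
        problems.append("%s must be included after %s" % (schema, required_before))
    for name in conflicting:
        if name in names:
            problems.append("%s conflicts with %s; comment out its include" % (name, schema))
    return problems


# Constructed sample: kolab.schema still active and mmc.schema included too early.
BAD_CONF = """\
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/kolab.schema
include /etc/openldap/schema/mmc.schema
include /usr/share/openldap/schema/inetorgperson.schema
"""

# Constructed sample: the same file after the fixes described above.
GOOD_CONF = """\
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
#include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/mmc.schema
"""

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(label, check_schema_order(conf) or "OK")
```

Run it against the real file with `check_schema_order(open("/etc/openldap/slapd.conf").read())`; slaptest still has the last word, since it parses the schema contents themselves, but this catches the ordering mistake before slapd refuses to start.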
In the OpenLDAP configuration file, we also define the LDAP DN suffix, the LDAP manager (rootdn) and its password (rootpw):
suffix "dc=mandriva,dc=com"
rootdn "cn=admin,dc=mandriva,dc=com"
rootpw {SSHA}gqNR92aL44vUg8aoQ9wcZYzvUxMqU6/8
The SSHA password is computed using the slappasswd command:
# slappasswd -s secret
{SSHA}gqNR92aL44vUg8aoQ9wcZYzvUxMqU6/8
Once the OpenLDAP server is configured, the base LDAP directory
architecture must be created. Create a file called /tmp/ldap-init.ldif containing:
dn: dc=mandriva,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: mandriva
o: mandriva

dn: cn=admin,dc=mandriva,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP Administrator
userPassword: {SSHA}gqNR92aL44vUg8aoQ9wcZYzvUxMqU6/8
The userPassword field must be filled with the output of the slappasswd command. Now we inject the LDIF file into the directory:
# /etc/init.d/ldap stop
# slapadd -l /tmp/ldap-init.ldif
# /etc/init.d/ldap start
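The slappasswd output used above is a salted SHA-1: base64 of SHA1(password + salt) followed by the salt, with the {SSHA} prefix telling OpenLDAP how to verify it. The script below is an added example, not part of the MMC project or of OpenLDAP: it reproduces that computation, verifies a password against a stored {SSHA} value, and writes the two-entry ldap-init.ldif with the prefix in place. The suffix, admin DN and password it uses are the sample values from this section.

```python
"""Generate the initial MMC LDIF with a correctly formatted {SSHA} hash.

Added example, not code from the MMC project.  ssha_hash() computes what
`slappasswd -s` prints: "{SSHA}" + base64(SHA1(password + salt) + salt).
The suffix, admin cn and password below are the sample values used in
the documentation, not real credentials.
"""
import base64
import hashlib
import os


def ssha_hash(password, salt=None):
    """Return an OpenLDAP {SSHA} string for the given password."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a random 4-byte salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False  # cleartext or another scheme: not what this guide expects
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    if isinstance(password, str):
        password = password.encode("utf-8")
    return hashlib.sha1(password + salt).digest() == digest


def build_init_ldif(suffix, admin_cn, password):
    """Return the LDIF text for the base entry and the manager entry."""
    # "dc=mandriva,dc=com" -> "mandriva" for the dc and o attributes
    first_rdn_value = suffix.split(",")[0].split("=", 1)[1]
    entries = [
        "dn: %s" % suffix,
        "objectClass: top",
        "objectClass: dcObject",
        "objectClass: organization",
        "dc: %s" % first_rdn_value,
        "o: %s" % first_rdn_value,
        "",  # a blank line separates LDIF entries; slapadd needs it
        "dn: cn=%s,%s" % (admin_cn, suffix),
        "objectClass: simpleSecurityObject",
        "objectClass: organizationalRole",
        "cn: %s" % admin_cn,
        "description: LDAP Administrator",
        "userPassword: %s" % ssha_hash(password),
    ]
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    # Sample values from the documentation; replace them for a real deployment.
    print(build_init_ldif("dc=mandriva,dc=com", "admin", "secret"), end="")
```

Write the output to /tmp/ldap-init.ldif and load it with slapadd as shown above. ssha_verify() is also a quick way to confirm that a rootpw or userPassword value really corresponds to the password you think it does, without binding to the server.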
Note: LDAP suffix
In this example, the LDAP suffix is dc=mandriva,dc=com. Of course, you can choose another suffix.
Note: Changing the OpenLDAP manager password
You can't change this password using the MMC interface. You must use this command line:
ldappasswd -s NewPassword -D "cn=admin,dc=mandriva,dc=com" -w OldPassword -x cn=admin,dc=mandriva,dc=com
This part is written in Python, and uses lots of third party tools.
In this table, we give the needed packages for each distribution and each MMC component.
If you have information for other distributions, you're welcome :)
| Vendor / MMC component | MMC agent | Python base plugin | Python samba plugin | Python mail plugin | Python ox plugin | Python proxy plugin |
|---|---|---|---|---|---|---|
| Mandriva 2006 | python-twisted | python-ldap pylibacl | samba | | python-psycopg | squid squidguard |
| CentOS 4.3 | python-twisted | python-ldap python-libacl | samba | | python-psycopg postgresql-python | squid squidguard |
Note: CentOS DAG repository
For some packages, you will need to add the DAG repository to yum. Create a file named
# DAG Repository for RedHat Enterprise 4 / CentOS 4
[dag]
name=DAG Repository
baseurl = http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
gpgcheck=1
enabled=0
Get the current mmc-agent tarball at this URL: ftp://mds.mandriva.org/pub/mds/sources/current/
# tar xzf mmc-agent-x.y.z.tar.gz
# cd mmc-agent-x.y.z
# make install
The last command starts the installation: the MMC agent and all its plugins are byte-compiled and installed.
The default $PREFIX for installation is /usr/local. Here is how the files are installed:
$PREFIX/sbin/mmc-agent: the MMC agent
$PREFIX/lib/mmc/: helpers for some MMC plugins
/etc/mmc/: all MMC configuration files. These are sample files you will need to edit.
/etc/init.d/mmc-agent: MMC agent init script
$PREFIX/lib/pythonX.Y/site-packages/mmc: MMC Python libraries and plugins
$PREFIX/lib/pythonX.Y/site-packages/mmc/plugins/: MMC Python plugins
When the MMC agent starts, it looks for all the installed plugins, and tries to activate them. Each plugin has a self-test function to check whether it can be activated or not. For example, if the « base » plugin can't contact the LDAP, it won't be activated. If the SAMBA schema is not available in the LDAP, the « samba » plugin won't start.
The MMC agent always tries to enable the plugin « base » first. The MMC agent won't start if the plugin « base » can't be activated.
You can find a full description of the MMC agent configuration file there.
With the default configuration file we provide (/etc/mmc/agent/config.ini), the MMC agent listens locally for incoming XML-RPC over HTTPS connections on port 7080.
You can find a full description of the MMC base plugin configuration file there.
The main part of the configuration (/etc/mmc/plugins/base.ini) is to set the LDAP
server to connect to, and the credentials to use to write into the
LDAP.
The « defaultUserGroup » option must be set to an existing group in the LDAP. You will have to create it using the MMC web interface if this group does not exist.
You can find a full description of the MMC SAMBA plugin configuration file there.
You shouldn't need to edit the configuration file (/etc/mmc/plugins/samba.ini). This plugin won't be activated if your LDAP directory does not include the SAMBA schema and well-known RIDs. See Section 6, “MDS SAMBA configuration”.
ACLs must be enabled on your filesystem. The SAMBA plugin needs them to set the ACLs when creating shares, and SAMBA will be able to map NTFS ACLs to the POSIX ACLs.
If you use XFS, ACLs are enabled by default. For ext3, you need
to enable ACLs in /etc/fstab.
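A check for the ext3 case, as an added example that is not part of the MMC project: the function parses an fstab text, reports the ext3 entries whose mount options lack `acl`, and shows the corrected line for each. The fstab content it uses is a constructed sample.

```python
"""Report ext3 filesystems in /etc/fstab that are mounted without ACL support.

Added example, not code from the MMC project.  The SAMBA plugin needs
POSIX ACLs; XFS enables them by default, ext3 needs the "acl" mount
option.  The fstab text below is a constructed sample.
"""


def ext3_mounts_without_acl(fstab_text):
    """Return (mount_point, fixed_line) pairs for ext3 entries lacking the acl option."""
    findings = []
    for line in fstab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 4:
            continue  # malformed: fstab needs at least device, mount point, type, options
        mount_point, fstype, options = fields[1], fields[2], fields[3]
        if fstype != "ext3":
            continue  # XFS and others are out of scope for this check
        opts = options.split(",")
        if "acl" in opts:
            continue
        fixed = fields[:]
        fixed[3] = ",".join(opts + ["acl"])
        findings.append((mount_point, " ".join(fixed)))
    return findings


# Constructed sample /etc/fstab
SAMPLE_FSTAB = """\
# constructed sample /etc/fstab
/dev/sda1 / ext3 defaults 1 1
/dev/sda2 /home ext3 defaults,acl 1 2
/dev/sdb1 /srv/samba xfs defaults 0 0
/dev/sdb2 /srv/shares ext3 defaults,noatime 1 2
none /proc proc defaults 0 0
"""

if __name__ == "__main__":
    for mount_point, fixed_line in ext3_mounts_without_acl(SAMPLE_FSTAB):
        print("%s: ACLs not enabled, use: %s" % (mount_point, fixed_line))
```

After editing fstab the filesystem must be remounted (`mount -o remount /srv/shares`) for the option to take effect; the check only reads the configuration, it does not inspect the live mounts.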
You can find a full description of the MMC mail plugin configuration file there.
This plugin won't be activated if your LDAP directory does not include a special mail schema. See Section 7, “MDS mail service configuration”.
You can find a full description of the MMC network plugin configuration file there.
This plugin won't be activated if your LDAP directory does not include special schemas. See Section 8, “MDS network plugin configuration for integrated DNS/DHCP”.
To start and stop the MMC agent, use the /etc/init.d/mmc-agent script:
# /etc/init.d/mmc-agent stop
# /etc/init.d/mmc-agent start
The MMC agent must be started to use the MMC web interface.
When the MMC agent is started, all startup log messages are
written to stderr and /var/log/mmc/mmc-agent.log.
Here is what is written (for example) if there is no error:
# /etc/init.d/mmc-agent start
Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
Plugin base loaded, API version: 4:0:0 build(82)
Plugin mail loaded, API version: 3:0:1 build(78)
Plugin samba loaded, API version: 3:0:2 build(78)
Plugin proxy loaded, API version: 1:0:0 build(78)
Daemon PID 13943
done.
If there is an error:
# /etc/init.d/mmc-agent start
Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
Can't bind to LDAP: invalid credentials.
Plugin base not loaded.
MMC agent can't run without the base plugin. Exiting.
failed.
The base plugin can't bind to LDAP, because the credentials we used to connect to the LDAP server are wrong. As the base plugin must be activated to use the MMC agent, the MMC agent exits.
# /etc/init.d/mmc-agent start
Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
Plugin base loaded, API version: 4:0:0 build(82)
Plugin mail loaded, API version: 3:0:1 build(78)
Samba schema are not included in LDAP directory
Plugin samba not loaded.
Plugin proxy loaded, API version: 1:0:0 build(78)
Daemon PID 14010
done.
In this example, the SAMBA schema has not been detected in the LDAP directory, so the SAMBA plugin is not started. But this plugin is not mandatory, so the MMC agent doesn't exit.
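The three transcripts above follow a fixed pattern: one "Plugin X loaded" or "Plugin X not loaded" line per plugin, the failure reason on the line just before a "not loaded", a "Daemon PID" line when the agent is up, and a hard exit when base fails. The script below is an added example, not part of the MMC project: it turns that pattern into a parser you can run over /var/log/mmc/mmc-agent.log to see which plugins came up and why any did not. Its sample logs are constructed from the documented output.

```python
"""Parse mmc-agent startup output and decide whether the agent is running.

Added example, not code from the MMC project.  The rules implemented are
the ones the documentation describes: "Plugin X loaded" / "Plugin X not
loaded" lines, the reason printed just before a failure, "Daemon PID"
when the daemon is up, and the agent exiting when the base plugin fails.
The sample logs below are constructed from the documented output.
"""
import re

LOADED_RE = re.compile(r"^Plugin (\w+) loaded, API version: (\S+) build\((\d+)\)")
NOT_LOADED_RE = re.compile(r"^Plugin (\w+) not loaded\.")
NOISE = ("done.", "failed.")


def parse_startup_log(text):
    """Return {'loaded': {name: api_version}, 'failed': {name: reason}, 'running': bool}."""
    loaded, failed, pending_reason, running = {}, {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        match = LOADED_RE.match(line)
        if match:
            loaded[match.group(1)] = match.group(2)
            pending_reason = []
            continue
        match = NOT_LOADED_RE.match(line)
        if match:
            # The self-test message(s) printed just before explain the failure.
            failed[match.group(1)] = " ".join(pending_reason) or "no reason given"
            pending_reason = []
            continue
        if line.startswith("Daemon PID "):
            running = True
        elif line and not line.startswith("Starting ") and line not in NOISE:
            pending_reason.append(line)
    if "base" in failed:
        running = False  # documented rule: the agent exits without the base plugin
    return {"loaded": loaded, "failed": failed, "running": running}


def hidden_web_modules(result, installed_web_modules):
    """Web modules the interface will hide because the matching plugin is not loaded."""
    return sorted(m for m in installed_web_modules if m not in result["loaded"])


# Constructed samples based on the documented transcripts.
OK_LOG = """\
Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
Plugin base loaded, API version: 4:0:0 build(82)
Plugin mail loaded, API version: 3:0:1 build(78)
Plugin samba loaded, API version: 3:0:2 build(78)
Plugin proxy loaded, API version: 1:0:0 build(78)
Daemon PID 13943
done.
"""

FAIL_LOG = """\
Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
Can't bind to LDAP: invalid credentials.
Plugin base not loaded.
MMC agent can't run without the base plugin. Exiting.
failed.
"""

PARTIAL_LOG = """\
Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
Plugin base loaded, API version: 4:0:0 build(82)
Plugin mail loaded, API version: 3:0:1 build(78)
Samba schema are not included in LDAP directory
Plugin samba not loaded.
Plugin proxy loaded, API version: 1:0:0 build(78)
Daemon PID 14010
done.
"""

if __name__ == "__main__":
    for name, log in (("ok", OK_LOG), ("fail", FAIL_LOG), ("partial", PARTIAL_LOG)):
        print(name, parse_startup_log(log))
```

Feeding the result to hidden_web_modules() with the list of installed mmc-web-* modules tells you in advance which management pages the web interface will hide, which is the behaviour described for the web modules later in this document.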
The MMC web interface is written in PHP4. Basically, you just need to install an Apache2 server with PHP4 (or PHP5) support.
The XML-RPC module of PHP is needed too.
The mmc-web-base package contains:
the base infrastructure used by all the other MMC web modules
the MMC login page
the users and groups management pages
The other MMC web modules available are:
mmc-web-samba: SAMBA users, groups and computers management, shares management
mmc-web-mail: mail delivery and mail virtual domains management
mmc-web-proxy: blacklist management for squidGuard
mmc-web-network: DNS/DHCP management
All these modules depend on the mmc-web-base module. They won't work if the mmc-web-base module is not installed.
An MMC web module won't show in the web interface if the corresponding Python plugin is not loaded by the contacted MMC agent.
For example, suppose you installed the SAMBA web module, but the SAMBA Python plugin of the MMC agent the web interface is connected to has not been activated. This is detected automatically, and the SAMBA management module of the web interface is not displayed.
Get the current mmc-web-base tarball there.
# tar xvzpf mmc-web-base-x.y.z.tar.gz
# cd mmc-web-base-x.y.z
# make install HTTPDUSER=apache
For some distributions (e.g. Debian based ones), you must use HTTPDUSER=www-data.
The installation process copies files to:
/usr/local/share/mmc/: all MMC web interface related files (PHP, images, ...)
/etc/mmc/mmc.ini: MMC web configuration file
You can find a full documentation of the mmc.ini file there.
What you need to change in this file is:
« login » and « password »: the credentials to connect to the MMC agents on your network (the same credentials as in /etc/mmc/agent/config.ini)
the « url » option of the [server_x] section: the URL to connect to the MMC agent.
To connect to the MMC web interface using a URL like http://IP/mmc, we add an alias to Apache2:
# cp confs/apache/mmc.conf /etc/httpd/conf.d/mmc.conf
Then don't forget to reload the Apache service.
Now you should be able to see the MMC login screen at this URL: http://IP/mmc
Note: PHP configuration notes
The directive magic_quotes_gpc must be enabled in the Apache PHP configuration, either in the global PHP configuration file, or in the
php_flag magic_quotes_gpc on
The MMC web interface is not compatible with php-eaccelerator. Please uninstall it, else you won't be able to connect to the MMC.
You can always login to the MMC web interface using the login « root » with the LDAP administrator password.
After you have installed the MMC, this is the only user you can use to log in, because the LDAP directory contains no other users yet.
The MMC web tarballs are available there.
They are all easy to install. For example:
# tar xvzpf mmc-web-samba-x.y.z.tar.gz
# cd mmc-web-samba-x.y.z
# make install
The additional modules have no configuration files.
The MMC web interface communicates with the MMC agent using TCP port 7080 (default configuration). Please check that your firewall configuration doesn't block this port.
This section explains how to configure SAMBA with a LDAP directory so that it works with the MMC.
Basically, you need to do a classic SAMBA/LDAP setup, SAMBA running as a PDC.
Note: Configuration files
A slapd.conf for OpenLDAP and a smb.conf for SAMBA are included in the MMC agent tarball:
If you aren't familiar with SAMBA/LDAP installation, read the SAMBA LDAP HOWTO. SAMBA LDAP setup is not easy.
You need to import the SAMBA schema into the LDAP directory. The schema file is provided in the MMC agent tarball: contrib/ldap/samba.schema. But you can also use the schema provided by the SAMBA project.
Stop samba before modifying its configuration:
# /etc/init.d/samba stop
Or according to your distribution:
# /etc/init.d/smb stop
In /etc/samba/smb.conf, you need to modify « workgroup », « ldap admin dn » and « ldap suffix » to suit your configuration.
SAMBA also needs the credentials of the LDAP manager to write into the LDAP:
# smbpasswd -w secret
Setting stored password for "cn=admin,dc=mandriva,dc=com" in secrets.tdb
Now, SAMBA needs to create the SID for your workgroup:
# net getlocalsid MANDRIVA
SID for domain MANDRIVA is: S-1-5-21-128599351-419866736-2079179792
Use slapcat to check that the SID has really been recorded into the LDAP. You should find an entry like this:
# slapcat | grep sambaDomainName
dn: sambaDomainName=MANDRIVA,dc=mandriva,dc=com
...
Now you can start SAMBA:
# /etc/init.d/samba start
The LDAP directory needs to be populated so that SAMBA can use it. We use the smbldap-populate command from smbldap-tools.
This command populates the LDAP with the OUs (Organizational Unit), users and groups needed by SAMBA.
A RPM package of smbldap-tools is available there.
Now the smbldap-tools configuration files need to be edited. Put this in /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf:
slaveDN="cn=admin,dc=mandriva,dc=com"
slavePw="secret"
masterDN="cn=admin,dc=mandriva,dc=com"
masterPw="secret"
smbldap_bind.conf defines how to connect to and write to the LDAP server.
Then edit smbldap.conf and set these fields:
SID="S-1-5-21-128599351-419866736-2079179792"
sambaDomain="MANDRIVA"
ldapTLS="0"
suffix="dc=mandriva,dc=com"
sambaUnixIdPooldn="sambaDomainName=MANDRIVA,${suffix}"
#defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userHomeDrive=""
Now the directory can be populated. Type:
# /opt/IDEALX/sbin/smbldap-populate -m 512 -a administrator
A user called « administrator » will be created, and a prompt will ask you to give its password. Thanks to the « -m 512 » option, this user will belong to the « Domain Admins » group.
SAMBA needs the OS to use the LDAP directory for its user and group lists.
To do this, /etc/nsswitch.conf and /etc/ldap.conf (/etc/libnss-ldap.conf for Debian based distros) should be configured.
Your /etc/nsswitch.conf should look like this:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
automount: files
aliases: files
Your /etc/ldap.conf:
host 127.0.0.1
base dc=mandriva,dc=com
By default, you want new users to belong to the « Domain Users » group.
You just need to set the « defaultUserGroup » option
to « Domain Users » in /etc/mmc/plugins/base.ini.
By default, the maximum password age of a SAMBA user is 42 days. Then the user will need to change his/her password.
If you don't want passwords to expire, type:
# pdbedit -P "maximum password age" -C 0
If you want to check your current password expiration policy:
# pdbedit -P "maximum password age"
If « enable privileges = yes » is set in your smb.conf, you can give privileges to SAMBA users and groups.
For example, to give to "Domain Admins" users the right to join a machine to the domain:
# net -U administrator rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
Password:
Successfully granted rights.
Notice that you must replace « DOMAIN » by your SAMBA domain name in the command line.
Note: Users that can give privileges
Only users that belong to the "Domain Admins" group can use the net rpc rights grant command to assign privileges.
You need to import our mail schema into the LDAP directory. The schema file is provided in the MMC agent tarball: contrib/ldap/mail.schema.
Once this schema is imported, you will be able to manage mail delivery attributes thanks to the MMC.
Example Postfix configuration files are included in the MMC agent tarball: contrib/postfix/.
We provide two kinds of configuration:
no-virtual-domain: the mail domain is fixed in the « mydestination » option in main.cf
with-virtual-domains: mails are delivered to all mail domains created thanks to the MMC
NSS LDAP configuration is needed to deliver mails with the right UIDs/GIDs.
This plugin allows storing in an LDAP directory:
DNS zones declarations and related DNS records as needed for a standard LAN;
DHCP server configuration with DHCP subnet, dynamic pool and static host declarations.
The MMC web interface allows to easily manage the DNS and DHCP services.
The network plugin relies on patched versions of ISC DHCP 3 and ISC BIND 9:
ISC BIND: a patch featuring a LDAP sdb backend must be applied to your BIND installation. With this patch BIND will be able to read DNS zone declarations from a LDAP directory. This patch is available there. The stable release of this patch (version 1.0) works fine.
ISC DHCP: the patch on this page allows the DHCP service configuration to be stored in an LDAP directory (instead of /etc/dhcp3/dhcpd.conf).
We provide Debian (Sarge/Etch) packages for LDAP patched versions of BIND and DHCP.
Configure your APT repository as in Section 2.3, “Debian packages”, and type:
# apt-get update
# apt-get install dhcp3-server
# apt-get install dhcp3-server-ldap
# apt-get install bind9
When managing the DNS zones, the MMC agent will create files in the BIND configuration directory (located in /etc/bind/). These files must be included in the main BIND configuration file so that the corresponding zones are loaded from the LDAP directory.
All the DNS zones are defined in the file named.conf.ldap. This file must be included in the main BIND configuration file named.conf. Adding this line at the end of BIND named.conf should be sufficient:
include "/etc/bind/named.conf.ldap";
An example named.conf file for Debian based systems is available in the directory contrib/bind/ of the mmc-agent tarball.
Note: BIND and OpenLDAP services startup order
On most distributions, BIND is started before OpenLDAP during the boot sequence. If BIND/LDAP is used, BIND won't be able to connect to the LDAP directory, and won't start. So you may need to tweak your system boot scripts to fix this. The following command line should work on Debian based systems:
# update-rc.d -f slapd remove && update-rc.d slapd start 14 2 3 4 5 . stop 86 0 1 6 .
The DHCP server needs to know how to load its configuration from LDAP. Here is a typical /etc/dhcp3/dhcpd.conf:
ldap-server "localhost";
ldap-port 389;
ldap-username "cn=admin, dc=mandriva, dc=com";
ldap-password "secret";
ldap-base-dn "dc=mandriva, dc=com";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
An example dhcpd.conf file is available in the directory contrib/dhcpd/ of the mmc-agent tarball.
Two new LDAP schemas must be imported into your LDAP directory: dnszone.schema and dhcp.schema.
Both are available in the directory contrib/ldap of the mmc-agent tarball.
To speed up LDAP search, you can index these attributes: zoneName, relativeDomainName, dhcpHWAddress, dhcpClassData.
In the OpenLDAP slapd.conf configuration file, add:
index zoneName,relativeDomainName eq
index dhcpHWAddress,dhcpClassData eq
For the DHCP service only, the MMC network plugin needs to create two objects in the LDAP directory:
the container called "DHCP config" (objectClass dhcpService), where all the DHCP service configuration will be stored
the primary server (objectClass dhcpServer) that links to the DHCP service configuration. The hostname of the machine running the MMC network plugin will be used to name this entry.
The first start of the MMC network plugin should look like:
...
Created OU ou=DHCP,dc=mandriva,dc=com
Created DHCP config object
The server 'your_server_hostname' has been set as the primary DHCP server
Plugin network loaded ...
...