-
Notifications
You must be signed in to change notification settings - Fork 149
RatticDB on Ubuntu 12.04 and integration with Zentyal via OpenLDAP
This tutorial does not aim to be a comprehensive reference but it hopes to be a “good enough” reference for any user with basic knowledge in the subject. There might be something missing, if that is the case, please take note of it and add it here, and by all means feel free to reorganize/clean/improve this! That said, let’s move on.
Also, I suck at markdown.
Overall view:
- Prepare the requirements (Apache, Python, Django, RatticDB)
- Configure Apache
- Tweak RatticDB (needed at the moment, v0.15, might be fixed later on, so proceed with common sense)
- Tweak Zentyal
It is assumed that the system is freshly installed with Ubuntu 12.04 and all commands are executed as root. It is also advisable to place this machine in paranoia mode (encrypt LVM, check logins, etc. etc.).
Install apache and required system libs:
aptitude install apache2 apache2.2-common apache2-mpm-prefork apache2-utils libexpat1 ssl-cert python-dev python-pip libapache2-mod-wsgi mysql-server libapache2-mod-auth-mysql libldap2-dev libsasl2-dev libssl-dev python-mysqldb
Secure MySQL:
mysql_install_db
/usr/bin/mysql_secure_installation
Now we can use pip to install all python related stuff:
pip install Django python-ldap django-auth-ldap django-tastypie south django-user-sessions django-otp django-two-factor-auth markdown
Prepare the folders and download Rattic:
mkdir /opt/apps
mkdir /opt/apps/RatticWeb
mkdir /opt/apps/RatticWeb/static
cd /opt/apps/RatticWeb/
wget https://github.com/tildaslash/RatticWeb/archive/v0.15.tar.gz
tar xvzf v0.15.tar.gz
rm v0.15.tar.gz
cp -Rv RatticWeb-0.15/* .
rm -Rv RatticWeb-0.15
I found some issues starting things up, doing it one by one automagically solved it (I repeated the all to make sure all components were happy):
./manage.py syncdb --noinput
./manage.py migrate --all
./manage.py migrate user_sessions
./manage.py migrate two_factor
./manage.py migrate tastypie
./manage.py migrate cred
./manage.py migrate account
./manage.py migrate --all
Collect all static files:
./manage.py collectstatic -c —noinput
And lets prepare the Apache website:
sudo a2enmod ssl
sudo a2ensite default-ssl
cd
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
Make the default http site redirect to https (replace accordingly, without the <>):
cat /etc/apache2/sites-enabled/000-default
<VirtualHost *:80>
ServerAdmin webmaster@localhost
Redirect permanent / <FQDN>
</VirtualHost>
Add this to /etc/apache2/httpd.conf
Alias /robots.txt /opt/apps/RatticWeb/static/robots.txt
Alias /favicon.ico /opt/apps/RatticWeb/static/favicon.ico
AliasMatch ^/([^/]*\.css) /opt/apps/RatticWeb/static/styles/$1
Alias /media/ /opt/apps/RatticWeb/media/
Alias /static/ /opt/apps/RatticWeb/static/
<Directory /opt/apps/RatticWeb/static>
Order deny,allow
Allow from all
</Directory>
<Directory /opt/apps/RatticWeb/media>
Order deny,allow
Allow from all
</Directory>
WSGIScriptAlias / /opt/apps/RatticWeb/ratticweb/wsgi.py
WSGIPythonPath /opt/apps/RatticWeb
WSGIPassAuthorization On
<Directory /opt/apps/RatticWeb/ratticweb>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
And adapt the /etc/apache2/sites-enabled/default-ssl
Change this section:
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
And remove everything between these lines since the required parameters are already on httpd.conf:
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
Restart Apache:
service apache2 restart
Tweak RatticDB:
I had to change these lines to include the full path, for some reason it was not working with relative ones:
This file: /opt/apps/RatticWeb/ratticweb/settings.py
These changes:
config = RawConfigParser()
config.readfp(open('/opt/apps/RatticWeb/conf/defaults.cfg'))
config.read(['/opt/apps/RatticWeb/conf/local.cfg', '/etc/ratticweb.cfg'])
Configure settings
Navigate to your Zentyal install and access “Office”, “Users and Computers”, “LDAP Settings” and check the needed info.
- binddn: Read-only root DN
- bindpw: Read-only password
- userbase: Default Users DN
- groupbase: Default Groups DN
Here are my local.cfg settings (I have changed identifiable information, that is)
[ratticweb]
debug = false
timezone = <YOUR TIMEZONE>
secretkey = <YOUR SECRET KEY>
passwordexpirydays = 90
urlroot = /
[filepaths]
static = /opt/apps/RatticWeb/static
[database]
engine = django.db.backends.mysql
name = ratticdatabase
user = ratticuser
password = awesomepassword
host = 127.0.0.1
port = 3306
[ldap]
# LDAP server details, note the port setting, this is important for Zentyal
uri = ldap://HOST:390
# Authentication
binddn = cn=zentyalro,dc=company,dc=com
bindpw = password
# User parameters
userbase = ou=Users,dc=company,dc=com
userfilter = (uid=%(user)s)
# Set up the basic group parameters.
groupbase = ou=Groups,dc=company,dc=com
groupfilter = (objectClass=zentyalDistributionGroup)
grouptype = GroupOfNamesType
# How do I find staff
staff = cn=TheRatticGroup,ou=Groups,dc=company,dc=com
Replace the fields accordingly. Notice that debug is set to false, so you need to configure the ALLOWED_HOSTS flag accordingly in /opt/apps/RatticWeb/ratticweb/settings.py
In my case I added this to the end of the file:
ALLOWED_HOSTS = [
‘<IP OF THE HOST>',
]
You can check more info on this here: https://docs.djangoproject.com/en/dev/ref/settings/
Now this will not work right away because Zentyal is blocking port 390, let’s add the exception to the firewall:
Go to “Gateway”, “Firewall”, “Packet Filter”, “Filtering rules from internal networks to Zentyal”, “Configure rules”
You will notice there is one rule with a red sign, click on “Edit” and change “Decision” from “DENY” to “ACCEPT”, click “Save changes”.
All should work now.