Difference between revisions of "SAC:betawebsite"

From OSGeo
Jump to navigation Jump to search
(Created page with "This is setup of Cloud server osgeo.public.cloudvps.com It is a debian 8, 4GB , 160 HDD server. These are the steps I did after it was created in attempt to implement LDAP...")
 
 
(28 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
This is setup of Cloud server osgeo.public.cloudvps.com
 
This is setup of Cloud server osgeo.public.cloudvps.com
 +
__FORCETOC__
 +
 +
== PHP Plugins installed for Wordpress ==
 +
 +
sudp apt-get install php5-mysql php5-curl php5-mcrypt php5-xmlrpc
 +
sudo apt-get install php5-xsl
 +
sudo apt-get install php5-ldap
 +
sudo apt-get install php5-gd sendmail
  
 
It is a debian 8, 4GB , 160 HDD server.
 
It is a debian 8, 4GB , 160 HDD server.
  
 +
== Martin's changes to get LDAP SSH working properly (per [https://trac.osgeo.org/osgeo/ticket/2010 ticket 2010] I presume these supercede the ones I made ==
 +
 +
    # Avoid error messages upon login
 +
 +
    root@osgeo:~# aptitude install locales-all
 +
 +
    # Have the preferred LDAP subsystem
 +
 +
    root@osgeo:~# aptitude install libpam-ldapd libnss-ldapd
 +
 +
    # Purge deprecated configs
 +
 +
    root@osgeo:~# dpkg -l | grep \^rc | awk '{print $2}' | cut -f 1 -d \: | xargs dpkg --purge
 +
 +
    # Purge local user
 +
 +
    root@osgeo:~# grep -v \^martin /etc/passwd > Hallo && cat Hallo > /etc/passwd
 +
    root@osgeo:~# grep -v \^martin /etc/shadow > Hallo && cat Hallo > /etc/shadow
 +
    root@osgeo:~# rm -vf Hallo
 +
 +
    # Purge cache and reload LDAP stuff
 +
 +
    root@osgeo:~# /etc/init.d/nscd stop; rm -vf /var/cache/nscd/*; /etc/init.d/nscd  start
 +
    root@osgeo:~# /etc/init.d/nslcd  restart
 +
 +
    # Voila
 +
 +
    root@osgeo:~# getent passwd martin
 +
    martin:x:10026:100:Martin Spott:/home/martin:/bin/tcsh
 +
 +
    # Have a homedir and proper login shell
 +
 +
    root@osgeo:~# cp -a /etc/skel /home/martin
 +
    root@osgeo:~# chown -R martin:100 /home/martin
 +
    root@osgeo:~# aptitude install tcsh
 +
 +
    # Reduce authentication error log
 +
 +
    root@osgeo:~# aptitude install fail2ban
 +
 +
    # Now test
 +
 +
    foehn: 17:06:08 ~> ssh osgeo.public.cloudvps.com
 +
    martin@osgeo.public.cloudvps.com's password:
 +
    [...]
 +
    osgeo:~>
 +
 +
    # Success
 +
 +
 +
== Original Setup Steps ==
 
These are the steps I did after it was created in attempt to implement LDAP
 
These are the steps I did after it was created in attempt to implement LDAP
  
 
First I installed updates
 
First I installed updates
  
apt-get update
+
  apt-get update
apt-get upgrade
+
  apt-get upgrade
 +
  apt-get install libpam-ldap nscd
 +
  apt-get install libnss-ldap #not sure if this one is needed
 +
  apt-get install locales-all
 +
  apt-get install sudo
  
 
Then to try the ldap
 
Then to try the ldap
Line 14: Line 77:
 
https://wiki.debian.org/LDAP/PAM
 
https://wiki.debian.org/LDAP/PAM
  
1) edit /etc/ldap/ldap.conf
+
1) edit /etc/ldap/ldap.conf (copied from osgeo6)
 
+
    BASE    dc=osgeo, dc=org
BASE    dc=osgeo,dc=org
+
    URI    ldaps://ldap.osgeo.org/
URI    ldaps://ldap.osgeo.org
+
    #SIZELIMIT      12
 
+
    #TIMELIMIT      15
 
+
    #DEREF          never
#SIZELIMIT      12
+
    TLS_CHECKPEER yes
#TIMELIMIT      15
+
    TLS_REQCERT demand
#DEREF          never
+
    TLS_CACERT /etc/ssl/certs/STAR_osgeo_org.ca-bundle  #this file you need to copy from osgeo6 as well
 +
    pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org  #not though telascience is defunct so not sure what that cn
 +
    nss_base_passwd ou=People,dc=osgeo,dc=org
 +
    nss_base_shadow ou=People,dc=osgeo,dc=org
 +
    nss_base_group  ou=Group,dc=osgeo,dc=org
 +
    ldap_version 3
 +
    pam_password md5
 +
    bind_policy soft
  
# TLS certificates (needed for GnuTLS)
 
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
 
  
 +
2) Copy contents of /etc/nslcd.conf from osgeo6
  
2) apt-get install libpam-ldap nscd
 
  
nano /etc/ssh/sshd_config
+
  nano /etc/ssh/sshd_config
  
 
(it will prompt for services you want to use ldap for )
 
(it will prompt for services you want to use ldap for )
Line 63: Line 131:
  
  
3)  
+
 
 +
3) pam-auth-update
 +
Make sure both Unix and LDAP authentication are checked
 +
4)  
 
   /etc/init.d/nscd restart
 
   /etc/init.d/nscd restart
 +
  /etc/init.d/nslcd restart
 
   /etc/init.d/ssh restart
 
   /etc/init.d/ssh restart
 
    
 
    
Line 70: Line 142:
 
[ ok ] Restarting ssh (via systemctl): ssh.service.
 
[ ok ] Restarting ssh (via systemctl): ssh.service.
  
4)
 
  
3) pam-auth-update
 
Make sure both Unix and LDAP authentication are checked
 
  
 +
5) Verify server can do ldap queries with Osgeo by running something like this
 +
 +
    ldapsearch -x uid=robe
 +
 +
 +
== Install LetsEncrypt SSL ==
 +
First logged in as me robe, and did sudo bash so I can install stuff
 +
 +
1) Add jessie backports with:
 +
 +
  echo "deb http://ftp.debian.org/debian jessie-backports main" | tee -a /etc/apt/sources.list
 +
  aptitude update
 +
 +
2) now install
 +
 +
  aptitude install certbot
 +
  aptitude install python-certbot-apache -t jessie-backports
 +
 +
3) #needed to then edit the /etc/apache2/sites-available/www.osgeo.org.conf to allow ./wellknown folder to be accessed by adding these lines
 +
 +
    Alias /.well-known "/var/www/osgeo.org/httpdocs/.well-known"
 +
    <Directory "/var/www/osgeo.org/httpdocs/.well-known/">
 +
        AllowOverride None
 +
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
 +
        Require method GET POST OPTIONS
 +
    </Directory>
 +
 +
After edit run:
 +
  service apache2 reload
 +
 +
 +
 +
 +
4) Get the cert had to do this since for some reason, trying to do normally gave error:  Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'
 +
 +
  certbot certonly -d staging.www.osgeo.org
 +
 +
#we will be temporarily hosting production on this box so also did
 +
 +
  certbot certonly -d www.osgeo.org
 +
  certbot certonly -d osgeo.org
 +
 +
 +
Fill in following for prompts:
 +
 +
    Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
 +
    Input the webroot for staging.www.osgeo.org: (Enter 'c' to cancel):/var/www/osgeo.org/httpdocs
 +
    Waiting for verification...
 +
    Cleaning up challenges
 +
    Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
 +
    Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
 +
 +
5) Created two new files  /etc/apache2/sites-available/www.osgeo.org-le-ssl.conf and /etc/apache2/sites-available/www.osgeo.org-common.conf
 +
 +
The common one is pretty much copy of all stuff from the original www.osgeo.org.conf (that doesn't specifically reference host)
 +
and then included this in the new ssl.conf which is set to :443. So file looks like this
 +
 +
    <IfModule mod_ssl.c>
 +
    <VirtualHost *:443>
 +
    ServerAdmin support@osgeo.org
 +
    ServerName www.osgeo.org
 +
    ServerAlias staging.www.osgeo.org
 +
 +
    Include /etc/apache2/sites-available/www.osgeo.org-common.conf
 +
 +
    SSLCertificateFile /etc/letsencrypt/live/staging.www.osgeo.org/fullchain.pem
 +
    SSLCertificateKeyFile /etc/letsencrypt/live/staging.www.osgeo.org/privkey.pem
 +
    #Include /etc/letsencrypt/options-ssl-apache.conf
 +
    </VirtualHost>
 +
    </IfModule>
 +
 +
6) Now to enable the ssl config
 +
 +
  a2ensite www.osgeo.org-le-ssl
 +
  service apache2 reload
 +
 +
7) Added to cronjob of root, to schedule a monthly renewal every 15th day of month
 +
 +
  30 1 15 * * certbot renew
 +
 +
== Enabling LDAP Login for Wordpress ==
 +
 +
1) Edit the config.php in root of httpdocs and if not set change to
 +
$pluginAndThemeEditor = true;
 +
$pluginAndThemeUpdateAndInstallation = true;
 +
 +
2) Log in as an admin in wordpress.
 +
Go To Plugins -> Add New
 +
 +
Search for: wpDirAuth
 +
 +
Install the wpDirAuth plugin and activate
 +
 +
3) This should create a menu under Settings called: wpDirAuth
 +
 +
From there set the LDAP configs which have been set as follows:
 +
 +
    Enable Directory Authentication: Yes
 +
    Require SSL Login: Yes
 +
    Automatically Register Authenticated Users: Yes
 +
 +
 +
    Use SSL (ldaps)
 +
    Director Servers: ldap.osgeo.org
 +
    AccountFilter: uid
 +
    Base DN: dc=osgeo,dc=org
 +
 +
    Cookie Settings: 3
 +
 +
    Brading Settings: Fill in verbiage to your liking (probably needs to be redone)
 +
    Set Terms Of Service Agreement: No
 +
 +
    Leave other fields at the default (which is usually blank)
 +
 +
 +
4) There is no interface to convert existing users to LDAP, but luckily you can do this from the database.
 +
To convert Jody's account which had username: jodygarnett, I did this by connecting to MySQL -- details in secure server
 +
 +
  UPDATE fVT6y_users SET user_login = 'jive' WHERE user_login = 'jgarnett';
 +
 +
  -- This part is to insert the metadata bit that tells wordpress, authentication is done by wpAuthDir
 +
  -- I did this for a couple of users whose login already matched their ldap login
 +
  INSERT INTO fVT6y_usermeta(user_id, meta_key, meta_value)
 +
  SELECT u.ID, 'wpDirAuthFlag', '1'
 +
  FROM fVT6y_users AS u
 +
  WHERE u.ID NOT IN(SELECT wp.user_id FROM fVT6y_usermeta As wp WHERE wp.meta_key = 'wpDirAuthFlag')
 +
    AND u.user_login IN('jive','pramsey', 'strk', 'cvvergara', 'kalxas', 'evenr', 'jmckenna');
 +
 +
5) Todo I'm writing a script using ldap users directory output that will convert the remaining
 +
 +
== Convert MySQL Tables to InnoDb ==
 +
 +
1. Details of how to log in to MySQL are on Secure server /access/osgeo.public.cloudvps.com - refer to those.
 +
 +
2. connect to osgeo db
 +
 +
3. Run this statement to generate query that you will then run to convert existing tables:
 +
 +
    SELECT CONCAT('ALTER TABLE ' ,  '`' , table_name , '` ENGINE=''InnoDB'';')
 +
    FROM information_schema.tables
 +
    where table_name LIKE 'fVT%'
 +
    ORDER BY table_name;
 +
 +
4. Run the generated statements
 +
 +
5. SSH into server
 +
  sudo bash
 +
  cd /etc/mysql/conf.d
 +
6. Create a new file with new default_storage.cnf
  
4) Verify server can do ldap queries with Osgeo by running something like this
+
  vi default_storage.cnf
 +
should have these contents when done:
  
ldapsearch -x uid=robe
+
    default_storage_engine=InnoDB
  
This worked fine and gave answers as expected.
+
7. Restart service
  
 +
  service mysql restart
  
But I am still unable to log in with my OSGeo Ldap account so I feel I am missing something.
+
[[Category:Infrastructure]]

Latest revision as of 08:43, 15 January 2018

This is setup of Cloud server osgeo.public.cloudvps.com


PHP Plugins installed for Wordpress

sudp apt-get install php5-mysql php5-curl php5-mcrypt php5-xmlrpc
sudo apt-get install php5-xsl
sudo apt-get install php5-ldap 
sudo apt-get install php5-gd sendmail

It is a debian 8, 4GB , 160 HDD server.

Martin's changes to get LDAP SSH working properly (per ticket 2010 I presume these supercede the ones I made

    # Avoid error messages upon login
   root@osgeo:~# aptitude install locales-all
   # Have the preferred LDAP subsystem
   root@osgeo:~# aptitude install libpam-ldapd libnss-ldapd
   # Purge deprecated configs
   root@osgeo:~# dpkg -l | grep \^rc | awk '{print $2}' | cut -f 1 -d \: | xargs dpkg --purge
   # Purge local user
   root@osgeo:~# grep -v \^martin /etc/passwd > Hallo && cat Hallo > /etc/passwd
   root@osgeo:~# grep -v \^martin /etc/shadow > Hallo && cat Hallo > /etc/shadow
   root@osgeo:~# rm -vf Hallo
   # Purge cache and reload LDAP stuff
   root@osgeo:~# /etc/init.d/nscd stop; rm -vf /var/cache/nscd/*; /etc/init.d/nscd  start
   root@osgeo:~# /etc/init.d/nslcd  restart
   # Voila
   root@osgeo:~# getent passwd martin
   martin:x:10026:100:Martin Spott:/home/martin:/bin/tcsh
   # Have a homedir and proper login shell
   root@osgeo:~# cp -a /etc/skel /home/martin
   root@osgeo:~# chown -R martin:100 /home/martin
   root@osgeo:~# aptitude install tcsh
   # Reduce authentication error log
   root@osgeo:~# aptitude install fail2ban
   # Now test
   foehn: 17:06:08 ~> ssh osgeo.public.cloudvps.com
   martin@osgeo.public.cloudvps.com's password: 
   [...]
   osgeo:~>
   # Success 


Original Setup Steps

These are the steps I did after it was created in attempt to implement LDAP

First I installed updates

 apt-get update
 apt-get upgrade
 apt-get install libpam-ldap nscd
 apt-get install libnss-ldap #not sure if this one is needed 
 apt-get install locales-all
 apt-get install sudo

Then to try the ldap

https://wiki.debian.org/LDAP/PAM

1) edit /etc/ldap/ldap.conf (copied from osgeo6)

   BASE    dc=osgeo, dc=org
   URI     ldaps://ldap.osgeo.org/
   #SIZELIMIT      12
   #TIMELIMIT      15
   #DEREF          never
   TLS_CHECKPEER yes
   TLS_REQCERT demand
   TLS_CACERT /etc/ssl/certs/STAR_osgeo_org.ca-bundle  #this file you need to copy from osgeo6 as well
   pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org  #not though telascience is defunct so not sure what that cn
   nss_base_passwd ou=People,dc=osgeo,dc=org
   nss_base_shadow ou=People,dc=osgeo,dc=org
   nss_base_group  ou=Group,dc=osgeo,dc=org
   ldap_version 3
   pam_password md5
   bind_policy soft


2) Copy contents of /etc/nslcd.conf from osgeo6


  nano /etc/ssh/sshd_config

(it will prompt for services you want to use ldap for ) Selections will be written to /etc/nsswitch.conf

after conf looked like this

   after conf looked like this
   # /etc/nsswitch.conf
   #
   # Example configuration of GNU Name Service Switch functionality.
   # If you have the `glibc-doc-reference' and `info' packages installed, try:
   # `info libc "Name Service Switch"' for information about this file.
   passwd:         compat ldap
   group:          compat ldap
   shadow:         compat
   gshadow:        files
   hosts:          files dns
   networks:       files
   protocols:      db files ldap
   services:       db files ldap
   ethers:         db files
   rpc:            db files
   netgroup:       nis
   aliases:        ldap


3) pam-auth-update Make sure both Unix and LDAP authentication are checked 4)

  /etc/init.d/nscd restart
 /etc/init.d/nslcd restart
 /etc/init.d/ssh restart
 
 Should output something like this:

[ ok ] Restarting ssh (via systemctl): ssh.service.


5) Verify server can do ldap queries with Osgeo by running something like this

    ldapsearch -x uid=robe


Install LetsEncrypt SSL

First logged in as me robe, and did sudo bash so I can install stuff

1) Add jessie backports with:

  echo "deb http://ftp.debian.org/debian jessie-backports main" | tee -a /etc/apt/sources.list
  aptitude update

2) now install

 aptitude install certbot
 aptitude install python-certbot-apache -t jessie-backports

3) #needed to then edit the /etc/apache2/sites-available/www.osgeo.org.conf to allow ./wellknown folder to be accessed by adding these lines

   Alias /.well-known "/var/www/osgeo.org/httpdocs/.well-known"
   <Directory "/var/www/osgeo.org/httpdocs/.well-known/">
       AllowOverride None
       Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
       Require method GET POST OPTIONS
   </Directory>

After edit run:

 service apache2 reload



4) Get the cert had to do this since for some reason, trying to do normally gave error: Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'

 certbot certonly -d staging.www.osgeo.org
  1. we will be temporarily hosting production on this box so also did
 certbot certonly -d www.osgeo.org
 certbot certonly -d osgeo.org


Fill in following for prompts:

   Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
   Input the webroot for staging.www.osgeo.org: (Enter 'c' to cancel):/var/www/osgeo.org/httpdocs
   Waiting for verification...
   Cleaning up challenges
   Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
   Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

5) Created two new files /etc/apache2/sites-available/www.osgeo.org-le-ssl.conf and /etc/apache2/sites-available/www.osgeo.org-common.conf

The common one is pretty much copy of all stuff from the original www.osgeo.org.conf (that doesn't specifically reference host) and then included this in the new ssl.conf which is set to :443. So file looks like this

   <IfModule mod_ssl.c>
   <VirtualHost *:443>
   ServerAdmin support@osgeo.org
   ServerName www.osgeo.org
   ServerAlias staging.www.osgeo.org
   Include /etc/apache2/sites-available/www.osgeo.org-common.conf
   SSLCertificateFile /etc/letsencrypt/live/staging.www.osgeo.org/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/staging.www.osgeo.org/privkey.pem
   #Include /etc/letsencrypt/options-ssl-apache.conf
   </VirtualHost>
   </IfModule>

6) Now to enable the ssl config

  a2ensite www.osgeo.org-le-ssl
  service apache2 reload

7) Added to cronjob of root, to schedule a monthly renewal every 15th day of month

  30 1 15 * * certbot renew

Enabling LDAP Login for Wordpress

1) Edit the config.php in root of httpdocs and if not set change to $pluginAndThemeEditor = true; $pluginAndThemeUpdateAndInstallation = true;

2) Log in as an admin in wordpress. Go To Plugins -> Add New

Search for: wpDirAuth

Install the wpDirAuth plugin and activate

3) This should create a menu under Settings called: wpDirAuth

From there set the LDAP configs which have been set as follows:

   Enable Directory Authentication: Yes
   Require SSL Login: Yes
   Automatically Register Authenticated Users: Yes


   Use SSL (ldaps)
   Director Servers: ldap.osgeo.org
   AccountFilter: uid
   Base DN: dc=osgeo,dc=org
   Cookie Settings: 3 
   Brading Settings: Fill in verbiage to your liking (probably needs to be redone)
   Set Terms Of Service Agreement: No
   Leave other fields at the default (which is usually blank)


4) There is no interface to convert existing users to LDAP, but luckily you can do this from the database. To convert Jody's account which had username: jodygarnett, I did this by connecting to MySQL -- details in secure server

  UPDATE fVT6y_users SET user_login = 'jive' WHERE user_login = 'jgarnett';
  -- This part is to insert the metadata bit that tells wordpress, authentication is done by wpAuthDir
  -- I did this for a couple of users whose login already matched their ldap login
  INSERT INTO fVT6y_usermeta(user_id, meta_key, meta_value)
  SELECT u.ID, 'wpDirAuthFlag', '1'
  FROM fVT6y_users AS u
  WHERE u.ID NOT IN(SELECT wp.user_id FROM fVT6y_usermeta As wp WHERE wp.meta_key = 'wpDirAuthFlag')
    AND u.user_login IN('jive','pramsey', 'strk', 'cvvergara', 'kalxas', 'evenr', 'jmckenna');

5) Todo I'm writing a script using ldap users directory output that will convert the remaining

Convert MySQL Tables to InnoDb

1. Details of how to log in to MySQL are on Secure server /access/osgeo.public.cloudvps.com - refer to those.

2. connect to osgeo db

3. Run this statement to generate query that you will then run to convert existing tables:

   SELECT CONCAT('ALTER TABLE ' ,  '`' , table_name , '` ENGINE=InnoDB;')
   FROM information_schema.tables 
   where table_name LIKE 'fVT%' 
   ORDER BY table_name;

4. Run the generated statements

5. SSH into server

  sudo bash
  cd /etc/mysql/conf.d

6. Create a new file with new default_storage.cnf

  vi default_storage.cnf

should have these contents when done:

   default_storage_engine=InnoDB

7. Restart service

  service mysql restart