How to Enable SSL for CSWapache2

If you’ve spent any time at all around Solaris 10, you know that Sun has invested a fair amount of effort developing a pretty snazzy Service Management Facility (SMF). It is extremely flexible and feature rich, but it’s not quite as strait forward as the old legacy /etc/init.d scripts. If you’re running the OpenCSW Apache package, it installs a Service Manifest into the SMF, so you’ll have to edit this to run Apache SSL… Here’s how:


# svccfg

svc:> select cswapache2
svc:/network/http:cswapache2> listprop httpd/ssl

httpd/ssl  boolean  false

svc:/network/http:cswapache2> setprop httpd/ssl=true
svc:/network/http:cswapache2> exit

Now, make the changes active:


# svcadm disable cswapache2
# svcadm enable cswapache2
# svcprop -p httpd/ssl svc:/network/http:cswapache2

false

# svcadm refresh cswapache2
# svcprop -p httpd/ssl svc:/network/http:cswapache2

true

Basic iptables Configuration

It’s always a good idea to setup a local firewall on hosts that are on unprotected networks. The internet “winds” blow harder and harder each day, and it’s only a matter of time before some daemon has an exploit that gets taken advantage of. I use CentOS 5 for all my web servers, and here is an example of the script I use to create a DEFAULT TO DENY set of firewall rules. This script generates a file called iptables in /etc/sysconfig.

I used to create a special rule for MySQL that only allowed connections from my own network, but lately I have been omitting this rule and tunneling the connection through ssh instead. That is why it is commented out in the script below.


### SCRIPT ###
#!/bin/sh
# Drop all incoming traffic
/sbin/iptables -P INPUT DROP
# Drop all forwarded traffic
/sbin/iptables -P FORWARD DROP
# Allow all outgoing traffic
/sbin/iptables -P OUTPUT ACCEPT
# Allow returning packets
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow incoming traffic on port 80 for web server
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow MySQL only from a certain network
/sbin/iptables -A INPUT -p tcp -m tcp -s XXX.XXX.XXX.0/24 --dport 3306 -j ACCEPT
# Allow local traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Allow incoming SSH on port 22
#/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow ping
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables-save > /etc/sysconfig/iptables
chmod go-r /etc/sysconfig/iptables
/sbin/sudo service iptables restart
### /SCRIPT ###

Here is what /etc/sysconfig/iptables looks like after running this script:


# Generated by iptables-save v1.3.5 on Wed Dec 31 13:47:40 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:8972]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Wed Dec 31 13:47:40 2008

After you are done, make sure you have iptables setup to start when the system boots.


# /sbin/chkconfig --list | grep iptables

iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off

If it’s not on, just run:

/sbin/chkconfig iptables on

Horde / IMP on RHEL 4 From RPM HOWTO

Whenever you go to install applications and services on registered RHEL servers, it’s always nice to use the RPMs because up2date will keep everything current for you. Managing upgrades gets a whole lot easier when you can bring your system up to current with one simple command. Because of this, I decided that I would try to use as many RPMs as I could when I set up our latest Horde / IMP installation.

Unfortunately, RedHat does not supply RPMs for the Horde applications, but luckily CentOS does. You should be able to download them from here. Get the latest version, which at the time of this writing was horde-3.1.3-1 and imp-h3-4.1.3-1.

Don’t install them yet though because Horde and IMP have always had a lot of dependancies which must be installed and enabled first. Installing the following RPMs should take care of them.

  • mysql-4.1.20-1.RHEL4.1.i386.rpm
  • mysqlclient10-3.23.58-4.RHEL4.1.i386.rpm
  • mysqlclient10-devel-3.23.58-4.RHEL4.1.i386.rpm
  • mysql-devel-4.1.20-1.RHEL4.1.i386.rpm
  • mysql-server-4.1.20-1.RHEL4.1.i386.rpm
  • perl-DBD-MySQL-2.9004-3.1.i386.rpm
  • php-4.3.9-3.15.i386.rpm
  • php-devel-4.3.9-3.15.i386.rpm
  • php-domxml-4.3.9-3.15.i386.rpm
  • php-imap-4.3.9-3.15.i386.rpm
  • php-ldap-4.3.9-3.15.i386.rpm
  • php-mysql-4.3.9-3.15.i386.rpm
  • php-pear-4.3.9-3.15.i386.rpm

Assuming you will want up2date to handle upgrades of these packages, it is very important that you either use “up2date” to install them, or download them from correct channel at the RedHat website. You could also simply get them from the CD distribution that you used to install the system itself.

Once PEAR is installed, you will have to upgrade it, and install the PEAR::Log module.

[root@server]# pear upgrade -a PEAR-1.3.6
[root@server]# pear upgrade PEAR

Ok, now let’s make sure the web server is configured to start when the system comes up:

[root@server /]# /sbin/chkconfig --list httpd

You should see this:

httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

But if you see 5:off, simply run:

[root@server /]# /sbin/chkconfig httpd on

Now we enable and start up our new MySQL database server:

[root@server /]# /sbin/chkconfig mysqld on
[root@server /]# /sbin/service mysqld start

And we’re ready to install Horde and IMP. Install the following RPM’s, which will put everything in /usr/share/horde and creates a file called horde.conf in /etc/httpd/conf.d/

  • horde-3.1.3-1.c4.noarch.rpm
  • imp-h3-4.1.3-1.c4.noarch.rpm

This will install the HORDE and IMP packages in /usr/share, and /usr/share/horde respectively.

Finally, we start or restart apache:

[root@server /]# /sbin/service httpd start

Grab a browser and go to the following URL to proceed with the Horde and IMP configuration.

http://server.example.com/horde/

Installing OpenGroupWare 1.1.5 on RHEL 3

OpenGroupWare is an open source groupware package intended as an alternative to proprietary applications such as Exchange and PostPath. It is fairly robust in its feature set, and even integrates well with MS Outlook.

Its strongest points, in my opinion are that it does not depend in any way on Active Directory, and that it integrates well with open source standards like Open LDAP and University of Washington IMAP. Its downsides are that the documentation is sparse and scattered, that is is backed with PostgreSQL rather than MySQL, and that the package is bundled into a TON of RPM's.

I have not tried installing it from source, though I suspect that it would not be much more work than using the RPM's. Anyhow, if you want to install it for yourself, here are some quick scripts to help you, as well as some quick cookbook instructions. I installed it on RHEL 3 Workstation, though I suspect that it would work most Linux distributions.

The first thing we have to do is install the foundation for OpenGroupWare From the RHEL CD's or Website:

Install apache
Install PostgreSQL
Install PostgreSQL-devel
Install php
Install php_PostgreSQL

Next, run the following commands to get the database and webserver started:

# /sbin/chkconfig httpd on
# /sbin/chkconfig postgresql on
# /sbin/service postgresql start
# /sbin/service httpd start

Sendmail should already be installed and running, but if not, you will have to install it as well.

OK, so I said before that there are a TON of RPM's that you will have to install. These can be found at the OpenGroupWare website. Get them however you want, but if you have "wget" installed, you can use my script to fetch everything you need. You can omit the "devel" packages if you don't want to install the source code.

HTML:
  1. ###### SNIP #######
  2. #!/bin/sh
  3. #GetOpenGroupWare.sh
  4. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-gnustep_make-1.10.0-0.i386.rpm
  5. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-xml-4.5.8-r1321.0.i386.rpm
  6. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-xml-devel-4.5.8-r1321.0.i386.rpm
  7. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/ThirdParty/libfoundation11-1.1.3-r155.0.i386.rpm
  8. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/ThirdParty/libfoundation11-devel-1.1.3-r155.0.i386.rpm
  9. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-core-4.5.8-r1321.0.i386.rpm
  10. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-core-devel-4.5.8-r1321.0.i386.rpm
  11. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-appserver-4.5.8-r1321.0.i386.rpm
  12. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-appserver-devel-4.5.8-r1321.0.i386.rpm
  13. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-gdl1-4.5.8-r1321.0.i386.rpm
  14. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-gdl1-devel-4.5.8-r1321.0.i386.rpm
  15. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-ldap-4.5.8-r1321.0.i386.rpm
  16. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-ldap-devel-4.5.8-r1321.0.i386.rpm
  17. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-ldap-tools-4.5.8-r1321.0.i386.rpm
  18. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-mime-4.5.8-r1321.0.i386.rpm
  19. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-mime-devel-4.5.8-r1321.0.i386.rpm
  20. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-logic-1.1.5-r1717.0.i386.rpm
  21. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-logic-devel-1.1.5-r1717.0.i386.rpm
  22. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-logic-tools-1.1.5-r1717.0.i386.rpm
  23. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-docapi-1.1.5-r1717.0.i386.rpm
  24. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-docapi-devel-1.1.5-r1717.0.i386.rpm
  25. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-docapi-db-project-1.1.5-r1717.0.i386.rpm
  26. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-docapi-db-project-devel-1.1.5-r1717.0.i386.rpm
  27. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-docapi-fs-project-1.1.5-r1717.0.i386.rpm
  28. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-docapi-fs-project-devel-1.1.5-r1717.0.i386.rpm
  29. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-core-1.1.5-r1717.0.i386.rpm
  30. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-core-devel-1.1.5-r1717.0.i386.rpm
  31. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-app-1.1.5-r1717.0.i386.rpm
  32. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-environment-1.1.5-0.i386.rpm
  33. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-ical-4.5.8-r1321.0.i386.rpm
  34. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-ical-devel-4.5.8-r1321.0.i386.rpm
  35. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/sope-4.5.8-sixtyfour/sope45-gdl1-postgresql-4.5.8-r1321.0.i386.rpm
  36. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/mod_ngobjweb-2.0.46-r1323.0.i386.rpm
  37. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-database-setup-1.1.5-0.i386.rpm
  38. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-pda-1.1.5-r1717.0.i386.rpm
  39. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-pda-devel-1.1.5-r1717.0.i386.rpm
  40. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-theme-blue-1.1.5-r1717.0.i386.rpm
  41. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-theme-default-1.1.5-r1717.0.i386.rpm
  42. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-theme-kde-1.1.5-r1717.0.i386.rpm
  43. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-theme-ooo-1.1.5-r1717.0.i386.rpm
  44. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-theme-orange-1.1.5-r1717.0.i386.rpm
  45. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-tools-1.1.5-r1717.0.i386.rpm
  46. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-calendar-1.1.5-r1717.0.i386.rpm
  47. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-contact-1.1.5-r1717.0.i386.rpm
  48. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-mailer-1.1.5-r1717.0.i386.rpm
  49. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-mailer-devel-1.1.5-r1717.0.i386.rpm
  50. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-news-1.1.5-r1717.0.i386.rpm
  51. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-project-1.1.5-r1717.0.i386.rpm
  52. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-basque-1.1.5-r1717.0.i386.rpm
  53. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-de-1.1.5-r1717.0.i386.rpm
  54. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-dk-1.1.5-r1717.0.i386.rpm
  55. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-en-1.1.5-r1717.0.i386.rpm
  56. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-es-1.1.5-r1717.0.i386.rpm
  57. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-fr-1.1.5-r1717.0.i386.rpm
  58. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-hu-1.1.5-r1717.0.i386.rpm
  59. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-it-1.1.5-r1717.0.i386.rpm
  60. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-jp-1.1.5-r1717.0.i386.rpm
  61. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-nl-1.1.5-r1717.0.i386.rpm
  62. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-no-1.1.5-r1717.0.i386.rpm
  63. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-pl-1.1.5-r1717.0.i386.rpm
  64. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-pt-1.1.5-r1717.0.i386.rpm
  65. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-ptbr-1.1.5-r1717.0.i386.rpm
  66. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-resource-sk-1.1.5-r1717.0.i386.rpm
  67. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-webui-task-1.1.5-r1717.0.i386.rpm
  68. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-xmlrpcd-1.1.5-r1717.0.i386.rpm
  69. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-zidestore-1.1.5-r1717.0.i386.rpm
  70. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-zidestore-devel-1.1.5-r1717.0.i386.rpm
  71. wget http://download.opengroupware.org/nightly/packages/rhel3/releases/opengroupware-1.1.5-moveon/ogo-meta-1.1.5-r1717.0.i386.rpm
  72. ###### /SNIP #######

Ok, so now we have a directory filled up wit RPM's. Many of these have a lot of dependancies, so the order of install is important. The script below has them in the correct order, so you can either use it as a reference to install them yourself, or just save the script in the directory that has all your RPM's and run it. Your choice.

HTML:
  1. ###### SNIP #######
  2. # InstallOpenGroupware.sh
  3. #!/sbin/sh
  4. rpm -Uvh ogo-gnustep_make-1.10.0-0.i386.rpm
  5. rpm -Uvh sope45-xml-4.5.8-r1321.0.i386.rpm
  6. rpm -Uvh sope45-xml-devel-4.5.8-r1321.0.i386.rpm
  7. rpm -Uvh libfoundation11-1.1.3-r155.0.i386.rpm
  8. rpm -Uvh libfoundation11-devel-1.1.3-r155.0.i386.rpm
  9. rpm -Uvh sope45-core-4.5.8-r1321.0.i386.rpm
  10. rpm -Uvh sope45-core-devel-4.5.8-r1321.0.i386.rpm
  11. rpm -Uvh sope45-mime-4.5.8-r1321.0.i386.rpm
  12. rpm -Uvh sope45-mime-devel-4.5.8-r1321.0.i386.rpm
  13. rpm -Uvh sope45-appserver-4.5.8-r1321.0.i386.rpm
  14. rpm -Uvh sope45-appserver-devel-4.5.8-r1321.0.i386.rpm
  15. rpm -Uvh sope45-gdl1-4.5.8-r1321.0.i386.rpm
  16. rpm -Uvh sope45-gdl1-devel-4.5.8-r1321.0.i386.rpm
  17. rpm -Uvh sope45-ldap-4.5.8-r1321.0.i386.rpm
  18. rpm -Uvh sope45-ldap-devel-4.5.8-r1321.0.i386.rpm
  19. rpm -Uvh sope45-ldap-tools-4.5.8-r1321.0.i386.rpm
  20. rpm -Uvh ogo-logic-1.1.5-r1717.0.i386.rpm
  21. rpm -Uvh ogo-logic-devel-1.1.5-r1717.0.i386.rpm
  22. rpm -Uvh ogo-logic-tools-1.1.5-r1717.0.i386.rpm
  23. rpm -Uvh ogo-docapi-1.1.5-r1717.0.i386.rpm
  24. rpm -Uvh ogo-docapi-devel-1.1.5-r1717.0.i386.rpm
  25. rpm -Uvh ogo-docapi-db-project-1.1.5-r1717.0.i386.rpm
  26. rpm -Uvh ogo-docapi-db-project-devel-1.1.5-r1717.0.i386.rpm
  27. rpm -Uvh ogo-docapi-fs-project-1.1.5-r1717.0.i386.rpm
  28. rpm -Uvh ogo-docapi-fs-project-devel-1.1.5-r1717.0.i386.rpm
  29. rpm -Uvh ogo-webui-core-devel-1.1.5-r1717.0.i386.rpm
  30. rpm -Uvh ogo-webui-app-1.1.5-r1717.0.i386.rpm ogo-theme-default-1.1.5-r1717.0.i386.rpm ogo-webui-resource-en-1.1.5-r1717.0.i386.rpm ogo-webui-resource-de-1.1.5-r1717.0.i386.rpm
  31. rpm -Uvh ogo-environment-1.1.5-0.i386.rpm
  32. rpm -Uvh sope45-ical-4.5.8-r1321.0.i386.rpm
  33. rpm -Uvh sope45-ical-devel-4.5.8-r1321.0.i386.rpm
  34. rpm -Uvh sope45-gdl1-postgresql-4.5.8-r1321.0.i386.rpm
  35. rpm -Uvh mod_ngobjweb-2.0.46-r1323.0.i386.rpm
  36. rpm -Uvh ogo-database-setup-1.1.5-0.i386.rpm
  37. rpm -Uvh ogo-pda-1.1.5-r1717.0.i386.rpm
  38. rpm -Uvh ogo-pda-devel-1.1.5-r1717.0.i386.rpm
  39. rpm -Uvh ogo-theme-blue-1.1.5-r1717.0.i386.rpm
  40. rpm -Uvh ogo-theme-kde-1.1.5-r1717.0.i386.rpm
  41. rpm -Uvh ogo-theme-ooo-1.1.5-r1717.0.i386.rpm
  42. rpm -Uvh ogo-theme-orange-1.1.5-r1717.0.i386.rpm
  43. rpm -Uvh ogo-tools-1.1.5-r1717.0.i386.rpm
  44. rpm -Uvh ogo-webui-calendar-1.1.5-r1717.0.i386.rpm
  45. rpm -Uvh ogo-webui-contact-1.1.5-r1717.0.i386.rpm
  46. rpm -Uvh ogo-webui-core-1.1.5-r1717.0.i386.rpm
  47. rpm -Uvh ogo-webui-mailer-1.1.5-r1717.0.i386.rpm
  48. rpm -Uvh ogo-webui-mailer-devel-1.1.5-r1717.0.i386.rpm
  49. rpm -Uvh ogo-webui-news-1.1.5-r1717.0.i386.rpm
  50. rpm -Uvh ogo-webui-project-1.1.5-r1717.0.i386.rpm
  51. rpm -Uvh ogo-webui-resource-basque-1.1.5-r1717.0.i386.rpm
  52. rpm -Uvh ogo-webui-resource-dk-1.1.5-r1717.0.i386.rpm
  53. rpm -Uvh ogo-webui-resource-es-1.1.5-r1717.0.i386.rpm
  54. rpm -Uvh ogo-webui-resource-fr-1.1.5-r1717.0.i386.rpm
  55. rpm -Uvh ogo-webui-resource-hu-1.1.5-r1717.0.i386.rpm
  56. rpm -Uvh ogo-webui-resource-it-1.1.5-r1717.0.i386.rpm
  57. rpm -Uvh ogo-webui-resource-jp-1.1.5-r1717.0.i386.rpm
  58. rpm -Uvh ogo-webui-resource-nl-1.1.5-r1717.0.i386.rpm
  59. rpm -Uvh ogo-webui-resource-no-1.1.5-r1717.0.i386.rpm
  60. rpm -Uvh ogo-webui-resource-pl-1.1.5-r1717.0.i386.rpm
  61. rpm -Uvh ogo-webui-resource-pt-1.1.5-r1717.0.i386.rpm
  62. rpm -Uvh ogo-webui-resource-ptbr-1.1.5-r1717.0.i386.rpm
  63. rpm -Uvh ogo-webui-resource-sk-1.1.5-r1717.0.i386.rpm
  64. rpm -Uvh ogo-webui-task-1.1.5-r1717.0.i386.rpm
  65. rpm -Uvh ogo-xmlrpcd-1.1.5-r1717.0.i386.rpm
  66. rpm -Uvh ogo-zidestore-1.1.5-r1717.0.i386.rpm
  67. rpm -Uvh ogo-zidestore-devel-1.1.5-r1717.0.i386.rpm
  68. rpm -Uvh ogo-meta-1.1.5-r1717.0.i386.rpm
  69. ###### /SNIP #######

Some things to note about the install.

These all have to be done on one line or "rpm" will complain that it can's resolve dependancies:
rpm -Uvh ogo-webui-app-1.1.5-r1717.0.i386.rpm ogo-theme-default-1.1.5-r1717.0.i386.rpm ogo-webui-resource-en-1.1.5-r1717.0.i386.rpm ogo-webui-resource-de-1.1.5-r1717.0.i386.rpm

ogo-database-setup-1.1.5-0.i386.rpm sets up your PostgreSQL database and database user for you. The output should look something like this:


Preparing...                     ########################################### [100%]
1:ogo-database-setup             ########################################### [100%]
PostgreSQL seems to be already initialized
and I can see it running:
PIDS used: 3456 3458 3459
We're on PostgreSQL 7 (7.4)
checking /var/lib/pgsql/data/postgresql.conf
need to patch /var/lib/pgsql/data/postgresql.conf for 7.4
backup current one to /var/lib/pgsql/data/postgresql.conf.20061213-153319
checking /var/lib/pgsql/data/pg_hba.conf
need to patch /var/lib/pgsql/data/pg_hba.conf for 7.4
backup current one to /var/lib/pgsql/data/pg_hba.conf.20061213-153319
The changes we've made require that we restart PostgreSQL...
Stopping postgresql service:    [  OK  ]
Starting postgresql service:      [  OK  ]
OK! PostgreSQL runs again: (3909 3911 3912)
creating database user: OGo
creating the database itself: OGo
we've successfully created both the user OGo and the raw database OGo
we'll now fill the database with the scheme itself
checking the logfile created during scheme rollin... 
/tmp/database_setup_psql.sh.20061213-153319.log
removing log - not needed anymore

OK... Now everything is installed, and if you run the following command:

# /sbin/chkconfig --list | grep ogo

You should see the following output:

ogo-zidestore   0:off   1:off   2:on    3:on    4:on    5:on    6:off
ogo-webui       0:off   1:off   2:on    3:on    4:on    5:on    6:off
ogo-xmlrpcd     0:off   1:off   2:on    3:on    4:on    5:on    6:off
ogo-nhsd        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Now, let's fire up these services:


# /sbin/service ogo-zidestore start
# /sbin/service ogo-webui start
# /sbin/service ogo-xmlrpcd start
# /sbin/service ogo-nhsd start

Everything should be up and running now, so you can grab a web browser and go to the following RUL:

http://server.domain.com/OpenGroupware

You will be logged in as the root user, so make sure to change the password.

If you are using this system as a stand-alone server, you are pretty much all set. We needed to authenticate it against our central LDAP, and point it towards our IMAP server though, so I added the following lines to "/var/lib/opengroupware.org/.libFoundation/DefaultsNSGlobalDomain.plist":


LSAuthLDAPServer = "ldapserver.domain.com";
LSAuthLDAPServerRoot = "dc=mydomain,dc=com";
imap_host = "imapserver.domain.com";
UseSkyrixLoginForImap = YES;

Make sure to put these lines at the end of the file, but before the closing braces.

The file should look something like this:

###### SNIP #######
{
"skyrix_id" = "server.domain.com";
LSConnectionDictionary = {
  databaseName = OGo;
  hostName = "127.0.0.1";
  password = "";
  port = 5432;
  userName = OGo;
};
  LSNewsImagesPath = "/var/lib/opengroupware.org/news";
  LSNewsImagesUrl = "/ArticleImages";
  Languages = (
  English
);
  TimeZoneName = GMT;
  WOHttpAllowHost = (
  localhost,
  "127.0.0.1",
  "localhost.localdomain"
);
  LSAuthLDAPServer = "ldapserver.domain.com";
  LSAuthLDAPServerRoot = "dc=domain,dc=com";
  imap_host = "imapserver.domain.com";
  UseSkyrixLoginForImap = YES;
}
###### /SNIP #######

Since the system won't let you authenticate the "root" user against the local database if your are using LDAP, you have to create a root user on your central LDAP.

Create an LDIF file called root.ldif like so:

###### SNIP #######
dn: uid=root,ou=People,dc=mydomain,dc=com
objectClass: organizationalPerson
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: root
uidNumber: 0
gidNumber: 0
sn: Root
cn: Root
homeDirectory: /root
loginShell: /bin/bash
gecos: Root
###### /SNIP #######

Finally, run the following command to add the root user:


ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -W -f root.ldif"

You should now be authenticating against your central LDAP server. Have fun!

Quick and Easy Apache Password Protection

Here is a quick and easy HOWTO for setting up .htaccess password protection on web-accessable directories. It's really easy, but it's always nice to have the syntax right at your fingertips.

First, find your way into the directory you want to protect.

% cd /path/to/secure/directory

Next, create a file in this directory called ".htaccess" and insert the following lines:


AuthUserFile /path/to/secure/directory/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Document"
AuthType Basic

<LIMIT GET PUT POST>
require user username
</LIMIT>

Remember to change "/path/to/secure/directory" to your path, and "username" to the the username you want. You can use any username you wish, and it does not need to exist as a UNIX user.

Now we can create the username and password. The following command does this by creating a file called ".htpasswd" with the username and encrypted password inside.

% /path/to/apache/install/bin/htpasswd -c .htpasswd username

Again, remember to change "username" to the username you have chosen, and enter the password twice when prompted.

Finally, we just have to make sure these two files are readable, and we are all done.

% chmod 755 .htaccess
% chmod 755 .htpasswd

This directory and all subdirectories will now prompt for this username and password whenever they are browsed to.

Apache, MySql and PHP Howto (from source)

Everyone loves web applications that use Apache, PHP and MySQL, and everyone loves having their very own web servere that runs them. The problem is, how do you do it? If your're like me, you don't do it enough to remember, so here are some quick directions to get you started.

First we must download the latest versions of Apache, MySQL and PHP and extract them. You may have to dig a little since these places are always changing where they keep things, but the links below should be of some use. Just make sure you download the source distribution.

MySQL Download >
Apache Download >
PHP Download >

I always put these applications in /usr/local/server, but you can select whatever location you like. Simply add whatever directory you want into the --prefix directive.

First, let's build and install MySQL

# cd /path/to/mysql/source/directory
# ./configure --prefix=/usr/local/server/mysql
# make
# make install

Next, we have to build and install the Apache web server. In this example, we are building it with SSL, URL Rewrite and Shared Object support.

# cd /path/to/apache/source/directory
# ./configure --prefix=/usr/local/server/apache --enable-module=so --enable-rewrite -enable-ssl
# make
# make install

Finally, build and install PHP. There are lots of things you can include when building PHP, but these are the most common.

# ./configure --with-apxs2=/usr/local/server/apache/bin/apxs --with-mysql=/usr/local/server/mysql --enable-debug=no --enable-track-vars=yes --enable-bcmath=yes --enable-memory-limit=yes --with-imap --with-ldap=/usr/local/server/ldap --enable-ftp --with-gd --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-zlib-dir=/usr
# make
# make install

That should do it... If everything went well, you can start up your fancy new apache web server.

# /usr/local/server/apache/bin/apachectl start

Things to remember when creating Apache SSL certs

Since I don't create certs all that often, I've always been frusterated by having to search out the commands every time I have to make one. Frequently I forget about removing tripple DES from the server.key file, and end up with a cert that makes me enter a psss phraze every time I start up Apache.

Thus, I decided to create an entry here with all the commands, so that I will never have to go searching for them again.

First, change directory into your Apache configuration directory:

# cd /path/to/httpd/conf

Generate the server key (with password):

# openssl genrsa -des3 -out server.key 1024

Optionally, we can generate a key file without a password. This means that Apache will start without requesting a password. This is important should there ever be a power failure, or when a reset is required and no one knows the password. Use the following command:

# openssl rsa -in server.key -out server.pem

A CSR (Certificate Signing Request) is required for afirming that the server key is valid. The server.pem is used in place of server.key as we don't require a password:

# openssl req -new -key server.pem -out server.csr

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.

-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your Cit
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company Nam
Organizational Unit Name (eg, section) []:Department Name
Common Name (eg, YOUR name) []: server.spiralbound.net
Email Address []:me@spiralbound.net
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Finally, the certificate needs to be signed. Normally this is done by an official authority such as Thawte. However, if this is not available, we can sign the certificate ourselves. In this example a time limit of 3 years, or 1095 days is set for the amount of time to be valid. Again, we use the server.pem file without a password.

# openssl x509 -req -days 1095 -in server.csr -signkey server.pem -out server.crt