

Messages - mwellnitz

1
German / Re: Version 4.1 - Was soll das werden ... (What is this supposed to become ...)
« on: July 28, 2015, 07:04:26 am »
Hello,

I am also tired of the cutbacks and changes. Zentyal is no longer an option for me. With a current setup, important components keep failing.

The DNS reverse resolution of a backup DC with DNS cache is also broken; it never worked properly, and a workaround with another server is necessary.

The DNS topic is a headache with Zentyal anyway. For example, it is fatal when you try to split an IP range across several domains, although that is quite common. Requests to Zentyal are answered by setting the status to 'accepted'. ... otherwise not a twitch :-(
See: https://tracker.zentyal.org/issues/3675

If, as a beta tester (which is how Zentyal classifies its non-paying customers), I get no feedback on reported essential problems, then the tool is no good.

Conclusion: whenever possible I will replace Zentyal with Univention Corporate Server. There it is even possible to buy the subscription option for running systems at any time.
https://www.univention.de/download/lizenzmodelle/lizenzbedingungen-ucs-core-edition/

Besides, I will then no longer be a forced beta tester as a non-paying customer. And requests in the German-language forum are usually answered quickly -- for free, entirely in keeping with the open source paradigm, even though a company with clear profit intentions stands behind it. That is how business with open source software works for me. Give, take, participate.

And bye-bye... Zentyal!

2
I enabled the following in /etc/zentyal/zentyal.conf:
Code:
debug = yes
dump_exceptions = yes
No additional debugging messages have been written to the log files.
As you can see in the logs, the return code is 403 but the page is rendered by the browser (additional content was loaded by the browser).
The Zentyal interface log:
Code:
/var/log/zentyal/access-perl.log
127.0.0.1 - - [04/Apr/2014:11:28:27 +0200] "GET /Users/UserCorner HTTP/1.0" 403 2923 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0" "-"
127.0.0.1 - - [04/Apr/2014:11:28:27 +0200] "GET /dynamic-data/css/login.css HTTP/1.0" 200 2534 "https://ZENTYAL_HOST:444/Users/UserCorner" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0" "-"
127.0.0.1 - - [04/Apr/2014:11:28:27 +0200] "GET /data/js/capsLock.js HTTP/1.0" 304 - "https://ZENTYAL_HOST:444/Users/UserCorner" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0" "-"
127.0.0.1 - - [04/Apr/2014:11:28:27 +0200] "GET /data/images/title-login.png HTTP/1.0" 304 - "https://ZENTYAL_HOST:444/Users/UserCorner" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0" "-"
The (local) Apache reverse proxy log:
Code:
/var/log/zentyal/access.log
ZENTYAL_HOST_IP - - [04/Apr/2014:11:28:27 +0200] "GET /Users/UserCorner HTTP/1.1" 403 1223 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
ZENTYAL_HOST_IP - - [04/Apr/2014:11:28:27 +0200] "GET /dynamic-data/css/login.css HTTP/1.1" 200 806 "https://ZENTYAL_HOST:444/Users/UserCorner" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
ZENTYAL_HOST_IP - - [04/Apr/2014:11:28:27 +0200] "GET /data/js/capsLock.js HTTP/1.1" 304 0 "https://ZENTYAL_HOST:444/Users/UserCorner" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
ZENTYAL_HOST_IP - - [04/Apr/2014:11:28:27 +0200] "GET /data/images/title-login.png HTTP/1.1" 304 0 "https://ZENTYAL_HOST:444/Users/UserCorner" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
ZENTYAL_HOST_IP - - [04/Apr/2014:11:28:28 +0200] "GET /favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"

I don't know how to debug that behaviour :-(

3
No comments yet?

I think this behavior is very interesting for the development/testing team of Zentyal!

4
Hello community,

I have strange behavior with Usercorner starting from (at least) 3.0.6, including the current 3.2 and also the 3.3 release.
When I try to access the usercorner with Firefox directly, everything works like a charm.
Accessing the same site via Squid proxy or Apache reverse proxy, the connection fails.

Digging deeper into it with the Firefox web developer extension, I was very surprised.
The site (/) or (/Login/Index) always returns HTTP status 403, but the website is delivered as well and Firefox renders it as expected.

Squid proxy and Apache reverse proxy terminate the connection after receiving the 403.

Does anyone have some hints on how to debug this strange behavior?
--> my configuration? See here https://forum.zentyal.org/index.php/topic,16724.0.html

5
What I'm fighting against is to call this "subdomain".
Now I got the point :D
So maybe let's say Third-level-Domain?
http://en.wikipedia.org/wiki/Domain_name#Second-level_and_lower_level_domains

6
BTW, what would be nice is that Zentyal provides, like they do for webmail, capability to configure user corner either with default configuration (i.e. as it is today) or using vhost.
!THUMBS-UP!

7
Hello Christian,

That's interesting although I'm doubtful.

Beyond the general idea, which is to share a trick you have deployed (BTW thanks a lot for this), I wonder if the technical approach is the correct one.
Please test some other approaches. I will be very pleased if there is an easy way to get it running.
I was first puzzled with the "extra subdomain" wording until I understood this is not really a domain or subdomain but a vhost  :-[ I know the subdomain wording is widely used to describe the leftmost part of a URL but such a concept really can't hit me. If I do not make this translation (and effort) from subdomain or domain to host or vhost, I'm often lost. Anyway...
In this case I really want to have a new subdomain (yes, technically implemented as a vhost) because we have multiple customers with different domains, services and servers. Some services are provided via the above-described Zentyal machine and port 443.
So I want to provide a new unique subdomain to all our customers to give them the ability to change their passwords.
A lot of big companies provide internet access to their employees but do not allow access to ports other than 80 and 443.
So I tried to figure out how to access the usercorner via the internet, port 443 and a unique subdomain.
Additionally, a unique domain can't work because you have to implement unique certificates, and browsers without the TLS feature will get certificate errors when you try to access different domains at the same IP and port.
The default listening port for user corner is 8888, so I suppose your proposal to redirect 445 is because you have already customized this, am I correct?
Furthermore it can't be changed to 443 because the default server is already listening on this port, but another vhost (as you rightly suggest with your reverse proxy configuration) can do this.
Thanks for the hint. I can't remember changing the port but I think you're right. I already changed it.
I'm, like you, promoting use of a reverse proxy but I wonder if this makes sense for a service that is running locally.
I mean, from a purely technical standpoint (I didn't investigate what you describe), can't the same feature be achieved by creating a vhost (using the Zentyal GUI) and configuring this vhost to point to the right place?
As you can see in my post, some deep changes have to be made inside the vhost configuration to get it running with the usercorner. I didn't do a test within Zentyal and its vhost feature, but in the past I got a bloody nose when modifying Zentyal-created configuration files. So I decided to go the safe way ;-)
At first impression you're right: simply use a vhost and point it to the right place. But when Zentyal makes some minor changes your configuration will fail. Additionally, in our environment we often make use of the reverse proxy feature to prevent application servers from being attacked directly from the internet. With this configuration I'm able to move the configuration to another server and it will work out-of-the-box, am I right?
A very positive aspect of your post is that it shows that a reverse proxy can be used to redirect HTTP requests and also rewrite parts, therefore providing great control over what goes through this reverse proxy  :)

One more question if you don't mind  ;)

What's this "certificate error" you describe?
There are two techniques to get encrypted HTTP connections, known as 'SSL' and 'TLS'.
The new one is 'TLS' but it's not supported by a wide range of common (mostly older) browsers. TLS can handle multiple domains because the encryption starts at a later communication level, but SSL doesn't.
When an SSL connection is initiated, first the connection is secured and then the URL is sent to the server. Therefore the server has to deliver its certificate before the client has told it which domain it wants to contact. The client (browser) verifies the certificate against the URL. If you are running multiple vhosts with different domains, only one domain can be handled correctly via the SSL stack.
Am I right?
With one exception:
If all your domains are subdomains of the same domain and you are providing the same wildcard certificate, each connection is valid from the browser's point of view.
In any other SSL case (I hope) you will get a certificate error (Invalid certificate ... bla, bla, bla...)

8
Installation and Upgrades / Re: Owncloud 4.5, LDAP and Zentyal
« on: July 11, 2013, 03:33:21 pm »
Maybe you want to enhance your setup.

Each LDAP user can access the usercorner via port 443
Read my new howto:

http://forum.zentyal.org/index.php/topic,16724.0.html

9
It took me nearly 2 days to solve the above issue with Zentyal, but now it works and I want to share it with you.

The goal
the usercorner (port 8888) has to be redirected to an extra subdomain (port 443) at the same IP address as the current

The plan
First we have to define some dependencies for the specific environment. For this HowTo I take the following:

The solution

create a proxy statement
A ProxyPass/ProxyPassReverse statement would also lead to a working solution, but I like the balancer features.
Code:
    <Proxy balancer://usercorner>
        BalancerMember https://localhost:8888/
    </Proxy>
    <Location />
        ProxyPass balancer://usercorner/
        Order allow,deny
        Allow from all
    </Location>

extend apache module list
a2enmod headers proxy proxy_balancer proxy_connect proxy_html rewrite ssl
apache2ctl graceful

Proxy SSL
To allow access to https://localhost you have to enable SSLProxyEngine. Otherwise you can only connect via http://
Code:
SSLProxyEngine On
redirect '/' to '/Login/Index'
I don't know why, but when I try to log in via '/', after a successful login I am redirected to the login again. Starting from '/Login/Index' succeeds.
Code:
        RewriteEngine On
        RewriteRule ^/*$ /Login/Index [R]

password change is only possible via a changed Referer header
To avoid man-in-the-middle attacks, Zentyal denies password changes if the Referer header does not match the Zentyal connection. (Thanks to the Zentyal guys for that nice feature, but we will break this feature now.)
In our case Zentyal is connected via https://localhost:8888 but the browser sends the Referer header https://security.foobar.com.
Apache's mod_headers can do the trick:
Code:
        RequestHeader edit Referer security\.foobar\.com localhost:8888 early
        Header edit Location ^https://localhost:8888(/.*)$ https://security.foobar.com$1

Certificates
To avoid certificate errors I recommend using a wildcard certificate.
Code:
        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl.pem/foobar.com/foobar.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/foobar.com/foobar.com.key
        SSLCertificateChainFile /etc/apache2/ssl.crt/ca/foobar.com.ca-bundle

And now the solution
EDIT: while using /etc/apache2/conf.d I had problems with the other vhosts at that domain; after moving it to /etc/apache2/sites-available/ the whole thing works as expected.
Code:
## create a file /etc/apache2/sites-available/security.foobar.com.conf
# needed so mod_proxy can talk TLS to the backend at https://localhost:8888
SSLProxyEngine On
<VirtualHost security.foobar.com:443>
        ServerAdmin admin@foobar.com
        ServerName security.foobar.com
        DocumentRoot /srv/www/security.foobar.com
        ErrorLog /var/log/apache2/security.foobar.com-error.log
        CustomLog /var/log/apache2/security.foobar.com-access.log combined
        # send '/' to the login page; logging in from '/' loops back to the login
        RewriteEngine On
        RewriteRule ^/*$ /Login/Index [R]
        # make the Referer look like it came from the backend itself (Zentyal
        # rejects password changes with a foreign Referer) and map the
        # backend's own redirects back to the public name
        RequestHeader edit Referer security\.foobar\.com localhost:8888 early
        Header edit Location ^https://localhost:8888(/.*)$ https://security.foobar.com$1
        # the user corner listens on 8888 over TLS
        <Proxy balancer://usercorner>
                BalancerMember https://localhost:8888/
        </Proxy>
        <Location />
                ProxyPass balancer://usercorner/
                Order allow,deny
                Allow from all
        </Location>
        # public certificate for this vhost (wildcard for foobar.com, see above)
        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl.pem/foobar.com/foobar.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/foobar.com/foobar.com.key
        SSLCertificateChainFile /etc/apache2/ssl.crt/ca/foobar.com.ca-bundle
</VirtualHost>
Now you have to enable the new site and restart Apache.
Code:
a2ensite security.foobar.com.conf
apache2ctl restart
comments or improvements are welcome
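The Referer and Location rules in the vhost above are what let Zentyal's Referer check survive the proxy. As an added example (not from the post, and not Zentyal or Apache code), the following Python script models those two Apache `edit` rules with the same regular expressions, applies them to constructed sample headers, and puts the unanchored Referer rule from the post next to an anchored variant that only rewrites a Referer whose scheme and host are exactly the public vhost. The two backend checks are assumptions: the post says only that Zentyal compares the Referer against its own connection, not how it compares.

```python
import re

# Rules as written in the vhost, modelled with Python's re. Apache's
# "RequestHeader edit" / "Header edit" replace the first match only (count=1);
# "edit*" would replace every match. Apache writes back-references as $1,
# Python as \1.
REFERER_RULE_FROM_POST = (r"security\.foobar\.com", "localhost:8888")
# Anchored variant (hardening suggested here, not from the post): rewrite only
# when the Referer's scheme and host are exactly the public vhost.
REFERER_RULE_ANCHORED = (r"^https://security\.foobar\.com(?=[/?#]|$)",
                         "https://localhost:8888")
LOCATION_RULE = (r"^https://localhost:8888(/.*)$", r"https://security.foobar.com\1")


def edit_header(value, rule):
    """Apply one Apache-style 'edit' rule to a header value."""
    pattern, replacement = rule
    return re.sub(pattern, replacement, value, count=1)


def host_check(referer):
    """Assumed backend check A: the Referer's host:port must equal the backend's."""
    m = re.match(r"^https?://([^/?#]+)", referer or "")
    return bool(m) and m.group(1) == "localhost:8888"


def substring_check(referer):
    """Assumed backend check B: a looser check that only looks for the
    backend's own host:port anywhere in the Referer."""
    return "localhost:8888" in (referer or "")


def password_change_allowed(referer, referer_rule, backend_check):
    """What the backend decides after the proxy has rewritten the Referer."""
    return backend_check(edit_header(referer, referer_rule))


def rewrite_redirect(location):
    """Model of the 'Header edit Location' rule: the backend's self-references
    become the public name; any other Location is left alone."""
    return edit_header(location, LOCATION_RULE)


# Constructed sample headers: a legitimate one from the user corner vhost and
# one sent by a page on another host that merely mentions the vhost name.
LEGIT_REFERER = "https://security.foobar.com/Users/UserCorner"
FOREIGN_REFERER = "https://evil.example/form?next=security.foobar.com"

if __name__ == "__main__":
    for rule_name, rule in (("post", REFERER_RULE_FROM_POST),
                            ("anchored", REFERER_RULE_ANCHORED)):
        for ref in (LEGIT_REFERER, FOREIGN_REFERER):
            print(rule_name, ref, "->", edit_header(ref, rule),
                  "| host_check:", password_change_allowed(ref, rule, host_check),
                  "| substring_check:", password_change_allowed(ref, rule, substring_check))
    print(rewrite_redirect("https://localhost:8888/Login/Index"))
```

With the rule from the post, a Referer from another host that merely contains the vhost name is rewritten to contain `localhost:8888`; that is harmless if the backend compares the host exactly, but passes a substring-style check. The anchored rule leaves such a Referer untouched, so both kinds of check reject it, and the legitimate Referer is rewritten identically under either rule.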

10
Installation and Upgrades / Re: Owncloud 4.5, LDAP and Zentyal
« on: November 30, 2012, 11:16:50 am »
HOWTO OwnCloud 4.5.X and Zentyal 3.0

You have to make some special adjustments with this combination, and I want to give you the whole configuration to be done.
Since there are no Ubuntu packages (PPA) available, I will install the plain OwnCloud sources.

Install Zentyal
I think you know how to install it ;-)
  • My current version is 2.3.24 but it should work for 3.0
  • Configure your LDAP

Install OwnCloud via plain tar.bz2 deploy
--> the current version is 4.5.3
Cleanup (if you did tests already)
Code:
aptitude purge owncloud
rm -r /var/lib/owncloud/config /var/lib/owncloud/data /etc/apache2/conf.d/owncloud.conf

mysql -p
  select * from mysql.user;
  DROP USER 'owncloud'@'localhost';
  FLUSH PRIVILEGES;
  drop database owncloud;
commit;
exit
Code:
TARFILE="owncloud-4.5.3.tar.bz2"
cd /tmp
wget http://mirrors.owncloud.org/releases/${TARFILE}
tar -xjvf ${TARFILE}
rm -r /var/www/owncloud
mv owncloud /var/www/
mkdir -p /var/www/owncloud/install/data
chown -R www-data:www-data /var/www/owncloud/install/data
chown -R www-data:www-data /var/www/owncloud/apps
mkdir /var/www/owncloud/data
chown -R www-data:www-data /var/www/owncloud/data
chown -R www-data:www-data /var/www/owncloud/config
cat >> /etc/apache2/conf.d/owncloud.conf << EOF
Alias /owncloud /var/www/owncloud

<Directory /var/www/owncloud/>
        Options +FollowSymLinks
        AllowOverride All
        order allow,deny
        allow from all
</Directory>
EOF

Zentyal server pre-configuration installs
Code:
aptitude install zip mp3info php5-mysql php5-gd php-xml-parser libt1-5 php5-ldap pwgen
a2enmod rewrite
a2enmod headers
apache2ctl graceful
MYSQL_PWD="$(pwgen -BC 12 -N 1)"
mysql -p << EOF
CREATE DATABASE owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost'
  IDENTIFIED BY '${MYSQL_PWD}';
FLUSH PRIVILEGES;
EOF
echo "Your secure MySQL Password is ${MYSQL_PWD} write it down you will need it later!"
echo "For your OwnCloud admin user you can take this secure password: $(pwgen -BC 12 -N 1)"

An OwnCloud installation without internet access doesn't make sense. If you are behind a firewall you need access (port forwarding) to your Zentyal instance. In my case I have an Ubuntu 10.04 server that acts as a firewall. Zentyal also needs updates, so I give it direct internet access:
  • firewall rules
Code:
INET_IP="<TBD>"  # eg. 1.2.3.4/32
ZENTYAL_IP="<TBD>" # eg. 192.168.0.100
# These are nat-table rules. ufw's before.rules has no *nat section by default,
# so they must be appended as their own table block closed by COMMIT; bare -A
# lines after the existing filter COMMIT make ufw refuse to load the file.
# ufw must also be allowed to forward: DEFAULT_FORWARD_POLICY="ACCEPT" in
# /etc/default/ufw and net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf.
cat >> /etc/ufw/before.rules << EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward traffic to Zentyal with OwnCloud
-A PREROUTING -d ${INET_IP} -p tcp --dport 443 -j DNAT --to ${ZENTYAL_IP}:443
-A POSTROUTING -p tcp -d ${ZENTYAL_IP} --dport 443 -j MASQUERADE
-A PREROUTING -d ${INET_IP} -p tcp --dport 25 -j DNAT --to ${ZENTYAL_IP}:25
-A POSTROUTING -p tcp -d ${ZENTYAL_IP} --dport 25 -j MASQUERADE
-A PREROUTING -d ${INET_IP} -p tcp --dport 8443 -j DNAT --to ${ZENTYAL_IP}:8443
-A POSTROUTING -p tcp -d ${ZENTYAL_IP} --dport 8443 -j MASQUERADE
-A PREROUTING -d ${INET_IP} -p tcp --dport 993 -j DNAT --to ${ZENTYAL_IP}:993
-A POSTROUTING -p tcp -d ${ZENTYAL_IP} --dport 993 -j MASQUERADE
-A PREROUTING -d ${INET_IP} -p tcp --dport 995 -j DNAT --to ${ZENTYAL_IP}:995
-A POSTROUTING -p tcp -d ${ZENTYAL_IP} --dport 995 -j MASQUERADE
-A PREROUTING -d ${INET_IP} -p tcp --dport 237 -j DNAT --to ${ZENTYAL_IP}:237
-A POSTROUTING -p tcp -d ${ZENTYAL_IP} --dport 237 -j MASQUERADE
COMMIT
EOF

# flush the old nat rules (-F), then reload ufw
iptables -t nat -F ; ufw disable ; ufw --force enable
  • Zentyal Server adjustments
Code:
INTERNAL_FW_IP="<TBD>" # eg. 192.168.0.1
route add default gw ${INTERNAL_FW_IP}
  • If that works like a charm you can set the Gateway parameter at the Zentyal web frontend

initial OwnCloud configuration
Now it's time to access your OwnCloud installation for the first time:
https://ZENTYAL_IP/owncloud
You have to create a new administrative (owncloud-only) account. This account has nothing to do with your Zentyal accounts and won't be visible within your Zentyal frontend. Don't choose an already existing Zentyal account name here. If you do, the Zentyal LDAP account won't be accessible within your OwnCloud instance.
I suggest you use the account name 'ownadmin' and the password generated above via $(pwgen -BC 12 -N 1).
At the advanced tab you have to add the mysql connection parameters:
  • username: ownadmin
  • password: use secure password
  • Data Folder: /var/www/owncloud
  • Database user: owncloud
  • Database password: (created during DB installation)
  • Database name: owncloud
  • mysql host: localhost
--> Finish Setup
Depending on your system performance it takes about one minute to finish the setup procedure. You will be logged on as ownadmin afterwards.

LDAP integration -- now the topic starts :D
Log in to your Zentyal web frontend and get information about your LDAP at Office --> Users and Groups --> LDAP Settings
Let's assume your settings are:
  • Base-DN:    dc=my,dc=company,dc=com
  • Root DN:    cn=zentyal,dc=my,dc=company,dc=com
  • Password:    ndeifbwkwz46wnd82nb
  • Users DN:    ou=Users,dc=my,dc=company,dc=com
  • Groups DN:    ou=Groups,dc=my,dc=company,dc=com

To connect your OwnCloud instance to your Zentyal LDAP do the following steps:
  • Login to your owncloud instance as user ownadmin.
  • Go to: Settings --> Apps --> Ldap user and group backend --> Enable
  • Go to: Settings --> Admin
Your setup should look like:
LDAP Basic
  • Host: localhost
  • Base DN: dc=my,dc=company,dc=com
  • User DN: cn=zentyal,dc=my,dc=company,dc=com
  • Password: ndeifbwkwz46wnd82nb
  • User Login Filter: (uid=%uid)
  • User List Filter: (objectclass=inetOrgPerson)
  • Group Filter: (objectClass=posixGroup)

Advanced
  • Port: 390
  • Base User Tree: ou=Users,dc=my,dc=company,dc=com
  • Base Group Tree: ou=Groups,dc=my,dc=company,dc=com
  • User Display Name Field: uid
  • Group Display Name Field: cn
  • Email Field: mail
--> SAVE

When you go to Users you should see all LDAP users. You can create additional users within your OwnCloud instance. Those users won't be visible within your Zentyal instance. In case of a collision the OwnCloud user will be visible in OwnCloud.
Beware: LDAP users can't change their password within OwnCloud. You need to activate the UserCorner feature within Zentyal.

Outlook
An advanced setup with multiple OwnCloud instances and one Zentyal can be done with advanced filtering.

EDIT:
Enable your usercorner to be accessible via port 443 to ensure your OwnCloud user can change his password.
http://forum.zentyal.org/index.php/topic,16724.0.html
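The User Login Filter `(uid=%uid)` in the LDAP settings above is a template into which the login name typed by the user is substituted before OwnCloud searches the Zentyal directory. As an added example (not from the post, OwnCloud or Zentyal), the following Python script shows the RFC 4515 escaping that any such substitution needs so that a login name containing `*`, `(`, `)` or `\` cannot change the meaning of the filter, and ANDs the login filter with the User List Filter from the same configuration so that a login can only ever match an entry the user list would also show. Whether OwnCloud 4.5 escapes the value itself is not on this page; the login names are constructed samples.

```python
# Settings exactly as entered in the OwnCloud LDAP backend above.
USER_LOGIN_FILTER = "(uid=%uid)"
USER_LIST_FILTER = "(objectclass=inetOrgPerson)"


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter
    (RFC 4515 section 3): '\\', '*', '(', ')' and NUL become \\XX hex escapes,
    so the value can never close or extend the surrounding filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def naive_login_filter(uid, template=USER_LOGIN_FILTER):
    """Plain substitution, kept only to make the injection visible:
    a login name of '*' turns (uid=%uid) into a filter matching every user."""
    return template.replace("%uid", uid)


def safe_login_filter(uid, template=USER_LOGIN_FILTER, list_filter=USER_LIST_FILTER):
    """Escaped substitution, ANDed with the user list filter so that a login
    can only match an entry the user list would also show."""
    return "(&%s%s)" % (list_filter, template.replace("%uid", escape_filter_value(uid)))


# Constructed sample login names: an ordinary one, a bare wildcard, and one
# that tries to append a second (uid=*) assertion.
SAMPLE_UIDS = ["alice", "*", "alice)(uid=*"]

if __name__ == "__main__":
    for uid in SAMPLE_UIDS:
        print(repr(uid))
        print("  naive:", naive_login_filter(uid))
        print("  safe: ", safe_login_filter(uid))
```

The same escaping applies to any other value a backend copies into a filter, such as the group name used with the Group Filter `(objectClass=posixGroup)`.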
