Thursday, July 07, 2011

Using TurnKey Linux Appliances

Introduction

TurnKey Linux (TKL) appliances provide an easy turnkey way to deploy essential and common network services for your organization or team on a LAN or WAN.  Each service is delivered as an appliance, and all configuration is done through a web browser.  This saves you the time of studying and installing the related software packages, because everything is packed into a single 130~200MB ISO file.  You can install these software appliances on bare metal, in a virtual machine, or even on an Amazon EC2 cloud server.

At the time of writing there are 45+ ready-made TurnKey appliances, ranging from content management and web development to issue tracking and messaging.  These appliances are based on Ubuntu Linux, one of the most friendly and easy-to-use Linux distributions on the market.

Once installed, the console shows you how to access the server.  Configuration can be performed in the Webmin GUI through a web browser.  This saves time and effort compared with the command-line configuration practice used by the Linux community, and a user with little or no knowledge of Linux can do the job well too.

However, TurnKey Linux appliances are not perfect.  This article is not about using a TurnKey Linux appliance as such; it attempts to illustrate some features that you may want in a TKL appliance.  Some of these features must be configured from the command-line console.

Upgrade Webmin

Webmin is widely used in TurnKey appliances as the front-end configuration control panel.  Webmin and TurnKey Linux are independent of each other, so you may upgrade Webmin to the latest version to get newer features.

To upgrade Webmin, simply use the "Upgrade Webmin" icon on the Webmin Configuration page.

If you have many TKL appliances deployed, download the latest Webmin .tar.gz file once and use the upload option to upgrade Webmin; this eases the installation and saves time and bandwidth.  Fetch the archive from the official Webmin site rather than an untrusted mirror, since whatever you upload will run as root on every appliance.

Add or Upgrade Webmin modules

Use the "Webmin Modules" icon on the Webmin Configuration page to manage Webmin modules.  You may install or upgrade any Webmin module that you need but that is missing from the TKL appliance.

Add or Upgrade Software Packages

New features or fixes may be available in updated software packages.  Use System | Software Packages to upgrade to the latest updates.

Webmin: Time

The Webmin Time module is missing from the TKL appliance.  Install the Time module and you are ready to configure the time zone and date/time of the TKL appliance instance.

LDAP Authentication

If an LDAP directory service is available to serve account information, you may configure TKL to authenticate accounts via LDAP.

First, install these packages:

  1. libpam-ldap
  2. libnss-ldap
  3. nss-updatedb
  4. libnss-db

You may use apt-get in console:

# apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db

or use Webmin's Software Packages page to install those packages.

Configure LDAP client via:

# dpkg-reconfigure ldap-auth-config

Follow the on-screen instructions to fill in the relevant LDAP parameters.  Give the server as an ldaps:// URI, or enable TLS afterwards in /etc/ldap.conf (ssl start_tls), so that user passwords are not sent across the network in the clear.

LDAP client configuration is available in Webmin too.  Install the "ldap-client" module to get this feature in Webmin.

Edit /etc/nsswitch.conf to add ldap support:

# vi /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap

This may also be configured under "Services using LDAP" in the Webmin LDAP client module.

To verify the LDAP configuration, run "getent passwd" and check that the LDAP accounts appear in the list.

If the LDAP accounts are alias entries, add "DEREF always" to /etc/ldap.conf to make dereferencing work.
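
To check the result of the steps above without trusting the GUI, here is an added example script (not from the article and not part of TurnKey Linux) that verifies the three things a practitioner cares about after enabling LDAP logins: that nsswitch.conf consults ldap, that ldap.conf encrypts the binds, and that getent passwd actually returns directory accounts.  It assumes PADL-style /etc/ldap.conf directives (uri, ssl, tls_checkpeer) and runs against constructed sample files so it can be tried offline; the hostnames and account names in the samples are made up.

```shell
#!/bin/sh
# Added example, not part of the TurnKey Linux article: sanity-check an LDAP
# client setup of the libnss-ldap/libpam-ldap kind before relying on it for
# logins.  Assumes PADL-style /etc/ldap.conf directives (uri, ssl,
# tls_checkpeer) and an nsswitch.conf edited as in the article.  Paths are
# parameters so the checks can run on the constructed samples below.
set -u

# nss_has_ldap NSSWITCH DB...  ->  0 if every DB line lists "ldap"
# (commented-out lines do not count), 1 otherwise.
nss_has_ldap() {
    nh_file=$1; shift
    for nh_db in "$@"; do
        grep -Eq "^[[:space:]]*${nh_db}:[^#]*[[:space:]]ldap([[:space:]]|$)" "$nh_file" || return 1
    done
    return 0
}

# ldap_transport LDAP_CONF  ->  prints ldaps | start_tls | plaintext and
# returns 0 only when binds (and therefore passwords) will be encrypted.
ldap_transport() {
    lt_uri=$(awk 'tolower($1)=="uri" {print $2; exit}' "$1")
    lt_ssl=$(awk 'tolower($1)=="ssl" {print tolower($2); exit}' "$1")
    case "$lt_uri" in
        ldaps://*) echo ldaps; return 0 ;;
    esac
    case "$lt_ssl" in
        on|yes)    echo ldaps; return 0 ;;
        start_tls) echo start_tls; return 0 ;;
    esac
    echo plaintext
    return 1
}

# ldap_only_accounts GETENT_OUTPUT LOCAL_PASSWD  ->  names the resolver
# returned that are not in the local passwd file, i.e. came from LDAP.
ldap_only_accounts() {
    awk -F: 'NR==FNR { seen[$1]=1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# ldap_client_report NSSWITCH LDAP_CONF GETENT_OUTPUT LOCAL_PASSWD
# Prints one line per check and returns the number of failed checks.
ldap_client_report() {
    rep_fail=0
    if nss_has_ldap "$1" passwd group; then
        echo "ok    nsswitch.conf: passwd and group consult ldap"
    else
        echo "FAIL  nsswitch.conf: ldap missing from passwd or group"
        rep_fail=$((rep_fail + 1))
    fi
    if rep_t=$(ldap_transport "$2"); then
        echo "ok    ldap.conf: transport is $rep_t"
    else
        echo "FAIL  ldap.conf: binds use plaintext ldap:// (use ldaps:// or 'ssl start_tls')"
        rep_fail=$((rep_fail + 1))
    fi
    rep_n=$(ldap_only_accounts "$3" "$4" | grep -c .)
    if [ "$rep_n" -gt 0 ]; then
        echo "ok    getent passwd returned $rep_n LDAP-only account(s): $(ldap_only_accounts "$3" "$4" | tr '\n' ' ')"
    else
        echo "FAIL  getent passwd returned no LDAP accounts"
        rep_fail=$((rep_fail + 1))
    fi
    return $rep_fail
}

# Constructed sample files (hostnames and accounts are made up).
make_samples() {
    ms_dir=$(mktemp -d)
    printf '%s\n' '# constructed nsswitch.conf, edited as in the article' \
        'passwd:         compat ldap' 'group:          compat ldap' \
        'shadow:         compat' 'hosts:          files dns' > "$ms_dir/nsswitch.conf"
    # what ldap-auth-config writes by default: plaintext ldap:// uri, no TLS
    printf '%s\n' 'base dc=example,dc=com' 'uri ldap://ldap.example.com/' \
        'ldap_version 3' > "$ms_dir/ldap.conf"
    # the same, hardened with STARTTLS and certificate verification
    printf '%s\n' 'ssl start_tls' 'tls_checkpeer yes' \
        'tls_cacertfile /etc/ssl/certs/ca-certificates.crt' | cat "$ms_dir/ldap.conf" - > "$ms_dir/ldap-tls.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/bin/sh' > "$ms_dir/passwd"
    # what "getent passwd" returns once nss_ldap works: local + directory users
    { cat "$ms_dir/passwd"; printf '%s\n' \
        'alice:x:10001:10001:Alice Example:/home/alice:/bin/bash' \
        'bob:x:10002:10001:Bob Example:/home/bob:/bin/bash'; } > "$ms_dir/getent.txt"
    echo "$ms_dir"
}

# Demo on the samples.  On an appliance, save "getent passwd > /tmp/getent.txt"
# and call: ldap_client_report /etc/nsswitch.conf /etc/ldap.conf /tmp/getent.txt /etc/passwd
demo_dir=$(make_samples)
for conf in ldap.conf ldap-tls.conf; do
    demo_rc=0
    ldap_client_report "$demo_dir/nsswitch.conf" "$demo_dir/$conf" \
        "$demo_dir/getent.txt" "$demo_dir/passwd" || demo_rc=$?
    echo "$conf: $demo_rc check(s) failed"
done
```

The transport check is the one that matters most: dpkg-reconfigure ldap-auth-config accepts a plain ldap:// URI without complaint, and with that setting every SSH login sends the user's password to the directory in the clear.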

Create home directory

A common use of LDAP account authentication is to provide a secure shell login for users.  Home directories are not created for LDAP accounts by default.  PAM has a module, pam_mkhomedir, that creates the home directory automatically when the user logs in.

Edit "/etc/auth-client-config//profile.d/acc-default" to add pam_mkhomedir.so as follows:

# cat /etc/auth-client-config//profile.d/acc-default
...
#
# this example is for using ldap to authenticate and authorize.  This is only
# an example, and you will most likely have to create your own profiles to
# authenticate with your system. Note that this example requires the
# libpam-cracklib package to be installed.
#
[ldap_example]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
        account    sufficient   pam_ldap.so
        account    required     pam_deny.so
pam_password=password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
        password   sufficient   pam_unix.so nullok md5 shadow use_authtok
        password   sufficient   pam_ldap.so use_first_pass
        password   required     pam_deny.so
pam_session=session    required     pam_limits.so
        session    required     pam_unix.so
        session    required     pam_mkhomedir.so skel=/etc/skel/
        session    optional     pam_ldap.so

Next, run this to apply the profile to the PAM configuration:

# auth-client-config -a -p ldap_example

Now a user who logs in via ssh gets a home directory created automatically.  Two details of the example profile above are worth a second look before you apply it: pam_mkhomedir uses a umask of 0022 unless you pass umask=0077, so new home directories are world-readable; and the nullok option on the pam_unix auth line allows local accounts with an empty password to log in, so remove it unless you need it.
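
Before applying a profile with auth-client-config -a, it is worth checking what the session and auth stacks actually contain.  The following is an added example (not from the article and not part of auth-client-config) that parses a profile file in the format shown above and flags two things: whether pam_mkhomedir runs with a private umask, and whether the pam_unix auth line carries nullok.  The sample profiles it writes are constructed, abbreviated copies of the ldap_example stanza; the profile name other_profile is made up.

```shell
#!/bin/sh
# Added example (not part of the TurnKey Linux article): lint an
# auth-client-config profile before applying it with auth-client-config -a.
# Assumes the profile format shown in the article: an INI-style [section]
# whose keys (pam_auth=, pam_session=, ...) may continue on indented lines.
# The sample profiles below are constructed and abbreviated, not the stock
# acc-default file.
set -u

# profile_stanza FILE PROFILE KEY  ->  the lines of KEY in [PROFILE]; the
# first line has the "KEY=" prefix removed, continuation lines are de-indented.
profile_stanza() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/                   { insec = ($0 == sec); inkey = 0; next }
        !insec                  { next }
        /^[A-Za-z_]+=/          { inkey = (index($0, key "=") == 1)
                                  if (inkey) print substr($0, length(key) + 2)
                                  next }
        inkey && /^[[:space:]]/ { sub(/^[[:space:]]+/, ""); print }
    ' "$1"
}

# session_makes_private_home FILE PROFILE  ->  0 when pam_mkhomedir runs with
# umask=0077, 1 when it runs with its default (world-readable) umask 0022,
# 2 when the session stack does not run pam_mkhomedir at all.
session_makes_private_home() {
    smh_line=$(profile_stanza "$1" "$2" pam_session | grep 'pam_mkhomedir\.so') || return 2
    case "$smh_line" in
        *umask=0077*|*umask=077*) return 0 ;;
        *)                        return 1 ;;
    esac
}

# auth_rejects_empty_passwords FILE PROFILE  ->  0 unless a pam_unix auth line
# carries nullok, which lets accounts with an empty password log in.
auth_rejects_empty_passwords() {
    ! profile_stanza "$1" "$2" pam_auth | grep -q 'pam_unix\.so.*nullok'
}

# Constructed samples: the article's ldap_example stack (abbreviated) and a
# hardened copy of it.
make_profiles() {
    mp_dir=$(mktemp -d)
    cat > "$mp_dir/acc-default" <<'EOF'
[other_profile]
pam_session=session    required     pam_unix.so

[ldap_example]
nss_passwd=passwd: files ldap
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
pam_session=session    required     pam_limits.so
        session    required     pam_unix.so
        session    required     pam_mkhomedir.so skel=/etc/skel/
        session    optional     pam_ldap.so
EOF
    # hardened copy: no nullok, private home directories
    sed -e 's/ nullok//' -e 's|skel=/etc/skel/|skel=/etc/skel/ umask=0077|' \
        "$mp_dir/acc-default" > "$mp_dir/acc-hardened"
    echo "$mp_dir"
}

# Demo on the samples.  On an appliance, point the functions at the real file:
#   session_makes_private_home /etc/auth-client-config/profile.d/acc-default ldap_example
demo_dir=$(make_profiles)
for f in acc-default acc-hardened; do
    rc=0; session_makes_private_home "$demo_dir/$f" ldap_example || rc=$?
    if auth_rejects_empty_passwords "$demo_dir/$f" ldap_example; then pw=rejected; else pw=nullok; fi
    echo "$f: mkhomedir=$rc (0 ok, 1 permissive umask, 2 missing), empty passwords=$pw"
done
```

The parser is deliberately strict about the format (a key starts at column 0, continuation lines are indented), which is exactly how auth-client-config reads the file, so a stanza that this script cannot see is one that the tool will not apply either.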
