This repository has been archived by the owner on Sep 18, 2018. It is now read-only.

RatticDB on Ubuntu 12.04 and integration with Zentyal via OpenLDAP

jpoa edited this page Feb 5, 2014 · 3 revisions

This tutorial does not aim to be a comprehensive reference, but it hopes to be a “good enough” reference for any user with basic knowledge of the subject. Something might be missing; if that is the case, please take note of it and add it here, and by all means feel free to reorganize/clean/improve this! That said, let’s move on.

Also, I suck at markdown.

Overall view:

  • Prepare the requirements (Apache, Python, Django, RatticDB)
  • Configure Apache
  • Tweak RatticDB (needed at the moment, v0.15, might be fixed later on, so proceed with common sense)
  • Tweak Zentyal

It is assumed that the system is freshly installed with Ubuntu 12.04 and that all commands are executed as root. It is also advisable to place this machine in paranoia mode (encrypted LVM, login auditing, etc.).

Install Apache and the required system libraries:

 aptitude install apache2 apache2.2-common apache2-mpm-prefork apache2-utils libexpat1 ssl-cert python-dev python-pip libapache2-mod-wsgi mysql-server libapache2-mod-auth-mysql libldap2-dev libsasl2-dev libssl-dev python-mysqldb

Initialize and secure MySQL:

 mysql_install_db
 /usr/bin/mysql_secure_installation

Now we can use pip to install all the Python related packages:

 pip install Django python-ldap django-auth-ldap django-tastypie south django-user-sessions django-otp django-two-factor-auth markdown

Prepare the folders and download Rattic:

 mkdir /opt/apps
 mkdir /opt/apps/RatticWeb
 mkdir /opt/apps/RatticWeb/static
 cd /opt/apps/RatticWeb/
 wget https://github.com/tildaslash/RatticWeb/archive/v0.15.tar.gz
 tar xvzf v0.15.tar.gz
 rm v0.15.tar.gz
 cp -Rv RatticWeb-0.15/* .
 rm -Rv RatticWeb-0.15

I found some issues starting things up; doing it one by one automagically solved it (I repeated them all to make sure all components were happy):

 ./manage.py syncdb --noinput
 ./manage.py migrate --all
 ./manage.py migrate user_sessions
 ./manage.py migrate two_factor
 ./manage.py migrate tastypie
 ./manage.py migrate cred
 ./manage.py migrate account
 ./manage.py migrate --all

Collect all static files:

 ./manage.py collectstatic -c --noinput

And let’s prepare the Apache website. The key is first generated with a passphrase, and the second openssl command writes a copy without it so Apache can start unattended; the passphrase-protected copy is kept as server.key.secure, and the certificate is self-signed for 365 days:

 sudo a2enmod ssl
 sudo a2ensite default-ssl
 cd
 openssl genrsa -des3 -out server.key 2048
 openssl rsa -in server.key -out server.key.insecure
 mv server.key server.key.secure
 mv server.key.insecure server.key
 openssl req -new -key server.key -out server.csr
 openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
 sudo cp server.crt /etc/ssl/certs
 sudo cp server.key /etc/ssl/private

Make the default http site redirect to https (replace accordingly, without the <>; Redirect needs a full URL, so keep the https:// scheme):

 cat /etc/apache2/sites-enabled/000-default
 <VirtualHost *:80>
      ServerAdmin webmaster@localhost
      Redirect permanent / https://<FQDN>/
 </VirtualHost>

Add this to /etc/apache2/httpd.conf:

 Alias /robots.txt /opt/apps/RatticWeb/static/robots.txt
 Alias /favicon.ico /opt/apps/RatticWeb/static/favicon.ico
 
 AliasMatch ^/([^/]*\.css) /opt/apps/RatticWeb/static/styles/$1
 
 Alias /media/ /opt/apps/RatticWeb/media/
 Alias /static/ /opt/apps/RatticWeb/static/
 
 <Directory /opt/apps/RatticWeb/static>
 Order deny,allow
 Allow from all
 </Directory>
 
 <Directory /opt/apps/RatticWeb/media>
 Order deny,allow
 Allow from all
 </Directory>
 
 WSGIScriptAlias / /opt/apps/RatticWeb/ratticweb/wsgi.py
 WSGIPythonPath /opt/apps/RatticWeb
 WSGIPassAuthorization On
 
 <Directory /opt/apps/RatticWeb/ratticweb>
   <Files wsgi.py>
     Order deny,allow
     Allow from all
   </Files>
 </Directory> 

And adapt /etc/apache2/sites-enabled/default-ssl.

Change this section so it points at the new certificate and key (the snakeoil lines are the original ones, now commented out):

      SSLCertificateFile    /etc/ssl/certs/server.crt
      SSLCertificateKeyFile /etc/ssl/private/server.key
 #     SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
 #     SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

And remove everything between these two lines, since the required parameters are already in httpd.conf:

      ServerAdmin webmaster@localhost

      ErrorLog ${APACHE_LOG_DIR}/error.log

Restart Apache:

 service apache2 restart

Tweak RatticDB:

I had to change these lines to include the full path; for some reason it was not working with relative ones:

This file: /opt/apps/RatticWeb/ratticweb/settings.py

These changes:

 config = RawConfigParser()
 config.readfp(open('/opt/apps/RatticWeb/conf/defaults.cfg'))
 config.read(['/opt/apps/RatticWeb/conf/local.cfg', '/etc/ratticweb.cfg']) 

Configure settings

Navigate to your Zentyal install and access “Office”, “Users and Computers”, “LDAP Settings” and check the needed info.

  • binddn: Read-only root DN
  • bindpw: Read-only password
  • userbase: Default Users DN
  • groupbase: Default Groups DN

Here are my local.cfg settings (I have changed identifiable information, that is):

 [ratticweb]
 debug = false
 timezone = <YOUR TIMEZONE>
 secretkey = <YOUR SECRET KEY>
 passwordexpirydays = 90
 urlroot = / 
 
 
 [filepaths]
 static = /opt/apps/RatticWeb/static
 
 [database]
 engine = django.db.backends.mysql
 name = ratticdatabase
 user = ratticuser
 password = awesomepassword
 host = 127.0.0.1
 port = 3306
 
 
 [ldap]
 # LDAP server details, note the port setting, this is important for Zentyal
 uri = ldap://HOST:390
 
 # Authentication
 binddn = cn=zentyalro,dc=company,dc=com
 bindpw = password
 
 # User parameters
 userbase = ou=Users,dc=company,dc=com
 userfilter = (uid=%(user)s)
 
 # Set up the basic group parameters.
 groupbase = ou=Groups,dc=company,dc=com
 groupfilter = (objectClass=zentyalDistributionGroup)
 grouptype = GroupOfNamesType
 
 # How do I find staff
 staff = cn=TheRatticGroup,ou=Groups,dc=company,dc=com

Replace the fields accordingly. Notice that debug is set to false, so you need to configure the ALLOWED_HOSTS setting accordingly in /opt/apps/RatticWeb/ratticweb/settings.py (with debug off, Django rejects requests whose Host header is not listed there).

In my case I added this to the end of the file:

 ALLOWED_HOSTS = [
     '<IP OF THE HOST>',
 ]

You can check more info on this here: https://docs.djangoproject.com/en/dev/ref/settings/
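As an added example (not part of this wiki or of RatticWeb’s own code), the following Python script parses the [ldap] section above with the same RawConfigParser that settings.py uses, sanity-checks the Zentyal-specific values, and shows what the userfilter template becomes for one username once the RFC 4515 filter metacharacters are escaped, which is what django-auth-ldap does before substituting the username. The sample config and the warning messages are constructed here.

```python
import configparser
import io
from urllib.parse import urlsplit

# Constructed sample: the [ldap] section of the wiki's local.cfg, placeholders included.
SAMPLE_LOCAL_CFG = """\
[ldap]
uri = ldap://HOST:390
binddn = cn=zentyalro,dc=company,dc=com
bindpw = password
userbase = ou=Users,dc=company,dc=com
userfilter = (uid=%(user)s)
groupbase = ou=Groups,dc=company,dc=com
groupfilter = (objectClass=zentyalDistributionGroup)
grouptype = GroupOfNamesType
staff = cn=TheRatticGroup,ou=Groups,dc=company,dc=com
"""


def load_ldap_section(text):
    # RawConfigParser, as in settings.py, so "%(user)s" in userfilter is kept literally.
    cfg = configparser.RawConfigParser()
    cfg.read_file(io.StringIO(text))
    return dict(cfg.items('ldap'))


def escape_filter_value(value):
    # RFC 4515 escaping of a value placed inside a search filter: the filter
    # metacharacters become \XX hex escapes so a username cannot alter the filter.
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def build_user_filter(template, username):
    # The search filter that the userfilter template yields for one login attempt.
    return template % {'user': escape_filter_value(username)}


def check_ldap_settings(ldap):
    # Sanity checks for the Zentyal-specific values the wiki calls out.
    problems = []
    if urlsplit(ldap['uri']).port != 390:
        problems.append('uri does not use port 390, the Zentyal OpenLDAP port')
    if '%(user)s' not in ldap['userfilter']:
        problems.append('userfilter has no %(user)s placeholder')
    if not ldap['staff'].lower().endswith(ldap['groupbase'].lower()):
        problems.append('staff DN is not under groupbase')
    if ldap['bindpw'] in ('', 'password'):
        problems.append('bindpw is empty or still the placeholder value')
    return problems
```

Run check_ldap_settings on your real local.cfg before touching the Zentyal firewall, so that a wrong port or a leftover placeholder is not mistaken for a connectivity problem.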

Now this will not work right away because Zentyal is blocking port 390; let’s add the exception to the firewall:

Go to “Gateway”, “Firewall”, “Packet Filter”, “Filtering rules from internal networks to Zentyal”, “Configure rules”

You will notice there is one rule with a red sign; click on “Edit”, change “Decision” from “DENY” to “ACCEPT”, and click “Save changes”.

All should work now.
