Debian testing installation:
----------------------------
Sometimes a testing installation is wanted instead of the stable branch.
The changeover is best (and easiest) done just after the basic install and
upgrade of the system, because that is when the fewest packages are
installed and the impact on Your system is minimal.
When using a testing system, there are some deviations from the normal
routine. In this document I describe each deviation as it occurs, relative
to the original document.
2.3.1. Updating to testing
--------------------------
Time to update to a testing distribution. When installing the system a
source for packages was selected. Hopefully the location You picked for
Your installation also mirrors the testing (sarge) version of the Debian
distribution.
Edit the /etc/apt/sources.list file, and update
Run "apt-get update"
Run "apt-get dist-upgrade"
Congratulations - You are now running Debian/Testing, and the rest of
the instructions will be applied to this distribution instead of the
stable version of the distribution.
3.2.1. Creating missing directories
-----------------------------------
As it is, the testing installation does not create the /var/lib/iptables
directory, which is needed to hold the various chains with the save
option of the /etc/init.d/iptables script. We need to create this
directory ourselves.
mkdir /var/lib/iptables
4.2.1. Upgrade webmin
---------------------
As the Debian/Testing distribution does not include all the needed
modules necessary for the system, we will need to upgrade from the
webmin home location instead of the debian repository.
Go to the webmin administration interface, and select
Webmin configuration -> Update
Now select to upgrade directly from www.webmin.com, and do the upgrade.
5.1.1. Installing webmin module
-------------------------------
The upgrade in 4.2.1. also updated some standard modules, of which
bind is one. It is not required to install webmin-bind8 in this
case.
If however the packages installed by Debian were already the latest
versions, then You need to manually install the bind8 module. This
is done by
Webmin -> Webmin Configuration -> Webmin Modules
Select standard module from www.webmin.com, and select bind8.
Let webmin install the module, and You should be ready to continue.
This will be the standard method to install modules required by Webmin.
6.1.1. Configuring slapd
------------------------
At this point You should disable the v2 protocol. That means answering
no to "Allow LDAPv2 protocol".
6.4.1. Configuring SLAPD
------------------------
In the file /etc/default/slapd You can define which ports slapd is
supposed to listen on. This is described by the SLAPD_SERVICES directive
which is further described in the file itself.
You can therefore enter the following in this file:
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldap://192.168.228.10/"
and the service will then only listen on those two IP addresses.
6.6.3.1. I have no name!
------------------------
You might get this strange message when using LDAP as a login service.
This means that You are unable to resolve the UID as a normal user, which
implies that the normal user is not allowed to make a search in the
LDAP database.
More frequently it is a sign that the user is unaware of how to get to
the information needed to resolve these group and user ids.
I usually find that /etc/libnss-ldap.conf is root-access only. As there
is no critical security information in this file - unless You put it
there - it can safely be made readable by everyone
chmod a+r /etc/libnss-ldap.conf
This is important because we are using NSS (Name Service Switch) to look
up the IDs of users and groups. If we are not allowed to look in the
config file as normal users, these users are unable to look this up, and
consequently You get these weird messages.
Later we will configure services to use LDAP, and here we need to enter
the groups the services use into LDAP. This makes for some duality, as
the group-ids are both in LDAP and in flat file, but it saves on the
confusion when looking up UIDS and permissions for various users.
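The check below is an added example, not part of the original guide: it
makes an nss_ldap configuration world-readable only when the file holds no
bindpw directive, which is where a bind password would sit. The function
names and the two sample files are constructed for illustration.

```shell
# Added example, not from the original guide. Function names are hypothetical.

# Succeeds when the file has an uncommented "bindpw" directive,
# i.e. it stores the password nss_ldap uses to bind to the directory.
has_bind_password() {
    awk 'tolower($1) == "bindpw" { found = 1 } END { exit !found }' "$1"
}

# Make the config world-readable only when it holds no bind password.
open_nss_ldap_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    if has_bind_password "$conf"; then
        echo "refusing: $conf sets bindpw, keep it root-only" >&2
        return 1
    fi
    chmod a+r "$conf"
}

# True when "other" has read permission (position 8 of the ls mode string).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Constructed sample files standing in for /etc/libnss-ldap.conf.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'host 127.0.0.1\nbase dc=abode,dc=dk\nldap_version 3\n#bindpw unused\n' \
    > "$demo_dir/anonymous.conf"
printf 'host 127.0.0.1\nbase dc=abode,dc=dk\nbindpw CONSTRUCTED-SECRET\n' \
    > "$demo_dir/with-password.conf"
chmod 600 "$demo_dir/anonymous.conf" "$demo_dir/with-password.conf"

for f in "$demo_dir/anonymous.conf" "$demo_dir/with-password.conf"; do
    if open_nss_ldap_conf "$f" 2>/dev/null; then
        echo "$f: now world-readable"
    else
        echo "$f: left root-only"
    fi
done
```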
6.6.5.1 Editing the tools
-------------------------
Remember that we only allow protocol version 3?
Well, these scripts were written when only protocol version 2 was
available, and therefore they use protocol 2.
Change the scripts, so that they use version 3 instead. In each script
make sure that the following is present:
$config{ldap_version} = 3;
And You should be good to go.
8.2.1 Spamassassin as a daemon
------------------------------
Using the newer versions of spamassassin does not really require much
difference in setup, but the methods have changed a bit...
The thing is that spamassassin now runs as a daemon, and as such we
don't want to rely on a shell script, but utilize the spamd daemon
instead. This is done by simply changing the transport for the
spamassassin filter
--------
#
# Spamassassin filter
#
spamassassin unix - n n - - pipe
  user=filter argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
--------
The rest stays the same. You might want to read up on spamc, as this
provides a method to avoid making the shell script.
8.2.2 Adding SPF (Sender Policy Framework)
------------------------------------------
A new way to combat spam is to add SPF checking, which checks where the
mail was sent from, and whether that host is allowed to send for the
address the mail claims to come from.
!!! Caution !!!
Adding this will make delivery of incoming mails slower, as there
is a DNS lookup involved, and this can take some time.
!!! Caution !!!
--------
policy unix - n n - - spawn
  user=nobody argv=/usr/bin/perl /usr/lib/postfix/smtpd-policy.pl
--------
--------
smtpd_recipient_restrictions =
  ...
  check_policy_service unix:private/policy
  ...
--------
Then download the script smtpd-policy.pl from spf.pobox.com and copy
it to /usr/lib/postfix/smtpd-policy.pl. Remember to make it executable.
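Where check_policy_service lands among the elided restrictions matters:
the Postfix policy documentation says to list it after
reject_unauth_destination, or the system could become an open relay. The
check below is an added example, not part of the original guide; the
function names and both main.cf fragments are constructed.

```shell
# Added example, not from the original guide. Function names are hypothetical.

# Print the tokens of smtpd_recipient_restrictions one per line, in evaluation
# order. A main.cf value continues on lines that start with whitespace;
# restrictions are separated by commas and/or whitespace.
recipient_restrictions() {
    awk '
        function emit(   i, n, w) {
            gsub(/,/, " ")
            n = split($0, w, " ")
            for (i = 1; i <= n; i++) print w[i]
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        /^smtpd_recipient_restrictions[ \t]*=/ { on = 1; sub(/^[^=]*=/, ""); emit(); next }
        /^[ \t]/ { if (on) emit(); next }       # continuation line
        { on = 0 }                              # any other parameter ends it
    '
}

# Prints "ok", "no-policy-service" or "policy-before-relay-check".
policy_service_order() {
    recipient_restrictions < "$1" | awk '
        $0 == "reject_unauth_destination" && !relay { relay = NR }
        $0 == "check_policy_service" && !policy     { policy = NR }
        END {
            if (!policy) { print "no-policy-service"; exit 0 }
            if (!relay || policy < relay) { print "policy-before-relay-check"; exit 1 }
            print "ok"
        }'
}

# Constructed main.cf fragments.
cf_dir=$(mktemp -d)
trap 'rm -rf "$cf_dir"' EXIT
cat > "$cf_dir/good.cf" <<'EOF'
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:private/policy
mydestination = localhost
EOF
cat > "$cf_dir/bad.cf" <<'EOF'
smtpd_recipient_restrictions =
    check_policy_service unix:private/policy,
    permit_mynetworks, reject_unauth_destination
EOF
for f in good bad; do echo "$f.cf: $(policy_service_order "$cf_dir/$f.cf")"; done
```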
9.1.1 Editing /etc/pam.d/imap
-----------------------------
Instead of adding a lot of lines with auth... session... and so on, all
You need to do now is to include the common-
--------
@include common-auth
@include common-account
@include common-password
@include common-session
--------
And You should be ready to go. This also applies later when more services
need to do the same thing.
10.2.1 Also needed for Group lookup
-----------------------------------
In addition to the other LDAP entries in the configuration file, You also
need to add the following
LDAPDoGIDLookups on "dc=abode,dc=dk"
And one little extra thingie...
PersistentPasswd off
Just as described in the default configuration file...
10.2.2.x Enabling special shells
--------------------------------
If a user is unable to login, it might be because the user is assigned a
special shell (/bin/true could be an example). To enable proftpd to allow
login when this shell has been assigned, You need to update the /etc/shells
file to also include these non-standard shells.
13.1.0 Installing apache
------------------------
This is a newer version. We want to use a newer web server, and we go with
apache2 instead of apache.
We need to be careful here, as a lot of packages default to apache 1.3.x
instead of the installed version.
The key here is to keep an eye on which packages it wants to install, and
here the order of packages is important.
Example:
--------
If You use "apt-get install apache2 libapache2-mod-perl2 php4" which would
be the logical replacement for the stable guide, a lot of packages having to
do with apache 1.3.37 will be installed.
If You use "apt-get install apache2 libapache2-mod-php4 libapache2-mod-perl2
php4", You will get more in line with a newer installation.
I therefore use the following:
apt-get install apache2 libapache2-mod-php4 php4 php4-pear \
libapache2-mod-perl2
13.2.x Configuring apache2
--------------------------
When following the above, there are some changes to the normal procedure.
Some of the most significant changes are in how the configuration files
are set up. You could keep the all-in-one approach, but in the Debian
universe, this is not really a good idea.
Configuration in Debian apache2 is primarily directory/file based. This
means that each module and virtual site has its own configuration file.
Enabling a module/virtual site requires only that a symbolic link in an
enabling directory points to the configuration to be used. Everything in
the enabling directories is then included in the main apache2.conf file.
As I said earlier, You could still just use one huge configuration file,
but it's somewhat more versatile using lots of different small files.
Directory structure:
/etc/apache2
/etc/apache2/mods-available
/etc/apache2/mods-enabled
/etc/apache2/sites-available
/etc/apache2/sites-enabled
Configuration files go to the (mods|sites)-available directories.
Enabling a site is just linking to these files
cd /etc/apache2/x-enabled
ln -s /etc/apache2/x-available/
I like to have the extension .php4 execute as a php4 script. Weird huh?
In apache2 I just do the following
cd /etc/apache2/mods-enabled
vi php4.conf
Add .php4 to the application handler, just as in apache.
I then update DirectoryIndex in /etc/apache2/apache2.conf, or I specify
DirectoryIndex for each virtual site.
13.3.1 Disabling perl not necessary
-----------------------------------
It seems that a new policy has been implemented, and that You really need
to set up perl-script execution from the bottom now. There is no need to
disable perl anymore, just remember to enable it in the sites that need it.
14.1.x Installing PostgreSQL
----------------------------
apt-get install postgresql php4-pgsql libdbd-pg-perl \
postgresql-doc libpg-perl
You will not get to choose unicode, but between European or American
dates. I chose European, as I live in Europe.
14.2.x Configuring PostgreSQL
-----------------------------
Some changes have been made to the standard securing of PostgreSQL.
pg_hba.conf is now to contain the following:
host   template1  all       192.168.228.0  255.255.255.0  md5
local  sameuser   all                                     ident sameuser
host   sameuser   all       127.0.0.1      255.0.0.0      ident sameuser
host   sameuser   all       192.168.228.0  255.255.255.0  md5
local  all        postgres                                ident sameuser
host   all        all       0.0.0.0        0.0.0.0        reject
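PostgreSQL reads pg_hba.conf from the top and uses the first line whose
type, database, user and address match, so the order of these lines decides
the outcome. The evaluator below is an added example, not part of the
original guide; its function names are hypothetical, the rule set is
modelled on the listing above (local lines carry no address fields), and
the connections are constructed.

```shell
# Added example, not from the original guide. Function names are hypothetical.

# Dotted quad -> 32-bit integer (the subshell body keeps the IFS change local).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# hba_match TYPE DATABASE USER [CLIENT-IP] < rules
# Prints the method of the first matching rule; fails when nothing matches.
hba_match() {
    want_type=$1 want_db=$2 want_user=$3 want_ip=${4:-}
    while read -r type db user rest; do
        case $type in ''|'#'*) continue ;; esac
        [ "$type" = "$want_type" ] || continue
        case $db in
            all) ;;
            sameuser) [ "$want_db" = "$want_user" ] || continue ;;
            *) [ "$db" = "$want_db" ] || continue ;;
        esac
        [ "$user" = all ] || [ "$user" = "$want_user" ] || continue
        if [ "$type" = host ]; then
            set -- $rest                    # address, netmask, method [option]
            mask=$(ip_to_int "$2")
            [ $(( $(ip_to_int "$want_ip") & mask )) -eq $(( $(ip_to_int "$1") & mask )) ] || continue
            shift 2; rest=$*
        fi
        echo "$rest"; return 0
    done
    echo "no matching line: connection refused"
    return 1
}

# Rule set modelled on the listing above.
pg_hba_rules() {
    cat <<'EOF'
host   template1  all       192.168.228.0  255.255.255.0  md5
local  sameuser   all                                     ident sameuser
host   sameuser   all       127.0.0.1      255.0.0.0      ident sameuser
host   sameuser   all       192.168.228.0  255.255.255.0  md5
local  all        postgres                                ident sameuser
host   all        all       0.0.0.0        0.0.0.0        reject
EOF
}

for conn in "host template1 alice 192.168.228.42" "host sales alice 192.168.228.42"; do
    echo "$conn -> $(pg_hba_rules | hba_match $conn)"
done
```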
15.2.x Configuring MySQL
------------------------
Hurray... Debian maintainers have set more reasonable values for the
MySQL setup. The anonymous user now has NO permissions, but You still
need to set a root password.
16.1.x Installing
-----------------
A bit of changes in the packages.
apt-get install cupsys \
  cupsys-client \
  cupsys-bsd \
  cupsys-pdf \
  cupsys-driver-gimpprint \
  foomatic-bin \
  foomatic-filters \
  foomatic-filters-ppds \
  foomatic-db \
  foomatic-db-engine \
  foomatic-db-gimp-print \
  gs-esp \
  a2ps \
  mpage \
  enscript \
  groff \
  html2ps \
  psutils
A bit of an expansion, but formats keep changing. This selection also
installs some X packages. This is because some of the packages include
programs built on some X libraries (gs-esp is a prime example).
16.2.1 Configuring a printer
----------------------------
I skipped this step in the original, so here it comes...
Point a browser at http://:631/
Select "Do administration tasks"
Do Your configuring.
19. ntp server
--------------
apt-get install ntp-server
Add a line in /etc/ntp.conf with
server
20. Zope/Plone
--------------
Mainly, it's a case of installing zope and plone packages.
apt-get install zope2.7 zope plone
If You want to add modules, this can be done later. It's pretty
important to add the zope2.7 package, even if zope can run without it.
This is because it seems to add some basic utilities for zope. While
zope does function without these files, it's still better to get them
onto the system.
Browse which packages You want to add by issuing
apt-cache search zope
apt-cache search plone
and afterwards inspect each package
apt-cache show
Zope/Plone is a very CPU intensive system. Even very small sites get
intolerably slow on a PIII-450 with 386 Mb RAM. It maxes cpu-usage -
even on static pages delivered by plone.
It seems to work reasonably well on an AMD XP1800+ with 512 Mb RAM.