ComBase has three executable programs that do all the work: sysadmin-form, acct-form, and sysmaint. The sysadmin-form program handles CGI requests for the forms used for ComBase functions; it is the CGI script behind the user interface, and runs as user 'www' (or whatever user your web server runs as). The acct-form program is similar, with limited capabilities for users to change passwords, etc. The sysmaint program is invoked by the CGI programs to actually perform updating of the system password, shadow, and Radius user files. This program runs as root using the 'suid' capability, and requires a security token called a sessionID, which is generated when a user logs in on the ComBase sign-on screen.
ComBase installs in a sub-folder of isptools that is of the form combase-2.1. There will also be a symbolic link created to the active ComBase folder, with the name of combase. Consequently, you can connect to the active ComBase root folder by cd ~/combase.
Installation Overview
Installation steps are described in the following categories below:
1. Obtaining ComBase
ComBase is downloaded or transmitted via email as a tar.gz file. (Work is
in progress to also distribute it as an .rpm file). Download the file from
the Comware International anonymous FTP site at: ftp://www.comnets.com under the
directory 'downloads', or use a web browser to obtain it at
Downloadable DEMO versions of ComBase are available for operation for a
specified period of time (i.e., with expiration date). Production versions
of ComBase are available at time of purchase. DEMO Versions are named like:
combase-demo-2.1.tar.gz, while Production Versions are named like:
combase-2.1.tar.gz.
2. Creation of ISP Tools and User Account/Directory
ComBase is assumed to be installed under a user account/directory called isptools, with a group code of daemon. It is assumed (as described later in this document) that the web server runs as www with a group ID of daemon, allowing the web server to correctly invoke the ComBase CGI program. Consequently, the user ID isptools is created with a default group of daemon.
2a. Create a user login account for ComBase. This is typically called isptools, and must be included in the group named daemon. (Group names are defined in /etc/group.) Make sure to set the active group name for isptools to be daemon. This is typically done with the following command:
| useradd -c "ISP Software Tools" -d /home/isptools -m -g daemon isptools |
| passwd isptools |
| (newpasswd) |
| (newpasswd) |
Make sure the new user isptools is a member of group daemon by examining the /etc/group file; the group daemon should include the user name isptools.
2b. Logout, then Login as isptools, with the password chosen above.
3b. Place the ComBase executable file in the isptools home directory. This is typically named combase-demo-1.0b.tar.gz (demo version) or combase-1.0b.tar.gz (production version). This can be obtained by download from the Comware International website, via E-mail, or via other software distribution medium.
Note: if you are upgrading to a new version of ComBase, you should delete the old version prior to expanding the above tar file. This can be done by simply issuing the following:
| cd |
| rm -fr combase |
The following assumes you are installing the demo version of the software. If you are installing the production version, ignore the –demo suffix below.
2c. After obtaining the file, de-compress it using gunzip, as in:
| gunzip combase-demo* (or gunzip combase-* for production versions) |
This results in a tar file (e.g., combase-demo-2.1a.tar).
2d. Now expand the tar file using the following command:
| tar -x -v --same-owner -p -f combase-demo-2.1a.tar (demo version) |
| -or- |
| tar -x -v --same-owner -p -f combase-2.1a.tar (production version) |
The above creates a directory named combase-2.1 as well as a group of sub-directories. The --same-owner option to the tar command tells it to create the new files under the same user ID and group ID as that saved (isptools:daemon). The -p option tells it to install the files with the same protection attributes.
You now need to define a symbolic link to the active combase folder, using the following commands:
| cd ~ |
| rm -f combase |
| ln -s combase-2.1 combase |
At this point, the ComBase distribution folder may be referenced as /home/isptools/combase.
2e. Verify (using the ls -l command) that the owner of the files is isptools, with a group owner of daemon.
If not, you can make sure you have correct file ownership (user isptools, group daemon) using the following command:
| cd ~ |
| chown -R isptools:daemon combase |
3. Defining Administrative Users
ComBase requires that each administrative user have a login account on the target server, and be listed in a file named "allowed-users". To set up this file, do the following (assuming you're in the isptools home directory):
| cd ~/combase/cgi-bin |
| edit allowed-users (using your favorite editor: joe, vim, vi, emacs, etc.) |
You might notice the format of the file consists of a set of lines containing username null null. You might expand on this as follows:
| isptools null null |
| joeschmoe null null |
| sally null null |
Having an entry in this file grants administrative authority to the named user. The named user must have a login account on the system on which ComBase is installed.
After changing this file, make sure you set the protection on it so it is writable only by root, as follows:
| su (enter root password) |
| chown root:daemon allowed-users |
| chmod 750 allowed-users |
| exit |
The above protection allows the file to be read by group daemon. Both the isptools user ID and the web server (presumably www), and by extension its CGI program, are members of that group, since daemon is the assumed web server group ID.
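A check for the result of this step, added here as an example and not part of ComBase: the function below audits an allowed-users file for ownership, mode, and entry format. The function name and its arguments are hypothetical, and it assumes a stat that supports -c (as on Linux) and that every entry has exactly three fields.

```shell
#!/bin/sh
# Added example: audit the allowed-users file described in step 3.
# Usage: check_allowed_users FILE OWNER GROUP   (returns 0 if clean, 1 otherwise)
check_allowed_users() {
    file=$1 want_owner=$2 want_group=$3 bad=0

    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # Ownership: the page sets root:daemon so only root can grant admin rights.
    owner=$(stat -c %U "$file"); group=$(stat -c %G "$file")
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "owner is $owner:$group, expected $want_owner:$want_group"; bad=1
    fi

    # Mode: no group-write and no access for others (octal mask 027).
    mode=$(stat -c %a "$file")
    if [ $(( 0$mode & 027 )) -ne 0 ]; then
        echo "mode $mode is too permissive"; bad=1
    fi

    # Content: each entry has three fields (assumed from "username null null")
    # and must name an existing login account.
    lineno=0
    while read -r user f2 f3 extra || [ -n "$user" ]; do
        lineno=$((lineno + 1))
        [ -n "$user" ] || continue                 # skip blank lines
        if [ -z "$f3" ] || [ -n "$extra" ]; then
            echo "line $lineno: expected three fields"; bad=1; continue
        fi
        if ! id -u "$user" >/dev/null 2>&1; then
            echo "line $lineno: no login account for '$user'"; bad=1
        fi
    done < "$file"

    return "$bad"
}

# Runs only when called with three arguments, e.g.
#   sh check.sh ~/combase/cgi-bin/allowed-users root daemon
[ "$#" -ne 3 ] || check_allowed_users "$@"
```

Each finding is printed on its own line, so the output can be reviewed after every edit to the file.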
4. Configuring/Customizing the ComBase program
ComBase normally requires a configuration step, although in many cases it will run by simply installing the binaries. It is highly recommended that the shipped software be configured and re-linked because of differences between runtime libraries.
This step requires that you edit the file isptools/combase/src/syscnf.h
The shipped ComBase binaries make the following assumptions about your system in order to work without any changes to the configuration.
The shipped executables are linked under RedHat Version 6.2 distribution, and are assumed to run on glibc Version 2. Typically, however, you want to check the configuration files and do a 'make' for this particular installation.
The process of configuration includes specifying the locations of the files such as /etc/shadow and /etc/passwd. The binary distribution of ComBase assumes the implementation of shadow passwords.
4a. Edit the configuration file ~/combase/src/sysmaint/syscnf.h, checking each entry against the configuration on your system (See syscnf.h notes). Save the file.
4b. Change the working directory to ~/combase/src, and issue a make command to create a new sysmaint program and sysacct program.
4c. Now set correct authorizations on sysmaint and sysacct. To do this, issue the following commands:
| cd ~/combase |
| su (root) |
| ./combase-enable |
| exit |
5. Providing Symbolic Links to ComBase
ComBase is connected to your Root Web by means of symbolic links. These links provide for HTML and CGI requests to the combase folders (/home/isptools/combase, and /home/isptools/combase/cgi-bin, respectively).
5a. The following steps require changing the web server configuration files, and therefore require you to change to root authority. Issue the su command, then enter the root password.
5b. Change to the "home" directory of your web server, and provide a symbolic link to ComBase. This is usually /home/httpd/htdocs for RedHat distributions, but may be other values for other distributions of Linux. For example, /usr/local/etc/httpd/htdocs (Slackware distributions).
| cd /home/httpd/htdocs |
5c. Locate the home directory for the isptools directory by doing a finger isptools command (e.g., Directory: /home/isptools).
5d. Create a symbolic link to the combase directory from the web server home directory. Assuming your isptools directory is /home/isptools, use the following command:
| ln -s /home/isptools/combase combase |
5e. Change to the web server CGI directory (cgi-bin). On RedHat Linux systems, this is typically /home/httpd/cgi-bin, but may be other values like /usr/local/etc/httpd/cgi-bin on other distributions such as Slackware.
| cd /home/httpd/cgi-bin |
5f. Create a symbolic link to the combase cgi-bin directory.
| ln -s /home/isptools/combase/cgi-bin combase |
6. Configuring the Apache Web Server
ComBase has been tested on the Apache webserver that is distributed with RedHat Linux. The configuration files for Apache are located in the /etc/httpd/conf folder.
6a. ComBase requires that the server run as group ID daemon. It is also preferable to have the server run as user ID www. ComBase assumes that the web server has the ability to access and execute the ComBase CGI-BIN programs located in /home/isptools/cgi-bin. By default, the Apache web server sets the User ID/Group ID to "nobody"/"nobody". Change the User ID to a valid user ID such as "www" and the Group ID to "daemon". Edit the httpd.conf file so it contains the following:
| User www |
| Group daemon |
6b. ComBase requires the ability to follow symbolic links to the isptools/combase directory, and also requires the ability to execute CGI-BIN programs. These are controlled by the following settings in the web server configuration file httpd.conf. Edit this file to make sure that the following are included in the Options statement for <Directory /home/httpd/htdocs>: ExecCGI and FollowSymLinks.
6c. ComBase requires the ability to follow symbolic links to the isptools/combase directory, and also requires the ability to execute CGI-BIN programs. These are controlled by the following settings in the web server configuration file httpd.conf. Edit this file to make sure that the following are included in the Options statement for <Directory /home/httpd/htdocs>: ExecCGI and FollowSymLinks.
6d. If not already defined, add a new user for your Linux system called "www". You can check to see if this user already exists by doing a finger www command. If it doesn't exist, define a user ID for the web server of "www", and make it a member of group "daemon". Set the default group name for user "www" to be "daemon". This can be specified by setting the group number in the passwd file to be the group number of "daemon". The group number of "daemon" is listed in the file /etc/group; the default group number of a user is the fourth parameter in each line of the passwd file (following the user name, an optional password, and a UID value, separated by the ':' character). The name www should be included in the list of users associated with group daemon in the /etc/group file.
6e. After making changes to the configuration files, you will have to restart the web server to get it to re-read the configuration files. This can be done by changing to the start-up directory (e.g., /etc/rc.d/rc3.d) and issuing the following command:
| cd /etc/rc.d/rc3.d |
| ./S??httpd restart |
(If the above command yields an error, check to make sure your web server is included in your system configuration; there should be a startup file of the form S85httpd in that directory!)
Upon completion of these steps, it should be possible to access the ComBase login sequence using the URL:
7. Create User Home Directories
Home directories are assumed whenever a user login directory is created.
These are assumed to be the following:
| Home Directory Path | User Directories beginning with... |
|---|---|
| /home/AF/ | A through F (e.g., charlie) |
| /home/GM/ | G through M (e.g., oscar) |
| /home/NS/ | N through S (e.g., tango) |
| /home/TZ/ | T through Z (e.g., uniform) |
User directories are created as sub-directories of the above directories. User 'oscar' thus has a home directory of /home/NS/oscar.
It is also possible to use an alternate scheme: for example, the home directories for all users beginning with the letter 'b' might be found under /home/B, and all users beginning with the letter 'c' under the directory /home/C etc. In this case, you need to edit the table in ~/combase/src/sysmaint/syscnf.h, including the names of the root directories to be used when login accounts are created.
If the above directory-naming scheme is used, create each of the above directories after logging in as root, as follows:
| su (enter root password) |
| mkdir /home/AF |
| mkdir /home/GM |
| mkdir /home/NS |
| mkdir /home/TZ |
| exit |
8. Installing the PAM Configuration File
In order for PAM to authenticate users by request of ComBase, you have to add a file in the /etc/pam.d directory, with the following name: combase.
Of course, you have to have root authority at this point to modify this directory, so first su to root. Then add a file having the following content:
| auth required /lib/security/pam_pwdb.so shadow nullok nodelay |
9. Trouble-shooting
Here are some things to check if things go awry when you try to login or use ComBase: