This is a step-by-step guide for installing the StockholmOpen.Net system. It is assumed that the reader has knowledge of Un*x administration in general and Un*x networking in particular. Installation of the StockholmOpen.Net system is more of "plug-and-pray" than "plug-and-play" right now.
Choose which machines should run the configuration services (BOOTP relay agent, MAC database and registration). Decide whether the access server and firewall should be colocated on the same machine. A tip is to start with one machine for access server and firewall if you're not sure you will need them separated (perhaps you're using a Cisco router?). They can easily be separated later.
The relay agent machine needs one additional interface for each operator present in order for the DHCP server to accept the request as authoritative. These interfaces should be aliases and be assigned an IP address belonging to the operator's subnet. In Linux, aliased interfaces can be created with "ifconfig eth0:0 10.0.0.1" (eth0:0 is the first alias, numbered from 0, of interface eth0).
/usr/local/sbin/oasis-firewall-sample. If the firewall is colocated with the access server (i.e., the firewall is controlled locally), the sample script will probably work fine (assuming you use iptables); otherwise use your imagination (SSH could be used to securely control a remote PC-based firewall, in which case you must set up public keys appropriately for automatic root access).
In the reset section you might want to include static rules for access to an upstream DNS server and other services that should be available before authentication.
The default firewall script redirects unauthenticated users to a local web server. If you decided to separate oasis and the firewall, this will not work directly; install a simple web server on the firewall that issues an HTTP redirect to the oasis web server.
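As an added example (not the project's oasis-firewall-sample, which is not reproduced on this page), here is a minimal iptables control script of the kind described above: a reset action that installs the static pre-authentication rules (the upstream DNS server) and the redirect of unauthenticated web traffic to the local login page, plus allow and deny actions for a single client address. The action names allow/deny, the interface, client subnet, upstream resolver address and login-page port are all assumed values set at the top; set IPTABLES=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example of an oasis-style firewall control script; not the project's
# oasis-firewall-sample. Actions: reset | allow CLIENT_IP | deny CLIENT_IP
# (the allow/deny action names are assumptions). Set IPTABLES=echo to print
# the rules instead of loading them.

IPTABLES=${IPTABLES:-iptables}
CLIENT_IF=${CLIENT_IF:-eth0}              # assumed client-facing interface
CLIENT_NET=${CLIENT_NET:-10.0.0.0/16}     # assumed client subnet
UPSTREAM_DNS=${UPSTREAM_DNS:-192.0.2.53}  # assumed upstream resolver (RFC 5737 example address)
LOGIN_PORT=${LOGIN_PORT:-8080}            # assumed port of the local login web server

# Accept only a dotted-quad address: the access server passes the client
# address as an argument, and nothing else must reach the iptables command line.
valid_ip() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# reset: the static rules that apply before any client has authenticated.
fw_reset() {
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F PREROUTING
    $IPTABLES -P FORWARD DROP
    # Reply traffic for connections already accepted
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services provided before authentication: the upstream DNS server
    $IPTABLES -A FORWARD -i "$CLIENT_IF" -s "$CLIENT_NET" -d "$UPSTREAM_DNS" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -i "$CLIENT_IF" -s "$CLIENT_NET" -d "$UPSTREAM_DNS" -p tcp --dport 53 -j ACCEPT
    # Unauthenticated web traffic is redirected to the local login page
    $IPTABLES -t nat -A PREROUTING -i "$CLIENT_IF" -s "$CLIENT_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$LOGIN_PORT"
}

# allow: insert per-client rules at the top of each chain so they take
# precedence over the static redirect and the default drop.
fw_allow() {
    valid_ip "$1" || return 1
    $IPTABLES -t nat -I PREROUTING -i "$CLIENT_IF" -s "$1" -j ACCEPT
    $IPTABLES -I FORWARD -i "$CLIENT_IF" -s "$1" -j ACCEPT
}

# deny: remove exactly the rules fw_allow inserted.
fw_deny() {
    valid_ip "$1" || return 1
    $IPTABLES -t nat -D PREROUTING -i "$CLIENT_IF" -s "$1" -j ACCEPT
    $IPTABLES -D FORWARD -i "$CLIENT_IF" -s "$1" -j ACCEPT
}

case "${1:-}" in
    reset) fw_reset ;;
    allow) fw_allow "$2" ;;
    deny)  fw_deny "$2" ;;
    "")    ;;   # sourced or run without an action: only define the functions
    *)     echo "usage: $0 reset | allow IP | deny IP" >&2; exit 1 ;;
esac
```

If the firewall is a separate machine controlled over SSH, the key the access server uses should be restricted in the firewall's authorized_keys with a command="..." forced command pointing at this script, so that the key can run the firewall actions and nothing else even though it logs in as root.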
client program. It's available in the src subdirectory in the source distribution.
/usr/local/var/www) and tailor it to your taste. They are quite minimal in order to make it easier to modify the design/layout.
/lib/security) and create a PAM configuration file for oasis.
Assuming you name your PAM service "gazonk", create the file /etc/pam.d/gazonk with the following contents for a Kerberos service (a Kerberos 4 PAM module is available at http://software.stockholmopen.net/):
auth required pam_krb4.so MY.REALM
Then point oasis to this PAM service by setting pam-service in the oasis configuration file to "gazonk". Now oasis will use the PAM rules in /etc/pam.d/gazonk when authenticating users for that domain. You can have different authentication mechanisms for different domains.
PAM is very flexible. For example, to use an existing Kerberos database but only allow a subset of the users in the Kerberos database, one can use the following in the PAM configuration file:
auth required pam_listfile.so onerr=fail sense=allow item=user file=/etc/userlist
auth required pam_krb4.so
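An added pre-flight check (example code, not part of oasis) for the PAM service configured above: it reads the service file under /etc/pam.d, finds every userlist that a pam_listfile.so line names with file=..., and fails if one is missing or world-writable, since pam_listfile refuses to read a world-writable list and, combined with onerr=fail, that would deny every user of the domain. The pam_check function and its optional second argument (an alternative PAM directory, useful for testing) are assumptions.

```shell
#!/bin/sh
# Added example, not part of oasis: sanity checks for the PAM service that
# oasis is pointed at (pam-service in the oasis configuration), e.g. "gazonk".
# Usage: pam_check SERVICE [PAMDIR]   (PAMDIR defaults to /etc/pam.d)

pam_check() {
    service=$1
    pamdir=${2:-/etc/pam.d}
    conf="$pamdir/$service"
    rc=0
    if [ ! -f "$conf" ]; then
        echo "$conf: PAM service file does not exist" >&2
        return 1
    fi
    # Every userlist named by a pam_listfile.so line (comment lines skipped).
    # The trailing sed always exits 0, so the assignment is safe under set -e.
    lists=$(grep -v '^[[:space:]]*#' "$conf" | grep 'pam_listfile\.so' \
            | sed -n 's/.*file=\([^[:space:]]*\).*/\1/p')
    for f in $lists; do
        if [ ! -f "$f" ]; then
            echo "$conf: userlist $f does not exist" >&2
            rc=1
            continue
        fi
        # pam_listfile refuses a world-writable list; with onerr=fail every
        # authentication through this service is then denied.
        if [ -n "$(find "$f" -perm -o+w)" ]; then
            echo "$conf: userlist $f is world-writable" >&2
            rc=1
        fi
        # Not fatal, but a list that others can edit decides who may log in.
        if [ -z "$(find "$f" -user root)" ]; then
            echo "$conf: warning: userlist $f is not owned by root" >&2
        fi
    done
    return $rc
}

# Run as a command: pam_check.sh gazonk
if [ $# -gt 0 ]; then
    pam_check "$@"
fi
```

Run it after editing /etc/pam.d/gazonk and again after any change to /etc/userlist; a non-zero exit means the domain would currently reject all logins.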
1. Step-by-step installation instructions