forked from extern/egroupware
149 lines
5.2 KiB
Plaintext
149 lines
5.2 KiB
Plaintext
|
eGroupWare for Debian
|
||
|
=====================
|
||
|
|
||
|
Table of Contents
|
||
|
-----------------
|
||
|
|
||
|
- General
|
||
|
- Security Advisory
|
||
|
- Preparation Steps for PostgreSQL
|
||
|
- Preparation Steps for MySQL
|
||
|
- LDAP Setup
|
||
|
|
||
|
|
||
|
General
|
||
|
-------
|
||
|
|
||
|
It is highly recommended that eGroupWare only be accessible through
|
||
|
SSL (https). This will protect the transmission of your users'
|
||
|
passwords and personal data. Users of Apache 1 can achieve that by
|
||
|
configuring eGroupWare only for Apache-SSL. For users of Apache 2, it
|
||
|
may be necessary to explicitly disable access to eGroupWare without
|
||
|
SSL, for example with the following configuration in the respective
|
||
|
virtual host definition:
|
||
|
|
||
|
<Directory /usr/share/egroupware>
|
||
|
Order deny,allow
|
||
|
Deny from all
|
||
|
</Directory>
|
||
|
|
||
|
The URL for the eGroupWare installation is of the form
|
||
|
<http(s)://yourhostname/egroupware/>. You can change this and some
|
||
|
other web-related settings in /etc/egroupware/apache.conf. But you
|
||
|
first need to do some setup, so read on ...
|
||
|
|
||
|
Please log in to the web-based eGroupWare setup tool after installing
|
||
|
or upgrading the eGroupWare packages. The URL is of the form
|
||
|
<http(s)://yourhostname/egroupware/setup/>. If this is your first
|
||
|
installation, you should first prepare the database management system
|
||
|
of your choice and optionally an LDAP server as outlined below. The
|
||
|
connection parameters for the database and optionally the LDAP server
|
||
|
must later be entered in the setup tool.
|
||
|
|
||
|
Also log in to the web-based setup tool before uninstalling eGroupWare
|
||
|
application packages to unregister those applications. The Debian
|
||
|
package management system cannot do that automatically. If you forget
|
||
|
that, you will have leftovers from the uninstalled applications in the
|
||
|
database. (If you forget, you can reinstall the package, unregister
|
||
|
the application, and remove it again.)
|
||
|
|
||
|
The eGroupWare Debian package does not clear out or drop the database
|
||
|
when the package is purged. You need to do that yourself.
|
||
|
|
||
|
|
||
|
Security Advisory
|
||
|
-----------------
|
||
|
|
||
|
eGroupWare stores the database password in plain text in
|
||
|
/var/lib/egroupware/header.inc.php. This file is readable by the user
|
||
|
www-data, which means that every user that can execute user-defined
|
||
|
scripts (PHP, CGI, etc.) running as the web server user www-data can
|
||
|
read this file and steal all your eGroupWare data. Therefore you
|
||
|
should do at least one of the following:
|
||
|
|
||
|
- Don't allow any untrusted users on your machine.
|
||
|
|
||
|
- Don't allow any untrusted users to run their own PHP, CGI, etc.
|
||
|
|
||
|
- Make sure all the user-defined content is run as a different user,
|
||
|
for example using suEXEC.
|
||
|
|
||
|
Alternatively, you may want to run eGroupWare as a separate user or in
|
||
|
a separate Apache instance altogether, but this is nontrivial to set
|
||
|
up and not supported by this package (yet). Suggestions are welcome.
|
||
|
|
||
|
|
||
|
Preparation Steps for PostgreSQL
|
||
|
--------------------------------
|
||
|
|
||
|
The PostgreSQL database system can be on a remote host, of course.
|
||
|
Substitute the appropriate IP addresses below.
|
||
|
|
||
|
Create a user and database for eGroupWare:
|
||
|
|
||
|
# su - postgres
|
||
|
$ createuser -A -D -P egroupware
|
||
|
[enter a password for the user when prompted]
|
||
|
$ createdb egroupware
|
||
|
|
||
|
You need to configure PostgreSQL to allow connections from the web
|
||
|
server. This is not allowed by default. Add a line like this to
|
||
|
/etc/postgresql/x.y/foo/pg_hba.conf (where "x.y" is the version number
|
||
|
such as "8.1", and "foo" is the name of the cluster instance such as
|
||
|
"main"), most simply before all other records:
|
||
|
|
||
|
host egroupware egroupware 127.0.0.1 255.255.255.255 md5
|
||
|
|
||
|
(This allows any OS user from 127.0.0.1 to connect to the PostgreSQL
|
||
|
database "egroupware" as PostgreSQL user "egroupware" if they can
|
||
|
supply a valid password.)
|
||
|
|
||
|
If you are using PostgreSQL 7.4, you need to allow TCP/IP access to the
|
||
|
database server by setting the parameter tcpip_socket to true in
|
||
|
postgresql.conf. In 8.0 and later, the parameter is called
|
||
|
listen_addresses and the default is sufficient.
|
||
|
|
||
|
After having made these changes, run
|
||
|
|
||
|
# /etc/init.d/postgresql-x.y reload
|
||
|
|
||
|
More information about PostgreSQL client authentication can be found
|
||
|
in the file
|
||
|
/usr/share/doc/postgresql-doc-x.y/html/client-authentication.html in
|
||
|
the package postgresql-doc-x.y.
|
||
|
|
||
|
|
||
|
Preparation Steps for MySQL
|
||
|
---------------------------
|
||
|
|
||
|
Set up a database for eGroupWare and grant user access:
|
||
|
|
||
|
$ mysql -u root
|
||
|
mysql> CREATE DATABASE egroupware;
|
||
|
mysql> GRANT ALL ON egroupware.* TO 'egroupware'@'localhost' IDENTIFIED BY "password";
|
||
|
|
||
|
If the MySQL server is on a remote host, substitute the name of the
|
||
|
host of the web server for localhost in the statement above.
|
||
|
Additionally, the option bind-address in /etc/mysql/my.cnf may need to
|
||
|
be changed to accept connections from remote hosts.
|
||
|
|
||
|
|
||
|
LDAP Setup
|
||
|
----------
|
||
|
|
||
|
To be able to store eGroupWare user or addressbook data in an LDAP
|
||
|
server (not required; you can use an SQL database):
|
||
|
|
||
|
1. Install the package egroupware-ldap on the machine hosting the LDAP
|
||
|
server (only OpenLDAP 2.x is supported), and follow the
|
||
|
instructions in its /usr/share/doc/egroupware-ldap/README.Debian.
|
||
|
This prepares the LDAP server for eGroupWare data.
|
||
|
|
||
|
2. Follow the instructions in
|
||
|
/usr/share/doc/egroupware-core/setup/README.ldap.gz once you are in
|
||
|
the domain configuration phase. This tells eGroupWare to use the
|
||
|
LDAP server.
|
||
|
|
||
|
|
||
|
-- Peter Eisentraut <petere@debian.org>, August 2006
|