Scribe update to 2.4

Posted By: pmietlicki

Published to Work on Sep 14, 2015

EOLE 2.4 migration

  • Create a new file /etc/apt/apt.conf.d/02eolecache (if you have an apt-cacher server) :
Acquire::http::Proxy "http://apt-cache.ac-acad.fr:3142";
  • I had to modify the Maj-Auto script (line 291 after wget) :
if [ $? -ne 0 ]; then

instead of :

if [ $? = 0 ]; then
  • I've copied all the new archive files for the new version (2.4) inside /var/cache/apt/archives
  • I've deleted /etc/apt/preferences.d/eole (apt-pinning)
  • Creation of a new apt pinning for lucid :
Package: php5 php5-cli php5-common php5-curl php5-gd php5-intl php5-ldap php5-mcrypt php5-mysql php5-readline php5-sqlite php5-xmlrpc php-pear libapache2-mod-php5
Pin: release a=lucid
Pin-Priority: 1001

Don't forget to remove the old version entries inside sources.list, for example :

rm /etc/apt/sources.list.d/eole-2.4.list
apt-get dist-upgrade 
Maj-Auto -E

More information in the official doc

  • Deactivate owncloud, moodle, jabberd (in Services), etherpad and ethercalc inside gen_config
reconfigure
reboot
apt-eole remove librpc-xml-perl
a2dismod auth_cas
a2dissite ethercalc
a2dissite etherpad
rm /etc/apt/preferences.d/lucid
apt-get update
apt-eole remove eole-ethercalc ethercalc-apps eole-etherpad etherpad-apps

Please don't forget to retrieve all the new archive files and copy them inside /var/cache/apt/archives !

Don't forget to double check that the Maj-Auto script modification is still in place !

You'll have to remove the file /etc/apt/apt.conf.d/02aptdefaut because it still references the old version :

APT::Default-Release "lucid"
/usr/share/eole/Upgrade-Auto -d
reboot
Maj-Auto
gen_config

The message "La configuration a correctement été chargée depuis un fichier en version 2.3" should display; double check all values and save.

Important ! If needed, don't forget to change the web_url inside Web applications (if you want to update or change the final URL for the portal).

  • Deactivate sympa inside gen_config (may cause a bug inside the instance)
mkdir /var/run/network

It should contain :

eth0=eth0
lo=lo
instance
## Gestion du SID ##
run-parts: executing /usr/share/eole/posttemplate/02-annuaire instance
Voulez-vous regénérer l'annuaire LDAP ? oui

Envole install

Information in the official doc

apt-eole install eole-posh eole-bergamote eole-calendrier eole-dokuwiki eole-envole-connecteur eole-eportail eole-ethercalc eole-fengoffice eole-grr eole-jappix eole-limesurvey eole-mahara \
 eole-infosquota eole-mindmaps eole-opensondage eole-piwigo eole-pydio eole-sap eole-spipeva eole-taskfreak eole-webcalendar eole-wordpress eole-esb-glpi

A new tab "Envole" will appear with "Web applications" inside :

gen_config

Web applications available inside the official doc

To double check : etherpad should not be activated, there is a bug with the reconfigure !

Don't forget to set up CAS for GLPI; the configuration is done by entering the full external DNS name of the CAS server with port 8443, under :
Home > Configuration > Authentication > Other methods of authentication

  • Import of LDAP users (teachers and administrative agents) from AAF export

TODO : automatic update from zephir server

AAF import

Connect to EAD and make an AAF import with all the teachers and administrative agents of the academy.

Automatic synchro of passwords

Our DWE (Digital Work Environment) is used to centralize our Web applications and local applications for the teachers and administrative agents of the whole academy. We also call it an AIP (Academic Intranet Portal).

So I configured 2 directories : the academic LDAP and the local LDAP integrated to the EOLE solution.

Our academic LDAP directory (like most other academies') was polluted with a lot of unused or obsolete accounts, so much so that it no longer reflects the teachers and administrative agents who are really active.

One of my goals was to "rationalize" all our user accounts by creating only the accounts that are really still in use inside the local LDAP. I load it once with an AAF export (Academic Directory Federator) and then add new users gradually. But I still have to grant access to accounts from the main LDAP (the academic one), because it remains the official directory.

That's why I made a small modification to the SSO authentication. I've created a "ticket" to take this change into account : https://dev-eole.ac-dijon.fr/issues/12521

dataproxy.py inside /usr/lib/python2.7/dist-packages/eolesso/dataproxy.py :

@@ -37,6 +37,8 @@
 from eoleldaptor import eoleldapproxy
 from twisted.python import log, failure
 from util import get_replication_branches
+from scribe.eoleldap import Ldap
+from scribe.linker import _user_factory
 import os, socket
 class LDAPProxy:
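Review bot: `_user_factory` imported from `scribe.linker` is a leading-underscore (module-private) name, so this new coupling between eolesso and the scribe package can break without notice on the next scribe update; prefer a public factory if one exists, or document the dependency next to the import.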
@@ -117,6 +119,7 @@
             self.search_branches[host] = search_branches
             self.ldap_infos[host] = ldap_infos
             self.otp_config[host] = login_otp
+            #log.msg("Eole proxy %s" % eole_proxy)
         if nb_branches > 1:
             self.use_branches = True
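Review bot: the only added line here is a commented-out `log.msg("Eole proxy %s" % eole_proxy)`, i.e. dead code; either drop it or make it a real debug message so the proxy set-up can be traced at start-up.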
@@ -221,15 +224,28 @@
     def callb_auth(self, result_auth, user_id, passwd, search_branch, servers):
         success, user_data = result_auth
-        # vérification du résultat de l'authentification sur le serveur précédent
-        if success == False:
-            # echec de l'authentification  sur ce serveur
-            if len(servers) > 0:
-                # test sur le serveur suivant
-                return self.authenticate(user_id, passwd, search_branch, servers)
-            else:
-                # on a essayé sur tous les serveurs
-                return False, {}
+
+        if success == True and "localhost" not in servers:
+            #log.msg("MAJ pwd vers localhost")
+            #recupere de ead2 backend/actions/scribe/userpwd.py
+            try:
+                conn = Ldap()
+                conn.connect()
+                ldapuser = _user_factory(user_id, conn.connexion)
+                ldapuser.c_mod_password(user_id, passwd)
+                conn.close()
+            except:
+                pass
+
+        # echec de l'authentification  sur ce serveur
+        if len(servers) > 0:
+            # test sur le serveur suivant
+            return self.authenticate(user_id, passwd, search_branch, servers)
+
+        if success == False :
+            # on a essayé sur tous les serveurs
+            return False, {}
+
         # on supprime certains champs (mot de passe)
         for user_attr in self.ignored_attrs:
             if user_attr in user_data:
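Review bot: the bare `except: pass` around the `c_mod_password` block swallows every error (failed LDAP connection, rejected write, missing local account), so a user whose local password was never synchronised looks exactly like one whose sync worked; catch the specific exceptions and `log.msg()` them. Second, `if len(servers) > 0: return self.authenticate(...)` now runs even when `success == True`, so a result accepted by one server is thrown away and the verdict is decided by the last server in the chain, and when further servers remain the password has already been written to the local directory before that verdict is known; if chaining through every server is intended, say so in a comment, otherwise keep the original `if not success` guard in front of it. Style: `success == True` / `success == False :` read better as `if success:` / `if not success:` (no space before the colon).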

When the modification is in place, restart the service :

service eole-sso restart
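To make the intended behaviour of the two-directory login explicit, here is a stand-alone Python model of the chain described above (authenticate against each LDAP in turn, and on a success coming from the academic server push the password into the local directory). This is an added example, not eolesso or EOLE code; the directories are plain dicts with constructed accounts, and `bind` stands in for an LDAP simple bind.

```python
import logging
from typing import Dict, List, Tuple

log = logging.getLogger("sso-chain")
# A directory is {login: {attribute: value}}; "userPassword" is stripped before returning an entry.
Directory = Dict[str, Dict[str, str]]
IGNORED_ATTRS = ("userPassword",)

def make_directories() -> Tuple[Directory, Directory]:
    """Constructed sample data: local LDAP with a stale password, academic LDAP with the current one."""
    local = {"jdupont": {"uid": "jdupont", "userPassword": "old-pass"}}
    academic = {
        "jdupont": {"uid": "jdupont", "userPassword": "new-pass", "mail": "jd@example.invalid"},
        "mmartin": {"uid": "mmartin", "userPassword": "s3cret"},  # no local account yet
    }
    return local, academic

def bind(directory: Directory, user_id: str, passwd: str) -> Tuple[bool, Dict[str, str]]:
    """Simulated LDAP simple bind: (True, copy of the entry) or (False, {})."""
    entry = directory.get(user_id)
    if entry is None or entry["userPassword"] != passwd:
        return False, {}
    return True, dict(entry)

def sync_local_password(local: Directory, user_id: str, passwd: str) -> None:
    """Write the password the remote directory just accepted into the local account."""
    if user_id not in local:
        raise KeyError("no local account for %s" % user_id)
    local[user_id]["userPassword"] = passwd

def authenticate(user_id: str, passwd: str, servers: List[Tuple[str, Directory]],
                 local_name: str = "localhost") -> Tuple[bool, Dict[str, str]]:
    """Try the servers in order and stop at the first successful bind. A success on a
    non-local server is propagated to the local directory; sync errors are logged, not hidden."""
    local = next((d for name, d in servers if name == local_name), None)
    for name, directory in servers:
        success, user_data = bind(directory, user_id, passwd)
        if not success:
            log.info("authentication of %s failed on %s, trying next server", user_id, name)
            continue
        if name != local_name and local is not None:
            try:
                sync_local_password(local, user_id, passwd)
            except KeyError as exc:
                log.warning("password sync to %s skipped: %s", local_name, exc)
        for attr in IGNORED_ATTRS:  # never hand the password back to the SSO layer
            user_data.pop(attr, None)
        return True, user_data
    return False, {}  # every server refused the credentials
```

After the first successful login through the academic directory the local one answers on its own, which is the sync effect the patch is after.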

Bug with already existing databases (from 2.3)

When the upgrade is done, the original user accounts no longer have access to their databases. To solve this problem, you'll have to :

  • Change the root password with the mysql_pwd.py command
  • Connect to phpmyadmin
  • Go to the "Privileges" tab
  • Recreate each user account one by one by clicking on "change privileges"
  • Select "Create a new user with the same privileges and... delete the old one", then reload the privileges on the server
reconfigure

Various

SSL certificate regeneration

  • Certificate regeneration with alternative names modification (IP address + full DNS name) :
reconfigure
rm /etc/ssl/certs/eole.crt
/usr/share/creole/gen_certif.py -f

PHP5

To use PHP5 frameworks, you'll need at least a 5.4 php version !

There are a lot of conflicts with other eole packages, so the only way is to install it "by hand"... List of PHP 5 packages here

wget package_address.deb
dpkg -i php5* php5-cli* php5-common* php5-curl* php5-gd* php5-intl* php5-ldap* php5-mcrypt* php5-mysql* php5-readline* php5-sqlite* php5-xmlrpc* php-pear* libapache2-mod-php5*


Force modification of a read only variable (please be careful...)

If you want to force the modification of a read only variable (https://dev-eole.ac-dijon.fr/issues/7343), modify setting.py (in /usr/lib/python2.7/dist-packages/tiramisu) so that the 'frozen' property is dropped :

if 'frozen' in properties:
    properties.remove('frozen')

Then :

python
from eolegenconfig import lib
a=lib.get_config('web_url')
a.creole.applications_web.web_url=u'nouvelurl.ac-acad.fr'
reconfigure

Roundcube patch

Under EOLE, roundcube is used to connect to the local mail solution of the server. But inside an academy, the mail server is generally an external, packaged proprietary solution (like Oracle Convergence).

Thus, the IMAP or POP protocol is not CAS-enabled (a solution would be to install PAM-CAS, but it seems complicated with the Convergence server).

So you'll have to change the EOLE webmail (roundcube) configuration in order to connect to the academic mail solution. We could extend the gen_config dictionary to take into account specific parameters for the academic mail solution. The main problem is that we lose the CAS authentication; I guess we should totally rethink the global academic mail solution.

roundcube-main.inc.php.patch :

// Adresse IP en dur
-$rcmail_config['default_host'] = '%%adresse_ip_mail';
+$rcmail_config['default_host'] = 'tls://mail.ac-acad.fr';
// 0 - disabled, 1 - username and host only, 2 - username, host, password -$rcmail_config['login_autocomplete'] = 0; +$rcmail_config['login_autocomplete'] = 2;

// Possible values: sameorigin|deny. Set to false in order to disable sending them -$rcmail_config['x_frame_options'] = 'sameorigin'; +$rcmail_config['x_frame_options'] = false;
// 0 - Do not expand threads // 1 - Expand all threads automatically // 2 - Expand only threads with unread messages -$rcmail_config['autoexpand_threads'] = 0; +$rcmail_config['autoexpand_threads'] = 2;
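Review bot: `$rcmail_config['x_frame_options'] = false;` removes the X-Frame-Options header altogether, so the webmail can be framed by any site (clickjacking); if the portal needs to embed Roundcube, keep `sameorigin` and serve both under the same origin rather than disabling the header. `login_autocomplete = 2` additionally lets browsers store the mailbox password in the login form; on shared workstations, `1` (username and host only) is the safer setting. Pointing `default_host` at `tls://mail.ac-acad.fr` is the right choice now that credentials leave the server.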

roundcube-config.inc.php.patch :

// Adresse IP en dur
-$config['default_host'] = '%%adresse_imap';
+$config['default_host'] = 'tls://mail.ac-acad.fr'; // List of active plugins (in plugins/ directory) -%if %%activer_sso != 'non' -$rcmail_config['plugins'] = array('cas_authentication'); -%else $rcmail_config['plugins'] = array(); -%end if
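Review bot: this patch mixes the new `$config['default_host']` array with the legacy `$rcmail_config['plugins']` name inside the same config.inc.php; use `$config` throughout so the plugin list does not rely on Roundcube's backward-compatibility merge of the old variable. Dropping the `%if %%activer_sso != 'non'` branch hard-removes `cas_authentication` even when SSO is enabled in gen_config, which is the loss of CAS login the text above describes; a comment in the template saying why would help the next maintainer.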

Various errors

Error :
Des erreurs ont été rencontrées pendant l'exécution :
apt-show-versions
libapache2-mod-rpaf
E: Sub-process /usr/bin/dpkg returned an error code (1)

Solution :

a2dismod auth_cas
a2dissite ethercalc
a2dissite etherpad
Error :
Les paquets suivants contiennent des dépendances non satisfaites :
libwww-perl: Casse: librpc-xml-perl (< 0.74-2) mais 0.72-1 devra être installé
E: Erreur, pkgProblemResolver::Resolve a généré des ruptures, ce qui a pu être causé par les paquets devant être gardés en l'état.

Resolve the conflicting packages :

apt-eole install upstart-job
apt-eole install xserver-xorg-core
apt-eole install exim4-config
apt-eole install exim4-base
reboot
Upgrade-Auto --download
Impossible de récupérer http://eole.ac-dijon.fr/eole/pool/main/e/eole-ead/...  Taille incohérente
Impossible de récupérer http://eole.ac-dijon.fr/eole/pool/main/e/eole-ead/... Taille incohérente
Impossible de récupérer http://eole.ac-dijon.fr/eole/pool/main/e/eole-ead/... Taille incohérente

We can force the download of the package with wget :

wget http://eole.ac-dijon.fr/eole/pool/main/e/eole-ead/...

Remove non official php5 packages :

apt-eole remove php5 php5-cli php5-common php5-curl php5-gd php5-intl php5-ldap php5-mcrypt \
 php5-mysql php5-readline php5-sqlite php5-xmlrpc php-pear libapache2-mod-php5

Debug SSO connection

Look inside /var/log/posh/eolecas.log

Don't forget to activate debug mode inside /usr/share/php/configCAS/cas.inc.php with __CAS_DEBUG set to true

Inside __construct, you'll see a URL with a validate service; you can test it with curl "https://address/serviceValidate" to see exactly what the SSO server responds.
To test with curl without validating the certificate, use the "-k" option.
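The body that curl brings back is CAS XML, and reading it by eye is error-prone. Below is an added Python parser (not part of the page or of EOLE) that turns a /serviceValidate answer into the fields that matter when debugging: the authenticated user and its attributes, or the CAS error code and message. The two sample bodies are constructed; their attribute names are invented for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample bodies in the shape of CAS 2.0 /serviceValidate answers; they
# were not captured from a real server, and the attribute names are made up.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdupont</cas:user>
    <cas:attributes>
      <cas:mail>jd@example.invalid</cas:mail>
      <cas:displayName>Jean Dupont</cas:displayName>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0000-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_service_validate(body: str) -> Dict[str, object]:
    """Interpret a /serviceValidate body: on success return the user and any attributes,
    on failure the CAS error code and message; anything else is rejected."""
    root = ET.fromstring(body)
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise ValueError("not a CAS serviceResponse: %s" % root.tag)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        attrs = {}
        block = success.find("cas:attributes", CAS_NS)
        if block is not None:
            for child in block:  # one <cas:name>value</cas:name> element per attribute
                attrs[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
        return {"ok": True, "user": user, "attributes": attrs}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    raise ValueError("serviceResponse carries neither success nor failure")
```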

APT PINNING


You may want to upgrade different packages from different sources. But if you do not want to break everything, you should think about putting apt pinning in place.

Example (inconclusive) of a preferences file for php5 in /etc/apt/preferences.d/ (the first rule disables all packages of the PPA, the second activates only those that concern us) :

Package: *
Pin: release o=LP-PPA-ondrej-php5
Pin-Priority: 400

Package: php5 php5-cli php5-common php5-curl php5-gd php5-intl php5-ldap php5-mcrypt php5-mysql php5-readline php5-sqlite php5-xmlrpc php-pear libapache2-mod-php5
Pin: release o=LP-PPA-ondrej-php5
Pin-Priority: 500

Tags: envole, eole, scribe
