author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> 2012-06-28 15:13:48 (GMT)
committer: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> 2012-06-28 15:13:48 (GMT)
commit: b9ffa7cf78a0e7b80966bf87fd65d46b50ffce77 (patch)
tree: e155c453c7b342384fc36f16137dd7238ccdabb1
parent: cf18801214f9f73d5d467a14f859287bf20a18c7 (diff)
download: kolab-docs-b9ffa7cf78a0e7b80966bf87fd65d46b50ffce77.tar.gz
Extend the documentation to include clearer instructions on;
- configuring SELinux to not enforce the targeted policy,
- configure the system firewall to allow the standard ports in use.

Also mention the system requires preparation in various locations;
- First Login section, most likely on one's screen while making a few first attempts, which is where the issue of missing "Add user" button is likely to first be noticed.
- At the start of the Installation chapter.

Kolab Systems Support Ticket #4793.
-rwxr-xr-x  Installation_Guide/en-US/Kolab_Server_Configuration.xml  2
-rw-r--r--  Installation_Guide/en-US/Kolab_Server_First_Login.xml  12
-rwxr-xr-x  Installation_Guide/en-US/Kolab_Server_Installation.xml  2
-rw-r--r--  Installation_Guide/en-US/Preparing_the_System.xml  68
4 files changed, 80 insertions, 4 deletions
diff --git a/Installation_Guide/en-US/Kolab_Server_Configuration.xml b/Installation_Guide/en-US/Kolab_Server_Configuration.xml
index 73c6406..cff1d15 100755
--- a/Installation_Guide/en-US/Kolab_Server_Configuration.xml
+++ b/Installation_Guide/en-US/Kolab_Server_Configuration.xml
@@ -13,7 +13,7 @@
</para>
<important>
<para>
- The setup utility by default asks for a bare minimum of input, and uses data available from the system, such as the system's fully qualified domain name (hostname and domain name parts, obtained from the reverse DNS entry on the network) to setup the system with.
+ The setup utility by default asks for a bare minimum of input, and uses data available from the system, such as the system's fully qualified domain name (hostname and domain name parts, obtained from the reverse DNS entry on the network, <emphasis>not</emphasis> the configured FQDN) to setup the system with.
</para>
<para>
To use a custom hostname and domain-name, execute <command>setup-kolab</command> with the <literal>--fqdn</literal> option, specifying a fully qualified domain name. Fully qualified domain names are expected to consist of three components, the hostname, domain name and top-level domain, divided by a "." (dot) character.
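Review bot: the added parenthetical says the name comes from the reverse DNS entry, "<emphasis>not</emphasis> the configured FQDN", but the paragraph gives the reader no way to see which name the utility will pick up before running it. Because that name is supplied by the network rather than by the host's own configuration, I would add a sentence telling the reader to check it first and to pass --fqdn (covered in the next paragraph) when it differs. Minor, since the line is being touched anyway: "to setup the system with" should read "to set up the system with".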
diff --git a/Installation_Guide/en-US/Kolab_Server_First_Login.xml b/Installation_Guide/en-US/Kolab_Server_First_Login.xml
index 7a95dc1..1268c3d 100644
--- a/Installation_Guide/en-US/Kolab_Server_First_Login.xml
+++ b/Installation_Guide/en-US/Kolab_Server_First_Login.xml
@@ -14,6 +14,18 @@
<para>
Login using the username <literal>cn=Directory Manager</literal> and the password you supplied during the setup process.
</para>
+ <important>
+ <para>
+ It is important that the preparations listed in <xref linkend="sect-Community_Installation_Guide-Preparing_the_System-SELinux" /> and <xref linkend="sect-Community_Installation_Guide-Preparing_the_System-System_Firewall" /> are implemented at this point.
+ </para>
+ <para>
+ Without the adjustments to the SELinux configuration, any user, including the administrator user, that logs in to the web administration panel will effectively have no permissions and can not add, edit or delete any users, groups, resources, shared folders, domains or other object types.
+ </para>
+ <para>
+ Without the adjustments to the firewall configuration, you will not be able to connect to the /kolab-webadmin URL at all.
+ </para>
+
+ </important>
<section id="sect-Community_Installation_Guide-First_Login-Creating_a_User">
<title>Creating a User</title>
<para>
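Review bot: in the new <important> block, the paragraph beginning "Without the adjustments to the SELinux configuration" presents a non-enforcing SELinux as a precondition for using the panel without saying that it works around a current limitation. A reader who lands here after a failed first login will take it as the permanent, recommended state. Suggest saying so explicitly and pointing back to the request for AVC denial reports in the SELinux section. Smaller points in the same block: "can not" should be "cannot", /kolab-webadmin should be wrapped in <literal>, and the empty added line before </important> can go.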
diff --git a/Installation_Guide/en-US/Kolab_Server_Installation.xml b/Installation_Guide/en-US/Kolab_Server_Installation.xml
index b129f26..628de85 100755
--- a/Installation_Guide/en-US/Kolab_Server_Installation.xml
+++ b/Installation_Guide/en-US/Kolab_Server_Installation.xml
@@ -11,7 +11,7 @@
<section id="sect-Community_Installation_Guide-Installation-Kolab_Server_Installation">
<title>Kolab Server Installation</title>
<para>
- To get a fully working Kolab installation all of the components listed in <xref linkend="chap-Community_Installation_Guide-First_Login" /> need to be installed.
+ To get a fully working Kolab installation all of the components listed in <xref linkend="chap-Community_Installation_Guide-Overview" /> need to be installed and the system needs to be prepared according to the instructions listed in <xref linkend="chap-Community_Installation_Guide-Preparing_the_System" />.
</para>
<para>
The Kolab community provides APT and RPM packages for most commonly used Linux distributions. To get a fully working Kolab server on a single system, please install the “kolab-groupware” meta-package which will install all components, and run the setup script on a single system.
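Review bot: the rewritten xref line now points at chap-Community_Installation_Guide-Overview and chap-Community_Installation_Guide-Preparing_the_System, and neither id appears anywhere in the visible hunks, so please confirm both are defined before merging; an unresolved linkend will not validate. The commit message also does not mention that the old target (chap-Community_Installation_Guide-First_Login) was being corrected, which deserves a line because it is a separate fix from the new preparation wording.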
diff --git a/Installation_Guide/en-US/Preparing_the_System.xml b/Installation_Guide/en-US/Preparing_the_System.xml
index 1c181f3..ddabdeb 100644
--- a/Installation_Guide/en-US/Preparing_the_System.xml
+++ b/Installation_Guide/en-US/Preparing_the_System.xml
@@ -90,6 +90,31 @@
<para>
Please consider configuring SELinux to be permissive. Please let us know what AVC denials occur so we can work on fixing the issue.
</para>
+ <important>
+ <para>
+ The Kolab Web Administration Panel currently depends on SELinux not enforcing the targeted policy.
+ </para>
+
+ </important>
+ <para>
+ To view the current mode SELinux operates in, execute the following command:
+ </para>
+ <para>
+
+<screen># <userinput>sestatus</userinput></screen>
+
+ </para>
+ <para>
+ To temporarily disable SELinux's enforcement of the targeted policy (without rebooting the system), issue the following command:
+ </para>
+ <para>
+
+<screen># <userinput>setenforce 0</userinput></screen>
+
+ </para>
+ <para>
+ To disable SELinux's enforcement of the targeted policy in a manner persistent across system restarts, edit <filename>/etc/selinux/config</filename> and set <literal>SELINUX</literal> to <literal>permissive</literal> rather than <literal>enforcing</literal>. Doing so also changes the <emphasis>Mode from config file:</emphasis> line in the output of <command>sestatus</command>.
+ </para>
</section>
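Review bot: the added paragraphs document "setenforce 0" and setting SELINUX to permissive, but never the way back, and permissive mode applies to every confined service on the host, not only the Web Administration Panel named in the <important> block. Since that block says the panel "currently depends" on this, the section should state that the change is a workaround, mention "setenforce 1" and restoring "enforcing" in /etc/selinux/config for when the dependency is lifted, and tie it to the existing request for AVC denial reports in the context paragraph above.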
@@ -171,8 +196,8 @@
</listitem>
<listitem>
- <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_567_tcp">
- <title>Port 567, tcp</title>
+ <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_587_tcp">
+ <title>Port 587, tcp</title>
<para>
Used for secure mail submission.
</para>
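Review bot: the formalpara id changes from form-Community_Installation_Guide-System_Firewall-Port_567_tcp to ...Port_587_tcp together with the title, so any xref elsewhere in the guide that still uses the old id will dangle; worth a grep across the book before merging. The corrected number is consistent with the "--dport 587" rule added in the next hunk. The commit message does not mention this port correction, and it should, since readers who followed the old text opened the wrong port.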
@@ -214,6 +239,45 @@
</itemizedlist>
</para>
+ <para>
+ Summarizing these changes into <filename>/etc/sysconfig/iptables</filename>, working off of an original, default installation of Centos 6, this file would look as follows:
+ </para>
+ <para>
+
+<screen># Firewall configuration written by system-config-firewall
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT</screen>
+
+ </para>
+ <para>
+ After changing <filename>/etc/sysconfig/iptables</filename>, execute a service restart:
+ </para>
+ <para>
+
+<screen># <userinput>service iptables restart</userinput></screen>
+
+ </para>
</section>
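Review bot: in the sample /etc/sysconfig/iptables, the "--dport 389" and "--dport 636" rules accept new connections from any source, which exposes the directory service on every network the host is attached to. On a single-system install, local LDAP clients are already covered by the "-A INPUT -i lo -j ACCEPT" rule, so I would add a sentence saying these two rules can be limited with a source match or left out when no remote LDAP clients exist. Two smaller points: the sample keeps the header "# Manual customization of this file is not recommended." directly under prose that tells the reader to edit the file by hand, so say whether system-config-firewall will overwrite the changes; and "Centos 6" should be "CentOS 6".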