dkassemos
Wed May 21, 2014 3:04:16 pm
Hi Everyone,
I volunteer for a small private school in Northern KY, as the only IT person on staff.
By trade I have close to 20 years experience and today I am an Amazon AWS Architect at my full time job.
The school I volunteer at is VERY small and has little to no resources for IT purchases, so almost all of the equipment is donated and manufactured in 2001 with an XP license.
I originally set up the environment with Windows AD and XP clients to segregate the students from the faculty.
Last year I installed 24 stand alone Zorin OS 7 lite PCs in the Lab and library for student use, and the transition was seamless.
This year I will be transitioning the entire school's computers over to a complete Linux based enterprise, removing ALL windows services and using Zorin OS as the only client PC in the school.
So here is my small contribution to the Zorin community:
Systems Used:
CentOS 6.5 Server running (Server Build and configuration NOT documented here since this is a Zorin OS Forum)
SSL/TLS LDAP Server - 389 Directory Server (Centralized user administration)
DHCP / BIND DNS / CUPS Printer Server/ WebMin for Enterprise Management of Services
Zorin OS 8.x Core / Educational / lite Clients (Based upon Hardware capability)
Goals & Requirements:
Students logon with a generic id with no password and no permissions
Faculty will have personal logon id in LDAP and teachers group will have sudo permissions
Faculty logon id will match Google Apps for Education Domain logins to sync Chrome apps (email, drive, calendar, etc.)
Zorin OS Image Build Instructions:
Install Zorin OS as documented
Create local user without automatic logon
On first boot logon as local user and open a Terminal Window
#sudo su - ( this will make you root)
#passwd - (This will set the root password so you can manage remotely later)
#apt-get update - (Updates the software repositories list)
#apt-get upgrade - (Get all the updates)
---- Now add ssh server & Student User -----
#adduser student - (Follow the prompts)
#apt-get install ssh - (Allows you to ssh in to support the system.... as root )
**** Note the standard logon screen will NOT allow a user to logon that is NOT a local user so now we have to change the Greeter Display Manager *****
#apt-get install kdm systemsettings - (KDM is the Display Manager and the "system settings" provides an applet to change the settings of the greeter)
***** Note : during the install process you will be prompted for a greeter to use --- Choose KDM -----
***** Note 2: By default the initial KDM theme is broken and will not allow the Greeter to start
so before rebooting do the following:
Use System Tools > Preferences > KDE System Settings
and Change " Login Screen" settings
Here is where you can:
Convenience Tab - set Student allowed "No Password" option in the Display Manager
Pre-selected user = None
---- Next connect to LDAP ------
Prerequisites:
Configure your LDAP server for TLS port 636 connections
I placed my ca.ldap.pem certificate & sssd.conf on my web server for easy access.
Just make sure that your paths in the sssd.conf match the paths on your Zorin OS client!
#apt-get install sssd sssd-tools - (LDAP Authentication integration with PAM & NSS)
#mkdir -p /etc/openldap/cacerts - (my location specified in sssd.conf for my ca certificate)
#cd /etc/openldap/cacerts
#wget http://www.mydomain.com/ldap/ca.ldap.pem - (download ldap ca certificate created when you built the LDAP server)
#cd /etc/sssd
#wget http://www.mydomain.com/ldap/sssd.conf - (download sssd.conf)
#chmod 600 sssd.conf - sssd service will NOT start until this is set
----Create home directory on first login --------
#cd /etc/pam.d
#nano common-session
insert line after "session required pam_unix.so" usually about line 30
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Save and close
--- Change Sudo users -----
#cd /etc
nano /etc/sudoers
# insert lines
%sudo_Admins ALL=(ALL:ALL) ALL - (aka Domain Admins)
%teachers ALL=(ALL:ALL) ALL - (aka Faculty Members)
Save and close
Reboot !!!!
These are the steps that work for me....
I hope this helps someone else.
DKASSEMOS
I could not have done this without the hard work of others! Here are the links I used that help me piece this together.
Fedora 389 Directory Server - http://directory.fedoraproject.org/
http://www.unixmen.com/setup-directory- ... -rhel-6-4/
http://trialanderrorlinux.wordpress.com ... using-tls/
LDAP Client Authentication - https://sites.google.com/site/guenterba ... ithsssdtls
Changing the Greeter - http://askubuntu.com/questions/75755/ho ... me-greeter
NOTE: This document gave me the idea to try gdm and kdm. KDM was the only one that maintained the existing ZorinOS Session
---
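The client-side join steps from the post above (CA certificate, sssd.conf, pam_mkhomedir, sudo groups), as an added example scripted for re-use on each donated PC; this is not code from the original post, and the hostname, base DN, sssd.conf contents and file paths are assumptions to adjust for your own 389 Directory Server:

```shell
# Added example, not from the original post: the client-side steps above
# (CA download, sssd.conf, pam_mkhomedir, sudoers) as re-runnable functions.
# Hostnames, DNs and paths are assumptions; set them for your own 389 DS.
set -eu

# 1. ca.ldap.pem arrives over plain HTTP; before sssd trusts it, compare
#    its SHA-256 with the value recorded on the server (placeholder here).
verify_ca_fingerprint() {  # $1 = pem file, $2 = expected sha256 hex
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# 2. sssd.conf for LDAP over TLS on 636: ldaps:// plus reqcert=demand means
#    a server whose certificate does not chain to the CA is rejected.
write_sssd_conf() {  # $1 = output path, $2 = ldap host, $3 = base DN, $4 = CA file
    cat > "$1" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = school

[domain/school]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://$2:636
ldap_search_base = $3
ldap_tls_cacert = $4
ldap_tls_reqcert = demand
EOF
    chmod 600 "$1"   # sssd refuses to start on a readable config (see post)
}

# 3. Insert pam_mkhomedir after pam_unix, once only, so re-running is safe.
add_mkhomedir() {  # $1 = path to /etc/pam.d/common-session
    line='session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
    grep -qF 'pam_mkhomedir.so' "$1" && return 0
    sed -i "/^session[[:space:]]*required[[:space:]]*pam_unix\.so/a $line" "$1"
}

# 4. Sudo rights for the two groups as a /etc/sudoers.d drop-in, mode 0440,
#    syntax-checked by visudo when run as root: a typo in the main /etc/sudoers
#    edited with nano locks every admin out of sudo.
write_sudoers_dropin() {  # $1 = output path, e.g. /etc/sudoers.d/school
    printf '%%sudo_Admins ALL=(ALL:ALL) ALL\n%%teachers ALL=(ALL:ALL) ALL\n' > "$1"
    chmod 440 "$1"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    fi
}
```

Run the functions in order as root after `apt-get install sssd sssd-tools`, then reboot as the post describes; the fingerprint you pass to `verify_ca_fingerprint` is the one you record on the LDAP server when the CA is created.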