Difference between revisions of "Owncloud"

From Blue-IT.org Wiki


Latest revision as of 18:35, 25 May 2016

Ubuntu 12.04 LTS

Backup users

Source:

It might happen that you need to copy files from one user's owncloud installation to another.

Or - like in my case - you change from owncloud's built-in user creation to an LDAP backend (AD / Zentyal 4.0). Changing the authentication backend without deleting the old users that have the same usernames leads to new users on the filesystem like this:

owncloud/data/user_a -> owncloud/data/user_a_7532 (new user_a after LDAP)

Although the login name is the same, the home directory inside the owncloud data directory is not! If you log in as "user_a" with its old password, you get the old account. If you log in as user_a with the new LDAP password, you get the new account! Owncloud knows which is which.

But: I recommend deleting the old user and backing up its directory.

Here is how to copy over the files:

Prerequisites:

A. Backup the complete /var/www/owncloud directory

B. VERY, VERY IMPORTANT - back up the old "user_a" - don't mix the two ways up !!!

  • EITHER alter the password of the old user_a before you add a new "user_a" via e.g. LDAP !!! But this will lead to new usernames on file system level!
  • OR
    • back up the folder of your "user_a"
      • and later delete the user (see B.)
rsync -av --delete /var/www/owncloud/data/user_a/ user_a_backup/   # user_a_backup: any directory outside the owncloud data directory

B. Create a new "user_a" - don't mix the two ways up !!!

  • EITHER - when you changed the password - add your new authentication backend, e.g. LDAP, which leads to the new "user_a"
  • OR
    • first delete the old "user_a" in the administration interface of owncloud
    • and then add your new authentication backend

C. Test the new "user_a" login credentials inside the webinterface of owncloud.

D. Stop apache (so that nobody accidentally interferes with your owncloud installation)

E. Sync the folders for the new

apt-get install sqlite3 rsync

1. Copy everything from the old user_a to the new user_a_#### preserving the file and folder attributes !!!

cd /var/www/owncloud # depends on your install directory
rsync -av --delete data/user_a/. data/user_a_####/.

2. Truncate the file cache table in the owncloud database. OC versions 6 and 7 differ slightly in the sqlite schema:

sqlite3 /var/www/owncloud/owncloud.db
sqlite> .tables

sqlite> DELETE FROM oc_fscache;   -- oc version 6
sqlite> DELETE FROM oc_filecache; -- oc version 7

sqlite> VACUUM;
sqlite> .quit

F. Log in to the administration interface of owncloud (user admin ...) and check the users!

G. Log in to your new "user_a" and the file cache will be recreated.
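The copy-and-truncate steps above, as an added Python example that is not part of the wiki page: it mirrors the old directory into the new one, refuses to run unless the new account's directory already exists, picks the cache table by version (oc_fscache for 6, oc_filecache for 7) and truncates it. The paths, the names user_a / user_a_7532 and the database rows in run_demo are constructed for the demo, not taken from a real installation.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Added example (not from the wiki): mirror one ownCloud user's files into the new
# LDAP-created account and truncate the file cache so it is rebuilt on next login.
FILECACHE_TABLES = ("oc_fscache", "oc_filecache")  # ownCloud 6 / ownCloud 7

def migrate_user(data_dir, old_user, new_user, db_path):
    """Mirror old -> new like rsync -av --delete, then truncate the cache table;
    returns (table, rows removed). Refuses to run unless new_user's dir exists."""
    src, dst = Path(data_dir, old_user), Path(data_dir, new_user)
    if not dst.is_dir():
        raise RuntimeError(f"{dst} missing: create and test the new user first")
    con = sqlite3.connect(db_path)
    names = {r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    table = next((t for t in FILECACHE_TABLES if t in names), None)
    if table is None:
        con.close()
        raise RuntimeError("no oc_fscache/oc_filecache table in " + str(db_path))
    shutil.rmtree(dst)                        # --delete: drop stale contents
    shutil.copytree(src, dst, symlinks=True)  # copy2 preserves mtimes and modes
    removed = con.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    con.execute(f"DELETE FROM {table}")       # table name comes from the whitelist
    con.commit()
    con.execute("VACUUM")                     # must run outside a transaction
    con.close()
    return table, removed

def run_demo(oc_version=7):
    """Constructed layout in a temp dir: old user_a, new user_a_7532, a DB."""
    root = Path(tempfile.mkdtemp())
    data = root / "data"
    (data / "user_a" / "files").mkdir(parents=True)
    (data / "user_a" / "files" / "notes.txt").write_text("old data\n")
    (data / "user_a_7532" / "cache").mkdir(parents=True)  # the new LDAP account
    db, table = str(root / "owncloud.db"), FILECACHE_TABLES[oc_version == 7]
    with sqlite3.connect(db) as con:
        con.execute(f"CREATE TABLE {table} (fileid INTEGER, path TEXT)")
        con.executemany(f"INSERT INTO {table} VALUES (?, ?)",
                        [(1, "files"), (2, "files/notes.txt"), (3, "cache")])
    found, removed = migrate_user(data, "user_a", "user_a_7532", db)
    with sqlite3.connect(db) as con:
        left = con.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    result = {"table": found, "removed": removed, "left": left,
              "copied": (data / "user_a_7532" / "files" / "notes.txt").is_file(),
              "stale_gone": not (data / "user_a_7532" / "cache").exists()}
    shutil.rmtree(root)
    return result
```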

Sources.list and Installation

For the official installation manual see:

According to the manual

  • Add the appropriate key for your distribution (here for Ubuntu 12.04):
 wget -qO - http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_12.04/Release.key | sudo apt-key add -
  • Add a sources list file and
apt-get update
  • Install the server package
apt-get install owncloud

Update

Owncloud server version 6.0 -> 7.0 / 8.0

When updating from 6.0 you might encounter the problem that the "Shared" folder is gone. If you had a corporate setup and used this hierarchy, you can add the line

'share_folder' => '/Shared',

to /where_ever_location_is/owncloud/config/config.php

BUT, to get a corresponding client structure, you have to

  1. detach the permissions of every share on the server
  2. reattach the permissions for the shared folders
  3. perform a full resynchronisation at the owncloud client. That is: remove the sync folder with in the client settings dialog, reattach the folder and perform a complete new download of all folder contents.

WebDav support

apt-get install davfs2

Configure unprivileged (non-root) user access:

dpkg-reconfigure davfs2

Prepare apache2 for owncloud

This is necessary to get access to the webinterface of owncloud.

HINT: If you are behind a NAT, you have to add your domain to your /etc/hosts file due to a problem with curl:

vim /etc/hosts
127.0.0.1  localhost owncloud.yourserver.tld

Then configure your apache2 hosts file:

vim /etc/apache2/sites-available/owncloud.conf
<VirtualHost *:80>
        ServerAdmin webmaster@YOURSERVER.TLD

        ServerName owncloud.yourserver.tld
        DocumentRoot /path_to/www/owncloud.yourserver.tld

        <Directory /path_to/www/owncloud.yourserver.tld>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory> 

</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@YOURSERVER.TLD

        ServerName owncloud.yourserver.tld
        DocumentRoot /path_to/www/owncloud.yourserver.tld

        <Directory /path_to/www/owncloud.yourserver.tld>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory> 

        # SSL
        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/ssl.pem
</VirtualHost>
</IfModule>

Create a database

If you want to use a database like mysql, you have to create a database, user and password in advance!

Settings

Now open your new Owncloud webpage and

  1. Add admin account settings
  2. Optional: enter database settings

Then you can enter new users!

Owncloud, LDAP and Zentyal

Zentyal 4.2 (Ubuntu 14.04) / Owncloud 8.2

  • Servername: use IP Port: 389
  • DN to login: someuser@zentyaldomain.lan
  • Password: "thepassfor someuser"
  • Base DN: As mentioned at the LDAP information in the webinterface


TIP: using the qualified domainname (e.g. server.zentyaldomain.lan) did NOT work for me.

See:

  • https://forum.zentyal.org/index.php/topic,23844.new.html#new

Zentyal 4.0 (Ubuntu 14.04) / Owncloud 7.0


[UPDATE] --Apos (talk) 09:01, 16 February 2015 (CET)

  • Owncloud Version 8.0 works as expected. Added "share_folder" directive. See #Update.

There have been major changes to ldap on Zentyal 4.0 due to the new Samba backend:

Server:

First check, if your setup is working correctly:

#> ldapsearch -H ldap://YOUR_LDAP_SERVER -x -b "" -s base -LLL supportedSASLMechanisms

dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM

The main change is, that there is no user 'zentyal-ro' any more to make anonymous ldap queries.

If you updated from former versions, you'll get the user and its password with:

ls -lta /var/lib/zentyal/conf/zentyal-mail-*.passwd
cat /var/lib/zentyal/conf/zentyal-mail-*.passwd

On a fresh Zentyal 4.0 install you have to create a domain admin user and use its credentials.

A simple ldap-query can be made with:

ldapsearch  -h 127.0.0.1 -U zentyal-mail_USER.org -b 'dc=DOMAIN,dc=tld' 'uid' | grep zentyal-mail

Which leads to the new credentials (you can use lower case: cn=, dc=, ...!):

cn=zentyal-mail-DOMAIN.TLD,cn=,dc=DOMAIN,dc=TLD


Other users you can check with:

 ldapsearch  -h 127.0.0.1 -U ldapuser -b 'dc=DOMAIN,dc=TLD' 'sAMAccountName=USERNAME'

Zentyal 3.3 (Ubuntu 12.04) / Owncloud 6.0

Activate the LDAP Backend:

[...]

To connect to an LDAP server the configuration needs to be set up properly. Once the LDAP backend is activated (Apps Sidebar→Apps, choose LDAP user and group backend, click on Enable) the configuration can be found on Settings→Admin. Read on for a detailed description of the configuration fields. [2]

[...]

See:

apt-get install php5-ldap
a2enmod ldap
service apache2 restart

From: [2]

Owncloud 6, Zentyal 3.3, I added 2 Groups (AdminHomeUser, HomeUser) and 5 Users. Following worked:

Server:

ServerIP: Server IP of Zentyal Server (for example: ldap://127.0.0.1)
Port: 390
DN of Client User: Root DN of Zentyal
Password: Password of ldap
Base DN: Zentyal Base DN

User Filter:

only those object classes: inetOrgPerson
only from those groups: AdminHomeUser, HomeUser


Login Filter:

LDAP Username: checked


Group Filter:

only those object classes: posixGroup
only from those groups: AdminHomeUser, HomeUser

Advanced - Directory Settings:

User Display Name Field: uid

Start multiple instances of owncloud client

Since the owncloud client is not able to access multiple servers (at time of writing, 08/2014), there is a workaround described in issue #43:


#!/bin/bash
#
# https://github.com/owncloud/mirall/issues/43
# Thanks to lazyfrosch (commented on 5 Dec 2013) and ogasser (commented on 1 Jul 2014)

##############################
# Give this instance a unique name
INSTANCE=business

##############################
# DO NOT ALTER FROM HERE
CONFDIR="${HOME}/.local/share/data/ownCloud_${INSTANCE}"
TMPDIR="/tmp/${INSTANCE}"

# ensure the paths exist (-p also creates missing parents, e.g. ~/bin)
mkdir -p "${CONFDIR}" "${TMPDIR}" "${HOME}/bin"

# change the temporary directory where the lockfile is located
export TMPDIR

# copy the binary
# yes we need to do this, or owncloud will think it's the same instance
# NOTE: a symlink won't help unfortunately
cp /usr/bin/owncloud "${HOME}/bin/owncloud_${INSTANCE}.bin"

# start owncloud with custom confdir
exec "${HOME}/bin/owncloud_${INSTANCE}.bin" --confdir "${CONFDIR}" "$@"


Troubleshooting

Maintenance mode off

./occ maintenance:mode --off
#>vim config/config.php
[...]
 'maintenance' => false,
[...]

Update with console

#> cd /var/www/owncloud
 
./occ maintenance:mode --on
sudo -u www-data php occ upgrade
./occ maintenance:mode --off

occ

  • https://doc.owncloud.com/server/8.0/admin_manual/configuration_server/occ_command.html

ETags

sudo -u www-data php occ maintenance:repair

SSL security

vim /etc/apache2/apache2.conf
LoadModule headers_module modules/mod_headers.so
SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
Header add Strict-Transport-Security "max-age=15768000"
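An added Python example, not from the wiki: a small audit of the directives above. It flags legacy protocols left enabled, compression, cipher order, weak cipher families not excluded with "!", and a missing or short HSTS header; it also reports the page's own "Header add" form, because "Header always set" is needed for the header to be sent on error responses as well and not duplicated. PAGE_FRAGMENT reproduces the block above as constructed sample input; the weak-token list and the six-month minimum are this example's assumptions.

```python
import re

# Added example (not from the wiki): audit an Apache SSL fragment like the one
# above; each check mirrors one directive the page sets and reports what is lax.
WEAK_CIPHER_TOKENS = ("aNULL", "eNULL", "RC4", "MD5", "3DES", "EXP", "LOW")
MIN_HSTS_AGE = 15768000  # six months, the max-age the page uses

def parse_directives(text):
    found = {}  # lower-cased directive name -> its values, in file order
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            found.setdefault(name.lower(), []).append(value.strip())
    return found

def audit_ssl(text):
    """Return sorted findings for the fragment; an empty list means it passes."""
    d = parse_directives(text)
    def last(key): return d.get(key, [""])[-1]   # Apache: the last directive wins
    findings = []
    proto = last("sslprotocol").split()
    for legacy in ("SSLv2", "SSLv3"):               # "All"/"+X" enable, "-X" removes
        if ("All" in proto or legacy in proto or "+" + legacy in proto) \
                and "-" + legacy not in proto:
            findings.append(f"SSLProtocol leaves {legacy} enabled")
    if last("sslcompression").lower() != "off":
        findings.append("SSLCompression is not off (CRIME)")
    if last("sslhonorcipherorder").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on; the client picks the cipher")
    excluded = {t[1:] for t in last("sslciphersuite").split(":") if t[:1] == "!"}
    for tok in WEAK_CIPHER_TOKENS:
        if tok not in excluded:
            findings.append(f"SSLCipherSuite does not exclude !{tok}")
    hsts = [v for v in d.get("header", []) if "Strict-Transport-Security" in v]
    age = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append(f"HSTS header missing or max-age below {MIN_HSTS_AGE}")
    if hsts and hsts[-1].split()[:2] != ["always", "set"]:  # 'add' may duplicate it
        findings.append("use 'Header always set' so HSTS is sent on every response")
    return sorted(findings)

# The page's own fragment (LoadModule line omitted), reproduced as sample input
PAGE_FRAGMENT = (
    "SSLProtocol All -SSLv2 -SSLv3\nSSLCompression off\nSSLHonorCipherOrder On\n"
    "SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:"
    "CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA\n"
    'Header add Strict-Transport-Security "max-age=15768000"\n')
```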

Memcache

  • https://owncloud.org/blog/making-owncloud-faster-through-caching

On Ubuntu 14.04 with Owncloud >=8.1 the packaged APCu version is wrong for the memcache backend. If you use the standard php5-apcu package, this will result in a blank screen. So, as described in the post linked above, you can manually install a newer version from the ubuntu repos:

sudo apt-get remove php5-apcu
cd /tmp
# sudo wget http://mirrors.kernel.org/ubuntu/pool/universe/p/php-apcu/php5-apcu_4.0.6-1_amd64.deb 
# [UPDATE] this version changed on the online repositories to php5-apcu_4.0.7-1build1_amd64.deb  
# which is NOT binary compatible any more to 8.1 - 
# you can download it from code-engine as time of writing
wget http://code-engine.org/wp-content/uploads/2015/10/php5-apcu_4.0.6-1_amd64.deb
# sudo dpkg -i php5-apcu_4.0.6-1_amd64.deb
sudo dpkg -i php5-apcu_4.0.6-1_amd64.deb
sudo rm php5-apcu*.deb

Configure PHP:

#> vim /etc/php5/apache2/php.ini
apc.enable_cli = 1

Configure Owncloud

#> vim /var/www/owncloud/config/config.php
/**
* Memcache
*/
'memcache.local' => '\OC\Memcache\APCu',

Restart apache

service apache2 restart  

Security

Official owncloud security advice

In any case you should follow the security advice here:

  • https://owncloud.org/security/

Fail2ban

  • http://www.everybodyhertz.co.uk/fail2ban-for-owncloud-brute-force-prevention-and-alerting/