Do-It-Yourself Part X: Setting up a Web Server

by Scott Courtney

Last month, Penny got her mail and mailing list software installed and configured in order to provide mail transport and access for her employees and to bring mailing list services to her customers.

This month, she will start to assemble her Web presence. She will start by installing and configuring the Apache web server.

Apache—Basic Installation

Fortunately for Penny, Apache is one of the packages that comes with every Linux distribution. Installing it and configuring it to serve pages (albeit not very exciting pages) is as simple as going into YaST (if you, like Penny, are running SuSE) and installing the package from within it. SuSE will put the Apache configuration into /etc/httpd/httpd.conf, and the documents being served to users can be found in /usr/local/httpd/htdocs by default in SuSE 7.x; in 8.1 this has moved to /srv/www/htdocs (I don't know where 8.0 put it, and I don't have an 8.0 system handy to check; if you're running SuSE 8.0, check both). This location can easily be changed in /etc/httpd/httpd.conf simply by modifying the DocumentRoot configuration variable (if you're relocating the whole tree). For Linux/390 users, please note that putting the directory tree in /usr/local means that this doesn't work very well if you're sharing a read-only copy of /usr between different machines (and do not have a per-machine /usr/local disk). I don't know for sure, but I suspect that this change was largely made to make SuSE more compliant with the FHS standard, which specifies that it must be possible to mount /usr read-only.

Penny has installed the Apache server on her machine, and tells YaST to start it at boot time. She can also manually control it with the init script in /etc/init.d; she simply types /etc/init.d/apache start to start the Apache server.

After installing Apache, Penny uses the YaST Online Update function to apply any recommended service updates to Apache. The Web server is probably the favorite avenue of penetration for system crackers, and therefore it is crucial to keep current with security updates for it.

Penny has installed the Web server on her server machine at 192.168.1.2; if she points a Web browser at that address, and the default port 80, she will see a test page, which is installed by SuSE. This verifies that the web server itself and any extensions she installed are working correctly.

Apache Versions

Although the current Apache release is 2.0.x, SuSE will install a 1.3.x version. Apache 2.0 does bring some new features to the party; among them are the use of the standard Unix/Linux autoconf system for building the software, a hybrid multi-threaded multi-process model which improves scalability for some workloads, improved portability for non-Unix operating systems, and an easier-to-use module API. None of these are particularly important to Penny, so she plans to go with 1.3.x because it is what SuSE provides and meets all her needs adequately.

In general, however, if you are planning a large site, and have the luxury of starting from scratch, I would recommend you begin with Apache 2.0.x. Although it may be more difficult to configure initially, especially if you're already comfortable with 1.3, you will be spared the pain of a major-version upgrade on a live site.

Customizing the Default Installation

The first thing Penny wants to do is to replace the test page with a page that identifies the site as belonging to Ice Floe Housing and at least reassures her customers that a more complete and useful web site is in the works—over the next couple articles, she will elaborate on this theme and gradually make her website more helpful to her customers.

Let's begin by assuming that Penny has a logo for Ice Floe Housing, which she has named logo.jpg. In addition she has pictures of two of her igloo styles, house1.jpg and house2.jpg. She begins by putting these all into her DocumentRoot directory.

Next she will create a placeholder web page.

She goes into her DocumentRoot directory (/usr/local/httpd/htdocs or /srv/www/htdocs) and backs up the existing index.html with mv index.html index.html.orig.

Then she creates the following file, using the text editor of her choice (for Penny, this is emacs; you may prefer pico, or—ugh!—vi, or, if you're from a VM background, THE, which is more-or-less a Unix/Linux clone of CMS XEDIT):

Ice Floe Housing

Welcome to Ice Floe Housing. This site is under construction. For information about Ice Floe Housing's modular living solutions, “Truly Cool Igloo Housing for the Terminally Hip,” please send mail to sales@icefloehousing.com.

Two of our best-selling models

The EKX-48 is an affordable starter igloo, designed to provide first-tier functionality at a fraction of the price of comparable solutions.

The IFH-99B XTreme! Sport 2002 is the latest in our line of XTreme! Igloos, providing the hottest amenities for the truly discerning cognoscenti in the field of modular igloo housing. Available in Fearsome Fuchsia, Screaming Chartreuse, or Eye-Popping Cobalt!

This, when viewed in a Web browser, will look like:


[Figure: the placeholder page as rendered in a Web browser]

Next Penny will need to make sure that both info and sales point to an email address that is monitored, so she can respond to any leads this page generates. She edits the file /etc/aliases and inserts the lines:

info: penny
sales: penny

Then she runs the command “newaliases” to rebuild the alias database. As she gets more employees, she will change this alias to point to her sales and marketing employees.

Merging the mailing list changes

Last month we said that Penny would need to modify her Web server config to allow her to run the Web-accessible mailing list archive. She inserts the following into /etc/httpd/httpd.conf:

ScriptAlias /mailman/	/usr/lib/mailman/cgi-bin/
Alias /pipermail/		/usr/lib/mailman/archives/public/

Suddenly, Penny is in the world of dynamic content: Mailman uses CGI scripts to present its information to users. Writing static HTML is very easy; presenting dynamic content gets more difficult.

However, Mailman contains all the necessary scripts; what she needs to do is to tell the Web server that it's OK to run the mailman scripts.

#
# set up Mailman for CGI execution
#
<Directory /usr/lib/mailman/cgi-bin>
AllowOverride None
Options +ExecCGI -Includes
SetHandler cgi-script
</Directory>

However, if Penny had set up her Web server first, and then installed Mailman from an RPM—which YaST would force her to do, as Apache is a prerequisite for Mailman—then the package management process would have ensured that she already had the necessary configuration in /etc/httpd/httpd.conf. Thus, we're showing these options for completeness, but it should not be necessary to manually configure them as long as you install from RPM.

Virtual Hosts

Wally the Walrus has let Penny know that he's going to call in her debt for providing her secondary DNS. He wants to put his personal web site, wallythewalrus.cx, up on her machine, because her connection is faster and more reliable than his. (Wally decided on the Christmas Island top-level domain in part because it's inexpensive and distinctive, but mostly because I'm writing this article on Christmas Eve.) Apache makes it easy to do virtual hosting, so Penny is able to provide him with this easily.

What she will do is allow Wally some personal space on her system, and then map http://www.wallythewalrus.cx to that directory. That way, Wally can put all the HTML he wants into the wally.cx directory of his own account, and it will be served up by the Ice Floe Housing web server.

First, Wally and Penny set up DNS handling for wallythewalrus.cx so that wallythewalrus.cx resolves to the correct machine (which will be Penny's externally-visible IP address, 10.23.46.57). This is done in very much the same way that configuring DNS for Ice Floe Housing was done a few months ago; please refer to the August 2002 Technical Support for details.

Next she creates a user ID for wally with the “useradd” command. Wally's web pages will be in his wally.cx directory. What she then needs is a statement in httpd.conf to create a virtual host; she does that by adding a stanza like the following:


<VirtualHost 192.168.1.2>
ServerName www.wallythewalrus.cx
DocumentRoot /home/wally/wally.cx
</VirtualHost>

Now any requests for documents under www.wallythewalrus.cx will be served from the wally.cx directory, where Wally can put whatever content he wants.

Note that the IP address for the VirtualHost is the real, internal IP address. The translation of Penny's external address to her internal address is still handled on the firewall by iptables. The Web server itself has no idea at all that people connect to it with some other IP address, nor does it need to.
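
A pre-restart check for the directives from the Mailman and virtual-host sections, as an added example that is not part of the original article: Alias and ScriptAlias substitute the URL prefix literally, so both sides must agree on the trailing slash, and a DocumentRoot inside a user's home directory should get its own <Directory> block with AllowOverride None and no CGI or server-side includes. The SAMPLE text, the /home/ rule and the function names are assumptions of this example, and it does not model settings inherited from parent <Directory> blocks.

```python
import re

# Constructed sample of this article's directives. Checker assumptions: no
# <Directory> inheritance is modelled, and unset Options is treated as All.
SAMPLE = """\
ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin
Alias /pipermail/ /usr/lib/mailman/archives/public/
<Directory /usr/lib/mailman/cgi-bin>
AllowOverride None
Options +ExecCGI -Includes
</Directory>
<VirtualHost 192.168.1.2>
DocumentRoot /home/wally/wally.cx
</VirtualHost>
"""
RISKY = {"all", "execcgi", "+execcgi", "includes", "+includes"}

def parse(conf):
    """Return (aliases, docroots, dirs); dirs maps path -> {directive: args}."""
    aliases, docroots, dirs, block = [], [], {}, None
    for line in (l.strip() for l in conf.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            block = dirs.setdefault(opened.group(1).strip().rstrip("/"), {})
        elif line.lower() == "</directory>":
            block = None
        elif line and line[0] not in "#<":
            name, args = (line.split(None, 1) + [""])[:2]
            if name.lower() in ("alias", "scriptalias"):
                aliases.append((name, *(a.strip('"') for a in args.split())))
            elif name.lower() == "documentroot":
                docroots.append(args.strip('"').rstrip("/"))
            elif block is not None:
                block[name.lower()] = args.lower().split()
    return aliases, docroots, dirs

def audit(conf):
    """Flag alias slash mismatches and /home docroots without a locked-down block."""
    aliases, docroots, dirs = parse(conf)
    out = [f"{n} {u} -> {p}: trailing slashes differ"
           for n, u, p in aliases if u.endswith("/") != p.endswith("/")]
    for root in (r for r in docroots if r.startswith("/home/")):
        block = dirs.get(root, {})  # a missing block fails both checks below
        if block.get("allowoverride") != ["none"]:
            out.append(f"{root}: AllowOverride is not set to None")
        if RISKY & set(block.get("options", ["all"])):
            out.append(f"{root}: Options allows CGI or server-side includes")
    return out
```

Run audit() on the text of httpd.conf before restarting Apache; an empty list means neither check fired.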

Conclusion

At this point, Penny has a fully-functional Web server, not just for herself, but also for Wally the Walrus's personal web site. In addition to simple static content, she has made her Mailman-managed mailing lists web-accessible, so that users can manage their subscription settings and view archived posts to the list with their web browsers.

Next Steps

Penny's ultimate goal is to allow on-line ordering of her products and a browseable catalogue. Next month we will look at how she can provide dynamic content to present a continuously-updated catalogue to her customers with minimal maintenance effort. This will also have the side benefit of allowing her to easily maintain a consistent page style across her entire site.