I reached a milestone: I’ve gone through your howto again and the db connection to postgresql works now.
Now I have a working template I can build on.
Don’t know exactly what the problem was:
database had wrong collation
installing nethserver-postgresql as build-require sets a password for postgresql so the psql commands afterwards didn’t work non-interactively.
I hope I can release an update with working pgsql asap…
With these steps one can make a fresh 7.4 NS to a savapage server (also phppgadmin is installed to manage postgresql via web UI)
Savapage install
yum -y install http://mirror.de-labrusse.fr/NethServer/7/x86_64/nethserver-stephdl-1.0.6-1.ns7.sdl.noarch.rpm
yum -y update
yum -y install postgresql-server postgresql-contrib nethserver-cups nano which gzip strings perl java-1.8.0-openjdk-devel poppler-utils ImageMagick avahi-tools
useradd -r savapage
mkdir /opt/savapage
chown savapage:savapage /opt/savapage
grep -q -F "savapage" /etc/security/limits.conf || echo -e "savapage hard nofile 65535\nsavapage soft nofile 65535" >> /etc/security/limits.conf
config set savapage service status enabled TCPPorts 8631,8632,8639,5353,5222 UDPPorts 8631,8632,8639,5353,5222 access green
signal-event firewall-adjust
echo a4 > /etc/papersize
su savapage
cd /opt/savapage
wget https://www.savapage.org/download/snapshots/savapage-setup-0.9.12-linux-x64.bin
chmod u+x savapage-setup-0.9.12-linux-x64.bin
./savapage-setup-0.9.12-linux-x64.bin -n
exit
/opt/savapage/MUST-RUN-AS-ROOT
systemctl stop savapage
su savapage -c "/opt/savapage/server/bin/linux-x64/savapage-db --db-export"
postgresql-setup initdb
sed -i 's/ident/md5/g' /var/lib/pgsql/data/pg_hba.conf
sed -i 's/#password_encryption = on/password_encryption = on/g' /var/lib/pgsql/data/postgresql.conf
systemctl restart postgresql
su postgres -c "createuser savapage"
su postgres -c psql
alter user postgres with encrypted password 'POSTGRESSECRET';
alter user savapage with encrypted password 'SECRET';
\q
su postgres -c "createdb -O savapage savapage"
echo 'pathmunge /opt/savapage/server/bin/linux-x64/' > /etc/profile.d/savapage.sh
chmod +x /etc/profile.d/savapage.sh
sed -i 's/database.type=Internal/#database.type=Internal/g' /opt/savapage/server/server.properties
sed -i 's/#database.type=PostgreSQL/database.type=PostgreSQL/g' /opt/savapage/server/server.properties
sed -i 's/#database.driver=/database.driver=/g' /opt/savapage/server/server.properties
sed -i 's/#database.url=/database.url=/g' /opt/savapage/server/server.properties
sed -i 's/#database.user=/database.user=savapage/g' /opt/savapage/server/server.properties
sed -i 's/#database.password=/database.password=SECRET/g' /opt/savapage/server/server.properties
su savapage -c "/opt/savapage/server/bin/linux-x64/savapage-db --db-init"
yum -y install nethserver-phppgadmin
systemctl start savapage
I saw that savapage saves its config in the database, so we may use the db import/export function to provide some default settings. If we want more, we have to analyze how the savapage db is working and where the important values are saved. The AD/LDAP config is also stored in the DB.
So the question is now: how to create a specfile that specifies the described sequence of actions?
I do want to point that it should be considered to use backends that are already used with other applications (if possible)
Especially for Java and PostgreSQL. I would hate to see 2 different versions of java and PostgreSQL installed if it can be avoided.
AD only works when disabling TLS auth on nsdc container, did you ever try joining to AD with certs and java keystore?
Web printing works
Printing from my Windows 10 doesn’t work. The print stays for some seconds in the queue and then it’s gone without error. But may be a Windoze problem.
This seems the same issue @planet_jeroen found in another thread. I’d ask @gabriele_bulfon how he solved it for WebTop5 which runs on the same Java stack.
Hello, at the moment we added code to manage “trust all certs” etc during setup of SSL/TLS sockets.
This is a recurrent problem when working with secure sockets in Java, as installing certificates is always a headache.
Here you can see the ldap auth code that sets up the connection using a library that already features “AllowAnyTrustManager” and “AllowAnyHostnameVerifier”:
I will bring it under their attention and tell what their response will be.
Is a more elegant way not possible? Like a smooth cert import procedure? It is not for nothing that SSL cert verification is in place. Could turning off SSL cert verification compromise payed/authorized printing in some way?
Disabling security mechanisms is always bad, but as far as I understand:
The problem are the self-signed certs when connecting to Nethserver AD.
You also have this kind of problem in your browser when you browse to https server with self signed cert but you are able to just allow the site and it works (the connection is still encrypted but the identities are not authorized by a third site)
In this case savapage wants to connect to Nethserver container and Nethserver (and samba as well) defaults to using TLS/SSL auth. So savapage has to connect with certs and complains about the self-signed cert of Nethserver.
I’d like the possibility, like you have in the browser, to say: I know that site, I’ll accept this cert, even if it is not fully valid.
If we don’t have this possibility savapage and AD will only work with valid certs or at least with Letsencrypt I think. For sure valid certs should also work, I don’t want to turn it off forever, it should just be the possibility to make it work with self-signed certs.
Ik begrijp dat Markus direct in PostgreSQL schrijft? Met die encrypted
secrets heeft hij dan een “uitdaging”. Hij kan de SavaPage code op
GitLab natuurlijk bekijken, en zien hoe dat in Java wordt gedaan…
Maar, misschien is het handiger om, zoals ik eerder al voorstelde,
SavaPage commandline API uit te breiden met een methode om config items
te zetten (updaten). De gebruiker van de API hoeft (behoort) niets te
weten van database schema en hoe passwords e.d. als encrypted secrets
worden opgeslagen.
What translates as:
I understand that Markus is writing directly to PostgreSQL? In that case he will have a ‘challenge’ with the encrypted secret. Of course he can have a look at the SavaPage code on gitlab so he can see how this is done in Java.
But perhaps it is more convenient to extend the SavaPage commandline API with a method to place (update) configuration items De user of the API doesn’t need to know anything about the database schema and how encrypted passwords are stored.
and a mail later:
Ik zou in analogie met savapage-db bijvoorbeeld een savapage-cfg
command-line util kunnen maken. Zoiets als …
./savapage-cfg --set-property
–id auth.ldap.admin-password
–value “plain text password”
I tried to find the password encrypt part in that java code but without success. It’s done like this in Webtop where a Java code snippet is used to encrypt the password. But a command like savapage-cfg would make the whole thing easier I think.
Maybe in future the encryption method in savapage changes. When using “savapage-cfg” nothing has to be changed in nethserver-savapage.
Looks like the LDAP join is local ldap and not remote? Am I missing something here?
Also, before SavaPage admin interface will show (LDAP) users, it needs to be configured with some post install settings. For instance: Currency code in Options/Financial/Currency Code