Difference between revisions of "OwnCloud"

From SME Server
m (→‎About: Correction)
Line 5: Line 5:
  
 
=='''Warning'''==
 
=='''Warning'''==
{{warning box|Actual versions of owncloud show an security-related warning on SME 8.x like:
+
{{warning box|msg=Actual versions of owncloud show an security-related warning on SME 8.x like:
  
 
Your PHP version is vulnerable to the NULL Byte attack (CVE-2006-7243)
 
Your PHP version is vulnerable to the NULL Byte attack (CVE-2006-7243)
Line 12: Line 12:
 
This is because SME8.x ships with PHP version 5.3.3 where Owncloud 5.x checks for PHP version 5.3.4
 
This is because SME8.x ships with PHP version 5.3.3 where Owncloud 5.x checks for PHP version 5.3.4
  
You should take this very serious as long as this warning appears, because the installation of owncloud on your server could cause a servere risk. Perhaps it is safer for you to wait until the reason for this warning is solved.}}
+
You should take this very serious as long as this warning appears, because the installation of owncloud on your server could cause a servere risk. Perhaps it is safer for you to wait until the reason for this warning is solved.
 +
 
 +
'''A new version available  of php53 of centos/redhat which corrects the CVE-2006-7243, but the package is not yet in SME server repository, please see [[bugzilla:7613#c18]]'''  }}
  
 
see [[bugzilla:7613]] and most particularly [http://bugs.contribs.org/show_bug.cgi?id=7613#c3 bugzilla:7613#c3] and [http://bugs.contribs.org/show_bug.cgi?id=7613#c8 this one] for a workaround. An alternative method is mentioned in the forums [http://forums.contribs.org/index.php/topic,50335.msg252984.html#msg252984 here].
 
see [[bugzilla:7613]] and most particularly [http://bugs.contribs.org/show_bug.cgi?id=7613#c3 bugzilla:7613#c3] and [http://bugs.contribs.org/show_bug.cgi?id=7613#c8 this one] for a workaround. An alternative method is mentioned in the forums [http://forums.contribs.org/index.php/topic,50335.msg252984.html#msg252984 here].
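Review bot: the sentence added inside the warning box ("A new version available of php53 of centos/redhat which corrects the CVE-2006-7243 ...") has no main verb and does not tell the reader what to do until the package reaches the SME Server repository. Consider "A newer php53 package from CentOS/Red Hat corrects CVE-2006-7243 but is not yet in the SME Server repository, see [[bugzilla:7613#c18]]". The warning text this revision touches also still reads "an security-related" and "servere", which could be corrected in the same edit.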

Revision as of 07:55, 2 January 2014

Skill level: Medium
The instructions on this page require a basic knowledge of Linux.


About

"ownCloud ( http://owncloud.org ) gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing right on the web. Installation has minimal server requirements, doesn’t need special permissions and is quick. ownCloud is extendable via a simple but powerful API for applications and plugins."

Warning

Warning:
Current versions of ownCloud show a security-related warning on SME 8.x like:

Your PHP version is vulnerable to the NULL Byte attack (CVE-2006-7243) Please update your PHP installation to use ownCloud securely.

This is because SME 8.x ships with PHP version 5.3.3, whereas ownCloud 5.x checks for PHP version 5.3.4.

You should take this very seriously as long as this warning appears, because the installation of ownCloud on your server could cause a severe risk. Perhaps it is safer for you to wait until the reason for this warning is solved.

A new version of php53 from CentOS/Red Hat that corrects CVE-2006-7243 is available, but the package is not yet in the SME Server repository; please see bugzilla:7613#c18


See bugzilla:7613 and most particularly bugzilla:7613#c3 and this one for a workaround. An alternative method is mentioned in the forums here.
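Because the warning is tied to the PHP version number while the distribution fix arrives as a patched package, the following added example (not from the original page or the ownCloud project) separates "version at or above 5.3.4" from "older version with the fix backported". It assumes the package names the CVE in its RPM changelog when it backports the fix; the function names and the sample changelog text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PHP install with respect to CVE-2006-7243.
# Assumption: a package that backports the fix names the CVE in its RPM changelog.
FIXED_UPSTREAM=5.3.4   # the PHP version ownCloud 5.x checks for (from the page)

# version_lt A B: succeeds when dotted version A is lower than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; x=${x%%[!0-9]*}; x=${x:-0}
        y=${b%%.*}; y=${y%%[!0-9]*}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# nullbyte_status VERSION CHANGELOG_FILE
# Prints fixed-upstream, fixed-by-backport or no-fix-recorded.
nullbyte_status() {
    if ! version_lt "$1" "$FIXED_UPSTREAM"; then
        echo fixed-upstream
    elif grep -q 'CVE-2006-7243' "$2"; then
        echo fixed-by-backport
    else
        echo no-fix-recorded
    fi
}

# On the server (package name php53 as given on the page):
#   rpm -q --changelog php53 > /tmp/php53.changelog
#   nullbyte_status "$(php -r 'echo PHP_VERSION;')" /tmp/php53.changelog

# Demo on constructed changelog text (not real package data).
demo_nullbyte_status() {
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' '* Tue Jan 01 2013 Packager <p@example.invalid> 5.3.3-1' \
        '- rebuild' > "$old"
    printf '%s\n' '* Wed Jan 01 2014 Packager <p@example.invalid> 5.3.3-2' \
        '- fix NUL byte handling in file paths (CVE-2006-7243)' > "$new"
    echo "5.3.3 old package: $(nullbyte_status 5.3.3 "$old")"
    echo "5.3.3 new package: $(nullbyte_status 5.3.3 "$new")"
    echo "5.3.8 any package: $(nullbyte_status 5.3.8 "$old")"
    rm -f "$old" "$new"
}
demo_nullbyte_status
```

A result of no-fix-recorded means only that neither the version nor the changelog shows the fix; treat the install as affected until one of them does.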


Note:
ownCloud 6 is currently available. Do not try to install or upgrade to version 6 on SME 8/9, because ownCloud 6 requires PHP 5.3.8.


Forum discussion

This how-to can be discussed on the forums here (locked) or here or here. Search for other posts.

Quick install

Download the latest version from here http://download.owncloud.org/community/owncloud-5.0.14a.tar.bz2

  • Create an ibay in server manager, with the following typical settings:
Information bay name - owncloud, Description - owncloud site, Group - Admin, User access - Write = group, Read = everyone, 
Public access via web - Entire Internet (no password required), Execution of dynamic content - Enabled
  • Extract ownCloud into the html directory of the new ibay (in this example called 'owncloud' )

In the following code, change the version number of owncloud to suit the current version downloaded from the owncloud website

cd /home/e-smith/files/ibays/owncloud/html/
wget http://download.owncloud.org/community/owncloud-5.0.14a.tar.bz2
tar xvf owncloud-5.0.14a.tar.bz2 
mv owncloud/* .
mv owncloud/.htaccess .
rm  index.html 
  • Set appropriate ibay settings at the command line prompt:
db accounts setprop owncloud \
AllowOverride All \
FollowSymLinks enabled \
Group www \
PHPBaseDir /home/e-smith/files/ibays/owncloud/:/tmp/ \
PublicAccess global \
UserAccess wr-group-rd-everyone

  • Update the ibay
signal-event ibay-modify owncloud

  • You also need to enable "allow_url_fopen" for the ibay:
 mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 nano -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/99allow_url_fopen
 
  • Paste the following and save the file:
 <Directory /home/e-smith/files/ibays/owncloud/html>
 php_admin_flag allow_url_fopen on
 </Directory>
 
  • Then at the command line prompt enter:
 expand-template /etc/httpd/conf/httpd.conf
 /etc/init.d/httpd-e-smith restart
 

4. Create a new MySQL database. (In this example the database name is databasename. Replace databasename, username and password with your own choices as required.)

Log in as root and issue the following commands:

mysql
create database databasename;
grant all privileges on databasename.* to username identified by 'password';
flush privileges;
exit

5. Browse to http://yourserver/owncloud and follow the install script

Optional Addons & Settings

Force Https

You can force https by checking 'Enforce HTTPS' in the Security section of the Admin section.

You can also force the https redirection whenever you use the http protocol:

see Https_redirection

User login and permissions

ownCloud provides several ways for users to log in and authenticate. In addition to the internal user authentication of ownCloud, you can authenticate SME users:


LDAP Authentication

Configure owncloud to authenticate against the internal SME OpenLDAP server (all SME users)

  • log into your owncloud webapp as admin who installed owncloud
  • go to apps and enable ldap authentication backend
  • go to admin, ldap section and use below settings
Host: localhost
Base DN: dc=[yourdomain],dc=[com] (as seen in the 'domains' section in SME server manager)
User DN: uid=admin,ou=Users,dc=[yourdomain],dc=[com]
Password: [SME admin password]
User Login Filter: uid=%uid
User List Filter: objectClass=person

For the variables between brackets [], use your specific settings. Test by creating a specific user and using that username and password, as opposed to using the admin's credentials. For more info on using SME OpenLDAP for authentication please see: http://wiki.contribs.org/LDAP_Authentication


LDAP Tweaks

It seems that when a user is created in SME and ownCloud is integrated via LDAP, it takes a while before the new user can log into ownCloud. Also, the error "Can't get cache storage, user not logged in" begins to appear in the ownCloud warning log. To fix this, and allow the new user to log in immediately, go to Settings -> Admin -> LDAP/Advanced tab and change the Cache Time To Live by +1 or -1. This forces the cache to update, and the new user will be able to log in to ownCloud straight away.


Note:
When setting up ldap following these instructions you may need to uncheck "tls" in the advanced tab of the ldap admin section in owncloud.


IMAP Authentication

Configure owncloud to authenticate against an IMAP server


Enable and Configure IMAP Authentication
  1. Login to your running owncloud configuration as an administrator
  2. Enable the app named "External user support"
    Note: "External user support" is included with owncloud as an "Internal app". There is an older add-on app named "IMAP user backend" that did not work for me.
  3. Edit <owncloud>/config/config.php and insert the text below inside the $CONFIG array:
    • Insert it in front of the last closing parenthesis in the file (make sure there's a comma at the end of the preceding entry)
    • Replace [mail.yourdomain.com] with your mail server name or IP address
    • Remove "/novalidate-cert" if your chosen mail server uses a signed SSL certificate
  'user_backends' => 
  array (
    0 => 
    array (
      'class' => 'OC_User_IMAP',
      'arguments' => 
      array (
        0 => '{[mail.yourdomain.com]:993/imap/ssl/novalidate-cert}',
      ),
    ),
  ),

When done, users will be able to login to your owncloud web interface using their mail server username and password. More information can be found here: http://owncloud.org/support/custom-user-configuration/
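The "/novalidate-cert" flag above turns off certificate checking for the connection that carries every user's mail password. The following added example (not from the original page or the ownCloud project) lists each IMAP mailbox string found in a config.php and says whether TLS is verified, unverified or not enforced; the function name imap_backend_audit and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the IMAP mailbox strings in an ownCloud config.php.
# imap_backend_audit and the sample config are constructed for illustration.

# imap_backend_audit CONFIG_FILE
# Prints "<host:port> <verdict>" for every quoted '{...}' mailbox string.
imap_backend_audit() {
    sed -n "s/.*'{\([^}']*\)}'.*/\1/p" "$1" | while IFS= read -r body; do
        hostport=${body%%/*}
        case $body in
            */*) flags="/${body#*/}/" ;;
            *)   flags=/ ;;
        esac
        case $flags in
            */novalidate-cert/*) verdict=tls-unverified ;;   # certificate never checked
            */ssl/*|*/tls/*)     verdict=tls-verified ;;     # TLS required, certificate checked
            *)                   verdict=tls-not-enforced ;; # may fall back to cleartext
        esac
        echo "$hostport $verdict"
    done
}

# Constructed sample config.php fragment (hosts are placeholders).
demo_imap_backend_audit() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
<?php
$CONFIG = array (
  'user_backends' =>
  array (
    0 => array ('class' => 'OC_User_IMAP',
      'arguments' => array (0 => '{mail.example.invalid:993/imap/ssl/novalidate-cert}')),
    1 => array ('class' => 'OC_User_IMAP',
      'arguments' => array (0 => '{mail2.example.invalid:993/imap/ssl}')),
    2 => array ('class' => 'OC_User_IMAP',
      'arguments' => array (0 => '{mail3.example.invalid:143/imap}')),
  ),
);
EOF
    imap_backend_audit "$cfg"
    rm -f "$cfg"
}
demo_imap_backend_audit
```

Any backend reported as tls-unverified or tls-not-enforced is worth moving to a certificate the server can validate before users start logging in with their mail passwords.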

Enable Automatic IMAP User Creation

This discussion on the Owncloud bug tracker describes patches that provide more automated IMAP user management: https://github.com/owncloud/apps/issues/302

The patches provide these capabilities:

  • Create new Owncloud users when unrecognized users login using IMAP
  • Add new users to a group named for the domain portion of their email address
  • Optionally set an Owncloud quota based on the user's email domain
  • Update the Owncloud password for any existing user who logs in using IMAP

Sync Issues (Turning off magic quotes in php)

I had issues when deleting files in my client. Turning off magic quotes fixed the problem. Edit your php.ini using custom templates.

cd /etc/e-smith/templates-custom/etc/php.ini
  • Edit template-begin file
  • Add the following and save file:
php_value magic_quotes_gpc = Off
php_value magic_quotes_runtime = Off
php_value magic_quotes_sybase = Off
  • Then run:
expand-template /etc/php.ini
sv t httpd-e-smith

Allow Sharing with IMAP Users

To allow sharing with your IMAP users, you need to manually add each IMAP user account to the oc_users table using commands like those below at a shell prompt on your SME server:

mysql owncloud
insert into oc_users (uid,password) values ('[xyzuser@mail.yourdomain.com]','*');

  • owncloud: replace with the name of the database you created for owncloud
  • [xyzuser@mail.yourdomain.com]: replace with the exact login string used by the user when they login

Problems

By default:

  • Users who login using IMAP Authentication are not automatically added to the owncloud "oc_users" table. Consequently, they are not offered as options when other users want to share files with them.
  • IMAP authenticated users will be unable to connect using the owncloud client sync program.
  • If your IMAP server allows alternative username syntax, owncloud will create a separate account for each username format that allows successful authentication. That is, if your IMAP server allows users to optionally include or omit the domain name, you might create a user account entry for "xyzuser@mail.yourdomain.com", then find that the user always logs in using simply "xyzuser", which succeeds during the IMAP authentication, but is a different account within owncloud.

Using the Owncloud Client

In order for an IMAP-authenticated user to configure the owncloud client sync program:

  • The system administrator must add the username to the oc_users table manually as described above

Then the user must:

  • login to the web interface
  • open his/her personal settings
  • "change" the password in owncloud to match the password on the IMAP server.

Mozilla Sync

Mozilla Sync is an addon for OwnCloud that allows users to securely synchronize Firefox settings across multiple devices (tabs, bookmarks, history, saved passwords).

The owncloud instructions for installing and configuring Mozilla Sync addon can be found here: https://github.com/owncloud/mozilla_sync/blob/master/INSTALL.md

The Mozilla Sync addon is included by default in OwnCloud 6 and simply needs to be 'enabled' by an admin. The addon requires separate installation steps in Owncloud 5.

Install Mozilla Sync in OwnCloud 5

These instructions assume that you have installed owncloud into an ibay named owncloud:

Using a zipped tarball:

cd /home/e-smith/files/ibays/owncloud/files
wget https://github.com/owncloud/mozilla_sync/archive/master.zip -O master.zip
sudo -u www unzip master.zip
mv mozilla_sync-master /home/e-smith/files/ibays/owncloud/html/apps/mozilla_sync

Using Git:

cd /home/e-smith/files/ibays/owncloud/html/apps
sudo -u www git clone https://github.com/owncloud/mozilla_sync.git
cd mozilla_sync
sudo -u www git checkout master

Server settings to enable Mozilla Sync

Now, on the server:

  • login to your owncloud instance as an administrator
  • Open the 'Apps' page
  • 'Enable' the Mozilla Sync app
  • Verify that all 'Mozilla Sync' users have a unique email address configured in their user profile (Mozilla sync (in Firefox) authenticates using the user's email address).

Firefox settings to enable Mozilla Sync

Setup sync using the email address you verified above, using the password for the user that matches the email address.

The address for your 'custom server' should look like:
https://<path-to-your-owncloud>/remote.php/mozilla_sync/
