This shows you the differences between two versions of the page.
help:technical:znc [2017/05/23 15:51] rubin |
help:technical:znc [2017/05/26 15:55] (current) rubin |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== ZNC install for network Administrators ====== | ====== ZNC install for network Administrators ====== | ||
- | This guide tells how we install ZNC for our whole network, with integrated login to our X3 services. | ||
- | ===== Install ===== | + | This is a guide for IRC Network Administrators. If you just want to connect to AfterNET' |
+ | |||
+ | If you use X3 with ldap support (Or any services with ldap support) you can host a ZNC bouncer for all your users to use, by using ZNC's cyrusauth module. Here is how we build ZNC for afternet: | ||
+ | |||
+ | ===== Install | ||
+ | * Install saslauthd package: '' | ||
+ | * edit ''/ | ||
+ | |||
+ | START=yes | ||
+ | MECHANISM=" | ||
+ | |||
+ | * edit/create ''/ | ||
+ | |||
+ | ldap_servers: | ||
+ | ldap_search_base: | ||
+ | ldap_filter: | ||
+ | # | ||
+ | |||
+ | * Copy the CA certificate matching your ldap server to / | ||
+ | * start saslauthd: ''/ | ||
+ | * Test saslauthd: '' | ||
+ | * Troubleshooting: | ||
+ | * Stop saslauthd and run it in debug mode: ''/ | ||
+ | * check ''/ | ||
+ | * try ldapsearch and see if that works: | ||
+ | |||
+ | ldapsearch -D " | ||
+ | |||
+ | ===== Install ZNC ===== | ||
Assuming a debian 8 (jessie) base system: | Assuming a debian 8 (jessie) base system: | ||
+ | * Add the znc user account to the sasl group: '' | ||
* Install debian backports: add '' | * Install debian backports: add '' | ||
* Install build dependencies by cheating a bit using the debian dependency list: '' | * Install build dependencies by cheating a bit using the debian dependency list: '' | ||
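Review bot: The added saslauthd section comes before the line "Assuming a debian 8 (jessie) base system", which still sits under "Install ZNC", so the new package and config-file steps never say which distribution they apply to; move that assumption above the saslauthd section or repeat it there. The added step "Add the znc user account to the sasl group" also relies on a znc account that no visible step creates, so add a step (or a pointer) for creating it. Minor: "afternet" in the second added paragraph should match the "AfterNET" spelling in the first, and "Or" inside the parenthesis should be lower case.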
Line 14: | Line 42: | ||
* git clone the repository. We maintain some patches to ZNC for integration with sasl/ldap etc so you'll want to use the latest version branch from our znc fork: [[https:// | * git clone the repository. We maintain some patches to ZNC for integration with sasl/ldap etc so you'll want to use the latest version branch from our znc fork: [[https:// | ||
* cd to the cloned repository | * cd to the cloned repository | ||
+ | * ./configure --prefix=/ | ||
* enable git submodules: '' | * enable git submodules: '' | ||
* compile: '' | * compile: '' | ||
* install: '' | * install: '' | ||
+ | * Remove plugins (See list below) that you don't want around for security or irrelevance | ||
* Run for the first time, from the install directory: '' | * Run for the first time, from the install directory: '' | ||
* Username: admin | * Username: admin | ||
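Review bot: The added "./configure --prefix=/" bullet is the only step in this list with no description and no monospace markup, unlike "enable git submodules: ''" and "compile: ''" beside it; give it a label and the same markup so the command is clearly delimited. The added "Remove plugins (See list below)" step should name the Security section it points to and say "modules", the term the script there uses, so readers can find the list.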
Line 24: | Line 54: | ||
* Real name: ZNC Administrator | * Real name: ZNC Administrator | ||
* Bind host: empty | * Bind host: empty | ||
+ | * Connect to the ZNC using an irc client as the above user | ||
+ | * Load the cyrusauth module with subcomponents: | ||
+ | * Create a dummy user in znc to use as a skel/clone identity: ''/ | ||
+ | * Configure this user how you want them. Mainly use your above zncadmin account to disable their flag access to bind. | ||
+ | * Configure cyrusauth module: (''/ | ||
+ | * Set cyrusauth module to use it the cloneuser: '' | ||
+ | * Let it create users: '' | ||
+ | * Your services/ | ||
+ | * A network to configure for cloned users: '' | ||
+ | * A server to configure for them: '' | ||
+ | * Salt is used to unpredictibly hash usernames: '' | ||
+ | * A WebIRC Block in nefarious lets us setup our hostname: '' | ||
+ | * What hostname to use: '' | ||
+ | * Load the sasl module: ''/ | ||
+ | * Configure the sasl module (''/ | ||
+ | * Require authentication: | ||
+ | * SASL Mechanism to support: '' | ||
+ | * Set < | ||
+ | |||
+ | ===== Setup IRCD ===== | ||
+ | * Add a webIRC line: | ||
+ | |||
+ | WebIRC { | ||
+ | description = " | ||
+ | host = " | ||
+ | pass = " | ||
+ | }; | ||
+ | | ||
+ | * Except block to protect znc from flood limits: | ||
+ | |||
+ | Except { | ||
+ | host = " | ||
+ | gline = yes; | ||
+ | rdns = yes; | ||
+ | ipcheck = yes; | ||
+ | targetlimit = yes; | ||
+ | }; | ||
+ | |||
+ | ===== Security ===== | ||
+ | I run this script after '' | ||
+ | |||
+ | < | ||
+ | #!/bin/bash | ||
+ | |||
+ | RM='/ | ||
+ | echo "Lets delete modules we dont trust or need for security!" | ||
+ | |||
+ | #Lets remove unsafe modules! | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | $RM lib/ | ||
+ | # | ||
+ | # | ||
+ | $RM lib/ | ||
+ | # | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | # ADD? # | ||
+ | # | ||
+ | # | ||
+ | # ADD? # | ||
+ | # ADD? # | ||
+ | # | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | # | ||
+ | # | ||
+ | $RM lib/ | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | $RM lib/ | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | $RM lib/ | ||
+ | # | ||
+ | $RM lib/ | ||
+ | #$RM lib/ | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | #$RM lib/ | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | # | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | # | ||
+ | # ADD? # | ||
+ | # | ||
+ | # | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | # ADD? # | ||
+ | # ADD? # | ||
+ | # | ||
+ | $RM lib/ | ||
+ | # | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | $RM lib/ | ||
+ | # | ||
+ | # | ||
+ | # ADD? # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | </ | ||
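Review bot: The cleanup script under "Security" deletes with relative "$RM lib/" paths and never changes or checks its working directory, so what it removes depends on where it is started; have it cd to the install prefix (or take the prefix as an argument) and exit if that fails. It is also a denylist with several "# ADD?" entries still undecided, so any module the list does not name stays installed after the next build; consider listing the modules to keep and removing everything else. In the IRCD section, the bullet says the Except block protects znc from flood limits, but the block also sets "gline = yes", "rdns = yes" and "ipcheck = yes"; describe those exemptions too so operators know what they are granting the bouncer host. Smaller points: "your above zncadmin account" does not match the "Username: admin" chosen at first run, "unpredictibly" should be "unpredictably", and "to use it the cloneuser" has a stray "it".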