Cool Solution - Setting up an iTALC Master
From Univention Wiki
iTALC Master Installation
This Cool Solution explains how to set up an iTALC Master on a Windows client. For information on setting up an iTALC Client, see the corresponding documentation.
Making the private iTALC key accessible
Execute the following command on your UCS server to make the private key accessible from your Admin user's home directory on the Windows client:
cp /etc/italc/keys/private/teacher/key /home/<ADMIN USER>
Install iTALC Master on Windows
On the Windows client open the network share of your UCS server. With the UCS@School installation a shared folder called "iTALC installation", containing the setup wizards for iTALC, has been created. Start the setup wizard for your architecture and make sure that "iTALC Master" is checked during the installation.
Open the iTALC Management Console and switch to the tab "Authentication". Click on "Launch key file assistant". Click "Next" and choose "Create new access keys", click "Next". Choose the role "Teacher" and click "Next". Uncheck "Export public key part" and click "Next". Finish the wizard.
Now that the folder structure has been created, you can import the proper private key. Delete the file C:\ProgramData\iTALC\keys\private\teacher\key. When you are logged in with your admin user on the Windows client, you can access its home directory on the UCS server by opening \\<UPPERCASE HOSTNAME OF YOUR UCS SERVER>\<ADMIN USER> in Explorer. Copy the file "key" from this folder to C:\ProgramData\iTALC\keys\private\teacher. Having imported the private key, you should also import the proper public key using the wizard as documented here.
Now you need to allow your admin user to authenticate. Open the iTALC Management Console and switch to the tab "Authentication", click on "Manage permissions" and "Add". In the text field "Enter the object names to select" you can specify one or multiple usernames or groups to add. You could for example add the group "Domain Admins". Click on "Check Names" and make sure the wizard found the right LDAP objects. If it did, click "OK", make sure the checkbox "Allow" for "Full control" is checked for your groups or usernames and click "OK" again.
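As an added example (not part of the original article or of UCS@School), the following shell helpers show one way to do the key copy from the first step so that the copy in /home/<ADMIN USER> is readable only by its owner, and to remove that copy once the import on the Windows client is done. The function names stage_key, unstage_key and key_mode are hypothetical, and GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example: stage the iTALC teacher private key in a home directory
# with owner-only permissions, and remove the staged copy after the import.
# stage_key, unstage_key and key_mode are hypothetical helper names.

# stage_key SRC DEST_DIR [OWNER]: copy SRC to DEST_DIR/key with mode 0600.
stage_key() {
    src=$1; dest_dir=$2; owner=${3:-}
    dest="$dest_dir/key"
    [ -f "$src" ] || { echo "missing source key: $src" >&2; return 1; }
    [ -d "$dest_dir" ] || { echo "missing home directory: $dest_dir" >&2; return 1; }
    # Create the copy with restrictive permissions from the start.
    ( umask 077 && install -m 0600 "$src" "$dest" ) || return 1
    # Hand the file to the admin user; chown only works when run as root.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dest" || return 1
    fi
    # Confirm the staged copy is byte-identical to the server's key.
    cmp -s "$src" "$dest" || { echo "copy differs from source" >&2; return 1; }
    echo "$dest"
}

# unstage_key DEST_DIR: delete the staged copy; succeeds if it is already gone.
unstage_key() {
    dest="$1/key"
    [ -e "$dest" ] || return 0
    rm -f -- "$dest"
}

# key_mode FILE: print the octal permission bits of FILE (GNU stat).
key_mode() {
    stat -c '%a' "$1"
}
```

Run as root on the UCS server, for example `stage_key /etc/italc/keys/private/teacher/key /home/<ADMIN USER> <ADMIN USER>`, and call `unstage_key /home/<ADMIN USER>` after the key has been copied to the Windows client.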