Master Controller/Software

From ESCTL
Latest revision as of 01:39, 24 January 2016

Download esctl software

  • apt-get install git
  • mkdir esctl
  • cd esctl
  • git archive --remote=ssh://username@giles.northenden.ninja.org.uk/data/code/git/esctl master server/trunk/controller | tar xv --strip-components=3 -f -
  • git archive --remote=ssh://username@giles.northenden.ninja.org.uk/data/code/git/esctl master server/trunk/schema | tar xv --strip-components=2 -f -

Configure LDAP

If you are using [Netscape/Fedora/CentOS/389] Directory Server

  • cd esctl/schema/
  • cp -p 70esctl.ldif /etc/ldap/schema/
  • vi /usr/share/slapd/slapd.conf
    • include /etc/ldap/schema/70esctl.ldif

If you are using Debian

  • sudo apt-get install slapd ldap-utils

It will ask you for the root password, but no other information. So, reconfigure the LDAP server as follows:

  • sudo dpkg-reconfigure --force slapd
    • Do not omit initial configuration
    • DNS domain name: customername.hosted.esctl.co.uk
    • Organization name: customername
    • Administrator password: ****
    • Database backend to use: MDB (if available), else HDB
    • Remove database when slapd is purged? Yes (??!!)
    • Move old files out of the way: Yes
    • Allow LDAPv2 protocol?: No
  • sudo /etc/init.d/slapd restart

Add esctl schema extension
  • mkdir ~/schemaconv
  • cd ~/schemaconv
  • cp -p ~/esctl/schema/70esctl.schema .
  • touch empty

Now create a config file to generate the appropriate LDIF from the supplied .schema file. The earlier includes are present to ensure that the output LDIF file has the prefix of {4}, which ensures it is loaded 5th by the LDAP server (so that any prerequisites are present by the time it loads). Check the /etc/ldap/slapd.d/cn\=config/cn\=schema/ directory first: count the cn={N}*.ldif files already there, so that {4} is really the next free index, and use one empty include per existing file.

  • vi convert.conf
include /home/pi/schemaconv/empty
include /home/pi/schemaconv/empty
include /home/pi/schemaconv/empty
include /home/pi/schemaconv/empty
include /home/pi/schemaconv/70esctl.schema

(Change /home/pi to your own home directory)

Your schemaconv directory should look something like this:

~/schemaconv# ls -l
total 16
-rw-r--r-- 1 root root 2497 Nov 20 19:01 70esctl.schema
-rw-r--r-- 1 root root  162 Nov 20 18:59 convert.conf
-rw-r--r-- 1 root root    0 Nov 20 18:56 empty

Next, create the LDIF file using the slaptest utility:

  • slaptest -f convert.conf -F ~/schemaconv
config file testing succeeded

Move the file into place and restart the LDAP server:

  • sudo cp -p ~/schemaconv/cn=config/cn=schema/cn={4}70esctl.ldif /etc/ldap/slapd.d/cn\=config/cn\=schema/
  • sudo chown openldap /etc/ldap/slapd.d/cn\=config/cn\=schema/cn={4}70esctl.ldif
  • sudo service slapd restart
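The number of empty includes has to match what slapd already has loaded, so this added helper (not part of the esctl project; SCHEMA_DIR and the file names are assumptions) derives it from the live cn=config directory instead of hard-coding four:

```python
"""Build convert.conf for slaptest so that 70esctl.schema is numbered after every
schema slapd has already loaded (the page hard-codes four 'empty' includes for {4}).
Added example, not part of the esctl project; SCHEMA_DIR and file names are assumptions."""
import os
import re

SCHEMA_DIR = "/etc/ldap/slapd.d/cn=config/cn=schema"   # assumed Debian slapd layout
_INDEXED = re.compile(r"^cn=\{(\d+)\}.*\.ldif$")         # e.g. cn={3}inetorgperson.ldif


def next_index_from_names(names):
    """Index the next converted schema will get: one past the highest {N} present.
    Using max+1 rather than a plain count survives gaps left by removed schemas."""
    found = [int(m.group(1)) for m in map(_INDEXED.match, names) if m]
    return max(found) + 1 if found else 0


def next_schema_index(schema_dir=SCHEMA_DIR):
    """Same, read from the live cn=config schema directory."""
    return next_index_from_names(os.listdir(schema_dir))


def build_convert_conf(work_dir, schema_file, n_empty):
    """One 'include <empty>' per already-loaded schema, then the real schema, so
    slaptest numbers the real one {n_empty}."""
    empty = os.path.join(work_dir, "empty")
    lines = [f"include {empty}" for _ in range(n_empty)]
    lines.append(f"include {os.path.join(work_dir, schema_file)}")
    return "\n".join(lines) + "\n"


def write_convert_conf(work_dir, schema_dir=SCHEMA_DIR, schema_file="70esctl.schema"):
    """Write 'empty' and convert.conf into work_dir; returns the {N} to expect."""
    n = next_schema_index(schema_dir)
    open(os.path.join(work_dir, "empty"), "a").close()      # same as 'touch empty'
    with open(os.path.join(work_dir, "convert.conf"), "w") as fh:
        fh.write(build_convert_conf(work_dir, schema_file, n))
    return n


if __name__ == "__main__":
    work = os.path.expanduser("~/schemaconv")
    os.makedirs(work, exist_ok=True)
    n = write_convert_conf(work)
    print(f"expect cn={{{n}}}70esctl.ldif after: slaptest -f {work}/convert.conf -F {work}")
```

After running it, the slaptest, cp and chown steps above apply unchanged, with {4} replaced by whatever index the script reported.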

Active Directory notes

  • There is an installer for schema extensions; this is in the form of a .cmd file that must be run from the same directory as the accompanying LDIFs.

If you are using Samba as an Active Directory domain controller

  • The user you run as may need to be added as a member of the 'Schema Admins' group
  • You may need to add the following to smb.conf:
 dsdb:schema update allowed = true

Note that there is a bug in earlier versions of Samba 4, if you are using this as an Active Directory controller. Time/date entries are not processed correctly, so if you use Active Directory Users and Computers or ADSI Edit to populate a time/date based attribute e.g. escDateFrom, you may get an error such as "Operation failed. Error code: 0x200b The attribute syntax specified to the directory service is invalid. 000200B: objectclass_attrs: attribute 'escDateFrom' on entry 'ET=xxx,OU=xxx,DC=xxx' contains at least one invalid value!"

To set up the tree and populate with user information

  • Create the esctl tree in Active Directory first, using Active Directory Users and Computers. (Create Organisational Unit for ‘esctl’, then OUs for ‘readers’ and ‘tokens’)
    • Remove the default ‘authenticated users’ permissions on this tree, and replace with a specific user, which should be read-only for esctl, at the top of this tree. Modify the permission for this user in Advanced so that it applies to ‘This object and all descendant objects’
    • User could for example be cn=esctl,cn=Users,dc=mydomain,dc=co,dc=uk
    • This user also needs to have 'List contents' permission for any higher level objects, e.g. I needed to grant this for ou=mylocation,dc=mydomain,dc=com as my entire esctl tree is under ou=esctl,ou=mylocation,dc=mydomain,dc=com (and users are in ou=Users,ou=mylocation,dc=mydomain,dc=com)
  • To easily display the escuid, escgid and other information in Active Directory Users and Computers, assuming US-English locale (409), follow the guide here and add the following to extraColumns of CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers of the Configuration naming context.
 escuid,esctl UID,0,-1,0
 escgid,esctl GID,0,-1,0
 escDays,Days,0,65,0
 escTimeFrom,Time From,0,-1,0
 escTimeTo,Time To,0,-1,0
 escDateFrom,Date From,0,-1,0
 escDateTo,Date To,0,-1,0
 escDoor,Door,0,-1,0

Also see Display Specifier docs here


Create standard groups & users

In a fresh OpenLDAP installation you will need to create the following standard LDAP groups, users etc:

    • ou=Special Users
    • ou=People
    • ou=Groups

dn: ou=People,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: Groups

Create a file e.g. esc-users.ldif with the entries from above (change customername & password) and add it using:

  • sudo ldapmodify -H ldapi:/// -D "cn=admin,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk" -x -W -f ./esc-users.ldif

Add read-only access to LDAP for esctl controller

If you would like your esctl controller software to connect to your LDAP server via a read-only user, rather than using the LDAP admin user, you first need to add an ESCTL Controller user:

dn: ou=Special Users,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: Special Users

dn: cn=ESCTL Controller,ou=Special Users,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: ********
description: ESCTL Controller
cn: ESCTL Controller

Then you can use something like the sample olc-esc-access.ldif file supplied, to tell OpenLDAP to allow the "ESCTL Controller" user to access the esctl data in LDAP:

  • cd ~/esctl/schema
  • cp olc-esc-access.ldif.template olc-esc-access.ldif
  • vi olc-esc-access.ldif (Ensure the root DN is correct, i.e. perhaps replace CUSTOMERNAME with your customer name, and change hdb to mdb if that is what was used during installation)

Then apply the LDIF:

  • ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olc-esc-access.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"

Create indexes to optimise performance

  • cd ~/esctl/schema/
  • ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olc-db-index.ldif


Sample LDAP schema content

version: 1

dn: ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: esctl

dn: ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: readers

dn: ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: tokens

dn: ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: 1
description: Door 1

dn: cn=Manager,ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escReader
cn: Manager
escDoor: 1
escgid: esctl Manager

dn: cn=Resident,ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escReader
cn: Resident
escDoor: 1
escgid: esctl Resident

dn: et=PIN:1234,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escToken
et: PIN:1234
escuid: jbloggs

dn: et=C0572A00,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escToken
# the et value must be the same as the RDN value in the dn above, or the entry is rejected
et: C0572A00
escDateFrom: 20140128001003Z
escDateTo: 20380101000000Z
escuid: jbloggs
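Before loading a file like the one above, it is worth checking that each RDN value really appears in its naming attribute and that token date windows are what you expect. The following is an added example, not esctl project code; its SAMPLE_LDIF is constructed from the page's token entries and deliberately keeps a mismatched et value on the second one so the check has something to find:

```python
"""Sanity-check an esctl LDIF export before loading it: RDN values must appear in the
naming attribute, and escDateFrom/escDateTo must bracket the time of interest. Added
example, not esctl code; SAMPLE_LDIF is constructed and keeps a mismatched et on purpose."""
from datetime import datetime, timezone

SAMPLE_LDIF = """\
dn: et=PIN:1234,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escToken
et: PIN:1234
escuid: jbloggs

dn: et=C0572A00,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escToken
et: C15A2D03
escDateFrom: 20140128001003Z
escDateTo: 20380101000000Z
escuid: jbloggs
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines, folded
    lines starting with a space; '#' and 'version:' lines skipped, '::' not decoded."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:            # trailing "" flushes the last entry
        if raw.startswith("#") or raw.startswith("version:"):
            continue
        if raw == "":
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif raw.startswith(" ") and last is not None:  # continuation of previous value
            cur[last][-1] += raw[1:]
        else:
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries

def check_rdn(entry):
    """slapd rejects an entry whose RDN value is absent from the naming attribute (the
    page's et=C0572A00 / et: C15A2D03 pair). Returns None when consistent."""
    dn = entry["dn"][0]
    attr, _, value = dn.split(",", 1)[0].partition("=")   # single-valued RDN only
    attr, value = attr.strip().lower(), value.strip()
    if value not in entry.get(attr, []):
        return f"{dn}: naming attribute '{attr}' lacks {value!r} (has {entry.get(attr)})"
    return None

def parse_gt(value):
    """LDAP GeneralizedTime as the page writes it, e.g. 20140128001003Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def token_valid_at(entry, when=None):
    """True if 'when' (aware datetime, default now) is inside escDateFrom..escDateTo;
    an absent bound is open-ended."""
    when = when or datetime.now(timezone.utc)
    if "escdatefrom" in entry and when < parse_gt(entry["escdatefrom"][0]):
        return False
    if "escdateto" in entry and when > parse_gt(entry["escdateto"][0]):
        return False
    return True

def report(text, when=None):
    """Every problem in an LDIF text: RDN mismatches and tokens not valid at 'when'."""
    problems = []
    for e in parse_ldif(text):
        msg = check_rdn(e)
        if msg:
            problems.append(msg)
        if "esctoken" in [c.lower() for c in e.get("objectclass", [])] \
                and not token_valid_at(e, when):
            problems.append(f"{e['dn'][0]}: token outside its validity window")
    return problems
```

Running report() over an ldapsearch -LLL export of ou=tokens gives the same two classes of finding for a live directory.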


MySQL

You need to have the MySQL database server installed.

The script below (log.mysql) will automatically create the 'esctl' database, and within this database will create the 'log' table that is required for the controller to log any accesses.

  • mysql -u root -p < ~/esctl/controller/log.mysql

You must also create a MySQL user for the controller to use when adding new log entries.

  • mysql -u root -p
    • grant insert,select on esctl.log to esctl_log@localhost identified by '***********';

Local configuration

A sample configuration file is included - copy this in place and edit according to your local needs. At a minimum you will need to check the database and LDAP login details, and the LDAP Base DN.

  • cp config.pm.template config.pm
  • vi config.pm

System logging

esctl logs via the standard syslog mechanism, using the "local3" facility. You can redirect these log entries to a specific file as below - by default these are not saved anywhere on a Debian system.

  • sudo vi /etc/rsyslog.d/esctl.conf
local3.*        /var/log/esctl
  • sudo service rsyslog restart

xinetd

For the controller to operate, 'xinetd' is used. A sample configuration file is supplied - copy this into place and check that the path to esctl-node.pl is correct for your installation.

  • sudo cp -p xinetd.d-esctl /etc/xinetd.d/esctl

Finally, restart xinetd to enable esctl!

  • sudo service xinetd restart

Web lastlog

Optionally, you can configure a web server to serve out information on who most recently accessed doors via esctl. Make sure you secure this appropriately, via firewall and/or htaccess & password controls.

On the Raspberry Pi platform I usually use mini-httpd:

  • apt-get install mini-httpd
  • vi /etc/default/mini-httpd (Set START=1)
  • vi /etc/mini-httpd.conf (Comment out host=localhost)


Copy the 'lastlog' web application into place, and ensure it is able to read its configuration (can be shared with esctl controller):

  • mkdir /usr/share/mini-httpd/html/cgi-bin
  • cp -p /root/esctl/httpd/lastlog/lastlog /usr/share/mini-httpd/html/cgi-bin/
  • cp -p /root/esctl/controller/config.pm /usr/share/mini-httpd/html/cgi-bin/

Edit config.pm to remove everything other than $DB_* and the trailing 1;
