Master Controller/Software

From ESCTL
Revision as of 00:09, 23 November 2014

Download esctl software

Configure LDAP

If you are using [Netscape/Fedora/CentOS/389] Directory Server

  • cd esctl/schema/
  • cp -p 70esctl.ldif /etc/ldap/schema/
  • vi /usr/share/slapd/slapd.conf
    • include /etc/ldap/schema/70esctl.ldif

If you are using Debian

  • apt-get install slapd ldap-utils

The package install prompts only for the LDAP administrator password and nothing else, so reconfigure the server to set the domain and organisation as follows:

  • dpkg-reconfigure --force slapd
    • DNS domain name: customername.hosted.esctl.co.uk
    • Organization name: customername
    • Administrator password: ****
    • Database backend to use: HDB
    • Remove database when slapd is purged? Yes (answer No if the directory data under /var/lib/ldap should survive a purge of the package)
    • Allow LDAPv2 protocol?: No
  • /etc/init.d/slapd restart

Add esctl schema extension
  • mkdir /root/schemaconv
  • cd /root/schemaconv
  • touch empty

Now create a config file to generate the appropriate LDIF from the supplied .schema file. The four includes of the empty file that precede it are there so that the generated LDIF gets the prefix {4}, i.e. it is loaded fifth by the LDAP server, after the schemas it depends on. Check the /etc/ldap/slapd.d/cn\=config/cn\=schema/ directory first to confirm that {4} really is the next free index on your server; if it is not, use as many empty includes as there are existing schema entries.

  • vi convert.conf
include /root/schemaconv/empty
include /root/schemaconv/empty
include /root/schemaconv/empty
include /root/schemaconv/empty
include /root/schemaconv/70esctl.schema

Your directory should look something like this (the zero-length empty file created by touch is omitted from the listing):

~/schemaconv# ls -l
total 16
-rw-r--r-- 1 root root 2497 Nov 20 19:01 70esctl.schema
-rw-r--r-- 1 root root  162 Nov 20 18:59 convert.conf

Next, create the LDIF file using the slaptest utility:

  • slaptest -f convert.conf -F /root/schemaconv
config file testing succeeded

Move the file into place, keeping the cn= prefix in its name, and restart the LDAP server. slapd's own files under slapd.d are owned by openldap and mode 0600, so match that rather than leaving the root-owned 0644 copy:

  • cp -p /root/schemaconv/cn=config/cn=schema/cn={4}70esctl.ldif /etc/ldap/slapd.d/cn\=config/cn\=schema/
  • chown openldap:openldap /etc/ldap/slapd.d/cn\=config/cn\=schema/cn\=\{4\}70esctl.ldif
  • chmod 600 /etc/ldap/slapd.d/cn\=config/cn\=schema/cn\=\{4\}70esctl.ldif
  • service slapd restart
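The same procedure as one script, added here as a worked example rather than the project's own tooling: it reads the next free {N} index from the live cn=schema directory instead of hard-coding 4, writes that many empty includes into convert.conf, installs the generated LDIF with the right owner and mode, and after the restart confirms that the entry actually appears under cn=schema,cn=config. The paths are the ones the page uses; the function names, the `run` argument guard and the Debian default listing quoted in the comments are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not ESCTL project code): convert 70esctl.schema to a cn=config
# LDIF whose {N} index is computed from the live slapd.d directory, install it,
# and verify slapd loaded it. Paths are the page's; the "run" guard is ours.
set -eu

SCHEMA_DIR='/etc/ldap/slapd.d/cn=config/cn=schema'   # live schema entries
WORK=/root/schemaconv                                  # scratch directory from the page
SCHEMA_NAME=70esctl

# next_index: read cn={N}name.ldif filenames on stdin, print (highest N) + 1.
# With the Debian defaults {0}core {1}cosine {2}nis {3}inetorgperson (assumed
# listing) this prints 4, the index the page expects.
next_index() {
    max=-1
    while IFS= read -r f; do
        n=$(printf '%s\n' "$f" | sed -n 's/^cn={\([0-9][0-9]*\)}.*\.ldif$/\1/p')
        [ -n "$n" ] || continue
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo $((max + 1))
}

# make_conf N SCHEMA EMPTY: emit a slaptest config with N includes of the empty
# file ahead of the real schema, so slaptest numbers the entry cn={N}<schema>.
make_conf() {
    n=$1 schema=$2 empty=$3
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "include $empty"
        i=$((i + 1))
    done
    echo "include $schema"
}

run_conversion() {
    mkdir -p "$WORK"
    : > "$WORK/empty"
    idx=$(ls "$SCHEMA_DIR" | next_index)
    make_conf "$idx" "$WORK/$SCHEMA_NAME.schema" "$WORK/empty" > "$WORK/convert.conf"
    slaptest -f "$WORK/convert.conf" -F "$WORK"

    src="$WORK/cn=config/cn=schema/cn={$idx}$SCHEMA_NAME.ldif"
    dst="$SCHEMA_DIR/cn={$idx}$SCHEMA_NAME.ldif"
    [ -f "$src" ] || { echo "expected $src was not generated" >&2; exit 1; }
    cp -p "$src" "$dst"
    chown openldap:openldap "$dst"
    chmod 600 "$dst"            # same mode slapd uses for its own slapd.d files
    service slapd restart

    # A malformed LDIF is rejected at startup and the entry is then simply
    # absent from cn=schema,cn=config, so look for it explicitly.
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config -s one dn \
        | grep -q "cn={$idx}$SCHEMA_NAME,cn=schema,cn=config"
    echo "cn={$idx}$SCHEMA_NAME is loaded"
}

if [ "${1:-}" = run ]; then run_conversion; fi
```

Run it as root with the single argument `run` after copying 70esctl.schema into /root/schemaconv; without the argument it only defines the functions, which is what lets the index and config logic be exercised on a machine without slapd.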

Add read-only access to LDAP for esctl controller

If you would like your esctl controller software to connect to your LDAP server via a read-only user, rather than using the LDAP admin user, you can use something like this. The rule matters for everyone else too: ou=tokens holds PINs and card serials in clear, and the Debian default database ACL ends with a catch-all rule that lets any client read, so without it every anonymous or bound client could read them. The rule is inserted at {1} so that it sits ahead of that catch-all; slapd applies the first "to" clause whose target matches, so an esctl rule appended after it would never take effect. Check the existing olcAccess values on olcDatabase={1}hdb,cn=config before choosing the index. The controller DN here matches the cn=ESCTL Controller entry created under ou=Special Users below.

  • vi olc-esc-access.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.sub="ou=esctl,dc=<<ROOTDN>>"
  by dn="cn=ESCTL Controller,ou=Special Users,dc=<<ROOTDN>>" read
  by self write
  by * none
  • ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olc-esc-access.ldif


Sample LDAP directory content

version: 1

dn: ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: esctl

dn: ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: readers

dn: ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: tokens

dn: ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: 1
description: Door 1

dn: cn=Manager,ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escReader
cn: Manager
escDoor: 1
escgid: esctl Manager

dn: cn=Resident,ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escReader
cn: Resident
escDoor: 1
escgid: esctl Resident

dn: et=PIN:1234,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escToken
et: PIN:1234
escuid: jbloggs

dn: et=C0572A00,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escToken
et: C0572A00
escDateFrom: 20140128001003Z
escDateTo: 20380101000000Z
escuid: jbloggs


  • Need to create, as organizationalUnit entries under the base DN, before the controller entry is added:
    • ou=Special Users
    • ou=People
    • ou=Groups
dn: cn=ESCTL Controller,ou=Special Users,dc=<<ROOTDN>>
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: ********
description: ESCTL Controller
cn: ESCTL Controller

Replace ******** with the output of slappasswd so that the directory stores an {SSHA} hash rather than the cleartext password, and keep the single colon after userPassword: the double-colon form means the value is base64 encoded, which a hash string is not.
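An added example, not the ESCTL project's code, tying this step together with the read-only access rule above: it generates the olcAccess change and the ou=Special Users container plus controller entry from a single base DN, loads them, and then checks the result both offline with slapacl and live with an anonymous search against ou=esctl. The BASE value is an assumed suffix standing in for dc=<<ROOTDN>>, the cn=admin rootdn is the Debian default from dpkg-reconfigure, and the function names and the `run` argument guard are the script's own.

```shell
#!/bin/sh
# Added example, not ESCTL project code: generate the olcAccess rule and the
# ESCTL Controller bind entry from one base DN, load them, then check with
# slapacl and with a real anonymous search that only the controller can read
# ou=esctl. BASE is an assumed suffix; the "run" argument guard is ours.
set -eu

BASE='dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk'    # assumed suffix
CONTROLLER_DN="cn=ESCTL Controller,ou=Special Users,$BASE"

# access_ldif BASE: the page's rule with the base DN filled in. It goes in at
# {1}, ahead of Debian's catch-all read rule, because slapd applies the first
# "to" clause whose target matches; appended after it, the rule would never fire.
access_ldif() {
    cat <<EOF
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.sub="ou=esctl,$1"
  by dn="cn=ESCTL Controller,ou=Special Users,$1" read
  by self write
  by * none
EOF
}

# controller_ldif BASE HASH: ou=Special Users plus the bind account. HASH is the
# {SSHA} string from slappasswd, so no cleartext password lands in the directory.
controller_ldif() {
    cat <<EOF
dn: ou=Special Users,$1
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Special Users

dn: cn=ESCTL Controller,ou=Special Users,$1
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: ESCTL Controller
description: ESCTL Controller
userPassword: $2
EOF
}

# acl_verdict WHO DN ATTR: ask slapacl, which evaluates the ACLs straight from
# slapd.d, whether WHO may read ATTR of DN. An empty WHO means anonymous.
acl_verdict() {
    if [ -n "$1" ]; then
        slapacl -F /etc/ldap/slapd.d -u -D "$1" -b "$2" "$3/read" 2>&1
    else
        slapacl -F /etc/ldap/slapd.d -u -b "$2" "$3/read" 2>&1
    fi | grep -oE 'ALLOWED|DENIED' | head -n 1
}

apply_and_verify() {
    hash=$(slappasswd)                      # prompts for the controller password
    controller_ldif "$BASE" "$hash" | ldapmodify -x -H ldapi:/// -D "cn=admin,$BASE" -W
    access_ldif "$BASE" | ldapmodify -Q -Y EXTERNAL -H ldapi:///

    token="et=PIN:1234,ou=tokens,ou=esctl,$BASE"      # sample entry from the page
    [ "$(acl_verdict "$CONTROLLER_DN" "$token" escuid)" = ALLOWED ] || exit 1
    [ "$(acl_verdict "" "$token" escuid)" = DENIED ] || exit 1

    # Live check: an anonymous search of the subtree must return no entries.
    if ldapsearch -x -LLL -H ldapi:/// -b "ou=esctl,$BASE" dn 2>/dev/null | grep -q '^dn:'; then
        echo "anonymous can still read ou=esctl" >&2; exit 1
    fi
    echo "ACL in place: controller ALLOWED, anonymous DENIED"
}

if [ "${1:-}" = run ]; then apply_and_verify; fi
```

The slapacl calls are the quick way to test a rule change before trusting it: they take the bind DN and target DN on the command line and report ALLOWED or DENIED per attribute, so you can probe the PIN token entry as the controller and as anonymous without writing any client code.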

Create indexes to optimise performance

  • vi olcDbIndex.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: et pres,eq
-
add: olcDbIndex
olcDbIndex: memberUid pres,sub,eq
  • ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif


MySQL

You need to have the MySQL database server installed.

The script below (log.mysql) will automatically create the 'esctl' database, and within this database will create the 'log' table that is required for the controller to log any accesses.

  • mysql -p < ~/esctl/controller/log.mysql

You must also create a MySQL user for the controller to use when adding new log entries. Grant it only insert and select on the log table, nothing wider, as below. On MySQL 8 and later GRANT no longer accepts IDENTIFIED BY, so there the account has to be created first with CREATE USER and then granted the same two privileges.

  • mysql -p
    • grant insert,select on esctl.log to esctl_log@localhost identified by '***********';

Local configuration

A sample configuration file is included - copy this in place and edit according to your local needs. At a minimum you will need to check the database and LDAP login details, and the LDAP Base DN. Because config.pm then holds the MySQL and LDAP credentials, make it readable only by root and the account that xinetd runs esctl-node.pl as.

  • cp config.pm.template config.pm
  • vi config.pm

System logging

esctl logs via the standard syslog mechanism, using the "local3" facility. You can redirect these log entries to a specific file as below - by default these are not saved anywhere on a Debian system.

  • vi /etc/rsyslog.d/esctl.conf
local3.*        /var/log/esctl
  • service rsyslog restart


xinetd

For the controller to operate, 'xinetd' is used. A sample configuration file is supplied - copy this into place and check that the path to esctl-node.pl is correct for your installation.

  • cp -p /root/esctl/controller/xinetd.d-esctl /etc/xinetd.d/esctl

Finally, restart xinetd to enable esctl!

  • service xinetd restart