Master Controller/Software
From ESCTL
< Master Controller(Difference between revisions)
(→Add read-only access to LDAP for esctl controller) |
(→MySQL) |
||
Line 151: | Line 151: | ||
=== MySQL === | === MySQL === | ||
− | + | You need to have the MySQL database server installed. | |
− | * mysql -p < log.mysql | + | |
+ | The script below (log.mysql) will automatically create the 'esctl' database, and within this database will create the 'log' table that is required for the controller to log any accesses. | ||
+ | * mysql -p < ~/esctl/controller/log.mysql | ||
+ | |||
+ | You must also create a MySQL user for the controller to use when adding new log entries. | ||
+ | * mysql -p | ||
** grant insert,select on esctl.log to esctl_log@localhost identified by '***********'; | ** grant insert,select on esctl.log to esctl_log@localhost identified by '***********'; | ||
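Review bot: the `grant insert,select on esctl.log to esctl_log@localhost identified by '...'` form on the last hunk line creates the account implicitly, which MySQL 5.7 deprecates and MySQL 8.0 no longer accepts; suggest documenting a separate `create user 'esctl_log'@'localhost' identified by '...';` before the grant so the step works on current servers. The scope of the grant itself (insert and select on the single `esctl.log` table) is the right least-privilege choice for a logging account and is worth keeping exactly as written.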
Revision as of 09:17, 21 November 2014
Download esctl software
- apt-get install subversion
- cd /root
- mkdir esctl
- svn co svn://giles.northenden.ninja.org.uk/esctl/server/trunk/ esctl/
Configure LDAP
- cd esctl/schema/
- cp -p 70esctl.ldif /etc/ldap/schema/
- vi /usr/share/slapd/slapd.conf
- include /etc/ldap/schema/70esctl.ldif
- [ dpkg-reconfigure --force slapd ]
- DNS domain name: customername.hosted.esctl.co.uk
- Organization name: customername
- Administrator password: ****
- Database backend to use: HDB
- Remove database when slapd is purged? Yes (??!!)
- Allow LDAPv2 protocol?: No
- /etc/init.d/slapd restart
Add esctl schema extension
- mkdir /root/schemaconv
- cd /root/schemaconv
- vi test.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /root/schemaconv/70esctl.schema
- ~/schemaconv# ls -l
total 16
-rw-r--r-- 1 root root 2497 Nov 20 19:01 70esctl.schema
-rw-r--r-- 1 root root  162 Nov 20 18:59 test.conf
- slaptest -f test.conf -F /root/schemaconv
- vi cn\=config/cn\=schema/cn\=\{3\}70esctl.ldif
- (Change {3}70esctl to {4}70esctl, or whichever number is next in your LDAP tree)
- Find out via ls /etc/ldap/slapd.d/cn\=config/cn\=schema/
- cp -p /root/schemaconv/cn=config/cn=schema/cn={3}70esctl.ldif /etc/ldap/slapd.d/cn\=config/cn\=schema/{4}70esctl.ldif
- chown openldap /etc/ldap/slapd.d/cn\=config/cn\=schema/{4}70esctl.ldif
- service slapd restart
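The "whichever number is next in your LDAP tree" step above is the one that is easiest to get wrong by hand. The script below is an added example, not part of the ESCTL wiki or software: it derives the next free {N} from the file names in the cn=schema directory (what the ls step shows) and rewrites the dn: and cn: lines of the LDIF that slaptest produced to use that index. The file is written with the same cn={N}name.ldif naming that the existing files in that directory use; the sample LDIF and directory listing in the block are constructed, and the real olcAttributeTypes/olcObjectClasses lines of 70esctl are not reproduced.

```python
# Added example, not part of the ESCTL wiki or software: automate the
# "whichever number is next in your LDAP tree" step. It derives the next
# free {N} from the file names in cn=schema/ and renumbers the LDIF that
# slaptest produced so its dn:/cn: lines carry that index.
import re
from pathlib import Path

# slapd.d keeps one file per schema entry, named cn={N}name.ldif
INDEX_RE = re.compile(r"^cn=\{(\d+)\}.+\.ldif$")
DN_RE = re.compile(r"^dn: cn=\{(\d+)\}(\S+)$", re.MULTILINE)


def next_schema_index(filenames):
    """Return max(N) + 1 over the cn={N}name.ldif names given (0 if none)."""
    used = [int(m.group(1)) for n in filenames if (m := INDEX_RE.match(n))]
    return max(used, default=-1) + 1


def next_schema_index_in(schema_dir="/etc/ldap/slapd.d/cn=config/cn=schema"):
    """Same computation, read from a live slapd.d tree (the 'ls' step)."""
    return next_schema_index(p.name for p in Path(schema_dir).iterdir())


def renumber_schema_ldif(ldif_text, new_index):
    """Rewrite 'dn: cn={old}name' and 'cn: {old}name' to use new_index.
    Returns (new_ldif_text, target_file_name)."""
    m = DN_RE.search(ldif_text)
    if m is None:
        raise ValueError("no 'dn: cn={N}name' line found in LDIF")
    name = m.group(2)
    old, new = "{%s}%s" % (m.group(1), name), "{%d}%s" % (new_index, name)
    out = []
    for line in ldif_text.splitlines():
        if line.startswith(("dn: ", "cn: ")):
            line = line.replace(old, new)
        out.append(line)
    return "\n".join(out) + "\n", "cn=%s.ldif" % new


# Constructed stand-in for slaptest's output; the olcAttributeTypes and
# olcObjectClasses lines of the real 70esctl schema are not reproduced here.
SAMPLE_SLAPTEST_LDIF = """\
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
dn: cn={3}70esctl
objectClass: olcSchemaConfig
cn: {3}70esctl
"""


def install_schema(converted_ldif_path,
                   schema_dir="/etc/ldap/slapd.d/cn=config/cn=schema"):
    """Copy slaptest's file into slapd.d under the next free index. The chown
    and the slapd restart from the page are still done by hand afterwards."""
    text = Path(converted_ldif_path).read_text()
    new_text, fname = renumber_schema_ldif(text, next_schema_index_in(schema_dir))
    target = Path(schema_dir) / fname
    target.write_text(new_text)
    return target


if __name__ == "__main__":
    # Dry run on the constructed sample; no files are touched here
    listing = ["cn={0}core.ldif", "cn={1}cosine.ldif", "cn={2}nis.ldif",
               "cn={3}inetorgperson.ldif"]
    idx = next_schema_index(listing)
    text, fname = renumber_schema_ldif(SAMPLE_SLAPTEST_LDIF, idx)
    print("next index:", idx, "->", fname)
    print(text)
```

Run as-is it only prints the dry run; `install_schema("/root/schemaconv/cn=config/cn=schema/cn={3}70esctl.ldif")` performs the copy. Because the file was edited after slaptest generated it, slapd reports a checksum mismatch for it in its log at startup, exactly as it does for the hand-edited file the page produces with vi; it still loads the schema.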
Add read-only access to LDAP for esctl controller
If you would like your esctl controller software to connect to your LDAP server via a read-only user, rather than using the LDAP admin user, you can use something like this:
- vi olc-esc-access.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
# the bind DN must be the controller entry created under ou=Special Users below
olcAccess: {1}to dn.sub="ou=esctl,dc=<<ROOTDN>>" by dn="cn=ESCTL Controller,ou=Special Users,dc=<<ROOTDN>>" read by self write by * none
- ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olc-esc-access.ldif
Sample LDAP schema content
version: 1

dn: ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: esctl

dn: ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: readers

dn: ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: tokens

dn: ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: 1
description: Door 1

dn: cn=Manager,ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escReader
cn: Manager
escDoor: 1
escgid: esctl Manager

dn: cn=Resident,ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escReader
cn: Resident
escDoor: 1
escgid: esctl Resident

dn: et=PIN:1234,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escToken
et: PIN:1234
escuid: jbloggs

dn: et=C0572A00,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escToken
et: C0572A00
escDateFrom: 20140128001003Z
escDateTo: 20380101000000Z
escuid: jbloggs
- Need to create:
- ou=Special Users
- ou=People
- ou=Groups
dn: cn=ESCTL Controller,ou=Special Users,dc=<<ROOTDN>>
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword:: ********
description: ESCTL Controller
cn: ESCTL Controller
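Before loading directory data like the sample above, or the access rule from the read-only-access section, it is worth checking three things that slapd or the controller will otherwise trip over later: every entry's RDN value must also appear as an attribute of that entry (slapd refuses the add otherwise), a token's escDateFrom/escDateTo window should contain the time you expect it to work, and the bind DN named in the olcAccess rule must be an entry that actually exists. The checker below is an added example, not part of the ESCTL wiki or software; its LDIF sample, the placeholder password and the two access-rule variants are constructed for the example, and the parser handles only the plain LDIF features the sample uses.

```python
# Added example, not part of the ESCTL wiki or software: a small checker for
# ESCTL directory data and for the read-only access rule. All sample data
# below is constructed for this example.
import re
from datetime import datetime, timezone

ROOTDN = "dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk"  # as in the sample


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute: [values]} dicts, 'dn' included.
    Blank lines separate entries, '#' lines are skipped, folded lines (leading
    space) are joined, a '::' base64 value is kept as the raw base64 text."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(("#", "version:")):
            continue
        elif line.startswith(" ") and last is not None:
            cur[last][-1] += line[1:]
        else:
            attr, _, val = line.partition(":")
            attr, val = attr.strip(), val.lstrip(":").strip()
            cur.setdefault(attr, []).append(val)
            last = attr
    if cur:
        entries.append(cur)
    return entries


def norm_dn(dn):
    """Compare DNs case-insensitively and ignoring space after commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def rdn_matches_entry(entry):
    """'et=C0572A00,ou=tokens,...' needs an 'et: C0572A00' value in the entry."""
    attr, _, value = entry["dn"][0].split(",", 1)[0].partition("=")
    values = [v.lower() for v in entry.get(attr.strip(), [])]
    return value.strip().lower() in values


def naming_violations(entries):
    return [e["dn"][0] for e in entries if not rdn_matches_entry(e)]


def entry_by_rdn(entries, rdn):
    for e in entries:
        if norm_dn(e["dn"][0]).startswith(norm_dn(rdn) + ","):
            return e
    return None


def parse_gtime(s):
    """GeneralizedTime as used by escDateFrom/escDateTo: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def token_valid_at(entry, when):
    """True if 'when' (datetime or GeneralizedTime string) lies inside the
    token's window; a missing bound is treated as open-ended."""
    if isinstance(when, str):
        when = parse_gtime(when)
    start = entry.get("escDateFrom", [None])[0]
    end = entry.get("escDateTo", [None])[0]
    return (start is None or parse_gtime(start) <= when) and \
           (end is None or when <= parse_gtime(end))


def acl_bind_dn_exists(olc_access, entries):
    """Does the DN in the rule's 'by dn="..."' clause name an entry we have?"""
    m = re.search(r'by dn="([^"]+)"', olc_access)
    known = {norm_dn(e["dn"][0]) for e in entries}
    return m is not None and norm_dn(m.group(1)) in known


SAMPLE = f"""\
dn: ou=Special Users,{ROOTDN}
objectClass: organizationalUnit
ou: Special Users

dn: cn=ESCTL Controller,ou=Special Users,{ROOTDN}
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: placeholder-not-a-real-password
cn: ESCTL Controller

dn: et=PIN:1234,ou=tokens,ou=esctl,{ROOTDN}
objectClass: escToken
et: PIN:1234
escuid: jbloggs

dn: et=C0572A00,ou=tokens,ou=esctl,{ROOTDN}
objectClass: escToken
et: C0572A00
escDateFrom: 20140128001003Z
escDateTo: 20380101000000Z
escuid: jbloggs

# deliberately broken entry: the RDN value and the et attribute differ
dn: et=DEADBEEF,ou=tokens,ou=esctl,{ROOTDN}
objectClass: escToken
et: CAFEF00D
escuid: jbloggs
"""

# Two variants of the access rule: bind DN without and with the
# ou=Special Users component under which the controller entry lives.
ACL_WITHOUT_OU = f'{{1}}to dn.sub="ou=esctl,{ROOTDN}" by dn="cn=ESCTL Controller,{ROOTDN}" read by self write by * none'
ACL_WITH_OU = f'{{1}}to dn.sub="ou=esctl,{ROOTDN}" by dn="cn=ESCTL Controller,ou=Special Users,{ROOTDN}" read by self write by * none'

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE)
    print("naming violations:", naming_violations(entries))
    print("card valid mid-2015:",
          token_valid_at(entry_by_rdn(entries, "et=C0572A00"), "20150601120000Z"))
    print("bind DN exists:", acl_bind_dn_exists(ACL_WITHOUT_OU, entries),
          acl_bind_dn_exists(ACL_WITH_OU, entries))
```

Point `parse_ldif` at your own export (for example the output of `slapcat`) and run the same three checks before a reader goes live; a token that fails `token_valid_at` for the current time is the first thing to look at when a card that "should work" is refused at the door.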
Create indexes to optimise performance
- vi olcDbIndex.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: et pres,eq
-
add: olcDbIndex
olcDbIndex: memberUid pres,sub,eq
- ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif
MySQL
You need to have the MySQL database server installed.
The script below (log.mysql) will automatically create the 'esctl' database, and within this database will create the 'log' table that is required for the controller to log any accesses.
- mysql -p < ~/esctl/controller/log.mysql
You must also create a MySQL user for the controller to use when adding new log entries.
- mysql -p
- grant insert,select on esctl.log to esctl_log@localhost identified by '***********';
xinetd
- cd /root/esctl/controller
- cp -p xinetd.d-esctl /etc/xinetd.d/esctl
- service xinetd restart
Final configuration
- cp config.pm.template config.pm
- vi config.pm
- vi /etc/rsyslog.d/esctl.conf
local3.* /var/log/esctl
- service rsyslog restart