Master Controller/Software
(→Configure LDAP) |
|||
| Line 27: | Line 27: | ||
* /etc/init.d/slapd restart | * /etc/init.d/slapd restart | ||
| − | === Add esctl schema extension === | + | ===== Add esctl schema extension ===== |
* mkdir /root/schemaconv | * mkdir /root/schemaconv | ||
Revision as of 23:45, 22 November 2014
Contents |
Download esctl software
- apt-get install subversion
- cd /root
- mkdir esctl
- svn co svn://giles.northenden.ninja.org.uk/esctl/server/trunk/ esctl/
Configure LDAP
If you are using [Netscape/Fedora/CentOS/389] Directory Server
- cd esctl/schema/
- cp -p 70esctl.ldif /etc/ldap/schema/
- vi /usr/share/slapd/slapd.conf
- include /etc/ldap/schema/70esctl.ldif
If you are using Debian
- [ dpkg-reconfigure --force slapd ]
- DNS domain name: customername.hosted.esctl.co.uk
- Organization name: customername
- Administrator password: ****
- Database backend to use: HDB
- Remove database when slapd is purged? Yes (??!!)
- Allow LDAPv2 protocol?: No
- /etc/init.d/slapd restart
Add esctl schema extension
- mkdir /root/schemaconv
- cd /root/schemaconv
- vi test.conf
include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /root/schemaconv/70esctl.schema
ls -l
- ~/schemaconv# ls -l
total 16 -rw-r--r-- 1 root root 2497 Nov 20 19:01 70esctl.schema -rw-r--r-- 1 root root 162 Nov 20 18:59 test.conf
- slaptest -f test.conf -F /root/schemaconv
- vi cn\=config/cn\=schema/cn\=\{3\}70esctl.ldif
- (Change {3}70esctl to {4}70esctl or whichever number is next in your LDAP tree
- Find out via ls /etc/ldap/slapd.d/cn\=config/cn\=schema/
- cp -p /root/schemaconv/cn=config/cn=schema/cn={3}70esctl.ldif /etc/ldap/slapd.d/cn\=config/cn\=schema/{4}70esctl.ldif
- chown openldap /etc/ldap/slapd.d/cn\=config/cn\=schema/{4}70esctl.ldif
- service slapd restart
Add read-only access to LDAP for esctl controller
If you would like your esctl controller software to connect to your LDAP server via a read-only user, rather than using the LDAP admin user, you can use something like this:
- vi olc-esc-access.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.sub="ou=esctl,dc=<<ROOTDN>>"
by dn="cn=ESCTL Controller,dc=<<ROOTDN>>" read
by self write
by * none
- ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccess.ldif
Sample LDAP schema content
version: 1 dn: ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk objectClass: top objectClass: organizationalUnit ou: esctl dn: ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk objectClass: top objectClass: organizationalUnit ou: readers dn: ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk objectClass: top objectClass: organizationalUnit ou: tokens dn: ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk objectClass: top objectClass: organizationalUnit ou: 1 description: Door 1 dn: cn=Manager,ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk objectClass: escReader cn: Manager escDoor: 1 escgid: esctl Manager dn: cn=Resident,ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk objectClass: escReader cn: Resident escDoor: 1 escgid: esctl Resident dn: et=PIN:1234,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk objectClass: escToken et: PIN:1234 escuid: jbloggs dn: et=C0572A00,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk objectClass: escToken et: C15A2D03 escDateFrom: 20140128001003Z escDateTo: 20380101000000Z escuid: jbloggs
- Need to create:
- ou=Special Users
- ou=People
- ou=Groups
dn: cn=ESCTL Controller,ou=Special Users,dc=<<ROOTDN>> changetype: add objectClass: simpleSecurityObject objectClass: organizationalRole userPassword:: ******** description: ESCTL Controller cn: ESCTL Controller
Create indexes to optimise performance
- vi olcDbIndex.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: et pres,eq
-
add: olcDbIndex
olcDbIndex: memberUid pres,sub,eq
- ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif
MySQL
You need to have the MySQL database server installed.
The script below (log.mysql) will automatically create the 'esctl' database, and within this database will create the 'log' table that is required for the controller to log any accesses.
- mysql -p < ~/esctl/controller/log.mysql
You must also create a MySQL user for the controller to use when adding new log entries.
- mysql -p
- grant insert,select on esctl.log to esctl_log@localhost identified by '***********';
Local configuration
A sample configuration file is included - copy this in place and edit according to your local needs. At a minimum you will need to check the database and LDAP login details, and the LDAP Base DN.
- cp config.pm.template config.pm
- vi config.pm
System logging
esctl logs via the standard syslog mechanism, using the "local3" facility. You can redirect these log entries to a specific file as below - by default these are not saved anywhere on a Debian system.
- vi /etc/rsyslog.d/esctl.conf
local3.* /var/log/esctl
- service rsyslog restart
xinetd
For the controller to operate, 'xinetd' is used. A sample configuration file is supplied - copy this into place and check that the path to esctl-node.pl is correct for your installation.
- cp -p /root/esctl/controller/xinetd.d-esctl /etc/xinetd.d/esctl
Finally, restart xinetd to enable esctl!
- service xinetd restart
