Master Controller/Software
Download esctl software
- apt-get install subversion
- cd /root
- mkdir esctl
- svn co svn://giles.northenden.ninja.org.uk/esctl/server/trunk/ esctl/
Configure LDAP
If you are using [Netscape/Fedora/CentOS/389] Directory Server
- cd esctl/schema/
- cp -p 70esctl.ldif /etc/ldap/schema/
- vi /usr/share/slapd/slapd.conf
- include /etc/ldap/schema/70esctl.ldif
If you are using Debian
- apt-get install slapd ldap-utils
The package installer asks only for the root password and nothing else, so reconfigure the LDAP server to supply the remaining settings as follows:
- dpkg-reconfigure --force slapd
- DNS domain name: customername.hosted.esctl.co.uk
- Organization name: customername
- Administrator password: ****
- Database backend to use: HDB
- Remove database when slapd is purged? Yes (??!!)
- Allow LDAPv2 protocol?: No
- /etc/init.d/slapd restart
Add esctl schema extension
- mkdir /root/schemaconv
- cd /root/schemaconv
- touch empty
Now create a config file that slaptest will use to generate the LDIF from the supplied .schema file. The four dummy includes ahead of the real schema ensure that the output LDIF gets the {4} prefix, so it is loaded fifth by the LDAP server (after the schemas it depends on). Check the /etc/ldap/slapd.d/cn\=config/cn\=schema/ directory first to confirm that {4} is the next free index on your system.
- vi convert.conf
include /root/schemaconv/empty
include /root/schemaconv/empty
include /root/schemaconv/empty
include /root/schemaconv/empty
include /root/schemaconv/70esctl.schema
Your directory should look something like this:
~/schemaconv# ls -l
total 16
-rw-r--r-- 1 root root 2497 Nov 20 19:01 70esctl.schema
-rw-r--r-- 1 root root  162 Nov 20 18:59 convert.conf
Next, create the LDIF file using the slaptest utility:
- slaptest -f convert.conf -F /root/schemaconv
config file testing succeeded
Move the file into place and restart the LDAP server:
- cp -p /root/schemaconv/cn=config/cn=schema/cn={4}70esctl.ldif /etc/ldap/slapd.d/cn\=config/cn\=schema/
- chown openldap /etc/ldap/slapd.d/cn\=config/cn\=schema/cn\={4}70esctl.ldif
- service slapd restart
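The steps above hard-code the {4} index. The script below is an added example (not part of the esctl project) that generalises them: it counts the cn={N}*.ldif files already present in the live cn=schema directory to pick the next free index, writes a convert.conf with that many dummy includes ahead of 70esctl.schema, runs slaptest, checks that the expected file was produced, and installs it with the right owner. The paths are the ones used on this page and are assumptions for your installation.

```shell
#!/bin/sh
# Added example, not part of the esctl project: automates the schema
# conversion procedure and derives the {N} index instead of assuming {4}.
set -eu

# Next free schema index = number of cn={N}*.ldif files already present.
# A missing directory yields 0.
next_schema_index() {
    dir="$1"
    n=0
    for f in "$dir"/'cn={'*'}'*.ldif; do
        [ -e "$f" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Print a convert.conf: $1 "include <workdir>/empty" lines, then the real
# schema. slaptest numbers schemas in include order, so the real one gets {$1}.
make_convert_conf() {
    count="$1"
    schema="$2"
    workdir="$3"
    i=0
    while [ "$i" -lt "$count" ]; do
        echo "include $workdir/empty"
        i=$((i + 1))
    done
    echo "include $schema"
}

# Run the whole procedure. Needs slaptest (from slapd) and root.
convert_and_install() {
    workdir="$1"   # e.g. /root/schemaconv
    schema="$2"    # e.g. /root/schemaconv/70esctl.schema
    live="$3"      # e.g. /etc/ldap/slapd.d/cn=config/cn=schema

    mkdir -p "$workdir"
    touch "$workdir/empty"
    idx=$(next_schema_index "$live")
    make_convert_conf "$idx" "$schema" "$workdir" > "$workdir/convert.conf"

    slaptest -f "$workdir/convert.conf" -F "$workdir"

    # slaptest writes cn=config/cn=schema/cn={N}<name>.ldif under the -F dir.
    name="cn={$idx}$(basename "$schema" .schema).ldif"
    generated="$workdir/cn=config/cn=schema/$name"
    if [ ! -f "$generated" ]; then
        echo "expected $generated was not produced; check $workdir/convert.conf" >&2
        return 1
    fi

    cp -p "$generated" "$live/$name"
    chown openldap "$live/$name"
    service slapd restart
    echo "installed $live/$name"
}

# Usage: sh convert-schema.sh --install   (as root, on the LDAP server)
if [ "${1:-}" = "--install" ]; then
    convert_and_install /root/schemaconv /root/schemaconv/70esctl.schema \
        '/etc/ldap/slapd.d/cn=config/cn=schema'
fi
```

After the restart, confirm the schema actually loaded with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn`; the new `cn={N}70esctl,cn=schema,cn=config` entry should be listed.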
Active Directory notes
- There is an installer for schema extensions; this is in the form of a .cmd file that must be run from the same directory as the accompanying LDIFs.
Note that there is a bug in earlier versions of Samba 4, if you are using this as an Active Directory controller. Time/date entries are not processed correctly, so if you use Active Directory Users and Computers or ADSI Edit to populate a time/date based attribute e.g. escDateFrom, you may get an error such as "Operation failed. Error code: 0x200b The attribute syntax specified to the directory service is invalid. 000200B: objectclass_attrs: attribute 'escDateFrom' on entry 'ET=xxx,OU=xxx,DC=xxx' contains at least one invalid value!"
- Create the esctl tree in Active Directory first, using Active Directory Users and Computers. (Create Organisational Unit for ‘esctl’, then OUs for ‘readers’ and ‘tokens’)
- Remove the default ‘authenticated users’ permissions on this tree, and replace with a specific user, which should be read-only for esctl, at the top of this tree. Modify the permission for this user in Advanced so that it applies to ‘This object and all descendant objects’
- User could for example be cn=esctl,cn=Users,dc=mydomain,dc=co,dc=uk
- To easily display the escuid, escgid and other information in Active Directory Users and Computers, assuming US-English locale (409), follow the guide here and add the following to extraColumns of CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers of the Configuration naming context.
escuid,esctl UID,0,-1,0
escgid,esctl GID,0,-1,0
escDays,Days,0,65,0
escTimeFrom,Time From,0,-1,0
escTimeTo,Time To,0,-1,0
escDateFrom,Date From,0,-1,0
escDateTo,Date To,0,-1,0
escDoor,Door,0,-1,0
Also see Display Specifier docs here
Add read-only access to LDAP for esctl controller
If you would like your esctl controller software to connect to your LDAP server via a read-only user, rather than using the LDAP admin user, you can use something like the sample olc-esc-access.ldif file supplied, to tell OpenLDAP to allow the "ESCTL Controller" user (defined elsewhere) to access the esctl data in LDAP:
- cd ~/esctl/schema
- cp olc-esc-access.ldif.template olc-esc-access.ldif
- vi olc-esc-access.ldif (Ensure the root DN is correct, i.e. perhaps replace CUSTOMERNAME with your customer name)
Then apply the LDIF:
- ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olc-esc-access.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
Create indexes to optimise performance
- cd ~/esctl/schema/
- ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olc-db-index.ldif
In a fresh OpenLDAP installation you will need to create the following standard LDAP groups, users etc:
- ou=Special Users
- ou=People
- ou=Groups
dn: cn=ESCTL Controller,ou=Special Users,dc=<<ROOTDN>>
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword:: ********
description: ESCTL Controller
cn: ESCTL Controller
Sample LDAP schema content
version: 1

dn: ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: esctl

dn: ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: readers

dn: ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: tokens

dn: ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: 1
description: Door 1

dn: cn=Manager,ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escReader
cn: Manager
escDoor: 1
escgid: esctl Manager

dn: cn=Resident,ou=1,ou=readers,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escReader
cn: Resident
escDoor: 1
escgid: esctl Resident

dn: et=PIN:1234,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escToken
et: PIN:1234
escuid: jbloggs

dn: et=C0572A00,ou=tokens,ou=esctl,dc=customername,dc=hosted,dc=esctl,dc=co,dc=uk
objectClass: escToken
et: C15A2D03
escDateFrom: 20140128001003Z
escDateTo: 20380101000000Z
escuid: jbloggs
MySQL
You need to have the MySQL database server installed.
The script below (log.mysql) will automatically create the 'esctl' database, and within this database will create the 'log' table that is required for the controller to log any accesses.
- mysql -p < ~/esctl/controller/log.mysql
You must also create a MySQL user for the controller to use when adding new log entries.
- mysql -p
- grant insert,select on esctl.log to esctl_log@localhost identified by '***********';
Local configuration
A sample configuration file is included: copy it into place and edit it according to your local needs. At a minimum you will need to check the database and LDAP login details, and the LDAP Base DN.
- cp config.pm.template config.pm
- vi config.pm
System logging
esctl logs via the standard syslog mechanism, using the "local3" facility. You can redirect these log entries to a specific file as below - by default these are not saved anywhere on a Debian system.
- vi /etc/rsyslog.d/esctl.conf
local3.* /var/log/esctl
- service rsyslog restart
xinetd
For the controller to operate, 'xinetd' is used. A sample configuration file is supplied - copy this into place and check that the path to esctl-node.pl is correct for your installation.
- cp -p /root/esctl/controller/xinetd.d-esctl /etc/xinetd.d/esctl
Finally, restart xinetd to enable esctl!
- service xinetd restart
Web lastlog
Optionally, you can configure a web server to serve out information on who most recently accessed doors via esctl. Make sure you secure this appropriately, via firewall and/or htaccess & password controls.
On the Raspberry Pi platform I usually use mini-httpd:
- apt-get install mini-httpd
- vi /etc/default/mini-httpd (Set START=1)
- vi /etc/mini-httpd.conf (Comment out host=localhost)
Copy the 'lastlog' web application into place, and ensure it is able to read its configuration (can be shared with esctl controller):
- mkdir /usr/share/mini-httpd/html/cgi-bin
- cp -p /root/esctl/httpd/lastlog/lastlog /usr/share/mini-httpd/html/cgi-bin/
- cp -p /root/esctl/controller/config.pm /usr/share/mini-httpd/html/cgi-bin/
Edit the copied config.pm so that it contains only the $DB_* settings and the trailing 1;
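The reason for trimming the copy is that the controller's config.pm also holds the LDAP login details, which the lastlog CGI does not need and which should not sit in a web-served directory. The script below is an added example (not part of the esctl project) that produces the reduced file mechanically, refuses to install it if anything other than $DB_* settings survived, and copies it in with read access limited to the web server's group. It assumes each $DB_* setting is a single-line assignment; the paths are the ones used on this page and the group name is whatever your mini-httpd runs as.

```shell
#!/bin/sh
# Added example, not part of the esctl project: build the lastlog copy of
# config.pm with only the $DB_* settings, check it, and install it.
set -eu

# Write the filtered module to stdout. Keeps lines of the form
# "$DB_NAME = ...;" (optionally prefixed by our/my) and appends the final "1;".
make_web_config() {
    src="$1"
    grep -E '^[[:space:]]*(our[[:space:]]+|my[[:space:]]+)?\$DB_[A-Za-z0-9_]+[[:space:]]*=' "$src" || :
    echo '1;'
}

# Guard: returns non-zero if the file still mentions LDAP or contains any
# line that is not a $DB_* assignment or the closing "1;".
check_web_config() {
    f="$1"
    if grep -iq ldap "$f"; then
        echo "refusing: $f still contains LDAP settings" >&2
        return 1
    fi
    if grep -Ev '^[[:space:]]*(our[[:space:]]+|my[[:space:]]+)?\$DB_|^1;$' "$f" | grep -q .; then
        echo "refusing: $f contains lines other than \$DB_* settings" >&2
        return 1
    fi
}

# Produce, check and install. $3 is the group the web server runs as
# (mini-httpd's default user is "nobody"; see user= in /etc/mini-httpd.conf).
install_web_config() {
    src="$1"    # e.g. /root/esctl/controller/config.pm
    dest="$2"   # e.g. /usr/share/mini-httpd/html/cgi-bin/config.pm
    grp="$3"
    tmp=$(mktemp)
    make_web_config "$src" > "$tmp"
    check_web_config "$tmp"
    # 0640 root:<group>: the CGI can read it, other local users cannot.
    install -m 0640 -o root -g "$grp" "$tmp" "$dest"
    rm -f "$tmp"
    echo "installed $dest"
}

# Usage: sh web-config.sh --install <group>
if [ "${1:-}" = "--install" ]; then
    install_web_config /root/esctl/controller/config.pm \
        /usr/share/mini-httpd/html/cgi-bin/config.pm "${2:-nobody}"
fi
```

If your config.pm declares a `package` or uses multi-line values, extend the pattern in make_web_config accordingly; the check function will refuse the result rather than silently install a broken or over-complete file.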