Table of Contents
OMF Login Aggregate Manager
Login aggregate manager (AM) is an OMF service that is used to manage testbed users and groups, schedule access to resources and provide support for resource access control. It is distributed as a Debian package targeted for Ubuntu 10.10 (but it might work with other distributions as well).
Prerequisites
DHCP and DHS server
apt-get install dhcp3-server
Apache WEB server
apt-get install apache2
LDAP server
Decide on the organizational structure for ldap:
orbit-lab.org ⇒ dc=orbit-lab,dc=org
Install the server and utilities:
apt-get install slapd ldap-utils phpldapadmin
Modify the /etc/default/slapd file and edit the SLAPD_CONF and SLAPD_PIDFILE values to
SLAPD_CONF="/etc/ldap/slapd.conf" SLAPD_PIDFILE="/var/run/slapd/slapd.pid"
This is our slapd.conf file, please change it according to your organization
allow bind_v2 include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/ldapns.schema include /etc/ldap/schema/openssh-lpk_openldap.schema loglevel 256 modulepath /usr/lib/ldap moduleload back_bdb backend bdb database bdb index objectclass,entryCSN,entryUUID eq suffix "dc=orbit-lab,dc=org" rootdn "dc=orbit-lab,dc=org" directory "/var/lib/ldap" access to dn.base="" by * read access to * by dn.regex="cn=admin,dc=orbit,dc=lab,dc=org" write by * read access to attrs=userPassword by dn.regex="cn=admin,dc=orbit-lab,dc=org" write by anonymous auth by self write by * none
You can download openssh-lpk_openldap.schema from http://code.google.com/p/openssh-lpk/downloads/detail?name=openssh-lpk_openldap.schema
Set sizelimit to 10000 by editing slapd.conf file
sizelimit 10000
Start the service:
/etc/init.d/slapd start
Note: I ran into issues with the start/stop script not creating the .pid file. Without the pid file, the start/stop script fail to start/stop the daemon. This can be resolved by editing the /etc/init.d/slapd file and search for the function start_slapd(). Add this to the last line of that function before it exits:
pidof /usr/sbin/slapd > "$SLAPD_PIDFILE"
Make sure it is running by checking that ldap server is listening on both ports:
netstat -an | grep 389 netstat -an | grep 636
Stop the service:
/etc/init.d/slapd stop
Import initial content (first group and account that will be used as administrators for the login service): This is a brief reasoning behind the entries in the ldif file. Please change the file as per your organizational needs.
Each organizational unit(ou) has a PI who is the admin for the OU and a group which has all the accounts for the OU. So that is why your first organization and first acount have to conform to such a structure.
OU admin can only manage accounts for that organization.
Any person that is a member of sysadmin group in LDAP and admin group in login.yaml will be able to use ControlPanel of the ogs_login service to manage ALL accounts
cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/ slapadd -l init.ldif -f /etc/ldap/slapd.conf chown openldap:openldap /var/lib/ldap/*
Start the service:
/etc/init.d/slapd start
make sure you can access the service with admin credentials:
ldapsearch -x -b "dc=orbit-lab,dc=org" "objectClass=organizationalRole" ldapsearch -x -b "dc=orbit-lab,dc=org" "objectClass=organizationalUnit" ldapsearch -x -b "dc=orbit-lab,dc=org" "objectclass=organizationalUnit" ldapsearch -x -b "dc=orbit-lab,dc=org" "objectClass=posixGroup" ldapsearch -x localhost -D "cn=admin,dc=orbit-=lab,dc=org" -W -b "dc=orbit-lab,dc=org" uid=*
Login service
server_name – how you access your server externally
host - internal server name
port - by default is 5052
Example: Orbit parameters:
<server_name> ⇒ www.orbit-lab.org
<host> ⇒ internal1.orbit-lab.org
<port> ⇒ 5052 These parameters are used in login.yam and to configure apache.
login.yaml
registration:
baseURL: 'http://<server_name>/userManagement'
publicURL: 'http://<server_name>/status'
Apache configuration
The assumption is that user facing services are supported with Apache WEB server (and possibly on a separate machine). In order to make login AM pages available on the outside, Apache proxy service will be used. In order to use proxy you will have to install apache's proxy package and enable it.
apt-get install libapache2-mod-proxy-html a2enmod proxy a2enmod proxy_http
Also, the assumption is that the access to all pages requiring user credentials is protected with ssl so we need to enable the ssl module. For detailed instruction how to set up SSL visit Setting SSL
a2enmod ssl
We need to configure all the proxy URLs in the open (i.e. in /etc/apache2/sites-available/default)
In the following we are assuming that <host> is the internal hostname or IP address of the machine running the login AM, and <port> is the IP port on which the service is running (default is 5052 for OMF 5.2 services). For example, forn internal IP 172.16.250.7 and port 5025 the <host>:<port> would be: 172.16.250.7:5052.
ServerName <server_name>
...
ProxyPass /status "http://<host>:<port>/public_html/"
<Location /status>
Order allow,deny
Allow from all
</Location>
ProxyPass /userManagement "http://<host>:<port>/login/userManagement"
<Location /userManagement>
Order allow,deny
Allow from all
</Location>
...
Note: If you change baseURL and publicURL in login.yaml it is necessary to change corresponding values in apache default file.
For SSL services (in /etc/apache2/sites-available/default-ssl) we need:
...
ProxyPass /schedule/ "http://<host>:<port>/login/ShowScheduler"
<Location /schedule>
Order allow,deny
Allow from all
</Location>
ProxyPass /loginService/ http://<host>:<port>/login/
<Location /loginService>
AllowOverride None
order allow,deny
allow from all
</Location>
<Proxy http://<host>:<port>/login/*>
AllowOverride None
order allow,deny
allow from all
</Proxy>
...
Scheduler Database
Please create a user in mysql that will own the scheduler database, we create user called 'omf' with password 'omf'.
use mysql;
create user 'omf'@'localhost';
grant all on *.* to 'omf'@'localhost';
set password for 'omf'@'localhost'=password('omf');
To create database newScheduler and populate it please do the following using the login.sql script file which is attached to this page.
mysql -u omf -pomf create database newScheduler; exit #mysql -u omf -pomf newScheduler < login.sql
Resources table need to be fill out with data manually.
For example:
#> mysql -p -u omf
Enter password:
mysql> use newScheduler;
mysql> INSERT into resources (machid,name,location,rphone,notes,minRes,maxRes,permission) VALUES ('sc1431b400c5f130', 'grid', 'Orbit Facility', '(732) 932-6857', 'Main 400 node grid',30,120,'console.grid.orbit-lab.org');
mysql> select * from resources;
+------------------+------+----------------+----------------+--------------------+--------+--------+--------+------------+----------+-------------+----------------------------+
| machid | name | location | rphone | notes | status | minRes | maxRes | autoAssign | approval | allow_multi | permission |
+------------------+------+----------------+----------------+--------------------+--------+--------+--------+------------+----------+-------------+----------------------------+
| sc1431b400c5f130 | grid | Orbit Facility | (732) 932-6857 | Main 400 node grid | a | 30 | 120 | NULL | NULL | NULL | console.grid.orbit-lab.org |
+------------------+------+----------------+----------------+--------------------+--------+--------+--------+------------+----------+-------------+----------------------------+
1 row in set (0.00 sec)
mysql> quit
Bye
#>
Here:
- machid – unique resource identifier
- name – resource name
- rphone – phone number
- notes – resource description
- minRes – minimal reservation length in minutes
- maxRes – maximal reservation length in minutes
How to access login service
- Scheduler:
https://<server_name>/schedule/ This is how scheduler is mapped in default-ssl. This is not obligatory, so it is possible to change this link. But, it is necessary to keep “/loginService” link name
- ControlPanel – for administrators; to View, Approve and Delete reservation, to Administrate Users and Groups etc.
https://<server_name>/loginService/ControlPanel
- User Registration
http://<server_name>/userManagement/register ( userManagement same as one in login.yaml and apache default)
- Group/Organization Registration
http://<server_name>/userManagement/orgReg ( userManagement same as one in login.yaml and apache default)
Note: There is file /usr/share/omf-aggmgr-5.2/omf-aggmgr/public_html/template/ogs_login/orbit_banner.png, used for user management pages. Replace content of that file to show your logo.
Login service and LDAP
- In LDAP there is a host attribute that is used by pam to check if user is allowed to access the machine.
- If that attribute has * in it then user is always allowed access.
- If that attribute is matching the FQDN user is also allowed access.
- Otherwise the auth contains line saying that host attribute didn't match
- For all of this to work it is necessary that host attribute in ldap.conf is enabled (i.e. uncommented).
- Login service(scheduler) operates on LDAP host attribute and changes it according to the time and schedule for users that don't have * in their host attribute.
Attachments (4)
-
jack.ldif
(586 bytes
) - added by 13 years ago.
SampleUserEntry
-
init.ldif
(2.2 KB
) - added by 13 years ago.
Initial Ldap Startup Config
-
omf-aggmgr-5.2_ubuntu6_all.deb
(3.9 MB
) - added by 13 years ago.
Upgraded ogs_login service for omf-5.2
- login.sql (6.1 KB ) - added by 13 years ago.
