
Setting up LDAP

Introduction

Zibawa uses OpenLDAP to manage user and device authorization and access to all applications (Zibawa itself, rabbitMQ and Grafana dashboards).

A new user creates their ID via the Zibawa application. Zibawa stores these credentials internally, and also on LDAP.

Users may also be created directly in LDAP by other applications (such as phpLdapAdmin), so long as the group structure is respected.

All Zibawa applications validate logins based on the uid (username) parameter in LDAP.

Zibawa applications then provide permissions according to the user groups stored in LDAP.

Installing OpenLDAP

There is a good tutorial that explains how to install OpenLDAP and PHPLdapAdmin.

You will also need to configure NGINX to serve PHPLDAPAdmin. It is important to force an SSL (HTTPS) connection to PHPLDAPAdmin so that all passwords are encrypted in transit.

If LDAP is not on the same server as the other applications, you will also need to configure StartTLS on the LDAP server so that credentials are not sent over the network in clear text.

Configure StartTLS on the LDAP server

cd ~
nano addcerts.ldif

The contents of addcerts.ldif should be as follows; edit the paths to point to your certificates:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key

Then apply the change over the local ldapi:// socket and reload slapd:

sudo ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
sudo service slapd force-reload

Note that slapd must be able to read the private key file. On Debian/Ubuntu it runs as the openldap user, and Let's Encrypt private keys are readable only by root by default, so adjust file permissions (or copy the key) accordingly.

For example, with Let's Encrypt certificates the file would be:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/zibawa.com/chain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/zibawa.com/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/zibawa.com/privkey.pem

Stopping and Starting

sudo systemctl start slapd.service
sudo systemctl status slapd.service

LDAP setup for Zibawa

Using PhpLDAPAdmin you will need to set up the following elements:

Create Organizational Units

users: this will hold all of the users and devices
groups: this will hold the groups we create below

To create an Organizational Unit you need to click:

Create new entry here > Organizational Groups > Create Object > Commit

Create Groups

GID | Group Name | Definition
500 | superuser | defines a user with access to all applications, including the rabbitMQ management dashboard
501 | editor | defines a user with edit access to the Zibawa management panel and Grafana dashboards
502 | active | allows users to be deactivated without deleting them completely
503 | device | user group which can send and read messages on its own topic

It is essential to respect the names and GIDs of the LDAP groups as defined above. The GID (group ID) of superuser must be used in the rabbitMQ.config file.

From within the "groups" organizational unit, click:

Create a child entry > Posix Group > enter name of group > Create Object > Commit

Create Super User

Create a system super user via PhpLDAPAdmin.

Click on ou=users in the tree on the left, then: Create a child entry > Generic User Account > (enter details as shown below) > Create Object > Commit

cn: zadmin
gidNumber: 500
givenName: zibawa
homeDirectory: /home/users/zadmin
sn: admin
uidNumber: 1000
userName (uid): zadmin

Configure The Other Apps to Use LDAP

Add Super User to Groups

The super user created should be added to the groups superuser, active and staff using the following:

Click on the group > Add attribute > select memberUid > enter the userName (i.e. zadmin) > Update Object

It is recommended to create all remaining users via the Zibawa interface.

Super Users

Super users are able to access and edit all of the Zibawa system, the rabbitmq administrator panel and all dashboards.

Super users must be members of the groups active, editor and superuser. (It is important to include "editor" as well as "superuser".)

Application Users

Create IDs and passwords via the Zibawa application. They will have permissions according to the groups they are assigned to, typically "public", which is the basic non-edit user group.

Application users are able to publish or subscribe to messages on */userName/*/*

Application users are members of the groups:

active, editor
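Checking an account against the membership rules in the Super Users and Application Users sections, and the deactivation role of the active group, as an added example that is not part of the Zibawa wiki or the project's code: it parses posixGroup entries in the shape ldapsearch prints them, verifies the GIDs match the table above, and classifies a uid. The base DN dc=example,dc=com and every uid except zadmin are constructed for the sample.

```python
# Added example, not from the Zibawa wiki: classify an account by the LDAP groups it
# belongs to, using the group names, GIDs and rules on this page. The LDIF is constructed.
SAMPLE_LDIF = """\
dn: cn=superuser,ou=groups,dc=example,dc=com
cn: superuser
gidNumber: 500
memberUid: zadmin

dn: cn=editor,ou=groups,dc=example,dc=com
cn: editor
gidNumber: 501
memberUid: zadmin
memberUid: alice
memberUid: carol

dn: cn=active,ou=groups,dc=example,dc=com
cn: active
gidNumber: 502
memberUid: zadmin
memberUid: alice
"""
# GIDs from the table on this page (the device group, GID 503, is left out of this sample).
EXPECTED_GIDS = {"superuser": 500, "editor": 501, "active": 502}

def parse_groups(ldif):
    """Map group cn -> {"gid": int, "members": set(uids)}; a blank line ends an entry."""
    groups, entry = {}, {"members": set()}
    for line in ldif.splitlines() + [""]:          # trailing "" closes the last entry
        key, _, value = line.partition(": ")
        if key == "memberUid":
            entry["members"].add(value)
        elif key in ("cn", "gidNumber"):
            entry[key] = value
        elif not line.strip() and "cn" in entry:   # blank line: entry complete
            groups[entry["cn"]] = {"gid": int(entry["gidNumber"]), "members": entry["members"]}
            entry = {"members": set()}
    return groups

def gid_mismatches(groups):
    """Required groups that are missing or whose GID differs from the page's table."""
    return [n for n, g in EXPECTED_GIDS.items() if n not in groups or groups[n]["gid"] != g]

def role_of(uid, groups):
    """Page rules: not in 'active' means deactivated; a superuser must also be an editor."""
    member_of = {n for n, g in groups.items() if uid in g["members"]}
    if "active" not in member_of:
        return "inactive"
    if {"superuser", "editor"} <= member_of:
        return "superuser"
    return "application user" if "editor" in member_of else "no role"
```

The same functions work on the real output of ldapsearch against ou=groups, which is one way to audit who holds superuser before touching rabbitMQ.config.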

Devices

A device logs in with:

<device_id> <password>, created from the Zibawa device manager.

Devices are members of the LDAP groups:

active and devices (note: currently the group functionality has no effect!).

A device has permission to subscribe and publish to */device_id/*/*

Deactivating Devices

To deactivate (or ban) a device it is necessary to delete it from LDAP (or change its password). Currently the "active" group functionality does not work with rabbitMQ.

adm/setting_up_ldap.txt · Last modified: 2017/03/24 10:06 by matt