Zibawa uses OpenLDAP to manage user and device authorization and access to all applications (Zibawa itself, rabbitMQ and Grafana dashboards).
A new user creates their ID via the Zibawa application. Zibawa stores these credentials internally, and also on LDAP.
Users may also be created directly in LDAP by other applications (such as phpLdapAdmin), so long as the group structure is respected.
All Zibawa applications validate logins based on the uid (username) parameter in LDAP.
Zibawa applications then provide permissions according to the user groups stored in LDAP.
There is a good tutorial that explains how to install OpenLDAP and phpLDAPAdmin.
You will also need to configure NGINX to serve phpLDAPAdmin. It is important to force an SSL/TLS connection to phpLDAPAdmin so that all passwords are encrypted in transit.
If LDAP is not on the same server as the other applications, then you will also need to configure StartTLS on the LDAP server.
```
cd ~
nano addcerts.ldif
```
The contents of addcerts.ldif should be as follows; edit the paths to point to your certificates:
```
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key
```
```
sudo ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
sudo service slapd force-reload
```
If you are using Let's Encrypt certificates, the same file would look like this:
```
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/zibawa.com/chain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/zibawa.com/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/zibawa.com/privkey.pem
```
Then start slapd and check that it is running:
```
sudo systemctl start slapd.service
sudo systemctl status slapd.service
```
Using phpLDAPAdmin you will need to set up the following organizational units:

| OU | Purpose |
|---|---|
| users | holds all of the users and devices |
| groups | holds the groups created below |
To create an Organizational Unit you need to click:
Create new entry here > Organizational Groups > Create Object > Commit
| GID | Group | Description |
|---|---|---|
| 500 | superuser | defines a user with access to all applications, including the rabbitMQ management dashboard |
| 501 | editor | defines a user with edit access to the Zibawa management panel and Grafana dashboards |
| 502 | active | lets us deactivate users without deleting them completely |
| 503 | device | user group which can send and read messages on its own topic |

It is essential to respect the names and GIDs of the LDAP groups as defined above. The GID (group ID) of superuser is the value that must be used in the rabbitMQ.config file.
From within the “groups” organizational unit, click:
Create a child entry > Posix Group > enter name of group > Create Object > Commit
Create a system super user via phpLDAPAdmin.
Click on ou=users in the tree on the left, then:
Create a child entry > Generic User Account > (enter details as shown below) > Create Object > Commit
The super user created should be added to the groups superuser, active and staff using the following:
Click on group > Add attribute > select memberUid > enter userName (i.e. zadmin) > Update object
It is recommended to create all remaining users via the Zibawa interface.
Super users are able to access and edit all of the Zibawa system, the rabbitmq administrator panel and all dashboards.
Super users must be members of the groups active,editor,superuser. (It is important to include “editor” as well as “superuser”)
Create IDs and passwords via the Zibawa application. They will have permissions according to the groups they are assigned to, typically “public”, which is the basic non-edit user group.
Application users are able to publish or subscribe to messages on topics matching `*/userName/*/*`.
Application users are members of the groups:
A device logs in with the `<device_id>` and `<password>` created in the Zibawa device manager.
Devices are members of the LDAP groups active and devices (note: currently the group functionality has no effect).
A device has permission to subscribe and publish to `*/device_id/*/*`.
To deactivate (or ban) a device it is necessary to delete it from LDAP (or change its password). Currently the group “active” has no effect on rabbitMQ authorization.
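The group table above and the per-identity topic patterns (`*/userName/*/*` for application users, `*/device_id/*/*` for devices) describe an authorization model that is easy to get subtly wrong, for example by omitting “editor” from a super user or by creating the groups with the wrong GIDs. The following Python is an added example, not Zibawa's own code: it parses a small constructed LDIF of posixGroup entries (GIDs and group names from this page; the member uids are invented), checks the mandatory group layout, derives each uid's effective role, and checks a topic against the per-identity pattern. It assumes membership is stored as `memberUid` on posixGroup entries and treats the “active” group as required, which is the documented intent even though the page notes rabbitMQ does not yet honour it.

```python
# Added example: model the LDAP group/topic authorization described on the page.
# Assumptions (not from the page): memberUid-based posixGroups, constructed data.

# Constructed sample LDIF: GIDs/names from the page, member uids invented.
SAMPLE_GROUPS_LDIF = """\
dn: cn=superuser,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: superuser
gidNumber: 500
memberUid: zadmin

dn: cn=editor,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: editor
gidNumber: 501
memberUid: zadmin
memberUid: alice

dn: cn=active,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: active
gidNumber: 502
memberUid: zadmin
memberUid: alice
memberUid: bob
memberUid: sensor01

dn: cn=device,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: device
gidNumber: 503
memberUid: sensor01
memberUid: sensor02
"""

# Mandatory names and GIDs from the page's group table.
EXPECTED_GIDS = {"superuser": 500, "editor": 501, "active": 502, "device": 503}


def parse_posix_groups(ldif_text):
    """Return {cn: {"gid": int, "members": set(uid)}} for posixGroup entries.

    Minimal parser: entries separated by blank lines, one "name: value" per
    line. LDIF continuation lines and base64 values are not handled.
    """
    groups = {}
    for block in ldif_text.strip().split("\n\n"):
        attrs, classes, members = {}, set(), set()
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if name == "memberUid":
                members.add(value)
            elif name == "objectClass":
                classes.add(value)
            else:
                attrs[name] = value
        if "posixGroup" in classes:
            groups[attrs["cn"]] = {"gid": int(attrs["gidNumber"]), "members": members}
    return groups


def check_group_layout(groups):
    """Return a list of deviations from the mandatory group names/GIDs."""
    problems = []
    for name, gid in EXPECTED_GIDS.items():
        if name not in groups:
            problems.append(f"missing group {name}")
        elif groups[name]["gid"] != gid:
            problems.append(f"group {name} has gid {groups[name]['gid']}, expected {gid}")
    return problems


def effective_role(uid, groups):
    """Map a uid's memberships to a role; None means no access (not active)."""
    member_of = {name for name, g in groups.items() if uid in g["members"]}
    if "active" not in member_of:  # deactivated or unknown account
        return None
    # The page stresses that a super user needs "editor" as well as "superuser";
    # a uid holding only "superuser" deliberately does not qualify here.
    if {"superuser", "editor"} <= member_of:
        return "superuser"
    if "editor" in member_of:
        return "editor"
    if "device" in member_of:
        return "device"
    return "user"


def topic_allowed(uid, topic):
    """True if topic matches the page's pattern */<uid>/*/* for this identity.

    Each * is one non-empty segment, so the topic must have exactly four
    segments and carry the authenticated uid in the second position.
    """
    parts = topic.split("/")
    return len(parts) == 4 and all(parts) and parts[1] == uid
```

Running `check_group_layout` against an export of the real “groups” OU is a quick way to confirm that the GID of superuser matches the value configured in rabbitMQ.config before users are created.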