Version 28 (modified 13 years ago)
11. OMF Login Aggregate Manager
The Login Aggregate Manager (AM) is an OMF service that manages testbed users and groups, schedules access to resources and supports resource access control. It is distributed as a Debian package targeted at Ubuntu 10.10 (it may work with other distributions as well).
Prerequisites
DHCP and DNS server
apt-get install dhcp3-server
Apache WEB server
apt-get install apache2
LDAP server
Decide on the organizational structure (base DN) for LDAP, e.g.:
orbit-lab.org ⇒ dc=orbit-lab,dc=org
Install the server and utilities:
apt-get install slapd ldap-utils phpldapadmin
Modify the /etc/default/slapd file and set the SLAPD_CONF and SLAPD_PIDFILE values to:
SLAPD_CONF="/etc/ldap/slapd.conf"
SLAPD_PIDFILE="/var/run/slapd/slapd.pid"
This is our slapd.conf file; please change it according to your organization:
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ldapns.schema
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
database bdb
index objectclass,entryCSN,entryUUID eq
suffix "dc=orbit,dc=lab,dc=org"
rootdn "dc=orbit,dc=lab,dc=org"
directory "/var/lib/ldap"
access to dn.base="" by * read
access to * by dn.regex="cn=admin,dc=orbit,dc=lab,dc=org" write by * read
Note: with these access rules every entry and attribute, including userPassword, is readable by anonymous clients. If that is not acceptable for your deployment, add a more restrictive access rule for the userPassword attribute ahead of the final catch-all rule (OpenLDAP evaluates access rules in order and the first matching rule wins).
Start the service:
/etc/init.d/slapd start
Make sure it is running by checking that the LDAP server is listening on both ports (389 and 636):
netstat -an | grep 389
netstat -an | grep 636
Stop the service:
/etc/init.d/slapd stop
Import the initial content (the first group and account, which will be used as administrators for the login service):
slapadd -l init.ldif -f /etc/ldap/slapd.conf
chown openldap:openldap /var/lib/ldap/*
Start the service:
/etc/init.d/slapd start
Make sure you can access the service (the first three queries are anonymous, the last one binds with the admin credentials):
ldapsearch -x -b "dc=orbit,dc=lab,dc=org" "objectclass=organizationalRole"
ldapsearch -x -b "dc=orbit,dc=lab,dc=org" "objectclass=organizationalUnit"
ldapsearch -x -b "dc=orbit,dc=lab,dc=org" "objectclass=posixGroup"
ldapsearch -x -H ldap://localhost -D "cn=admin,dc=orbit,dc=lab,dc=org" -W -b "dc=orbit,dc=lab,dc=org" "uid=*"
Login service
server_name – the name under which your server is reached externally
host – internal server name
port – 5052 by default
Example: Orbit parameters:
<server_name> ⇒ www.orbit-lab.org
<host> ⇒ internal1.orbit-lab.org
<port> ⇒ 5052
These parameters are used in login.yaml and to configure Apache.
login.yaml
registration:
baseURL: 'http://<server_name>/userManagement'
publicURL: 'http://<server_name>/status/orbit'
Apache configuration
The assumption is that user-facing services are served by the Apache web server (possibly on a separate machine). To make the login AM pages reachable from outside, Apache's proxy module is used; install the proxy package and enable the modules:
apt-get install libapache2-mod-proxy-html
a2enmod proxy
a2enmod proxy_http
We also assume that access to all pages requiring user credentials is protected with SSL, so the ssl module must be enabled:
a2enmod ssl
Configure the proxy URLs for plain HTTP (i.e. in /etc/apache2/sites-available/default).
In the following, <host> is the internal hostname or IP address of the machine running the login AM and <port> is the TCP port on which the service listens (5052 by default for OMF 5.2 services). For example, for internal IP 172.16.250.7 and port 5052, <host>:<port> is 172.16.250.7:5052.
ServerName <server_name>
...
ProxyPass /status "http://<host>:<port>/public_html/"
<Location /status>
    Order allow,deny
    Allow from all
</Location>
ProxyPass /userManagement "http://<host>:<port>/login/userManagement"
<Location /userManagement>
    Order allow,deny
    Allow from all
</Location>
...
Note: If you change baseURL or publicURL in login.yaml, the corresponding ProxyPass entries in the Apache default file must be changed as well.
For SSL services (in /etc/apache2/sites-available/default-ssl) we need:
...
ProxyPass /schedule/ "http://<host>:<port>/login/ShowScheduler"
<Location /schedule>
    Order allow,deny
    Allow from all
</Location>
ProxyPass /loginService/ http://<host>:<port>/login/
<Location /loginService>
    Order allow,deny
    Allow from all
</Location>
<Proxy http://<host>:<port>/login/*>
    Order allow,deny
    Allow from all
</Proxy>
...
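The Note above requires login.yaml and the Apache ProxyPass entries to stay in step, and the access section further down requires the /loginService prefix to be kept. The following Python checker is an added example (not part of OMF or of this page): it parses both fragments, using the page's placeholders filled in with the Orbit values as constructed sample input, and reports any baseURL/publicURL whose host differs from ServerName or whose first path component has no ProxyPass entry. Function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed samples: the page's placeholders filled in with the Orbit values
# (www.orbit-lab.org as <server_name>, 172.16.250.7:5052 as <host>:<port>).
LOGIN_YAML = """
registration:
  baseURL: 'http://www.orbit-lab.org/userManagement'
  publicURL: 'http://www.orbit-lab.org/status/orbit'
"""
APACHE_DEFAULT = """
ServerName www.orbit-lab.org
ProxyPass /status "http://172.16.250.7:5052/public_html/"
ProxyPass /userManagement "http://172.16.250.7:5052/login/userManagement"
"""
APACHE_SSL = """
ProxyPass /schedule/ "http://172.16.250.7:5052/login/ShowScheduler"
ProxyPass /loginService/ http://172.16.250.7:5052/login/
"""

YAML_URL_RE = re.compile(r"^\s*(baseURL|publicURL):\s*'([^']+)'", re.M)
PROXYPASS_RE = re.compile(r'^\s*ProxyPass\s+(\S+)\s+"?([^"\s]+)"?', re.M)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M)


def parse_proxypass(conf):
    """Map each public path prefix (trailing slash removed) to its backend URL."""
    return {m.group(1).rstrip("/"): m.group(2) for m in PROXYPASS_RE.finditer(conf)}


def check_login_urls(login_yaml, apache_default):
    """List mismatches between login.yaml URLs and the Apache default site ([] = consistent)."""
    proxied = parse_proxypass(apache_default)
    m = SERVERNAME_RE.search(apache_default)
    server_name = m.group(1) if m else None
    problems = []
    for key, url in YAML_URL_RE.findall(login_yaml):
        parts = urlparse(url)
        if parts.hostname != server_name:
            problems.append(f"{key}: host {parts.hostname} is not ServerName {server_name}")
        prefix = "/" + parts.path.strip("/").split("/")[0]  # prefix Apache must proxy
        if prefix not in proxied:
            problems.append(f"{key}: no ProxyPass for {prefix}")
    return problems


def check_login_service(apache_ssl):
    """The /loginService prefix must stay and be proxied onto the AM's /login/ path."""
    backend = parse_proxypass(apache_ssl).get("/loginService")
    return backend is not None and urlparse(backend).path == "/login/"
```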
Scheduler Database
Create a MySQL user that will own the scheduler database; we create a user called 'omf' with password 'omf'.
use mysql;
create user 'omf'@'localhost';
grant all on *.* to 'omf'@'localhost';
set password for 'omf'@'localhost'=password('omf');
Note: granting all privileges on *.* gives the service account global rights on the MySQL server; if you prefer least privilege, limit the grant to the scheduler database only.
To create the database, run the login.sql script attached to this page. The resources table has to be filled in manually.
For example:
#> mysql -p -u omf
Enter password:
mysql> use newScheduler;
mysql> INSERT into resources (machid,name,location,rphone,notes,minRes,maxRes) VALUES ('sc1431b400c5f130', 'grid', 'Orbit Facility', '(732) 932-6857', 'Main 400 node grid',30,120);
mysql> select * from resources;
+------------------+------+----------------+----------------+--------------------+--------+--------+--------+------------+----------+-------------+
| machid           | name | location       | rphone         | notes              | status | minRes | maxRes | autoAssign | approval | allow_multi |
+------------------+------+----------------+----------------+--------------------+--------+--------+--------+------------+----------+-------------+
| sc1431b400c5f130 | grid | Orbit Facility | (732) 932-6857 | Main 400 node grid | a      | 30     | 120    | NULL       | NULL     | NULL        |
+------------------+------+----------------+----------------+--------------------+--------+--------+--------+------------+----------+-------------+
1 row in set (0.00 sec)
mysql> quit
Bye
#>
Here:
- machid – unique resource identifier
- name – resource name
- rphone – phone number
- notes – resource description
- minRes – minimal reservation length in minutes
- maxRes – maximal reservation length in minutes
How to access login service
- Scheduler:
https://<server_name>/schedule/
This is how the scheduler is mapped in default-ssl. This mapping is not obligatory and the link can be changed, but the "/loginService" link name must be kept.
- ControlPanel – for administrators: view, approve and delete reservations, administer users and groups, etc.
https://<server_name>/loginService/ControlPanel
- User Registration
http://<server_name>/userManagement/register (userManagement is the same path as in login.yaml and the Apache default file)
- Group/Organization Registration
http://<server_name>/userManagement/orgReg (userManagement is the same path as in login.yaml and the Apache default file)
Note: The file /usr/share/omf-aggmgr-5.2/omf-aggmgr/public_html/template/ogs_login/orbit_banner.png is the banner used on the user management pages. Replace its content with your own logo.
Attachments (4)
- jack.ldif (586 bytes) - added 13 years ago. Sample user entry
- init.ldif (2.2 KB) - added 13 years ago. Initial LDAP startup config
- omf-aggmgr-5.2_ubuntu6_all.deb (3.9 MB) - added 13 years ago. Upgraded ogs_login service for omf-5.2
- login.sql (6.1 KB) - added 13 years ago.