
Installation

Distributed Systems and Internet Technology Lab, Distributed Data Intelligence and Tech. Lab edited this page Nov 25, 2019 · 20 revisions

front end installation

install apache2 and php7

apt install apache2
apt install php7.2
apt install php7.2-mysqli php7.2-ldap php7.2-xml php7.2-curl

# for resource manager
apt install php7.2-zip
apt install php7.2-gd
apt install php-pear
apt install php7.2-dev
pear install pecl/solr
# add extension=solr.so to your php.ini

install openldap

apt-get install slapd ldap-utils

for basic configuration of openldap see for example https://www.unixmen.com/install-openldap-in-ubuntu-15-10-and-debian-8/

you can add users like the following (generate the userPassword value with slappasswd; its default {SSHA} scheme is salted, unlike the plain {SHA} shown here):

dn: cn=user1,dc=ldap,dc=myorg,dc=org
cn: user1
sn: user1
userpassword: {SHA}...base64 encoded password hash...
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top

You need to define on LDAP the user roles used by Snap4City, which are: Manager, AreaManager, ToolAdmin and RootAdmin. The following are examples written in LDIF format (change the base DN to that of your LDAP installation):

dn: cn=Manager,dc=ldap,dc=myorg,dc=org
cn: Manager
objectclass: organizationalRole
objectclass: top
roleoccupant: cn=user1,dc=ldap,dc=myorg,dc=org
roleoccupant: cn=user2,dc=ldap,dc=myorg,dc=org

dn: cn=AreaManager,dc=ldap,dc=myorg,dc=org
cn: AreaManager
objectclass: organizationalRole
objectclass: top
roleoccupant: cn=user3,dc=ldap,dc=myorg,dc=org

dn: cn=ToolAdmin,dc=ldap,dc=myorg,dc=org
cn: ToolAdmin
objectclass: organizationalRole
objectclass: top
roleoccupant: cn=user4,dc=ldap,dc=myorg,dc=org

dn: cn=RootAdmin,dc=ldap,dc=myorg,dc=org
cn: RootAdmin
objectclass: organizationalRole
objectclass: top
roleoccupant: cn=root,dc=ldap,dc=myorg,dc=org

Moreover, for each tool (Dashboard, ProcessLoader, Notificator, IOTDirectory, etc.) you need to define a posixGroup containing the users allowed to use that tool. For example, the following LDIF states that user1, user2, user3, user4 and root belong to group Dashboard and thus can use the Dashboard Builder.

dn: cn=Dashboard,dc=ldap,dc=myorg,dc=org
cn: Dashboard
gidnumber: 501
objectclass: posixGroup
objectclass: top
memberuid: cn=user1,dc=ldap,dc=myorg,dc=org
memberuid: cn=user2,dc=ldap,dc=myorg,dc=org
memberuid: cn=user3,dc=ldap,dc=myorg,dc=org
memberuid: cn=user4,dc=ldap,dc=myorg,dc=org
memberuid: cn=root,dc=ldap,dc=myorg,dc=org

Note: memberUid is a case-sensitive string (it is matched case-exactly), so write the user DN in lowercase when adding it. The other attributes referring to users (roleOccupant, member, l) are matched case-insensitively, so this does not apply to them.

Users are grouped in organizations: define your own organizationalUnit and list its users in the l attribute, as below. A user should belong to exactly one organization.

dn: ou=MyOrg,dc=ldap,dc=myorg,dc=org
objectclass: organizationalUnit
ou: MyOrg
l: cn=user1,dc=ldap,dc=myorg,dc=org
l: cn=user2,dc=ldap,dc=myorg,dc=org
l: cn=user3,dc=ldap,dc=myorg,dc=org
l: cn=user4,dc=ldap,dc=myorg,dc=org
l: cn=root,dc=ldap,dc=myorg,dc=org

A user may also belong to specific groups within the organization. The following LDIF defines group Group1 in organization MyOrg; only user1 and user2 belong to it.

dn: cn=Group1,ou=MyOrg,dc=ldap,dc=myorg,dc=org
cn: Group1
member: cn=user1,dc=ldap,dc=myorg,dc=org
member: cn=user2,dc=ldap,dc=myorg,dc=org
objectclass: groupOfNames
ou: MyOrg
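The LDIF conventions above (roles as organizationalRole with roleOccupant, tool groups as posixGroup with lowercase memberUid, one organizationalUnit per user listed in its l attribute, groupOfNames inside the organization) are easy to get subtly wrong by hand. The following script is an added example, not part of the Snap4City project: it parses an LDIF text (for instance the output of slapcat) and reports references to undefined users, memberUid values that are not lowercase, users that are in zero or several organizations, role names outside the Snap4City set, and, as an extra check not on this page, userPassword values stored with an unsalted or plaintext scheme. The sample LDIF is constructed here and follows the page's DNs.

```python
"""Consistency checks for the Snap4City LDAP layout described above.

Added example, not Snap4City code. Parses LDIF text and verifies the
conventions the tools rely on. SAMPLE_LDIF is constructed for this example.
"""
import base64
import re
from collections import defaultdict

SNAP4CITY_ROLES = {"Manager", "AreaManager", "ToolAdmin", "RootAdmin"}
WEAK_PW_SCHEMES = ("{SHA}", "{MD5}", "{CLEARTEXT}")  # unsalted or plain text

SAMPLE_LDIF = """\
dn: cn=user1,dc=ldap,dc=myorg,dc=org
cn: user1
userpassword: {SSHA}cGxhY2Vob2xkZXItMQ==
objectclass: inetOrgPerson
objectclass: top

dn: cn=user2,dc=ldap,dc=myorg,dc=org
cn: user2
userpassword: {SSHA}cGxhY2Vob2xkZXItMg==
objectclass: inetOrgPerson
objectclass: top

dn: cn=Manager,dc=ldap,dc=myorg,dc=org
cn: Manager
objectclass: organizationalRole
roleoccupant: cn=user1,dc=ldap,dc=myorg,dc=org
roleoccupant: cn=user2,dc=ldap,dc=myorg,dc=org

dn: cn=Dashboard,dc=ldap,dc=myorg,dc=org
cn: Dashboard
objectclass: posixGroup
memberuid: cn=user1,dc=ldap,dc=myorg,dc=org
memberuid: cn=user2,dc=ldap,dc=myorg,dc=org

dn: ou=MyOrg,dc=ldap,dc=myorg,dc=org
objectclass: organizationalUnit
ou: MyOrg
l: cn=user1,dc=ldap,dc=myorg,dc=org
l: cn=user2,dc=ldap,dc=myorg,dc=org

dn: cn=Group1,ou=MyOrg,dc=ldap,dc=myorg,dc=org
cn: Group1
member: cn=user1,dc=ldap,dc=myorg,dc=org
objectclass: groupOfNames
"""

# Same directory with two mistakes: an unsalted {SHA} hash and a mixed-case memberUid.
BAD_LDIF = (SAMPLE_LDIF.replace("{SSHA}cGxhY2Vob2xkZXItMQ==", "{SHA}cGxhY2Vob2xkZXItMQ==")
            .replace("memberuid: cn=user2", "memberuid: cn=User2"))


def parse_ldif(text):
    """Split LDIF into entries of {lowercased attribute: [values]}; unfolds continuation lines."""
    entries, cur = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries + ([cur] if cur else [])


def check_directory(entries):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    by_dn = {e["dn"][0].lower(): e for e in entries if "dn" in e}
    classes = {dn: {c.lower() for c in e.get("objectclass", [])} for dn, e in by_dn.items()}
    users = {dn for dn in by_dn if "inetorgperson" in classes[dn]}
    orgs_of = defaultdict(list)

    def must_be_user(dn_value, where):
        # DN-valued attributes are matched case-insensitively by the server.
        if dn_value.lower() not in users:
            problems.append(f"{where}: {dn_value} is not a defined inetOrgPerson")

    for dn, e in by_dn.items():
        if "inetorgperson" in classes[dn]:
            for pw in e.get("userpassword", []):
                if pw.upper().startswith(WEAK_PW_SCHEMES):
                    scheme = pw[:pw.find("}") + 1]
                    problems.append(f"{dn}: {scheme} is unsalted or plain text; use {{SSHA}} from slappasswd")
        if "organizationalrole" in classes[dn]:
            if e["cn"][0] not in SNAP4CITY_ROLES:
                problems.append(f"{dn}: {e['cn'][0]} is not a Snap4City role")
            for occ in e.get("roleoccupant", []):
                must_be_user(occ, dn)
        if "posixgroup" in classes[dn]:
            for m in e.get("memberuid", []):
                must_be_user(m, dn)
                if m != m.lower():  # memberUid is matched case-exactly
                    problems.append(f"{dn}: memberUid {m} must be lowercase")
        if "organizationalunit" in classes[dn]:
            for u in e.get("l", []):
                must_be_user(u, dn)
                orgs_of[u.lower()].append(e.get("ou", [dn])[0])
        if "groupofnames" in classes[dn]:
            for m in e.get("member", []):
                must_be_user(m, dn)
    for u in sorted(users):
        if len(orgs_of[u]) != 1:
            problems.append(f"{u}: in {len(orgs_of[u])} organizations, expected exactly one")
    return problems
```

Run it against an export before loading the directory into Keycloak (`slapcat -b dc=ldap,dc=myorg,dc=org` gives suitable input); `check_directory(parse_ldif(text))` returns an empty list for the consistent sample and two findings for the deliberately broken copy.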

We suggest installing phpldapadmin on your server to administer the users.

Note: newer versions of OpenLDAP by default do not allow the anonymous user to list users, and some of the Snap4City tools currently still query the LDAP server as the anonymous user. If tools fail when searching data on LDAP, change the LDAP access configuration (the olcAccess rules) to allow read access to the anonymous user. Keep that grant limited to the user, role and group entries the tools need, leave userPassword readable only by its owner (anonymous auth only), and do not expose the LDAP port beyond the hosts that run these tools.

install keycloak

To install Keycloak you can follow this guide https://medium.com/@hasnat.saeed/setup-keycloak-server-on-ubuntu-18-04-ed8c7c79a2d9 but install version 4.8.3.Final https://downloads.jboss.org/keycloak/4.8.3.Final/keycloak-4.8.3.Final.tar.gz and configure it to run on port 8088. If you plan to use it in a production environment DO NOT use the embedded H2 database; use a MySQL database.

When you have it running on port 8088, connect to the admin console (http://hostname:8088/auth/admin/) and:

  1. configure Keycloak to use the users of the LDAP server:

1.1. select the User Federation menu, choose Add provider... and select "ldap", then set:

  • Edit Mode: READ_ONLY
  • Vendor: Other
  • Username LDAP attribute: cn
  • RDN LDAP attribute: cn
  • UUID LDAP attribute: cn
  • User Object Classes: inetOrgPerson
  • Connection URL: ldap://127.0.0.1 (change the IP to the IP address of the LDAP server; if it is not on the same host use ldaps:// or enable StartTLS, otherwise the bind password and the user data cross the network in clear text)
  • Users DN: dc=ldap,dc=myorg,dc=org (change to the one you choose for your ldap server)
  • Authentication Type: simple
  • Bind DN: cn=admin,dc=ldap,dc=myorg,dc=org (change to the one you choose for your ldap server)
  • Bind Credential: ...the password you choose for your admin user...

Save and then press the Synchronize all users button; if all is OK the users will be added to the Keycloak DB.

1.2 select the "Mappers" tab and press the "Create" button, enter a name like "roles", select "role-ldap-mapper" as Mapper Type, save it and then set the attributes:

  • LDAP Roles DN: "dc=ldap,dc=myorg,dc=org" (change to the one you choose for your ldap server)
  • Role Name LDAP Attribute: "cn"
  • Role Object Classes: organizationalRole
  • Membership LDAP Attribute: roleOccupant
  • Membership Attribute Type: DN
  • Membership User LDAP Attribute: "cn"
  • Mode: READ_ONLY
  • User Roles Retrieve Strategy: LOAD_ROLES_BY_MEMBER_ATTRIBUTE

Save and then press the Sync LDAP Roles To Keycloak button; it will add to Keycloak the roles defined on LDAP.

  2. set up the clients allowed to log in using the OpenID Connect protocol; in particular you need a client for the dashboard-builder:

2.1. in "Clients" select "Create", set Client ID "php-dashboard-builder" and press Save.

2.2. Set "Access Type": "confidential" and for the "Valid redirect URIs" set something like "http://hostname/*", where hostname is the hostname (or IP address) that the clients will use to access the dashboard-builder, then press "Save". Keep the pattern as narrow as your deployment allows: an over-broad redirect URI lets the authorization code be delivered to a page an attacker controls. In the "Credentials" tab you will find the client secret that you need to set in the dashboard-builder configuration; treat it like a password.

2.3. Select the "Mappers" tab; if it is empty press "Add builtin", select "username" and press "Add selected". This adds the username to the tokens sent to the application.

2.4 Then, still in the "Mappers" tab, press the "Create" button to add the user roles and write:

  • Name: "role",
  • Mapper Type: "User Realm Role",
  • Multivalued: ON,
  • Token Claim Name: "roles"

then press "Save".
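With the two mappers above, the tokens Keycloak issues to php-dashboard-builder carry the username in the preferred_username claim (the builtin "username" mapper) and the realm roles synchronized from LDAP as a multivalued "roles" claim. The following is an added example, not code from the Snap4City project or from Keycloak: it shows the checks the relying application should apply to such a token after the signature has been verified. It deliberately does not verify the signature itself; do that first, with your JWT library, against the realm's RS256 public key, and never grant access on unverified claims. The issuer URL (realm "master" on "hostname") and the token contents are assumptions constructed for the example; azp is the standard claim Keycloak uses for the client the token was issued to.

```python
"""Claim checks for a Keycloak token received by the dashboard-builder client.

Added example, not Snap4City or Keycloak code. Signature verification is
assumed to have been done already; these are the claim checks that follow.
"""
import base64
import json
import time

CLIENT_ID = "php-dashboard-builder"
SNAP4CITY_ROLES = {"Manager", "AreaManager", "ToolAdmin", "RootAdmin"}
# Assumed realm and host; the page leaves both to the installer.
ISSUER = "http://hostname:8088/auth/realms/master"


def b64url_decode(part):
    """JWT segments are base64url without padding; restore the padding first."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def unverified_claims(token):
    """Split header.payload.signature and return the payload as a dict.

    Refuses alg=none so an unsigned token can never reach the checks below."""
    header, payload, _signature = token.split(".")
    if json.loads(b64url_decode(header)).get("alg", "none") == "none":
        raise ValueError("unsigned token")
    return json.loads(b64url_decode(payload))


def check_token(token, now=None):
    """Return the set of Snap4City roles the token grants, or raise ValueError."""
    now = time.time() if now is None else now
    claims = unverified_claims(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    if claims.get("azp") != CLIENT_ID:  # must have been issued to our client
        raise ValueError("token issued to another client: %r" % claims.get("azp"))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get("preferred_username"):
        raise ValueError("no username claim; check the builtin 'username' mapper")
    roles = claims.get("roles")
    if not isinstance(roles, list):  # the role mapper must be Multivalued: ON
        raise ValueError("roles claim missing or not a list: %r" % roles)
    granted = SNAP4CITY_ROLES & set(roles)
    if not granted:
        raise ValueError("user holds none of the Snap4City roles")
    return granted


def make_test_token(claims):
    """Constructed token with a dummy signature, for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "dummy-signature"])


if __name__ == "__main__":
    token = make_test_token({"iss": ISSUER, "azp": CLIENT_ID, "exp": 2_000_000_000,
                             "preferred_username": "user1",
                             "roles": ["Manager", "offline_access"]})
    print(sorted(check_token(token, now=1_700_000_000)))
```

Roles Keycloak adds on its own (offline_access, uma_authorization) are filtered out by the intersection with SNAP4CITY_ROLES, so only the LDAP-defined roles reach the authorization decision. A token issued to a different client, an expired token, or a "roles" claim that is a single string instead of a list (the mapper left with Multivalued off) is rejected.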

install and configure Ownership API

see https://github.com/disit/snap4city/tree/master/Ownership-API

install and configure PersonalData

see https://github.com/disit/snap4city/tree/master/PersonalDataManager

get sources

check out the sources and make the dashboard-builder/dashboard_frontend directory accessible from /var/www/html, then configure the application following the instructions on the Configuration page.