Requirements

The application requires the following CPAN distributions:

  • CGI-Simple
  • Config-Tiny
  • Data-Dump
  • DateTime
  • List-MoreUtils
  • Locale-Maketext-Lexicon
  • Log-Any
  • Email-MIME
  • Email-Sender
  • Rose-DB-Object
  • Template-Toolkit
  • Text-CSV
  • UNIVERSAL-require
  • XML-LibXML

Installation:

Installation follows the usual autotools-based procedure:

./configure
make
make install

Next, create the database, for example with MariaDB:

Mysql config
$> mysqladmin create -u root -p access_check
Enter password:
$> mysql -u root -p access_check < conf/manager.sql
Enter password:
$> mysql -u root -p mysql
Enter password:
MariaDB [mysql]> grant all privileges on access_check.* to access_check@localhost identified by 's3cr3t';
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> quit

Next follows the configuration of Apache:

Apache2 configuration
    Alias /access-check /usr/local/share/access-check/www
    <Directory /usr/local/share/access-check/www>
        Require all granted
        Options ExecCGI
        DirectoryIndex access-check-manager.cgi
        AddHandler cgi-script .cgi
    </Directory>

Additional directories have to be created for logs and data, with write permission for the web server:

Additional directories
$> sudo mkdir /var/log/access-check
$> sudo mkdir /var/lib/access-check
$> sudo chown apache.apache /var/log/access-check
$> sudo chown apache.apache /var/lib/access-check

The application has to be configured through the installed manager.conf file. Example:

manager.conf
[app]
support_email = support@example
name = Community Tagging Access
url = https://hadem.vm.grnet.gr
login_url =
jagger = https://hadem.vm.grnet.gr/rr3

[setup]
# base templates directory
templates_dir = /usr/local/share/access-check/templates
# templates theme
templates_theme = default
accounts_file = /var/simplesamlphp/config/authsources.php
federation_metadata_file = /var/lib/access-check/metadata.xml

[federations]
# list of all federations from which to fetch metadata
#edugain = https://mds.edugain.org/
#aconet = https://md.aai.grnet.gr/aggregates/grnet-metadata.xml
grnet = https://hadem.vm.grnet.gr/rr3/metadata/federation/Pixie_test/metadata.xml
#grnet = https://md.aai.grnet.gr/aggregates/grnet-metadata.xml

[logger]
file = /var/log/access-check/manager.log
level = debug

[mailer]
# From address used by the account manager
from = no-reply@hadem.vm.grnet.gr

[database]
type = mysql
host = localhost
name = access_check
username = access_check
password = s3cr3t
options = mysql_enable_utf8

[idp]
scope = hadem.vm.grnet.gr
entityid = https://hadem.vm.grnet.gr/simplesaml/saml2/idp/metadata.php
name = Pixie Dust Account Creation IdP
#authsources = /var/simplesamlphp/config/authsource.php

# default parameters for all services
[service]
# test accounts validity period, in days
account_validity_period = 1
# token validity period, in hours
tokens_validity_period = 2
# valid account profiles
account_profiles = fullset1
# if you want more accounts enabled see:
# limitedset1, generic1, student1, student2, teacher1, teacher2, alumni1, librarywalkin1, employee1, researcher1

# override contacts defined in metadata if defined
#contacts = hadem@noc.grnet.gr
#root@hademaccesscheckproxy.vm.grnet.gr

# service-specific parameters
[https://hadem.vm.grnet.gr/rr3]
account_validity_period = 90
account_profiles = student1, teacher1
contacts = hadem@grnet.gr

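To show how the [service] defaults and the entity-ID sections above combine, and to catch the settings a reviewer would flag in this file (the example database password, metadata URLs without TLS, long test-account lifetimes), here is an added Python example that is not part of access-check; the constructed config excerpt, the 30-day limit and the finding texts are assumptions, and configparser is tuned to the Config-Tiny style INI format the file uses.

```python
# Added example, not access-check project code. SAMPLE_CONF is a constructed excerpt of the manual's manager.conf; the audit thresholds are assumptions.
import configparser

SAMPLE_CONF = """\
[federations]
edugain = http://mds.edugain.org/
grnet = https://hadem.vm.grnet.gr/rr3/metadata/federation/Pixie_test/metadata.xml
[database]
password = s3cr3t
[service]
account_validity_period = 1
tokens_validity_period = 2
account_profiles = fullset1
[https://hadem.vm.grnet.gr/rr3]
account_validity_period = 90
account_profiles = student1, teacher1
"""

def load_conf(text):
    # Mirror Config::Tiny: '=' is the only delimiter, '#' starts a comment,
    # keys keep their case and values are not %-interpolated.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def effective_service(cp, entity_id):
    """[service] holds the defaults; a section named after the entity ID overrides them."""
    settings = dict(cp["service"]) if cp.has_section("service") else {}
    if cp.has_section(entity_id):
        settings.update(cp[entity_id])
    settings["account_profiles"] = [p.strip() for p in settings.get("account_profiles", "").split(",") if p.strip()]
    return settings

def audit(cp, max_account_days=30):
    """Return findings a reviewer would raise; max_account_days is an assumed policy limit."""
    findings = []
    if cp.get("database", "password", fallback="") in ("", "s3cr3t"):
        findings.append("database.password is empty or still the manual's example value")
    for fed, url in cp.items("federations") if cp.has_section("federations") else []:
        if not url.lower().startswith("https://"):
            findings.append(f"federations.{fed}: metadata fetched without TLS ({url})")
    for section in cp.sections():
        if section.startswith(("http://", "https://")):  # service-specific override section
            days = int(effective_service(cp, section)["account_validity_period"])
            if days > max_account_days:
                findings.append(f"{section}: test accounts stay valid for {days} days")
    return findings
```

Run audit(load_conf(open("/usr/local/etc/manager.conf").read())) against the installed file to get the same findings for the real configuration.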

A cron task has to be set up to download federation metadata. For instance:

Fetch metadata
# download eduGAIN metadata hourly
01 * * * * root curl --silent http://mds.edugain.org/ -o /var/lib/access-manager/edugain.xml

Another cron task has to be set up to purge expired tokens and accounts. For instance:

Purge expired tokens and accounts
# purge expired tokens hourly
01 * * * * root /usr/local/bin/access-check-manager.pl list_tokens --expired --delete > /dev/null
# purge expired accounts daily
02 0 * * * root /usr/local/bin/access-check-manager.pl list_accounts --expired --delete > /dev/null