Requirements
It requires the following CPAN distributions:
Installation:
Installation follows the usual autotools-based procedure:
./configure
make
make install
Next, create the database, for example with MariaDB:
$> mysqladmin create -u root -p access_check
Enter password:
$> mysql -u root -p access_check < conf/manager.sql
Enter password:
$> mysql -u root -p mysql
Enter password:
MariaDB [mysql]> grant all privileges on access_check.* to access_check@localhost identified by 's3cr3t';
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> quit
Next follows the configuration of Apache:
Alias /access-check /usr/local/share/access-check/www
<Directory /usr/local/share/access-check/www>
    Require all granted
    Options ExecCGI
    DirectoryIndex access-check-manager.cgi
    AddHandler cgi-script .cgi
</Directory>
Additional directories have to be created for logs and data, with write permission for the web server:
$> sudo mkdir /var/log/access-check
$> sudo mkdir /var/lib/access-check
$> sudo chown apache:apache /var/log/access-check
$> sudo chown apache:apache /var/lib/access-check
The application has to be configured through the installed manager.conf file. The credentials in the [database] section must match the ones set in the grant statement above. See example:
[app]
support_email = support@example
name = Community Tagging Access
url = https://hadem.vm.grnet.gr
login_url =
jagger = https://hadem.vm.grnet.gr/rr3

[setup]
# base templates directory
templates_dir = /usr/local/share/access-check/templates
# templates theme
templates_theme = default
accounts_file = /var/simplesamlphp/config/authsources.php
federation_metadata_file = /var/lib/access-check/metadata.xml

[federations]
# list of all federations from which to fetch metadata
#edugain = https://mds.edugain.org/
#aconet = https://md.aai.grnet.gr/aggregates/grnet-metadata.xml
grnet = https://hadem.vm.grnet.gr/rr3/metadata/federation/Pixie_test/metadata.xml
#grnet = https://md.aai.grnet.gr/aggregates/grnet-metadata.xml

[logger]
file = /var/log/access-check/manager.log
level = debug

[mailer]
# from field used by the account manager
from = no-reply@hadem.vm.grnet.gr

[database]
type = mysql
host = localhost
name = access_check
username = access_check
password = s3cr3t
options = mysql_enable_utf8

[idp]
scope = hadem.vm.grnet.gr
entityid = https://hadem.vm.grnet.gr/simplesaml/saml2/idp/metadata.php
name = Pixie Dust Account Creation IdP
#authsources = /var/simplesamlphp/config/authsource.php

# default parameters for all services
[service]
# test accounts validity period, in days
account_validity_period = 1
# token validity period, in hours
tokens_validity_period = 2
# valid account profiles
account_profiles = fullset1
# if you want more accounts enabled see:
# limitedset1, generic1, student1, student2, teacher1, teacher2, alumni1, librarywalkin1, employee1, researcher1
# override contacts defined in metadata if defined
#contacts = hadem@noc.grnet.gr #root@hademaccesscheckproxy.vm.grnet.gr

# service-specific parameters
[https://hadem.vm.grnet.gr/rr3]
account_validity_period = 90
account_profiles = student1, teacher1
contacts = hadem@grnet.gr
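A cron task has to be set up for downloading federation metadata. The example below writes to /var/lib/access-manager, which is not one of the directories created above, so adjust the output path to your setup. For instance:
# download eduGAIN metadata hourly
01 * * * * root curl --silent http://mds.edugain.org/ -o /var/lib/access-manager/edugain.xml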
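The one-line curl job above overwrites the metadata file even when the download fails or returns an error page. The following wrapper is an added example, not part of access-check: it fetches over HTTPS only, sanity-checks the result and renames it into place. The script name, its install path and the function names are assumptions; the destination is the federation_metadata_file value from manager.conf.

```shell
#!/bin/sh
# Added example, not part of access-check. The script name and install path in
# the cron line below are assumptions:
#   01 * * * * root /usr/local/bin/fetch-metadata.sh https://mds.edugain.org/ /var/lib/access-check/metadata.xml

# validate_metadata FILE
# Succeeds only if FILE is non-empty and contains a SAML EntityDescriptor or
# EntitiesDescriptor element (with or without a namespace prefix).
validate_metadata() {
    [ -s "$1" ] || return 1
    grep -Eq '<([A-Za-z0-9_-]+:)?Entit(y|ies)Descriptor([[:space:]>]|$)' "$1"
}

# install_metadata TMP DEST
# Renames TMP over DEST if it validates; otherwise deletes TMP and leaves the
# previous DEST untouched. A rename within one filesystem is atomic.
install_metadata() {
    tmp=$1; dest=$2
    if validate_metadata "$tmp"; then
        # mktemp creates the file 0600; the web server must be able to read it.
        chmod 644 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# fetch_metadata URL DEST
# Downloads over HTTPS only, failing on HTTP errors and timeouts, into a
# temporary file next to DEST, then hands it to install_metadata.
fetch_metadata() {
    url=$1; dest=$2
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if ! curl --silent --fail --proto '=https' --max-time 120 \
            --output "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    install_metadata "$tmp" "$dest"
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    fetch_metadata "$1" "$2"
fi
```

The content check is a sanity check only; it does not verify the XML signature on the metadata.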
Another cron task has to be set for purging expired tokens and accounts. For instance:
# purge expired tokens hourly
01 * * * * root /usr/local/bin/access-check-manager.pl list_tokens --expired --delete > /dev/null
# purge expired accounts daily
02 0 * * * root /usr/local/bin/access-check-manager.pl list_accounts --expired --delete > /dev/null