ingenieurbuero fuer innovative informationstechnik, Dipl.-Ing. Joerg Beckmann

Configuration Guide
Content

Configuration File
Global Parameters
Plug-Ins
LDAP Configuration

Configuration File

The iiitAccessServer uses an XML file for configuration data. When starting, the program searches the directories

We do not want to explain the usage of XML files here; documentation on XML can be found at http://www.xml.org. To keep the parsing and processing of the configuration file simple, we do not use all capabilities of XML. In contrast to the usual XML convention, we do not distinguish between upper- and lower-case spelling of the names of items and attributes.

The layout of the configuration file looks like the following example:

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        <Element1 Attribute1 = "value1" Attribute2 = "value2" AttributeN = "valueN" />
        <Element2 Attribute1 = "value1" Attribute2 = "value2" AttributeN = "valueN" >
            <SubElement1 Attribute1 = "value1" Attribute2 = "value2" AttributeN = "valueN" />
            <SubElement2 Attribute1 = "value1" Attribute2 = "value2" AttributeN = "valueN" />
        </Element2>
    </AccessServer>

Any item may contain any number of sub-items.

Global Parameters

Logging

There are two ways to configure logging. The simple way only configures the log level by adding the attribute LogLevel to the item AccessServer:

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer LogLevel = "DEBUG" >
        ...
    </AccessServer>

The output will be sent to

A little more sophisticated, the logging may be configured using an item named

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        <Logger LogLevel = "INFO" LogFile = "./accessserver.log" MaxFileSize = "1000000" MaxBackupFiles = "5" />
        ...
    </AccessServer>

The attribute

The attributes

The item

LDAP Interface

The configuration of the built-in LDAP interface is used by the LDAP resolver and by the CacheManager. It may be configured together with these plug-ins or, for simplicity, globally as an item of its own. The configuration looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        ...
        <LdapConfig RootDN = "dc=iiit,dc=de"
                    LdapPersonSearchBase = "ou=person,dc=iiit,dc=de"
                    LdapGroupSearchBase = "ou=group,dc=iiit,dc=de"
                    LdapFormulaSearchBase = "ou=formula,dc=iiit,dc=de"
                    LdapPersonClass = "iiitPerson"
                    LdapGroupClass = "iiitGroup"
                    LdapFormulaClass = "iiitFormula"
                    LdapExpressionField = "iiitExpression"
                    LdapCommonNameField = "cn"
                    LdapUserIdField = "uid"
                    LdapMemberUserIdField = "memberUid" >
            <server java.naming.provider.url = "ldap://ldap1.iiit.de/"
                    java.naming.factory.initial = "com.sun.jndi.ldap.LdapCtxFactory"
                    java.naming.security.protocol = ""
                    java.naming.security.authentication = "simple"
                    java.naming.security.principal = ""
                    java.naming.security.credentials = "" />
            <server java.naming.provider.url = "ldap://ldap2.iiit.de/"
                    java.naming.factory.initial = "com.sun.jndi.ldap.LdapCtxFactory"
                    java.naming.security.protocol = ""
                    java.naming.security.authentication = "simple"
                    java.naming.security.principal = ""
                    java.naming.security.credentials = "" />
        </LdapConfig>
        ...
    </AccessServer>

The attribute

Besides these base attributes you must configure how to access the LDAP server. To do this, you have to enter

Note that the bind credentials (like the database passwords further down) are stored in clear text in this file, so its read permissions should be restricted to the account running the iiitAccessServer. With simple authentication, an empty principal and empty credentials, as in the example above, amount to an anonymous bind, and a plain ldap:// URL without a security protocol sends the bind over the network unencrypted.

IgnoreCase

The item

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer IgnoreCase = "true" >
        ...
    </AccessServer>

Remark: The LDAP resolver forces this attribute to be set to

VerifyUser

The attribute

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer VerifyUser = "true" >
        ...
    </AccessServer>

Plug-Ins

The iiitAccessServer knows three kinds of plug-ins, described in the following chapters. The base structure of the configuration is always the same:

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        ...
        <xxxPlugin PluginClass = [Classname] >
            <PluginConfig Attribute1 = "value1" Attribute2 = "value2" AttributeN = "valueN" >
                <Element Attribute1 = "value1" Attribute2 = "value2" AttributeN = "valueN" >
                    <SubElement1 Attribute1 = "value1" Attribute2 = "value2" AttributeN = "valueN" />
                    <SubElement2 Attribute1 = "value1" Attribute2 = "value2" AttributeN = "valueN" />
                </Element>
            </PluginConfig>
        </xxxPlugin>
        ...
    </AccessServer>

The name of the item is

Resolver Plug-Ins

Resolver Plug-Ins are used to resolve names requested by the application. Therefore any valid configuration file must contain exactly one

Property-File Resolver

This resolver reads its data from a simple Java property file. Because the entries are read only once on start-up, this resolver should not be used in production environments, but only for tests and development. It must be configured like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        ...
        <ResolverPlugin PluginClass = "de.iiit.AccessServer.parser.PropertyFileResolver" >
            <PluginConfig FileName = "etc/expressions.properties" />
        </ResolverPlugin>
        ...
    </AccessServer>

The only attribute is the name of the property file to be used. This example uses the name of the property file delivered together with the iiitAccessServer package. The layout of the property file should be like this:

    ga1=a1,a2
    ga2=a3,a4
    ga3=a5,a6
    gn=
    ga12=ga1+ga2
    ga23=ga2+ga3
    ga13=ga1+ga3
    ga=ga1 + ga2 + ga3
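The following Python script expands a property file of the layout shown above. It is an added example, not code from the iiitAccessServer package, and the guide does not spell out how the expressions are evaluated: the script assumes that a comma separates the members of a name, that a plus sign joins other names whose members are united, and that a token which is itself a defined name is expanded recursively. It also reports reference cycles and unknown names, which a hand-edited property file can easily contain.

```python
"""Expand the group expressions of a Property-File Resolver property file.
Added example, not part of the iiitAccessServer package; the expression
semantics implemented here are an assumption, not taken from the guide."""


class CycleError(ValueError):
    """Raised when a name refers, directly or indirectly, to itself."""


# Constructed sample, copied from the property-file layout shown in the guide.
SAMPLE_PROPERTIES = """\
ga1=a1,a2
ga2=a3,a4
ga3=a5,a6
gn=
ga12=ga1+ga2
ga23=ga2+ga3
ga13=ga1+ga3
ga=ga1 + ga2 + ga3
"""


def load_properties(text):
    """Parse key=value lines; '#' and '!' start comment lines as in Java property files."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line without '=': %r" % raw)
        table[key.strip()] = value.strip()
    return table


def resolve(table, name, _stack=()):
    """Return the sorted leaf ids that name expands to.

    Assumed semantics: the value is a '+'-joined list of terms, each term a
    comma-separated list of tokens; a token that names another key is expanded
    recursively, any other token is a leaf id."""
    if name in _stack:
        raise CycleError("cycle: " + " -> ".join(_stack + (name,)))
    if name not in table:
        raise KeyError("unknown name: %s" % name)
    members = set()
    for term in table[name].split("+"):
        for token in (t.strip() for t in term.split(",")):
            if not token:
                continue  # covers empty definitions such as "gn="
            if token in table:
                members.update(resolve(table, token, _stack + (name,)))
            else:
                members.add(token)
    return sorted(members)


def resolve_all(text):
    """Expand every name defined in the property file text."""
    table = load_properties(text)
    return {name: resolve(table, name) for name in table}


def has_cycle(text, name):
    """True if expanding name in the property file text runs into a cycle."""
    try:
        resolve(load_properties(text), name)
    except CycleError:
        return True
    return False


if __name__ == "__main__":
    for group, ids in resolve_all(SAMPLE_PROPERTIES).items():
        print("%-5s -> %s" % (group, ",".join(ids)))
```

Because the server reads the file only once at start-up, running such an expansion before starting the server is the only moment at which a broken expression can still be caught cheaply.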
LDAP Resolver

The LDAP resolver is intended for use in production environments. There must be an LDAP interface configuration as shown above. The LDAP configuration may be a global item or a sub-item of the

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        ...
        <LdapConfig ... >
            <server ... />
            ...
        </LdapConfig>
        ...
        <ResolverPlugin PluginClass = "de.iiit.AccessServer.parser.LdapResolver" />
        ...
    </AccessServer>

Cache Plug-Ins

The iiitAccessServer contains two implementations of caches.

Simple Cache

The simple cache is a 1st-level-only cache. The configuration looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        ...
        <CachePlugin PluginClass = "de.iiit.AccessServer.cache.SimpleCache" >
            <PluginConfig InvalidationTimeout = "600" LRUTimeout = "100" SleepTime = "10" />
        </CachePlugin>
        ...
    </AccessServer>

The attribute

Database Cache

The database cache contains a 1st-level and a persistent 2nd-level cache. The latter uses a MySQL database to store its items and is therefore a little more complex to configure. This cache is not filled automatically, but needs a separate plug-in, the CacheManager, to read the data from the LDAP database and write it in an optimized format into the cache database.

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        ...
        <CachePlugin PluginClass = "de.iiit.AccessServer.cache.DbCache" >
            <PluginConfig InvalidationTimeout = "600" LRUTimeout = "100" SleepTime = "10" Md5PatternLength = "1" >
                <JdbcDriver ClassName = "com.mysql.jdbc.Driver" />
                <CacheDatabase Url = "jdbc:mysql://jacomo/AccessServerCache" UserName = "checker" Password = "checker" Connections = "5" />
                <CacheDatabase Url = "jdbc:mysql://wuppi/AccessServerCache" UserName = "checker" Password = "checker" Connections = "5" />
            </PluginConfig>
        </CachePlugin>
        ...
    </AccessServer>

The attributes

Inside the plug-in configuration, you must enter items containing the database configuration. The item

For every needed database, there must be one

If there are more database definitions than needed, the additional databases are ignored. It is important that all databases are listed in exactly the same order as in the CacheManager's configuration. If some database servers are more powerful than others, you may list them more than once to give them a bigger share of the load.

Thread Plug-Ins

RMI Server

The RMI server is the preferred interface for Java applications. The only configuration option is the port number on which the AccessServer's private RMI registry should listen. The default port number is 54322.

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        ...
        <ThreadPlugin PluginClass = "de.iiit.AccessServer.server.RMIServer" >
            <PluginConfig Port = "54322" />
        </ThreadPlugin>
        ...
    </AccessServer>

TCP/IP Server

The TCP/IP server is currently the only interface to be used by applications not written in Java. The only configurable parameter is the number of the port the server shall listen on. This plug-in may be configured more than once with different port numbers. The default port number is 54321.

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        ...
        <ThreadPlugin PluginClass = "de.iiit.AccessServer.server.TcpServer" >
            <PluginConfig Port = "54321" />
        </ThreadPlugin>
        ...
    </AccessServer>

CacheManager

If you have more than one instance of the iiitAccessServer running in your network, you must have exactly one instance running the CacheManager. On its first start-up, the CacheManager reads the whole content of the LDAP databases and uses the data to fill the persistent 2nd-level cache. Afterwards all changes occurring in the LDAP database are read and used to refresh the cache. In case of an error, the system administrator can be notified by e-mail.

    <?xml version="1.0" encoding="UTF-8"?>
    <AccessServer>
        ...
        <ThreadPlugin PluginClass = "de.iiit.AccessServer.cachemanager.CacheManager" >
            <PluginConfig ReplicationFile = "/var/lib/ldap/replication.log"
                          RefreshInterval = "10"
                          Md5PatternLength = "1"
                          SMTPServer = "jacomo.iiit.de"
                          SMTPPort = "-1"
                          SMTPUser = ""
                          SMTPPassword = ""
                          SMTPMailTo = "root@iiit.de" >
                <JdbcDriver ClassName = "com.mysql.jdbc.Driver" />
                <AdminDatabase Url = "jdbc:mysql://wuppi/AccessServerAdmin" UserName = "checker" Password = "checker" Connections = "5" />
                <CacheDatabase Url = "jdbc:mysql://jacomo/AccessServerCache" UserName = "checker" Password = "checker" Connections = "5" />
                <CacheDatabase Url = "jdbc:mysql://wuppi/AccessServerCache" UserName = "checker" Password = "checker" Connections = "5" />
            </PluginConfig>
        </ThreadPlugin>
        ...
    </AccessServer>

As described for the LDAP resolver, the LDAP configuration may be entered globally or as a sub-item of the plug-in configuration.

The attributes

The cache databases must be described the same way as in the database cache configuration. Additionally there must be one database used for temporary data of the CacheManager itself. This has to be configured with an

To refresh the persistent cache, the CacheManager reads the OpenLDAP replication log file and acts like the

LDAP Configuration

We do not want to explain every configuration detail of OpenLDAP, but only those special configuration items you need to observe to use the iiitAccessServer together with OpenLDAP.

Schema Extensions

In the sub-directory

To include these extensions into the OpenLDAP server configuration, you must copy the file

    include /etc/openldap/schema/iiit.schema

behind all other schema definitions in the configuration file

The corresponding section of the configuration file should now look like this:

    ...
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/iiit.schema
    ...

Indexing the LDAP Database

Together with the iiitAccessServer, we found the following index definitions to be useful:

    ...
    index default pres,eq
    index uid
    index cn,sn pres,eq
    index objectClass eq
    ...

Replication

The LDAP server must be configured to use replication to allow the iiitAccessServer to read all changes. To replicate its data, the OpenLDAP server writes all changes in LDIF format into a file, which is normally read by the

If the iiitAccessServer runs in an environment with replicated LDAP servers, it must not run together with the master server, to avoid conflicts while reading the replication log file. In these cases, the iiitAccessServer must run together with one of the slave servers.

Important: The iiitAccessServer must not run together with

To switch on replication in OpenLDAP, you must add entries like the following to the configuration file

    ...
    replogfile /var/lib/ldap/replication.log
    replica host=AccessServer
            binddn="cn=Replicator,dc=iiit,dc=de"
            bindmethod=simple
            credentials=secret

You must enter these lines behind the database definition, usually at the end of the configuration file. The replication log contains every modification of the directory as clear LDIF, and the configuration file contains the replicator's password in clear text; both should be readable only by the LDAP server and the account running the CacheManager. Obviously, the entry
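The rules stated in the Plug-Ins and CacheManager chapters above (exactly one ResolverPlugin, an LdapConfig item for the LDAP resolver, and the same CacheDatabase order in the database cache and in the CacheManager) are easy to violate in a hand-edited file and are only reported at start-up. The following Python script checks a configuration file for them before the server is started. It is an added example, not part of the iiitAccessServer package; the sample configuration embedded in it is constructed from the fragments shown in this guide and deliberately lists the cache databases in different orders. Item and attribute names are compared case-insensitively, as the server does, and the script additionally warns about LDAP server entries that would bind anonymously or without a security protocol.

```python
"""Lint an iiitAccessServer configuration file against the rules this guide states.
Added example; not part of the iiitAccessServer package."""
import xml.etree.ElementTree as ET

# Constructed sample built from the fragments in this guide; it deliberately
# lists the cache databases in different orders in DbCache and CacheManager.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<AccessServer LogLevel="INFO" IgnoreCase="true">
  <LdapConfig RootDN="dc=iiit,dc=de" LdapPersonSearchBase="ou=person,dc=iiit,dc=de">
    <server java.naming.provider.url="ldap://ldap1.iiit.de/"
            java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
            java.naming.security.protocol=""
            java.naming.security.authentication="simple"
            java.naming.security.principal=""
            java.naming.security.credentials="" />
  </LdapConfig>
  <resolverplugin PluginClass="de.iiit.AccessServer.parser.LdapResolver" />
  <CachePlugin PluginClass="de.iiit.AccessServer.cache.DbCache">
    <PluginConfig InvalidationTimeout="600" LRUTimeout="100" SleepTime="10" Md5PatternLength="1">
      <JdbcDriver ClassName="com.mysql.jdbc.Driver" />
      <CacheDatabase Url="jdbc:mysql://jacomo/AccessServerCache" UserName="checker" Password="checker" Connections="5" />
      <CacheDatabase Url="jdbc:mysql://wuppi/AccessServerCache" UserName="checker" Password="checker" Connections="5" />
    </PluginConfig>
  </CachePlugin>
  <ThreadPlugin PluginClass="de.iiit.AccessServer.cachemanager.CacheManager">
    <PluginConfig ReplicationFile="/var/lib/ldap/replication.log" RefreshInterval="10" Md5PatternLength="1">
      <JdbcDriver ClassName="com.mysql.jdbc.Driver" />
      <AdminDatabase Url="jdbc:mysql://wuppi/AccessServerAdmin" UserName="checker" Password="checker" Connections="5" />
      <CacheDatabase Url="jdbc:mysql://wuppi/AccessServerCache" UserName="checker" Password="checker" Connections="5" />
      <CacheDatabase Url="jdbc:mysql://jacomo/AccessServerCache" UserName="checker" Password="checker" Connections="5" />
    </PluginConfig>
  </ThreadPlugin>
</AccessServer>
"""

def children(elem, tag):
    """Sub-items named tag; names are compared case-insensitively, as the server does."""
    return [c for c in elem if c.tag.lower() == tag.lower()]

def attr(elem, name, default=""):
    """Attribute value, looked up case-insensitively."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return default

def plugins(root, kind, class_suffix):
    """<kind> items whose PluginClass ends with class_suffix."""
    return [p for p in children(root, kind) if attr(p, "PluginClass").endswith(class_suffix)]

def database_urls(plugin, tag):
    """Url values of the <tag> items inside the plug-in's PluginConfig, in file order."""
    return [attr(db, "Url") for cfg in children(plugin, "PluginConfig") for db in children(cfg, tag)]

def check_config(xml_text):
    """Return a list of findings; an empty list means the file passed every check."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag.lower() != "accessserver":
        return ["root item must be AccessServer, found %s" % root.tag]
    resolvers = children(root, "ResolverPlugin")
    if len(resolvers) != 1:
        findings.append("expected exactly one ResolverPlugin, found %d" % len(resolvers))
    ldap_configs = children(root, "LdapConfig")
    for res in resolvers:
        ldap_configs += children(res, "LdapConfig")
        if attr(res, "PluginClass").endswith("LdapResolver") and not ldap_configs:
            findings.append("LdapResolver configured but no LdapConfig item found")
    # Simple authentication with an empty principal is an anonymous bind, and an
    # ldap:// URL without a security protocol carries the bind in clear text.
    for ldap in ldap_configs:
        for srv in children(ldap, "server"):
            url = attr(srv, "java.naming.provider.url")
            if attr(srv, "java.naming.security.authentication") == "simple" and not attr(srv, "java.naming.security.principal"):
                findings.append("warning: %s binds anonymously (simple authentication, empty principal)" % url)
            if url.startswith("ldap://") and not attr(srv, "java.naming.security.protocol"):
                findings.append("warning: %s is used without a security protocol" % url)
    managers = plugins(root, "ThreadPlugin", "CacheManager")
    if len(managers) > 1:
        findings.append("more than one CacheManager configured")
    for mgr in managers:
        if len(database_urls(mgr, "AdminDatabase")) != 1:
            findings.append("CacheManager needs exactly one AdminDatabase")
        # The guide requires the same order in both places; definitions beyond the
        # needed number are ignored, so only the common prefix is compared.
        for cache in plugins(root, "CachePlugin", "DbCache"):
            pairs = zip(database_urls(cache, "CacheDatabase"), database_urls(mgr, "CacheDatabase"))
            for pos, (in_cache, in_mgr) in enumerate(pairs):
                if in_cache != in_mgr:
                    findings.append("CacheDatabase %d: DbCache has %s, CacheManager has %s" % (pos, in_cache, in_mgr))
                    break
    return findings

if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run against a real installation, the script would be pointed at the configuration file the server actually loads; the CacheDatabase comparison is the check that matters most, because a wrong order silently maps the cached items to the wrong database rather than failing at start-up.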
Most product names on our pages are registered trademarks of the trademark owners. Send mail with questions or comments regarding this web site to: webmaster@iiit.de

Copyright © 2001 - 2003 ingenieurbuero fuer innovative informationstechnik, Dipl.-Ing. Joerg Beckmann, Dortmund, Germany