3.2 Configuring the Repo Agent

3.2.1 Setting Up the Config Folder of Repo Agent

The $AuCoreRepoAgent/config folder contains the following files:

  • EXAMPLE1.repo

  • etc.nginx

You must rename EXAMPLE1.repo to the name of your repository.

For example, mv EXAMPLE1.repo/ FOCUS.repo

NOTE:The repo name must be the same as the NETBIOS name of the Active Directory.

Create the following three files in the FOCUS.repo:

  • cron.py: This file allows you to configure the LDAP synchronization.

    For example, the file contains the following format:

    import schedule, aurepa.scheduler as au
    run = au.run
    ###############################
    # Schedule, please customize
    schedule.every(10).minutes.do(run, command='aurepa.fast_sync')
    #schedule.every().saturday.at("00:15").do(run, command='aurepa.full_sync')
    # schedule.every(3).days.do(run, command='aurepa.full_sync')
    # Help: see https://schedule.readthedocs.io/en/stable/
    KILL_TIMEOUT_MINUTES = 60 * 4  # 4 hours, increase if your full sync may run longer
    # End schedule
    ################################
    # Do not change rest of the file
    au.kill_timeout_seconds = KILL_TIMEOUT_MINUTES * 60
    au.main_loop()
    print(f"This message must not appear. File {__name__} must run aurepa.scheduler.main_loop() forever")

  • repo.json: This file helps you configure the LDAP parameters.

    For example, the file contains the following format:

    {
        "user": "CN=Administrator,CN=Users,DC=focus,DC=com",
        "base_dn": "cn=users,dc=focus,dc=com",
        "password": "sample@12345",
        "ldap_type": 1,
        "ldap_type_help": "(1, 'AD'), (2, 'AD LDS'), (3, 'eDirectory'), (4, 'Other'). This field is ignored",
        "paged_enabled": true,
        "nested_enabled": true,
        "base_dn_one_level": false,
        "group_dn_one_level": false,
        "user_mail_attrs": ["mail", "otherMailbox"],
        "user_name_attrs": ["sAMAccountName", "userPrincipalName"],
        "group_name_attrs": ["sAMAccountName"],
        "user_lookup_attrs": ["sAMAccountName", "userPrincipalName"],
        "group_lookup_attrs": ["sAMAccountName"],
        "user_mobile_phone_attrs": ["mobile", "otherMobile"],
        "custom_attrs": ["info", "pager"],
        "servers": [
            {"name": "1.1.1.1", "port":389,"use_ssl": false},
            {"name": "1.1.1.4", "port":389,"use_ssl": false}
        ]
    }

    NOTE:With custom_attrs, it is possible to return any LDAP attribute from Active Directory. These attributes provide additional information that can be displayed on the RADIUS client if a corresponding RADIUS result specification rule exists in the Administration portal.

  • secret.json: This file configures the username and password that you must specify when creating an external repository on the Advanced Authentication server at Administration portal > Repositories > Add External repo.

    For example, the secret.json file contains the following format:

    {
      "user": "focus",
      "password": "focus"
    }
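A pre-flight check for a <REPO_NAME>.repo folder, added here as an example and not part of the Repo Agent itself: it applies the constraints stated in this section (the three required files present, no spaces in the repo name, the sample credentials from the listings above replaced) and flags servers configured with "use_ssl": false, because the bind password in repo.json then crosses the network over plaintext LDAP. The function names check_repo_folder, build_sample_repo and demo are chosen for this example; build_sample_repo constructs a folder holding the page's sample values so the check runs offline.

```python
import json
import tempfile
from pathlib import Path

# Sample credentials copied from this page's repo.json / secret.json listings
SAMPLE_PASSWORDS = {"sample@12345", "focus"}

def check_repo_folder(repo_dir: Path) -> list[str]:
    """Return findings for one $AuCoreRepoAgent/config/<REPO_NAME>.repo folder."""
    findings = []
    repo_name = repo_dir.name.removesuffix(".repo")
    if " " in repo_name:  # the agent fails to sync a repo whose name has spaces
        findings.append(f"{repo_name!r}: repo name contains spaces")
    for fname in ("cron.py", "repo.json", "secret.json"):
        if not (repo_dir / fname).is_file():
            findings.append(f"{repo_name}: missing {fname}")
    if (repo_dir / "repo.json").is_file():
        cfg = json.loads((repo_dir / "repo.json").read_text())
        for key in ("user", "password", "base_dn", "servers"):
            if key not in cfg:
                findings.append(f"repo.json: missing key {key!r}")
        if cfg.get("password") in SAMPLE_PASSWORDS:
            findings.append("repo.json: LDAP bind password is the documentation sample")
        for srv in cfg.get("servers", []):
            if not srv.get("use_ssl", False):  # bind credentials would cross the wire in clear
                findings.append(f"repo.json: server {srv.get('name')} uses plaintext LDAP")
    if (repo_dir / "secret.json").is_file():
        sec = json.loads((repo_dir / "secret.json").read_text())
        if sec.get("password") in SAMPLE_PASSWORDS or sec.get("password") == sec.get("user"):
            findings.append("secret.json: password is the sample value or equals the username")
    return findings

def build_sample_repo(parent: Path, name: str = "FOCUS") -> Path:
    """Construct a <name>.repo folder holding the page's sample repo.json and secret.json."""
    repo_dir = parent / f"{name}.repo"
    repo_dir.mkdir(parents=True)
    (repo_dir / "cron.py").write_text("# stand-in for the page's cron.py\n")
    (repo_dir / "repo.json").write_text(json.dumps({
        "user": "CN=Administrator,CN=Users,DC=focus,DC=com",
        "base_dn": "cn=users,dc=focus,dc=com", "password": "sample@12345",
        "servers": [{"name": "1.1.1.1", "port": 389, "use_ssl": False},
                    {"name": "1.1.1.4", "port": 389, "use_ssl": False}]}))
    (repo_dir / "secret.json").write_text(json.dumps({"user": "focus", "password": "focus"}))
    return repo_dir

def demo(name: str = "FOCUS") -> list[str]:
    # Run the checks against the constructed sample folder in a temporary directory
    with tempfile.TemporaryDirectory() as tmp:
        return check_repo_folder(build_sample_repo(Path(tmp), name))
```

Run check_repo_folder against each real <REPO_NAME>.repo folder before starting the services; an empty list means none of the documented constraints is violated.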

3.2.2 Setting Up the Repo Agent for Certificates and Services

You must set up the Repo Agent for generating the self-signed certificates and docker-compose services.

  1. To generate a self-signed certificate, run the following command:

    export SSL_HOSTNAME=<host_server>

    ./setup_config_production.sh

    This generates the self-signed certificates, nginx.conf, and docker-compose files that are stored in the $AuCoreRepoAgent/config and $AuCoreRepoAgent/config/etc.nginx folders.

    A certificate is generated in the following format:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    NOTE:You must upload this certificate in the Administration portal > Repositories > Add External repo when creating an external repository on Advanced Authentication.

  2. If you want to upload your own CA certificate, you must place it as cert.pem in the etc.nginx folder before running the setup_config_production.sh file.

    NOTE:When SSL_HOSTNAME is not set and setup_config_production.sh is executed, the script picks up the custom certificate from the etc-config file and uses it for nginx. This also creates two files: docker-compose.yml and aurepa.ini.

3.2.3 Starting or Stopping the Services of the Repo Agent

Run the following command under the AuCoreRepoAgent directory to start the docker compose services of the Repo Agent:

./dockompose up -d

The services are started based on the number of repos that are configured. Typically, the Repo Agent starts three services for each repo: db, sync, and http.

For example, with FOCUS as the repository running in the Repo Agent, the following services are created, plus a single nginx service acting as the front web server:

  • config_nginx_1

  • config_FOCUS-aurepa-db_1

  • config_FOCUS-aurepa-http_1

  • config_FOCUS-aurepa-sync_1

To stop and remove the services of the Repo Agent, run the following command:

./dockompose down $* --remove-orphans

This cleans or removes the Repo Agent docker services from the host machine.

3.2.4 Syncing the Repository Data to the Repo Agent

To manually sync the data from the LDAP repositories, run the following command:

$AuCoreRepoAgent/run_sync.sh <REPO_NAME> [aurepa.fast_sync | aurepa.full_sync]

For example, to do a manual Fast sync for the FOCUS repository, run the following command:

$AuCoreRepoAgent/run_sync.sh FOCUS aurepa.fast_sync

Running $AuCoreRepoAgent/run_sync.sh FOCUS without a sync mode performs a full sync of the Repo Agent.

NOTE:The Repo Agent fails to sync data with Advanced Authentication when the Repo Name contains spaces.

You can perform the following to validate the syncing of repositories:

Checking the Repository LDAP Connectivity Before Syncing

Before syncing the repository data, run the following command to check the LDAP connectivity and print the users that will be synced:

$AuCoreRepoAgent/run_sync.sh <REPO_NAME> aurepa.print_ldap_users

For example, $AuCoreRepoAgent/run_sync.sh FOCUS aurepa.print_ldap_users

Checking Repository Information is Synced to the Repo Agent Database

To check that all user and group information has been synced to the Repo Agent database, run the following commands:

NOTE:Replace the REPO_NAME with the repo name provided in the $AuCoreRepoAgent/config directory.

For users:

docker exec config_<REPO_NAME>-aurepa-db_1 psql -U postgres -d aurepa -P pager=off -c "select count(lookup_names) from repa_user"

For groups:

docker exec config_<REPO_NAME>-aurepa-db_1 psql -U postgres -d aurepa -P pager=off -c "select count(lookup_names) from repa_group"

Cleaning the Repo Agent Database

To delete invalid user or group information from the Repo Agent database and clean the database without reconfiguring the Repo Agent, run the following command:

$AuCoreRepoAgent/run_sync.sh <REPO_NAME> aurepa.recreate_db

NOTE:After the cleanup, you must sync the data for the repositories again.

3.2.5 Creating an External Repository on Advanced Authentication

After you install and configure the Repo Agent, you must map the Repo Agent as the external repository on Advanced Authentication.

To add the external repository in Advanced Authentication:

  1. Open the Advanced Authentication Administration portal.

  2. Click Repositories > Add External repo.

  3. Specify the following details:

    • Name: Name of the repository.

      The name of the repository must be the same as the one defined in the Repo Agent.

      NOTE:Ensure that the repository name does not contain spaces.

    • Username: Name of the user using the repository.

    • Password: Password of the repository.

      NOTE:The Username and Password are defined in the secret.json file of the Repo Agent. For information about the secret.json file, see Setting Up the Config Folder of Repo Agent.

  4. Add the external repository server configurations:

    1. Click Add Server.

    2. Specify the IP address of the Repo Agent in Address.

    3. Specify the port number of the external repository server in Port. For example, 9443.

    4. Save the server credentials.

  5. Click Choose File to upload the CA certificate for the agent.

    This is the self-signed certificate cert.pem generated in the etc.nginx folder or your own CA certificate used during the configuration of the Repo Agent.

  6. Click Save.

NOTE:You can perform the synchronization of an external repository only from a Global Master server.

Checking Repository is Synced to the Advanced Authentication Database

After creating the external repository in the Advanced Authentication Administration portal and syncing it, validate that all user and group information has been synced by performing the following steps:

  1. Log in to the Advanced Authentication terminal.

  2. Run the following commands:

    • To check users:

      docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "select * from external_user"

    • To check groups:

      docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "select * from external_group"