To configure Repo Agent, perform the following:
The $AuCoreRepoAgent/config folder contains the following files:
EXAMPLE1.repo
etc.nginx
You must rename EXAMPLE1.repo to the repo name of your repository.
For example, mv EXAMPLE1.repo/ FOCUS.repo
NOTE:The repo name must be the same as the NetBIOS name of the Active Directory.
Create the following three files in the FOCUS.repo:
cron.py: This file allows you to configure the LDAP synchronization.
For example, the file contains the following format:
import schedule, aurepa.scheduler as au
run = au.run
###############################
# Schedule, please customize
schedule.every(10).minutes.do(run, command='aurepa.fast_sync')
#schedule.every().saturday.at("00:15").do(run, command='aurepa.full_sync')
# schedule.every(3).days.do(run, command='aurepa.full_sync')
# Help: see https://schedule.readthedocs.io/en/stable/
KILL_TIMEOUT_MINUTES = 60 * 4  # 4 hours, increase if your full sync may run longer
# End schedule
################################
# Do not change rest of the file
au.kill_timeout_seconds = KILL_TIMEOUT_MINUTES * 60
au.main_loop()
print(f"This message must not appear. File {__name__} must run aurepa.scheduler.main_loop() forever")
repo.json: This file helps you configure the LDAP parameters.
For example, the file contains the following format:
{
  "user": "CN=Administrator,CN=Users,DC=focus,DC=com",
  "base_dn": "cn=users,dc=focus,dc=com",
  "password": "sample@12345",
  "ldap_type": 1,
  "ldap_type_help": "(1, 'AD'), (2, 'AD LDS'), (3, 'eDirectory'), (4, 'Other'). This field is ignored",
  "paged_enabled": true,
  "nested_enabled": true,
  "base_dn_one_level": false,
  "group_dn_one_level": false,
  "user_mail_attrs": ["mail", "otherMailbox"],
  "user_name_attrs": ["sAMAccountName", "userPrincipalName"],
  "group_name_attrs": ["sAMAccountName"],
  "user_lookup_attrs": ["sAMAccountName", "userPrincipalName"],
  "group_lookup_attrs": ["sAMAccountName"],
  "user_mobile_phone_attrs": ["mobile", "otherMobile"],
  "custom_attrs": ["info", "pager"],
  "servers": [
    {"name": "1.1.1.1", "port": 389, "use_ssl": false},
    {"name": "1.1.1.4", "port": 389, "use_ssl": false}
  ]
}
NOTE:With custom_attrs, you can return any LDAP attribute from Active Directory. These attributes provide additional information that can be displayed on the RADIUS client if a corresponding RADIUS result specification rule exists in the Administration portal.
secret.json: This file helps you to configure the username and password that you must specify during the creation of an external repository in the Advanced Authentication server at Administration portal > Repositories > Add External repo.
For example, the secret.json file contains the following format:
{ "user": "focus", "password": "focus" }
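Because repo.json carries a bind DN and password and secret.json carries the credentials the Advanced Authentication server will present, it is worth checking both files before the FOCUS.repo folder goes live. The script below is an added example, not part of the Repo Agent: it reads the two files as text, checks the constraints this page states (no spaces in the repo name, server entries with name, port and use_ssl, a user and password in secret.json) and flags the settings a reviewer would question (use_ssl set to false, a password equal to the username). Treating every key of the repo.json sample above as required is an assumption of this example; the sample inputs are constructed to mirror the files shown on this page.

```python
import json

# Constructed sample inputs with the same layout as the repo.json and secret.json
# shown on this page (values are made up for this example).
SAMPLE_REPO_JSON = """{
  "user": "CN=Administrator,CN=Users,DC=focus,DC=com",
  "base_dn": "cn=users,dc=focus,dc=com",
  "password": "sample@12345",
  "ldap_type": 1,
  "paged_enabled": true,
  "nested_enabled": true,
  "base_dn_one_level": false,
  "group_dn_one_level": false,
  "user_mail_attrs": ["mail", "otherMailbox"],
  "user_name_attrs": ["sAMAccountName", "userPrincipalName"],
  "group_name_attrs": ["sAMAccountName"],
  "user_lookup_attrs": ["sAMAccountName", "userPrincipalName"],
  "group_lookup_attrs": ["sAMAccountName"],
  "user_mobile_phone_attrs": ["mobile", "otherMobile"],
  "custom_attrs": ["info", "pager"],
  "servers": [
    {"name": "1.1.1.1", "port": 389, "use_ssl": false},
    {"name": "1.1.1.4", "port": 389, "use_ssl": false}
  ]
}"""
SAMPLE_SECRET_JSON = '{"user": "focus", "password": "focus"}'

# Assumption of this example: every key of the page's repo.json sample (except the
# ldap_type fields, which the sample itself says are ignored) is treated as required.
REQUIRED_REPO_KEYS = {
    "user", "base_dn", "password", "paged_enabled", "nested_enabled",
    "base_dn_one_level", "group_dn_one_level", "user_mail_attrs", "user_name_attrs",
    "group_name_attrs", "user_lookup_attrs", "group_lookup_attrs",
    "user_mobile_phone_attrs", "custom_attrs", "servers",
}
LIST_KEYS = {k for k in REQUIRED_REPO_KEYS if k.endswith("_attrs")}


def check_repo_config(repo_name, repo_json_text, secret_json_text):
    """Return a list of (level, message) findings; level is 'error' or 'warning'."""
    findings = []
    # The page states that sync fails when the repo name contains spaces.
    if any(ch.isspace() for ch in repo_name):
        findings.append(("error", f"repo name {repo_name!r} contains whitespace; sync with Advanced Authentication fails"))
    try:
        cfg = json.loads(repo_json_text)
        secret = json.loads(secret_json_text)
    except json.JSONDecodeError as exc:
        return [("error", f"invalid JSON: {exc}")]
    for key in sorted(REQUIRED_REPO_KEYS - set(cfg)):
        findings.append(("error", f"repo.json: missing key {key!r}"))
    for key in sorted(LIST_KEYS & set(cfg)):
        if not isinstance(cfg[key], list) or not cfg[key]:
            findings.append(("error", f"repo.json: {key!r} must be a non-empty list of attribute names"))
    servers = cfg.get("servers", [])
    if not servers:
        findings.append(("error", "repo.json: no LDAP servers configured"))
    for srv in servers:
        for field in ("name", "port", "use_ssl"):
            if field not in srv:
                findings.append(("error", f"repo.json: server entry {srv!r} lacks {field!r}"))
        # Without TLS the bind DN and password in repo.json cross the network unprotected.
        if srv.get("use_ssl") is False:
            findings.append(("warning", f"repo.json: server {srv.get('name')}:{srv.get('port')} has use_ssl=false; LDAP traffic including the bind password is not protected by TLS"))
    for field in ("user", "password"):
        if not secret.get(field):
            findings.append(("error", f"secret.json: {field!r} missing or empty"))
    if secret.get("user") and secret.get("user") == secret.get("password"):
        findings.append(("warning", "secret.json: password equals the username; choose a distinct secret"))
    return findings


if __name__ == "__main__":
    for level, message in check_repo_config("FOCUS", SAMPLE_REPO_JSON, SAMPLE_SECRET_JSON):
        print(f"{level.upper():7} {message}")
```

To run it against a real folder, replace the two sample strings with the contents of FOCUS.repo/repo.json and FOCUS.repo/secret.json; the repo name argument is the folder name without the .repo suffix.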
You must set up the Repo Agent for generating the self-signed certificates and docker-compose services.
To generate a self-signed certificate, run the following command:
export SSL_HOSTNAME=<host_server>
./setup_config_production.sh
This generates the self-signed certificates, nginx.conf, and docker-compose files that are stored in the $AuCoreRepoAgent/config and $AuCoreRepoAgent/config/etc.nginx folders.
A certificate is generated in the following format:
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIJALEEogxd1k/tMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
BAYTAkVVMRkwFwYDVQQIDBBTZWxmLVNpZ25lZC1DZXJ0MQwwCgYDVQQKDANBQUYx
DzANBgNVBAsMBkF1UmVwYTETMBEGA1UEAwwKMTAuNzEuMzIuOTAeFw0xOTAyMTQx
MjQwMjRaFw0yOTAyMTExMjQwMjRaMFwxCzAJBgNVBAYTAkVVMRkwFwYDVQQIDBBT
ZWxmLVNpZ25lZC1DZXJ0MQwwCgYDVQQKDANBQUYxDzANBgNVBAsMBkF1UmVwYTET
MBEGA1UEAwwKMTAuNzEuMzIuOTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJS1vqBE+2jp8KVpJQAI0dg0mRlp/ovzv52CNswgatfdJD/UzK/sr7fEnFY/
m4C6NZkAscq3zzot+VfoINAQduC6apYj75mrQ7hd8yhjmqsFwIuF/CG9VOOrxNbr
hQmnsSyfPqYUnD8LCrieQz2U9mQa2TFhExCjkcqJ32M8Q8SKb11pdtfmWdvn8HsS
1FarqmbhJxNWlYXVVr1XEw/epTTJrlalo+2DEXFMyjTJ5ihliqW8fQ47Gg2piPGN
3BfE1Xs0ZLxLI0qeXXcr7g6rLWb8BJLCIe4k9DIDMeSyY3Wt5GZsBW2PtJZc5tQq
0xLl+H/kT+KnzZGUx4RfDah0B0MCAwEAAaNTMFEwHQYDVR0OBBYEFGCay3xXKyZd
2KAG7+46+9HxcGa0MB8GA1UdIwQYMBaAFGCay3xXKyZd2KAG7+46+9HxcGa0MA8G
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADaQS7X9OE/rIm84pCL8
fBCNelyV1DfdQJk1ZzaIg+QLzLXIHm7pXEjIRqEIVJqIZkdFj4gHdvHxekfZtAX/
lbVkx3ci6BzjKU/V0oRUxAbwnkU5YIaoklJu9tV/TT2vcynMAV/6o/GLBb29sY0L
kdScWof5XT4L0+AZvzTFcxfR4ztPCKeIgLswAVdsYaDpw6o45FrJgN+IjKgF+Ge+
WOTRQjFjiHn2IUBnJLEePg1bs9a25bpO4pqz0wGxyLhXwGUV/6hDGtOI3hxu1kmA
En+tmxEAasxarjbtXE765KzYfrEgKxoHJUiEKE7KatSIg9REM/oKi4JbhUpQlRsf
aLI=
-----END CERTIFICATE-----
NOTE:You must upload this certificate in the Administration portal > Repositories > Add External repo while creating an external repository on Advanced Authentication.
If you want to upload your own CA certificate, you must place it as cert.pem in the etc.nginx folder before running the setup_config_production.sh file.
NOTE:When SSL_HOSTNAME is not set and setup_config_production.sh is executed, the script picks up the custom certificate from the etc-config file and uses it for nginx. The script also creates two files: docker-compose.yml and aurepa.ini.
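Before uploading cert.pem to the Administration portal, whether it is the generated self-signed certificate or your own CA certificate, it is worth confirming that the file is the one you expect. The script below is an added example and is not part of the Repo Agent or its setup scripts. It parses the PEM with a minimal DER walker from the Python standard library (no third-party X.509 library needed), reports the validity period, whether issuer and subject are identical (the shape of a self-signed certificate; this is not a signature check), and the SHA-256 fingerprint, which you can compare with the output of openssl x509 -noout -fingerprint -sha256 -in cert.pem. The certificate printed above is embedded as sample input; the now_utc parameter and the function names are this example's own.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

# The self-signed certificate printed on this page, used here as sample input.
PAGE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIJALEEogxd1k/tMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
BAYTAkVVMRkwFwYDVQQIDBBTZWxmLVNpZ25lZC1DZXJ0MQwwCgYDVQQKDANBQUYx
DzANBgNVBAsMBkF1UmVwYTETMBEGA1UEAwwKMTAuNzEuMzIuOTAeFw0xOTAyMTQx
MjQwMjRaFw0yOTAyMTExMjQwMjRaMFwxCzAJBgNVBAYTAkVVMRkwFwYDVQQIDBBT
ZWxmLVNpZ25lZC1DZXJ0MQwwCgYDVQQKDANBQUYxDzANBgNVBAsMBkF1UmVwYTET
MBEGA1UEAwwKMTAuNzEuMzIuOTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJS1vqBE+2jp8KVpJQAI0dg0mRlp/ovzv52CNswgatfdJD/UzK/sr7fEnFY/
m4C6NZkAscq3zzot+VfoINAQduC6apYj75mrQ7hd8yhjmqsFwIuF/CG9VOOrxNbr
hQmnsSyfPqYUnD8LCrieQz2U9mQa2TFhExCjkcqJ32M8Q8SKb11pdtfmWdvn8HsS
1FarqmbhJxNWlYXVVr1XEw/epTTJrlalo+2DEXFMyjTJ5ihliqW8fQ47Gg2piPGN
3BfE1Xs0ZLxLI0qeXXcr7g6rLWb8BJLCIe4k9DIDMeSyY3Wt5GZsBW2PtJZc5tQq
0xLl+H/kT+KnzZGUx4RfDah0B0MCAwEAAaNTMFEwHQYDVR0OBBYEFGCay3xXKyZd
2KAG7+46+9HxcGa0MB8GA1UdIwQYMBaAFGCay3xXKyZd2KAG7+46+9HxcGa0MA8G
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADaQS7X9OE/rIm84pCL8
fBCNelyV1DfdQJk1ZzaIg+QLzLXIHm7pXEjIRqEIVJqIZkdFj4gHdvHxekfZtAX/
lbVkx3ci6BzjKU/V0oRUxAbwnkU5YIaoklJu9tV/TT2vcynMAV/6o/GLBb29sY0L
kdScWof5XT4L0+AZvzTFcxfR4ztPCKeIgLswAVdsYaDpw6o45FrJgN+IjKgF+Ge+
WOTRQjFjiHn2IUBnJLEePg1bs9a25bpO4pqz0wGxyLhXwGUV/6hDGtOI3hxu1kmA
En+tmxEAasxarjbtXE765KzYfrEgKxoHJUiEKE7KatSIg9REM/oKi4JbhUpQlRsf
aLI=
-----END CERTIFICATE-----"""


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """Decode a Validity time: tag 0x17 is UTCTime (YYMMDD...), 0x18 is GeneralizedTime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_cert(pem, now_utc=None):
    """Summarise a PEM certificate; now_utc is an optional 'YYYY-MM-DD' reference date."""
    der = pem_to_der(pem)
    _, cert_body, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = children(children(cert_body)[0][1])  # children of tbsCertificate
    if fields[0][0] == 0xA0:                      # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    (nb_tag, nb), (na_tag, na) = children(validity)
    not_before, not_after = parse_time(nb_tag, nb), parse_time(na_tag, na)
    if now_utc:
        now = datetime.strptime(now_utc, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    else:
        now = datetime.now(timezone.utc)
    digest = hashlib.sha256(der).digest()
    return {
        "self_signed": issuer == subject,         # name match only, not a signature check
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "currently_valid": not_before <= now <= not_after,
        "sha256_fingerprint": ":".join(f"{b:02X}" for b in digest),
    }


if __name__ == "__main__":
    for key, value in inspect_cert(PAGE_CERT_PEM).items():
        print(f"{key}: {value}")
```

To check the file you are about to upload, replace PAGE_CERT_PEM with the contents of etc.nginx/cert.pem; a fingerprint that differs from what the Repo Agent's nginx presents on port 9443 means the portal would be pinned to the wrong certificate.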
Run the following command under the AuCoreRepoAgent directory to start the docker compose services of the Repo Agent:
./dockompose up -d
Based on the number of repos that are configured, the services are started. Typically, for each repo, the Repo Agent starts three services: db, sync, and http.
The following services are created for FOCUS, which is a repository running in the Repo Agent and one single nginx service as a front web-server:
config_nginx_1
config_FOCUS-aurepa-db_1
config_FOCUS-aurepa-http_1
config_FOCUS-aurepa-sync_1
To stop and remove the services of the Repo Agent, run the following command:
./dockompose down $* --remove-orphans
This cleans or removes the Repo Agent docker services from the host machine.
To manually sync the data from the LDAP repositories, run the following command:
$AuCoreRepoAgent/run_sync.sh <REPO_NAME> [aurepa.fast_sync | aurepa.full_sync]
For example, to do a manual Fast sync for the FOCUS repository, run the following command:
$AuCoreRepoAgent/run_sync.sh FOCUS aurepa.fast_sync
$AuCoreRepoAgent/run_sync.sh FOCUS performs a full sync of the Repo Agent.
NOTE:The Repo Agent fails to sync data with Advanced Authentication when the Repo Name contains spaces.
You can perform the following to validate the syncing of repositories:
Before syncing the repository data, to check the LDAP connectivity and print the users to be synced, run the following command:
$AuCoreRepoAgent/run_sync.sh <REPO_NAME> aurepa.print_ldap_users
For example, $AuCoreRepoAgent/run_sync.sh FOCUS aurepa.print_ldap_users
To check that all user and group information has been synced to the Repo Agent database, run the following commands:
NOTE:Replace the REPO_NAME with the repo name provided in the $AuCoreRepoAgent/config directory.
For users:
docker exec config_<REPO_NAME>-aurepa-db_1 psql -U postgres -d aurepa -P pager=off -c "select count(lookup_names) from repa_user"
For groups:
docker exec config_<REPO_NAME>-aurepa-db_1 psql -U postgres -d aurepa -P pager=off -c "select count(lookup_names) from repa_group"
To delete invalid user or group information from the Repo Agent database and clean the database without reconfiguring the Repo Agent, run the following command:
$AuCoreRepoAgent/run_sync.sh <REPO_NAME> aurepa.recreate_db
NOTE:After the cleanup, you must sync the data for the repositories again.
After you install and configure the Repo Agent, you must map the Repo Agent as the external repository on Advanced Authentication.
To add the external repository in Advanced Authentication:
Open the Advanced Authentication Administration portal.
Click Repositories > Add External repo.
Specify the following details:
Name: Name of the repository.
Name of the repository must be the same as what is defined in the Repo Agent.
NOTE:Ensure that the repository name does not contain spaces.
Username: Name of the user using the repository.
Password: Password of the repository.
NOTE:The Username and Password are defined in the secret.json file of the Repo Agent. For information about the secret.json file, see Setting Up the Config Folder of Repo Agent.
Add the external repository server configurations:
Click Add Server.
Specify the IP address of the Repo Agent in Address.
Specify the port number of the external repository server in Port. For example, 9443.
Save the server credentials.
Click Choose File to upload the CA certificate for the agent.
This is the self-signed certificate cert.pem generated in the etc.nginx folder or your own CA certificate used during the configuration of the Repo Agent.
Click Save.
NOTE:You can perform the synchronization of an external repository only from a Global Master server.
After creating the external repository in the Advanced Authentication Administration portal and syncing, perform the following steps to validate whether all user and group information has been synced:
Log in to the Advanced Authentication terminal.
Run the following commands:
To check users:
docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "select * from external_user"
To check groups:
docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "select * from external_group"