Make Changes to set LDAP and Certificate authorities using environment

variables that are set up in dm.deploy.conf or dm_dev.deploy.conf

doc/Installation/APSDeveloperInstallation.md

@@ -42,6 +42,8 @@ An example of setting up the Data Management system for a developer is described
 
  - Change directory to the root of the Data Management components
 
+ - Note some configuration can be changed before processing the as discussed below.  There are two files **dm_dev.deploy.conf** and **dm.deploy.conf** which define some environment variables used in the scripts used to install & configure.  For the test deployment, **dm_dev.deploy.conf** is used.
+
 > cd ../dev
 
  - Execute the dm/_deploy/_test/_system.sh file in the sbin directory

etc/aps-db-web-service.conf.template

@@ -9,7 +9,7 @@ sslCaCertFile=DM_INSTALL_DIR/etc/ssl/cacert.pem
 principalRetriever=DbPrincipalRetriever()
 #principalRetriever=NoOpPrincipalRetriever()
 principalAuthenticator1=CryptedPasswordPrincipalAuthenticator()
-principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='ldaps://dmid-vm.xray.aps.anl.gov:636', dnFormat='uid=%%s,ou=people,o=aps.anl.gov,dc=aps,dc=anl,dc=gov')
+principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='LDAP_SERVER_URL', dnFormat='LDAP_DN_FORMAT')
 
 [BssClient]
 bssLoginFile=DM_INSTALL_DIR/etc/dmadmin.bss.login

etc/cat-web-service.conf.template

@@ -11,7 +11,7 @@ principalRetriever=dm.ds_web_service.service.auth.dsAuthPrincipalRetriever.DsAut
 #principalRetriever=DbPrincipalRetriever()
 #principalRetriever=NoOpPrincipalRetriever()
 principalAuthenticator1=CryptedPasswordPrincipalAuthenticator()
-principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='ldaps://phoebusldap.aps.anl.gov:636', dnFormat='uid=%%s,ou=people,o=aps.anl.gov,dc=aps,dc=anl,dc=gov')
+principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='LDAP_SERVER_URL', dnFormat='LDAP_DN_FORMAT')
 
 [MongoDbManager]
 mongoDbName=dm

etc/daq-web-service.conf.template

@@ -11,7 +11,7 @@ principalRetriever=dm.ds_web_service.service.auth.dsAuthPrincipalRetriever.DsAut
 #principalRetriever=DbPrincipalRetriever()
 #principalRetriever=NoOpPrincipalRetriever()
 principalAuthenticator1=CryptedPasswordPrincipalAuthenticator()
-principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='ldaps://phoebusldap.aps.anl.gov:636', dnFormat='uid=%%s,ou=people,o=aps.anl.gov,dc=aps,dc=anl,dc=gov')
+principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='LDAP_SERVER_URL', dnFormat='LDAP_DN_FORMAT')
 
 #[SingleSignOnManager]
 #sessionManager=dm.ds_web_service.service.auth.dsSessionManager.DsSessionManager()

etc/dm.deploy.conf

@@ -17,6 +17,10 @@ DM_APS_DB_WEB_SERVICE_URL=https://DM_HOSTNAME:11236
 DM_SOFTWARE_VERSION=dev
 LDAP_SERVER_URL='ldaps://dmid-vm.xray.aps.anl.gov:636'
 LDAP_DN_FORMAT='uid=%%s,ou=people,o=aps.anl.gov,dc=aps,dc=anl,dc=gov'
+LDAP_UTIL_ADMIN_DN='uid=DM_SYSTEM_UNIX_ACCOUNT,ou=People,o=aps.anl.gov,dc=aps,dc=anl,dc=gov'
+LDAP_UTIL_ADMIN_PASSWD_FILE='DM_INSTALL_DIR/etc/DM_SYSTEM_UNIX_ACCOUNT.ldap.passwd'
+LDAP_UTIL_GROUP_DN_FORMAT='cn=%%s,ou=DM,ou=Group,o=aps.anl.gov,dc=aps,dc=anl,dc=gov'
+LDAP_UTIL_MIN_GID_NUMBER=66000
 CA_ORG_NAME_0='Argonne National Laboratory'
 CA_ORG_NAME_1='Advanced Photon Source'
 CA_UNIT_NAME='XSD/SDM'

etc/dm_dev.deploy.conf

@@ -17,6 +17,10 @@ DM_APS_DB_WEB_SERVICE_URL=https://DM_HOSTNAME:11236
 DM_SOFTWARE_VERSION=2.2.2
 LDAP_SERVER_URL='ldaps://dmid-vm.xray.aps.anl.gov:636'
 LDAP_DN_FORMAT='uid=%%s,ou=people,o=aps.anl.gov,dc=aps,dc=anl,dc=gov'
+LDAP_UTIL_ADMIN_DN='uid=DM_SYSTEM_UNIX_ACCOUNT,ou=People,o=aps.anl.gov,dc=aps,dc=anl,dc=gov'
+LDAP_UTIL_ADMIN_PASSWD_FILE='DM_INSTALL_DIR/etc/DM_SYSTEM_UNIX_ACCOUNT.ldap.passwd'
+LDAP_UTIL_GROUP_DN_FORMAT='cn=%%s,ou=DM,ou=Group,o=aps.anl.gov,dc=aps,dc=anl,dc=gov'
+LDAP_UTIL_MIN_GID_NUMBER=66000
 CA_ORG_NAME_0='Argonne National Laboratory'
 CA_ORG_NAME_1='Advanced Photon Source'
 CA_UNIT_NAME='XSD/SDM'

etc/ds-web-service.conf.template

@@ -9,7 +9,7 @@ sslCaCertFile=DM_INSTALL_DIR/etc/ssl/cacert.pem
 principalRetriever=DbPrincipalRetriever()
 #principalRetriever=NoOpPrincipalRetriever()
 principalAuthenticator1=CryptedPasswordPrincipalAuthenticator()
-principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='ldaps://dmid-vm.xray.aps.anl.gov:636', dnFormat='uid=%%s,ou=people,o=aps.anl.gov,dc=aps,dc=anl,dc=gov')
+principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='LDAP_SERVER_URL', dnFormat='LDAP_DN_FORMAT')
 
 [ExperimentManager]
 storageDirectory=DM_STORAGE_DIR
@@ -18,7 +18,7 @@ recycleDirectory=DM_STORAGE_DIR/recycle
 storageId=extrepid
 manageStoragePermissions=True
 #platformUtility=dm.common.utility.linuxUtility.LinuxUtility()
-platformUtility=dm.common.utility.ldapLinuxPlatformUtility.LdapLinuxPlatformUtility('ldaps://dmid-vm.xray.aps.anl.gov:636', 'uid=DM_SYSTEM_UNIX_ACCOUNT,ou=People,o=aps.anl.gov,dc=aps,dc=anl,dc=gov', 'DM_INSTALL_DIR/etc/DM_SYSTEM_UNIX_ACCOUNT.ldap.passwd', groupDnFormat='cn=%%s,ou=DM,ou=Group,o=aps.anl.gov,dc=aps,dc=anl,dc=gov', minGidNumber=66000)
+platformUtility=dm.common.utility.ldapLinuxPlatformUtility.LdapLinuxPlatformUtility(LDAP_SERVER_URL, 'LDAP_UTIL_ADMIN_DN', 'LDAP_UTIL_ADMIN_PASSWD_FILE', groupDnFormat='LDAP_UTIL_GROUP_DN_FORMAT', minGidNumber=LDAP_UTIL_MIN_GID_NUMBER)
 
 [LdapLinuxPlatformUtility]
 refreshAuthFilesCommand=

etc/proc-web-service.conf.template

@@ -11,7 +11,7 @@ principalRetriever=dm.ds_web_service.service.auth.dsAuthPrincipalRetriever.DsAut
 #principalRetriever=DbPrincipalRetriever()
 #principalRetriever=NoOpPrincipalRetriever()
 principalAuthenticator1=CryptedPasswordPrincipalAuthenticator()
-principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='ldaps://phoebusldap.aps.anl.gov:636', dnFormat='uid=%%s,ou=people,o=aps.anl.gov,dc=aps,dc=anl,dc=gov')
+principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='LDAP_SERVER_URL', dnFormat='LDAP_DN_FORMAT')
 
 [ExecutionEngine]
 nExecutionThreads=3

sbin/dm_deploy_aps_db_web_service.sh

@@ -141,8 +141,8 @@ if [ ! -f $DM_WEB_SERVICE_CONFIG_FILE ]; then
         | sed 's?DM_DS_WEB_SERVICE_URL?$DM_DS_WEB_SERVICE_URL?g' \
         | sed 's?DM_HOSTNAME?$DM_HOSTNAME?g' \
         | sed 's?DM_DB_NAME?$DM_DB_NAME?g' \
-        | sed 's?LDAP_SERVER_URL?LDAP_SERVER_URL?g' \
-        | sed 's?LDAP_DN_FORMAT?LDAP_DN_FORMAT?g' \
+        | sed 's?LDAP_SERVER_URL?$LDAP_SERVER_URL?g' \
+        | sed 's?LDAP_DN_FORMAT?$LDAP_DN_FORMAT?g' \
         > $DM_WEB_SERVICE_CONFIG_FILE"
     eval $cmd || exit 1
 else

sbin/dm_deploy_cat_web_service.sh

+pwd
 #!/bin/sh
 
 #
@@ -149,8 +150,8 @@ if [ ! -f $DM_WEB_SERVICE_CONFIG_FILE ]; then
         | sed 's?DM_HOSTNAME?$DM_HOSTNAME?g' \
         | sed 's?DM_DB_NAME?$DM_DB_NAME?g' \
         | sed 's?DM_STATION_NAME?$DM_CAT_STATION_NAME?g' \
-        | sed 's?LDAP_SERVER_URL?LDAP_SERVER_URL?g' \
-        | sed 's?LDAP_DN_FORMAT?LDAP_DN_FORMAT?g' \
+        | sed 's?LDAP_SERVER_URL?$LDAP_SERVER_URL?g' \
+        | sed 's?LDAP_DN_FORMAT?$LDAP_DN_FORMAT?g' \
         > $DM_WEB_SERVICE_CONFIG_FILE"
     eval $cmd || exit 1
 else

sbin/dm_deploy_daq_web_service.sh

@@ -149,8 +149,8 @@ if [ ! -f $DM_WEB_SERVICE_CONFIG_FILE ]; then
         | sed 's?DM_HOSTNAME?$DM_HOSTNAME?g' \
         | sed 's?DM_DB_NAME?$DM_DB_NAME?g' \
         | sed 's?DM_STATION_NAME?$DM_DAQ_STATION_NAME?g' \
-        | sed 's?LDAP_SERVER_URL?LDAP_SERVER_URL?g' \
-        | sed 's?LDAP_DN_FORMAT?LDAP_DN_FORMAT?g' \
+        | sed 's?LDAP_SERVER_URL?$LDAP_SERVER_URL?g' \
+        | sed 's?LDAP_DN_FORMAT?$LDAP_DN_FORMAT?g' \
         > $DM_WEB_SERVICE_CONFIG_FILE"
     eval $cmd || exit 1
 else

sbin/dm_deploy_ds_web_service.sh

@@ -121,19 +121,26 @@ mkdir -p $DM_STORAGE_DIR || exit 1
 echo "Checking service configuration file"
 if [ ! -f $DM_WEB_SERVICE_CONFIG_FILE ]; then
     echo "Generating service config file"
+    # Note that order matters here.  Some bits of LDAP_UTIL_... need further substitution 
+    # from DM_SYSTEM_UNIX_ACCOUNT & DM_INSTALL_DIR which must come after the LDAP_UTIL...
+    # substitutions
     cmd="cat $DM_ROOT_DIR/etc/$DM_WEB_SERVICE_DAEMON.conf.template \
         | sed 's?servicePort=.*?servicePort=$DM_DS_WEB_SERVICE_PORT?g' \
         | sed 's?sslCaCertFile=.*?sslCaCertFile=$DM_CA_CERT_FILE?g' \
         | sed 's?sslCertFile=.*?sslCertFile=$DM_WEB_SERVICE_CERT_FILE?g' \
         | sed 's?sslKeyFile=.*?sslKeyFile=$DM_WEB_SERVICE_KEY_FILE?g' \
         | sed 's?handler=TimedRotatingFileLoggingHandler.*?handler=TimedRotatingFileLoggingHandler(\"$DM_WEB_SERVICE_LOG_FILE\")?g' \
+        | sed 's?LDAP_UTIL_ADMIN_DN?$LDAP_UTIL_ADMIN_DN?g \
+        | sed 's?LDAP_UTIL_UTIL_ADMIN_PASSWD_FILE?$LDAP_UTIL_ADMIN_PASSWD_FILE?g' \
+        | sed 's?LDAP_UTIL_GROUP_DN_FORMAT?$LDAP_UTIL_GROUP_DN_FORMAT?g' \
+        | sed 's?LDAP_UTIL_MIN_GID_NUMBER?$LDAP_UTIL_MIN_GID_NUMBER?g' \
         | sed 's?DM_STORAGE_DIR?$DM_STORAGE_DIR?g' \
         | sed 's?DM_INSTALL_DIR?$DM_INSTALL_DIR?g' \
         | sed 's?DM_HOSTNAME?$DM_HOSTNAME?g' \
         | sed 's?DM_DB_NAME?$DM_DB_NAME?g' \
         | sed 's?DM_SYSTEM_UNIX_ACCOUNT?$DM_SYSTEM_UNIX_ACCOUNT?g' \
-        | sed 's?LDAP_SERVER_URL?LDAP_SERVER_URL?g' \
-        | sed 's?LDAP_DN_FORMAT?LDAP_DN_FORMAT?g' \
+        | sed 's?LDAP_SERVER_URL?$LDAP_SERVER_URL?g' \
+        | sed 's?LDAP_DN_FORMAT?$LDAP_DN_FORMAT?g' \
         > $DM_WEB_SERVICE_CONFIG_FILE"
     eval $cmd || exit 1
 else

sbin/dm_deploy_proc_web_service.sh

@@ -149,8 +149,8 @@ if [ ! -f $DM_WEB_SERVICE_CONFIG_FILE ]; then
         | sed 's?DM_HOSTNAME?$DM_HOSTNAME?g' \
         | sed 's?DM_DB_NAME?$DM_DB_NAME?g' \
         | sed 's?DM_STATION_NAME?$DM_PROC_STATION_NAME?g' \
-        | sed 's?LDAP_SERVER_URL?LDAP_SERVER_URL?g' \
-        | sed 's?LDAP_DN_FORMAT?LDAP_DN_FORMAT?g' \
+        | sed 's?LDAP_SERVER_URL?$LDAP_SERVER_URL?g' \
+        | sed 's?LDAP_DN_FORMAT?$LDAP_DN_FORMAT?g' \
         > $DM_WEB_SERVICE_CONFIG_FILE"
     eval $cmd || exit 1
 else