dbiproxy.html,v 1.10 2007/01/11 15:58:02 timc Exp

Client and Server Configuration for the DICE Account Management Tools

Operational Guide

• Client Configuration
  

  For a client to use the DICE Account Management Tools its profile needs to include the header dice/options/infdb-client.h. After adding this header run om updaterpms run to install additional packages.

  The packages installed do not themselves include the necessary channel encryption key. For security reasons this must be manually added. First acquire the key value from the server as below:

  1. Login to the server: ssh infdb
  2. Become root: nsu
  3. Take a copy of the channel encryption key value (between the double quotes) which can be obtained by running this command: egrep "^.key" /var/lcfg/conf/dbiproxy/dbiproxy.conf
  4. Logout from the server

  Now insert this value into the right place on the client:

  1. Become root: nsu
  2. Edit /usr/lib/perl5/site_perl/5.8.8/DICE/AccountManager/Infdb/Key.pm and replace the NOT INSTALLED string between double quotes with the key value copied above and as directed by instructions in the file itself.
• Server Configuration
  

  The server must be configured to permit access for the client and for one or more specific users from that client. To do this you need to edit the configuration file live/infdb-dbiproxy.h using the normal Subversion procedure. Add a line like below:

  _DBIPROXY_ADD(HOSTNAME,USERNAME)

  where HOSTNAME is the hostname of the client and USERNAME is a space separated list of users that need to use the DICE Account Management Tools from the client. See the existing entries in the header file for more examples of usage.

  Once the LCFG compiler has rebuilt the profile the DBIProxy daemon on the server must be restarted. Note that while this normally will only take a few seconds and can be done without notice it means that anyone using the DICE Account Management Tools at the point of restart may get a failure message. To restart the daemon:

  1. Login to the server: ssh infdb
  2. Restart the daemon: om dbiproxy restart

  You can check the configuration of the DBI Proxy server to confirm that the client and users have been correctly added by looking at /var/lcfg/conf/dbiproxy/dbiproxy.conf as root.

• Miscellania
  

  Removing any of the _DBIPROXY_ADD definitions from the live/infdb-dbiproxy.h header will prevent access to the server for the named client and users - the entries should be checked whenever a machine including the dice/options/infdb-client.h header is re-deployed and/or re-purposed in case any updates are necessary.

  The live/infdb-dbiproxy.h header includes a macro definition called FRONTLINE_SUPPORT. This explicitly lists the username for each member of the Frontline Support Team. It makes it simpler to configure all the machines in support offices to allow any CSO to use DICE Account Management Tools on them. It is necessary to manually update this macro definition as and when CSO staff change.

 : Units : Research_and_teaching : Documentation 

Please contact us with any comments or corrections. Unless explicitly stated otherwise, all material is copyright The University of Edinburgh