/ - Diff - DjNRO - Greek Research and Technology Network's projects

Revision afd2a174

     DjNRO = Django + NRO (Django National Roaming Operator or how to manage your eduroam database)
     ## About
     In the [eduroam](http://www.eduroam.org) world, NRO stands for National Roaming Operator.
     Maintaining and managing a local eduroam database is quite an important responsibility of an eduroam NRO.
     eduroam.org periodically polls and gathers information from all participating domains.
     Information is provided upstream, in a structured way (XML format) and consists of participating institutions' data, location data along with monitoring data - though provisioning of monitoring data has been superseeded by the f-Ticks mechanism.
     The source of information should be the local eduroam database. So, changes to the database should be reflected to the XML files.
     New eduroam locations, changes in contacts and information about each location should be up-to-date so as to ease the eduroam usage and assist eduroam users whenever they need support.
     DjNRO is a Django platform that eases the management process of a National Roaming Operator. DjNRO complies with the [eduroam database](http://monitor.eduroam.org/database.php) and the eduroam XSDs.
     Thus, apart from domain management, it can generate the necessary xml files for eduroam.org monitoring.
     DjNRO is more than keeping eduroam.org updated with data.
     In essence it is a distributed management application. It is distributed in the sense that information about each institution locations and services is kept up-to-date by each local eduroam administrator. Keeping in pace with eduroam's federated nature, our implementation uses federated authentication/authorisation mechanisms, namely Shibboleth.
     In case Shibboleth is not an option for an institution, a social media auth mechanism comes in handy. The local institution eduroam administrators can become DjNRO admins. Local eduroam administrators register to the platform via Shibboleth or social media auth. The NRO's responsibility is to activate their accounts.
     From then on they can manage their eduroam locations, contact points and institution information. The administrative interface especially the locations management part, is heavily implemented with Google Maps. This makes editing easier, faster and accurate.
     Installation and customization is fairly easy and is described in the following sections.
     Currently the source code is availiable at code.grnet.gr and github and can be cloned via git::
         git clone https://code.grnet.gr/git/djnro
         git clone https://github.com/grnet/djnro.git
     The Greek eduroam webpage is a living example of DjNRO: `eduroam|gr <http://www.eduroam.gr>`_
     ## Features
     * Allow your local eduroam admins to edit their local eduroam data (AP locations, server params, etc)
     * Visualize the information via Google Maps
     * Eduroam world maps overview via daily update on eduroam.org KML file
     * Find your closest eduroam in the world
     * **New** Allow for eduroam CAT institution enrollments
     * **New** Extract contact info for mailing list creation
     * **New** Server monitoring data
     * **New** Pebble watch app with closest eduroam walking instrunctions
     Bootstrap 3 CSS framework with responsive design makes it work on every device

     # Installation/Configuration
     First of all you have to install all the packages described in `requirements`
     section
     The software is published at [github](https://github.com/grnet/djnro) and can be downloaded using git:
     	git clone https://github.com/grnet/djnro
     ## Project & Local Settings
     **In version 0.9 settings were split in two parts: settings.py and local_settings.py**
     The file settings.py contains settings distributed by the project, which should normally not be necessary to modify.
     Options specific to the particular installation must be configured in local_settings.py. This file must be created by copying local_settings.py.dist:
         cd djnro
         cp djnro/local_settings.py.dist djnro/local_settings.py
     The following variables/settings need to be altered or set:
     Set Admin contacts::
     	ADMINS = (
     	     ('Admin', 'admin@example.com'),
+    	)
     Set the database connection params:
     	DATABASES = {
     	    ...
+    	}
     For a production instance and once DEBUG is set to False set the ALLOWED_HOSTS:
         ALLOWED_HOSTS = ['.example.com']
         SECRET_KEY = '<put something really random here, eg. %$#%@#$^2312351345#$%3452345@#$%@#$234#@$hhzdavfsdcFDGVFSDGhn>'
     Django social auth needs changes in the Extra Authentication Backends depending on which social auth you want to enable:
     	EXTRA_AUTHENTICATION_BACKENDS = (
     	    'djnro.djangobackends.shibauthBackend.shibauthBackend',
     		...
     		'django.contrib.auth.backends.ModelBackend',
+    	)
     **The default Authentication Backends are in settings.py**
     As the application includes a "Nearest eduroam" functionality, global eduroam service locations are harvested from the KML file published at eduroam.org::
     	EDUROAM_KML_URL = 'http://monitor.eduroam.org/kml/all.kml'
     Depending on your AAI policy set an appropriate authEntitlement::
     	SHIB_AUTH_ENTITLEMENT = 'urn:mace:example.com:pki:user'
     Mail server parameters::
     	SERVER_EMAIL = "Example domain eduroam Service <noreply@example.com>"
     	EMAIL_SUBJECT_PREFIX = "[eduroam] "
     NRO contact mails::
     	NOTIFY_ADMIN_MAILS = ["mail1@example.com", "mail2@example.com"]
     Set your cache backend (if you want to use one). For production instances you can go with memcached. For development you can keep the provided dummy instance::
         CACHES = {
             'default': {
                 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
                 'LOCATION': '127.0.0.1:11211',
+            }
+        }
     NRO specific parameters. These affect HTML templates::
     	# Frontend country specific vars, eg. Greece
     	NRO_COUNTRY_NAME = _('My Country')
     	# Variable used by context_processor to display the "eduroam | <country_code>" in base.html
     	NRO_COUNTRY_CODE = 'gr'
     	# main domain url used in right top icon, eg. http://www.grnet.gr
     	NRO_DOMAIN_MAIN_URL = "http://www.example.com"
     	# provider info for footer
     	NRO_PROV_BY_DICT = {"name": "EXAMPLE DEV TEAM", "url": "http://devteam.example.com"}
     	#NRO social media contact (Use: // to preserve https)
     	NRO_PROV_SOCIAL_MEDIA_CONTACT = [
     	                                {"url":"//soc.media.url", "icon":"icon.png", "name":"NAME1(eg. Facebook)"},
     	                                {"url":"//soc.media.url", "icon":"icon.png",  "name":"NAME2(eg. Twitter)"},
+    	                                ]
     	# map center (lat, lng)
     	MAP_CENTER = (36.97, 23.71)
     	#Helpdesk, used in base.html:
     	NRO_DOMAIN_HELPDESK_DICT = {"name": _("Domain Helpdesk"), 'email':'helpdesk@example.com', 'phone': '12324567890', 'uri': 'helpdesk.example.com'}
     Set the Realm country for REALM model::
     	#Countries for Realm model:
     	REALM_COUNTRIES = (
     	             ('country_2letters', 'Country' ),
+    	            )
     Attribute map to match your AAI policy and SSO software (typically Shibboleth SP)::
     	#Shibboleth attribute map
     	SHIB_USERNAME = ['HTTP_EPPN']
     	SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
     	SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
     	SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
     	SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
     Django Social Auth parameters:
     	SOCIAL_AUTH_TWITTER_KEY = ''
     	SOCIAL_AUTH_TWITTER_SECRET = ''
     	SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = ''
     	SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = ' '
     	SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = []
     DjNRO provides limited integration with eduroam CAT (Configuration Assistant Tool). Institution administrators can automatically provision their institution to CAT without the intervention of the federation (NRO) administrator.
     In order to enable this functionality, you must list at least one instance and the corresponding description in CAT_INSTANCES. Beware that pages accessible by end users currently only show CAT information
     for the instance named `production`.
     You must also set the following parameters for each CAT instance in CAT_AUTH:
     * CAT_API_KEY: API key for authentication to CAT
     * CAT_API_URL: API endpoint URL
     * CAT_PROFILES_URL: Base URL for Intitution Download Area pages
     * CAT_FEDMGMT_URL: URL For Federation Overview page (currently not in use)
     ::
         CAT_INSTANCES = (
             ('production', 'cat.eduroam.org'),
             ('testing', 'cat-test.eduroam.org'),
+        )
         CAT_AUTH = {
             'production': {
                 "CAT_API_KEY": "<provided API key>",
                 "CAT_API_URL": "https://cat.eduroam.org/admin/API.php",
                 "CAT_PROFILES_URL": "https://cat.eduroam.org/",
                 "CAT_FEDMGMT_URL": "https://cat.eduroam.org/admin/overview_federation.php"
             },
             'testing': {
                 "CAT_API_KEY": "<provided API key>",
                 "CAT_API_URL": "https://cat-test.eduroam.org/test/admin/API.php",
                 "CAT_PROFILES_URL": "https://cat-test.eduroam.org/test",
                 "CAT_FEDMGMT_URL": "https://cat-test.eduroam.org/test/admin/overview_federation.php"
             },
+        }
     For more information about eduroam CAT, you may read: [A guide to eduroam CAT for federation administrators](https://confluence.terena.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+federation+administrators).
     ### Extra Apps
     In case one wants to extend some of the settings only for the local instance, they can prepend *EXTRA_* on the attribute they want to extend. For example:
     	EXTRA_INSTALLED_APPS = (
     		'django_debug_toolbar',
+    	)
     ## Database Sync
     Once you are done with local_settings.py run:
     	./manage.py syncdb
     Create a superuser, it comes in handy. And then run south migration to complete::
     	./manage.py migrate
     Now you should have a clean database with all the tables created.
     ## Running the server
     We suggest using Apache and mod_wsgi. Below is an example configuration::
     	# Tune wsgi daemon as necessary: processes=x threads=y
     	WSGIDaemonProcess djnro display-name=%{GROUP} python-path=/path/to/djnro/
     	<VirtualHost *:443>
     		ServerName		example.com
     		Alias		/static	/path/to/djnro/static
     		WSGIScriptAlias	/	/path/to/djnro/djnro/wsgi.py
     		<Directory /path/to/djnro/djnro>
     			<Files wsgi.py>
     			    WSGIProcessGroup djnro
     			    Order deny,allow
     			    Allow from all
     			</Files>
     		</Directory>
     		SSLEngine on
     		SSLCertificateFile	...
     		SSLCertificateChainFile	...
     		SSLCertificateKeyFile	...
     		# Shibboleth SP configuration
     		ShibConfig	/etc/shibboleth/shibboleth2.xml
     		Alias		/shibboleth-sp	/usr/share/shibboleth
     		# SSO through Shibboleth SP:
     		<Location /login>
     			AuthType shibboleth
     			ShibRequireSession On
     			ShibUseHeaders On
     			require valid-user
     		</Location>
     		<Location /Shibboleth.sso>
     			SetHandler shib
     		</Location>
     	</VirtualHost>
     *Info*: It is strongly recommended to allow access to `/(admin|overview|alt-login)` *ONLY* from trusted subnets.
     Once you are done, restart apache.
     ## Fetch KML
     A Django management command, named fetch_kml, fetches the KML document and updates the cache with eduroam service locations. It is suggested to periodically run this command in a cron job in order to keep the map up to date::
     		./manage.py fetch_kml
     ## Initial Data
     In order to start using DjNRO you need to create a Realm record for your NRO along with one or more contacts linked to it. You can visit the Django admin interface `https://<hostname>/admin` and add a Realm (remember to set REALM_COUNTRIES in local_settings.py).
     In DjNRO the NRO sets the environment for the institution eduroam admins. Therefore the NRO has to insert the initial data for his/her clients/institutions in the *Institutions* Model, again using the Django admin interface. As an alternative, you can copy your existing `institution.xml` to `/path/to/djnro` and run the following to import institution data::
     		./manage.py parse_instituion_xml
     ## Exporting Data
     DjNRO can export data in formats suitable for use by other software.
     XML documents conforming to the `eduroam database <https://monitor.eduroam.org/database.php>`_ schemata are exported at the following URLs, as required for harvesting by eduroam.org::
         /general/realm.xml
         /general/institution.xml
         /usage/realm_data.xml
     A list of institution administrators can be exported in CSV format or a plain format suitable for use by a mailing list (namely `Sympa <http://www.sympa.org/manual/parameters-data-sources#include_remote_file>`_). This data is available through:
     * a management comand `./manage.py contacts`, which defaults to CSV output (currently with headers in Greek!) and can switch to plain output using `--mail-list`.
     * a view (`adminlist`), which only supports output in the latter plain text format.
     Likewise, data that can be used as input for automatic configuration of `Federation Level RADIUS Servers (FLRS)` can be exported in YAML/JSON format, through:
     * a management command (`./manage.py servdata`)
     * a view (`sevdata`)
     Output format defaults to YAML and can be overriden respectively:
     * by using `--output=json`
     * by sending an `Accept: application/json` HTTP header
     We also provide a sample script for reading this data (`extras/servdata_consumer.py`) along with templates (in the same directory) for producing configuration suitable for FreeRADIUS and radsecproxy. This script requires the following python packages:
       * python-requests
       * python-yaml
       * python-mako (for the templates)
     Take the time to read the default settings at the top of the script and run it with `--help`. The templates are based on assumptions that may not match your setup; they are mostly provided as a proof of concept.
     *attention*
        **The `adminlist` and `servdata` views are commented out by default in `djnro/urls.py`. Make sure you protect them (SSL, ACL and/or authentication) at the HTTP server before you enable them, as they may expose private/sensitive data.**
     ## Next Steps (Branding)
     The majority of branding is done via the NRO variables in local_settings.py. You might also want to change the logo of the application. Within the static/img/eduroam_branding folder you will find the XCF files logo_holder, logo_small.
     ## Upgrade Instructions
     * Backup your `settings.py` and `local_settings` file and any local modifications.
     * Update the code.
     * Copy `djnro/local_settings.py.dist` to `djnro/local_settings.py` and modify it to match your previous configuration.
     * edit the apache configuration in order to work with the new location of wsgi and set the python-path attribute.
     * remove old wsgi file `/path/to/djnro/apache/django.wsgi` and parent directory
     * remove django-extensions from `INSTALLED_APPS`
     * Add timeout in cache configuration
     * Make sure you have installed the following required packages (some of these introduced in 0.9):
       * python-oauth2
       * python-requests
       * python-lxml
       * python-yaml
     * run `./manage.py migrate`
     *attention*
        **You had previously copied `urls.py.dist` to `urls.py`. This is no longer supported; we now use `djnro/urls.py`. URLs that provide sensitive data are disabled (commented out) by default. You may have to edit the file according to your needs.**
     ## LDAP Authentication
     If you want to use LDAP authentication, local_settings.py must be amended::
     	EXTRA_AUTHENTICATION_BACKENDS = (
     		...,
     		'django_auth_ldap.backend.LDAPBackend',
     		...,
+    	)
     	# LDAP CONFIG
     	import ldap
     	from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
     	AUTH_LDAP_BIND_DN = ""
     	AUTH_LDAP_BIND_PASSWORD = ""
     	AUTH_LDAP_SERVER_URI = "ldap://foo.bar.org"
     	AUTH_LDAP_START_TLS = True
     	AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=People, dc=bar, dc=foo",
     	ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
     	AUTH_LDAP_USER_ATTR_MAP = {
     	      "first_name":"givenName",
     	      "last_name": "sn",
     	      "email": "mail
+    	      }
     	# Set up the basic group parameters.
     	AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
     		"ou=Groups,dc=foo,dc=bar,dc=org",ldap.SCOPE_SUBTREE, objectClass=groupOfNames"
+    	)
     	AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
     	AUTH_LDAP_USER_FLAGS_BY_GROUP = {
     		"is_active": "cn=NOC, ou=Groups, dc=foo, dc=bar, dc=org",
     		"is_staff": "cn=staff, ou=Groups, dc=foo, dc=bar, dc=org",
     		"is_superuser": "cn=NOC, ou=Groups,dc=foo, dc=bar, dc=org"
+    	}
     ## Pebble Watch Application - pebduroam
     The closest point API allows for development of location aware-applications.
     Pebduroam is a Pebble watch application that fetches the closest eduroam access point plus walking instructions on how to reach it.
     Installing the application on your Pebble watch can be done in 2 ways:
     * You can install the application via the Pebble App Store: `pebduroam <https://apps.getpebble.com/applications/5384b2119c84af48350000c7>`_
     * You can install the application and contribute to its development via github: `pebduroam github repo <https://github.com/leopoul/pebduroam>`_.
       * You need to have a Cloudpebble account to accomplish this.
       * Once logged-in you need to select Import - Import from github and paste the pebduroam github repo url in the corresponding text box.
       * Having configured your Pebble watch in developer mode will allow you to build and install your cloned project source directly on your watch.
     **attention**
        Currently pebduroam uses GRNET's djnro closest point API. To switch the Pebble app to your djnro installation you need to follow the second method of installation

     # Required Packages
     ## Dependencies
     DjNRO heavily depends on the following:
     * Python (<3 & >=2.6)
     * memcached
     * A mail server - Tested with exim
     * python packages located in requirements.txt, you can install them with `pip install -r requirements.txt`
     ## Conditional Dependencies
     * python-pip
     * python-mysqldb (If you wish to use MySQL as the DB backend)
     * mysql-client
     * apache2 (We suggest apache with mod_rewrite enabled - use your preferred server in case you dont want to use shibboleth)
     * gettext: only if one will be editing and compiling translations
     * python-django-auth-ldap: if ldap authentication backend will be used.
     ## Django Social Auth
     User authentication via social media is carried out by the [python-social-auth](http://http://django-social-auth.readthedocs.org/en/latest/index.html) python-social-auth package.
     ## Pip requirements.txt file
     DjNRO has also a requirements file which can be used with pip

     # -*- coding: utf-8 -*-
+    #
     # DjNRO (eduroam) documentation build configuration file
+    #
     # This file is execfile()d with the current directory set to its containing dir.
+    #
     # Note that not all possible configuration values are present in this
     # autogenerated file.
+    #
     # All configuration values have a default; values that are commented out
     # serve to show the default.
     import sys, os
     # Optional. Use a shorter name to conserve nav. bar space.
     # If extensions (or modules to document with autodoc) are in another directory,
     # add these directories to sys.path here. If the directory is relative to the
     # documentation root, use os.path.abspath to make it absolute, like shown here.
     # -- General configuration -----------------------------------------------------
     # If your documentation needs a minimal Sphinx version, state it here.
     #needs_sphinx = "1.0"
     # Add any Sphinx extension module names here, as strings. They can be extensions
     # coming with Sphinx (named "sphinx.ext.*") or your custom ones.
     extensions = [
       "sphinx.ext.todo",
       "sphinx.ext.graphviz",
       'sphinx.ext.autodoc', 'sphinx.ext.doctest', 'sphinx.ext.intersphinx', 'sphinx.ext.coverage', 'sphinx.ext.pngmath', 'sphinx.ext.ifconfig', 'sphinx.ext.autosummary'
+      ]
     # Add any paths that contain templates here, relative to this directory.
     #templates_path = ["_templates"]
     # The suffix of source filenames.
     source_suffix = ".rst"
     # The encoding of source files.
     source_encoding = "utf-8"
     # The master toctree document.
     master_doc = "index"
     # General information about the project.
     project = u"DjNRO"
     copyright = u"2014, GRNET S.A. - Designed and developed by Leonidas Poulopoulos, Zenon Mousmoulas and Stavros Kroustouris - GRNET NOC"
     # The version info for the project you're documenting, acts as replacement for
     # |version| and |release|, also used in various other places throughout the
     # built documents.
+    #
     # These next two will be passed via the command line, see the makefile
     # The short X.Y version
     version = "0.9"
     # The full version, including alpha/beta/rc tags.
     release = "0.9.1"
     # The language for content autogenerated by Sphinx. Refer to documentation
     # for a list of supported languages.
     language = "en"
     # There are two options for replacing |today|: either, you set today to some
     # non-false value, then it is used:
     #today = ""
     # Else, today_fmt is used as the format for a strftime call.
     #today_fmt = "%B %d, %Y"
     # List of documents that shouldn't be included in the build.
     #unused_docs = []
     # List of directories, relative to source directory, that shouldn't be searched
     # for source files.
     #exclude_trees = [
      # "_build",
      # "api",
      # ]
     # The reST default role (used for this markup: `text`) to use for all documents.
     #default_role = None
     # If true, "()" will be appended to :func: etc. cross-reference text.
     #add_function_parentheses = True
     # If true, the current module name will be prepended to all description
     # unit titles (such as .. function::).
     #add_module_names = True
     # If true, sectionauthor and moduleauthor directives will be shown in the
     # output. They are ignored by default.
     #show_authors = False
     # The name of the Pygments (syntax highlighting) style to use.
     pygments_style = "sphinx"
     # A list of ignored prefixes for module index sorting.
     #modindex_common_prefix = ['iooclient.']
     # -- Options for HTML output ---------------------------------------------------
     # The theme to use for HTML and HTML Help pages.  See the documentation for
     # a list of builtin themes.
     #html_theme = "sphinxdoc"
     # Theme options are theme-specific and customize the look and feel of a theme
     # further.  For a list of options available for each theme, see the
     # documentation.
     #html_theme_options = {}
     # Add any paths that contain custom themes here, relative to this directory.
     #html_theme_path = []
     # The name for this set of Sphinx documents.  If None, it defaults to
     # "<project> v<release> documentation".
     #html_title = None
     # A shorter title for the navigation bar.  Default is the same as html_title.
     #html_short_title = None
     # The name of an image file (relative to this directory) to place at the top
     # of the sidebar.
     html_logo = "logo.png"
     # The name of an image file (within the static path) to use as favicon of the
     # docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
     # pixels large.
     #html_favicon = None
     # Add any paths that contain custom static files (such as style sheets) here,
     # relative to this directory. They are copied after the builtin static files,
     # so a file named "default.css" will overwrite the builtin "default.css".
     html_static_path = ['_static']
     # If not "", a "Last updated on:" timestamp is inserted at every page bottom,
     # using the given strftime format.
     #html_last_updated_fmt = "%b %d, %Y"
     # If true, SmartyPants will be used to convert quotes and dashes to
     # typographically correct entities.
     #html_use_smartypants = True
     # Custom sidebar templates, maps document names to template names.
     #html_sidebars = {}
     # Additional templates that should be rendered to pages, maps page names to
     # template names.
     #html_additional_pages = {}
     # If false, no module index is generated.
     html_use_modindex = False
     # If false, no index is generated.
     html_use_index = False
     # If true, the index is split into individual pages for each letter.
     #html_split_index = False
     # If true, links to the reST sources are added to the pages.
     #html_show_sourcelink = True
     # If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
     #html_show_sphinx = True
     # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
     #html_show_copyright = True
     # If true, an OpenSearch description file will be output, and all pages will
     # contain a <link> tag referring to it.  The value of this option must be the
     # base URL from which the finished HTML is served.
     #html_use_opensearch = ""
     # If nonempty, this is the file name suffix for HTML files (e.g. ".xhtml").
     #html_file_suffix = ""
     # Output file base name for HTML help builder.
     htmlhelp_basename = "eduroamdoc"
     intersphinx_mapping = {'http://docs.python.org/': None}
     autoclass_content = 'both'

     DjNRO: Django National Roaming Operator or how to manage your eduroam database
     ==============================================================================
     DjNRO = Django + NRO
     About
     -----
     In the `eduroam <http://www.eduroam.org>`_ world, NRO stands for National Roaming Operator.
     Maintaining and managing a local eduroam database is quite an important responsibility of an eduroam NRO.
     eduroam.org periodically polls and gathers information from all participating domains.
     Information is provided upstream, in a structured way (XML format) and consists of participating institutions' data, location data along with monitoring data - though provisioning of monitoring data has been superseeded by the f-Ticks mechanism.
     The source of information should be the local eduroam database. So, changes to the database should be reflected to the XML files.
     New eduroam locations, changes in contacts and information about each location should be up-to-date so as to ease the eduroam usage and assist eduroam users whenever they need support.
     DjNRO is a Django platform that eases the management process of a National Roaming Operator. DjNRO complies with the `eduroam database <http://monitor.eduroam.org/database.php>`_ and the eduroam XSDs.
     Thus, apart from domain management, it can generate the necessary xml files for eduroam.org monitoring.
     DjNRO is more than keeping eduroam.org updated with data.
     In essence it is a distributed management application. It is distributed in the sense that information about each institution locations and services is kept up-to-date by each local eduroam administrator. Keeping in pace with eduroam's federated nature, our implementation uses federated authentication/authorisation mechanisms, namely Shibboleth.
     In case Shibboleth is not an option for an institution, a social media auth mechanism comes in handy. The local institution eduroam administrators can become DjNRO admins. Local eduroam administrators register to the platform via Shibboleth or social media auth. The NRO's responsibility is to activate their accounts.
     From then on they can manage their eduroam locations, contact points and institution information. The administrative interface especially the locations management part, is heavily implemented with Google Maps. This makes editing easier, faster and accurate.
     Installation and customization is fairly easy and is described in the following sections.
     .. attention::
        Installation instructions assume a clean Debian Wheezy with Django 1.4
     Currently the source code is availiable at code.grnet.gr and github and can be cloned via git::
         git clone https://code.grnet.gr/git/djnro
         git clone https://github.com/grnet/djnro.git
     The Greek eduroam webpage is a living example of DjNRO: `eduroam|gr <http://www.eduroam.gr>`_
     Features
     --------
     * Allow your local eduroam admins to edit their local eduroam data (AP locations, server params, etc)
     * Visualize the information via Google Maps
     * Eduroam world maps overview via daily update on eduroam.org KML file
     * Find your closest eduroam in the world
     * **New** Allow for eduroam CAT institution enrollments
     * **New** Extract contact info for mailing list creation
     * **New** Server monitoring data
     * **New** Pebble watch app with closest eduroam walking instrunctions
     Bootstrap CSS framework with responsive design makes it work on every device
     Requirements
     ------------
     .. toctree::
     	require
     Installation
     ------------
     .. toctree::
         install

     .. _install-label:
     Installation/Configuration
     ==========================
     .. contents::
     .. note::
        Installation instructions assume a clean Debian Wheezy with Django 1.4
     Assuming that you have installed all the requirements described in :ref:`require-label` you can install the DjNRO project.
     The software is published at code.grnet.gr and can be downloaded using git::
     	git clone https://code.grnet.gr/git/djnro
     It is also available on GitHub::
     	https://github.com/grnet/djnro/
     Project & Local Settings
     ^^^^^^^^^^^^^^^^^^^^^^^^
     .. attention::
        In version 0.9 settings were split in two parts: settings.py and local_settings.py
     The file settings.py contains settings distributed by the project, which should normally not be necessary to modify. Options specific to the particular installation must be configured in local_settings.py. This file must be created by copying local_settings.py.dist::
         cd djnro
         cp djnro/local_settings.py.dist djnro/local_settings.py
     The following variables/settings need to be altered or set:
     Set Admin contacts::
     	ADMINS = (
     	     ('Admin', 'admin@example.com'),
+    	)
     Set the database connection params::
     	DATABASES = {
     	    ...
+    	}
     For a production instance and once DEBUG is set to False set the ALLOWED_HOSTS::
         ALLOWED_HOSTS = ['.example.com']
     Set your timezone and Languages::
     	TIME_ZONE = 'Europe/Athens'
     	LANGUAGES = (
     	    ('el', _('Greek')),
     	    ('en', _('English')),
+    	)
     Set your static root and url::
         STATIC_ROOT = '/path/to/static'
         STATIC_URL = 'http://www.example.com/static'
     .. _Django: https://docs.djangoproject.com/en/1.4/howto/static-files/#serving-static-files-in-development
     .. attention::
     	The STATIC_URL setting works only if DEBUG=False. For more see the Django_ docs.
     Set the secret key::
         SECRET_KEY = '<put something really random here, eg. %$#%@#$^2312351345#$%3452345@#$%@#$234#@$hhzdavfsdcFDGVFSDGhn>'
     Django social auth needs changes in the Authentication Backends depending on which social auth you want to enable::
     	AUTHENTICATION_BACKENDS = (
     	    'djnro.djangobackends.shibauthBackend.shibauthBackend',
     		...
     		'django.contrib.auth.backends.ModelBackend',
+    	)
     Set your template dirs::
     	TEMPLATE_DIRS = (
     	    "/example/templates",
+    	)
     As the application includes a "Nearest eduroam" functionality, global eduroam service locations are harvested from the KML file published at eduroam.org::
     	EDUROAM_KML_URL = 'http://monitor.eduroam.org/kml/all.kml'
     Depending on your AAI policy set an appropriate authEntitlement::
     	SHIB_AUTH_ENTITLEMENT = 'urn:mace:example.com:pki:user'
     Mail server parameters::
     	SERVER_EMAIL = "Example domain eduroam Service <noreply@example.com>"
     	EMAIL_SUBJECT_PREFIX = "[eduroam] "
     NRO contact mails::
     	NOTIFY_ADMIN_MAILS = ["mail1@example.com", "mail2@example.com"]
     Set your cache backend (if you want to use one). For production instances you can go with memcached. For development you can keep the provided dummy instance::
         CACHES = {
             'default': {
                 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
                 'LOCATION': '127.0.0.1:11211',
+            }
+        }
     Models Name_i18n and URL_i18n include a language choice field
     If languages are the same with LANGUAGES variable, simply do URL_NAME_LANGS = LANGUAGES else set your own::
     	URL_NAME_LANGS = (
     	        ('en', 'English' ),
     	        ('el', 'Ελληνικά'),
+    	    )
     NRO specific parameters. These affect HTML templates::
     	# Frontend country specific vars, eg. Greece
     	NRO_COUNTRY_NAME = _('My Country')
     	# Variable used by context_processor to display the "eduroam | <country_code>" in base.html
     	NRO_COUNTRY_CODE = 'gr'
     	# main domain url used in right top icon, eg. http://www.grnet.gr
     	NRO_DOMAIN_MAIN_URL = "http://www.example.com"
     	# provider info for footer
     	NRO_PROV_BY_DICT = {"name": "EXAMPLE DEV TEAM", "url": "http://devteam.example.com"}
     	#NRO social media contact (Use: // to preserve https)
     	NRO_PROV_SOCIAL_MEDIA_CONTACT = [
     	                                {"url":"//soc.media.url", "icon":"icon.png", "name":"NAME1(eg. Facebook)"},
     	                                {"url":"//soc.media.url", "icon":"icon.png",  "name":"NAME2(eg. Twitter)"},
+    	                                ]
     	# map center (lat, lng)
     	MAP_CENTER = (36.97, 23.71)
     	#Helpdesk, used in base.html:
     	NRO_DOMAIN_HELPDESK_DICT = {"name": _("Domain Helpdesk"), 'email':'helpdesk@example.com', 'phone': '12324567890', 'uri': 'helpdesk.example.com'}
     Set the Realm country for REALM model::
     	#Countries for Realm model:
     	REALM_COUNTRIES = (
     	             ('country_2letters', 'Country' ),
+    	            )
     Attribute map to match your AAI policy and SSO software (typically Shibboleth SP)::
     	#Shibboleth attribute map
     	SHIB_USERNAME = ['HTTP_EPPN']
     	SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
     	SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
     	SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
     	SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
     Django Social Auth parameters::
     	SOCIAL_AUTH_TWITTER_KEY = ''
     	SOCIAL_AUTH_TWITTER_SECRET = ''
     	SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = ''
     	SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = ' '
     	SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = []
     .. versionadded:: 0.9
     DjNRO provides limited integration with eduroam CAT (Configuration Assistant Tool). Institution administrators can automatically provision their institution to CAT without the intervention of the federation (NRO) administrator.
     In order to enable this functionality, you must list at least one instance and the corresponding description in CAT_INSTANCES. Beware that pages accessible by end users currently only show CAT information
     for the instance named `production`.
     You must also set the following parameters for each CAT instance in CAT_AUTH:
     * CAT_API_KEY: API key for authentication to CAT
     * CAT_API_URL: API endpoint URL
     * CAT_PROFILES_URL: Base URL for Intitution Download Area pages
     * CAT_FEDMGMT_URL: URL For Federation Overview page (currently not in use)
     ::
         CAT_INSTANCES = (
             ('production', 'cat.eduroam.org'),
             ('testing', 'cat-test.eduroam.org'),
+        )
         CAT_AUTH = {
             'production': {
                 "CAT_API_KEY": "<provided API key>",
                 "CAT_API_URL": "https://cat.eduroam.org/admin/API.php",
                 "CAT_PROFILES_URL": "https://cat.eduroam.org/",
                 "CAT_FEDMGMT_URL": "https://cat.eduroam.org/admin/overview_federation.php"
             },
             'testing': {
                 "CAT_API_KEY": "<provided API key>",
                 "CAT_API_URL": "https://cat-test.eduroam.org/test/admin/API.php",
                 "CAT_PROFILES_URL": "https://cat-test.eduroam.org/test",
                 "CAT_FEDMGMT_URL": "https://cat-test.eduroam.org/test/admin/overview_federation.php"
             },
+        }
     For more information about eduroam CAT, you may read: `A guide to eduroam CAT for federation administrators <https://confluence.terena.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+federation+administrators>`_.
     In case one wants to extend some of the settings only for the local instance, they can prepend *EXTRA_* on the attribute they want to extend. For example::
     	EXTRA_INSTALLED_APPS = (
     		'django_debug_toolbar',
+    	)
     Database Sync
     ^^^^^^^^^^^^^
     Once you are done with local_settings.py run::
     	./manage.py syncdb
     Create a superuser, it comes in handy. And then run south migration to complete::
     	./manage.py migrate
     Now you should have a clean database with all the tables created.
     Running the server
     ^^^^^^^^^^^^^^^^^^
     We suggest using Apache and mod_wsgi. Below is an example configuration::
     	# Tune wsgi daemon as necessary: processes=x threads=y
     	WSGIDaemonProcess djnro display-name=%{GROUP} python-path=/path/to/djnro/
     	<VirtualHost *:443>
     		ServerName		example.com
     		Alias		/static	/path/to/djnro/static
     		WSGIScriptAlias	/	/path/to/djnro/djnro/wsgi.py
     		<Directory /path/to/djnro/djnro>
     			<Files wsgi.py>
     			    WSGIProcessGroup djnro
     			    Order deny,allow
     			    Allow from all
     			</Files>
     		</Directory>
     		SSLEngine on
     		SSLCertificateFile	...
     		SSLCertificateChainFile	...
     		SSLCertificateKeyFile	...
     		# Shibboleth SP configuration
     		ShibConfig	/etc/shibboleth/shibboleth2.xml
     		Alias		/shibboleth-sp	/usr/share/shibboleth
     		# SSO through Shibboleth SP:
     		<Location /login>
     			AuthType shibboleth
     			ShibRequireSession On
     			ShibUseHeaders On
     			require valid-user
     		</Location>
     		<Location /Shibboleth.sso>
     			SetHandler shib
     		</Location>
     	</VirtualHost>
     *Info*: It is strongly recommended to allow access to ``/(admin|overview|alt-login)`` *ONLY* from trusted subnets.
     Once you are done, restart apache.
     Fetch KML
     ^^^^^^^^^
     A Django management command, named fetch_kml, fetches the KML document and updates the cache with eduroam service locations. It is suggested to periodically run this command in a cron job in order to keep the map up to date::
     		./manage.py fetch_kml
     Initial Data
     ^^^^^^^^^^^^
     In order to start using DjNRO you need to create a Realm record for your NRO along with one or more contacts linked to it. You can visit the Django admin interface (``https://<hostname>/admin``) and add a Realm (remember to set REALM_COUNTRIES in local_settings.py).
     In DjNRO the NRO sets the environment for the institution eduroam admins. Therefore the NRO has to insert the initial data for his/her clients/institutions in the *Institutions* Model, again using the Django admin interface. As an alternative, you can copy your existing ``institution.xml`` to ``/path/to/djnro`` and run the following to import institution data::
     		./manage.py parse_instituion_xml
     Exporting Data
     ^^^^^^^^^^^^^^
     DjNRO can export data in formats suitable for use by other software.
     XML documents conforming to the `eduroam database <https://monitor.eduroam.org/database.php>`_ schemata are exported at the following URLs, as required for harvesting by eduroam.org::
         /general/realm.xml
         /general/institution.xml
         /usage/realm_data.xml
     .. versionadded:: 0.9
     A list of institution administrators can be exported in CSV format or a plain format suitable for use by a mailing list (namely `Sympa <http://www.sympa.org/manual/parameters-data-sources#include_remote_file>`_). This data is available through:
     * a management comand (``./manage.py contacts``), which defaults to CSV output (currently with headers in Greek!) and can switch to plain output using ``--mail-list``.
     * a view (``adminlist``), which only supports output in the latter plain text format.
     Likewise, data that can be used as input for automatic configuration of `Federation Level RADIUS Servers (FLRS)` can be exported in YAML/JSON format, through:
     * a management command (``./manage.py servdata``)
     * a view (``sevdata``)
     Output format defaults to YAML and can be overriden respectively:
     * by using ``--output=json``
     * by sending an ``Accept: application/json`` HTTP header
     We also provide a sample script for reading this data (``extras/servdata_consumer.py``) along with templates (in the same directory) for producing configuration suitable for FreeRADIUS and radsecproxy. This script requires the following python packages:
       * python-requests
       * python-yaml
       * python-mako (for the templates)
     Take the time to read the default settings at the top of the script and run it with ``--help``. The templates are based on assumptions that may not match your setup; they are mostly provided as a proof of concept.
     .. attention::
        The ``adminlist`` and ``servdata`` views are commented out by default in ``djnro/urls.py``. Make sure you protect them (SSL, ACL and/or authentication) at the HTTP server before you enable them, as they may expose private/sensitive data.
     Next Steps (Set your Logo)
     ^^^^^^^^^^^^^^^^^^^^^^^^^^
     The majority of branding is done via the NRO variables in local_settings.py. You might also want to change the logo of the application. Within the static/img/eduroam_branding folder you will find the XCF files logo_holder, logo_small. Edit with Gimp according to your needs and export to logo_holder.png and logo_small.png at the same path. To change the domain logo on top right, replace the static/img/right_logo_small.png file with your own logo (86x40).
     Upgrade Instructions
     ^^^^^^^^^^^^^^^^^^^^
     * Backup your ``settings.py`` file and any local modifications.
     * Update the code.
     * Copy ``djnro/local_settings.py.dist`` to ``djnro/local_settings.py`` and modify it to match your previous configuration.
     * edit the apache configuration in order to work with the new location of wsgi and set the python-path attribute.
     * remove old wsgi file ``/path/to/djnro/apache/django.wsgi`` and parent directory
     * remove django-extensions from `INSTALLED_APPS`
     * Add timeout in cache configuration
     * Make sure you have installed the following required packages (some of these introduced in 0.9):
       * python-oauth2
       * python-requests
       * python-lxml
       * python-yaml
     * run ``./manage.py migrate``
     .. attention::
        You had previously copied ``urls.py.dist`` to ``urls.py``. This is no longer supported; we now use ``djnro/urls.py``. URLs that provide sensitive data are disabled (commented out) by default. You may have to edit the file according to your needs.
     Pip Support
     ^^^^^^^^^^^
     We have added a requirements.txt file, tested for django 1.4.5. You can use it
     with ``pip install -r requirements.txt``.
     LDAP Authentication
     ^^^^^^^^^^^^^^^^^^^
     If you want to use LDAP authentication, local_settings.py must be amended::
     	EXTRA_AUTHENTICATION_BACKENDS = (
     		...,
     		'django_auth_ldap.backend.LDAPBackend',
     		...,
+    	)
     	# LDAP CONFIG
     	import ldap
     	from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
     	AUTH_LDAP_BIND_DN = ""
     	AUTH_LDAP_BIND_PASSWORD = ""
     	AUTH_LDAP_SERVER_URI = "ldap://foo.bar.org"
     	AUTH_LDAP_START_TLS = True
     	AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=People, dc=bar, dc=foo",
     	ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
     	AUTH_LDAP_USER_ATTR_MAP = {
     	      "first_name":"givenName",
     	      "last_name": "sn",
     	      "email": "mail
+    	      }
     	# Set up the basic group parameters.
     	AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
     		"ou=Groups,dc=foo,dc=bar,dc=org",ldap.SCOPE_SUBTREE, objectClass=groupOfNames"
+    	)
     	AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
     	AUTH_LDAP_USER_FLAGS_BY_GROUP = {
     		"is_active": "cn=NOC, ou=Groups, dc=foo, dc=bar, dc=org",
     		"is_staff": "cn=staff, ou=Groups, dc=foo, dc=bar, dc=org",
     		"is_superuser": "cn=NOC, ou=Groups,dc=foo, dc=bar, dc=org"
+    	}
     Pebble Watch Application - pebduroam
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     The closest point API allows for development of location aware-applications.
     Pebduroam is a Pebble watch application that fetches the closest eduroam access point plus walking instructions on how to reach it.
     Installing the application on your Pebble watch can be done in 2 ways:
     * You can install the application via the Pebble App Store: `pebduroam <https://apps.getpebble.com/applications/5384b2119c84af48350000c7>`_
     * You can install the application and contribute to its development via github: `pebduroam github repo <https://github.com/leopoul/pebduroam>`_.
       * You need to have a Cloudpebble account to accomplish this.
       * Once logged-in you need to select Import - Import from github and paste the pebduroam github repo url in the corresponding text box.
       * Having configured your Pebble watch in developer mode will allow you to build and install your cloned project source directly on your watch.
     .. attention::
        Currently pebduroam uses GRNET's djnro closest point API. To switch the Pebble app to your djnro installation you need to follow the second method of installation

     .. _require-label:
     Required Packages
     =================
     Dependencies
     ^^^^^^^^^^^^
     DjNRO heavily depends on the following:
     * Python (<3 & >=2.6)
     * memcached
     * python-mysqldb (If you wish to use MySQL as the DB backend)
     * mysql-client
     * apache2 (We suggest apache with mod_rewrite enabled - use your preferred server)
     * A mail server - Tested with exim
     * python-pip
     * python packages located in requirements.txt, you can install them with `pip install -r requirements.txt`
     Conditional Dependencies
     ^^^^^^^^^^^^^^^^^^^^^^^^
     * gettext: only if one will be editing and compiling translations
     * python-django-auth-ldap: if ldap authentication backend will be used.
     Django Social Auth
     ------------------
     User authentication via social media is carried out by the `python-django-social-auth <http://http://django-social-auth.readthedocs.org/en/latest/index.html>`_ python-django-social-auth package. We have included python-django-social-auth 0.7.18 in repository because DjNRO requires WrongBackend from social_auth.exceptions; this does not exist in 0.7.0 which ships with Debian Wheezy.
     Django Social Auth: Requirements - Dependencies
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     *  OpenId support depends on python-openid
     *  OAuth support depends on python-oauth2

     site_name: DjNRO
     repo_url: https://github.com/grnet/djnro/
     docs_dir: docs
     site_author: Stavros Kroustouris
     theme: readthedocs
     pages:
         - 'Introduction': 'index.md'
         - 'Installation':
             - 'Requirements': 'installation/requirements.md'
             - 'Installing DjNRO': 'installation/install.md'
         #     - 'Debian': 'installation/debian_wheezy.md'
         #     - 'Red Hat': 'installation/redhat.md'
         # - 'Configuration': 'configuration.md'

Also available in: Unified diff