root / docs / installation / install.md @ afd2a174
History | View | Annotate | Download (13.7 kB)
1 |
# Installation/Configuration |
---|---|
2 |
First of all you have to install all the packages described in `requirements` |
3 |
section |
4 |
|
5 |
The software is published at [github](https://github.com/grnet/djnro) and can be downloaded using git: |
6 |
|
7 |
git clone https://github.com/grnet/djnro |
8 |
|
9 |
|
10 |
## Project & Local Settings |
11 |
|
12 |
**In version 0.9 settings were split in two parts: settings.py and local_settings.py** |
13 |
|
14 |
The file settings.py contains settings distributed by the project, which should normally not be necessary to modify. |
15 |
Options specific to the particular installation must be configured in local_settings.py. This file must be created by copying local_settings.py.dist: |
16 |
|
17 |
cd djnro |
18 |
cp djnro/local_settings.py.dist djnro/local_settings.py |
19 |
|
20 |
|
21 |
The following variables/settings need to be altered or set: |
22 |
|
23 |
Set Admin contacts:: |
24 |
|
25 |
ADMINS = ( |
26 |
('Admin', 'admin@example.com'), |
27 |
) |
28 |
|
29 |
Set the database connection params: |
30 |
|
31 |
DATABASES = { |
32 |
... |
33 |
} |
34 |
|
35 |
For a production instance and once DEBUG is set to False set the ALLOWED_HOSTS: |
36 |
|
37 |
ALLOWED_HOSTS = ['.example.com'] |
38 |
SECRET_KEY = '<put something really random here, eg. %$#%@#$^2312351345#$%3452345@#$%@#$234#@$hhzdavfsdcFDGVFSDGhn>' |
39 |
|
40 |
Django social auth needs changes in the Extra Authentication Backends depending on which social auth you want to enable: |
41 |
|
42 |
EXTRA_AUTHENTICATION_BACKENDS = ( |
43 |
'djnro.djangobackends.shibauthBackend.shibauthBackend', |
44 |
... |
45 |
'django.contrib.auth.backends.ModelBackend', |
46 |
) |
47 |
|
48 |
**The default Authentication Backends are in settings.py** |
49 |
|
50 |
As the application includes a "Nearest eduroam" functionality, global eduroam service locations are harvested from the KML file published at eduroam.org:: |
51 |
|
52 |
EDUROAM_KML_URL = 'http://monitor.eduroam.org/kml/all.kml' |
53 |
|
54 |
|
55 |
Depending on your AAI policy set an appropriate authEntitlement:: |
56 |
|
57 |
SHIB_AUTH_ENTITLEMENT = 'urn:mace:example.com:pki:user' |
58 |
|
59 |
Mail server parameters:: |
60 |
|
61 |
SERVER_EMAIL = "Example domain eduroam Service <noreply@example.com>" |
62 |
EMAIL_SUBJECT_PREFIX = "[eduroam] " |
63 |
|
64 |
NRO contact mails:: |
65 |
|
66 |
NOTIFY_ADMIN_MAILS = ["mail1@example.com", "mail2@example.com"] |
67 |
|
68 |
Set your cache backend (if you want to use one). For production instances you can go with memcached. For development you can keep the provided dummy instance:: |
69 |
|
70 |
|
71 |
CACHES = { |
72 |
'default': { |
73 |
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', |
74 |
'LOCATION': '127.0.0.1:11211', |
75 |
} |
76 |
} |
77 |
|
78 |
NRO specific parameters. These affect HTML templates:: |
79 |
|
80 |
# Frontend country specific vars, eg. Greece |
81 |
NRO_COUNTRY_NAME = _('My Country') |
82 |
# Variable used by context_processor to display the "eduroam | <country_code>" in base.html |
83 |
NRO_COUNTRY_CODE = 'gr' |
84 |
# main domain url used in right top icon, eg. http://www.grnet.gr |
85 |
NRO_DOMAIN_MAIN_URL = "http://www.example.com" |
86 |
# provider info for footer |
87 |
NRO_PROV_BY_DICT = {"name": "EXAMPLE DEV TEAM", "url": "http://devteam.example.com"} |
88 |
#NRO social media contact (Use: // to preserve https) |
89 |
NRO_PROV_SOCIAL_MEDIA_CONTACT = [ |
90 |
{"url":"//soc.media.url", "icon":"icon.png", "name":"NAME1(eg. Facebook)"}, |
91 |
{"url":"//soc.media.url", "icon":"icon.png", "name":"NAME2(eg. Twitter)"}, |
92 |
] |
93 |
# map center (lat, lng) |
94 |
MAP_CENTER = (36.97, 23.71) |
95 |
#Helpdesk, used in base.html: |
96 |
NRO_DOMAIN_HELPDESK_DICT = {"name": _("Domain Helpdesk"), 'email':'helpdesk@example.com', 'phone': '12324567890', 'uri': 'helpdesk.example.com'} |
97 |
|
98 |
Set the Realm country for REALM model:: |
99 |
|
100 |
#Countries for Realm model: |
101 |
REALM_COUNTRIES = ( |
102 |
('country_2letters', 'Country' ), |
103 |
) |
104 |
|
105 |
Attribute map to match your AAI policy and SSO software (typically Shibboleth SP):: |
106 |
|
107 |
#Shibboleth attribute map |
108 |
SHIB_USERNAME = ['HTTP_EPPN'] |
109 |
SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL'] |
110 |
SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME'] |
111 |
SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME'] |
112 |
SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT'] |
113 |
|
114 |
Django Social Auth parameters: |
115 |
|
116 |
SOCIAL_AUTH_TWITTER_KEY = '' |
117 |
SOCIAL_AUTH_TWITTER_SECRET = '' |
118 |
SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = '' |
119 |
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = ' ' |
120 |
SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = [] |
121 |
|
122 |
|
123 |
DjNRO provides limited integration with eduroam CAT (Configuration Assistant Tool). Institution administrators can automatically provision their institution to CAT without the intervention of the federation (NRO) administrator. |
124 |
|
125 |
In order to enable this functionality, you must list at least one instance and the corresponding description in CAT_INSTANCES. Beware that pages accessible by end users currently only show CAT information |
126 |
for the instance named `production`. |
127 |
|
128 |
You must also set the following parameters for each CAT instance in CAT_AUTH: |
129 |
|
130 |
* CAT_API_KEY: API key for authentication to CAT |
131 |
|
132 |
* CAT_API_URL: API endpoint URL |
133 |
|
134 |
* CAT_PROFILES_URL: Base URL for Intitution Download Area pages |
135 |
|
136 |
* CAT_FEDMGMT_URL: URL For Federation Overview page (currently not in use) |
137 |
|
138 |
:: |
139 |
|
140 |
CAT_INSTANCES = ( |
141 |
('production', 'cat.eduroam.org'), |
142 |
('testing', 'cat-test.eduroam.org'), |
143 |
) |
144 |
|
145 |
CAT_AUTH = { |
146 |
'production': { |
147 |
"CAT_API_KEY": "<provided API key>", |
148 |
"CAT_API_URL": "https://cat.eduroam.org/admin/API.php", |
149 |
"CAT_PROFILES_URL": "https://cat.eduroam.org/", |
150 |
"CAT_FEDMGMT_URL": "https://cat.eduroam.org/admin/overview_federation.php" |
151 |
}, |
152 |
'testing': { |
153 |
"CAT_API_KEY": "<provided API key>", |
154 |
"CAT_API_URL": "https://cat-test.eduroam.org/test/admin/API.php", |
155 |
"CAT_PROFILES_URL": "https://cat-test.eduroam.org/test", |
156 |
"CAT_FEDMGMT_URL": "https://cat-test.eduroam.org/test/admin/overview_federation.php" |
157 |
}, |
158 |
} |
159 |
|
160 |
For more information about eduroam CAT, you may read: [A guide to eduroam CAT for federation administrators](https://confluence.terena.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+federation+administrators). |
161 |
|
162 |
### Extra Apps |
163 |
In case one wants to extend some of the settings only for the local instance, they can prepend *EXTRA_* on the attribute they want to extend. For example: |
164 |
|
165 |
EXTRA_INSTALLED_APPS = ( |
166 |
'django_debug_toolbar', |
167 |
) |
168 |
|
169 |
## Database Sync |
170 |
Once you are done with local_settings.py run: |
171 |
|
172 |
./manage.py syncdb |
173 |
|
174 |
Create a superuser, it comes in handy. And then run south migration to complete:: |
175 |
|
176 |
./manage.py migrate |
177 |
|
178 |
Now you should have a clean database with all the tables created. |
179 |
|
180 |
## Running the server |
181 |
|
182 |
|
183 |
We suggest using Apache and mod_wsgi. Below is an example configuration:: |
184 |
|
185 |
# Tune wsgi daemon as necessary: processes=x threads=y |
186 |
WSGIDaemonProcess djnro display-name=%{GROUP} python-path=/path/to/djnro/ |
187 |
|
188 |
<VirtualHost *:443> |
189 |
ServerName example.com |
190 |
|
191 |
Alias /static /path/to/djnro/static |
192 |
WSGIScriptAlias / /path/to/djnro/djnro/wsgi.py |
193 |
<Directory /path/to/djnro/djnro> |
194 |
<Files wsgi.py> |
195 |
WSGIProcessGroup djnro |
196 |
Order deny,allow |
197 |
Allow from all |
198 |
</Files> |
199 |
</Directory> |
200 |
|
201 |
SSLEngine on |
202 |
SSLCertificateFile ... |
203 |
SSLCertificateChainFile ... |
204 |
SSLCertificateKeyFile ... |
205 |
|
206 |
# Shibboleth SP configuration |
207 |
ShibConfig /etc/shibboleth/shibboleth2.xml |
208 |
Alias /shibboleth-sp /usr/share/shibboleth |
209 |
|
210 |
# SSO through Shibboleth SP: |
211 |
<Location /login> |
212 |
AuthType shibboleth |
213 |
ShibRequireSession On |
214 |
ShibUseHeaders On |
215 |
require valid-user |
216 |
</Location> |
217 |
<Location /Shibboleth.sso> |
218 |
SetHandler shib |
219 |
</Location> |
220 |
</VirtualHost> |
221 |
|
222 |
*Info*: It is strongly recommended to allow access to `/(admin|overview|alt-login)` *ONLY* from trusted subnets. |
223 |
|
224 |
Once you are done, restart apache. |
225 |
|
226 |
## Fetch KML |
227 |
A Django management command, named fetch_kml, fetches the KML document and updates the cache with eduroam service locations. It is suggested to periodically run this command in a cron job in order to keep the map up to date:: |
228 |
|
229 |
./manage.py fetch_kml |
230 |
|
231 |
## Initial Data |
232 |
|
233 |
In order to start using DjNRO you need to create a Realm record for your NRO along with one or more contacts linked to it. You can visit the Django admin interface `https://<hostname>/admin` and add a Realm (remember to set REALM_COUNTRIES in local_settings.py). |
234 |
In DjNRO the NRO sets the environment for the institution eduroam admins. Therefore the NRO has to insert the initial data for his/her clients/institutions in the *Institutions* Model, again using the Django admin interface. As an alternative, you can copy your existing `institution.xml` to `/path/to/djnro` and run the following to import institution data:: |
235 |
|
236 |
./manage.py parse_instituion_xml |
237 |
|
238 |
## Exporting Data |
239 |
DjNRO can export data in formats suitable for use by other software. |
240 |
|
241 |
XML documents conforming to the `eduroam database <https://monitor.eduroam.org/database.php>`_ schemata are exported at the following URLs, as required for harvesting by eduroam.org:: |
242 |
|
243 |
/general/realm.xml |
244 |
/general/institution.xml |
245 |
/usage/realm_data.xml |
246 |
|
247 |
A list of institution administrators can be exported in CSV format or a plain format suitable for use by a mailing list (namely `Sympa <http://www.sympa.org/manual/parameters-data-sources#include_remote_file>`_). This data is available through: |
248 |
|
249 |
* a management comand `./manage.py contacts`, which defaults to CSV output (currently with headers in Greek!) and can switch to plain output using `--mail-list`. |
250 |
|
251 |
* a view (`adminlist`), which only supports output in the latter plain text format. |
252 |
|
253 |
Likewise, data that can be used as input for automatic configuration of `Federation Level RADIUS Servers (FLRS)` can be exported in YAML/JSON format, through: |
254 |
|
255 |
* a management command (`./manage.py servdata`) |
256 |
|
257 |
* a view (`sevdata`) |
258 |
|
259 |
Output format defaults to YAML and can be overriden respectively: |
260 |
|
261 |
* by using `--output=json` |
262 |
|
263 |
* by sending an `Accept: application/json` HTTP header |
264 |
|
265 |
We also provide a sample script for reading this data (`extras/servdata_consumer.py`) along with templates (in the same directory) for producing configuration suitable for FreeRADIUS and radsecproxy. This script requires the following python packages: |
266 |
|
267 |
* python-requests |
268 |
|
269 |
* python-yaml |
270 |
|
271 |
* python-mako (for the templates) |
272 |
|
273 |
Take the time to read the default settings at the top of the script and run it with `--help`. The templates are based on assumptions that may not match your setup; they are mostly provided as a proof of concept. |
274 |
|
275 |
*attention* |
276 |
**The `adminlist` and `servdata` views are commented out by default in `djnro/urls.py`. Make sure you protect them (SSL, ACL and/or authentication) at the HTTP server before you enable them, as they may expose private/sensitive data.** |
277 |
|
278 |
## Next Steps (Branding) |
279 |
|
280 |
The majority of branding is done via the NRO variables in local_settings.py. You might also want to change the logo of the application. Within the static/img/eduroam_branding folder you will find the XCF files logo_holder, logo_small. |
281 |
|
282 |
## Upgrade Instructions |
283 |
|
284 |
* Backup your `settings.py` and `local_settings` file and any local modifications. |
285 |
|
286 |
* Update the code. |
287 |
|
288 |
* Copy `djnro/local_settings.py.dist` to `djnro/local_settings.py` and modify it to match your previous configuration. |
289 |
|
290 |
* edit the apache configuration in order to work with the new location of wsgi and set the python-path attribute. |
291 |
|
292 |
* remove old wsgi file `/path/to/djnro/apache/django.wsgi` and parent directory |
293 |
|
294 |
* remove django-extensions from `INSTALLED_APPS` |
295 |
|
296 |
* Add timeout in cache configuration |
297 |
|
298 |
* Make sure you have installed the following required packages (some of these introduced in 0.9): |
299 |
|
300 |
* python-oauth2 |
301 |
|
302 |
* python-requests |
303 |
|
304 |
* python-lxml |
305 |
|
306 |
* python-yaml |
307 |
|
308 |
* run `./manage.py migrate` |
309 |
|
310 |
*attention* |
311 |
|
312 |
**You had previously copied `urls.py.dist` to `urls.py`. This is no longer supported; we now use `djnro/urls.py`. URLs that provide sensitive data are disabled (commented out) by default. You may have to edit the file according to your needs.** |
313 |
|
314 |
## LDAP Authentication |
315 |
|
316 |
If you want to use LDAP authentication, local_settings.py must be amended:: |
317 |
|
318 |
EXTRA_AUTHENTICATION_BACKENDS = ( |
319 |
..., |
320 |
'django_auth_ldap.backend.LDAPBackend', |
321 |
..., |
322 |
) |
323 |
|
324 |
# LDAP CONFIG |
325 |
import ldap |
326 |
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType |
327 |
AUTH_LDAP_BIND_DN = "" |
328 |
AUTH_LDAP_BIND_PASSWORD = "" |
329 |
AUTH_LDAP_SERVER_URI = "ldap://foo.bar.org" |
330 |
AUTH_LDAP_START_TLS = True |
331 |
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=People, dc=bar, dc=foo", |
332 |
ldap.SCOPE_SUBTREE, "(uid=%(user)s)") |
333 |
AUTH_LDAP_USER_ATTR_MAP = { |
334 |
"first_name":"givenName", |
335 |
"last_name": "sn", |
336 |
"email": "mail |
337 |
} |
338 |
# Set up the basic group parameters. |
339 |
AUTH_LDAP_GROUP_SEARCH = LDAPSearch( |
340 |
"ou=Groups,dc=foo,dc=bar,dc=org",ldap.SCOPE_SUBTREE, objectClass=groupOfNames" |
341 |
) |
342 |
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() |
343 |
AUTH_LDAP_USER_FLAGS_BY_GROUP = { |
344 |
"is_active": "cn=NOC, ou=Groups, dc=foo, dc=bar, dc=org", |
345 |
"is_staff": "cn=staff, ou=Groups, dc=foo, dc=bar, dc=org", |
346 |
"is_superuser": "cn=NOC, ou=Groups,dc=foo, dc=bar, dc=org" |
347 |
} |
348 |
|
349 |
|
350 |
## Pebble Watch Application - pebduroam |
351 |
|
352 |
|
353 |
The closest point API allows for development of location aware-applications. |
354 |
Pebduroam is a Pebble watch application that fetches the closest eduroam access point plus walking instructions on how to reach it. |
355 |
Installing the application on your Pebble watch can be done in 2 ways: |
356 |
|
357 |
* You can install the application via the Pebble App Store: `pebduroam <https://apps.getpebble.com/applications/5384b2119c84af48350000c7>`_ |
358 |
|
359 |
* You can install the application and contribute to its development via github: `pebduroam github repo <https://github.com/leopoul/pebduroam>`_. |
360 |
|
361 |
* You need to have a Cloudpebble account to accomplish this. |
362 |
|
363 |
* Once logged-in you need to select Import - Import from github and paste the pebduroam github repo url in the corresponding text box. |
364 |
|
365 |
* Having configured your Pebble watch in developer mode will allow you to build and install your cloned project source directly on your watch. |
366 |
|
367 |
**attention** |
368 |
Currently pebduroam uses GRNET's djnro closest point API. To switch the Pebble app to your djnro installation you need to follow the second method of installation |
369 |
|