internal:server_romulus [25.02.2016 - 11:17] – [Backup] tnowak → [29.02.2016 - 13:36] (current) – [Access] tnowak
| OMERO.figure | ''/usr/local/share/omero/OMERO.server/lib/python/omeroweb/figure'' |
| iSCSI Initiator | ''/etc/iscsi'' |

===== Access =====

SSH access on //romulus// is only allowed for members of the (LDAP) group ''ssh-logins''. Furthermore, password authentication is disabled for security reasons, even though SSH would encrypt the password in transit. The preferred way of accessing the server is public/private-key authentication.

When logged in as a specific user, you can generate your own public/private key pair with the command ''ssh-keygen -t rsa''. For use with the Windows program PuTTY, the private key (usually ''.ssh/id_rsa'') first has to be converted to a suitable format with ''puttygen''.

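The script below is an added example, not a file from //romulus//: it audits an ''sshd_config'' against the policy above (only ''ssh-logins'' may log in, password logins off, key logins on) and shows the two traps that make such audits go wrong, namely that sshd honours the first occurrence of a keyword and that anything after a ''Match'' line is conditional. The two sample configs it writes are constructed for the demonstration; the function names and temp file names are the example's own.

```bash
#!/usr/bin/env bash
# Audit an sshd_config against the romulus access policy:
#   AllowGroups must contain ssh-logins, PasswordAuthentication must be no,
#   PubkeyAuthentication must be yes (or absent, since sshd defaults it to yes).
# sshd uses the FIRST occurrence of a keyword, and keywords after a "Match"
# line are conditional, so the reader stops at the first Match block.

# effective_value FILE KEYWORD -> prints the value(s) of the first matching global line
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0   { next }   # comments and blank lines
        tolower($1) == "match"        { exit }   # conditional section starts here
        tolower($1) == tolower(key)   { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# check_sshd_config FILE -> prints one line per finding, returns 0 only if all checks pass
check_sshd_config() {
    local cfg="$1" rc=0 v
    v=$(effective_value "$cfg" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then              # sshd default is yes when the line is absent
        echo "FAIL: PasswordAuthentication is '${v:-yes (default)}', expected no"; rc=1
    fi
    v=$(effective_value "$cfg" PubkeyAuthentication)
    if [ "${v:-yes}" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is '$v', expected yes"; rc=1
    fi
    v=$(effective_value "$cfg" AllowGroups)
    case " $v " in
        *" ssh-logins "*) ;;                      # the group is listed
        *) echo "FAIL: AllowGroups is '${v:-unset}', must include ssh-logins"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "ok: $cfg matches the key-only, ssh-logins policy"
    fi
    return "$rc"
}

# Two constructed configs for the demonstration (not copies of the real file on romulus).
STRICT_CFG=$(mktemp); LAX_CFG=$(mktemp)
cat >"$STRICT_CFG" <<'EOF'
# hardened excerpt; the Match block below must NOT weaken the global result
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups ssh-logins admins
Match User backup
    PasswordAuthentication yes
EOF
cat >"$LAX_CFG" <<'EOF'
# Ubuntu-default-like excerpt: no group restriction, passwords allowed
PubkeyAuthentication yes
PasswordAuthentication yes
EOF

# Usage on the live host: check_sshd_config /etc/ssh/sshd_config
```

Run ''check_sshd_config'' on both constructed files to see one pass and one fail; on the real host, compare its verdict with ''sshd -T'', which prints the effective configuration after defaults and includes are resolved.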
===== Storage =====

OpenLDAP is configured largely inside its own directory structure instead of using the traditional configuration files inside ''/etc''. Permissions were chosen as restrictively as possible while still allowing external authentication requests where necessary. Please refer to [[https://help.ubuntu.com/lts/serverguide/openldap-server.html]] for a starter on how to configure OpenLDAP on Ubuntu LTS 14.04.4.

===== GOsa² =====

The web frontend GOsa² is provided by //romulus// to conveniently manage central OICE user accounts stored in the OpenLDAP backend. New users can be added easily by using the "oice_user" template in the creation process. Upon adding a new user, the post-creation script ''/usr/local/scripts/oice-userpostcreate'' is called, which assigns a default password if none was set (February 2016: FirstnameLastnameSTED). Additionally, this script triggers a custom Python implementation of the PPMS HTTPS API to add the new user to the PPMS booking system's database with external authentication turned on. This happens only if the LDAP field "department number" contains a valid unique group login, such as group-sclaus. If no such field is present, the user is not automatically added to the PPMS system and has to be added manually. If there is not yet a valid group for the user that is to be added, the group has to be added manually to the PPMS **before** the user is added.

Groups are, unfortunately, not queried by the PPMS server from our LDAP database, and account information cannot be requested automatically either, which is why the double account creation is necessary. However, the authentication (via username and password) **is** performed against our LDAP server, so the usernames of users in the PPMS database and in the LDAP server need to be identical.

The authentication happens via LDAP over SSL (ldaps) on port 636, since STARTTLS encryption is not supported, so port 636 has to be opened for the appropriate IP addresses (which was the case in February 2016). User information during the authentication process is thus transferred over an encrypted channel. Care should be taken that this is not accidentally changed.

===== Firewall =====

| Samba | ALLOW | 131.188.170.139 |
| 636 | ALLOW | 134.213.137.186 |
| 636 | ALLOW | 52.31.192.143 (previous revision of 25.02.2016: 54.77.60.9) |
| 1194/udp | ALLOW | Anywhere |
| 192.168.231.192/27 3389 | ALLOW | Anywhere |
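The GOsa² section warns that the ldaps opening on port 636 for the PPMS addresses must not be changed accidentally, and the table above is where that shows up. The script below is an added example (not a tool from //romulus//) that reads the plain-text output of ''ufw status'' and checks that exactly the expected addresses may reach port 636 and that the port is not open to Anywhere. The ''ufw status'' text it reads is constructed to match the table above; the function names are the example's own.

```bash
#!/usr/bin/env bash
# Check the ufw rule set for the ldaps port that the PPMS server authenticates through.
# Reads the output of "ufw status" (or "ufw status verbose") from a file.

# ldaps_allowed_from STATUS_FILE IP -> 0 if an ALLOW rule on port 636 matches IP (or Anywhere)
ldaps_allowed_from() {
    awk -v ip="$2" '
        $1 == "636" || $1 == "636/tcp" {
            act = $2; from = $3
            if (from == "IN" || from == "OUT") from = $4   # "ufw status verbose" prints "ALLOW IN"
            if (act == "ALLOW" && (from == ip || from == "Anywhere")) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# audit_ldaps STATUS_FILE IP... -> every listed IP must be allowed, and the port must
# not be open to Anywhere (which would silently void the PPMS-only restriction)
audit_ldaps() {
    local status="$1" rc=0 ip
    shift
    if ldaps_allowed_from "$status" Anywhere; then
        echo "FAIL: port 636 is open to Anywhere"; rc=1
    fi
    for ip in "$@"; do
        if ldaps_allowed_from "$status" "$ip"; then
            echo "ok:   636 allowed from $ip"
        else
            echo "FAIL: 636 not allowed from $ip"; rc=1
        fi
    done
    return "$rc"
}

# Constructed "ufw status" output matching the table above (not captured from romulus).
UFW_STATUS=$(mktemp)
cat >"$UFW_STATUS" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
Samba                      ALLOW       131.188.170.139
636                        ALLOW       134.213.137.186
636                        ALLOW       52.31.192.143
1194/udp                   ALLOW       Anywhere
192.168.231.192/27 3389    ALLOW       Anywhere
EOF

# Usage on the live host:
#   ufw status > /tmp/ufw.txt && audit_ldaps /tmp/ufw.txt 134.213.137.186 52.31.192.143
```

Against the constructed status the two current PPMS addresses pass, while 54.77.60.9 (dropped in the current revision) is reported as not allowed, which is the kind of drift the warning in the GOsa² section is about.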
All scripts that run duplicity can receive an additional argument ''full''. If ''full'' is present, it forces a full backup even in cases where an incremental backup would have been possible. According to the current (February 2016) backup cronjob, this happens on every first day of the month.

The output of all backup operations is logged to ''/srv/backup-logs'' for inspection in case of problems. Currently, the account ''tnowak'' (can be changed in ''/etc/cron.d/backups'') receives an internal mail in case errors occurred.
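As an added example (not one of the backup scripts on //romulus//), the wrapper below shows how the three behaviours described above fit together: the optional ''full'' argument forces a full backup, every run is logged under ''/srv/backup-logs'', and the script stays silent unless duplicity fails, so that the ''MAILTO'' account in ''/etc/cron.d/backups'' only gets mail on errors. The script path, the source/target locations and the cron lines in the comments are assumed for illustration.

```bash
#!/usr/bin/env bash
# Wrapper around duplicity: optional "full" argument, per-run log under /srv/backup-logs,
# output only on failure (so cron's MAILTO receives mail only when something went wrong).
LOG_DIR="${LOG_DIR:-/srv/backup-logs}"

# duplicity_mode [full] -> "full" when forced, otherwise "incremental"
duplicity_mode() {
    if [ "${1:-}" = "full" ]; then echo full; else echo incremental; fi
}

# duplicity_action MODE -> duplicity subcommand: "full" forces a full backup; an empty
# action lets duplicity pick incremental when a chain exists and full otherwise.
duplicity_action() {
    if [ "$1" = "full" ]; then echo full; else echo ""; fi
}

# run_backup NAME SOURCE_DIR TARGET_URL [full]
run_backup() {
    local name="$1" src="$2" dest="$3" mode action log rc
    mode=$(duplicity_mode "${4:-}")
    action=$(duplicity_action "$mode")
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/$name-$(date +%Y%m%d-%H%M%S)-$mode.log"
    # $action is deliberately unquoted: when empty it must vanish, not become "".
    if duplicity $action "$src" "$dest" >"$log" 2>&1; then
        return 0                      # quiet on success: no cron mail
    else
        rc=$?                         # status of the duplicity run
        echo "backup '$name' ($mode) failed with exit status $rc, log: $log" >&2
        tail -n 20 "$log" >&2         # the tail lands in the cron mail
        return "$rc"
    fi
}

# Runs only when explicitly asked, so the file can be sourced for its functions:
#   RUN_BACKUP=1 /usr/local/scripts/backup-home.sh [full]        (assumed path)
# Assumed layout for /etc/cron.d/backups (illustrative, not the real file):
#   MAILTO=tnowak
#   30 2 2-31 * * root RUN_BACKUP=1 /usr/local/scripts/backup-home.sh
#   30 2 1    * * root RUN_BACKUP=1 /usr/local/scripts/backup-home.sh full
if [ "${RUN_BACKUP:-0}" = 1 ]; then
    run_backup home /home file:///mnt/backup/home "$@"   # assumed source and target
fi
```

The two cron lines split the month so that the first day runs with ''full'' and every other day lets duplicity choose; because the wrapper returns duplicity's own exit status and prints only on failure, cron's mail to ''tnowak'' carries the log tail of the failed run and nothing else.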