Getting Started With Zivios

From Zivios Wiki


Once you have Zivios installed, you are redirected to the login page. This is where we use the administrative login ID "zadmin" to get into the system. Remember the password you specified for zadmin during installation, as there is currently no way to recover it. You can, however, reset the zadmin password directly in Kerberos.


First Steps

When you log in, you are presented with the Zivios dashboard. At the time of this writing, there is no data displayed -- it simply says "Dashboard".

From the top menu, open the drop-down list and click on "Browse Directory". You will see a screen very similar to the graphic below.


Image:zivios-browse-directory.png


Click on the + next to "Zivios" to expand the tree. Continue to expand "Core Control" and "Master Services". The services you see listed under Master Services are labeled as Zivios Core modules. These include Zivios CA (certificate authority), Zivios Directory (OpenLDAP Management), Zivios DNS (Domain Name Service), Zivios Kerberos and Zivios Time.

As a small test, click on Zivios DNS. A screen similar to what we see below should open up:


Image:zivios-view-dns.png


During installation, Zivios asked for the primary domain name of your system. Let's see what it did with it. Click on "Manage Zones" in the top menu of the service view. This time you are presented with a domain name you can manage. Click on the "Manage" link next to the domain name.

You will notice two host name entries are present. One is "ns1", signifying the primary name service, and the other is the virtual host name that you had specified.

Let's add a host name. In the "Add New Host" text box, type in "demo" (or something more creative) and click on Apply.

Click on "Manage" next to the host name and you'll be able to add an A record for the host.

Now let's test our change. Open a terminal on your master Zivios server and edit the file /etc/resolv.conf.

Replace its contents with:

   domain yourdomain.com
   nameserver 127.0.0.1

Save the file and quit your editor. From the terminal, type in:

   host demo.yourdomain.com

The system should resolve it to the IP address that you specified. Unless you open outgoing ports for your DNS service, it will not be able to resolve external domain names. This is not a show-stopper, however: generally you would want to forward DNS queries to your ISP's resolvers and let them resolve. Simply set up DNS forwarding for your service.

Let's get back to our control panel.

Adding Users, Groups and Servers

Do not add servers, users or groups inside Zivios Core Control. Let's create some entries in our tree where they make more sense. Start by right-clicking on your company name as it appears in the tree. In our example, it's Zivios, Inc. Click on "Add Locality Container". Enter a name for your locality and click on "Add Locality".


Image:Zivios-add-locality-container.png


Right click on the locality you have just added and click on Add Branch Office. Enter a name for your branch office (ex: HeadOffice). Once you have a branch office, right click on it and add containers for Servers, Users and Groups. Your tree should look something like this now:

Image:Zivios-tree-phase-01.png

Right click on the Groups container and click on "Add Group". Once you have a group in the system, proceed to add a user in the Users container.

Adding a Server to Zivios

There are a few prerequisites to adding a server to the system. Currently support exists only for Debian Etch and Ubuntu Hardy, which means the servers you add and manage via Zivios must be running either one of these two distributions. We will of course add support for additional distributions in coming versions.

At this point we are assuming you have a server on your network running Debian or Ubuntu with the Zivios agent installed on it. If not, please refer to the document Preparing a Server for Zivios.

Right click on your Server Container and click on Add a Server.

Image:1-Adding_Server.jpg

Upon successfully adding the server, your view changes. Notice the orange Computer Plugins tab; more on this in the next section.

Image:2-server_added.jpg


Primer on IDM Concepts: Users, Groups and Services

Everything inside Zivios revolves around the concept of a Service. A service is something that provides functionality to the User or a Computer. Even core Zivios systems follow this methodology.

A Service resides on one or more Computers. This is why we needed to define a Server first: the service needs a physical place to execute. Core objects such as DNS, NTP, LDAP and Kerberos all reside on the same physical system.

The Service object itself provides SERVICE-wide configuration details. In Zivios the view of a service is a LOGICAL one. If you change parameters in a Mail service, you do not need to worry about changing every single mail server; Zivios would do that for you (in the future).

Services

Computer Plugins

Some modules can provide COMPUTER plugins. This makes sense for modules which require computer-wide configuration such as DNS, LDAP, Kerberos, CA, DHCP and NTP. When you add a server, Zivios will automatically initiate computer plugins for:

  • DNS: It will write the correct /etc/resolv.conf
  • Kerberos: It will write the correct /etc/krb5.conf and generate host keytabs, pushing them to /etc/krb5.keytab
  • LDAP: It will automatically configure /etc/nsswitch.conf and libnss-ldap to read user/group information from LDAP
  • NTP: It will automatically generate and write /etc/ntp.conf
  • CA: It will generate server public and private certs. It will write the CA cert, the server private key and the server public cert to /etc/ssl
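The list above says what each computer plugin writes, but not how to confirm the agent actually did it. The script below is an added example, not Zivios code: it parses the files named in the list and reports whether each one contains what its plugin was supposed to write (the nameserver line, the Kerberos default realm, `ldap` in the passwd/group lookups, the master server as NTP source), and checks that the host keytab is root-owned and not group/world readable. The `SAMPLE_FILES` contents, the `192.0.2.10` nameserver, the `EXAMPLE.COM` realm and `zivios.example.com` are all constructed values; `main()` reads the live files when they exist and falls back to the samples otherwise.

```python
"""Check the files the Zivios computer plugins write on a newly added server.

Added example, not Zivios code.  Each check parses one file the page lists
and returns True when it contains what the plugin was supposed to write.
The SAMPLE_FILES contents are constructed for the demo; on a real server
main() reads the live files instead."""
import os
import re
import stat

# Constructed sample contents, shaped like the files the plugins write.
SAMPLE_FILES = {
    "/etc/resolv.conf": "domain example.com\nnameserver 192.0.2.10\n",
    "/etc/krb5.conf": "[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\n"
                      "[realms]\n\tEXAMPLE.COM = {\n\t\tkdc = zivios.example.com\n\t}\n",
    "/etc/nsswitch.conf": "passwd:  compat ldap\ngroup:   compat ldap\n"
                          "shadow:  compat ldap\nhosts:   files dns\n",
    "/etc/ntp.conf": "driftfile /var/lib/ntp/ntp.drift\n"
                     "server zivios.example.com iburst\nrestrict default kod nomodify\n",
}


def check_resolv_conf(text, nameserver):
    """True if a 'nameserver' line names the Zivios DNS server."""
    found = [parts[1] for parts in (line.split() for line in text.splitlines())
             if len(parts) >= 2 and parts[0] == "nameserver"]
    return nameserver in found


def check_krb5_conf(text, realm):
    """True if default_realm in krb5.conf is the expected Kerberos realm."""
    match = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.MULTILINE)
    return match is not None and match.group(1).upper() == realm.upper()


def check_nsswitch(text):
    """True if the passwd and group databases consult LDAP (libnss-ldap)."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if ":" in line:
            db, srcs = line.split(":", 1)
            sources[db.strip()] = srcs.split()
    return all("ldap" in sources.get(db, []) for db in ("passwd", "group"))


def check_ntp_conf(text, server):
    """True if ntp.conf lists the master Zivios server as a time source."""
    found = [parts[1] for parts in (line.split() for line in text.splitlines())
             if len(parts) >= 2 and parts[0] == "server"]
    return server in found


def mode_is_private(mode):
    """True if a file mode grants no group or world permission bits (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def secret_is_private(path):
    """Keytabs and private keys must be root-owned and readable only by root."""
    st = os.stat(path)
    return st.st_uid == 0 and mode_is_private(stat.S_IMODE(st.st_mode))


def audit(files, nameserver, realm, ntp_server):
    """Run every content check over {path: text}; returns {path: passed}."""
    return {
        "/etc/resolv.conf": check_resolv_conf(files["/etc/resolv.conf"], nameserver),
        "/etc/krb5.conf": check_krb5_conf(files["/etc/krb5.conf"], realm),
        "/etc/nsswitch.conf": check_nsswitch(files["/etc/nsswitch.conf"]),
        "/etc/ntp.conf": check_ntp_conf(files["/etc/ntp.conf"], ntp_server),
    }


def main():
    # The expected values below are constructed; substitute your master server's.
    files = {}
    for path, sample in SAMPLE_FILES.items():
        files[path] = open(path).read() if os.path.exists(path) else sample
    results = audit(files, "192.0.2.10", "EXAMPLE.COM", "zivios.example.com")
    for path, ok in results.items():
        print(f"{'OK ' if ok else 'BAD'} {path}")
    keytab = "/etc/krb5.keytab"
    if os.path.exists(keytab):
        print(f"{'OK ' if secret_is_private(keytab) else 'BAD'} {keytab} permissions")


if __name__ == "__main__":
    main()
```

The content checks are deliberately forgiving about whitespace and comments because the plugins regenerate these files; the permission check is strict because a world-readable keytab lets any local user impersonate the host to the KDC.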

If you click on the NTP plugin in the server you just added, it will probably show up as STOPPED. This is because the NTP service is most likely not yet installed on that system.

Image:3-ntp_service_stopped.jpg

Try installing the NTP service by doing:

   apt-get install ntp

Upon refreshing the view (Update status) you will see that it automatically detects that the NTP service is running. For the experiment, check /etc/ntp.conf on the newly added server; it will still be the default ntp.conf.

Click on service configuration in the NTP plugin and click 'Poll config'.


Image:4-poll_NTP.jpg

Check /etc/ntp.conf on the server again; it will have been updated to point at the new NTP server (the master Zivios server).

This is how plugins work. They keep the configuration of every computer in your datacentre in sync so that manual steps are unnecessary.

Adding a Service

First we need to add a service container. Service containers can be placed anywhere, but their services are only visible at the same tree depth; the exception is services placed in the base tree. To keep things simple, we are going to add a Global Services container to the root of the tree. Right click on Zivios, Inc, select "Add Service Container" and call it Global Services.

Image:5-adding_service_container.jpg

Right click on the container and ADD your service.


Adding an Asterisk service

Out of the modules shipped with Zivios, we are going to select and install the Asterisk module for testing. Before doing this you need to complete the following steps on the target server:

  • Server side Asterisk plugin installation
  • Post Installation

After that we are ready to add the Asterisk service. Click on 'Install'.

Image:6-adding_Asterisk_SErvice.jpg

Select the target computer as the master computer. In some services (in the future) you would be able to select multiple SLAVE computers to install on. This would make sense for replicated setups such as DNS or clustered setups such as Asterisk or Mail.


When the installation completes successfully you should see the Asterisk Service object appear and the screen change to the Asterisk Service Dashboard.

Image:7-Asterisk_added.jpg

Feel free to explore the service. Remember, this is the service-wide configuration aspect of Zivios: creating inbound routes, conferences and queues.

Creating extensions, voicemail, etc would logically come under the User Management part of the Asterisk plugin. Likewise ring groups, etc would come under the Group Management part of the Asterisk plugin.

Hopefully the concept of Services, Computers, Users and Groups is becoming clearer with this example.


Add a SIP Trunk

Zivios does user permissions by trunks. It is necessary to add at least ONE outgoing TRUNK for Zivios to function properly. Let's add a simple SIP trunk:

Image:7b-Asterisk_Adding_SIP_Trunk.jpg

Let's proceed to the next section and add some users!

Identity Management using Zivios

IDM is accomplished using the supplied Group and User plugins. Once a service is initiated, the groups within its visibility see that service and allow you to EXTEND them with it.

Once a group has been extended with a service, users in that group can initialize that service, which exposes the user-specific options of the service. It is up to the module creator to decide what functionality goes in each of the four components, namely User, Group, Service and Computer.

Group Plugins

Let's create a new group. Right click on the group container you created earlier and select "Add Group". The only required parameter is the group name.


You will see that the group automatically inherits a few plugins. Kerberos, LDAP, CA and Posix all define 'group' and 'user' portions. DNS, NTP and DHCP do not provide such portions and hence cannot be added to groups. It is up to the module developer to define these portions, and Zivios adjusts automatically.

Click on Service Management inside the group. You will notice that an Asterisk plugin can now be added to this group. Install this plugin.

Image:8-subsribing_group_to_asterisk.jpg

You will notice that the group now has an orange Asterisk tab. All plugins show up as these orange tabs.

  • Note: You can also simply extend the first group you created earlier with the Asterisk plugin. The user you created earlier will then AUTOMATICALLY allow the Asterisk plugin to be added to it.

User Plugins

Users inherit plugins based on their group memberships. Sometimes this is pointless, as the group portion of a plugin may do absolutely nothing (Squid, for example). However, this is the norm we have chosen in order to maintain consistency.

The user you created earlier should list 'Asterisk' as a plugin. Clicking on it, you will see the plugin is disabled. Plugins need to be explicitly enabled per user. In a later version we might provide a 'Bulk Subscribe' feature.

Image:10-Zivios_Asterisk_Plugin.jpg

You will notice that the information requested by the 'Asterisk' plugin is closely tied to the user: extension, voicemail password, codecs, email, etc.

When you click Apply, multiple things happen. First, the user's information gets stored in LDAP for later retrieval. Second, the Asterisk plugin contacts the agent on the Asterisk machine and asks it to make the corresponding changes in Asterisk's sip.conf, extensions.conf and voicemail.conf automatically.

You will also see a 'Route permissions' section. The Zivios Asterisk plugin also provides a feature to enable route-based ACLs. This is an example of how you can add custom functionality to Asterisk using a Zivios plugin and give it a nice front end.

Delegated Administration

Zivios allows fine-grained ACLs to be placed on any part of the tree. Since everything inside Zivios is an LDAP object, any sort of control can be incorporated using LDAP ACLs. Zivios also features Zivios ACLs, which can further lock down the system and provide kinds of ACLs that are not possible with bare OpenLDAP ACLs. In doing so, the security of the system is completely preserved.

Zivios logic has been carefully examined by us and every care is taken NOT to leave security holes. This means we make sure there is no situation in which you can get MORE access by bypassing Zivios (binding to LDAP directly). If you can produce a scenario where this does not hold true, please report it immediately as a bug or discuss it on our mailing lists! We believe that security should never be compromised, regardless of how easy to use a system is.

Transactions and Workflow

All actions in Zivios use transactions to defer execution until a later time. This allows module developers to chain arbitrary code onto any transaction. Transactions are necessary because they allow:

  • Arbitrary rollback
  • Workflow (deferring transactions until they are approved by an authority)

Currently, transactions bypass workflow and execute directly.
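To make the two properties above concrete, here is an added example (not Zivios code) of a deferred transaction with compensating rollback. Module code chains `(apply, rollback)` pairs onto the transaction; nothing runs until `commit()`, a commit that requires approval stays deferred until `approve()` is called, and if any step fails the rollbacks of the steps already applied run in reverse order. The in-memory `directory` and `agent` dictionaries, `build_add_user`, and the user names are constructed stand-ins for an LDAP write followed by a push to the agent on a managed server.

```python
"""Deferred transaction with compensating rollback (added example, not Zivios code).

The 'directory' dict stands in for LDAP and the 'agent' dict for the Zivios
agent on a managed server; both are constructed for the demo."""


class Transaction:
    def __init__(self, description):
        self.description = description
        self.steps = []          # (apply, rollback) pairs, run only on commit
        self.approved = False
        self.state = "pending"

    def add_step(self, apply, rollback):
        """Module code chains work onto the transaction; nothing runs yet."""
        self.steps.append((apply, rollback))
        return self

    def approve(self):
        """Workflow authority signs off; the transaction may now execute."""
        self.approved = True

    def commit(self, require_approval=True):
        """Execute the chain.  Returns False if still waiting for approval.

        require_approval=False models the current Zivios behaviour, where
        transactions bypass workflow and execute directly."""
        if require_approval and not self.approved:
            self.state = "deferred"
            return False
        done = []                # rollbacks of steps that actually succeeded
        try:
            for apply, rollback in self.steps:
                apply()
                done.append(rollback)
        except Exception:
            for rollback in reversed(done):   # compensate in reverse order
                rollback()
            self.state = "rolled_back"
            raise
        self.state = "committed"
        return True


def build_add_user(directory, agent, uid):
    """Constructed demo: write an LDAP entry, then push it to the server agent."""
    tx = Transaction(f"add user {uid}")
    tx.add_step(lambda: directory.__setitem__(uid, {"uid": uid}),
                lambda: directory.pop(uid, None))

    def push_to_agent():
        if not agent["reachable"]:
            raise ConnectionError("agent unreachable")
        agent["users"].append(uid)

    tx.add_step(push_to_agent, lambda: agent["users"].remove(uid))
    return tx


if __name__ == "__main__":
    directory, agent = {}, {"reachable": False, "users": []}
    tx = build_add_user(directory, agent, "alice")
    tx.approve()
    try:
        tx.commit()
    except ConnectionError as exc:
        print(f"{tx.description}: {exc}; state={tx.state}; directory={directory}")
```

The important property is that a half-applied change never survives: when the agent push fails, the LDAP entry written a moment earlier is removed again, so the directory and the managed server do not drift apart.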

Managing ACLs

Right click on Zivios, Inc and select 'Manage ACLs'. This brings you to the following screen:

Image:11-Manage_ACL.jpg

These are the ACLs placed on the Zivios, Inc object. ALL objects allow for ACL management. You can restrict who can read, write, auth, search and compare (the standard LDAP ACLs) based on user ID or group. Attribute-level ACLs are not yet possible, but will be made available SOON.

Understanding Zivios ACLs

Some actions require Zivios ACLs. Password changing is one of them. You will see that currently ALL access is allowed to EVERYBODY. You should most likely change this to something stricter (such as deny all and allow zadmin). However, when denying ALL, make sure that another ACL not listed here, CORE_LOAD_DN, remains accessible to all. Without it, LDAP object loading will start throwing Access Denied exceptions.

Modules can provide CUSTOM ACLs, which is why we only have a TEXT field for entry (since we don't know what ACLs are required). However, we do plan to list the available ACLs using some sort of variable reflection in the future so you don't have to TYPE them in (and introduce errors!).

You can try disabling password changes for a particular user. The ACL name is CORE_USER_CANCHANGEPW. Set it to DENIED for all users and allowed for zadmin.
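The deny-all-then-allow-zadmin policy above has one trap the text calls out: forgetting CORE_LOAD_DN breaks object loading for everyone. The following is an added example, not Zivios code, that models named ACLs of this kind so the trap can be seen and linted for before the policy is saved. Assumptions, labelled as such: a rule is (ACL name, subject, effect) where the subject is `all`, `user:<uid>` or `group:<cn>`; a rule naming a specific user or group wins over a rule for `all`; and an ACL with no rule at all is open, mirroring the "ALL access allowed to EVERYBODY" default described above. The ACL names CORE_LOAD_DN and CORE_USER_CANCHANGEPW come from the page; `Policy`, `lint`, the principals and the sample DN are constructed.

```python
"""Model of Zivios-style named ACLs (added example, not Zivios code).

Assumed semantics: a rule naming a specific user or group beats a rule for
'all'; an ACL with no rule is open.  Only the two ACL names come from the
Zivios documentation; everything else here is constructed."""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Rule:
    acl: str
    subject: str      # 'all', 'user:<uid>' or 'group:<cn>'
    effect: str       # 'allow' or 'deny'


@dataclass
class Principal:
    uid: str
    groups: frozenset = field(default_factory=frozenset)

    def matches(self, subject):
        if subject == "all":
            return True
        kind, _, name = subject.partition(":")
        return (kind == "user" and name == self.uid) or \
               (kind == "group" and name in self.groups)


class Policy:
    def __init__(self, rules):
        self.rules = list(rules)

    def is_allowed(self, principal, acl):
        specific = [r for r in self.rules
                    if r.acl == acl and r.subject != "all" and principal.matches(r.subject)]
        general = [r for r in self.rules if r.acl == acl and r.subject == "all"]
        for bucket in (specific, general):     # most specific bucket decides
            if bucket:
                return all(r.effect == "allow" for r in bucket)   # any deny is final
        return True                            # no rule on this ACL: open (assumed)

    def require(self, principal, acl):
        if not self.is_allowed(principal, acl):
            raise AccessDenied(f"{principal.uid} lacks {acl}")


def lint(policy):
    """Warnings an admin wants before saving a deny-all policy."""
    anonymous = Principal("constructed-nobody")   # matches only 'all' rules
    warnings = []
    if not policy.is_allowed(anonymous, "CORE_LOAD_DN"):
        warnings.append("CORE_LOAD_DN is not allowed to all: "
                        "every LDAP object load will raise Access Denied")
    return warnings


def load_dn(policy, principal, dn):
    """Every object load goes through CORE_LOAD_DN, exactly as the text warns."""
    policy.require(principal, "CORE_LOAD_DN")
    return {"dn": dn}                          # stand-in for the loaded LDAP object


def change_password(policy, actor, target_dn):
    load_dn(policy, actor, target_dn)
    policy.require(actor, "CORE_USER_CANCHANGEPW")
    return True


# Constructed principals and policies for the demo.
ZADMIN = Principal("zadmin")
ALICE = Principal("alice", frozenset({"staff"}))
SAMPLE_DN = "uid=alice,ou=Users,dc=example,dc=com"

STRICT_POLICY = Policy([
    Rule("CORE_USER_CANCHANGEPW", "all", "deny"),
    Rule("CORE_USER_CANCHANGEPW", "user:zadmin", "allow"),
    Rule("CORE_LOAD_DN", "all", "allow"),          # the exception the text insists on
])
BROKEN_POLICY = Policy([                           # deny-all applied without thinking
    Rule("CORE_LOAD_DN", "all", "deny"),
    Rule("CORE_LOAD_DN", "user:zadmin", "allow"),
])

if __name__ == "__main__":
    print("strict policy warnings:", lint(STRICT_POLICY))
    print("broken policy warnings:", lint(BROKEN_POLICY))
    for actor in (ZADMIN, ALICE):
        try:
            change_password(STRICT_POLICY, actor, SAMPLE_DN)
            print(f"{actor.uid}: password change allowed")
        except AccessDenied as exc:
            print(f"{actor.uid}: {exc}")
```

Running the lint before saving is the practical takeaway: with the broken policy even zadmin's own session keeps working, so the mistake only surfaces when the next ordinary user cannot load a single object.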
