Administration Guide

This Admin Guide details the common procedures that you will need to follow in order to set up and use Access Control Plus.

3.1 Starting Up

To start Access Control Plus, follow these steps:

1. Open a terminal window on the server and login with suitable file permissions.
2. Run the scm-access-control-plus service, located in the /etc/init.d folder:

   lrwxrwxrwx  1 root root        65 Apr 24 11:43 scm-access-control-plus -> /opt/wandisco/scm-access-control-plus/bin/scm-access-control-plus
   

3. Run the script with the start command:

   [root@localhost init.d]#  ./scm-access-control-plus start
   
   
   Starting scm-access-control-plus:.                         [  OK  ]
   

4. The Access Control Plus application will start. Read more about the svn-multisite init.d script

3.2 Shutting down

To shutdown:

1. Open a terminal window on the server and login with suitable file permissions.
2. Run the svn-multisite service, located in the init.d folder:

   lrwxrwxrwx  1 root root        65 Apr 24 11:43 scm-access-control-plus -> /opt/wandisco/scm-access-control-plus/bin/scm-access-control-plus

3. Run the stop script, i.e.:

   [root@redhat6 init.d]#   ./scm-access-control-plus stop
   
   Stopping scm-access-control-plus:.                         [  OK  ]
   
   

4. The process will shut down.

3.3 init.d Management Script

The 'start-up' script for persistent running of Access Control Plus can be found in the /etc/init.d folder. Run the script with the help command to list the available commands:

[root@redhat6 init.d]#  ./scm-access-control-plus help

usage: ./scm-access-control-plus (start|stop|restart|force-reload|status|version)

start         Start Access Control Plus services
stop          Stop Access Control Plus services
restart       Restart Access Control Plus services
force-reload  Restart Access Control Plus services
status        Show the status of Access Control Plus services
version       Show the version of Access Control Plus

Status

Check the running status (with current process ID).

[root@redhat6 init.d]# ./scm-access-control-plus status
Checking scm-access-control-plus:running with PID 29516    [  OK  ]

Version

[root@redhat6 init.d]# ./scm-access-control-plus version
1.0.0-1180

3.4 Password change/recovery

This section explains what to do if an admin loses their password and needs to regain entry to Access Control Plus. Currently the method uses a script that resets Access Control Plus's authentication. If you have set up to use LDAP, this will be disabled, returning access to local users. A new administrator-level local users will be created with credentials that you supply when you run the script.

1. Open a terminal on your node. Navigate to the replicator directory.

   $  cd /opt/wandisco/scm-access-control-plus
   



2. Run the following command-line utility.

   [root@redhat6 scm-access-control-plus]# java -jar scm-access-control-plus-resetSecurity.jar
   Enter full path to the replicator properties folder: /opt/wandisco/scm-access-control-plus/properties
   Enter your username: temporary
   Enter your new password:************
   Confirm your new password:************
   Enter your first name: Temorary
   Enter your last name: Account
   Enter your email address: admin@theadmin.com
   A new user has been created, in order for this to take effect you will need to restart this node.
   [root@redhat6 scm-access-control-plus]#
   



3. Respond to each prompt, then when you've entered everything, restart Access Control Plus to add the new users.


4. Now login using the orginal authentication form:
   

Accounts

An Account is a collection of information that tells Access Control Plus which resources the account holder can access and what level of access they should have. Accounts are the fundamental building blocks for Access Control, although the Access Control model actually handles permissions only on a per-team basis, not directly on individual accounts.

3.5 Create an Account

There are three methods for four routes to an account creation. This procedure follows the sequence that follows from clicking the Create User button, on the Accounts pane that appears on the master screen. You can also create an account from within the Create Team procedure. A more common approach is to add accounts by setting up a query to an available LDAP authority, to add accounts using LDAP, see Connect to LDAP.

• 1. Login to Access Control Plus. Click the + Create button on the Accounts panel.
  
• 2. An entry table will open. Enter the account holder's details, as described below.
  
  

  First Name

  The acount holder's first name.

  Last Name

  The account holder's last name.

  Account Name

  The account name that Access Control Plus will use internally to refer to the account holder.

  Password

  The password for the account (obfuscated entry)

  Confirm Password

  A repeat entry of the password to confirm it was correctly entered.

  Email Address

  The email address associated with the account holder

  Public Key (for Git access)

  The account holder's public key when running with Git that is using ssh authentication. When copying this into the form ensure that no breaks are added - a key should be one unbroken line of characters.

  Disabled (Checkbox)

  This checkbox is used to disable the acount. When ticked the account holder will be completely locked out. All authorization is disabled. This feature offers administrators a means of removing access without completely removing an account or messing with rules. The effect of a disablement is effectively instant from the moment the entry screen is updated, unless batched updates

  User type (Drop-down)

  
  The User type drop-down menu is used to select a type for the account. The following account types are available:

  Standard

  A standard account holder supports all levels of access on all available resources, subject to the rules that apply to the teams for which the account is a member.

  Audit User

  An Auditor account is of a special type that can never be granted write permissions. This provides administrators with complete confidence when adding accounts for employees who need access to repository data but who are not qualified to make changes.

  Application Adminstrator

  This account type is specifically for SCM administrators who will themselves manage Access Control Plus. Administrators can access the admin console and have permissions to change all Access Control Plus settings.

  Update (button)

  Use this button to submit the account details entered into the form, or for that matter any changes that are made during the edit of an existing account.

• 3. Once the account holder's details are entered, click the Update button to save the changes to Access Control Plus's internal database. The account is ready to add to teams, which will then enable you to apply rules to it, which ultimately provide access control for available SCM resources.

3.6 Edit an existing account

Use the following procedure to make changes to an existing account.

• 1. Login to Access Control Plus. Locate the account that you wish to change.
  

  Search by filter Click the Filter to bring up a search entry box. You can select from several critera (Name, Username, Email) for the search.

  Manual Search Use the pagination page links at the bottom of the Accounts panel to run through the available accounts.

  Selecting an account Click on the Account holder's name to bring up the account screen

• 2. An account screen provides an overview of the account's team memberships and access privilages.
  
  It's possible to return to the account's entry form in order to make edits. To do this, click on the Edit link. In the main panel are lists of the teams to which the account is a member and all rules that currently apply to the account.
  
  Change Teams membership From the Teams table it is possible to click on a Team name in order to remove the account from that team / subteam.
  Change a rule Click on any rule in the Rules table in order to remove the account from the rule.


• 3. Once you have finished with the account screen, click the tab on the left hand side of the panel to close the screen.
  
  

LDAP-based users

Note that the "Edit" screen is renamed "Details" for LDAP users as it is not possible to edit an LDAP-based user through Access Control Plus. If you need to modify an LDAP users you will need to do it from within your LDAP service.

3.7 Remove an account

Use this procedure to completely remove an account from Access Control Plus. Be aware that it is often better to disable accounts, should the holder need to get their access back in future.

• 1. Login to the admin console. From the management screen, locate the account that you wish to remove.
  
  
• 2. Tick the check box to the left of the Account holder's name then click the -Remove button on the top of the Accounts pane.
  
• 3. A pop-up warning will ask "Are you sure?". There is no undo for an account removal so consider that question carefully. If you are sure, Click OK. The acccount will not be completely removed from Access Control, it will no longer appear on the accounts list, or in any teams or rules.

If you need to check the accounts particulars to ensure that you are removing the correct account, go to the accounts details screen, you'll find a Delete button at the bottom. This does the same thing as the remove link on the main management screen.

3.8 Disable an account

Disable accounts remain stored in Access Control Plus, they are, however, unable to login or interactive with any repository resources. A disabled account can be added back at a moments notice by re-enabling them.

Currently this isn't working for me.

• 1. Login to the admin console. From the management screen, locate the account that you wish to disable.
• 2. Click on the account holder's name to open up the Account page.
• 3. Click on the Edit button to view the account's basic details. From the accounts details screen, tick the Disabled check box, then click the Update button.

Teams

Teams are intended to make organizing account permissions much simpler as they allow you to apply rules en mass, rather than have to detail permissions for each individual account. There are.

3.9 Create a Team

Use this procedure to set up a new Access Control Team. This method follows the method for adding accounts manually, it is also possible to manager your team structure through LDAP, setting up a query that will filter for the specific account holders that you need for a particular team. For more about this see Adding an LDAP-based team

• 1. Login to the admin console.
• 2. On the Teams pane, click the + Create button.
  
• 3. Complete the entry form for your new team.
  

  Team Name

  Enter a name for the team.

  Team Description

  Enter a description for the team.

  Team Leaders

  During the team creation process this section is not available.

  Create (button)

  Click the button to save the new team.

• 4. The team's screen now appears. From here you define the team in terms of it's Subteams, Members, Resources and Rules.
  

  Subteams

  Subteams are themselves teams of accounts. Subteams differ from teams in that they can only be formed as a subset of its parent team's accounts and available resources. The chief benefit of subteams is that they allow administrators to dole out portions of accounts to suborinate team leaders who are able to manage their subteam, without having wider access to members and resources that fall outside of their responsibility. Put simply, this allows administrators to take vacations as day-to-day user creation/removal etc. can be delegated to team leaders, while at the same time, still limiting full SCM access.

  Members

  Accounts that are added to a team become Members. You can add existing accounts using the + Add button, then selecting accounts. From the Add Members screen you can also create a new member using the Create member button.
  

  Resources

  Resources are representations of repository templates. If you create a team on a new node you'll not be able to add resources until you have established some Repository Templates from the Settings section.
  

Adding an LDAP-based team

Follow this procedure to create a team that is populated from an LDAP authority.

• 1. Login to Access Control Plus. If you have not done so already, add an LDAP authority (in this case the one from which you will be pulling accounts.
• 2. On the Teams pane, click on the + Create button.
  
• 3. Fill out a Team Name and Team Description, then click the Create button.
  
  
• 4. The Team is created, now click on the Edit link.
  
• 5. From the Team edit window, enter the relevant details for an LDAP authority that you wish to associate with the team. Select the authority from the dropdown. If your authority query already filters the accounts that you need then you don't need to include a query, otherwise you'll need to add one. Once you have entered those details, click Update
  
• 6. Click on Close.
  
• 7. You will be returned to the master screen. You'll note that the team should now be populated from LDAP.
  
• 8. Now return to the team by clicking on its name. You can now select from the manually select which users from LDAP are added to the group. Also add any other team components (Resources, Rules, subteams etc) that you need.
  

3.10 Edit a Team

• 1. Login to the admin console.
• 2. On the Teams pane, click the name of the team that you wish to edit.
  
• 3. The team's screen will open.
  
  From here you can create additional Subteams, Add more resources, Add/Remove Members or Rules.

3.11 Delete a Team

• 1. Login to the admin console.
• 2. Click on the Team or Subteam that you wish to delete.
  
  
• 3. Click on the Edit button to view the teams/subteams settings
  
  
• 4. You will be prompted to confirm the deletion - Access Control Plus doesn't allow deletions to be undone so it always checks before deleting an object.
  
  

Resources

Resources are the available repository data, they can be in the form of full repositories or small portions of a repositories file tree. It's only possible to add Resources to Access Control Plus when there is at least one account assigned to a team.

3.12 Create a Resource

Use this procedure to create additional resources, when not syncing with WANdisco's MultiSite products. If you are connecting to MultiSite then resources are selected from whatever repositories that are automatically added. See Create a Resource in a MultiSite Environment

• 1. Login to the admin console, on the main management screen, click the + Create button at the top of the Resources pane.
  
  
• 2. The Resources entry form opens. Fill the form using the guidelines below.
  
  

  Repository Name

  Enter a name for the resource.

  Repository Location (SVN Only?)

  Enter the file path to the repository data.

  Repository Template lists

  Select from the available Repository Templates that you've added.

• 3.Click Save. You'll be returned to the main screen, with the new resources added to the list.
  
  

Create a Resource in a MultiSite Environment

Use this procedure to create additional resources, if syncing with WANdisco's MultiSite products. If you are connecting to MultiSite then resources are selected from whatever repositories that are automatically added.

• 1. Login to the admin console, on the main management screen, click the Assign template button of a repository that has been sync'ed from Git and or SVN MultiSite.
  
  
• 2. A Window will appear that lists the available Repository Templates that correspond with the relevant version control system. Select one of the available templates.
  
  
• 3.Click Save. You'll be returned to the main screen, with the new resource added to the list.
  
  

3.13 Edit a Resource

You can easily edit resources by clicking on the resource's name.

• 1. Change any of the values, then click Save.
  
  

3.14 Remove a Resource

You can remove the resource from the main screen:

• 1. Change any of the values, then click Save.
  
  

Rules

Rules are used to define the parameters for what resources and what permission levels are applied to accounts, strickly through the account's team membership - rules are not applied directly to accounts. Accounts can only have rules applied to them if they are first assigned to a team.

3.15 Using Rule lookup

The Rule lookup tool provides administrators with a means of testing what access and permissions apply to specific accounts. Given that Accounts can belong to multiple teams and have multiple rules applied, the Rule lookup tool can useful tool.

• 1. Click the Rule lookup link on the top menu bar.
  
  
• 2. Enter an account name, along with a repository and path for which you want to test access.
  
  Any rules that apply to the account for the specified resources will show up after you click the Lookup button. They will appear in the Permissions table.

3.16 Create a Rule

Use this procedure to create a new rule

• 1. Login to the admin console. As rules can only be assigned to Team, select a team. Click on the Team's name.
  
• 2. On the Team screen, click the + Create button at the top of the Rules pane.
  
  
• 3. Provide a name then proceed to the Rule screen. Click on the + Add button to add members to which the new rule will apply.
  
  
• 4. Next, select the accounts. Note that there is a check box on the right-hand pane Apply to all current and future members - check this to ensure that the rule is applied automatically to all new members of the team.
  
  When you've added all the necessary accounts, click the Confirm button.
• 5. Finally, you need to add details of what resources and to what level the account holders get access. Click the +Add button to go to the resources screen.
  
  
• 6. On the left-side pane select from the available resources. When you've finished, click the Confirm button.
  
  
• 7. The permission level for each repository resource is then selected. The options are Deny, Read and Read/write
  
  When done, click the Save selection button.
• 8. The new rule will now appear on the list.
  
  

3.17 Edit a Rule

You can edit a rule by clicking on its name on the main screen. This will open up the Rule from where you can modify any of its settings.

3.18 Delete a Rule

You can delete a rule by clicking on it's corresponding check box and then clicking on the - Remove button.

.

Settings

This section deals with the changing and modifying the application settings.

3.19 Connecting your nodes

If you are deploying multiple Access Control Plus node, you'll need to do the following steps to get the nodes talking to each other correctly.

• 1. Repeat the installation procedure on your additional Access Control Plus nodes. Take note of Step 11."

  There can be only one..
  When installing your nodes remember that the step to assign one node as the state machine creator should only be answered "Y" on one of your nodes. It can be any of the nodes, it doesn't have to be the first one that you install.
  In the rest of this procedure we'll refer to the state machine creator node as the "Induction controller node"

• 2. When all nodes have been installed and are up-and-running, Login to each node that you did not assigned as the state machine creator (Induction controller) node. You'll see that these nodes are in a waiting state, locked down until it has been inducted into the replication network.
  
  We'll need to copy the provided details into the 'Induction Controller Node's' Inductor entry fields.
• 3. Login to the Induction Controller Node, go to the Settings, then click on Node Induction, under Node Management.
  
  
• 4. Copy the details of each node into the form, ensure that the Inductor host name doesn't include the protocol prefix 'http://'. Once entered, click Confirm. The node will appear in the list of pending nodes. It should quickly complete the induction.

  Permit no actions until induction completes.
  Although the induction process is usually very fast, in the event that induction takes a while, take action to ensure that there is no attempt to interact with the admin console screens until the induction controller node reports that the process has completely.

• 5. Repeat these steps for each node until all Access Control Plus nodes have completed induction.
• 6. Once induction has completed on each node, it should be included in the Nodes list and become 'unlocked', allowing you to login and interact with the admin console, create accounts, teams, etc.

  Stuck in pending state
  Should any node get stuck in a pending state, you can cancel its induction and try again. Troubleshooting

  
  

3.20 Enable SSL Encryption

Access Control Plus supports the use of Secure Socket Layer encrytion (SSL) for securing network traffic. Currently SSL properties are not exposed through the admin console, instead you need to make edits to Access Control Plus's applications properties file.

/opt/wandisco/scm-access-control-plus/properties/applications.properties

If you plan to use SSL you need to run through the following steps before going into production.

• 1. Create a new directory in which to store your key files, this directory can be placed anywhere, although in this example we'll store them within the Access Control file structure. Open a terminal and navigate to /opt/wandisco/scm-access-control-plus/config/.


• 2. From within the /config folder make a new directory called ssl.
  

  -rw-rw-r-- 1 wandisco wandisco 29 Apr  5 16:53 main.conf
  
  [User@redhat6 config]$ mkdir ssl



• 3. Go into the new directory.
  

  cd ssl



• 4. Copy your private key into the directory. If you don't already have keys set up you can use JAVA's keygen utility, using the command:
  

  keytool -genkey -keyalg RSA -keystore wandisco.ks -alias server -validity 3650 -storepass  <YOUR PASSWORD>

  Knowledgebase Read more about the Java keystore generation tool in the KB article - Using Java Keytool to manage keystores

  -genkey

  Switch for generating a key pair (a public key and associated private key). Wraps the public key into an X.509 v1 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias.

  -keyalg RSA

  The key algorithm, in this case RSA is specified.

  wandisco.ks

  This is file name for your private key file that will be stored in the current directory.

  - alias server

  Assigns an alias "server" to the key pair. Aliases are case-insensitive.

  -validity 3650

  Validates the keypair for 3650 days (10 years). The default would be 3 months

  - storepass <YOUR PASSWORD>

  This provides the keystore with a password.

  No password specified If no password is specified on the command, you'll be prompted for it. Your entry will not be masked so you (and anyone else looking at your screen) will be able to see what you type.

  Most commands that interrogate or change the keystore will need to use the store password. Some commands may need to use the private key password. Passwords can be specified on the command line (using the -storepass and -keypass options).
  However, a password should not be specified on a command line or in a script unless it is for testing purposes, or you are on a secure system. When placed into the Access Control Plus properties file we'll first need to manually encrypt it.
  

  The utility will prompt you for the following information

  What is your first and last name?  [Unknown]:  
  What is the name of your organizational unit?  [Unknown]:  
  What is the name of your organization?  [Unknown]:  
  What is the name of your City or Locality?  [Unknown]:  
  What is the name of your State or Province?  [Unknown]:  
  What is the two-letter country code for this unit?  [Unknown]:  
  Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?  [no]:  yes
  
  
  Enter key password for <mykey>
  (RETURN if same as keystore password):
  

• 5. With the keystore now in place, we next need to make the edit to the application.properties file.
  

  node.id=bouncer
  application.hostname=172.16.5.94
  application.port=6888
  #content server port
  content.server.port=6845
  jetty.http.port=8882
  database.location=/opt/wandisco/scm-access-control-plus/database
  application.location=/opt/wandisco/scm-access-control-plus
  content.location=/opt/wandisco/scm-access-control-plus/content
  jetty.https.port=8084
  
  ssl.enabled=true
  ssl.debug=false
  ssl.keystore=
  ssl.keystore.password=
  
  #Option SSL parameters
  
  ssl.key.alias
  ssl.key.password - SimpleCrypt encrypted
  ssl.truststore
  ssl.truststore.password - SimpleCrypt encrypted	
  	
  

  ssl.enabled

  Switch for enabled SSL. Value: true

  ssl.debug

  debugging mode. Don't enable by default. Value: false

  ssl.keystore

  The absolute path to the keystore

  ssl.keystore.password

  The password for the keystore - this password must be encrypted using the SimpleCrypt class. We've provided a little utility to handle the encryption:

  /opt/wandisco/scm-access-control-plus/scm-access-control-plus-cryptPassword.jar

  Use the utility as follows:

   java -jar scm-access-control-plus-cryptPassword.jar password
  Gbwkzxmo70xNNy1/oVMb/7PuE3yB1+fhHX7O9qxIg6k3eNDuU6bzOCKO4Ldi0SJDDycScJjnGq2FxOYYAl0JiBRXIDGRxEVBj <snip>
  

  Optional SSL parameters:

  These additional parameters support a more robust implementation of SSL that uses trust certification.

  ssl.key.alias

  Specify an alias for the private key. This is the name by which the key will be accessible inside the keystore.

  ssl.key.password

  Password if the cert is password protected - must be encrypted as above.

  ssl.truststore

  Path to the truststore file

  ssl.truststore.password

  Password for the truststore - must be encrypted as above.

  
  Changes in any of these value require a restart of Access Control Plus. Any invalid value will likely result in Access Control Plus not running properly.

Setting the server key

In the keystore, the server certificate is associate with a key. By default, we look for a key named server to validate the certificate. If you use a key for the server with a different name, enter this in the SSL settings.

SSL Troubleshooting

A complete debug of the SSL logging will be required to diagnose the problems. To capture the debugging, run the java process with:

'-Djavax.net.debug=all' flag.

To enable the logging of SSL implemented layer, turn the logging to FINEST for 'com.wandisco.platform.net' package.

3.21 Node Repair

The Node Repair tool is used to recover from the loss of one or more nodes. Once replication is set up.

3.22 Connect to MultiSite

In this section we connect Access Control Plus to an existing Git or SVN MultiSite setup.

• 1. Login to the admin console. Click on the Settings link on the top menu.
• 2. Click on the Connect to MultiSite bar in the External Applications section.
  
• 3. Enter the required MultiSite details:
  
  

  API IP

  The IP address of the MultiSite node

  API PORT

  The port used for Rest API traffic (Default is 8082)

  API USER

  Username for the account Access Control Plus use use to access the MultiSite node.

  Managing Node (Drop-down)

  Select which Access Control Plus node will manage communication with MultiSite.

  Poll Period

  The frequency (in seconds) that Access Control Plus will check for changes on the MultiSite node.

  Use SSL (checkbox)

  Enable SSL encryption for the API traffic.

  Password

  Password for the MultiSite account

  Retype Password

  Repeated password entry (to ensure you entered it correctly above.

  Save/Cancel (buttons)

  Click Save to store the details, or Cancel to clear them.

  When all the details have been added, click Save.


• 4. Return to the main Access Control Plus screen. If there are Repositories being handled by MultiSite, they'll be automatically sync'ed with Access Control Plus, appearing in the Repositories panel.
  
  At this point the repositories are known to Access Control Plus, but it still needs to be configured with authentication and or authorization files for each repository. This is handled through the Repository Template section.

Return to the Getting Set up

3.23 Connect to LDAP

This section explains how to configure Access Control Plus to query one or more LDAP authorities in order to pull in accounts for your Git or Subversion users.

LDAP Settings

The settings tell Access Control Plus how to use any available LDAP Authorities that you connect up.

Synchronisation Period (minutes)

Access Control Plus will rerun your LDAP queries with this frequency, picking up any changes that may have occurred within the LDAP service.

TIP
Don't set the period to 0. You shouldn't need to constantly hit your LDAP authority.

IMPORTANT
If you perform an import from an earlier version of Access Control you must ensure that Access Control Plus does not poll the LDAP authorities during the process. You can do this by setting the Synchronisation Period to 999 (minutes) - Just for the duration of the import

Allow Local Users (checkbox)

Ticked by default. When ticked it is possible to field both LDAP-controlled and manually entered Accounts. Some organizations don't permit manually entered accounts, they need to be sure that all accounts are managed through their LDAP. If this is the case, untick the check box once you're LDAP accounts have been successfully imported.

TIP Should you be running with Local Users disabled and your LDAP service fails, you can re-enable local users as part of the account password recovery process. This process will automatically re-enable local users, allowing you to gain access to the admin console.

Entering LDAP Authority details

This is the entry form for adding any number of LDAP Authorities. Multiple Authorities are checked in the order that matches their order number (see below). The lower the order number, the earlier the authority is checked.

Order:

The priority given to the LDAP URL. e.g. A Location Order of 1 means that Access Control will look within that defined authority for a user first. If unsuccessful then Access Control will then check the authority with the next order number (e.g. 2).

Regular Expression:

Enter a regular expression to set a pattern for matching against available LDAP authorities. The expression, is applied locally to limit unnecessary queries against available LDAP authorities. For instance, setting an expression that specifies a top-level domain can ensure that authentication of a user (whose username is their email address) doesn't need to run through all LDAP authorities, but instead can be checked only against those servers that match the the regular expression - in this case, the same top-level domain.

URL: the URL for the LDAP authority, using the format ldap(s)://hostport/basedn?attribute

Bind User DN:

(Optional)

Bind Password:

(Optional)

First Name Attribute:

(Optional)

Last Name Attribute:

(Optional)

Email Address Attribute:

(Optional)

Public Key Attribute:

(Optional) Used with the LDAP service is encrypted, requiring Access Control Plus to be setup with an SSH key pair. As with any public key entry, make sure that no line breaks are introduced to the key, it should be one long string, no breaks.

Case Insensitive Usernames?

Tick this checkbox if you need MultiSite to stop distinguishing between usernames that differ only by their case pattern.
For example, with the "Case Insensitive Usernames?" unticked (it is by default), MultiSite will treat username "MelissaJones" and username "melissajones" as two distinct users. Support for username case insensitivity is a feature that may be required when Active Directory

System Administrator Group?:

Tick this checkbox if the authority will return users who are System Administrators (able to access the MultiSite admin console).

3.24 Email Notification

The mail notification system lets you connect Access Control Plus to an email gateway server, which enables it to send alert email concerning important system events. It's possible to add as many email gateways as you like, so that the loss of a single mail server need to result in the halting of notifications.

The following procedure shows you have to set up an email gateway.

• 1. Logon to the Access Control Plus admin console. Click on the Settings link.


• 2. Click on the Email Notifications bar.
  
  
• 3. Fill out the entry form for your gateway.
  
  

  IP/Hostname of SMTP Server:

  your email server's address.

  SMTP Server Port

  The port assigned for SMTP traffic (Port 25 etc).

  Encryption Type

  Indicate your server's encryption type - None, SSL (Secure Socket Layer) or TLS (Transport Layer Security). SSL is a commonly used. For tips on setting up suitable keystore and truststore files see Setting up SSL Key pair.

  Running Apache?

  • keystores?
    If you're not familiar with the finer points of setting up SSL keystores and truststores it is recommended that you read the following article: Using Java Keytool to manage keystores.

  Authentication Required

  Indicate whether you need a username and password to connect to the server - requires either "true" or "false".

  User Name

  If authentication is required, enter the authentication username here.

  Password

  If authentication is required, enter the authentication password here.

  Sender Address

  Provide an email address that your notifications will appear to come from. If you want to be able to receive replies from notifications you'll need to make sure this is a valid and monitored address.

  Number of Tries Before Failing

  Set the number of attempts SVN MultiSite Plus makes in order to send out notifications.

  Interval Between Tries (Seconds)

  Set the time (in seconds) between your server's attempts to send notifications.

  Once you've entered all the details, click the Add button.


• 4. Once a gateway is in place you need to add a list of email address to where Access Control Plus will actually send notification emails.
  
  Just enter addresses on the Add destination entry field and click + Add.
  


• 5. Before notifications can be sent, the service must be enabled by ticking the Enable notifications checkbox.
  
  You can untick the checkbox if you need to disable the feature, without removing or editing the gateway or destination settings.

Notifiable events

The following events currently trigger notifications (when suitably configured)

• InfoDiskMonitoringEvent
• SevereDiskMonitoringEvent
• VCSReadyEvent
• Restart
• FileReplicationScriptErrorEvent

3.25 Create a Repository Template

In Access Control Plus's backend, there's a mechanism or managing and replicating the core password and or authz files. This mechanism needs a template creating which will contain the path location for these files, as well as a number of optional parameters. Once setup, Repositories that are added to Access Control can be assigned the template, telling Access Control Plus how to handle the repository's necessary files.

Follow this procedure for adding a Repository Template:

• 1. Login to the admin console. Click on the Settings link on the top bar.
  
  
• 2. Click on the Repository Templates bar under in the Applications Settings, near the top of the list. Click on the Create button.
  
  
• 3. A small entry form will appear. Complete the details.
  
  

  Name

  A useful label for the product to refer to this repository.

  Description

  A description of the template to help you distinguish from it from potential others.

  Name

  A useful label for the product to refer to this repository.

  Type (Dropdown)

  There's a dropdown select from where you select which SCM product that you are going to refer to. Options: GIT or SVN.

  Click on the Add button to save the entry form.
• 4. The screen will be parsed, your selection detected and a Generators dropdown will appear. From this dropdown you can select multiple user access assets, of which the following area currently available:
  
  

  SSH Key File Generator

  Transports ssh keys between nodes.

  Apache Password File Generator

  Transports Apache password files between nodes.

  SVN Authz File Generator

  Handles the Authz file (under SVN).

  GIT Authz File Generator

  Handles the Authz file (under Git).

  There are more details about how these files are managed and distributed in the Generic File Replication Section



• 7. Enter the Target Location. Find location of generated file on target node. Absolute path.
  
  Click on Show optional parameters to see a number of extra entry fields. When you have completed the entries you need, click on the Update button.


• 8. You can create any number of Repository Templates, reflecting how many separate collections of repositories you are running where each requires a different series of user management files.
  
  

3.26 Enable/Disable Batch updates

Follow this procedure to enable Batch mode. Make sure you understand what it does and how it works before you do though.

Batch updates is a mechanism that can improve performance in large deployments that field large numbers of accounts holders, accross a number of nodes. There's a section in the Reference Guide that explains more about Batch Updates Mode.

• 1. Login to Access Control Plus, click on the Settings link.
• 2. Click on the Access Control Updates bar.
  
• 3. Tick the Enable checkbox. Confirm the switch period (in seconds) and select which node will manage the batching process.
  
  
• 4. Click on Save.

See Access Control Updates for more details.

3.2.7 Example Configuration

Per-repository Authz via SVNServe and SSH

The following details map out an example setup that sets up authorization using Authz on a per-repository basis, running on SVNServe with SSH encryption. This is only intended as an illustration, so you shouldn't follow it as an actual set up procedure.

Repository Template

The setting set the target location of the authz file and the common path segment of the SVN repositories:

Target Location:

%/conf/authz

Common Repository Path Segment:

/opt/svn/

svnserve.conf

svnserve.conf controls the behavior of the svnserve daemon on a per-repository basis. It is located in the conf subdirectory of the repository, e.g. /opt/svn/repo/conf/svnserve.conf.

[general]
anon-access = none 
auth-access = write
authz-db = authz
[sasl]    

anon-access

Determines the access level for unauthenticated users. "write" allows all repository operations. "read" allows all operations except committing and changing revision properties. "none" allows no unauthenticated access. The default level is "read".

auth-access

Determines the access level for authenticated users, using the same access levels as above. The default level is "write".

authz-db

The authz-db option controls the location of the authorization rules for path-based access control. filename may be relative to the repository conf directory. There is no default value. If you don't specify an authz-db, no path-based access control will be set.

Server-side

The following configuration is required on the server:

• Create an "authorized_keys" file at:

  /home/wandisco/.ssh/authorized_keys

• Change the permissions and ownership as follows:

  chmod 600 /home/wandisco/.ssh/authorized_keys
  chown wandisco:wandisco /home/wandisco/.ssh/authorized_keys
      

Client-side

The following configuration is required for clients:

• If required generate ssh keys:

  ssh-keygen -t rsa

• Copy the ssh key to the server entering the password for the wandisco user when prompted:

  ssh-copy-id wandisco@<ip address>

• The previously empty authorized_keys file should now look like this:

  ssh-rsa <RSA KEY> <client hostname>

• Modify the authorized_keys file as follows:

  command="svnserve -t --tunnel-user=<username> -r /opt/svn" ssh-rsa <RSA KEY> <client hostname>    
      

• Where username is the account added to Access Control Plus. Example:

  command="svnserve -t --tunnel-user=user1 -r /opt/svn" ssh-rsa <RSA KEY> <client hostname>
  

  This would work with a user added to Access Control Plus with Account Name "user1".

Access Control Plus Admin Console settings

• Add a team
• Add a User
• Add a resource
• Add a rule

An Authz file should be generated, here:

/opt/svn/repo/conf/authz

It should look like this: Example (Team: team1, Account Name: user1, Resource: repo0, Perms: RW)

# Generated by Access Control Plus, WANdisco.
# ACP Node Name            : node1
# ACP Node Hostname        : 172.16.6.55
# Generation Audit number  : abab31d2-a266-426b-a578-336b58419130
# Generation Serial number : 187
# Template Id              : 97e47269-4b20-40e8-b1a0-fa052d74ecb9
# Template Name            : svn
# Template Description     : svn
# Assignment Type          : svn-authz
# Assignment Id            : 1de6a9c6-c8ec-4eaa-9391-0a7cd55f8ab3
# Assignment Modified at   : 2014-05-27 23:32:16.346


[groups]
virtual_team_team1_rule_rule1_88b17a89-157b-48ab-a9dd-364912f20b25 = user1

[/]
* = 

[repo:/]
@virtual_team_team1_rule_rule1_88b17a89-157b-48ab-a9dd-364912f20b25 = rw	

Client-side access

Access the repository using:

svn co svn+ssh://wandisco@<ip address>/repo

Copyright © 2010-2014 WANdisco plc.
All Rights Reserved

This product is protected by copyright and distributed under licenses restricting copying, distribution and decompilation.

Access Control Plus
Last doc build: 17:35 09 May 2014