Arcanum

PHP Requirements

  • PHP 5.3+ is required. PHP 5.4+ is recommended, as it supports LDAP search paging in the administration interface.
  • PHP Modules required:
    • gettext
    • ldap
    • xcache
    • mhash (highly recommended if Samba NT hash generation is desired)

LDAP Server Requirements

Any LDAPv3 server should work out of the box.

For the password policy features (password expiration etc.), an LDAP server compatible with draft-behera-ldap-password-policy-09 or draft-behera-ldap-password-policy-10 is required. Arcanum has been tested with OpenLDAP and its slapo-ppolicy overlay.

Installation via Web-based Setup

  • Untar the distribution somewhere under your document root.
  • Make the config directory writeable by the web server user, e.g. sudo chown www-data config
  • Set up your LDAP server with the required schemas, ppolicy configuration and proper ACLs. See below.
  • In your browser, visit the location where you extracted the distribution, and complete the setup steps to generate the config file.
  • Log in to the application with an admin user account and do any migrations needed.

Manual Installation and Configuration

  • Untar the distribution somewhere under your document root.
  • Copy include/config.template.php to config/config.php and edit accordingly.
  • Set up your LDAP server with the required schemas, ppolicy configuration and proper ACLs. See below.
  • Log in to the application with an admin user account and do any migrations or further configuration needed.

OpenLDAP Configuration

What follows are recommended snippets from slapd.conf for the correct operation of OpenLDAP and Arcanum.

Required schemata:

include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/GUExtendedAuthentication.schema

Optional schemata (for educational institutions):

include /etc/ldap/schema/eduorg.schema
include /etc/ldap/schema/eduperson.schema
[...]

Database ACLs:

access to attrs=userPassword,shadowLastChange
        by dn="cn=manager,dc=org,dc=gr" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

access to *
        by dn="cn=manager,dc=org,dc=gr" write
        by * none

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=org,dc=gr"
ppolicy_use_lockout
ppolicy_hash_cleartext
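
The ppolicy_default directive above names a policy entry that must exist in the directory before expiration or lockout takes effect. The LDIF below is an added example, not part of the Arcanum distribution: the DN is the one used in ppolicy_default above, the attribute names are the standard ones from ppolicy.schema, and every value is an assumption to adjust to your own policy.

```ldif
# Constructed example; all values below are assumptions.
# Parent container for policy entries. Drop this entry if ou=policies
# already exists in your tree.
dn: ou=policies,dc=org,dc=gr
objectClass: organizationalUnit
ou: policies

# Default policy referenced by ppolicy_default.
#   pwdMaxAge / pwdExpireWarning : expire after 180 days, warn during the last 14
#   pwdInHistory                 : refuse reuse of the last 5 passwords
#   pwdCheckQuality / pwdMinLength: enforce the length when the server sees the
#                                   cleartext, accept values it cannot check
#   pwdLockout, pwdMaxFailure    : lock after 5 failed binds ...
#   pwdLockoutDuration           : ... for 15 minutes
#   pwdFailureCountInterval      : forget failures after 10 minutes
#   pwdAllowUserChange           : matches the "by self write" ACL above
dn: cn=default,ou=policies,dc=org,dc=gr
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 15552000
pwdExpireWarning: 1209600
pwdInHistory: 5
pwdCheckQuality: 1
pwdMinLength: 10
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 600
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
```

Load it as the manager DN with ldapadd (for example, ldapadd -x -D "cn=manager,dc=org,dc=gr" -W -f followed by the file name). Lockout itself is switched on by pwdLockout in the policy entry; ppolicy_use_lockout only changes the error code returned to a client binding to an account that is already locked.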

Optional Configuration Options

You can optionally:

  • Configure your SMS gateway.
  • Enable the cron job for password expiry notifications.

More information on these features will be available shortly.