LDAP For Alarms and Authorization
Matthias Clausen (DESY)

Overview
• Please find LDAP Schema File and LDIF Files on the CSS Web Site: http://css.desy.de/content/e428/e262/e260/index_eng.html
• LDAP Screen Dumps were created using Apache Directory Studio and JXplorer

LDAP Tree
Currently the LDAP Tree consists of FOUR main Branches:
• EpicsControls
  • Structured list of ALL IOCs with ALL records
  • Reference for the Namespace Browser
  • Location to persist alarm states
• EpicsAlarmcfg
  • Alh-like Alarm Tree (support for interactive configuration in CSS)
• EpicsAuthorize
  • Applying (access) roles to users
• EpicsAuthorizeID
  • Applying Authorize-IDs to access roles

EpicsControls
Tree is filled by:
• Based on the dbl -> iocName.db files
• Initially a set of scripts created the LDAP entries
• Now a Java program runs periodically, checks for new/changed *.db files and updates the LDAP tree
IOC-Name / IP-address is set by:
• Script / Program
Record Entries (Alarm-States) are written by:
• InterConnection-Server (alarm states read from the IOC); set to invalid if the IOC is disconnected from the IC-Server
• CSS Alarm-Table and CSS Alarm-Tree on alarm acknowledge
Record Entries (Alarm-States) are read by:
• CSS Alarm-Tree to display current alarm states
Note: Each record MUST be defined in EpicsControls and MAY be defined multiple times in EpicsAlarmcfg!!

EpicsControls Tree Structure:
• ou=EpicsControls
  • efan=TTF (facilityName)
    • ecom=EPICS-IOC (component)
      • econ=ttfKryo (controller)
        • eren=recordName (recordName)

EpicsControls Subcomponents
• epicsController
  • epicsIPAddress: important to find the (logical) IOC name for an established IP connection, e.g. by the interconnectionServer.
  • ecom: important to find the IOC name for a given record name
  • Save changes in iocName.ca
  • Use caPut to write iocName.ca back to the IOC at the end of an IOC reboot.
Note @DESY: IOCs always keep their logical name! IOC hardware (e.g. VME boards) always keeps the IP address of the HARDWARE. Thus IP addresses of (logical) IOCs may change!

EpicsControls Subcomponents
• epicsRecordName (eren)
  • epicsAlarmAcknTimeStamp
  • epicsAlarmHighUnAckn (highest unacknowledged alarm)
  • epicsAlarmSeverity
  • epicsAlarmStatus
  • epicsAlarmTimeStamp

EpicsAlarmcfg
Tree is filled by:
• Manual entries using the CSS Alarm-Tree interactively (next slide)
• Automated entries retrieved from the alh config files
Record Entries (Alarm-States) are written by:
• InterConnection-Server (alarm states read from the IOC); set to invalid if the IOC is disconnected from the IC-Server
• CSS Alarm-Table and CSS Alarm-Tree on alarm acknowledge
Record Entries (Alarm-States) are read by:
• CSS Alarm-Tree to display current alarm states
Alarms can only be written to those records in the EpicsAlarmcfg which have been defined here!
Note: Each record MUST be defined in EpicsControls and MAY be defined multiple times in EpicsAlarmcfg!!

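The tree structure and the "MUST be defined in EpicsControls, MAY be defined multiple times in EpicsAlarmcfg" rule from the EpicsControls and EpicsAlarmcfg slides, as an added, self-contained example (constructed here; not DESY's or CSS's code). It builds record DNs from the slide's RDN chain, resolves a logical IOC name from epicsIPAddress, lists every entry an alarm-state update has to touch, and flags alarm-tree records that are missing from EpicsControls. The base suffix, the objectClass `epicsRecord`, the sample IP and record names, and the EpicsAlarmcfg leaf layout `eren=<record>,ecom=<node>,efan=<facility>` are assumptions, not taken from the slides.

```python
"""Added example (constructed; not DESY's own code): EpicsControls/EpicsAlarmcfg
modelled as an in-memory map DN -> attributes.  Assumed (not on the slides): the
base suffix, objectClass 'epicsRecord', the sample values, and the EpicsAlarmcfg
leaf layout eren=<record>,ecom=<node>,efan=<facility>,ou=EpicsAlarmcfg,<base>.
"""

BASE_DN = "o=example,c=xx"  # assumed suffix; DESY's real one is not on the slides


def rdn_escape(value: str) -> str:
    """Escape the characters RFC 4514 requires to be escaped in an RDN value."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings, honouring backslash escapes."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch == "\\":
            cur.append(ch)
            escaped = not escaped
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return rdns


def first_rdn(dn: str) -> tuple:
    """(lower-cased attribute, escaped value) of the leftmost RDN."""
    attr, _, value = split_dn(dn)[0].partition("=")
    return attr.lower(), value


def controls_record_dn(facility, component, controller, record):
    """eren=<record>,econ=<controller>,ecom=<component>,efan=<facility>,ou=EpicsControls,<base>."""
    return ",".join([f"eren={rdn_escape(record)}", f"econ={rdn_escape(controller)}",
                     f"ecom={rdn_escape(component)}", f"efan={rdn_escape(facility)}",
                     "ou=EpicsControls", BASE_DN])


def alarmcfg_record_dn(facility, node, record):
    """Assumed EpicsAlarmcfg leaf layout (see module docstring)."""
    return ",".join([f"eren={rdn_escape(record)}", f"ecom={rdn_escape(node)}",
                     f"efan={rdn_escape(facility)}", "ou=EpicsAlarmcfg", BASE_DN])


# Constructed sample directory (attribute values are lists, as in LDAP).
DIRECTORY = {
    f"econ=ttfKryo,ecom=EPICS-IOC,efan=TTF,ou=EpicsControls,{BASE_DN}":
        {"objectClass": ["epicsController"], "epicsIPAddress": ["192.0.2.10"]},
    controls_record_dn("TTF", "EPICS-IOC", "ttfKryo", "TTF:KRYO:TEMP1"):
        {"objectClass": ["epicsRecord"], "epicsAlarmSeverity": ["NO_ALARM"]},
    controls_record_dn("TTF", "EPICS-IOC", "ttfKryo", "TTF:KRYO:PRESS1"):
        {"objectClass": ["epicsRecord"], "epicsAlarmSeverity": ["MINOR"]},
    # the same record MAY sit under several alarm-tree nodes ...
    alarmcfg_record_dn("TTF", "Kryo", "TTF:KRYO:TEMP1"): {"objectClass": ["epicsRecord"]},
    alarmcfg_record_dn("TTF", "Shift", "TTF:KRYO:TEMP1"): {"objectClass": ["epicsRecord"]},
    # ... but this one is a misconfiguration: not defined in EpicsControls
    alarmcfg_record_dn("TTF", "Kryo", "TTF:KRYO:FLOW9"): {"objectClass": ["epicsRecord"]},
}


def entries_in_branch(directory, branch):
    """All entries below ou=<branch>,<base>."""
    suffix = f",ou={branch},{BASE_DN}"
    return {dn: attrs for dn, attrs in directory.items() if dn.endswith(suffix)}


def record_names(directory, branch):
    """Escaped eren values present in a branch."""
    return {first_rdn(dn)[1] for dn in entries_in_branch(directory, branch)
            if first_rdn(dn)[0] == "eren"}


def ioc_name_for_ip(directory, ip):
    """Logical IOC name (econ RDN) whose epicsIPAddress equals ip, or None."""
    for dn, attrs in entries_in_branch(directory, "EpicsControls").items():
        if ip in attrs.get("epicsIPAddress", []) and first_rdn(dn)[0] == "econ":
            return first_rdn(dn)[1]
    return None


def alarm_update_targets(directory, record):
    """DNs to rewrite when a new alarm state arrives for `record`: the single
    EpicsControls entry plus every EpicsAlarmcfg copy.  Empty list if the record
    is not defined in EpicsControls (each record MUST be defined there)."""
    key = ("eren", rdn_escape(record))
    controls = [dn for dn in entries_in_branch(directory, "EpicsControls") if first_rdn(dn) == key]
    if not controls:
        return []
    return controls + [dn for dn in entries_in_branch(directory, "EpicsAlarmcfg") if first_rdn(dn) == key]


def orphan_alarmcfg_records(directory):
    """Records referenced in EpicsAlarmcfg but missing from EpicsControls."""
    return sorted(record_names(directory, "EpicsAlarmcfg") - record_names(directory, "EpicsControls"))


if __name__ == "__main__":
    print(ioc_name_for_ip(DIRECTORY, "192.0.2.10"))
    print(alarm_update_targets(DIRECTORY, "TTF:KRYO:TEMP1"))
    print(orphan_alarmcfg_records(DIRECTORY))
```

Running `orphan_alarmcfg_records` over a real export (e.g. the LDIF files linked on the overview slide, parsed into the same DN -> attributes shape) is the cheap consistency check to schedule next to the periodic *.db import: an alarm-tree leaf with no EpicsControls counterpart will never receive a state from the InterConnection-Server and silently stays stale.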
Configuring the Alarm-Tree (EpicsAlarmcfg)
• Adding components (root nodes) and records (leaves) to the Alarm-Tree interactively
• Changes are stored in the current LDAP server
• Configuring root nodes (logical structure) and leaves (records) using the default Eclipse property view
• Root nodes and leaves share the same properties
Properties:
• Alarm Display (CSS display)
• Display (CSS display)
• Help Guidance (text)
• Help Page (http address)
• Strip Chart (dataBrowser config file)

EpicsAlarmcfg Subcomponents
• epicsRecordName (eren)
  • epicsAlarmAcknTimeStamp
  • epicsAlarmHighUnAckn (highest unacknowledged alarm)
  • epicsAlarmSeverity
  • epicsAlarmStatus
  • epicsAlarmTimeStamp
  • epicsCssAlarmDisplay
  • epicsCssDisplay
  • epicsCssStripChart
  • epicsHelpGuidance
  • epicsHelpPage

EpicsAlarmcfg Sub Functionalities
Alarm Acknowledge
• From Alarm-Tree
• From Alarm-Table
• Acknowledge is DIRECTLY written to LDAP (persistence)
• An Acknowledge JMS message is created to send the acknowledge to ALL CSS instances, so that the ackn. flag is set correctly (even in the CSS instance which generated the JMS message!): CSS instances register for the ACK Topic
[Diagram: CSS instances, LDAP and the JMS ACK topic]

EpicsAuthorize
Tree is filled by:
• Automated entries created by the DESY registry
• Computer accounts and access grants are defined here centrally
• No manual entries allowed
Entries are read by:
• CSS Security plugin

EpicsAuthorize Tree Structure:
• ou=EpicsAuthorize
  • ou=Css (organizational unit)
    • ou=Css (CSS group authorization (group))
      • eagn=Admin (Admins of Css group (role))
        • eaun=claus (epicsAccesUserName; DESY: DESY account)

EpicsAuthorizeID (not yet functional)
Tree is filled by:
• For now: only manual entries
• A CSS plugin is planned to ease entering new IDs
Entries are read by:
• CSS Security plugin

EpicsAuthorizeID Tree Structure:
• ou=EpicsAuthorizeID
  • ou=SDS (organizational unit)
    • eain=remoteManagement (ID name)
      • eair=admin (role)
        • eaig=css (group)

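The two authorization branches, as an added example (constructed here; not DESY's or the CSS Security plugin's code) of the decision they exist to support: is user U allowed to perform the action named by an Authorize-ID? EpicsAuthorizeID maps an ID to (role, group) pairs; EpicsAuthorize says which users hold a role within a group; the decision is default-deny and succeeds only when one of the pairs mapped to the ID is actually held by the user. DNs are kept as tuples of (attribute, value) pairs, so no DN parsing is needed. Assumptions not on the slides: the base suffix, the sample user `ops1` and ID `viewDisplays`, the leaf nesting `eaig=<group>,eair=<role>,eain=<id>` under EpicsAuthorizeID, and case-insensitive matching (so `eagn=Admin` on the EpicsAuthorize slide satisfies `eair=admin` on the EpicsAuthorizeID slide).

```python
"""Added example (constructed; not DESY's or CSS's code): authorization decision
over the EpicsAuthorize and EpicsAuthorizeID branches.  Assumed (not on the
slides): the base suffix, the sample values, the EpicsAuthorizeID leaf nesting
eaig=<group>,eair=<role>,eain=<id>,ou=<unit>, and case-insensitive matching.
"""

BASE_DN = (("o", "example"), ("c", "xx"))  # assumed suffix


def authorize_user_dn(unit, group, role, user):
    """eaun=<user>,eagn=<role>,ou=<group>,ou=<unit>,ou=EpicsAuthorize,<base> (slide structure)."""
    return (("eaun", user), ("eagn", role), ("ou", group), ("ou", unit),
            ("ou", "EpicsAuthorize")) + BASE_DN


def authorize_id_dn(unit, id_name, role, group):
    """eaig=<group>,eair=<role>,eain=<id>,ou=<unit>,ou=EpicsAuthorizeID,<base> (assumed nesting)."""
    return (("eaig", group), ("eair", role), ("eain", id_name), ("ou", unit),
            ("ou", "EpicsAuthorizeID")) + BASE_DN


def dn_string(dn):
    """Render a tuple DN in the usual comma-separated form."""
    return ",".join(f"{attr}={value}" for attr, value in dn)


def normalize(dn):
    """Case-insensitive comparison form (assumption: caseIgnore matching)."""
    return tuple((attr.lower(), value.lower()) for attr, value in dn)


# Constructed sample data: only the DNs matter for the decision.
DIRECTORY = {
    authorize_user_dn("Css", "Css", "Admin", "claus"),
    authorize_user_dn("Css", "Css", "Operator", "ops1"),
    authorize_id_dn("SDS", "remoteManagement", "admin", "css"),
    authorize_id_dn("SDS", "viewDisplays", "operator", "css"),
    authorize_id_dn("SDS", "viewDisplays", "admin", "css"),
}
INDEX = {normalize(dn) for dn in DIRECTORY}


def grants_for(index, action_id):
    """(role, group) pairs the EpicsAuthorizeID branch maps to `action_id`."""
    wanted = ("eain", action_id.lower())
    return {(dn[1][1], dn[0][1]) for dn in index
            if ("ou", "epicsauthorizeid") in dn and dn[2] == wanted
            and dn[1][0] == "eair" and dn[0][0] == "eaig"}


def user_has_role(index, user, role, group):
    """True if eaun=<user> exists under eagn=<role>,ou=<group> in EpicsAuthorize."""
    return any(dn[:3] == (("eaun", user.lower()), ("eagn", role), ("ou", group))
               and ("ou", "epicsauthorize") in dn for dn in index)


def is_authorized(index, user, action_id):
    """Default deny: permit only when some (role, group) pair granted to the
    action ID is one the user actually holds.  Unknown IDs grant nothing."""
    return any(user_has_role(index, user, role, group)
               for role, group in grants_for(index, action_id))


if __name__ == "__main__":
    for user, action in (("claus", "remoteManagement"), ("ops1", "remoteManagement"),
                         ("ops1", "viewDisplays"), ("nobody", "viewDisplays")):
        verdict = "ALLOW" if is_authorized(INDEX, user, action) else "DENY"
        print(f"{user:7s} {action:17s} -> {verdict}")
```

Two properties of the layout on the slides are worth keeping when the real plugin is written: the ID-to-role mapping lives in a branch that is deliberately separate from the user-to-role grants (which only the registry may write), and an ID with no EpicsAuthorizeID entry yields an empty grant set and therefore a deny rather than a fallback.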