Discussion forum about ELOG, Page 99 of 806
ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
69061 | Thu Nov 21 18:10:28 2019 | Reply | David Wallis | wallis@aps.anl.gov | Question | Linux | V3.1.4-ba84827 | Re: PAM authentication question

Hi Christoph,

Thanks for looking into this, if you can enable PAM + File, our users would be very happy!

The pam.d issue is probably related to CentOS/Red Hat, since our PAM expert warned me that it might be necessary.

Jan Christoph Terasa wrote:
David Wallis wrote:

I'm testing the PAM authentication feature, and have a couple questions, a suggestion, and a comment.

First the comment... it was pretty easy to get working, and is exactly what we need here, so thanks! Our PAM stack here is designed to allow logins with Active Directory, LDAP, or local accounts, so the PAM option preserves all of that.

The suggestion: In order to make it work, I had to add a symbolic link in /etc/pam.d:
    elogd -> system-auth
That might be considered for addition to the documentation (this was on Red Hat Enterprise Linux 7.7)

The questions:

  1. The docs indicate that "Self register" must be set to >= 1, but in the code (elogd.c, line 26453), if the PAM module is enabled, Self register is overridden to 0. The result is that no "register as new user" link is displayed on the login screen. Is that the intent?
  2. Related... can PAM and File authentication both be enabled? We have some logbooks that are used by both internal people (with an A/D account) and outside collaborators that get local elog accounts. This works with LDAP + File, can it work with PAM?

Thanks in advance!

 

David, thank you for reporting on your findings regarding the PAM feature. I will look into the points you mentioned:

0. On my machines (Debian testing and stable) I did not have to add anything to /etc/pam.d, but apparently Debian just uses implicit defaults then, and RHEL might insist on using explicit settings. Adding a hint in the documentation is certainly useful, thank you for the suggestion. Maybe elog should provide a pam.d config file (which can be installed/adapted by package maintainers for various OSes).

1.+2. If I remember correctly, I intentionally disabled registration when using the PAM backend, because users will register using their passwd/LDAP/NIS users, and new users can only be registered using the appropriate tools for the authentication mechanism used. This might not be correctly reflected in the docs, I will check that. In the light of question 2., I can also re-investigate that policy, so that logins will check against both the elog user database and PAM. Self-registering can then be enabled again, and new registrees will go to the elog database. I will try to bring the code in line with how LDAP works.

 

regards,

Christoph

 

69060 | Mon Nov 18 16:58:21 2019 | Idea | Roger Kalt | roger.kalt@psi.ch | Info | Linux | 3.1.4 | Example scripts how to migrate or combine logbooks

Attached the shell scripts using awk and sed how I have migrated two separated logbooks into one single and how I re-adjusted certain attributes.

Attachment 1: run_modif.sh
#!/bin/bash
# KR84, 28.10.2019

# the input files are the exported XML files from ELOG -> Finden


# search in XML for string between <DATE> and </DATE>
# and replace with: <DATE> and </DATE><When> and </When>
echo "converting export_rf.xml ..."
cat ./export_rf.xml | 
    sed 's/<Personnel\(.*\)Personnel>/<Author\1Author>/g' |
    sed 's/<DATE\(.*\)DATE>/<DATE\1DATE>\n\t\t<When\1When>/g'   |
    sed 's/<Subject>\(.*\)<\/Subject>/<Title>\1<\/Title><Entry_Type><\/Entry_Type>/g' |
    sed '/<Machine>SwissFEL<\/Machine>/ {N;N; s/<Machine>SwissFEL<\/Machine>.*<Domain>OBLA<\/Domain>.*<Section>TRFCB/<Machine>OBLA<\/Machine>\n\t\t<Domain>All<\/Domain>\n\t\t<Section>TRFCB/g}'  |
    sed 's/<When>Mon, /<When>/g'                          |
    sed 's/<When>Tue, /<When>/g'                          |
    sed 's/<When>Wed, /<When>/g'                          |
    sed 's/<When>Thu, /<When>/g'                          |
    sed 's/<When>Fri, /<When>/g'                          |
    sed 's/<When>Sat, /<When>/g'                          |
    sed 's/<When>Sun, /<When>/g'                          |
    sed '/<When>.*<\/When>/{s/ Jan 20/.01./g}'                    |
    sed '/<When>.*<\/When>/{s/ Feb 20/.02./g}'                    |
    sed '/<When>.*<\/When>/{s/ Mar 20/.03./g}'                    |
    sed '/<When>.*<\/When>/{s/ Apr 20/.04./g}'                    |
    sed '/<When>.*<\/When>/{s/ May 20/.05./g}'                    |
    sed '/<When>.*<\/When>/{s/ Jun 20/.06./g}'                    |
    sed '/<When>.*<\/When>/{s/ Jul 20/.07./g}'                    |
    sed '/<When>.*<\/When>/{s/ Aug 20/.08./g}'                    |
    sed '/<When>.*<\/When>/{s/ Sep 20/.09./g}'                    |
    sed '/<When>.*<\/When>/{s/ Oct 20/.10./g}'                    |
    sed '/<When>.*<\/When>/{s/ Nov 20/.11./g}'                    |
    sed '/<When>.*<\/When>/{s/ Dec 20/.12./g}'                    |
    sed 's/ +0100<\/When>/<\/When>/g'                                     |
    sed 's/ +0200<\/When>/<\/When>/g'                                     > export_rf_modified.xml



#    sed 's/ Jan 20/.01./g'                              |
#    sed 's/ Feb 20/.02./g'                              |
#    sed 's/ Mar 20/.03./g'                              |
#    sed 's/ Apr 20/.04./g'                              |
#    sed 's/ May 20/.05./g'                              |
#    sed 's/ Jun 20/.06./g'                              |
#    sed 's/ Jul 20/.07./g'                              |
#    sed 's/ Aug 20/.08./g'                              |
#    sed 's/ Sep 20/.09./g'                              |
#    sed 's/ Oct 20/.10./g'                              |
#    sed 's/ Nov 20/.11./g'                              |
#    sed 's/ Dec 20/.12./g'                              |




# search in XML and add offset to all IDs because they shall not overlap when merged.
echo "converting export_llrf.xml ..."
cat ./export_llrf.xml           | sed 's/<Subject>\(.*\)<\/Subject>/<Entry_Type><\/Entry_Type>\n\t\t<Status><\/Status>\n\t\t<Title>\1<\/Title>\n\t\t<Inv_ID><\/Inv_ID>/g' > export_llrf_modified1.xml
cat ./export_llrf_modified1.xml | awk -F'\t\t<MID>|</MID>||' '{ if ($2!="") {print "\t\t<MID>"$2+2016"</MID>"} else { print $1} }' > export_llrf_modified2.xml
cat ./export_llrf_modified2.xml | awk -F'\t\t<REPLY_TO>|</REPLY_TO>||' '{ if ($2!="") {print "\t\t<REPLY_TO>"$2+2016"</REPLY_TO>"} else { print $1} }' > export_llrf_modified3.xml
cat ./export_llrf_modified3.xml | awk -F'\t\t<IN_REPLY_TO>|</IN_REPLY_TO>||' '{ if ($2!="") {print "\t\t<IN_REPLY_TO>"$2+2016"</IN_REPLY_TO>"} else { print $1} }' > export_llrf_modified.xml

rm -rf ./export_llrf_modified1.xml ./export_llrf_modified2.xml ./export_llrf_modified3.xml 

cat ./export_llrf_modified.xml | 
    sed '/<Machine>SwissFEL<\/Machine>/ {N;N; s/<Machine>SwissFEL<\/Machine>.*<Domain>Test Systems<\/Domain>.*<Section>TRFCB/<Machine>OBLA<\/Machine>\n\t\t<Domain>All<\/Domain>\n\t\t<Section>TRFCB/g}'  |
    sed 's/<When>Mon /<When>/g'                           |
    sed 's/<When>Tue /<When>/g'                           |
    sed 's/<When>Wed /<When>/g'                           |
    sed 's/<When>Thu /<When>/g'                           |
    sed 's/<When>Fri /<When>/g'                           |
    sed 's/<When>Sat /<When>/g'                           |
    sed 's/<When>Sun /<When>/g'                           |
    sed 's/-Jan-/.01./g'                              |
    sed 's/-Feb-/.02./g'                              |
    sed 's/-Mar-/.03./g'                              |
    sed 's/-Apr-/.04./g'                              |
    sed 's/-May-/.05./g'                              |
    sed 's/-Jun-/.06./g'                              |
    sed 's/-Jul-/.07./g'                              |
    sed 's/-Aug-/.08./g'                              |
    sed 's/-Sep-/.09./g'                              |
    sed 's/-Oct-/.10./g'                              |
    sed 's/-Nov-/.11./g'                              |
    sed 's/-Dec-/.12./g'                              |
    sed 's/ +0100<\/When>//g'                                     |
    sed 's/ +0200<\/When>//g'                                     |
    sed 's/<\/When>/:00<\/When>/g'                      |
    sed 's/<When>-:00<\/When>/<When><\/When>/g'                    > export_llrf_modified_datetime.xml

echo "export_llrf_modified_datetime.xml need manual edit for empty <When></When>"
Attachment 2: generate_import_llrf_fwd.sh
#!/bin/bash
# KR84, 28.10.2019

# generate empty auto-fwd text for LLRF for 3100 entries and offset of 2000
echo "generated import_llrf_fwd.xml"
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" > import_llrf_fwd.xml
echo "<ELOG_LIST>" >> import_llrf_fwd.xml

declare -i ID
declare -i IDNEW

for ID in {1..3013}
do
    IDNEW=$ID+2016

    echo -e "\t<ENTRY>" >> import_llrf_fwd.xml
    echo -e "\t\t<MID>${ID}</MID>" >> import_llrf_fwd.xml
    echo -e "\t\t<DATE>Mon, 28 Oct 2019 20:00:00 +0200</DATE>" >> import_llrf_fwd.xml
#    echo -e "\t\t<DATE>28.10.2019 20:00:00</DATE>" >> import_llrf_fwd.xml
    echo -e "\t\t<ATTACHMENT></ATTACHMENT>" >> import_llrf_fwd.xml
    echo -e "\t\t<ENCODING>HTML</ENCODING>" >> import_llrf_fwd.xml
    echo -e "\t\t<When>28.10.2019 20:00:00</When>" >> import_llrf_fwd.xml
#    echo -e "\t\t<When>1572289200</When>" >> import_llrf_fwd.xml
    echo -e "\t\t<Author>Kalt Roger (KR84)</Author>" >> import_llrf_fwd.xml
    echo -e "\t\t<Machine>SwissFEL</Machine>" >> import_llrf_fwd.xml
    echo -e "\t\t<Domain></Domain>" >> import_llrf_fwd.xml
    echo -e "\t\t<Section></Section>" >> import_llrf_fwd.xml
    echo -e "\t\t<System></System>" >> import_llrf_fwd.xml
    echo -e "\t\t<Subsystem></Subsystem>" >> import_llrf_fwd.xml
    echo -e "\t\t<Subject>Automatic forward</Subject>" >> import_llrf_fwd.xml
    echo -e "\t\t<TEXT>&lt;meta http-equiv=&quot;refresh&quot; content=&quot;0; URL=&apos;https://elog-gfa.psi.ch/SwissFEL+RF/${IDNEW}&apos;&quot; /&gt;</TEXT>" >> import_llrf_fwd.xml
    echo -e "\t</ENTRY>" >> import_llrf_fwd.xml
done

echo "</ELOG_LIST>" >> import_llrf_fwd.xml

69059 | Sun Nov 17 14:55:11 2019 | Reply | Jan Christoph Terasa | terasa@physik.uni-kiel.de | Question | Linux | V3.1.4-ba84827 | Re: PAM authentication question
David Wallis wrote:

I'm testing the PAM authentication feature, and have a couple questions, a suggestion, and a comment.

First the comment... it was pretty easy to get working, and is exactly what we need here, so thanks! Our PAM stack here is designed to allow logins with Active Directory, LDAP, or local accounts, so the PAM option preserves all of that.

The suggestion: In order to make it work, I had to add a symbolic link in /etc/pam.d:
    elogd -> system-auth
That might be considered for addition to the documentation (this was on Red Hat Enterprise Linux 7.7)

The questions:

  1. The docs indicate that "Self register" must be set to >= 1, but in the code (elogd.c, line 26453), if the PAM module is enabled, Self register is overridden to 0. The result is that no "register as new user" link is displayed on the login screen. Is that the intent?
  2. Related... can PAM and File authentication both be enabled? We have some logbooks that are used by both internal people (with an A/D account) and outside collaborators that get local elog accounts. This works with LDAP + File, can it work with PAM?

Thanks in advance!

 

David, thank you for reporting on your findings regarding the PAM feature. I will look into the points you mentioned:

0. On my machines (Debian testing and stable) I did not have to add anything to /etc/pam.d, but apparently Debian just uses implicit defaults then, and RHEL might insist on using explicit settings. Adding a hint in the documentation is certainly useful, thank you for the suggestion. Maybe elog should provide a pam.d config file (which can be installed/adapted by package maintainers for various OSes).

1.+2. If I remember correctly, I intentionally disabled registration when using the PAM backend, because users will register using their passwd/LDAP/NIS users, and new users can only be registered using the appropriate tools for the authentication mechanism used. This might not be correctly reflected in the docs, I will check that. In the light of question 2., I can also re-investigate that policy, so that logins will check against both the elog user database and PAM. Self-registering can then be enabled again, and new registrees will go to the elog database. I will try to bring the code in line with how LDAP works.

 

regards,

Christoph
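
Why the symlink was needed on Red Hat but not on Debian, as an added example that is not part of the posts above and not ELOG code: when a service has no file of its own, Linux-PAM falls back to /etc/pam.d/other, which is deny-all on Red Hat systems and includes the common stack on Debian. The script reports which file the service name "elogd" resolves to and whether its auth stack can ever succeed; the function names and the sample trees built in a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ELOG code). The PAM service name "elogd" is taken from
# the thread; the directory trees built by make_sample are constructed samples.

# Print the file Linux-PAM reads for service $2 in directory $1: the service
# file itself (symlinks are followed) or, if absent, the "other" fallback.
pam_service_file() {
    if [ -e "$1/$2" ]; then printf '%s\n' "$1/$2"
    elif [ -e "$1/other" ]; then printf '%s\n' "$1/other"
    else return 1
    fi
}

# List auth modules reachable from file $2, following "auth include X",
# "auth substack X" and Debian-style "@include X" (paths relative to $1).
pam_auth_modules() (
    dir=$1 file=$2 depth=${3:-0}
    [ "$depth" -le 8 ] && [ -r "$file" ] || exit 0   # loop / missing-file guard
    # Collapse bracketed controls like [success=1 default=ignore] to one word.
    sed 's/\[[^]]*]/[ctl]/' "$file" |
    while read -r type control module rest || [ -n "$type" ]; do
        case $type in
            ''|'#'*) continue ;;
            @include) pam_auth_modules "$dir" "$dir/$control" $((depth + 1))
                      continue ;;
        esac
        [ "${type#-}" = auth ] || continue
        case $control in
            include|substack) pam_auth_modules "$dir" "$dir/$module" $((depth + 1)) ;;
            *) printf '%s\n' "${module##*/}" ;;
        esac
    done
)

# Verdict for service $2 in $1: "missing" (no file, no fallback), "deny-only"
# (no auth module other than pam_deny.so/pam_warn.so) or "usable".
pam_auth_verdict() {
    f=$(pam_service_file "$1" "$2") || { echo missing; return 0; }
    mods=$(pam_auth_modules "$1" "$f" |
           grep -v -e '^pam_deny\.so$' -e '^pam_warn\.so$' || true)
    if [ -n "$mods" ]; then echo usable; else echo deny-only; fi
}

# Build two constructed pam.d trees under $1: "rhel" (deny-all fallback) and
# "debian" (fallback includes the common auth stack).
make_sample() {
    mkdir -p "$1/rhel" "$1/debian"
    printf 'auth required pam_env.so\nauth sufficient pam_unix.so nullok\nauth required pam_deny.so\naccount required pam_unix.so\n' > "$1/rhel/system-auth"
    printf 'auth required pam_deny.so\naccount required pam_deny.so\n' > "$1/rhel/other"
    printf 'auth [success=1 default=ignore] pam_unix.so nullok\nauth requisite pam_deny.so\nauth required pam_permit.so\n' > "$1/debian/common-auth"
    printf '@include common-auth\n@include common-account\n' > "$1/debian/other"
}

tmp=$(mktemp -d) && make_sample "$tmp"
echo "rhel, no elogd file:   $(pam_auth_verdict "$tmp/rhel" elogd)"
ln -s system-auth "$tmp/rhel/elogd"      # the symlink described in the post
echo "rhel, with symlink:    $(pam_auth_verdict "$tmp/rhel" elogd)"
echo "debian, no elogd file: $(pam_auth_verdict "$tmp/debian" elogd)"
rm -rf "$tmp"
```

On a real host, call `pam_auth_verdict /etc/pam.d elogd`; a dedicated /etc/pam.d/elogd file makes the behaviour independent of what the distribution ships in `other`.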

69058 | Mon Nov 11 13:09:35 2019 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Request | All | 3.1.4 | Re: Subdirectories in logbooks

Just use groups as written in the manual: https://elog.psi.ch/elog/config.html#groups

Stefan

pavel wrote:

Hello, is there any way to organize logbooks in some kind of tree with sublogbooks, or just to have subdirectories in a logbook directory on the filesystem (treat it as a sublogbook if its name is different from 4 digits of year and pin above all the entries in a list) to structure entries a bit?

 

 

69057 | Sat Nov 9 22:44:23 2019 | Idea | pavel | temp213@gorodok.net | Request | All | 3.1.4 | Subdirectories in logbooks

Hello, is there any way to organize logbooks in some kind of tree with sublogbooks, or just to have subdirectories in a logbook directory on the filesystem (treat it as a sublogbook if its name is different from 4 digits of year and pin above all the entries in a list) to structure entries a bit?

 

69055 | Tue Nov 5 21:42:50 2019 | Question | David Wallis | wallis@aps.anl.gov | Question | Linux | V3.1.4-ba84827 | PAM authentication question

I'm testing the PAM authentication feature, and have a couple questions, a suggestion, and a comment.

First the comment... it was pretty easy to get working, and is exactly what we need here, so thanks! Our PAM stack here is designed to allow logins with Active Directory, LDAP, or local accounts, so the PAM option preserves all of that.

The suggestion: In order to make it work, I had to add a symbolic link in /etc/pam.d:
    elogd -> system-auth
That might be considered for addition to the documentation (this was on Red Hat Enterprise Linux 7.7)

The questions:

  1. The docs indicate that "Self register" must be set to >= 1, but in the code (elogd.c, line 26453), if the PAM module is enabled, Self register is overridden to 0. The result is that no "register as new user" link is displayed on the login screen. Is that the intent?
  2. Related... can PAM and File authentication both be enabled? We have some logbooks that are used by both internal people (with an A/D account) and outside collaborators that get local elog accounts. This works with LDAP + File, can it work with PAM?

Thanks in advance!

69054 | Thu Oct 24 16:38:27 2019 | Reply | marijn lucas | marijn.lucas@rhul.ac.uk | Question | Linux | v3.1.2 | Re: Hide logbook tab when not authorized

*** edit ***

I solved my problem by removing the guest options from the logbooks ('Guest menu commands' and 'Guest List Menu commands'), this forbids any unauthorised user to see the content of the concerned logbooks. This is what I needed.

***********
 

Dear Stefan,

I am currently configuring elog for a user platform that will run different unrelated experiments for unrelated research groups. Like Stefano, I would also like users to see only the logbooks that they are allowed to edit; your answer was

Hiding logbooks from the logbook selection page is not possible since when people bring up that page, they are not yet logged in, so elog does not know who is accessing the page

However if I set Protect Selection page = 1 in [global] and force users to log in before accessing the logbook selection page, wouldn't elog know who looks at the page?

I would like to use top groups to separate administrative tasks from experimental projects and maintain an easy flow between the different logbooks within a top group for those users that can edit more than one logbook (e.g. the employees of the user platform).

Kindly,

marijn

Stefan Ritt wrote:

Hi Stefano,

that's what top groups were made for. So make a top group for yourself, and nobody will be able to see them without having the proper URL. Hiding logbooks from the logbook selection page is not possible since when people bring up that page, they are not yet logged in, so elog does not know who is accessing the page (fortunately no face recognition yet!). So if elog does not know who looks at that page, logbooks which a certain user has no access to cannot be hidden because the user is not known at that point.

Best regards,

Stefan

Andreas Luedeke wrote:

Well, Stefan would need to answer that. But if you are good with C-programming, you might implement it yourself?

There is a way to implement it; but it makes your installation a lot more complicated: you can have two ELOG servers. The first has all logbooks but requires authentication to read any. The second has only the public logbooks, and they are mirrored from the first.

Stefano Bonaldo wrote:

Hi Andreas,

many thanks for your answer. I partially agree with you, because sometimes "for privacy" of my working group I don't want other users (external users) to know the existence of the other logbooks.

Do you think that will be implemented in future?

Best regards, Stefano

Andreas Luedeke wrote:

Hi Stefano,

I think your assessment is correct: it is not possible to hide a logbook based on your read/write privileges.
And I'm not even sure that this would make much sense: at least you need to be able to get to the login page of the logbook.
But if you don't have read privileges for a logbook, you'll be automatically redirected to the login page, as soon as you select this logbook.

Kind Regards, Andreas

Stefano Bonaldo wrote:

Hello, I read carefully the manual, but I didn't find a way to hide the logbooks in the logbook bar and in the initial logbook selection for which the user does not have the access. So, if a user1 does not have the access to a specific logbook, user1 is not able to see that logbook in the bar and neither in the initial logbook selection. How can I do this without using the top groups?

 

 

 

 

 

69053 | Tue Oct 22 12:47:06 2019 | Reply | Finn Junker | fj@tvis.net | Question | Windows | 3.1.4 | Re: Edit of multiple posts

Trial and error - it seems like this combination does the trick:

Locked Attributes = Author

Fixed Attributes Edit = Author

Allows you to edit, e.g., the status of multiple entries even if one attribute is locked.

 

Kind Regards Finn

Finn Junker wrote:

Hello Andreas

Or maybe my reply was unclear :-), but I did use the "Show Attributes Edit" the way you meant to not show attribute BRUGER and when I do that I get:

Error: Attribute Bruger not supplied.

Please go back and enter the Bruger field

Kind Regards Finn

Andreas Luedeke wrote:
I'm sorry, apparently my tip was not clear: you should use "Show Attributes Edit = " to NOT SHOW any of your locked attributes.
It is just a guess: if the attribute is not shown in your edit form, it will not complain about it when you submit the form.
Did you try that?
Cheers, Andreas
 
Finn Junker wrote:

Hello Andreas

Show Attributes Edit = xxx, limits the attributes shown when editing but when you submit you get the error

Error: Attribute Bruger not supplied.

Please go back and enter the Bruger field.

If I save instead of submitting, it looks like it does change the attribute as intended in my test Elog system. Unfortunately I've disabled save with "Save drafts = 0" in my live system - to only use submit, and enabling drafts only causes other issues. My configuration is attached.

Kind Regards Finn 

Andreas Luedeke wrote:

Hi Finn,

I don't know if this was intended, but at least I know a possible solution: with the command
"Show Attributes Edit = "
you can limit the attribute list shown in the edit form to those that are not Locked.
 
I haven't tried, but I guess that should work.
Cheers
Andreas
Finn Junker wrote:

Hello Andreas

OK, I did install a version of ELOG with a minimum of settings and the edit of multiple settings works fine. I've tracked the issue to "Locked Attributes = Bruger".

If one or more of the attributes are locked I get the error "Error: Attribute option - keep original values - not existing". I'm not trying to change the locked attribute, but it seems when one is locked multiple editing is not possible.

Is that intended to work this way?

Kind Regards Finn

Andreas Luedeke wrote:

I use editing of multiple entries frequently and it works fine for me.

To understand your problem I would suggest that you try a minimal configuration. If you have a test logbook with just one or two fields and it still does not work, then post the config here that people can reproduce your problem - and hopefully find a fix.

Cheers, Andreas

Finn Junker wrote:

Hello Elog Forum

There is in ELOG the function to edit multiple posts, e.g. to change the status from "ongoing" to "finished" -> in Danish translation "igangværende" and "afsluttet", see the attached pictures.

When I select multiple posts and want to edit them to status "afsluttet" I get the "udklip_2.jpg" entry form and change only the status to "afsluttet" (Finished).

The result is an error informing that the attribute "gem oprindelige værdier" does not exist. As a test I changed the text in the translation file from "Keep origianl values = gem oprindelige værdier" to "Keep origianl values = Keep origianl values" but the result is the same error: Attribut Keep original values does not exist.

Is there a solution to this, or is multiple editing of posts not allowed?

Kind Regards Finn

 

 

 

 

 

 

 

ELOG V3.1.5-3fb85fa6