Discussion forum about ELOG, Page 99 of 806
ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
69063 | Fri Nov 22 02:55:50 2019 | Warning | John S. Haggerty | haggerty@bnl.gov | Bug report | Mac OSX | 3.1.4 | Trouble on Catalina

I decided to rebuild elog 3.1.4 in Catalina (MacOS 10.15.1), XCode 11.2.1.  As in previous builds, I needed to add to the Makefile pointers to openssl:

CFLAGS += -I/usr/local/opt/openssl/include

LIBS += -L/usr/local/opt/openssl/lib

The make builds cleanly, no errors, no warnings.  After make/make install, elogd segfaults immediately.  I saw the same behavior with the version in gitlab.  I kept my (very) old build and was able to make install it without recompiling and it still works.

I'll crack out the debugger when I have a chance to get more information, but has anyone else seen this problem?  

69061 | Thu Nov 21 18:10:28 2019 | Reply | David Wallis | wallis@aps.anl.gov | Question | Linux | V3.1.4-ba84827 | Re: PAM authentication question

Hi Christoph,

Thanks for looking into this, if you can enable PAM + File, our users would be very happy!

The pam.d issue is probably related to CentOS/Red Hat, since our PAM expert warned me that it might be necessary.

Jan Christoph Terasa wrote:
David Wallis wrote:

I'm testing the PAM authentication feature, and have a couple questions, a suggestion, and a comment.

First the comment... it was pretty easy to get working, and is exactly what we need here, so thanks! Our PAM stack here is designed to allow logins with Active Directory, LDAP, or local accounts, so the PAM option preserves all of that.

The suggestion: In order to make it work, I had to add a symbolic link in /etc/pam.d:
    elogd -> system-auth
That might be considered for addition to the documentation (this was on Red Hat Enterprise Linux 7.7)

The questions:

  1. The docs indicate that "Self register" must be set to >= 1, but in the code (elogd.c, line 26453), if the PAM module is enabled, Self register is overridden to 0. The result is that no "register as new user" link is displayed on the login screen. Is that the intent?
  2. Related... can PAM and File authentication both be enabled? We have some logbooks that are used by both internal people (with an A/D account) and outside collaborators that get local elog accounts. This works with LDAP + File, can it work with PAM?

Thanks in advance!

 

David, thank you for reporting on your findings regarding the PAM feature. I will look into the points you mentioned:

0. On my machines (Debian testing and stable) I did not have to add anything to /etc/pam.d, but apparently Debian just uses implicit defaults then, and RHEL might insist on using explicit settings. Adding a hint in the documentation is certainly useful, thank you for the suggestion. Maybe elog should provide a pam.d config file (which can be installed/adapted by package maintainers for various OSes).

1.+2. If I remember correctly, I intentionally disabled registration when using the PAM backend, because users will register using their passwd/LDAP/NIS users, and new users can only be registered using the appropriate tools for the authentication mechanism used. This might not be correctly reflected in the docs, I will check that. In the light of question 2., I can also re-investigate that policy, so that logins will check against both the elog user database and PAM. Self-registering can then be enabled again, and new registrees will go to the elog database. I will try to bring the code in line with how LDAP works.

 

regards,

Christoph

 

69060 | Mon Nov 18 16:58:21 2019 | Idea | Roger Kalt | roger.kalt@psi.ch | Info | Linux | 3.1.4 | Example scripts how to migrate or combine logbooks

Attached are the shell scripts, using awk and sed, showing how I migrated two separate logbooks into a single one and how I re-adjusted certain attributes.

Attachment 1: run_modif.sh
#!/bin/bash
# KR84, 28.10.2019

# the input files are the exported XML files from ELOG -> Finden


# search in XML for string between <DATE> and </DATE>
# and replace with: <DATE> and </DATE><When> and </When>
echo "converting export_rf.xml ..."
cat ./export_rf.xml | 
    sed 's/<Personnel\(.*\)Personnel>/<Author\1Author>/g' |
    sed 's/<DATE\(.*\)DATE>/<DATE\1DATE>\n\t\t<When\1When>/g'   |
    sed 's/<Subject>\(.*\)<\/Subject>/<Title>\1<\/Title><Entry_Type><\/Entry_Type>/g' |
    sed '/<Machine>SwissFEL<\/Machine>/ {N;N; s/<Machine>SwissFEL<\/Machine>.*<Domain>OBLA<\/Domain>.*<Section>TRFCB/<Machine>OBLA<\/Machine>\n\t\t<Domain>All<\/Domain>\n\t\t<Section>TRFCB/g}'  |
    sed 's/<When>Mon, /<When>/g'                          |
    sed 's/<When>Tue, /<When>/g'                          |
    sed 's/<When>Wed, /<When>/g'                          |
    sed 's/<When>Thu, /<When>/g'                          |
    sed 's/<When>Fri, /<When>/g'                          |
    sed 's/<When>Sat, /<When>/g'                          |
    sed 's/<When>Sun, /<When>/g'                          |
    sed '/<When>.*<\/When>/{s/ Jan 20/.01./g}'                    |
    sed '/<When>.*<\/When>/{s/ Feb 20/.02./g}'                    |
    sed '/<When>.*<\/When>/{s/ Mar 20/.03./g}'                    |
    sed '/<When>.*<\/When>/{s/ Apr 20/.04./g}'                    |
    sed '/<When>.*<\/When>/{s/ May 20/.05./g}'                    |
    sed '/<When>.*<\/When>/{s/ Jun 20/.06./g}'                    |
    sed '/<When>.*<\/When>/{s/ Jul 20/.07./g}'                    |
    sed '/<When>.*<\/When>/{s/ Aug 20/.08./g}'                    |
    sed '/<When>.*<\/When>/{s/ Sep 20/.09./g}'                    |
    sed '/<When>.*<\/When>/{s/ Oct 20/.10./g}'                    |
    sed '/<When>.*<\/When>/{s/ Nov 20/.11./g}'                    |
    sed '/<When>.*<\/When>/{s/ Dec 20/.12./g}'                    |
    sed 's/ +0100<\/When>/<\/When>/g'                                     |
    sed 's/ +0200<\/When>/<\/When>/g'                                     > export_rf_modified.xml



#    sed 's/ Jan 20/.01./g'                              |
#    sed 's/ Feb 20/.02./g'                              |
#    sed 's/ Mar 20/.03./g'                              |
#    sed 's/ Apr 20/.04./g'                              |
#    sed 's/ May 20/.05./g'                              |
#    sed 's/ Jun 20/.06./g'                              |
#    sed 's/ Jul 20/.07./g'                              |
#    sed 's/ Aug 20/.08./g'                              |
#    sed 's/ Sep 20/.09./g'                              |
#    sed 's/ Oct 20/.10./g'                              |
#    sed 's/ Nov 20/.11./g'                              |
#    sed 's/ Dec 20/.12./g'                              |




# search in XML and add offset to all IDs because they shall not overlap when merged.
echo "converting export_llrf.xml ..."
cat ./export_llrf.xml           | sed 's/<Subject>\(.*\)<\/Subject>/<Entry_Type><\/Entry_Type>\n\t\t<Status><\/Status>\n\t\t<Title>\1<\/Title>\n\t\t<Inv_ID><\/Inv_ID>/g' > export_llrf_modified1.xml
cat ./export_llrf_modified1.xml | awk -F'\t\t<MID>|</MID>||' '{ if ($2!="") {print "\t\t<MID>"$2+2016"</MID>"} else { print $1} }' > export_llrf_modified2.xml
cat ./export_llrf_modified2.xml | awk -F'\t\t<REPLY_TO>|</REPLY_TO>||' '{ if ($2!="") {print "\t\t<REPLY_TO>"$2+2016"</REPLY_TO>"} else { print $1} }' > export_llrf_modified3.xml
cat ./export_llrf_modified3.xml | awk -F'\t\t<IN_REPLY_TO>|</IN_REPLY_TO>||' '{ if ($2!="") {print "\t\t<IN_REPLY_TO>"$2+2016"</IN_REPLY_TO>"} else { print $1} }' > export_llrf_modified.xml

rm -rf ./export_llrf_modified1.xml ./export_llrf_modified2.xml ./export_llrf_modified3.xml 

cat ./export_llrf_modified.xml | 
    sed '/<Machine>SwissFEL<\/Machine>/ {N;N; s/<Machine>SwissFEL<\/Machine>.*<Domain>Test Systems<\/Domain>.*<Section>TRFCB/<Machine>OBLA<\/Machine>\n\t\t<Domain>All<\/Domain>\n\t\t<Section>TRFCB/g}'  |
    sed 's/<When>Mon /<When>/g'                           |
    sed 's/<When>Tue /<When>/g'                           |
    sed 's/<When>Wed /<When>/g'                           |
    sed 's/<When>Thu /<When>/g'                           |
    sed 's/<When>Fri /<When>/g'                           |
    sed 's/<When>Sat /<When>/g'                           |
    sed 's/<When>Sun /<When>/g'                           |
    sed 's/-Jan-/.01./g'                              |
    sed 's/-Feb-/.02./g'                              |
    sed 's/-Mar-/.03./g'                              |
    sed 's/-Apr-/.04./g'                              |
    sed 's/-May-/.05./g'                              |
    sed 's/-Jun-/.06./g'                              |
    sed 's/-Jul-/.07./g'                              |
    sed 's/-Aug-/.08./g'                              |
    sed 's/-Sep-/.09./g'                              |
    sed 's/-Oct-/.10./g'                              |
    sed 's/-Nov-/.11./g'                              |
    sed 's/-Dec-/.12./g'                              |
    sed 's/ +0100<\/When>//g'                                     |
    sed 's/ +0200<\/When>//g'                                     |
    sed 's/<\/When>/:00<\/When>/g'                      |
    sed 's/<When>-:00<\/When>/<When><\/When>/g'                    > export_llrf_modified_datetime.xml

echo "export_llrf_modified_datetime.xml need manual edit for empty <When></When>"
Attachment 2: generate_import_llrf_fwd.sh
#!/bin/bash
# KR84, 28.10.2019

# generate empty auto-fwd text for LLRF for 3100 entries and offset of 2000
echo "generated import_llrf_fwd.xml"
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" > import_llrf_fwd.xml
echo "<ELOG_LIST>" >> import_llrf_fwd.xml

declare -i ID
declare -i IDNEW

for ID in {1..3013}
do
    IDNEW=$ID+2016

    echo -e "\t<ENTRY>" >> import_llrf_fwd.xml
    echo -e "\t\t<MID>${ID}</MID>" >> import_llrf_fwd.xml
    echo -e "\t\t<DATE>Mon, 28 Oct 2019 20:00:00 +0200</DATE>" >> import_llrf_fwd.xml
#    echo -e "\t\t<DATE>28.10.2019 20:00:00</DATE>" >> import_llrf_fwd.xml
    echo -e "\t\t<ATTACHMENT></ATTACHMENT>" >> import_llrf_fwd.xml
    echo -e "\t\t<ENCODING>HTML</ENCODING>" >> import_llrf_fwd.xml
    echo -e "\t\t<When>28.10.2019 20:00:00</When>" >> import_llrf_fwd.xml
#    echo -e "\t\t<When>1572289200</When>" >> import_llrf_fwd.xml
    echo -e "\t\t<Author>Kalt Roger (KR84)</Author>" >> import_llrf_fwd.xml
    echo -e "\t\t<Machine>SwissFEL</Machine>" >> import_llrf_fwd.xml
    echo -e "\t\t<Domain></Domain>" >> import_llrf_fwd.xml
    echo -e "\t\t<Section></Section>" >> import_llrf_fwd.xml
    echo -e "\t\t<System></System>" >> import_llrf_fwd.xml
    echo -e "\t\t<Subsystem></Subsystem>" >> import_llrf_fwd.xml
    echo -e "\t\t<Subject>Automatic forward</Subject>" >> import_llrf_fwd.xml
    echo -e "\t\t<TEXT>&lt;meta http-equiv=&quot;refresh&quot; content=&quot;0; URL=&apos;https://elog-gfa.psi.ch/SwissFEL+RF/${IDNEW}&apos;&quot; /&gt;</TEXT>" >> import_llrf_fwd.xml
    echo -e "\t</ENTRY>" >> import_llrf_fwd.xml
done

echo "</ELOG_LIST>" >> import_llrf_fwd.xml

69059 | Sun Nov 17 14:55:11 2019 | Reply | Jan Christoph Terasa | terasa@physik.uni-kiel.de | Question | Linux | V3.1.4-ba84827 | Re: PAM authentication question
David Wallis wrote:

I'm testing the PAM authentication feature, and have a couple questions, a suggestion, and a comment.

First the comment... it was pretty easy to get working, and is exactly what we need here, so thanks! Our PAM stack here is designed to allow logins with Active Directory, LDAP, or local accounts, so the PAM option preserves all of that.

The suggestion: In order to make it work, I had to add a symbolic link in /etc/pam.d:
    elogd -> system-auth
That might be considered for addition to the documentation (this was on Red Hat Enterprise Linux 7.7)

The questions:

  1. The docs indicate that "Self register" must be set to >= 1, but in the code (elogd.c, line 26453), if the PAM module is enabled, Self register is overridden to 0. The result is that no "register as new user" link is displayed on the login screen. Is that the intent?
  2. Related... can PAM and File authentication both be enabled? We have some logbooks that are used by both internal people (with an A/D account) and outside collaborators that get local elog accounts. This works with LDAP + File, can it work with PAM?

Thanks in advance!

 

David, thank you for reporting on your findings regarding the PAM feature. I will look into the points you mentioned:

0. On my machines (Debian testing and stable) I did not have to add anything to /etc/pam.d, but apparently Debian just uses implicit defaults then, and RHEL might insist on using explicit settings. Adding a hint in the documentation is certainly useful, thank you for the suggestion. Maybe elog should provide a pam.d config file (which can be installed/adapted by package maintainers for various OSes).

1.+2. If I remember correctly, I intentionally disabled registration when using the PAM backend, because users will register using their passwd/LDAP/NIS users, and new users can only be registered using the appropriate tools for the authentication mechanism used. This might not be correctly reflected in the docs, I will check that. In the light of question 2., I can also re-investigate that policy, so that logins will check against both the elog user database and PAM. Self-registering can then be enabled again, and new registrees will go to the elog database. I will try to bring the code in line with how LDAP works.

 

regards,

Christoph
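
Point 0 in the reply above depends on how Linux-PAM picks a policy for a service name: it reads /etc/pam.d/<service> and, when no such file exists, applies /etc/pam.d/other. The shell check below is an added example, not part of the posts or of ELOG; the function names and the sample directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ELOG sources): which PAM policy does a service
# name resolve to? Linux-PAM reads <dir>/<service>; if that file does not
# exist it applies <dir>/other instead.

# pam_policy_source DIR SERVICE -> symlink:<target> | file | fallback:other | none
pam_policy_source() {
    if [ -L "$1/$2" ]; then
        echo "symlink:$(readlink "$1/$2")"
    elif [ -f "$1/$2" ]; then
        echo "file"
    elif [ -f "$1/other" ]; then
        echo "fallback:other"
    else
        echo "none"
    fi
}

# other_denies_auth DIR: succeeds when DIR/other has auth lines and every one
# of them uses pam_deny.so, so a service without its own file cannot log in.
other_denies_auth() {
    auth_lines=$(grep -E '^[[:space:]]*auth[[:space:]]' "$1/other" 2>/dev/null) || return 1
    ! printf '%s\n' "$auth_lines" | grep -qv 'pam_deny\.so'
}

# Constructed sample directory: a deny-only "other" and a system-auth stack,
# with no file for elogd yet (contents are illustrative, not a real system).
make_sample_pamd() {
    d=$(mktemp -d)
    printf 'auth     required  pam_deny.so\naccount  required  pam_deny.so\n' > "$d/other"
    printf 'auth     sufficient  pam_unix.so\nauth     required    pam_deny.so\n' > "$d/system-auth"
    echo "$d"
}

demo() {
    dir=$(make_sample_pamd)
    echo "before: $(pam_policy_source "$dir" elogd)"
    other_denies_auth "$dir" && echo "other is deny-only: elogd logins would fail"
    ln -s system-auth "$dir/elogd"       # the link described in the post
    echo "after:  $(pam_policy_source "$dir" elogd)"
    rm -rf "$dir"
}
demo
```

On a real host, call `pam_policy_source /etc/pam.d elogd` to see whether elogd has its own policy or is silently using the `other` stack.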

69058 | Mon Nov 11 13:09:35 2019 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Request | All | 3.1.4 | Re: Subdirectories in logbooks

Just use groups as written in the manual: https://elog.psi.ch/elog/config.html#groups

Stefan

pavel wrote:

Hello, is there any way to organize logbooks in some kind of tree with sublogbooks, or just have subdirectories in a logbook directory on the filesystem (treat it as a sublogbook if its name is different from 4 digits of year and pin above all the entries in a list) to structure entries a bit?

 

 

69057 | Sat Nov 9 22:44:23 2019 | Idea | pavel | temp213@gorodok.net | Request | All | 3.1.4 | Subdirectories in logbooks

Hello, is there any way to organize logbooks in some kind of tree with sublogbooks, or just have subdirectories in a logbook directory on the filesystem (treat it as a sublogbook if its name is different from 4 digits of year and pin above all the entries in a list) to structure entries a bit?

 

69055 | Tue Nov 5 21:42:50 2019 | Question | David Wallis | wallis@aps.anl.gov | Question | Linux | V3.1.4-ba84827 | PAM authentication question

I'm testing the PAM authentication feature, and have a couple questions, a suggestion, and a comment.

First the comment... it was pretty easy to get working, and is exactly what we need here, so thanks! Our PAM stack here is designed to allow logins with Active Directory, LDAP, or local accounts, so the PAM option preserves all of that.

The suggestion: In order to make it work, I had to add a symbolic link in /etc/pam.d:
    elogd -> system-auth
That might be considered for addition to the documentation (this was on Red Hat Enterprise Linux 7.7)

The questions:

  1. The docs indicate that "Self register" must be set to >= 1, but in the code (elogd.c, line 26453), if the PAM module is enabled, Self register is overridden to 0. The result is that no "register as new user" link is displayed on the login screen. Is that the intent?
  2. Related... can PAM and File authentication both be enabled? We have some logbooks that are used by both internal people (with an A/D account) and outside collaborators that get local elog accounts. This works with LDAP + File, can it work with PAM?

Thanks in advance!

69054 | Thu Oct 24 16:38:27 2019 | Reply | marijn lucas | marijn.lucas@rhul.ac.uk | Question | Linux | v3.1.2 | Re: Hide logbook tab when not authorized

*** edit ***

I solved my problem by removing the guest options from the logbooks ('Guest menu commands' and 'Guest List Menu commands'), this forbids any unauthorised user to see the content of the concerned logbooks. This is what I needed.

***********
 

Dear Stefan,

I am currently configuring elog for a user platform that will run different unrelated experiments for unrelated research groups. Like Stefano, I would also like users to see only the logbooks that they are allowed to edit; your answer was

Hiding logbooks from the logbook selection page is not possible since when people bring up that page, they are not yet logged in, so elog does not know who is accessing the page

However if I set Protect Selection page = 1 in [global] and force users to log in before accessing the logbook selection page, wouldn't elog know who looks at the page?

I would like to use top groups to separate administrative tasks from experimental projects and maintain an easy flow between the different logbooks within a top group for those users that can edit more than one logbook (e.g. the employees of the user platform).

Kindly,

marijn

Stefan Ritt wrote:

Hi Stefano,

that's what top groups were made for. So make a top group for yourself, and nobody will be able to see them without having the proper URL. Hiding logbooks from the logbook selection page is not possible since when people bring up that page, they are not yet logged in, so elog does not know who is accessing the page (fortunately no face recognition yet!). So if elog does not know who looks at that page, logbooks which a certain user has no access to cannot be hidden because the user is not known at that point.

Best regards,

Stefan

Andreas Luedeke wrote:

Well, Stefan would need to answer that. But if you are good with C-programming, you might implement it yourself?

There is a way to implement it; but it makes your installation a lot more complicated: you can have two ELOG servers. The first has all logbooks but requires authentication to read any. The second has only the public logbooks, and they are mirrored from the first.

Stefano Bonaldo wrote:

Hi Andreas,

many thanks for your answer. I partially agree with you, because sometimes "for privacy" of my working group I don't want other users (external users) to know the existence of the other logbooks.

Do you think that will be implemented in future?

Best regards, Stefano

Andreas Luedeke wrote:

Hi Stefano,

I think your assessment is correct: it is not possible to hide a logbook based on your read/write privileges.
And I'm not even sure that this would make much sense: at least you need to be able to get to the login page of the logbook.
But if you don't have read privileges for a logbook, you'll be automatically redirected to the login page, as soon as you select this logbook.

Kind Regards, Andreas

Stefano Bonaldo wrote:

Hello, I read carefully the manual, but I didn't find a way to hide the logbooks in the logbook bar and in the initial logbook selection for which the user does not have the access. So, if a user1 does not have the access to a specific logbook, user1 is not able to see that logbook in the bar and neither in the initial logbook selection. How can I do this without using the top groups?

 

 

 

 

 

ELOG V3.1.5-3fb85fa6