Network/zm setup notes
From Makers Local 256
Overview
Steps to configure a zoneminder integration.
- Install the latest Debian (currently buster)
  - make sure its hostname is "zoneminder"
- As root, install sudo, create a user, add it to sudoers
- Add a source for the zoneminder repo (the one in the Debian repos is very stale)
  - echo "deb https://zmrepo.zoneminder.com/debian/release-1.36 bullseye/" > /etc/apt/sources.list.d/zoneminder.list
- Install gnupg
  - apt install apt-transport-https gnupg
- Add the key for the zoneminder repo
  - wget -O - https://zmrepo.zoneminder.com/debian/archive-keyring.gpg | sudo apt-key add -
- Update apt since a new repo was added
  - apt update
- Install zoneminder
  - apt install zoneminder
  - systemctl enable zoneminder.service
  - systemctl start zoneminder.service
  - a2enconf zoneminder
  - systemctl restart apache2
- Modify zoneminder to use the Makers LDAP
  - a2enmod ldap
  - a2enmod authnz_ldap
  - a2enmod php7.4
  - Create /etc/apache2/conf-available/zoneminder-ml256.conf with these contents
      <Location /zm>
          AuthType Basic
          AuthBasicProvider ldap
          AuthLDAPURL ldap://newldap.256.makerslocal.org/dc=makerslocal,dc=org?uid
          AuthName "LDAP user plz"
          Require valid-user
      </Location>
  - a2enconf zoneminder-ml256
  - systemctl restart apache2
- Make new zm pc work in the makers local infrastructure
  - vim /etc/network/interfaces -> change nameserver to 10.56.0.1
  - vim /etc/network/interfaces -> set the ip to static 10.56.0.19
      auto enp3s0
      iface enp3s0 inet static
          address 10.56.0.19
          gateway 10.56.0.1
          netmask 255.255.255.0
- log into the new ZM using your ML256 creds and modify the options to match the old zm
  - ensure the PATH_ZMS on the Paths tab is "/zm/cgi-bin/nph-zms", among other things.
- The PC was then connected to the DMZ net (200) by updating a switch port on the ProCurve switch to use that network.
- Edit /etc/systemd/system/multi-user.target.wants/zoneminder.service
  - change 'Restart=on-abnormal' to 'Restart=always' and restart the service.
- The old vm was shut down, and the PC was booted
- Success!
Addendum
A lot of the information above will get you connected to various LDAP authenticated apps. The following is some good info.
- If your app needs a read only user, you can use your user account. Ex: uid=omegix,ou=people,dc=makerslocal,dc=org
- "LDAP user plz" is a prompt provided to the user logging in and is meant to be literal.
- If your app needs to know Base DN for listing users: ou=people,dc=makerslocal,dc=org
- Our LDAP does not use encryption, and is on port 389
- The application LDAP Admin makes it easy to browse a lot of this information, and provides a quick tool for copying and pasting DNs
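The AuthLDAPURL in zoneminder-ml256.conf above binds over plain ldap:// on port 389, so each user's password travels from Apache to the LDAP server in cleartext. The following is an added example, not the space's deployed config: the same block with StartTLS requested, assuming the LDAP server has been given a certificate and accepts StartTLS (the notes above say it currently does not use encryption); the CA file path is hypothetical.

```apache
# Added example: zoneminder-ml256.conf with the LDAP bind protected by StartTLS.
# Assumption: the LDAP server on newldap presents a certificate signed by the
# CA below and accepts StartTLS on port 389.

# Server-level directives (must sit outside <Location>).
# Hypothetical path: PEM file of the CA that signed the LDAP server certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ml256-ldap-ca.pem
# Reject the connection if the server certificate does not verify.
LDAPVerifyServerCert On

<Location /zm>
    AuthType Basic
    AuthName "LDAP user plz"
    AuthBasicProvider ldap

    # Weak setting, as in the notes: search and bind go over cleartext LDAP.
    # AuthLDAPURL ldap://newldap.256.makerslocal.org/dc=makerslocal,dc=org?uid

    # Corrected setting: same URL, with the connection upgraded to TLS
    # before any password is sent.
    AuthLDAPURL "ldap://newldap.256.makerslocal.org/dc=makerslocal,dc=org?uid" STARTTLS

    Require valid-user
</Location>
```

Run apachectl configtest before systemctl restart apache2. With STARTTLS set, logins fail if the server cannot negotiate TLS instead of silently falling back to cleartext.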
Next Steps
- Soak up the eudaimonia
Deep Gratitude from Phil to:
- Kinsey
- Tyler
- Hunter
Lessons Learned
- The reverse proxy works by mapping shop.ml.org/zm to zoneminder.ml.org
  - This is done in nginx on the remoteproxy VM in the /etc/nginx/sites-enabled folder (specifically the shop.makerslocal.org.conf).
- Routing for zoneminder.makerslocal.org is handled by the edge router. It updates its hosts file from reported client hostnames and adds them as FQDNs to the network
  - this is neat