Network/zm setup notes

From Makers Local 256
Jump to: navigation, search


Steps to configure a zoneminder integration.

  1. Install the latest debian (currently buster)
    1. make sure its hostname is "zoneminder"
  2. As root, install sudo, create a user, add it to sudoers
  3. Add a source for the zoneminder repo (the one in the debian repos is very stale)
  4. Install gnupg
    • apt install apt-transport-https gnupg
  5. Add the key for the zoneminder repo
  6. Update apt since a new repo was added
    • apt update
  7. Install zoneminder
    • apt install zoneminder
    1. systemctl enable zoneminder.service
    2. systemctl start zoneminder.service
    3. a2enconf zoneminder
    4. systemctl restart apache2
  8. Modify zoneminder to use the Makers LDAP
    1. a2enmod ldap
    2. a2enmod authnz_ldap
    3. a2enmod php7.4
    4. Create /etc/apache2/conf-available/zoneminder-ml256.conf with these contents
      1. <Location /zm>
      2. AuthType Basic
      3. AuthBasicProvider ldap
      4. AuthLDAPURL ldap://,dc=org?uid
      5. AuthName "LDAP user plz"
      6. AuthType Basic
      7. Require valid-user
      8. </Location>
    5. a2enconf zoneminder-ml256
    6. systemctl restart apache2
  9. Make new zm pc work in the makers local infrastructure
    1. vim /etc/network/interfaces -> change nameserver to
    2. vim /etc/network/interfaces -> set the ip to static
      1. auto enp3s0
      2. iface enp3s0 inet static
      3. address
      4. gateway
      5. netmask
  10. log into the new ZM using your ML256 creds and modify the options to match the old zm
    1. ensure the PATH_ZMS on the Paths tab is "/zm/cgi-bin/nph-zms", among other things.
  11. The PC was then connected to the DMZ net (200) by updating a switch port on the ProCurve switch to use that network.
  12. Edit /etc/systemd/system$ cd
    1. change 'Restart=on-abnormal' to 'Restart=always' and restart the service.
  13. The old vm was shut down, and the PC was booted
  14. Success!


A lot of the information above will get you connected to various LDAP authenticated apps. The following is some good info.

  • If your app needs a read only user, you can use your user account. Ex: uid=omegix,ou=people,dc=makerslocal,dc=org
    • I have no idea what "LDAP usr plz" above is, and am suspected it was not meant to be literal.
  • If your app needs to know Base DN for listing users: ou=people,dc=makerslocal,dc=org
  • Our LDAP does not use encryption, and is on port 389
  • The application LDAP Admin makes it easy to browse a lot of this information, and provides a quick tool for copying and pasting dn's

Next Steps

  1. Soak up the eudaimonia

Deep Gratitude from Phil to:

  • Kinsey
  • Tyler
  • Hunter

Lessons Learned

  • the reverse proxy works by mapping to
    • this is done in nginx on the remoteproxy VM in the /etc/nginx/sites-enabled folder. (specifically the
    • routing for is handled by the edge router. it updates its hosts file from reported client hostnames and adds them as fqdns to the network
    • this is neat