Network/zm setup notes

Overview

Steps to configure a zoneminder integration.

1. Install the latest debian (currently buster)
   1. make sure its hostname is "zoneminder"
2. As root, install sudo, create a user, add it to sudoers
3. Add a source for the zoneminder repo (the one in the debian repos is very stale)
   • echo "deb https://zmrepo.zoneminder.com/debian/release-1.36 bullseye/" > /etc/apt/sources.list.d/zoneminder.list
4. Install gnupg
   • apt install apt-transport-https gnupg
5. Add the key for the zoneminder repo
   • wget -O - https://zmrepo.zoneminder.com/debian/archive-keyring.gpg | sudo apt-key add -
6. Update apt since a new repo was added
   • apt update
7. Install zoneminder
   • apt install zoneminder
   1. systemctl enable zoneminder.service
   2. systemctl start zoneminder.service
   3. a2enconf zoneminder
   4. systemctl restart apache2
8. Modify zoneminder to use the Makers LDAP
   1. a2enmod ldap
   2. a2enmod authnz_ldap
   3. a2enmod php7.4
   4. Create /etc/apache2/conf-available/zoneminder-ml256.conf with these contents
      1. <Location /zm>
      2. AuthType Basic
      3. AuthBasicProvider ldap
      4. AuthLDAPURL ldap://newldap.256.makerslocal.org/dc=makerslocal,dc=org?uid
      5. AuthName "LDAP user plz"
      6. AuthType Basic
      7. Require valid-user
      8. </Location>
   5. a2enconf zoneminder-ml256
   6. systemctl restart apache2
9. Make new zm pc work in the makers local infrastructure
   1. vim /etc/network/interfaces -> change nameserver to 10.56.0.1
   2. vim /etc/network/interfaces -> set the ip to static 10.56.0.19
      1. auto enp3s0
      2. iface enp3s0 inet static
      3. address 10.56.0.19
      4. gateway 10.56.0.1
      5. netmask 255.255.255.0
10. log into the new ZM using your ML256 creds and modify the options to match the old zm
    1. ensure the PATH_ZMS on the Paths tab is "/zm/cgi-bin/nph-zms", among other things.
11. The PC was then connected to the DMZ net (200) by updating a switch port on the ProCurve switch to use that network.
12. Edit /etc/systemd/system$ cd multi-user.target.wants/zoneminder.service
    1. change 'Restart=on-abnormal' to 'Restart=always' and restart the service.
13. The old vm was shut down, and the PC was booted
14. Success!

Addendum

A lot of the information above will get you connected to various LDAP authenticated apps. The following is some good info.

• If your app needs a read only user, you can use your user account. Ex: uid=omegix,ou=people,dc=makerslocal,dc=org
  • I have no idea what "LDAP usr plz" above is, and am suspected it was not meant to be literal.
• If your app needs to know Base DN for listing users: ou=people,dc=makerslocal,dc=org
• Our LDAP does not use encryption, and is on port 389
• The application LDAP Admin makes it easy to browse a lot of this information, and provides a quick tool for copying and pasting dn's

Next Steps

1. Soak up the eudaimonia

Deep Gratitude from Phil to:

• Kinsey
• Tyler
• Hunter

Lessons Learned

• the reverse proxy works by mapping shop.ml.org/zm to zoneminder.ml.org
  • this is done in nginx on the remoteproxy VM in the /etc/nginx/sites-enabled folder. (specifically the shop.makerslocal.org.conf)
  • routing for zoneminder.makerslocal.org is handled by the edge router. it updates its hosts file from reported client hostnames and adds them as fqdns to the network
  • this is neat