I've managed to get GLPI/Fusion Inventory/Nethserver AD and Flyve MDM working together; here are the steps. Please note the first part is from my notes, which might be out of date; I'll check and update as necessary. Also, while not yet tested, this should work on Raspberry Pi.
Step 1.
In the Nethserver Cockpit, under Web server, create a virtual host and select PHP 7.3
Step 2.
Install MariaDB 10.5 along with some additional prerequisites
yum install -y php-xmlrpc rh-php73 rh-mariadb105 mariadb-server glpi php-pecl-apcu php-pecl-zendopcache xmlrpc unzip git composer && sudo systemctl start mariadb.service && sudo mysql_secure_installation
Then create the user and database with
mysql105 -u root
-- The host part of an account is a host name or IP address only; the port (3313) is supplied by the client when it connects
CREATE USER 'glpi'@'127.0.0.1' IDENTIFIED BY 'yourstrongpassdontuse$';
GRANT USAGE ON *.* TO 'glpi'@'127.0.0.1' IDENTIFIED BY 'yourstrongpassdontuse$' REQUIRE NONE WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
CREATE DATABASE IF NOT EXISTS glpi;
GRANT ALL PRIVILEGES ON glpi.* TO 'glpi'@'127.0.0.1';
FLUSH PRIVILEGES;
quit
Step 3.
Download GLPI
cd /var/lib/nethserver/vhost/virtualhostrootdirectory
wget https://github.com/glpi-project/glpi/releases/download/9.5.5/glpi-9.5.5.tgz
tar -xvzf glpi-9.5.5.tgz
or, if you want it to be accessible by just the virtual host name, add --strip 1 to the end of the command
tar -xvzf glpi-9.5.5.tgz --strip 1
cd ./glpi
find ./* -type d -exec chmod 755 {} + && find ./* -type f -exec chmod 644 {} +
chown apache:apache -R ./*
a2enmod rewrite
a2enmod proxy_fcgi setenvif
systemctl restart httpd
Step 4.
Open a web browser and go to https://virtualhost/glpi
a. Select your language
b. Agree to the terms
c. Choose Install
d. for the time being ignore the dependencies and continue
e. enter your database details as follows
SQL Server (MariaDB or MySQL)=127.0.0.1:3313
SQL User=glpi
SQL Password=yourstrongpassdontuse$
and ‘keep on going’
f. Select glpi database and continue and wait for Step 3 to display OK - database was initialized and click ‘keep on going’
g. Decide if you want to Send “usage statistics” and click ‘continue’
h. click ‘continue’ in step 5 and ‘use GLPI’ in step 6
*** Note: you might get an error like "Invalid cookie data" or "Empty login or password"; just click login again. The default logins (whose passwords must be changed) are as follows ***
- glpi / glpi (super-admin)
- tech / tech
- postonly / postonly (only for helpdesk)
- normal / normal
Don't forget to run rm ./install/install.php to remove the installer
Also see the official GLPI docs and the Flyve MDM docs
Step 5.
To install flyve mdm
Cd to glpi virtual host root document folder
cd /var/lib/nethserver/vhost/virtualhostrootdirectory
Install the following
yum install -y unzip git composer mosquitto mosquitto-clients mosquitto-dev
Then to save time later
cd ~
mosquitto -v
wget http://mosquitto.org/files/source/<output from previous cmd ie mosquitto-1.6.9.tar.gz>
sudo composer self-update --1
to avoid issues with later versions of composer*
cd ./glpi/plugins
git clone https://github.com/fusioninventory/fusioninventory-for-glpi.git fusioninventory
git clone https://github.com/flyve-mdm/glpi-plugin.git flyvemdm
git clone https://github.com/KSATDesign/mosquitto-auth-plug.git
mv mosquitto-auth-plug /usr/lib/mosquitto-auth-plug
cd ./flyvemdm
composer install --no-dev
ignore any errors at this point
Open a web browser and go to https://virtualhost/glpi/front/plugin.php
First click the folder icon on the right side of FusionInventory under Actions to install it, then enable it
Then do the same for flyvemdm
Step 6
To compile mosquitto-auth-plug
cd /usr/lib/mosquitto-auth-plug
nano config.mk.in
change
...
MOSQUITTO_SRC =
OPENSSLDIR = /usr
...
to
...
MOSQUITTO_SRC = /where you downloaded the source in the previous section
OPENSSLDIR = /default openssl directory, i.e. /usr/lib/ssl
...
then save file as config.mk
then run
make
To get Mosquitto to use mosquitto-auth-plug
nano /etc/mosquitto/conf.d/flyvemdm.conf
allow_anonymous false
auth_plugin /usr/lib/mosquitto-auth-plug/auth-plug.so
auth_opt_backends mysql
# Same MariaDB instance, database and account as in Steps 2 and 4 (127.0.0.1:3313, database glpi)
auth_opt_host 127.0.0.1
auth_opt_port 3313
auth_opt_user glpi
auth_opt_dbname glpi
auth_opt_pass yourstrongpassdontuse$
auth_opt_userquery SELECT password FROM glpi_plugin_flyvemdm_mqttusers WHERE user='%s' AND enabled='1'
auth_opt_aclquery SELECT topic FROM glpi_plugin_flyvemdm_mqttacls a LEFT JOIN glpi_plugin_flyvemdm_mqttusers u ON (a.plugin_flyvemdm_mqttusers_id = u.id) WHERE u.user='%s' AND u.enabled='1' AND (a.access_level & %d)
auth_opt_cacheseconds 300
listener 8883
cafile /etc/mosquitto/certs/cachain.pem
certfile /etc/mosquitto/certs/cachain.pem
keyfile /etc/mosquitto/certs/private-key.key
tls_version tlsv1.2
ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-RC4-SHA:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
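A quick audit of the broker settings from Step 6, as an added example that is not part of the original post: it checks that anonymous access is off, an auth plugin is loaded, every listener has TLS material, and the file holding auth_opt_pass is not accessible to other users. The function name audit_conf and the sample file are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# audit_conf FILE: print one line per finding, return 1 if there is any.
audit_conf() {
    conf=$1
    out=$(awk '
        /^[ \t]*(#|$)/          { next }            # skip comments and blanks
        $1 == "allow_anonymous" { anon = $2 }
        $1 == "auth_plugin"     { plugin = $2 }
        $1 == "auth_opt_pass"   { print "SECRET" }  # marker, removed below
        $1 == "listener"        { port = $2; seen[port] = 1 }
        $1 == "certfile"        { cert[port] = 1 }
        $1 == "keyfile"         { key[port] = 1 }
        $1 == "tls_version"     { tls[port] = 1 }
        END {
            if (anon != "false") print "allow_anonymous is not false"
            if (plugin == "")    print "no auth_plugin is loaded"
            for (p in seen) {
                if (!cert[p] || !key[p]) print "listener " p " has no certfile/keyfile"
                else if (!tls[p])        print "listener " p " does not set tls_version"
            }
        }' "$conf")
    # The config stores the database password in clear text, so the file
    # itself must not grant any permission to "other".
    case $out in *SECRET*)
        case $(stat -c %a "$conf") in
            *[1-7]) out="$out
$conf holds auth_opt_pass but is accessible to other users" ;;
        esac ;;
    esac
    out=$(printf '%s\n' "$out" | sed '/^SECRET$/d;/^$/d')
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
    return 0
}

# Constructed sample: a plaintext listener next to the TLS one, mode 644.
sample=$(mktemp)
cat > "$sample" <<'EOF'
allow_anonymous false
auth_plugin /usr/lib/mosquitto-auth-plug/auth-plug.so
auth_opt_pass examplepassword
listener 1883
listener 8883
certfile /etc/mosquitto/certs/cachain.pem
keyfile /etc/mosquitto/certs/private-key.key
tls_version tlsv1.2
EOF
chmod 644 "$sample"
audit_conf "$sample" || true
rm -f "$sample"
```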
Step 7.
We need to set up a script for moving the certs and rehashing them, and set up a cron job
The Script
mkdir -p /etc/Jobs
cat > /etc/Jobs/certmove.sh <<'EOF'
#!/usr/bin/bash
# Copy the renewed Let's Encrypt chain and key to where Mosquitto reads them
sudo cp /etc/letsencrypt/live/yourdomain.tld/fullchain.pem /etc/mosquitto/certs/cachain.pem
sudo cp /etc/letsencrypt/live/yourdomain.tld/privkey.pem /etc/mosquitto/certs/private-key.key
# Only the mosquitto user may read the private key
sudo chmod 600 /etc/mosquitto/certs/private-key.key
sudo chown mosquitto:root /etc/mosquitto/certs/private-key.key
sudo c_rehash /etc/mosquitto/certs
sudo systemctl restart mosquitto
echo "done"
EOF
# The certbot post-hook runs the script directly, so it must be executable
chmod +x /etc/Jobs/certmove.sh
Create the cron job
nano /etc/crontab
# Entries in /etc/crontab need a user field after the schedule; GLPI's cron runs as apache, the owner set in Step 3
15 3 * * * root certbot renew --noninteractive --post-hook "/etc/Jobs/certmove.sh"
* * * * * apache /usr/bin/php7.3 /var/lib/nethserver/vhost/virtualhostrootdirectory/glpi/front/cron.php >/dev/null 2>&1 # add this while we're there
save and
systemctl reload crond # I'll put the steps later for using the crontab manager module
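A check that can be run after certmove.sh, as an added example that is not part of the original post: it confirms that the private key belongs to the first certificate in the chain file, that the certificate is not about to expire, and that the key is mode 600. The function name check_pair is hypothetical, GNU stat and the openssl command-line tool are assumed, and the demo uses a throwaway self-signed pair instead of the real Let's Encrypt files.

```shell
#!/bin/sh
# check_pair CERT KEY [SECONDS]: print findings, return 1 if there is any.
check_pair() {
    cert=$1
    key=$2
    window=${3:-604800}          # default: flag expiry within 7 days
    bad=0
    # Compare the public key inside the certificate with the one derived
    # from the private key; with a fullchain file openssl reads the leaf.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not belong to the certificate"
        bad=1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        echo "certificate expires within $window seconds"
        bad=1
    fi
    if [ "$(stat -c %a "$key")" != 600 ]; then
        echo "key mode is not 600"
        bad=1
    fi
    return $bad
}

# Demo on a constructed self-signed pair (file names mirror the ones above).
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mqtt.example.test" \
        -keyout "$d/private-key.key" -out "$d/cachain.pem" 2>/dev/null
    chmod 600 "$d/private-key.key"
    if check_pair "$d/cachain.pem" "$d/private-key.key"; then echo "pair ok"; fi
    rm -rf "$d"
fi
```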
Step 8
As I'm using Let's Encrypt for the cert, you need to copy the AD cert to the Samba container to use LDAPS. To do that, run the following in a terminal
cat <<'EOF' >>/etc/e-smith/events/certificate-update/S80push2ad
#!/bin/bash
# Push the renewed host certificate and key into the nsdc (Samba AD) container
cp -f -p /etc/pki/tls/certs/localhost.crt /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
cp -f -p /etc/pki/tls/private/localhost.key /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
systemctl -M nsdc restart samba
EOF
# Event handlers are executed directly, so the file must be executable
chmod +x /etc/e-smith/events/certificate-update/S80push2ad
To set up LDAP (Nethserver AD), in the GLPI web interface go to Setup > Authentication > LDAP directories and fill out the following:
------------------------------------------------LDAP Server Connection----------------------------------------------------
Default server=Servername (or FQDN; either works, I believe it's more of a descriptive name)
Active=Yes
Server=ldaps://ad.yourdomain.tld
Port=636
Connection Filter=(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
BaseDN=dc=ad,dc=yourdomain,dc=com,dc=au
RootDN(for non-anonymous binds)=a-user-in-the-domain-admin-group@AD.YOURDOMAIN.COM.AU
Password (for non-anonymous binds)=password for a-user-in-the-domain-admin-group
Login Field=samaccountname
Synchronization field=objectguid
---------------------------Binding to the LDAP directory (at least for anyone using Nethserver as ad)---------
Surname=sn
First name=givenname
Email=mail
Phone=telephonenumber
Mobile phone=mobile
Picture=thumbnailphoto
Location=%{streetaddress},%{postalcode},%{st},%{co}
--------------------Belonging to groups--------------
Search type=Users and Groups
User attribute containing its groups=memberof
Filter to search in groups=(objectClass=user)
--------------------------------------------Advanced information---------------------------------------------------------
LDAP directory time zone=your GMT offset *Note: if you get an error about MySQL not being able to access the time zone, see "GLPI 9.4.6 to 9.5.1 MYSQL time zone access" in English support on the GLPI-Project forum
Domain name used by inventory tool for link the user=ad.yourdomain.com.au
then go to Administration > Users
click on [LDAP Directory Link]
Then Click on [Import new users]
and on [expert mode]
and [search]
then do the same for groups
Step 9.
We now need to install deeplink (some things are still a WIP)
cd /var/lib/nethserver/vhost/virtualhostrootdirectory/
git clone https://github.com/flyve-mdm/deeplink.git
cd deeplink/site
nano config.example.js
edit it to look like
window.appConfig = {
  defaultLocation: "https://your glpi virtualhost/",
  bugsnagApiKey: "optional",
  deeplinkBase: "flyve://register?data=${data}",
  androidDefaultLink: "https://f-droid.org/repo/org.flyve.mdm.agent.mqtt_3238.apk",
  iosDefaultLink: "https://itunes.apple.com/us/app/flyve-mdm-inventory-agent" // not sure of the location of the Apple IPA, so this won't work
}
save as config.js
Step 10
Setup the service startup script
nano /var/lib/nethserver/vhost/virtualhost/glpi/plugins/flyvemdm/scripts/flyvemdm.example.service
edit to look like this
[Unit]
Description=Flyve Mobile Device Management for GLPI
Wants=network.target
##########################################################################
ConditionPathExists=/var/lib/nethserver/vhost/virtualhost/glpi/plugins/flyvemdm/scripts/mqtt.php
##########################################################################
[Service]
Type=simple
# Run as the account that owns the GLPI files (apache:apache, set in Step 3)
User=apache
Group=apache
ExecStart=/var/lib/nethserver/vhost/virtualhost/glpi/plugins/flyvemdm/scripts/loop-run.sh
Restart=on-failure
SyslogIdentifier=flyvemdm
[Install]
WantedBy=multi-user.target
save as flyvemdm.service
systemctl daemon-reload
systemctl start flyvemdm.service
systemctl enable flyvemdm.service
Step 11
Enable email notifications by going to https://virtualhost/glpi/front/setup.notification.php
and enable the following
Enable followup => Yes
Enable followups via email => Yes
Enable followups from browser => Yes
then go to https://virtualhost/glpi/front/notificationmailingsetting.form.php
and fill out your mail server details
then go to https://virtualhost/glpi/front/crontask.form.php?id=22
In queuednotification settings
change Run Mode => CLI
Step 12
Setup API
go to https://virtualhost/glpi/front/config.form.php and go to api
Set the Following
URL of the API = https://virtualhost/apirest.php
Enable Rest API => Yes
Enable login with credentials => Yes
Enable login with external token => Yes
and create an api client
leave all blank except name
Name => a name of your choice
IPv4 Address Range=> your start and end iprange
Enable and save
Then go through the wizard (most things have been configured just need to Allow upload of APK and UPK files and follow the steps about disabling computers and inventory by name)