NethServer-SavaPage module

alefattorini · December 13, 2017, 10:30am

We’re cheering for you guys!

robb · December 13, 2017, 7:04pm

So the question is now: how to create a specfile that specifies the described sequence of actions?

I do want to point that it should be considered to use backends that are already used with other applications (if possible)
Especially for Java and PostgreSQL. I would hate to see 2 different versions of java and PostgreSQL installed if it can be avoided.

mrmarkuz · December 13, 2017, 8:27pm

We use one Java and one postgres.

EDIT:

I did a “nightly” build.

yum install http://markusneuberger.at/download/nethserver-savapage-0.0.1-3.ns7.x86_64.rpm

savapage not included in RPM anymore which makes the build much faster and the package smaller
savapage download via script
postgresql working

You have to do this after installation:

signal-event nethserver-savapage-update

I have to find out why it’s not working immediately after install…

Todos/ideas:

LDAP/AD
Default configuration
Some props for e-smith db
Split config and download script
Snapshot/stable version switch
Some reverse proxy to have savapage on a default web port

In the specfile are the requires like java 1.8.0 and the system user is created.

The work is done now by /etc/e-smith/events/actions/nethserver-savapage-conf

I fully agree. Following modules are used:

nethserver-avahi
nethserver-cups
nethserver-postgresql
java 1.8.0 from centos, it is needed by savapage, I tried with 1.7.0 which webtop uses, but the savapage-db script didn’t work

mrmarkuz · December 16, 2017, 2:38am

Nightly update:

LDAP works
AD only works when disabling TLS auth on nsdc container, did you ever try joining to AD with certs and java keystore?
Web printing works
Printing from my Windows 10 doesn’t work. The print stays for some seconds in the queue and then it’s gone without error. But may be a Windoze problem.

I’ll keep you updated…

davidep · December 16, 2017, 8:37am

This seems the same issue @planet_jeroen found in another thread. I’d ask @gabriele_bulfon how he solved it for WebTop5 which runs on the same Java stack.

gabriele_bulfon · December 16, 2017, 9:13am

Hello, at the moment we added code to manage “trust all certs” etc during setup of SSL/TLS sockets.
This is a recurrent problem when working with secure sockets in Java, as installing certificates is always a headache.

Here you can see the ldap auth code that sets up the connection using a library that already features “AllowAnyTrustManager” and “AllowAnyHostnameVerifier”:

github.com

sonicle-webtop/sonicle-security/blob/5ee22d7f2a97e57821cac3e0109b41f4680977ff/src/main/java/com/sonicle/security/auth/directory/AbstractLdapDirectory.java#L465


	
	protected void logConnectionSetup(ConnectionSetup setup) {
		ConnectionInitializer ci = setup.connectionConfig.getConnectionInitializer();
		if (ci instanceof BindConnectionInitializer) {
			logger.debug("Setting-up LDAP connection [url: {}, bindDn: {}]", setup.connectionConfig.getLdapUrl(), ((BindConnectionInitializer)ci).getBindDn());
		} else {
			logger.debug("Setting-up LDAP connection [url: {}]", setup.connectionConfig.getLdapUrl());
		}
	}
	
	protected ConnectionSetup setupConnection(String host, int port, ConnectionSecurity security, String dn, char[] password) {
		ConnectionConfig config = new ConnectionConfig("ldap://" + host + ":" + port);
		JndiProvider provider = null;
		
		if (EnumUtils.equals(security, ConnectionSecurity.SSL)) {
			provider = new JndiProvider();
			provider.getProviderConfig().setHostnameVerifier(new AllowAnyHostnameVerifier());
			config.setSslConfig(new SslConfig(new AllowAnyTrustManager()));
			config.setLdapUrl("ldaps://" + host + ":" + port);
			config.setUseSSL(true);
		} else if (EnumUtils.equals(security, ConnectionSecurity.STARTTLS)) {

davidep · December 16, 2017, 9:40am

Thank you for sharing the code snippets!

@robb we should ask Saveapage devs to implement the option that disables SSL cert verification.

mrmarkuz · December 16, 2017, 1:42pm

Thanks, guys! I’ll try the code asap!

robb · December 16, 2017, 2:54pm

I will bring it under their attention and tell what their response will be.
Is a more elegant way not possible? Like a smooth cert import procedure? It is not for nothing that SSL cert verification is in place. Could turning off SSL cert verification compromise payed/authorized printing in some way?

mrmarkuz · December 16, 2017, 3:47pm

I’ll try that even if some headache is predicted.

Disabling security mechanisms is always bad, but as far as I understand:
The problem are the self-signed certs when connecting to Nethserver AD.
You also have this kind of problem in your browser when you browse to https server with self signed cert but you are able to just allow the site and it works (the connection is still encrypted but the identities are not authorized by a third site)
In this case savapage wants to connect to Nethserver container and Nethserver (and samba as well) defaults to using TLS/SSL auth. So savapage has to connect with certs and complains about the self-signed cert of Nethserver.
I’d like the possibility, like you have in the browser, to say: I know that site, I’ll accept this cert, even if it is not fully valid.

If we don’t have this possibility savapage and AD will only work with valid certs or at least with Letsencrypt I think. For sure valid certs should also work, I don’t want to turn it off forever, it should just be the possibility to make it work with self-signed certs.

robb · December 16, 2017, 3:59pm

So allowing certs would be a better option than disabling SSL…

planet_jeroen · December 16, 2017, 7:13pm

I solved my AD cert issue by simply adding the fqdn of the samba container to it’s hosts letsencrypt cert, and copying it over the container’s certs.

This is the fastest route to valid certs, but needs work to keep current.

mrmarkuz · December 17, 2017, 2:59am

I tried to find the savapage AD joining part, but no success.

Maybe we can automate it

planet_jeroen · December 17, 2017, 10:38am

Probably

mrmarkuz · December 23, 2017, 4:09am

Christmas update:

yum -y install http://markusneuberger.at/download/nethserver-savapage-0.0.1-4.ns7.x86_64.rpm

local LDAP user sync works
AD settings are pre-configured now except of the password
no need to rerun update event after install anymore

For working AD password we have to find out how savapage encrypts the password before saving it to postgres db. Do you have an idea?

Open:

disable SSL validation for self-signed certs, I couldn’t manage it
test if savapage AD sync works with letsencrypt cert

robb · December 23, 2017, 9:57am

Great work @mrmarkuz!
I will contact the savapage dev for info on that AD password.

/edit: got some replies on my question from Rijk Ravestijn, the dev of savapage:

Hallo Rob,

https://www.savapage.org/docs/manual/ch-security-encrypted-secrets.html

Ik begrijp dat Markus direct in PostgreSQL schrijft? Met die encrypted
secrets heeft hij dan een “uitdaging”. Hij kan de SavaPage code op
GitLab natuurlijk bekijken, en zien hoe dat in Java wordt gedaan…

Maar, misschien is het handiger om, zoals ik eerder al voorstelde,
SavaPage commandline API uit te breiden met een methode om config items
te zetten (updaten). De gebruiker van de API hoeft (behoort) niets te
weten van database schema en hoe passwords e.d. als encrypted secrets
worden opgeslagen.

What translates as:
I understand that Markus is writing directly to PostgreSQL? In that case he will have a ‘challenge’ with the encrypted secret. Of course he can have a look at the SavaPage code on gitlab so he can see how this is done in Java.
But perhaps it is more convenient to extend the SavaPage commandline API with a method to place (update) configuration items De user of the API doesn’t need to know anything about the database schema and how encrypted passwords are stored.

and a mail later:

Ik zou in analogie met savapage-db bijvoorbeeld een savapage-cfg
command-line util kunnen maken. Zoiets als …

./savapage-cfg --set-property
–id auth.ldap.admin-password
–value “plain text password”

Zou dat helpen?

https://www.savapage.org/docs/manual/app-tools-savapage-db.html

translation:
I could, like already is done with “savapage-db” create something for “savapage-cfg” commandline util. Something like this:

./savapage-cfg --set-property
–id auth.ldap.admin-password
–value “plain text password”

Would that help?

@davidep what do you think? would that be a feasible solution?

mrmarkuz · December 24, 2017, 12:10pm

That would help a lot!

I tried to find the password encrypt part in that java code but without success. It’s done like this in Webtop where a Java code snippet is used to encrypt the password. But a command like savapage-cfg would make the whole thing easier I think.
Maybe in future the encryption method in savapage changes. When using “savapage-cfg” nothing has to be changed in nethserver-savapage.

robb · December 25, 2017, 11:25am

Will do some tests this week with both LDAP and Samba4 AD, both local and remote.
Thanks again for this awesome job so far!

W I P:

test remote LDAP:

Created an NS7 VM with LDAP account provider.
Added 2nd NS7 as client to the LDAP and checked if the join was successful: yeah!
Installed SavaPage with latest rpm: yum -y install http://markusneuberger.at/download/nethserver-savapage-0.0.1-4.ns7.x86_64.rpm

Looks like the LDAP join is local ldap and not remote? Am I missing something here?
Also, before SavaPage admin interface will show (LDAP) users, it needs to be configured with some post install settings. For instance: Currency code in Options/Financial/Currency Code

test local LDAP

Created an NS7 VM with LDAP account provider.
Updated to latest patchlvl.
Installed SavaPage with latest rpm: yum -y install http://markusneuberger.at/download/nethserver-savapage-0.0.1-4.ns7.x86_64.rpm

Syncing savapage users with LDAP:

And after syncing:

mrmarkuz · December 25, 2017, 8:30pm

Thanks for testing!

You are right, for now only local LDAP.is working. It will be included in the next update.

Ok so I’d use the user source that is provided by NethServer and some mail settings as default. Which currency or locale to use as default? Should we also enable Mail/Web Print or some converters?

robb · December 25, 2017, 9:24pm

thnx for confirming. i will have local ldap a go.
hmm… default settings for a globall community … i don’t know it would be a good idea to go with defaults?
Isn’t there a way to get those settings from NethServer? Or create several defaults and based on set locale in NethServer a SavaPage default is generated?

For instance: If the Organization Contacts (in the configuration section of the admin interface) gets a small extension with Country(code), we could generate a list with all currencies for each country and get the info from there?

When loggin in SavaPage, there are already several locales/translations available:

German
English
French
Spanish
Russian
Dutch

On the other hand, IMHO it wouldn’t be that bad if SavaPage remains with the need of some configuration. After all, it is a VERY complicated and extensive application that will need additional configuration for anyone that wants to use it anyway. There are so many scenarios thinkable that it is impossible to get them all covered through initial install.
After initial configuration the way users are allowed to print has to be determined. If they need to pay per print and how the payment is handled. There are so many different options…
If there is no easy option to add the initial configuration to the installer, maybe we should settle with a clear instruction how to do the initial configuration… Personally I wouldn’t have too much problems with that.