| author | Russ Allbery <rra@stanford.edu> | 2007-09-01 04:43:45 +0000 | 
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2007-09-01 04:43:45 +0000 | 
| commit | c256c29182afc9c180f50c454c4ac6748a8d51d1 (patch) | |
| tree | 957e626930a40d70efd5169e7cbad5812ebea886 /docs/setup | |
| parent | 25ee8ca2c34952fd79d6ebc882216442f4a11c43 (diff) | |
Flesh out the setup instructions.
Diffstat (limited to 'docs/setup')
| -rw-r--r-- | docs/setup | 76 | 
1 files changed, 76 insertions, 0 deletions
| @@ -2,6 +2,13 @@  MySQL Database Setup +    The following instructions are for setting up the wallet with a MySQL +    database on the same host as the wallet server.  Since the wallet is +    designed to be a security-sensitive application, running MySQL on the +    same system is recommended, although it will certainly work with a +    remote MySQL server.  The instructions below would require only minor +    modifications, mostly around the database host. +      After installing the MySQL server, connect as a user with permissions      to create new databases and users.  Then, issue the following      commands: 
@@ -13,3 +20,72 @@ MySQL Database Setup      This creates a wallet user that can be used by the rest of the wallet      system and gives it access to the wallet database, where it can create      its own tables. + +    Now, create an /etc/wallet.conf file and include settings like: + +        $DB_DRIVER = 'MySQL'; +        $DB_NAME = 'wallet'; +        $DB_HOST = 'localhost'; +        $DB_USER = 'wallet'; +        $DB_PASSWORD = 'WALLET'; +        1; + +SQLite Database Setup + +    SQLite is very nice in that you don't have to create the database +    first.  You don't even have to create the file.  Just create +    /etc/wallet.conf with something like: + +        $DB_DRIVER = 'SQLite'; +        $DB_INFO = '/path/to/database'; +        1; + +    That's all there is to it. + +Database Initialization + +    Now, you have to create the necessary tables, indexes, and similar +    content in the database so that the wallet can start working.  There +    is not, as yet, any command to do this easily, but you can do it with +    the following one line of Perl: + +        perl -MWallet::Server -e "Wallet::Server->initialize ('USER')" + +    where USER is the fully-qualified Kerberos principal of an +    administrator.  This will create the database, create an ADMIN ACL, +    and put USER in that ACL so that user can add other administrators and +    start creating objects. + +    There will eventually be a wallet-admin script to do this and similar +    tasks. + +Wallet Configuration + +    Review the Wallet::Config documentation (with man Wallet::Config or +    perldoc Wallet::Config) and set any other configuration variables that +    you want or need.  If you're going to use the keytab object +    implementation, you'll need to create a keytab with appropriate kadmin +    privileges and set several configuration variables. + +    On the wallet server, install remctld.  Then, install the +    configuration fragment in config/wallet in the remctld configuration. 
+    You can do this either by adding the one non-comment line of that file +    to your remctl.conf or, if your remctl.conf includes a directory of +    configuration fragments, drop config/wallet into that directory. + +    Note that the default wallet configuration allows any authenticated +    user to run the wallet backend and relies on the wallet's ACLs for all +    access control.  Normally, this is what you want.  But if you're using +    the wallet for a very limited purpose, you may want to change ANYUSER +    in that configuration fragment to a path to a regular ACL file and +    only allow certain users to run wallet commands at all. + +    Once you have the configuration in place, restart or send a HUP signal +    to remctld to make it re-read the configuration. + +    Now, you can start using the wallet.  Read the wallet man page for +    details on all the possible commands.  The first step is probably to +    create a new object with the create command, create an ACL with the +    acl create command, add the ACL entries that should own that object to +    that ACL with acl add, and then set that ACL as the owner of the +    object with the owner command. | 
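Review bot: In the first hunk (the new MySQL paragraph), the claim that running MySQL on the same host is recommended "since the wallet is designed to be a security-sensitive application" gives no reason, and the follow-up that a remote server needs "only minor modifications, mostly around the database host" leaves the reader to guess which settings. Suggest saying what the co-located setup actually buys (the database connection and the credentials stored in /etc/wallet.conf never leave the host) and naming the setting that changes for a remote server, i.e. `$DB_HOST = 'localhost';` in the configuration fragment added later in this patch, plus whatever host restriction the "wallet user" created in the following commands carries.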
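Review bot: In the second hunk, the sample /etc/wallet.conf sets `$DB_PASSWORD = 'WALLET';` without saying that this value must match the password given to the wallet user created in the MySQL section, or that the file now holds a database credential and should be owned by the account the wallet server runs as and not be world-readable; the same ownership point applies to the SQLite database file named by `$DB_INFO = '/path/to/database';`. Also worth stating, next to the `Wallet::Server->initialize ('USER')` one-liner, that USER becomes the sole member of the ADMIN ACL and therefore controls all later administrator additions, so the principal chosen there should be an administrative one rather than a personal principal, and that the initialization is meant to be run once (the text does not say what happens if it is run a second time).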
