Pre-Release: v0.2.0

config/config-sample.ini

@@ -97,9 +97,24 @@ user_email = mail
 ; equal its value
 ;user_active_false = 'former'
 
-; To require a user to be in a specific group use a filter like this:
-; filter = "(memberof=<group entry>)"
-filter = ""
+; Group membership attributes. Examples below are for typical setups:
+;
+; POSIX groups
+;  group_member = memberUid
+;  group_member_value = uid
+;
+; Group-of-names groups
+;  group_member = member
+;  group_member_value = dn
+;
+; Attribute of group where members are stored
+group_member = memberUid
+; User attribute to compare with
+group_member_value = uid
+
+; Members of admin_group are given full admin access to SSH Key Authority web
+; interface
+admin_group_cn = sca-administrators
 
 [inventory]
 ; SCA Cert Authority will read the contents of the file /etc/uuid (if it

core.php

@@ -213,6 +213,71 @@ function simplify_search($defaults, $values) {
 	}
 }
 
+/**
+ * Returns the given string in its hexadecimal representation
+ * @param string string to convert to hex
+ * @return array hex representation of the input string
+ */
+function to_hex($data) {
+    return strtoupper(bin2hex($data));
+}
+
+/**
+* Decrypt data from a CryptoJS json encoding string
+*
+* @param mixed $passphrase
+* @param mixed $jsonString
+* @return mixed
+*/
+function cryptoJsAesDecrypt($passphrase, $jsonString) {
+    $jsondata = json_decode($jsonString, true);
+    try {
+        $salt = hex2bin($jsondata["s"]);
+        $iv  = hex2bin($jsondata["iv"]);
+    } catch(Exception $e) { return null; }
+    $ct = base64_decode($jsondata["ct"]);
+    $concatedPassphrase = $passphrase.$salt;
+    $md5 = array();
+    $md5[0] = md5($concatedPassphrase, true);
+    $result = $md5[0];
+    for ($i = 1; $i < 3; $i++) {
+        $md5[$i] = md5($md5[$i - 1].$concatedPassphrase, true);
+        $result .= $md5[$i];
+    }
+    $key = substr($result, 0, 32);
+    $data = openssl_decrypt($ct, 'aes-256-cbc', $key, true, $iv);
+    return json_decode($data, true);
+}
+
+/**
+ * Helper method to query a parameter from $POST or $GET. 
+ * Will return 422 if a parameter is not available.
+ * @param array $_GET or $_POST array
+ * @param string paramter to query
+ * @return string value of the parameter
+ */
+function getParameterOrDie($method, $parameter) {
+	if(isset($method[$parameter])) {
+		return trim($method[$parameter]);
+	}
+	require('views/error422.php');
+	die;
+}
+
+/**
+ * Helper method to query a parameter from $POST or $GET. 
+ * Will return null if parameter is not set.
+ * @param array $_GET or $_POST array
+ * @param string paramter to query
+ * @return string value of the parameter or null
+ */
+function getOptParameter($method, $parameter) {
+	if(isset($method[$parameter])) {
+		return trim($method[$parameter]);
+	}
+	return null;
+}
+
 class OutputFormatter {
 	public function comment_format($text) {
 		return hesc($text);

docker/Dockerfile

@@ -36,4 +36,4 @@ VOLUME /sca/config
 VOLUME /public_html
 
 ENTRYPOINT "/entrypoint.sh"
-HEALTHCHECK CMD /healcheck.sh
+HEALTHCHECK CMD /healthcheck.sh

examples/certificates/test1.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIUB48uNKy465bQOYTSxSiS642pcCYwDQYJKoZIhvcNAQEL
+BQAwbTELMAkGA1UEBhMCREUxDTALBgNVBAgMBHRlc3QxDTALBgNVBAcMBHRlc3Qx
+DTALBgNVBAoMBHRlc3QxDTALBgNVBAsMBHRlc3QxDTALBgNVBAMMBHRlc3QxEzAR
+BgkqhkiG9w0BCQEWBHRlc3QwHhcNMTkwNTAyMTI1MDEwWhcNMjAwMTAxMTI1MDEw
+WjBtMQswCQYDVQQGEwJERTENMAsGA1UECAwEdGVzdDENMAsGA1UEBwwEdGVzdDEN
+MAsGA1UECgwEdGVzdDENMAsGA1UECwwEdGVzdDENMAsGA1UEAwwEdGVzdDETMBEG
+CSqGSIb3DQEJARYEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMjsyAZJUAQtR8cw9zfQoUOitzAB/H7swM2eH/wMHmMP2hxupcFJNeDirQdyv+Ma
+EoARr8TNtcHSyEnszsE63jwB7TlwiuzdZp7lTNkxeXuWLhW1EGmRt1DwKjOa4AJj
+OoXH8qcXeg5Qou+DGX1sEMdYWbaIRT94QMgdnTGqsNbpfcACqnr7P82YVPlIfNz9
+smoSOhHGUl9SVwh4l3KoUlih7FSyjbytin/tnzigoBI1r3qWYjgJ1e1hfKHY9vMV
+2VLcSPbS8zYrmUBBYPhBtGwvk6ZnuJ/3n7kmXykifJ1T+Fa08BrnpQKARwSIe1Hs
+ZmOwi51eaMJz3AvpAFwEOJ8CAwEAAaNTMFEwHQYDVR0OBBYEFJIO6DtVanARXYTI
+OK2jPqcTbfEOMB8GA1UdIwQYMBaAFJIO6DtVanARXYTIOK2jPqcTbfEOMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHq9p07hQRSwGJkKB1XUN/oJ
+KzJU+bIgbtEKL0BqTUXlkTO/hK/IX6N2xrlaIXW7nFa5i2djFFhBQlYV0M6KZ6zE
+KpTmsdT+2dKghRuRcr5m5eecb0jak6Jo55eCfda9yxsTHH2piPYOUx3ryzcmtauQ
+TAkNc/3ruOgLt1M86POjvY1QqJ0HEH8FfhGG6R05ikHLpLV26nLU2jiz9O0QzxVj
+auJLdCdPaPa5r713dPUQi28b+4HuDmQWHl1UlHO3YD3yLJcjXg0jLTP0LnYcR8gF
+Bf82E44l113d/8LxTufszbYIy7jtRisiOnf+8GrYJLz/Vb7LJfRxM3tFvDDVbR8=
+-----END CERTIFICATE-----

examples/certificates/test1.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDI7MgGSVAELUfH
+MPc30KFDorcwAfx+7MDNnh/8DB5jD9ocbqXBSTXg4q0Hcr/jGhKAEa/EzbXB0shJ
+7M7BOt48Ae05cIrs3Wae5UzZMXl7li4VtRBpkbdQ8CozmuACYzqFx/KnF3oOUKLv
+gxl9bBDHWFm2iEU/eEDIHZ0xqrDW6X3AAqp6+z/NmFT5SHzc/bJqEjoRxlJfUlcI
+eJdyqFJYoexUso28rYp/7Z84oKASNa96lmI4CdXtYXyh2PbzFdlS3Ej20vM2K5lA
+QWD4QbRsL5OmZ7if95+5Jl8pInydU/hWtPAa56UCgEcEiHtR7GZjsIudXmjCc9wL
+6QBcBDifAgMBAAECggEBAKsdrMRdz32fKpAjzYeFcLHvc9+48VcPPqxezJKVp5Nq
+PrEUMqpINVCO/Blpyq4Y2ESly3HqV674WodK3FKIVhf49BWFGWvcqrcMRcR7dCCi
+qCDokU+3P834m5hTgA/IfmDNBoTzY4mpdvpQRncgf7GmNtFTgNYrDdDgF63i1rRP
+plbbMh2hlU6eHI1p2/RCZzATAGv+wrUmOUwmMLQWtMvF5NOchIFh1wm9MMQAtqt8
+0WFFmkEyxtOrZ2rV3jf9Q53WJVFW7bymztajyFRg+oFfyMeXiYMmMu3G199aBL3S
+CGC8pu+GH53Uy0zlC1yN4w1noKHBo5g+3CFw+zuL6gECgYEA+Gh5+ujDG1ibtzmM
+lx9SCyRgyuV/P8oepJmVTK2UDwft8pa8I7MJatANlJUw6cA/XQmYetd1AGCQjiJf
++XGgmhK3uicZH6ezZOoyNDGt9eilLB6nJnv14xPtrl8MQDUg55NEj7zT55NG9kF3
+EJcNFJzSlcO01GwBsWcZvan79IECgYEAzxDM8KlKpl5i6WmopUB7AoIIzHq9pyeH
+0tKMmai+1j4BL0ejiraoWcr0Kl9mdAYLzU74/TTDzS6T12qwa3nmy9qv2Xm5jjCT
++82x577knxDo0MmypAQtOi62WTFCfzCIPSinGMmHUZMgW9z2dun7FsJG+fZ0zJIZ
+F4QaAshPHR8CgYBGGE0bVSUBCW7fM/kNB8SB6mD5v+q5WFJvRftQKMbXuvgU9R3f
+wPyOTGkYnUSxIROAMF37g+K7GYSQ5vhIDh0wfMmlWLUJLqw7dK539fDNrDk3iurF
+vEL1McFm6+EsGRHQ5sh4+uKcvP1QLcboQodpYps1sYTMUDHmGl60G0xCgQKBgQCr
+VnaOaTb5BT8Jb0F6RCnFQH4xXRsTdpVgMJLhDw2iT7pBOiEsRcp2SobRjRFEzj/z
+yfYj5wZiALma1ZBXzo3YfwNli+CrtKyu/lzIq1+X87ECGvPz3fTioQaINUeV4T3K
+hZoG27NaH8j12pgie6gmA+ohKfspz3ZtzASN6tvz9wKBgHAzePaAZB6FbcLRqE4y
+odtp/lgusr8fLRczBYFJClKkkUu6bRzHRqPiwoTeUXyGagr6gD6rPRiE5/uI/RFO
+DYkySfHz5ltCu/D45roCsIY61f0D5egprXcNX4FoySM9J1PDzcwmKLQthvXYNTA9
+Kzreu5GwGp1GgXa1bH39KUfB
+-----END PRIVATE KEY-----

examples/certificates/test2.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxzCCAq+gAwIBAgIUZb8GBHZtBKosUvi7FHghXz23p6kwDQYJKoZIhvcNAQEL
+BQAwczELMAkGA1UEBhMCREUxDjAMBgNVBAgMBXRlc3QyMQ4wDAYDVQQHDAV0ZXN0
+MjEOMAwGA1UECgwFdGVzdDIxDjAMBgNVBAsMBXRlc3QyMQ4wDAYDVQQDDAV0ZXN0
+MjEUMBIGCSqGSIb3DQEJARYFdGVzdDIwHhcNMTkwNTAyMTI0MzI3WhcNMjEwMTAx
+MTI0MzI3WjBzMQswCQYDVQQGEwJERTEOMAwGA1UECAwFdGVzdDIxDjAMBgNVBAcM
+BXRlc3QyMQ4wDAYDVQQKDAV0ZXN0MjEOMAwGA1UECwwFdGVzdDIxDjAMBgNVBAMM
+BXRlc3QyMRQwEgYJKoZIhvcNAQkBFgV0ZXN0MjCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALi+oiglokdSARLm2Db+eVFb4A0lzyVuM70logAAIGWkTEhX
+LVQWY1klpYpxWtm8Gg+9mgw72p4x8hnI9WdNJlp6iYefXPmizebMPUsVTGL39uSi
+NqK/CvS/vynjGb3GNntyExeSyDthmthX1ruAiygPUFoJx2s7m0I7kHzX6jOxHIQM
+DKcAgDRr9tuz2/mrVb74+Nk0RghJ5Dfo8V+xkt3LrIfM9w90oVKwGTQOcOHcu3cx
+CKBmyUazqeoM76m/luFPUtUmHakRD+pfGEiMEiwqxtwEaw2WoX/0i3FKNMboDoGk
+TAExMNwy3gE1FLMQ3W2uaxmMvmllUgVfILRtE90CAwEAAaNTMFEwHQYDVR0OBBYE
+FIQ9QbQ1WCPmS1ExmQuc5s1ufNAhMB8GA1UdIwQYMBaAFIQ9QbQ1WCPmS1ExmQuc
+5s1ufNAhMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKXuoBcZ
+fVo80hitWpAk57ms4Pg84h9GSfer0H1hKmEdOsf4s9ZsPOVMGyh3xyKVyb/WjypT
+ecDQCXZhm5EYpv8RfJY5E7spqHaMoo7V8GV2oiGzTHglOhmuNmUMX6voPkhX/S8O
+ZC3KP8am7IXVW4firotWNH3qxyoGsoCI8SVVPwnZSO8QEgR1cu0hEb5P+KcQly+y
+uuk7e5EP8qCbdeEmWda8fRbd714+bxa97XUwKi8v8s9vXfJLBbhdI8Ctd36ALuZE
+R/OIVp4P2cibzALj5l5NgQlN0PfwPckWIZfc8+zch/5+EqlJh6TKniE+6Ex/hXTN
+cSJRvt1eBbotMk0=
+-----END CERTIFICATE-----

examples/certificates/test2.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC4vqIoJaJHUgES
+5tg2/nlRW+ANJc8lbjO9JaIAACBlpExIVy1UFmNZJaWKcVrZvBoPvZoMO9qeMfIZ
+yPVnTSZaeomHn1z5os3mzD1LFUxi9/bkojaivwr0v78p4xm9xjZ7chMXksg7YZrY
+V9a7gIsoD1BaCcdrO5tCO5B81+ozsRyEDAynAIA0a/bbs9v5q1W++PjZNEYISeQ3
+6PFfsZLdy6yHzPcPdKFSsBk0DnDh3Lt3MQigZslGs6nqDO+pv5bhT1LVJh2pEQ/q
+XxhIjBIsKsbcBGsNlqF/9ItxSjTG6A6BpEwBMTDcMt4BNRSzEN1trmsZjL5pZVIF
+XyC0bRPdAgMBAAECggEBAKYg3wbFGNGTn12U8nc5jHSp7qdECat6FtKPJcdkVb2w
+6dvfcOZ9n2cJ4HvHBVBowvLGp+E6bZP2C+Q9/tee289fA49OsjfVu9xAaxm6lE8m
+9gCREhp1Ou/uAYQ0MPCjbljBswNuvdoQIkNLcdB4fipO4w2kX4xBNJNxprNtIbDK
+m0KPHmn4bcliFGjAEJMirZ17gutPBKsGZ/FyTshPDeKeES7IuSPcXyJZdtqhlLy+
+YVLcUtxTLUcV8UP150vNWOM1ofAphFEmLEF980tzPdFlrz3GtDkjPYTkdvoVVlSr
+Yr9H8uPGigxDFuL59X0vlsQmSd4/2/q1TE/hLesi8C0CgYEA3rwYPOZyjNYtNrdl
+H3jdn/kttPmfns7Q9hURFA/7M1rrPjW7yoVzJ1zSdr2jZExNMhpKx1ru0Aai3B4c
+uiylMSIRgSPJ/mdFUROt3mYRfiktPQlYGfBdYFqMcRdhCtZr2Zv5Fuz2h3J7MHoJ
+wsxfaNbCzs4FxTZlocxhNKvSOnMCgYEA1FYMhjEgtOG5FtNN8/ldDlcMtpImkMHw
+xk/NOaopgN6dtZH0FmMNOO3JrqAH7rN1mCuVoPXubxdDJN3TaXk+MDXPjXEtMDeU
+yfBVYjUfs8je9o7O8BfuRXNLCu6pmPYPRb6KREVZKUJ1/0e8Vc9e0AjRTb76B508
+ml84diSIVG8CgYEAg6RL9wKExXR4eJRf8f/vjPMq7oFys9usaST+WQsw/qNH0hbU
+DNhevO8BfSiL/2WRYoFjnPvDlbO2Yb5yYB6u66ElE1xhsDi9ITQuWPmecSBJGoAB
+UCNeLOqXgue8dTlRuOWUjNY0xs0EvhwC1N0RrtbvgGcHxg1meABhm03KDL0CgYEA
+rne5uLU7M4TYyTl8LsAxRuwdxRGXYJAKX1gIv53ilkHUgfFYBuECZ0ly0uopOmf4
+cr01J9mLPXp2sB8Ya+y0PXapgIWC5MB2n+q6rYQK9XVSRnKW9E4leKk/+s6ZSda8
+O8lQ4MG+fhlezQ/LXxKRzAvCtsf5tzHqLsmYofJolj8CgYEA3dvkJ7wjN2FQu0Td
+0+n6wot8vaKvlu9WnsiNeQVB20xAVqlDq7oTs4YA1xK60LNk+04OzQyV9USRMyM2
+JEMCoGlnfYiQQ8B1fjSSsK5SoyYiuL8IBuHrjnsLLiCRxBv79353O3T+Q4Qb2M9H
+eJfcThRw9/qPNWJu/dBjvJh17j8=
+-----END PRIVATE KEY-----

examples/httpd-ldap/README.md

@@ -21,5 +21,26 @@ docker logs -f httpd-ldap_sca_1
 ## Using sca
 
 1. Login using the admin account `rainbow`.
-1. Add the server `test.example.com` at http://localhost/servers#add
-1. Sca should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server. 
+1. Add the server `nginx.example.com` and `httpd.example.com` at http://localhost/servers#add
+1. Sca should be able to connect to both systems. You can verify this by checking whether there is an `Synced successfully` next to the servers. 
+1. Add the scripts [check_loport.sh](../scripts/check_loport.sh), [restart_httpd.sh](../scripts/httpd/restart_httpd.sh), [restart_nginx.sh](../scripts/nginx/restart_nginx.sh) and [status_pidfile.sh](../scripts/status_pidfile.sh)
+1. Add two services called `nginx_8443` and `httpd_8444`. Both should use `check_loport.sh`, `status_pidfile.sh` and their respective restart script
+1. Add the following two variables to both services.
+   * nginx_8443:
+      * Name: `PID_FILE`
+      * Value: `/run/nginx/nginx.pid`
+      * Name: `PORT`
+      * Value: `8443`
+   * httpd_8444:
+      * Name: `PID_FILE`
+      * Value: `/var/run/apache2/httpd.pid`
+      * Name: `PORT`
+      * Value: `8444`
+1. Add the certificates from [certificates](../certificates)
+1. Add two profiles. `nginx_demo` with `nginx.example.com` and `nginx_8443` as well as `httpd_demo` with `httpd.example.com` and `httpd_8444`. Both with certifcate `test1`.
+1. Go to http://localhost/servers#list and use `Sync listed servers now`. After the confirmation it should only take a few seconds until both servers should be set to `Synced successfully`.
+1. Visit https://localhost:8443/ and https://localhost:8444/ and take a look at the certificate it should be valid till 2020-01-01. Now visit [certificate test1](http://localhost/certificates/test1#migrate) and migrate it to `test2`. Afterwards synchronise the servers again. After reloading both pages, the certificate should now be valid till 2021-01-01.
+
+## View synchronisation logs
+
+The Web UI only shows very rudimentary error messages. For more information connect to the php container using `docker exec -it httpd-local_sca-php_1 /bin/ash`. In there, you can use the this command to follow the log file of the synchronisation daemon: `tail -f /var/log/cert/sync.log`.

examples/httpd-local/README.md

@@ -25,10 +25,31 @@ _The `cert-sync` user should only be used for the first setup. Afterwards its be
 
 1. Login using the admin account `cert-sync`.
 1. Create user `rainbow` as admin and user `proceme` as user at http://localhost/users#add
-1. Add the server `test.example.com` at http://localhost/servers#add
-1. Sca should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server. 
+1. Add the server `nginx.example.com` and `httpd.example.com` at http://localhost/servers#add
+1. Sca should be able to connect to both systems. You can verify this by checking whether there is an `Synced successfully` next to the servers. 
+1. Add the scripts [check_loport.sh](../scripts/check_loport.sh), [restart_httpd.sh](../scripts/httpd/restart_httpd.sh), [restart_nginx.sh](../scripts/nginx/restart_nginx.sh) and [status_pidfile.sh](../scripts/status_pidfile.sh)
+1. Add two services called `nginx_8443` and `httpd_8444`. Both should use `check_loport.sh`, `status_pidfile.sh` and their respective restart script
+1. Add the following two variables to both services.
+   * nginx_8443:
+      * Name: `PID_FILE`
+      * Value: `/run/nginx/nginx.pid`
+      * Name: `PORT`
+      * Value: `8443`
+   * httpd_8444:
+      * Name: `PID_FILE`
+      * Value: `/var/run/apache2/httpd.pid`
+      * Name: `PORT`
+      * Value: `8444`
+1. Add the certificates from [certificates](../certificates)
+1. Add two profiles. `nginx_demo` with `nginx.example.com` and `nginx_8443` as well as `httpd_demo` with `httpd.example.com` and `httpd_8444`. Both with certifcate `test1`.
+1. Go to http://localhost/servers#list and use `Sync listed servers now`. After the confirmation it should only take a few seconds until both servers should be set to `Synced successfully`.
+1. Visit https://localhost:8443/ and https://localhost:8444/ and take a look at the certificate it should be valid till 2020-01-01. Now visit [certificate test1](http://localhost/certificates/test1#migrate) and migrate it to `test2`. Afterwards synchronise the servers again. After reloading both pages, the certificate should now be valid till 2021-01-01.
 
 ## Add/Change passwords for users
 
 1. Either install `htpasswd` on your system or connect to the httpd container using `docker exec -it httpd-local_sca_1 /bin/ash`.
 1. Run `htpasswd` on the htpasswd file. Inside the container it is `htpasswd /allowed_users <username>`
+
+## View synchronisation logs
+
+The Web UI only shows very rudimentary error messages. For more information connect to the php container using `docker exec -it httpd-local_sca-php_1 /bin/ash`. In there, you can use the this command to follow the log file of the synchronisation daemon: `tail -f /var/log/cert/sync.log`.

examples/nginx-local/README.md

@@ -25,10 +25,31 @@ _The `cert-sync` user should only be used for the first setup. Afterwards its be
 
 1. Login using the admin account `cert-sync`.
 1. Create user `rainbow` as admin and user `proceme` as user at http://localhost/users#add
-1. Add the server `test.example.com` at http://localhost/servers#add
-1. Sca should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server. 
+1. Add the server `nginx.example.com` and `httpd.example.com` at http://localhost/servers#add
+1. Sca should be able to connect to both systems. You can verify this by checking whether there is an `Synced successfully` next to the servers. 
+1. Add the scripts [check_loport.sh](../scripts/check_loport.sh), [restart_httpd.sh](../scripts/httpd/restart_httpd.sh), [restart_nginx.sh](../scripts/nginx/restart_nginx.sh) and [status_pidfile.sh](../scripts/status_pidfile.sh)
+1. Add two services called `nginx_8443` and `httpd_8444`. Both should use `check_loport.sh`, `status_pidfile.sh` and their respective restart script
+1. Add the following two variables to both services.
+   * nginx_8443:
+      * Name: `PID_FILE`
+      * Value: `/run/nginx/nginx.pid`
+      * Name: `PORT`
+      * Value: `8443`
+   * httpd_8444:
+      * Name: `PID_FILE`
+      * Value: `/var/run/apache2/httpd.pid`
+      * Name: `PORT`
+      * Value: `8444`
+1. Add the certificates from [certificates](../certificates)
+1. Add two profiles. `nginx_demo` with `nginx.example.com` and `nginx_8443` as well as `httpd_demo` with `httpd.example.com` and `httpd_8444`. Both with certifcate `test1`.
+1. Go to http://localhost/servers#list and use `Sync listed servers now`. After the confirmation it should only take a few seconds until both servers should be set to `Synced successfully`.
+1. Visit https://localhost:8443/ and https://localhost:8444/ and take a look at the certificate it should be valid till 2020-01-01. Now visit [certificate test1](http://localhost/certificates/test1#migrate) and migrate it to `test2`. Afterwards synchronise the servers again. After reloading both pages, the certificate should now be valid till 2021-01-01.
 
 ## Add/Change passwords for users
 
 1. Either install `htpasswd` on your system or connect to the nginx container using `docker exec -it nginx-local_sca_1 /bin/ash` and install it there with `apk add apache2-utils`
 1. Run `htpasswd` on the htpasswd file. Inside the container it is `htpasswd /allowed_users <username>`
+
+## View synchronisation logs
+
+The Web UI only shows very rudimentary error messages. For more information connect to the php container using `docker exec -it nginx-local_sca-php_1 /bin/ash`. In there, you can use the this command to follow the log file of the synchronisation daemon: `tail -f /var/log/cert/sync.log`.

examples/scripts/check_loport.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+PID_FILE=${PORT}
+if [ -z "${PORT}" ]; then
+    (>&2 echo "Variable PORT is required")
+    exit 255
+fi
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+/usr/bin/openssl s_client -showcerts \
+	  -servername localhost -connect localhost:$PORT \
+	   </dev/null 2>/dev/null \
+   | /usr/bin/openssl x509 -noout -serial \
+   | /usr/bin/cut -d'=' -f2
+

examples/scripts/httpd/restart_httpd.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+set -o nounset
+set -o errexit
+set -o pipefail
+
+sudo httpd -k restart

examples/scripts/nginx/restart_nginx.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+PID_FILE=${PID_FILE}
+if [ -z "${PID_FILE}" ]; then
+    (>&2 echo "Variable PID_FILE is required")
+    exit 255
+fi
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+if [ -f "${PID_FILE}" ]; then
+    PID=$(cat ${PID_FILE})
+    if [ -n "${PID}" -a -d "/proc/${PID}" ]; then
+        sudo nginx -s reload
+        exit 0
+    fi
+fi
+sudo nginx

examples/scripts/status_pidfile.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+PID_FILE=${PID_FILE}
+if [ -z "${PID_FILE}" ]; then
+    (>&2 echo "Variable PID_FILE is required")
+    exit 255
+fi
+set -o nounset
+set -o errexit
+set -o pipefail
+
+if [ -f "${PID_FILE}" ]; then
+    PID=$(cat ${PID_FILE})
+    if [ -n "${PID}" -a -d "/proc/${PID}" ]; then
+        exit 0
+    fi
+fi
+exit 1

examples/shared/config-ldap/config.ini

@@ -97,7 +97,24 @@ user_email = mail
 ; equal its value
 ;user_active_false = 'former'
 
-filter = "(memberof=cn=admin,ou=groups,dc=test,dc=itmettke,dc=de)"
+; Group membership attributes. Examples below are for typical setups:
+;
+; POSIX groups
+;  group_member = memberUid
+;  group_member_value = uid
+;
+; Group-of-names groups
+;  group_member = member
+;  group_member_value = dn
+;
+; Attribute of group where members are stored
+group_member = member
+; User attribute to compare with
+group_member_value = dn
+
+; Members of admin_group are given full admin access to SSH Key Authority web
+; interface
+admin_group_cn = admin
 
 [inventory]
 ; SCA Cert Authority will read the contents of the file /etc/uuid (if it