I spend a good part of my time ensuring that whatever services we offer will be up and running 24/7. Be it an Exim cluster, a failsafe BlackBerry Enterprise Server, MySQL on DRBD, multiple DNS servers, LDAP directory servers, you name it: whatever services we offer are very hard to kill.
Then comes some twerp and pulls the cord on a couple of routers and a huge stack of switches. And the result? The whole pile of services comes crashing down.
I've updated my whatmon Mozilla extension to include a very useful patch by Heiko Weber which causes whatmon to open a new browser window to display additional information.
Read the documentation and download whatmon or wait a wee bit until it is visible on the Mozilla Addons Site.
Because one of our clients thinks that two RADIUS servers are not enough, I'm creating a couple of VMware appliances, each hosting an OpenLDAP-backed FreeRADIUS daemon, with which we'll be authorizing 802.1X appliances.
Because my master OpenLDAP servers (and their slaves) are still on version 2.2, I cannot use OpenLDAP's delta-syncrepl. This is where my lsync tool comes in handy. I love reusing good ideas I've had before, and in this case a good tool.
FreeRADIUS can execute arbitrary programs when an authorization or authentication request arrives from a NAS by way of the exec module, and that is what I've used to solve my dilemma.
A stanza

    exec jxrad {
        wait = yes
        program = "/etc/raddb/bin/jxrad %{Stripped-User-Name}"
        input_pairs = request config
    }

in the modules section, as well as an invocation of the thus-created jxrad module in the instantiate and authorize sections, ensures that my program is invoked when an authorization request arrives.
What does that program do? It retrieves the user's password from the USER_PASSWORD environment variable (the exec module exports the request's attribute pairs into the program's environment, upper-cased and with dashes turned into underscores, so User-Password becomes USER_PASSWORD) and performs an LDAP bind operation to see whether the supplied credentials are correct. This only works when the request carries the cleartext password, so it won't work for CHAP. Passing the password through the environment rather than on the command line also keeps it out of the process listing. Whether or not the bind succeeds, the outcome is recorded together with a timestamp and the username in a MySQL database table.
A second round trip to the LDAP server is needed for this, but that doesn't matter; we have enough computing power to handle it.
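The following is an added example of such an exec-module helper, written here to illustrate the approach; it is not the author's jxrad program. It uses the standard library only: the LDAP simple bind is encoded by hand as per RFC 4511, and an SQLite table stands in for the MySQL audit table (the SQL is the same). The host, base DN and database path are assumptions. Two things the helper does that the prose above leaves implicit: it refuses an empty password before binding, because many directories treat a DN with an empty password as an anonymous bind that succeeds, and it escapes the username per RFC 4514 before building the bind DN, so a crafted User-Name cannot redirect the bind to another entry.

```python
#!/usr/bin/env python3
"""Added example of a FreeRADIUS exec-module helper (not the original jxrad).

Invoked by rlm_exec as:  jxrad <Stripped-User-Name>
The password arrives in the USER_PASSWORD environment variable, exported by
rlm_exec from the User-Password attribute.  Exit status 0 means accept, any
other value means reject.
"""
import os
import socket
import sqlite3
import sys
import time

# Assumptions for the example; none of these come from the original post.
LDAP_HOST, LDAP_PORT = "ldap.example.com", 389   # plain LDAP; use LDAPS/STARTTLS in production
BASE_DN = "ou=people,dc=example,dc=com"
AUDIT_DB = "/var/lib/jxrad/auth.db"               # hypothetical; MySQL in the post


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping of one attribute value, so the username cannot
    inject extra RDNs into the DN we bind as."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith(("#", " ")):
        s = "\\" + s
    if s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1] + "\\ "
    return s


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def build_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name, simple [0] password } } as BER bytes (msg_id must be < 128)."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def _read_tlv(data: bytes, pos: int):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> int:
    """Return the resultCode of a BindResponse [APPLICATION 1]; 0 is success."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)           # skip messageID
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(resp, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        buf += chunk
    return buf


def ldap_simple_bind(dn: str, password: str, host=LDAP_HOST, port=LDAP_PORT) -> bool:
    """One simple bind over a fresh TCP connection; True iff resultCode 0."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.sendall(build_bind_request(1, dn, password))
        head = _recv_exact(s, 2)
        if head[1] & 0x80:
            head += _recv_exact(s, head[1] & 0x7F)
            length = int.from_bytes(head[2:], "big")
        else:
            length = head[1]
        return parse_bind_response(head + _recv_exact(s, length)) == 0


def open_audit_db(path: str) -> sqlite3.Connection:
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS auth_log (ts INTEGER, username TEXT, success INTEGER)")
    return db


def record_attempt(db: sqlite3.Connection, username: str, ok: bool) -> None:
    db.execute("INSERT INTO auth_log VALUES (?, ?, ?)", (int(time.time()), username, int(ok)))
    db.commit()


def authenticate(username: str, password: str, bind, db) -> int:
    """Check the credentials via bind(dn, password), log the outcome either
    way, and return the rlm_exec exit status: 0 accept, 1 reject."""
    ok = False
    # An empty password must never reach the directory: a DN with no
    # password is an unauthenticated bind, which many servers accept.
    if username and password:
        dn = "uid=%s,%s" % (escape_dn_value(username), BASE_DN)
        ok = bind(dn, password)
    record_attempt(db, username, ok)
    return 0 if ok else 1


def main(argv=sys.argv) -> int:
    username = argv[1] if len(argv) > 1 else ""
    password = os.environ.get("USER_PASSWORD", "")
    return authenticate(username, password, ldap_simple_bind, open_audit_db(AUDIT_DB))


if __name__ == "__main__":
    sys.exit(main())
```

The bind is split into pure encode/parse functions and a thin socket wrapper so the decision logic can be exercised without a directory; in the FreeRADIUS stanza above the program is only called with the username, and the password is read from the environment rlm_exec provides.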
It is quite incredible what FreeRADIUS can do. At a customer site I've got a server doing authentication and authorization (as well as accounting, of course) for a number of different NASes, each serving a distinct group of people: VPN users, regular dial-up, wireless with 802.1X, and also administrative SSH logins to Cisco routers. Oh, and the best part? All managed by an OpenLDAP directory as the backend.