Friday 22 November 2013

Authentication headaches

Authentication is a pretty complex subject.  With the Iceni servers that are running at the moment we can run in two modes:

The Iceni server maintains a database of users in LDAP and all services use PAM to authenticate users, and PAM is configured to authenticate against LDAP.  The proxy server offers HTTP "Basic" authentication and "NTLM" authentication in this mode, with the proxy using Winbind for the NTLM side (the Iceni server runs Samba to become a Windows primary domain controller on the network).

Integrated with Windows:
The Iceni server maintains a database of users in LDAP, but this is not used for authentication.  The services still use PAM for authentication, but PAM is configured to authenticate against the kerberos server provided by the primary domain controller.  Additionally, Squid offers the "Negotiate" authentication method as well as "Basic" - this means the client can authenticate through kerberos (in which case, the proxy server talks directly to the PDC's kerberos server), or NTLM (the proxy server uses Samba-Winbind to authenticate against the PDC).

As you can imagine, the whole Windows integration thing is pretty messy, and is also an all-or-nothing affair - you can't choose to have certain users (such as the administrator) authenticated locally whilst having others authenticated by the PDC.

So we want to improve things with Iceni 2.  The stand alone stuff is largely unchanged, but the plan for Windows integration is to allow the local LDAP server to pass through authentication requests to another server for certain users.  It seems the way to do this is by using SASL to make the LDAP server forward authentication through to the PDC's kerberos server.  Of course, none of it is entirely straight forward. :)

Friday 15 November 2013

An interesting day

Well, its been an interesting day - I wore a suit (anyone who knows me knows that this almost never happens), got a free lunch and saw Iron Maiden (well, one of them anyway).

This was the Big Business Wales event.  I certainly think it was worth spending a day there - it was quite informative regarding what things the government are offering to help small businesses.

The business mentoring seems like a good idea, since it seems to offer an easy way to get some external input and business experience that we don't necessarily have within the company.

Another thing I hadn't come across is the Sell2Wales system, and the associated systems in the other parts of the UK.  This is basically a database of businesses who can supply products/services to public bodies and jobs the public organisations want someone to do, allowing the buyers to find suppliers and suppliers to find jobs to tender for.

The only negative things I have to say about the whole thing was that there didn't really seem to be enough there to warrant the event lasting the whole day since there were just 2 seminar sessions, which were also rather oversubscribed, plus a keynote.  After a chat with a few Business Wales people, the rest of the time was rather spent just milling around for "networking" purposes, which could've done with a few people facilitating introductions.  The other minor negative point was that the Liberty Stadium saw fit to do noisy maintenance work in the afternoon, which seems rather poor show for a venue that is being used for seminars (I feel sorry for the people presenting the seminars who were having to shout over the racket).

Thursday 7 November 2013

The sound of dialup, pictured

I came across this article on another blog.  I'm sure a lot of people won't remember the sound of a modem handshake these days, but this is a pretty cool analysis.