LDAP, pGINA 2.1 and Single Sign-on

Now that the frenzy of IPv4 exhaustion is over for a little while, it was time to turn my hand to some of the more mundane aspects of computing.  One of the “things to do” on my list was single sign-on; that is, being able to log in using the same user name and password at any machine on my network.

There are two main problems getting this to work – the main one is that I have a mix of Windows and Linux machines on my network.  This requires a bit of thought.  Many years ago, there was a fantastic piece of software called pGina which implemented the Microsoft GINA specification (which if you want the simple explanation, is the bit of code that does the login box).  Using pGina, you could add plugins to authenticate users via something other than local users or a Windows domain controller.  So I used the LDAP plugin, and it worked, and it was great.

Then something happened.  Microsoft released Windows Vista.  And in that version of Windows, Microsoft decided to revamp the way the login box was done, replacing the GINA stuff with something called ‘Credential Providers’.  And my beloved pGina stopped working.  With the author at the time indicating that a Vista version wasn’t going to be forthcoming very quickly, I gave up and went to local authentication again.

But…

Last week I discovered that there was a new 2.x version of pGina which *did* implement a Credential Provider, so now Vista and Windows 7 users can once again use LDAP login on the Windows box.  Great news!  So, it was time to get all this up and running again.  To cut a long story short, I have pGina 2.1 installed, but it is not working yet.  The reason why is that I wanted to concentrate on getting the Linux part of it working first, and then sort pGina out later.

The Linux part was going to be interesting.  Using concepts that I first discovered the best part of 15 years ago, and remembering how to do it, was going to be fun.  The first job was to implement a common login system between all the Linux machines.  There are multiple ways to do this, and I would have preferred to have gone the Kerberos+LDAP route, but this isn’t actually possible yet using pGina, since it has an LDAP plugin but not a Kerberos one.  So plain LDAP it was.

It’s been a long time since I’d used OpenLDAP with any kind of sensible purpose, and a bit of a surprise was waiting for me – in Debian squeeze, they had decided to move to the ‘dynamic’ cn=config type configuration, where all the config is stored in the directory itself, rather than the old-fashioned slapd.conf method.  It took a while to figure this out… but once I had, it was just a case of firing up Eclipse, using Apache Directory Studio to navigate the LDAP tree, and to put all the right options and permissions and suchlike in.

So, now I have an LDAP tree which will support single sign on.  It was just a case then of installing the libpam-ldap and libnss-ldap packages and configuring them up appropriately.  One thing that did catch me out was the fact that Debian seem to link their packages with GnuTLS rather than OpenSSL.  Although I knew this, it wasn’t working properly.  Much frustration later, it appears that the reason it wasn’t working was that you cannot use the tlscertdir parameter when using GnuTLS – only tlscertfile will work.  So, having figured that out, all my clients are now talking to each other using StartTLS rather than plain text.
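As an added example, not from this post or from the pam_ldap/nss_ldap projects: a Python check that parses a pam_ldap-style /etc/ldap.conf and flags the two things that bite here, a client with no StartTLS or peer verification, and tls_cacertdir on a GnuTLS-linked libldap.  The sample configs, base DN and host name are constructed; the directive names (ssl, tls_checkpeer, tls_cacertfile, tls_cacertdir) are pam_ldap’s own.

```python
# Added example: audit a pam_ldap / nss_ldap style /etc/ldap.conf for the
# plaintext and GnuTLS pitfalls discussed above. Not part of the original
# post or of the pam_ldap project. All sample configs below are constructed.

def parse_ldap_conf(text):
    """Return {keyword: value} for 'keyword value' lines, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text, gnutls=True):
    """Return a list of findings; an empty list means the client will encrypt
    and verify the server on the given TLS stack. gnutls=True models Debian's
    GnuTLS-linked libldap, where tls_cacertdir is not honoured."""
    c = parse_ldap_conf(text)
    findings = []
    if c.get("ssl", "no").lower() not in ("start_tls", "yes", "on"):
        findings.append("no StartTLS/ldaps: passwords and NSS lookups cross the wire in plain text")
    if c.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is never verified")
    if "tls_cacertfile" not in c:
        if "tls_cacertdir" in c and gnutls:
            findings.append("tls_cacertdir is ignored by a GnuTLS-linked libldap; use tls_cacertfile")
        elif "tls_cacertdir" not in c:
            findings.append("no CA configured: peer verification cannot succeed")
    return findings


# Constructed sample: looks right, but silently fails to verify under GnuTLS.
GNUTLS_BROKEN = """\
base dc=example,dc=invalid
uri ldap://ldap.example.invalid
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/ssl/certs
"""

# Constructed sample: the working equivalent, pointing at a single CA bundle.
GNUTLS_OK = GNUTLS_BROKEN.replace("tls_cacertdir /etc/ssl/certs",
                                  "tls_cacertfile /etc/ssl/certs/ca-certificates.crt")

# Constructed sample: no TLS at all.
PLAINTEXT = "base dc=example,dc=invalid\nuri ldap://ldap.example.invalid\n"

if __name__ == "__main__":
    for name, cfg in (("broken", GNUTLS_BROKEN), ("ok", GNUTLS_OK), ("plain", PLAINTEXT)):
        print(name, audit_ldap_conf(cfg) or ["OK"])
```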

That done, the next job was to somehow make my ‘network’ home directories appear on all the machines.  NFS is the obvious choice for this, but for one reason and another, using straight NFS is not likely to work in my network.  Specifically, I didn’t want the situation where I could not mount my NFS drives on boot, if the virtual machines didn’t come up in the right order or it got ‘stuck’.  So, I decided to resurrect the automounter.  I haven’t used this in donkeys’ years, but I was nicely surprised to see that the latest version of autofs, autofs5, comes with LDAP support – which is handy, since I had just set up my LDAP server anyway.

So, a little scratching of heads and a few entries in my LDAP server later, I had the automounter configured, which picks up my NFS directories from the file server but (most importantly) only mounts them when required, which means that none of my virtual machines would hang upon boot if the file server hadn’t started up yet, since the home directories aren’t required then.

So far, all is well, and it seems to be quite a good solution.  I still haven’t got pGina working, mainly because I haven’t had time, but hopefully that shouldn’t be too difficult to get going, now that I know the rest of it works.

IPv4 all gone

The news has been announced.  In the last two hours, APNIC have been allocated the last two /8s in the IPv4 address pool, which will trigger the distribution of the ‘final five’ blocks, one to each Regional Internet Registry, which officially means that there are no more IPv4 addresses left in the IANA pool.

What does this mean now?  Well, each RIR still has a stock of addresses.  With APNIC taking the last two blocks, they now have in the region of 3.2 /8s left, ARIN have about the same, and RIPE have nearly 4.  Obviously each RIR will get one additional /8 from the ‘final five’ in addition to this.  Current estimates are that these addresses will be gone in around 6 months.

Party time!

IPv4 Exhaustion: Could tomorrow be the big day?

The Internet has been buzzing over the past few days about what the exact date will be for IANA to ‘push the button’ and finally exhaust their stock of /8s by allocating two blocks to APNIC.  The rumours have been for quite some time that 31st Jan/1st Feb was going to be the big day, but now big, big (and not very subtle) hints have been dropped by several people who should know, and the date also neatly coincides with NANOG 51, the perennial meeting of the North American Network Operators Group, and is the day before Chinese New Year’s Eve.

So, watch this space!  NANOG 51 starts today, with the main events tomorrow, Tuesday and Wednesday.  I’m expecting an announcement around 09:30 EST (so 14:30 UK time, and around 00:30 in APNIC’s office in Brisbane) tomorrow.

Anyone for a party? :)

Clueless IPv6 Comment of the Day

Had to laugh (or possibly cry) at the following quote from reporter Claire Connelly of news.com.au, at http://www.news.com.au/technology/the-internet-has-run-out-of-ip-addresses-and-what-happens-after-that-is-anyones-guess/story-e6frfro0-1225995086627 today:

“Web developers have tried to compensate for this problem by creating IPv6 – a system which recognises six-digit IP addresses.”

The rest of it is so full of errors, I won’t even begin to start pointing them out – but it made me laugh anyway.  If this is the quality of reporting we’re going to get next week when the addresses *do* run out, I think we’re in for a bit of fun…

(In case you weren’t aware, IPv6 addresses aren’t six digits in length – they are 128-bit numbers, which is technically 32 hex digits in length, if all of the leading zeros are present.)

Idle monetary curiosity

Since my new credit card seems to have “cashback”, this got me thinking – I wonder how much I can spend on a credit card in a month?  Normally, I’m not one to buy things on credit cards except if buying things by mail order (mainly because of the Section 75 Consumer Credit Act 1974 protection), preferring to use my debit card for transactions made in person.

And before you all suddenly think I’ve flipped, I’m not talking about going crazy on buying stuff I can’t afford, but more “how much can I spend on a credit card in a month” with the following rules: (i) You must not use the card for anything that you wouldn’t normally buy in an average month, (ii) You must pay the bill off in full at the end of the month (just as I normally do, btw).

Might be interesting to see how I get on…

IPv4 Exhaustion News: Another bumper day at APNIC

At APNIC, it seems to have been another fantastic day of handing out loads of IPv4 addresses to the Chinese – today a /10 (or about 4 million addresses) was allocated to China Mobile bringing the total APNIC address pool down to 1.4 /8s, from 1.66 /8s at the weekend, a whopping 0.26 /8s decrease in one day.

There is still rampant speculation on when ‘IANA IPv4 exhaustion day’ will be,  since apparently it’s meant to be a secret – but my guess is still on 00:00 UTC+10 Tuesday 1 Feb (which is about 14:00 UK time Monday 31 Jan).  Can’t come soon enough for me…

Available from all good record shops now :)

Over the past few months, I’ve been working on an orchestral soundtrack for Cuddington Youth Drama for their next production, “Search for Odysseus” by Charles Way.  It’s a play based around Homer’s Odyssey, but from the son’s (Telemachus) point of view, in the search for his father.  It’s taken a while to get it done – 22 tracks in all, and nothing but the song words to go on, so it’s been a bit of a challenge (especially as it’s also the first play score I’ve composed!).  Anyway, the score is all done and recorded now, apart from the obligatory tidying up and necessary spit and polish, and actually finished a week ahead of schedule!

So, if you’re local, don’t forget to come and see it – details on the CYD web site.

Christmas Present Review

Got a great pile of Christmas presents this year – mainly DVDs of classic children’s TV programmes!  The Mysterious Cities of Gold was a 39-part series made jointly by NHK/RTL, loosely based around Scott O’Dell’s book The King’s Fifth; the French and Japanese versions were made in 1982, and it was first shown in English in 1986/87 on Children’s BBC, then repeated again in 1990.  It charts the adventures of three 11/12-year-old children – Esteban, Zia and Tao – along with their Spanish companions Mendoza, Pedro and Sancho (who mainly seem to be interested in getting rich), around South America looking for the Cities of Gold.  It’s amazing how well this series has stood the test of time, and I’ve got to say it was great to be able to watch it again (and only the third time in my life I’ve seen it!).  Although the DVD set was released in the early 2000s, it was never released in English at the time and the English dubbed version finally appeared on DVD last year!

Some info about the series: Wikipedia and an unofficial fan site (in English and French).

The other DVDs were the complete first and second series of Dogtanian and the Three Muskehounds.  Produced by BRB Internacional SA in Spain in 1981 (so actually predating MCoG by a year), this was a cartoon animation series based on the Alexandre Dumas story The Three Musketeers.  26 episodes were produced for the first series, and the English version was shown on Children’s BBC in 1985.  I’ve got to say, I don’t think I ever saw every episode when I was a kid, so it took a little while to get the story this time round, but definitely a children’s TV classic.  The second series (‘Return of Dogtanian’) was not shown on the BBC, but shown on ITV in 1990 instead as it was a BRB Internacional/Thames Television co-production.  Having never seen the second series the first time round, I was unsure what to expect, although I remember people saying at the time that it wasn’t as good.  Having watched the first five episodes, I think I have to agree with that – many of the voices have changed, the characters don’t seem quite as well-drawn, and the theme music (a rearrangement of the original) is frankly horrible.  However, I’m beginning to warm to it – so perhaps I’d better watch the rest of the series before I go passing judgment on it.  The second series appears to be based on “The Vicomte of Bragelonne: Ten Years Later”, also by Dumas.

More information on Dogtanian can be found at the Wikipedia entry or at this fan site.

Still, I enjoyed watching the first series again, and the second series is growing on me slowly, so I can safely say lots of fun was had watching those!  Here’s hoping for Around the World with Willy Fog next Christmas then :)

IPv4 should be all gone, except that it isn’t…

Those of you that have been watching the various “IPv4 exhaustion sites” (including Geoff Huston’s Potaroo site and Stephan Lagerholm’s IPv4Depletion site, as well as the official graph page at APNIC) will know that IANA should have run out of IPv4 addresses last weekend, under normal circumstances.  However this hasn’t happened, and it appears that no-one has “pushed the button”, that is, the day when a RIR asks for the last 2 /8s available for allocation, and thereby triggering a distribution of the remaining 5 /8s one each to each of the Regional Internet Registries (RIRs).

According to comments made from people who should know, the reason this hasn’t happened is that someone, no idea whether IANA, APNIC, or IANA plus all the RIRs, wants to turn this into a massive PR stunt.  So it appears there is an exhaustion day, but it’s a secret.  And that irritates me.  It’s not as if IANA didn’t know this was coming, they could have had the press releases written months ago.

APNIC’s pool is getting lower by the day (at the time of writing this was 1.67 /8s, or 28,017,950 addresses, and the usual threshold for asking for more addresses is about 2.0 /8s).  There are a number of dates it could be, for example, there’s January 31st, Feb 14th, or even the ICANN meeting in March when it is rumoured that Bill Clinton will be coming to speak (but personally I don’t think they can last that long).  It could be today (except that today is a weekend).

I really just wish everyone would stop stalling for time and push the button to start Stage 2.  Whatever day or time it happens, the press are going to be all over it, there’s going to be mass panic in some quarters of the industry, and it wouldn’t surprise me if one or more ISPs or service providers disappear in the next year or two because they just weren’t ready in time and got caught out.  So let’s just push the button now, please IANA? (Well, okay, when you get up!)

28,017,950.72

IPv4 – The end is coming quicker than you think

Today the news was announced that IANA, the organisation ultimately responsible for allocating IPv4 addresses to the Internet community, has just allocated a further 4 blocks of /8 in one day.  Two of these went to ARIN, the Regional Internet Registry for North America, one went to AfriNIC, the RIR for the continent of Africa, and one to RIPE NCC, the RIR for Europe.

This means that we now have 7 blocks of /8 left out of a total of 256.  At the beginning of yesterday we had 11.  This basically cuts the total free IPv4 space remaining from 4.3% to 2.7%, a decrease of almost half.  Current estimates as of yesterday were predicting that the IPv4 address space would run out at the beginning of March, but with addresses being used so quickly, that might well be December or January.

So what happens now?  Well, as of now, there are 7 /8s left.  If a further two blocks of /8 are allocated, this leaves 5 remaining.  IANA policy is believed to be that when only 5 blocks of /8 are remaining, they will be distributed equally to each of the five RIRs – that is, ARIN, RIPE NCC, LACNIC, AfriNIC and APNIC.  If (as is likely) APNIC require one or more blocks (most probably because of China’s insatiable appetite for new addresses), this means we could be down to 5 /8s very quickly.  And at that point, the last five will be distributed evenly, and we will have run out at IANA, possibly before Christmas.

This begs the question – why is almost no-one ready for it?  Out of the “sticking plaster” options, Carrier Grade NAT is certainly one solution (that is, effectively NATing and/or PATing the NATs), but this only works until we run out of addresses *and* TCP/UDP ports, and it also means that we will be double, triple or even quadruple NATing our hosts.  This scuppers any chance of PAT (Port Address Translation) working unless all the NATs do the PAT, which is unlikely to be workable, especially when one or more of the NATs are being run by unprepared-for-IPv6 ISPs, and this means that no-one will successfully be able to run servers behind NAT.

So please, ISPs, please stop thinking about rolling out Carrier Grade NAT which will cost ££££££s and start rolling out IPv6 which will also cost ££££££s.  It will cost you less in the long run.  (But I doubt they’re going to listen to me, so if you don’t mind, I’ll just get my metaphorical IPv6-enabled deckchair and sit in it eating my metaphorical IPv6-enabled popcorn whilst watching the chaos ensue.  It really isn’t going to be pretty.)

At some point, the procrastinating ISPs (which currently seems to be all of them) will need to wake up.  Perhaps this will be when people can’t access Google, Facebook, YouTube, iPlayer, <insert popular new service here only available on v6>.  But I can pretty much guarantee the IPv6 roll out will be done in a rush and badly.  If only people had started thinking about this 5 years ago (like the ISP I use did…)