One eDirectory to rule them all

There was a time when Novell ruled the server: a time when CNE was a mark of technical excellence and server uptime was measured in years, not weeks; a time when Novell Directory Services (NDS) provided a single point of administration for every aspect of the enterprise environment, including the then-evolving Active Directory.

Yet just when everything was coming together for Novell, the attraction of owning the desktop led them to acquire Ximian, the coolest Linux desktop on the block, before joining forces with IBM and acquiring SuSE, possibly the biggest competitor to RedHat at the time.

It was not long after the SuSE acquisition that Novell announced their intention to phase out NetWare, a move that saw many IT managers faced with the decision of migrating their servers to the then largely untested OES (Open Enterprise Server), or crumbling under the ever-increasing pressure of Active Directory and Exchange. Needless to say, not many survived to log in via the Novell Client.

I personally focused my energy on FreeBSD and other open source solutions, occasionally rolling out OES to companies that required enterprise support, secure file synchronisation (iFolder) or a rock-solid collaboration platform (GroupWise). Novell have always had sensible licence fees, often based on a per-user rather than per-server model, which provides massive cost savings.

It was cost savings I was looking for recently while searching for a cross-platform LDAP solution that was easy to manage, secure, reliable and had enterprise support to boot. It was exactly those requirements that led me back to Novell, back to eDirectory, which after all this time continues to offer the Full Service Directory promise that ruled the enterprise several years ago.

Installation of eDirectory on SuSE is seamless; RedHat required a few dependencies (yum install) but still took under 10 minutes, and that included bolting on iManager, the secure web interface to many Novell products (think ConsoleOne). Configuring the RedHat clients was just as easy; in fact, using the authconfig tool you can configure the client to talk to eDirectory with a single command:

authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=myserver --ldapbasedn=o=myorganisation --enablemkhomedir --updateall

One caveat on that command: --enableldaptls only protects the bind if the client can verify the eDirectory server's certificate, so install the tree's CA certificate on each client (authconfig's --ldaploadcacert option fetches one for you) before trusting that passwords are no longer crossing the wire in the clear.

As for adding a replica for resilience, you only need to install eDirectory onto another server on your network (yes, it runs on Windows too!), and as long as you select your existing tree during the install process you have a read/write replica. Simple, eh!

So it seems Novell never gave up. They focused their energy on migrating all the great tools we took for granted with NetWare, while combining the best-of-breed Linux tools into SUSE Linux Enterprise 11, Novell's latest enterprise server platform.

With features such as .NET support for System z mainframes, OCFS2/cLVM2 and new fine-grained management of CPU, memory, storage and networking resources, it looks like Novell have a worthy contender for the enterprise Linux throne!
Could Novell be ready to pick up where they left off with NetWare? Only time will tell... now if only eDirectory ran on FreeBSD. ;)

Code Me In!

If you are security conscious, and nowadays who isn't?, you may have pondered ways to make your external SSH connection safer.
Of course there are always one-time passwords and public keys, but if, like me, you watch the daily barrage of brute-force attacks you may be thinking it's only a matter of time...

That's what I was thinking at about the same time an SMS arrived on my mobile... then it hit me: I take my mobile everywhere, if only my server could call me and ask if it is really me trying to log in.

My first instinct was to try and insert a Perl or Python script into the login process. After all, Clickatell have several libraries you can use to send SMS messages. How hard could it be? ;)
Well, for starters it didn't feel right relying on a script that runs within an interpreter that is running within a shell, but how else could it be done? Pluggable Authentication Modules sprang to mind, but that's hard, right? Wrong!

Hitting the FreeBSD handbook I was able to gain a decent understanding of PAM functionality and even managed to find some sample code. Shame the programming section had not yet been written. O'Reilly to the rescue. After reading a few articles on PAM it wasn't long before I had a working prototype; in fact most of my time was spent deciding on the right libraries to use.
The end result is a PAM module that can be dropped into the authentication chain for any PAM-aware application or service: think SSH, FTP, POP3 etc.

Upon successfully entering your username and password, the pam_codemein module uses libcurl to send an HTTPS request to Clickatell, my preferred SMS gateway, which forwards a random code to your mobile; the module then prompts you to enter the same code at the login prompt to gain access. Of course there are issues with using SMS, such as mobile reception and timeouts, but in testing I didn't notice any.

If you are concerned about the cost of SMS messages, Clickatell are a bulk SMS provider so rates are good, and if you prefer to be contacted via some other method the code can be adapted to any other service, e.g. XMPP over TLS; you could even GPG-encrypt the code in an email if you prefer.

It was only after I had the fun of writing this module that I stumbled across this blog post. Shame, as it may have saved me a lot of time, but hey, where's the fun in that? I'll just have to get cracking on the XMPP method, either that or search deeper within Google. ;)

Have you seen RT 3.8!

It's been a long time coming, but after two years in the making the enterprise-grade ticketing system that is RT has had a well-earned facelift, and what a difference!

Upgrading from 3.6.3 would have been straightforward if it were not for the fact that I also decided to upgrade to MySQL 5.1 at the same time. The final product made the pitfalls worthwhile, however, and RT is now slicker than ever. Plus I got to know RT better along the way: bonus!

If you're thinking of upgrading to RT 3.8 / MySQL 5.1, just remember to use the MyISAM engine for the Attachments table (it's worked so far for me with around 84k tickets). Failing to do so will result in slow response from the UI on certain actions, because MySQL fails to select the correct index on certain queries:

ALTER TABLE Attachments ENGINE=MyISAM;

It looks like the optimiser is broken for the InnoDB plugin; however, if you check out this bug it may have been fixed by now (I was using FreeBSD port mysql-server-5.1.26). Bear in mind what the engine change costs you: MyISAM is not transactional, so the Attachments table no longer rolls back with the rest of an RT transaction and has no automatic crash recovery (only myisamchk repair after the fact). Treat it as a workaround to revert once the optimiser bug is fixed, and make sure your backups cover that table consistently in the meantime.

MySQL Snapshots on FreeBSD

I read a lot about MySQL backups using LVM snapshots on Linux, WAFL snapshots on NetApp and more recently ZFS snapshots. But did you know you can do the same under FreeBSD?

FreeBSD has had snapshot capability since around 2001, allowing administrators to take a frozen :) image of a filesystem at a given instant in time with minimal impact on the server or filesystem. So how does this help with MySQL backups?

If, like me, you have loads of space on your database volume and often find yourself making frequent risky modifications to your databases, a snapshot can save you loads of time and headaches by creating a point-in-time marker that you can fall back on if needed.

Snapshots provide the following benefits:

  1. Efficient – Only as blocks in the active filesystem are modified and written to new locations on disk does the snapshot begin to consume extra space.
  2. Fast – It takes about 30 seconds to create a snapshot of an 8 GB filesystem. Of that time 25 seconds is spent in preparation; filesystem activity is only suspended for the final 5 seconds of that period.
  3. Reliable – FreeBSD ensures that no disk write activity can take place during the setup of the snapshot (typically less than a second). The result is a consistent replica.

If you are running MySQL on FreeBSD, snapshots can certainly help improve your backup strategy, with one proviso: the snapshot is consistent at the filesystem level, not at the database level. InnoDB's crash recovery will bring a snapshotted data directory back to a consistent state on restore, but MyISAM tables (including the Attachments table from the RT post above) need a FLUSH TABLES WITH READ LOCK held while the snapshot is taken, and released straight after, or you can end up with half-written index files. So how do you get started?
Well, if you head over to the Wiki you'll find a detailed guide to creating your first snapshot, but before you click that link there is another new FreeBSD feature you may not be aware of: Security Event Auditing.

Protecting your data requires more than just regular backups, and the security auditing feature in FreeBSD 6.2+ can help with logging activity on your MySQL server.
Based on Sun's published Basic Security Module (BSM), the de facto industry standard for auditing, FreeBSD Security Event Auditing provides reliable, fine-grained and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access. These log records can be invaluable for live system monitoring, intrusion detection and post-mortem analysis.

At the moment the stable release of FreeBSD requires a kernel compile to enable audit capability, but future releases should have audit enabled in the GENERIC kernel. You never know, by the time FreeBSD 7.0 is available I may have figured out a way to audit MySQL logins using auditd. ;)

If you're feeling brave you can download the latest monthly snapshot of the upcoming FreeBSD 7.0 release and put auditing to the test.

Right, I'm off to get a working NetUnit jar ready for the end of the week. I hope :)