Archive for the ‘Infrastructure’ category

Online malware scanner

December 14th, 2009

F-Secure has the best antivirus/anti-malware software available. I have been using it since rootkits became a threat. F-Secure had a free app that would detect and remove rootkits, which is a step above Technet’s Rootkit Revealer. F-Secure licensing is inexpensive and user friendly. They also have an online scanner that detects and removes threats and will also send samples back to the vendor.

You can find the online scanner here

Spring LDAP Group Authorization Tip

October 30th, 2009

The folks at Spring have made it extremely easy to have your application authenticate and authorize users with Spring LDAP. This blog entry explains how to check your directory structure and use two sparsely documented Spring LDAP parameters ({0} and {1}) to get everything working.

In your Spring Security configuration, pointing to your directory is straightforward:

 <ldap-server id="ldapServer" url="ldap://dir.yourdomain.com:389/" />

But in configuring the ldap-authentication-provider, you need to know a few things about your directory of course! We recommend using Apache Directory Studio to browse your directory – it’s a fantastic application.

If you’re more of a command-line person, just use ldapsearch (example below):

ldapsearch -H ldap://dir.yourdomain.com:389 -ZZ -x \
  -D "cn=AdminUser,dc=yourdomain,dc=com" -W -b "cn=users,ou=groups,dc=yourdomain,dc=com" \
  -s base -a always "(objectClass=*)" "*"

Once connected to your directory, you’ll need to figure out how your groups are configured. Specifically, you’ll want to know if your configuration looks like

Example A:

  • dc=yourdomain,dc=com
    • ou=groups
      • cn=users
        • memberUid=USERNAME

or Example B:

  • dc=yourdomain,dc=com
    • ou=groups
      • cn=users
        • memberUid=uid=USERNAME,ou=people,dc=yourdomain,dc=com

If it’s like Example A, you’ll want your config like this:

<ldap-authentication-provider server-ref="ldapServer"  
	user-search-base="ou=people,dc=yourdomain,dc=com" 
	user-search-filter="(uid={0})"
	group-role-attribute="cn"
	group-search-base="ou=groups,dc=yourdomain,dc=com"
	group-search-filter="(memberUid={1})"
	role-prefix="ROLE_" />

otherwise, you’ll want this config:

<ldap-authentication-provider server-ref="ldapServer"  
	user-search-base="ou=people,dc=yourdomain,dc=com" 
	user-search-filter="(uid={0})"
	group-role-attribute="cn"
	group-search-base="ou=groups,dc=yourdomain,dc=com"
	group-search-filter="(memberUid={0})"
	role-prefix="ROLE_" />

Note the difference in the group-search-filter:

  • {0} is replaced with the user’s full DN (the username together with the entire LDAP base).
  • {1} is replaced with only the username.
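As an added example (not code from the original post, and not Spring’s own code), the Python script below reads a constructed LDIF export of the groups subtree, classifies whether memberUid holds bare usernames (Example A) or full DNs (Example B), picks the matching group-search-filter placeholder, and shows what the {0}/{1} placeholders expand to. It also flags a directory that mixes both forms, since one filter can then never match every member. The LDIF samples, the function names (parse_ldif, member_format, choose_group_search_filter, escape_filter_value, render_filter) and the RFC 4515 escaping step are this example’s own assumptions; Spring performs its own substitution and encoding inside its LDAP template classes.

```python
"""Added example, not part of the original post: pick the right Spring LDAP
group-search-filter placeholder from how the directory stores group members.
The LDIF below is constructed to look like the post's Example A and B."""
import re

# Constructed: Example A shape, memberUid holds a bare username.
LDIF_EXAMPLE_A = """\
dn: cn=users,ou=groups,dc=yourdomain,dc=com
objectClass: posixGroup
cn: users
memberUid: alice
memberUid: bob
"""

# Constructed: Example B shape, memberUid holds the user's full DN.
# The second value is folded across two lines, as LDIF exports often are.
LDIF_EXAMPLE_B = """\
dn: cn=users,ou=groups,dc=yourdomain,dc=com
cn: users
memberUid: uid=alice,ou=people,dc=yourdomain,dc=com
memberUid: uid=bob,ou=people,
 dc=yourdomain,dc=com
"""

# A value that itself looks like "attr=..." is a DN, not a bare username.
DN_VALUE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")


def _unfold(text):
    """Join LDIF folded lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' values): returns a list of entries,
    each a dict mapping attribute name -> list of values."""
    entries, current = [], {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def member_format(entries, attr="memberUid"):
    """'username' (Example A), 'dn' (Example B), 'mixed' (inconsistent: one
    filter cannot match every member, so some users silently get no roles)
    or 'none' (attribute absent from every group)."""
    kinds = set()
    for entry in entries:
        for value in entry.get(attr, []):
            kinds.add("dn" if DN_VALUE.match(value) else "username")
    if not kinds:
        return "none"
    return kinds.pop() if len(kinds) == 1 else "mixed"


def choose_group_search_filter(fmt, attr="memberUid"):
    """{0} is replaced by the authenticated user's full DN, {1} by the bare username."""
    if fmt == "username":
        return "(%s={1})" % attr
    if fmt == "dn":
        return "(%s={0})" % attr
    raise ValueError("no single group-search-filter fits member format %r" % fmt)


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter, so characters
    such as '*', '(' or ')' in a username stay literal text."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def render_filter(template, user_dn, username):
    """Substitute {0} and {1} with escaped values. This mirrors the placeholder
    meaning the post describes; the escaping is this example's, not Spring's code."""
    return template.format(escape_filter_value(user_dn), escape_filter_value(username))


if __name__ == "__main__":
    alice_dn = "uid=alice,ou=people,dc=yourdomain,dc=com"
    for label, ldif in (("Example A", LDIF_EXAMPLE_A), ("Example B", LDIF_EXAMPLE_B)):
        fmt = member_format(parse_ldif(ldif))
        template = choose_group_search_filter(fmt)
        print(label, fmt, template, render_filter(template, alice_dn, "alice"))
```

Run it against an `ldapsearch -LLL` export of your own ou=groups subtree instead of the constructed strings; if member_format reports "mixed", fix the directory data before touching the Spring config, because neither filter will authorize every user.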

Using Conga Web Configuration with Red Hat Cluster Suite – Part 1

October 30th, 2009

Overview

Red Hat Cluster Suite provides high availability and clustered storage for RHEL platforms.  Unfortunately the configuration management for each node can be tedious as the /etc/cluster/cluster.conf file must be copied to each as changes are made.  Conga makes life a little simpler.

http://sourceware.org/cluster/conga/

Conga provides a client/server architecture for cluster management with the ricci and luci services.  Luci acts as the configuration interface and sends instructions to the ricci client on each server.  Ricci takes instructions from luci and updates cluster.conf as necessary.

Package Installation and Configuration

Install the Cluster Suite with the following package group installation commands:

yum groupinstall "Clustering"
yum groupinstall "Cluster Storage"

Once installed, luci must be initialized on one node.  The initialization script will ask for a password for the default admin account.

luci_admin init
/etc/init.d/luci restart

Next start ricci on all nodes that will be joined to the cluster.

/etc/init.d/ricci start

Log In to the Web Interface

Use the URL printed by the luci_admin script to log in to the web interface.

Luci Login

Coming in Part 2

In the next post I’ll go over the basics of initializing a cluster via Conga.  Seeing as luci and ricci do occasionally get in a fight, I will also provide some tips on dealing with those situations.

Open Source Router, Proprietary Cake

October 30th, 2009

Keeping with SAI’s proclivity toward open source software, I present to you Vyatta.  Vyatta is a small company with the goal of taking down Cisco by offering an open source router that can run on standard x86 hardware.  With the prevalence of virtualization, one could realistically open a branch office using just a single x86 server with a T1 card from Vyatta.  The router, firewall, and VPN are covered by Vyatta and the apps could run in a virtualized OS.

Better yet is their current sales promotion.  If Cisco’s gross profit margin is 70%, Vyatta will give you a 30% discount.  As Cisco makes less money, Vyatta gets cheaper.

Lastly, proprietary cake tastes good.  I can prove it, too.

Mark is really excited with the Router Cake at his wedding

Open Source Enterprise Search

September 27th, 2009

Has locating information across a multitude of systems on your corporate network finally made you consider an enterprise search appliance?

Our company has a number of systems in place designed to capture corporate knowledge and subject matter expertise.  Once it became too time consuming to find information across these systems (and we struck out with demos of search appliances like SearchBlox), we purchased the entry level Google Mini.  We’ve been happy with the appliance, but wanted to search more information formats (beyond digest authenticated SSL web pages and SMB shares), authenticate to our central authentication system (not LDAP), and introduce additional security levels.  (Word stemming would be nice too!)  To avoid the costs of graduating to Google Search Appliances, (and creating an internal Source Allies project to front end the Google Mini XML responses with some custom XSLT), we looked to open source again.

The trend towards enterprise search consolidation (Autonomy acquiring Interwoven for $775M, Microsoft offering $1.2B for FAST) has been interrupted by strong open source Lucene-based products like Nutch and Solr.  They have broken the enterprise search market segment wide open again.  Nutch provides basic web & file system crawling search appliance functionality, and Solr gives us the ability to infuse structured data into the same underlying Lucene index.

We decided to implement these technologies into our company network.  In our environment, the Nutch and Solr indexes are updated on a regular basis.  We use Nutch to index unstructured data such as our intranet, wikis, blogs and subversion document repositories.  Solr indexes structured data such as our corporate CRM application – a SugarCRM instance.  (Incidentally, we use a separate product called OpenGROK to index our subversion source code repositories).  Because Nutch and Solr are both open source, it was very simple to tie them into our single-sign-on system (front-ending them with our CAS server).  Stay tuned for a follow-up blog highlighting the technical details of our configuration.

Ultimately, Nutch and Solr are going to provide our company with a more flexible enterprise search solution, but the solution demands its fair share of Lucene/Nutch/Solr expertise to make it all happen.  Now that we have commodity cloud computing, Hadoop Map/Reduce, and structured and unstructured indexing tools on top of Lucene, I’m anxious to see what the open source community will do next in the enterprise search space.  It doesn’t seem too far off to have an appliance that will do the normal Nutch/Google Mini web and SMB share crawling, but also actively update the index with corporate collaboration (shared email/group chat/social media/RSS/wave protocol/video transcribing/forums/KM systems/custom SQL queries).  Of course all of this is currently possible with Solr/Nutch and even Google Mini’s OneBox modules, but who will be the first to make it really easy to set up?

Internet Routing Table Reaches 300,000

September 14th, 2009

A few weeks ago the global routing table reached its 300,000th route.  Below is a graph showing the exponential growth over the last 15 years.

BGP Table (Yearly)

Let’s do a little math:

Assuming all 4.3 billion IPv4 addresses are used (which isn’t quite true), each route represents approximately 4,294,967,296 / 300,000 ≈ 14,317 addresses.  This is almost equivalent to a /18 (16,384 addresses).  However, there are only 2^18 = 262,144 subnets of this size.

Why are there so many routes in the table?

Because there are BGP administrators who advertise junk like this.  AT&T WorldNet Services is advertising over 1100 prefixes, most of them /24s.  Due to their lack of summarization, this one group of routers is responsible for almost 0.5% of the fluctuation in global routing tables during any given week.  That’s really bad.
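As an added example that is not part of the original post, the Python below carries the arithmetic above through in code (addresses per route, the nearest prefix length, and how many blocks of that size exist) and then demonstrates the summarization the post says is missing: a constructed list of individually announced /24s is collapsed into the fewest exactly-covering aggregates with the standard library’s ipaddress module. The announcement list (RFC 1918 space), the ROUTE_COUNT constant and the function names are this example’s own; the 300,000 figure is the one quoted in the post.

```python
"""Added example, not from the original post: the post's arithmetic on a
300,000-route table, plus a demonstration of the prefix summarization the
post says is missing. The announcement list is constructed."""
import ipaddress
import math

IPV4_ADDRESSES = 2 ** 32   # 4,294,967,296
ROUTE_COUNT = 300_000      # global table size quoted in the post


def addresses_per_route(route_count=ROUTE_COUNT):
    """Average addresses per route if every IPv4 address were routed."""
    return IPV4_ADDRESSES / route_count


def nearest_prefix_length(addresses):
    """Prefix length whose block size is closest (on a log2 scale) to `addresses`."""
    return 32 - round(math.log2(addresses))


def subnet_count(prefix_length):
    """Number of distinct IPv4 blocks of the given prefix length."""
    return 2 ** prefix_length


def summarize(prefixes):
    """Collapse announcements into the fewest exactly-covering aggregates:
    adjacent /24s become /23s, /22s and so on. Nothing outside the input
    is covered, so the aggregate advertises no address the origin does not own."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed: 16 adjacent /24s (one /20 worth) plus two isolated /24s,
# each announced separately in the way the post criticises.
CONSTRUCTED_ANNOUNCEMENTS = ["10.10.%d.0/24" % i for i in range(16)] + [
    "10.10.32.0/24",
    "10.10.34.0/24",
]


def summarization_savings(prefixes):
    """(prefixes announced, prefixes after summarization)."""
    return len(prefixes), len(summarize(prefixes))


if __name__ == "__main__":
    per_route = addresses_per_route()
    plen = nearest_prefix_length(per_route)
    print("addresses per route: %.0f, about a /%d (%d addresses); only %d such blocks exist"
          % (per_route, plen, 2 ** (32 - plen), subnet_count(plen)))
    before, after = summarization_savings(CONSTRUCTED_ANNOUNCEMENTS)
    print("%d announcements collapse to %d: %s"
          % (before, after, summarize(CONSTRUCTED_ANNOUNCEMENTS)))
```

Only contiguous, aligned blocks collapse: the two isolated /24s stay as they are, which is why the 18 constructed announcements shrink to 3 rather than 1. Feeding summarize() the prefix list you receive from a peer is a quick way to measure how much of their advertisement is avoidable de-aggregation.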

Poke around here for some more info on BGP and the global routing table.