Filed under: Writings
I’ve been keeping myself quite busy the last couple of weeks, so here’s a quick update. First of all, my girlfriend and I got ourselves a nice little apartment to live in, so that’s where I spend most of my normal/overtime working hours: sanding wood, painting walls, the works, you know.
Second, the Seat Ibiza I ordered finally seems to be arriving. Hopefully it will be in within three weeks. Third, the Soekris boards I talked about earlier really kick ass. I’ve outfitted them all with a 40GB 2.5″ disk (the smallest I could get) and I already have a Kerberos 5/OpenLDAP cluster running.
Which brings me to point 4: I’m busy developing software.
Yes, ….
Let me introduce you to AD. AD stands for Absolutely Delicious. It’s single-sign-on management software with some extras, inspired by the Dameware NT Utilities. It’s plugin-based and uses XML-RPC for client/server communication. Right now there are plugins (some of them only skeletons) for:
- Heimdal Kerberos 5
- OpenLDAP
- BSD Authentication
- ISC DHCPD
- ISC BIND
- Cisco IOS
Right now it consists of two pieces of software: ad, a small command-line client, and adhd, the Absolutely Delicious Host Daemon, an XML-RPC server with plugins for the various backend systems. The functions that work (partially) at the moment are list, add and del.
The goal of AD is to provide a complete single-sign-on system for Linux/macOS (maybe Windows) clients, *BSD/Linux servers and Cisco routers. It should eventually be able to manage adding and deleting clients/users all the way down to the physical network port. And of course, in the far, far future, a graphical frontend for all of this, to please all of our managers into Open Source.
Printed below is a sample session: listing some existing objects, then adding a new user, newuser, to the system:
macross [ad]$ ./ad
ad> list user testuser
showing data for Kerberos 5
max-life = 1
expires = never
pw-exp = never
max-renew-mod = week
max-life-mod = day
max-renew = 1
pw-change = never
principal = testuser
showing data for OpenLDAP
dn = uid=testuser,ou=people,dc=in,dc=huis
telephoneNumber = +31 1 23456789
search = 2
cn = Test User
title = Systems Administrator
objectClass = posixAccount
loginShell = /bin/bash
uidNumber = 1001
gidNumber = 1001
result = 0 Success
homeDirectory = /home/testuser
uid = testuser
mail = spam@me.com
givenName = Test
sn = User
ad> list group people
showing data for OpenLDAP
dn = cn=people,ou=group,dc=in,dc=huis
search = 2
cn = people
objectClass = posixGroup
memberUid = r3boot
userPassword =
gidNumber = 1000
result = 0 Success
ad> list group wheel
showing data for BSD Authentication
member = ['root', 'r3boot']
gid = 0
group = wheel
ad> list host infra1.in.huis
showing data for Kerberos 5
max-life = 1
expires = never
pw-exp = never
max-renew-mod = week
max-life-mod = day
max-renew = 1
pw-change = never
principal = host/infra1.in.huis
showing data for ISC DHCP
ethernet = 00:00:24:c3:8f:90
host = infra1
address = 192.168.1.2
showing data for ISC BIND
a = 192.168.1.2
type = A
ptr = infra1.in.huis.
ad> list service ldap infra1.in.huis
showing data for Kerberos 5
max-life = 1
expires = never
pw-exp = never
max-renew-mod = week
max-life-mod = day
max-renew = 1
pw-change = never
principal = ldap/infra1.in.huis
ad> list user newuser
ad> add user newuser
Password [newpassword] =
UID [2000] =
GID [2000] =
Home directory [/home/newuser] =
Shell [/bin/sh] =
Gecos [New User] =
Title [Normal user] =
E-mail [new.user@example.com] =
Telephone number [+0123456789] =
Organisational Unit [people] =
Expiration time [never] =
Password expiration time [never] =
Max. ticket life [1d] =
Max. renewable life [1w] =
Attributes [[]] =
result from Kerberos 5 is OK
result from BSD Authentication is OK
ad> list user newuser
showing data for Kerberos 5
max-life = 1
expires = never
pw-exp = never
max-renew-mod = week
max-life-mod = day
max-renew = 1
pw-change = never
principal = newuser
showing data for BSD Authentication
shell = /bin/sh
uid = 2000
home_dir = /home/newuser
gid = 2000
gecos = New User
name = newuser
ad>^D
macross [ad]$ kinit newuser
newuser@IN.HUIS's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
macross [ad]$ ssh newuser@infra1
$ id
uid=2000(newuser) gid=2000(testgroup) groups=2000(testgroup)
$ uname -a
OpenBSD infra1.in.huis 3.6 GENERIC#42 i386
$ Connection to infra1 closed.
macross [ad]$ ./ad
ad> del user newuser
result from Kerberos 5 is OK
result from BSD Authentication is OK
ad>^D
macross [ad]$ ssh newuser@infra1
Permission denied (gssapi-with-mic).
macross [ad]$
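To make the ad/adhd split concrete, here is a small sketch of the same architecture: an XML-RPC daemon that fans list/add/del out to backend plugins, and a client that replays the session above (list, add, list, del, list). This is an added example and not code from the AD tarball; the plugins are in-memory stand-ins for the Heimdal Kerberos 5 and BSD Authentication backends, and every name in it (Dispatcher, start_adhd, the attrs keys, the EXISTS/NOENT status strings) is an assumption of this sketch, not AD’s API.

```python
"""Sketch of the ad/adhd split: adhd serves list/add/del over XML-RPC and
routes each call to the plugins that handle that object kind. Added example,
not the AD project's code; plugin names and status strings are assumptions."""
import re
import threading
from xmlrpc.client import ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

_UNITS = {"s": "second", "m": "minute", "h": "hour", "d": "day", "w": "week"}


def parse_life(text):
    """Turn a lifetime as typed at the add prompt ("1d", "1w") into the
    (value, modifier) pair the listing shows (max-life = 1, max-life-mod = day)."""
    m = re.fullmatch(r"(\d+)([smhdw])", text.strip())
    if not m:
        raise ValueError("bad lifetime: %r" % text)
    return int(m.group(1)), _UNITS[m.group(2)]


class Krb5Plugin:
    """Stand-in for the Heimdal plugin: a dict of principals instead of kadmin."""
    name = "Kerberos 5"
    kinds = {"user", "host", "service"}

    def __init__(self):
        self.principals = {}

    def list(self, kind, ident):
        return self.principals.get(ident)

    def add(self, kind, ident, attrs):
        if ident in self.principals:
            return "EXISTS"  # never silently overwrite an existing principal
        life, life_mod = parse_life(attrs.get("max_life", "1d"))
        renew, renew_mod = parse_life(attrs.get("max_renew", "1w"))
        self.principals[ident] = {
            "principal": ident, "expires": attrs.get("expires", "never"),
            "max-life": life, "max-life-mod": life_mod,
            "max-renew": renew, "max-renew-mod": renew_mod}
        return "OK"

    def delete(self, kind, ident):
        return "OK" if self.principals.pop(ident, None) is not None else "NOENT"


class BsdAuthPlugin:
    """Stand-in for the BSD Authentication plugin: users and groups in dicts."""
    name = "BSD Authentication"
    kinds = {"user", "group"}

    def __init__(self):
        self.users = {}
        self.groups = {"wheel": {"group": "wheel", "gid": 0, "member": ["root"]}}

    def list(self, kind, ident):
        return (self.users if kind == "user" else self.groups).get(ident)

    def add(self, kind, ident, attrs):
        if kind != "user":
            return "UNSUPPORTED"
        if ident in self.users:
            return "EXISTS"
        self.users[ident] = {
            "name": ident, "uid": int(attrs["uid"]), "gid": int(attrs["gid"]),
            "home_dir": attrs.get("home", "/home/" + ident),
            "shell": attrs.get("shell", "/bin/sh"), "gecos": attrs.get("gecos", "")}
        return "OK"

    def delete(self, kind, ident):
        if kind != "user":
            return "UNSUPPORTED"
        return "OK" if self.users.pop(ident, None) is not None else "NOENT"


class Dispatcher:
    """The adhd side: route a call to every plugin that handles that kind."""

    def __init__(self, plugins):
        self.plugins = plugins

    def _for(self, kind):
        return [p for p in self.plugins if kind in p.kinds]

    def list(self, kind, ident):
        # Mirrors "showing data for <plugin>": only plugins that know the object.
        out = []
        for p in self._for(kind):
            data = p.list(kind, ident)
            if data is not None:
                out.append([p.name, data])
        return out

    def add(self, kind, ident, attrs):
        # One status per backend, so a half-applied add (OK in Kerberos,
        # EXISTS in BSD auth) is visible to the operator instead of hidden.
        return {p.name: p.add(kind, ident, attrs) for p in self._for(kind)}

    def delete(self, kind, ident):
        return {p.name: p.delete(kind, ident) for p in self._for(kind)}


def start_adhd(plugins, host="127.0.0.1"):
    """Serve the dispatcher on an ephemeral loopback port. Loopback only:
    XML-RPC has no authentication of its own, so anything that can reach
    this port could add or delete principals."""
    server = SimpleXMLRPCServer((host, 0), logRequests=False, allow_none=True)
    disp = Dispatcher(plugins)
    server.register_function(disp.list, "list")
    server.register_function(disp.add, "add")
    server.register_function(disp.delete, "del")  # 'del' is a Python keyword
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d/" % server.server_address


def demo():
    """The ad side, replaying the session above: list, add, list, del, list."""
    server, url = start_adhd([Krb5Plugin(), BsdAuthPlugin()])
    try:
        ad = ServerProxy(url, allow_none=True)
        attrs = {"uid": 2000, "gid": 2000, "home": "/home/newuser", "shell": "/bin/sh",
                 "gecos": "New User", "max_life": "1d", "max_renew": "1w"}
        before = ad.list("user", "newuser")
        added = ad.add("user", "newuser", attrs)
        after = ad.list("user", "newuser")
        deleted = getattr(ad, "del")("user", "newuser")
        gone = ad.list("user", "newuser")
        return before, added, after, deleted, gone
    finally:
        server.shutdown()
        server.server_close()
```

Running demo() gives an empty listing, per-backend OK results for the add, a listing with both the Kerberos 5 and BSD Authentication records, OK results for the delete, and an empty listing again, which is the sequence the transcript shows. The per-plugin status dict is the part worth keeping in a real tool: when one backend accepts an add and another refuses it, the operator sees the inconsistency immediately instead of discovering it later as a user who can kinit but not log in.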
Of course, you always have to put your code where your mouth is, so here it is, enjoy: ad-30012005.tgz[md5]
One warning, though: this code is just a snapshot that barely works. Almost no error checking has been implemented and lots of things are hardcoded, not to mention the sorely lacking functionality. Be patient; it will take some time before I fix those. This is just a release for you all to play with.