Posts Tagged ‘authentication’

ACS 5.2 and AD Client

Thursday, November 3rd, 2011

I had an experience this morning and figured I’d share it. I’m running ACS 5.2 to provide a rich Authentication, Authorization and Accounting (AAA) environment for our equipment. I like it – it provides an extremely rich feature-set and is very extensible.

Our environment uses AD on the back-end, however what happens when AD is inaccessible, what then? This happened to me today – here’s what I did.

  1. SSH to the ACS server
  2. Check the status of the adclient ACS process

    ACS/admin# sh app status acs

    ACS role: PRIMARY

    Process 'database' running
    Process 'management' running
    Process 'runtime' running
    Process 'adclient' Execution failed
    Process 'view-database' running
    Process 'view-jobmanager' running
    Process 'view-alertmanager' running
    Process 'view-collector' running
    Process 'view-logprocessor' running

    ACS/admin#

  3. Oops – it’s not running, so let’s stop the whole ACS process and start it back up

    ACS/admin# app stop acs

    Stopping ACS.
    Stopping Management and View...............................................................
    Stopping Runtime.......
    Stopping Database...
    Cleanup.....

    ACS/admin# app start acs

    Starting ACS ....

    To verify that ACS processes are running, use the
    'show application status acs' command.

    ACS/admin#

  4. All things running now?

    ACS/admin# sh app status acs

    ACS role: PRIMARY

    Process 'database' running
    Process 'management' running
    Process 'runtime' running
    Process 'adclient' running
    Process 'view-database' running
    Process 'view-jobmanager' running
    Process 'view-alertmanager' running
    Process 'view-collector' running
    Process 'view-logprocessor' running

    ACS/admin#

Keep in mind that it takes a while for ACS to stop, as well as start back up (the CLI returns almost immediately after telling it to start up the ACS app, however it will be several minutes until all of the processes are running).

Now it might be totally unnecessary to take down all of ACS, rather than just telling it to start (would it be smart enough to only start the one failed process?). I didn’t try this today – just got things back up-and-running.
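A failed adclient means AD-backed logins stop working while the rest of ACS looks healthy, so the status check above is worth automating. The following is an added example, not part of the original post or of ACS: it parses the status output format shown above and polls until every process reports running. The `fetch` callable (however you collect the CLI output), the sample text and the choice of `adclient` as the required process are assumptions.

```python
import re
import time

# Constructed sample in the format of the status output shown in the post.
SAMPLE_FAILED = """\
ACS role: PRIMARY

Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'adclient' Execution failed
Process 'view-database' running
"""

ROLE_LINE = re.compile(r"^\s*ACS role:\s*(?P<role>\S+)")
PROCESS_LINE = re.compile(r"^\s*Process '(?P<name>[^']+)'\s+(?P<state>.+?)\s*$")

def parse_status(text):
    """Return (role, {process: state}) parsed from the status output."""
    role, procs = None, {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line)
        if m:
            role = m.group("role")
            continue
        m = PROCESS_LINE.match(line)
        if m:
            procs[m.group("name")] = m.group("state")
    return role, procs

def unhealthy(procs, required=("adclient",)):
    """Processes whose state is not 'running', plus required ones that are absent."""
    bad = {n: s for n, s in procs.items() if s.lower() != "running"}
    for name in required:  # assumption: truncated output counts as a failure
        bad.setdefault(name, "missing from output") if name not in procs else None
    return bad

def wait_until_healthy(fetch, attempts=20, delay=30, sleep=time.sleep):
    """Poll fetch() (hypothetical: returns CLI output as text) after a restart."""
    bad = {}
    for attempt in range(attempts):
        if attempt:
            sleep(delay)  # startup takes minutes, so space the checks out
        _, procs = parse_status(fetch())
        bad = unhealthy(procs)
        if not bad:
            return True, bad
    return False, bad
```
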

Until next time…

Online Requisition System (ORS)

Thursday, January 13th, 2005

OBSOLESCENCE NOTE: This was written well over a year ago, so may be outdated (i.e. may have broken links — if so, let me know and I’ll update).  Just because it’s old doesn’t mean that it’s not worth sharing!

Summary:

THIS PAGE IS UNDER CONSTRUCTION AND MAY BE INCOMPLETE

This is a requisition and PO management system that I built.  The ORS interfaces with Meditech’s data repository (DR) to provide accurate shipping and status from the Meditech system itself (assuming that your site has Materials Management (MM)).  The system could still be used if you don’t have Meditech, but quite a bit of the code would have to be modified (it was originally designed to tightly integrate with Meditech).

Each user is authenticated against a Windows NT/2000 domain.  Group permission can be set up by the NT group that the user is a member of (mapping NT groups to the appropriate ORS groups requires a manual initial mapping).  There are system-wide limits for how much can be ordered without a super-user’s signature, etc.

Another added bonus for this system is the digital signature component’s integration with digital tablets.  I chose to use the ePad tablets (when originally designed, the only ePad tablets around were serial-based — you could probably get by using the USB just as easily).  The only catch is that the proper Windows drivers must be configured on the workstation that has the ePad for the digital signature piece to work properly (digital signatures need only be received from super-users — people who approve purchases over set limits within the system).

For more info, read over the docs below (go to the downloads section below).


NT Authentication DLL

Thursday, January 13th, 2005

OBSOLESCENCE NOTE: This was written well over a year ago, so may be outdated (i.e. may have broken links — if so, let me know and I’ll update).  Just because it’s old doesn’t mean that it’s not worth sharing!

Summary:

How many times have you had a program that you need to authenticate users?  Most programs today require authentication at some point or another.  You have two solutions: use an existing authentication mechanism or re-create the wheel (make your own).

Sometimes it’s best to re-create the wheel, but for most apps (especially in-house, home-brewed apps) this simply results in another username/password combo that end-users will simply forget.  The bottom line: more work for you (or whoever’s maintaining the system) because you’ll be getting complaints from users and having to reset their passwords all the time.  Then, to make things better, you notice that people are leaving sticky notes on their monitors with their usernames/passwords to these programs.  Maybe you’d better think about using an existing authentication system.  May I encourage you to use NT authentication!

If you have a Windows environment (domain), you already have the usernames & passwords created with a system that enforces all of your company’s account policies (expiration, lockout, password change interval, etc.).  Simply check the usernames and passwords provided against NT.  This DLL provides one way of doing this.  Maybe there’s a better way.  In fact, I’m almost sure there is, but this works for me.  If you have a better way, please email me — tclegg at ovhd.com.

As a bonus, this DLL also is useful for getting NT group membership.  One function allows you to provide the group name and it will enumerate all of the users in that group.  Another group function takes a username and lists all groups that the user belongs to.  Note that these are domain (global) groups, not local groups.
