Transparent Squid Authentication to eDirectory

This post explains how to set up a Squid HTTP proxy to transparently authenticate users against a Novell eDirectory. In the Novell ecosystem Border Manager is the venerable choice for an internal firewall and proxy, but it is showing its age. This guide is based on this Novell Cool Solution. Unlike Border Manager, which requires the CLNTRUST client-side tool, the setup described works without the need for any desktop client software.

How it works

Within a Novell managed network the eDirectory stores authenticated users' I.P. addresses. Squid performs an LDAP search against eDirectory using the incoming I.P. address of the client. If successful, the authenticated username is returned and a proxy session is established. If the search comes up empty, Squid prompts the client to manually enter their credentials for authentication against the eDirectory. If this too fails, the proxy request is denied.

eDirectory 8.8 incompatibility

This solution currently only works with eDirectory < 8.8 because Novell has slightly changed the format in which newer versions store network addresses. At the time of writing I have not been able to test against eDirectory 8.8 so I cannot determine the required code changes or test results. Hopefully in the near future this situation will change.

Squid's external_acl_type option

Transparent authentication is made possible thanks to Squid's external_acl_type configuration option. This allows external identities and groups to be identified via any external script. Once Squid is installed, setting up transparent eDirectory authentication is a two-step process:

  1. Create and tweak the file.
  2. Edit the squid.conf configuration file
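
The lookup flow described above can be sketched as a Squid external ACL helper. This is an added example, not the script from the Cool Solution or code from the original post: the helper path, ACL names and directory data are assumptions, and the eDirectory LDAP search is replaced by a constructed in-memory table. It goes slightly beyond the post by refusing to name a user when several logins share one address.

```python
#!/usr/bin/env python3
"""Sketch of a Squid external ACL helper mapping a client IP to a directory user.

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type edir_ip ttl=60 negative_ttl=10 %SRC /usr/local/bin/edir_ip_helper.py
  acl edir_user external edir_ip
"""
import ipaddress
import sys

# Constructed sample data standing in for the eDirectory LDAP search:
# client IP -> DNs of users currently logged in from that address.
SAMPLE_SESSIONS = {
    "10.1.4.23": ["cn=asmith,ou=staff,o=example"],
    "10.1.4.50": ["cn=bjones,ou=staff,o=example", "cn=ckhan,ou=staff,o=example"],
}

def lookup_sessions(ip, sessions=SAMPLE_SESSIONS):
    """Replace with the real LDAP search; returns a list of user DNs."""
    return sessions.get(ip, [])

def answer(line, lookup=lookup_sessions):
    """Return the helper reply for one request line sent by Squid (%SRC)."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))  # reject anything but an IP
    except ValueError:
        return "ERR"
    users = lookup(ip)
    # No login recorded, or several users behind one address (NAT, terminal
    # server): the IP does not identify a single person, so do not vouch for it.
    if len(users) != 1:
        return "ERR"
    cn = users[0].split(",", 1)[0].partition("=")[2]
    if not cn or any(c.isspace() for c in cn):
        return "ERR"  # whitespace would corrupt the key=value reply
    return "OK user=" + cn

def main():
    for line in sys.stdin:          # Squid keeps the helper running
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()          # replies must not sit in a buffer

if __name__ == "__main__":
    main()
```

An ERR reply means the external ACL does not match, which is what lets a later rule in squid.conf fall back to the manual credential prompt the post describes.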

Borders' subtle statement about Novell's relevance

I took this photo at Borders' Auckland store yesterday afternoon.

Are Borders trying to position themselves as the subtle industry analyst with their shelving labels? Should Gartner be concerned that people will stop reading their reports and start scanning Borders' shelf names?

Noticing this shelving did lead me into purchasing 'Don't Make Me Think'. I read it on the flight back to Wellington and it was pretty good and quite funny. The content was all common sense, but sometimes it just takes very clear communication for common sense to make sense.

I guess it is just a shame that 'hey, don't make me think' is probably the response of Novell's marketing department when questioned by their CEO...

At what point is it cheaper for MS to just buy Novell?

The U.S. Supreme Court has cleared the way for Novell to continue their Wordperfect anti-trust suit against Microsoft. Novell's argument is that anti-competitive operating system issues caused their once mighty Wordperfect suite to come tumbling down. This turn of fortune cost Novell to the tune of $1 billion. The lawsuit Novell has filed against Microsoft is for damages potentially in the order of $3 billion.

Whilst everyone agrees Microsoft is no saint the fact of the matter is Novell and Wordperfect got beaten by aggressive pricing and marketing rather than significant operating system level anti-competitive action. Microsoft gained market share by aggressively dropping the price of Office to the point that it was less than half that of its competitors. Rather than following suit and matching dollar for dollar these moves Novell blindly followed their original pricing structures inherited from when they purchased Wordperfect.

Novell's past business blunders aside, given Microsoft's recent showing in the courts you would have to say it's an even-money bet that some financial compensation arises from this case. Whether it is in the order of $3 billion is unlikely but even a quarter of that amount is still a hefty sum. Does there come a time when Microsoft executives look at Novell and decide it is cheaper to buy them outright than cough up massive legal fees and reparations?

A few years ago the idea of Microsoft buying Novell would be dismissed on anti-competitive grounds, but these days Microsoft faces stiff competition from the likes of Red Hat, IBM, Sun, Oracle and of course Google. Even in recent years the two companies have hardly been competing against each other. The controversial agreement struck a few years ago between the two has seen them in coopetition rather than competition without so much as a mumble from regulatory bodies.

Given Novell's current financial position if a $3 billion payout were on the cards it is not a huge leap to suggest that Microsoft simply buy them out rather than buy their forgiveness. Whilst it would take more than $3 billion to buy the company it would not take much more (relatively speaking) considering Novell has a current market cap of $2.1 billion. Also from a shareholder's perspective an acquisition is much better than a payout as their investment is preserved and built upon instead of going to lawyers and the opposition.

From a technology perspective Novell have two things to offer Microsoft - SUSE and Identity Management. Microsoft currently resell SUSE and have a comparatively weak Identity Management business so both assets could be put to good use. Netware, Novell's other technology is at end of life but this customer base is currently having to weigh up a tricky migration to SUSE or Windows Server. As a consequence owning both end points of this decision would not be such a bad thing from a sales point of view.

Perhaps the biggest hurdle to get over is the general idea that Microsoft cannot sell Linux because it invented Windows. Given the recent announcements at Mix'08 in cloud computing and advertising it would seem that Microsoft no longer sees itself as simply a Windows company. Arguably another indication of this is their determination to buy the LAMP-centric (Linux/Apache/MySQL/PHP) Yahoo. Instead of migrating all the tried and tested Yahoo services over to a Windows server infrastructure, wouldn't it be simpler to establish Microsoft Linux through the acquisition of Novell? 

The case for splitting Novell

Phil Windley in a recent Between the Lines posting entitled 'Split Novell?' mused that Novell's relatively poor identity management business performance (in comparison to the industry in general) was perhaps a result of poor strategic synergy between their operating system (Suse) and IDM product lines. Not being a financial follower of the IDM market I cannot say for certain whether he is right or wrong, but I do agree with his basic assertion that Novell should be split in two. For a while now I have felt that their emphasis on Suse Linux is to the detriment of their excellent product offerings in the identity and network services markets such as eDirectory/iManager, IDM, iFolder and ZenWorks.

Commoditising the operating system

The success of Novell during the 80's and early 90's was due in no small part to their tried and tested Netware operating system. Unfortunately the operating system market has changed, Windows has matured and Linux has gained a strong foothold as a ubiquitous, free platform for reliably hosting network services. With the gradual demise of Netware, Novell had an opportunity to step out of the low-level operating system market and focus on the aspects of their business that were going strong. In this process they could have left the grunt work of maintaining the base operating system to partners such as Red Hat, Suse and even Microsoft. This would have provided a clean and relatively open migration path for existing Netware customers who are committed to a Novell infrastructure (i.e. eDirectory/Groupwise/Zenworks) and for the most part ignore the underlying operating system so long as it was stable and supported by a reputable party.

Instead of adopting a lightweight approach Novell opted to maintain their tried and true business model through the purchase of Suse Linux as a straight replacement for Netware in their product arsenal. This meant that instead of placing development emphasis on getting their network and identity products seamlessly working on a range of partner operating systems, attention was focused on fusing Novell's existing identity and network services into Suse Linux. The culmination of these efforts has resulted in Open Enterprise Server (OES), an excellent Netware 6.5 replacement that continues with the Novell tradition of marketing a tightly bound operating system/network services stack. Unfortunately this focus on a closed server/services model has been to the detriment of the network and identity services' deployment flexibility and marketing appeal as these valuable offerings must be coupled to and marketed alongside their related server products.

First Allison now Haeger, is there any personality left in Novell?

Today Ted Haeger announced on his personal blog that he has left Novell and taken up a position at Bungee Labs, a Web 2.0 startup focused on creating a purely Web-based application development environment and deployment platform.

Ted founded the Novell Open Audio podcast which did an excellent job of humanising the image of Novell, especially within the Linux community. In general Novell's formal marketing is pathetic but thanks to Ted's leadership Novell Open Audio created an isolated bright point. The podcast provides an excellent conduit for information about Novell products minus the 'doublespeak' that normally accompanies their P.R. attempts. Whilst Ted was not too explicit over the future of the podcast I am sure if Novell management continue to support the show its co-host Erin Quill will do an excellent job as lead.

Ted's departure from Novell removes yet another prominent personality from its ranks after Jeremy Allison's recent move to Google. Together the pair expressed rare qualities for Novell figureheads: honesty and an air of confident casualness quite unlike the suited and boring party line image normally attributed to the company. Sure Miguel de Icaza and Nat Friedman are still around but as a Linux user I would prefer they concentrate on their respective technology fields. I hope we see a couple of new up and comers stand up to take their place, unless of course Novell plan on subcontracting their P.R. out to Microsoft...

A funny little video from Novell

With Novell's Brainshare well underway they have released a very unique 'will it blend?' video onto YouTube. Ted Haeger's been talking about this for a while now and I can see why, it does a very good job of simultaneously being funny whilst remaining stuffy enough to be instantly identified as a Novell video. Sure it is no Apple advert but it is good to see even if you are just interested in what would happen if you put a Windows CD, a Mighty Mouse and a helping of Red Bull into an industrial strength blender...

Jeremy Allison speaks out on Novell

On December 29th Jeremy Allison officially left Novell and was able to speak openly about the Novell-Microsoft deal. He provided answers to questions posed by Mary Jo Foley of ZDNet and Boycott Novell although it would appear that his answers to the latter source were for the most part copied and pasted from his ZDNet interview. What is interesting from the interviews is that the controversial patent deal was included by Microsoft at the last minute (5 days before the announcement). This would suggest Novell was set up by Microsoft, or even worse intentionally withheld information from people within their own company that understood the most about the issues at hand. Whichever was the cause it does not bode well for Novell as it was a lot of negative publicity they could have seriously done without and even avoided if managed more effectively.

Jeremy Allison leaves Novell in protest

Lead Samba developer and vocal open source figure Jeremy Allison has left his position at Novell in protest of their recent patent-protection agreement with Microsoft. It is a great move from Jeremy who has made it clear in the past that his principles (and tongue lashings) will not be bent by corporate pressure.

In a parting shot Jeremy made public a letter he had sent to Novell management. Within it he made a brilliant point regarding the patent agreement and the often misunderstood reaction to it by the Free Software community:

"Do you think that if we'd have found what we legally considered a clever way around the Microsoft EULA so we didn't have to pay for Microsoft licenses and had decided to ship, oh let's say, "Exchange Server" under this "legal hack" that Microsoft would be silent about it - or we should act aggr[i]eved when they change the EULA to stop us doing this?"

It is an excellent point that brings into question people's willingness to accept theft and wrongdoing as something that can only occur to an object with a defined monetary value. The components that form GNU Linux have a value, they are Free in all senses of the word. Yet when Novell and Microsoft found a way around the GPL2 license to 'sell' their patent-protection alongside GNU Linux many in the industry viewed it as completely honest and worthwhile. This even though the agreement broke in spirit, but not in practice, the licensing terms of the GPL2.

UPDATE: CNET is reporting that Jeremy Allison will be joining Google in the new year. 

Novell officially pulls plug on Hula

Novell has officially ended development of Hula, its open source email server stack. For those involved in the Hula community the news was not unexpected but it will be a shame to see go what once promised to bring a breath of fresh air into the rather staid life of open source email and webmail services.


In its prior, closed source life Hula was named NetMail and was sold as a lite alternative to GroupWise for webmail users. Back in early 2005 Novell open sourced Hula to great fanfare and pitched the project as a concise and up to date alternative to the postfix/imapd/Squirrelmail stack dominant amongst most Linux email solutions. The idea was a good one, the existing stack is a pain to configure, disjointed and the Squirrelmail component is really showing its age. Hula offered a complete, concise and functional alternative that was well tested and had an exciting development path plotted out.

Unfortunately for Hula problems began to rise very quickly. The underlying mail storage engine had significant problems requiring a complete rewrite and the 'Web 2.0' style interface which promised to blow people away took forever to emerge. The consequences of these problems set the project back significantly. The rewritten engine whilst significantly improved lacked a stable migration path for existing Hula users, trapping many in older versions and causing others to think twice before deploying or even testing the system. Delays in the interface put Hula significantly behind in terms of user experience when compared to its competitors like GMail, Yahoo Mail, Zimbra, Scalix and RoundCube.

A wrap up of the week's Novell/Microsoft action

This week the Free Software Foundation (FSF) announced that it would not be taking Novell to court over their patent deal with Microsoft and its potential infringement of the GPL version 2. Instead the FSF's general counsel, Eben Moglen, announced that they would be pushing through with the finalisation of GPL version 3 which resolves many of the ambiguities present in GPL version 2. This strategy effectively takes the high road in the altercation; a costly and dirty lawsuit brought by the FSF against Novell right now would only harm both camps and potentially leave Novell without a viable operating system if they were to lose. By taking the less confrontational GPL version 3 approach the FSF does not condone Novell's actions but they do give everyone involved some breathing room in order to resolve the issue more constructively.

Once the GPL version 3 is finalised and the majority of the GNU Linux codebase (including the kernel) has adopted it Novell will once again be left in a difficult situation. The onus will be on their engineers to back-port all new functionality and security fixes to their existing GPL version 2 compliant code bases rather than incorporating patches from the community, which is the current process. This is a complex and expensive proposition which could potentially leave them in the dust when it comes to GNU Linux operating system development. Fortunately for Novell given the GPL version 3 time line the effects of the problem will not be experienced for at least a year (if not more), so this is really an issue for the Suse Linux Enterprise Server/Desktop 11 team to ponder and will not seriously impede Novell's current crop of products.