IBSng ReleaseNotes B1.33


New Features

Active Directory Integration via LDAP

The LDAP subsystem allows IBSng to sync its users, groups and passwords with an Active Directory server. Previously this was possible by using IBSng Windows services, but it has now been enhanced so that there is no need to install extra software on the Windows Active Directory server. Performance and ease of use have also been greatly improved.
The LDAP subsystem supports adding domains, each with multiple redundant servers. Multiple domains are also supported. It automatically syncs users and groups at configurable intervals. Both PAP and MS-CHAPv2 authentication mechanisms are available.
The LDAP subsystem has been tested with 30,000 Active Directory users in a production environment. Administrators can refer to docs/README.ldap for the installation manual.

LDAP - Domain Info

OTRS Integration

OTRS-Admin View Ticket

OTRS is an open source ticket tracking system with English and Farsi (and many other) language support. For a list of OTRS features, you can check out OTRS Features.
OTRS has been integrated into IBSng so that users can log in with their IBSng username and password to open or follow their tickets. Admins can also manage the tickets. A link on both the user and admin home pages redirects them to their corresponding OTRS page. Login to OTRS is done automatically by IBSng.
The rules of IBSng ISPs also apply in OTRS. Admins belonging to an ISP can see only the tickets of their ISP's users.
OTRS files are now shipped with the IBSng package, but installation requires an extra step with the setup.py script. A new option has been introduced in the setup script to automatically create the OTRS database and configuration files.

Failed Login Username

With this feature, ISPs can redirect users with finished credit or expired accounts to a special web page that helps them with technical support and online payment gateways.

This feature allows an internet user whose login failed to virtually log in as a special user. Often this user has special IP assignment rules that redirect the user to a special web page right after the browser is opened. The username of the special user should be set on the ras; this functionality is intended.

Squid Ras

Support for Squid (Basic) authentication and external ACL checking has been added to IBSng. By using this ras, users can be authenticated to Squid via IBSng. On subsequent requests, an external ACL checks the user with IBSng and disallows the user if they have been kicked out by IBSng. Day time and hourly limitations are supported by this ras, but traffic quota is not yet possible. Here is the README.squid file for more information:

1- What it does?                                              
        This is a very basic IBSng Squid Authentication support. It uses external authentication and external acls to 
        enforce access control on squid users.                                                                        

2- How to setup?
        1- Create Ras with squid IP Address in IBSng
        2- Ensure IBSng XML-RPC Server is listening on 0.0.0.0 in IBSng.conf

        3- copy ibs_squid_auth.py and ibs_squid_ext_acl.py from addons/squid_auth folder, to squid server in /usr/local/sbin
                and ensure squid user can execute them

        4- Add these lines to top of squid.conf

auth_param basic program /usr/local/sbin/ibs_squid_auth.py basic <IBS_IP>
auth_param basic children 10
auth_param basic credentialsttl 2 hours
authenticate_ttl 1 hour

external_acl_type ibs_ext children=10 %LOGIN %URI %SRC /usr/local/sbin/ibs_squid_ext_acl.py <IBS_IP>


        WARNING: Do not use vhost or transparent ports with proxy authentication
        5- Add acl directives in proper place

acl ibs_ext external ibs_ext
http_access allow ibs_ext


3- Login/Logout
        Users login via squid by using login popup. Each website is checked by IBSng to see if user has been logged in.
        If you kill a user, on next web page, an auto login attempt will be performed.
        Logout works by idle timeout either in user/group or ras.

4- Limitations
        1- It does not support In/Out polling
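
The helper side of the `external_acl_type ibs_ext ... %LOGIN %URI %SRC` line above, as an added example (not the shipped ibs_squid_ext_acl.py): it shows the line format Squid writes to the helper and the `OK`/`ERR` answers it expects, and it denies on any malformed line or backend error. It assumes Squid's URL-escaped helper protocol; the `ONLINE` table and `is_online` are hypothetical stand-ins for the IBSng lookup, keyed here by username and client IP.

```python
import sys
from urllib.parse import unquote

def parse_request(line):
    """Split one helper line laid out as %LOGIN %URI %SRC."""
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) != 3 or not all(fields):
        raise ValueError("expected three fields")
    login, uri, src = (unquote(f) for f in fields)
    if login == "-":              # Squid sends "-" when it has no login
        raise ValueError("request carries no authenticated user")
    return login, uri, src

def decide(line, is_online):
    """Return the helper answer: "OK" allows the request, "ERR" denies it."""
    try:
        login, _uri, src = parse_request(line)
        return "OK" if is_online(login, src) else "ERR"
    except Exception:
        return "ERR"              # fail closed on bad input or backend errors

def serve(is_online, stdin=sys.stdin, stdout=sys.stdout):
    for line in stdin:
        stdout.write(decide(line, is_online) + "\n")
        stdout.flush()            # Squid blocks until each answer arrives

# Constructed stand-in for the IBSng lookup (assumption, not the real API):
# the set holds (username, client IP) pairs that are currently online.
ONLINE = {("alice", "192.0.2.10"), ("bob smith", "192.0.2.11")}

def is_online(login, src):
    return (login, src) in ONLINE

if __name__ == "__main__":
    serve(is_online)
```
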

IBS Radius Dispatcher

IBS Radius Dispatcher is a clustering and high availability solution for IBSng. It is a special RADIUS server that receives RADIUS request packets from the ras and decides what to do with them. It can:

  • Route the radius packet to IBSng servers, based on Ras IP or radius packet contents
  • Do failover by retrying a timed out request to a list of IBSng servers
  • Send a default accept reply if all IBSng servers are unavailable

From this version, the radius dispatcher is shipped with the IBSng package in the addons folder.
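
The three behaviours listed above, as an added sketch (not the dispatcher shipped in addons): routing by ras IP, failover on timeout, and a default Access-Accept whose Response Authenticator is computed as RFC 2865 specifies. Because the default accept admits every request while all servers are down, `dispatch` returns `None` as the server name in that case so the caller can log it. Server names, the route table, the secret and the `send` transport are constructed placeholders.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS codes from RFC 2865

def response_authenticator(header, request_auth, attributes, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def default_accept(request, secret):
    """Build an attribute-less Access-Accept that answers `request`."""
    if len(request) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return header + response_authenticator(header, request[4:20], b"", secret)

def reply_is_valid(request, reply, secret):
    """The check a ras applies to a reply before trusting it."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = response_authenticator(reply[:4], request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])

def dispatch(request, ras_ip, routes, send, secret):
    """Return (server, reply); server is None when the default accept was used."""
    for server in routes.get(ras_ip, routes.get("default", [])):
        try:
            return server, send(server, request)
        except TimeoutError:
            continue   # failover: retry the same request on the next server
    return None, default_accept(request, secret)

# Constructed sample data: names, addresses and secret are placeholders.
ROUTES = {"192.0.2.1": ["ibs-a", "ibs-b"], "default": ["ibs-b"]}
SECRET = b"constructed-secret"
REQUEST = struct.pack("!BBH", ACCESS_REQUEST, 7, 20) + bytes(range(16))

def make_send(down):
    """Stand-in transport: servers in `down` time out, the others accept."""
    def send(server, request):
        if server in down:
            raise TimeoutError(server)
        return default_accept(request, SECRET)
    return send
```
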

IBS RCMD Client and Server

The RCMD subsystem fixes issues with unreliable links between the IBSng core server and bandwidth managers. It runs bandwidth manager commands asynchronously to overcome the problems of unreliable or slow links.
It makes the bandwidth manager faster and more reliable, and ensures the security of the connection between the server and the bandwidth manager. It is a drop-in replacement for the older ssh method, so no change is necessary to use this new subsystem.

VoIP Forward Number

Forward number dials a specific number for the user right after authentication. Instead of asking for a destination, the system automatically dials the number set in forward number.
The Cisco ras TCL script has been changed to work with this feature.

Limit Ras and Port

Two new limitations have been added to the user and group sections. Limit ras limits which rases a user can log in on, and limit ports limits the ports.

System Audit Log

The system audit log, like the user audit log, captures and reports the activity of admins in IBSng. It captures changes in the following subsystems:

  • Ras
  • Charge
  • VoIP Tariff
  • Prefix Group
  • ISP and Admins

For each activity, the date, issuer admin, IP address of the admin, category, target, old value and new value are captured.

ISP And Group Bandwidth Graphs

From this version, In/Out rate data for each ISP and group is collected automatically and can later be used to generate bandwidth graphs. A graph can be generated for multiple ISPs or groups at once.
Being able to calculate the bandwidth usage of a virtual ISP or a specific group of users was a popular feature request.

ISP Bandwidth Graph
Group Bandwidth Graph

One Time Password for Admins

The one time password subsystem allows an admin to generate a series of passwords, each of which can be used only once. After each use, the password is tagged as expired and cannot be used for login again.
This is extremely useful when an admin has to log in from public computer stations, or wherever password safety cannot be ensured.
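
The single-use behaviour described above, as an added example (not IBSng's implementation): a batch of passwords is issued, each redeems once, and a replay of a used password is rejected. Storing only a SHA-256 digest of each password and the class and method names are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

class OneTimePasswords:
    def __init__(self):
        self._store = {}   # admin -> list of [digest, expired]

    @staticmethod
    def _digest(password):
        # Passwords are random and high-entropy, so a plain digest is kept
        # instead of the clear text (assumption of this example).
        return hashlib.sha256(password.encode()).digest()

    def issue(self, admin, count=10):
        """Replace the admin's list with `count` fresh passwords and return them."""
        passwords = [secrets.token_urlsafe(12) for _ in range(count)]
        self._store[admin] = [[self._digest(p), False] for p in passwords]
        return passwords

    def redeem(self, admin, password):
        """Accept a password once; afterwards it is tagged expired."""
        candidate = self._digest(password)
        hit = None
        for entry in self._store.get(admin, []):
            # Scan every entry so timing does not reveal which one matched.
            if hmac.compare_digest(entry[0], candidate) and not entry[1]:
                hit = entry
        if hit is None:
            return False
        hit[1] = True      # tag as expired
        return True

    def remaining(self, admin):
        return sum(1 for _, expired in self._store.get(admin, []) if not expired)
```
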

Cisco Login and Command AAA

With this feature, IBSng can almost replace Cisco Secure ACS in the command authentication and reporting area.
A set of usernames, passwords and privileges that are allowed to log in to Cisco routers and switches can be added in this subsystem. All executed commands are logged along with the username and IP address of the issuing user.

Enhancements

Mikrotik, Cisco and Cisco VPDN Rases POD Support

Mikrotik, Cisco and Cisco VPDN rases now support Packet of Disconnect (POD) as their preferred method of force-disconnecting users. Previously Mikrotik was using SSH, which was slow and error prone, and Cisco VPDN was using rsh, which was insecure and unreliable. POD has proven to be stable and has much less overhead than the other protocols.

Separated Internet and VoIP Interfaces

A new flag has been introduced in the configuration file to hide the Internet or VoIP interfaces. It is highly recommended that you hide the Internet or VoIP interfaces if you aren't using them. This leads to higher performance and a smaller network footprint.

Asterisk Registered Users Report

This new report shows Asterisk SIP and IAX registered users.

Asterisk Registered Users

VoIP Route Hunt Stop

A hunt stop flag has been added to voip routes. If a voip route matches with a call, and has hunt stop flag set, no further voip routes will be checked for that call.

VoIP Provider Port and Protocol Support

VoIP Provider now supports protocol (H323, SIP and IAX) and port numbers. The Asterisk ras has been changed to use these values when dialing out.

IN Support Cisco VoIP Ras

Cisco VoIP Ras now supports the Intelligent Network mode of usage. A new TCL script, cisco_in.tcl, has been added to the addons/cisco folder to run on the Cisco router side.

Other Minor Features/Enhancements

New Interfaces Remote IP Bug
The remote IP was incorrect in interfaces that use the SOAP interface. This has been fixed in this version.
BW Manager Leaf Access Permission
This new permission allows an admin to access only a specified set of bw manager leaves.
Session Based Core Authentication
The IBSng core is now able to create a session for both the XML-RPC and SOAP APIs. This improves performance and allows a wide set of bugs to be fixed.
Online Payment Session Restoration
With the help of session based authentication, IBSng can restore online payment sessions after the user has paid on the bank website.

Upgrade From B1.32

Database Changes

If you are doing a manual update, import the SQL file as usual:

psql -U ibs IBSng < /usr/local/IBSng/db/from_B1.32_upgrade.sql