











Web-Based ISP Administration for Linux
Functional Description
ComBase is a web-based utility for managing access accounts and login
accounts for small to medium-sized ISPs. ComBase runs under Linux, and uses
CGI scripting to invoke a privileged program that updates and displays system
user files. The package implements a security shell that requires login
by a registered administrative user.
ComBase works in conjunction with Radius authentication, the commonly-
used software authentication scheme developed by Lucent Technologies (formerly
Livingston Enterprises). In this document, the term "access account"
is used to define a capability for dial-in access to an ISP, whereby access
is granted through a request to a Radius server. Radius authentication is
used by a wide variety of ISP terminal server products.
In addition to managing Radius access accounts, ComBase provides a simple
means of adding login accounts (also known as "mailboxes"), which
are basically Linux user accounts. For security purposes, this package works
best for Linux systems utilizing the "shadow password" suite,
although it can also be configured for backward compatibility to use the
older password ("passwd") file authentication method still used
on some systems. The minimum required installation level of Linux is Version
2.0.30. In this document, the term "login account" also refers
to a user mailbox unless otherwise noted.
Login, Status, and Logging Functions
- Login an Administrative User. This requests the user ID and
password of the user. The validity of the password is checked in the Linux
password file, then the capability of the user is checked in a ComBase
list of allowed users. The "allowed user" file indicates the
username, the level of privilege (system administrator, operator, or programmer)
and the initial menu. Upon validating the user, the system assigns a unique
session ID, which is valid for the specified user (from the same IP address)
for a configurable period of time. Users may also log out (thereby ending
and invalidating their session ID); otherwise their session ID automatically
expires after the configured time period.
- Authorized User Status. This function lists ComBase authorized
users, along with their access capabilities. This function also lists active
(i.e., logged-in) ComBase sessions, indicating the user name, IP address,
and login date/time.
- Logging to System Logfile. This function logs all actions requested,
and includes an identification of the user (session) that requested the
action, the options/parameters, and a time stamp.
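
The session rule in the login function above (a unique ID, valid only for the same user from the same IP address, expiring after a configurable period or at logout) can be sketched as follows. This is an added example, not ComBase code; the class name, the 900-second default and the sample addresses are assumptions made for illustration.

```python
import secrets
import time


class SessionStore:
    """In-memory session table (hypothetical design, not ComBase's own)."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds   # the configurable validity period
        self.clock = clock       # injectable so expiry can be tested
        self.sessions = {}       # sid -> (user, ip, login_time, expires_at)

    def login(self, user, ip):
        # 256 bits from the OS CSPRNG: the ID must be unguessable, because
        # the IP check alone cannot separate two users behind one address.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = (user, ip, now, now + self.ttl)
        return sid

    def validate(self, sid, user, ip):
        """True only if the ID exists, is unexpired, and matches user and IP."""
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        s_user, s_ip, _login_time, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[sid]   # purge expired IDs instead of ignoring them
            return False
        return s_user == user and s_ip == ip

    def logout(self, sid):
        # Explicit logout invalidates the ID immediately.
        return self.sessions.pop(sid, None) is not None

    def active(self):
        """Rows for a status listing: (user, ip, login_time) of live sessions."""
        now = self.clock()
        return sorted(e[:3] for e in self.sessions.values() if e[3] > now)
```

Every privileged CGI request would call `validate` before acting, so a session ID replayed from another address or after the timeout is rejected.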
Access Functions (Radius)
- Add Access Accounts. This function adds users to the Radius
access database, updating the radius database file using the "builddbm"
utility. This facility is usable for ISPs having up to approximately 10,000
access accounts. When adding a user, the system will check to ensure uniqueness
of the new user identification, and will also check for quality of the
user password. (Passwords must be at least 6 characters.) When adding a
user to the radius database, ComBase will also create an associated mailbox
(unless requested otherwise). Mailboxes are created with an access account
"owner" marked in the "gecos" name field of the associated
login account (see below).
- Place Access Account on HOLD. This function is used to prevent
dial-up access to the ISP, while keeping the account active. This function
is carried out by modifying the password field of the Radius access control
database, marking the access account "on hold". (This function
can optionally also place ALL login accounts associated with the access
account on a hold status). After being placed on hold, Radius accounting
will not recognize the password value (i.e., will not authenticate).
- Release Access Account. This function takes an access account
off HOLD status, allowing normal dial-in operation; this also optionally
releases (i.e., takes off HOLD) all login accounts (mailboxes)
associated with the access account.
- Display Access Account Status. This function checks the availability
of a specified named access account, displaying the name and its HOLD status
(if applicable).
- List Access Accounts. This function lists all access account
names (sorted alphabetically).
- Delete an Access Account. This function removes the access account
from the radius authentication database, and optionally deletes all associated
mailboxes.
Login Account (Mailbox) Functions
- Add a Login Account (Mailbox). This adds a login account to
the server, effectively creating an associated mailbox. This accepts information
on the "real" user name, phone number, and associated access
account. This function validates that the specified password is "good
enough" (if selected at time of installation of the software). Typically,
passwords must be at least 6 characters in length; optionally, ComBase
may enforce options such as requirements to have mixed upper/lower case
characters, or to include numerics and/or special punctuation symbols.
- Change Login Account Password. This changes the server password
of the associated login account (mailbox). This function does not require
an existing password - thereby resetting the password to the specified
value. (Authority to do this requires that the system administrator be
logged in via ComBase.) This function is useful for resetting the password
for customers who "forgot their password".
- Edit Login Account Information. The Change Information function
allows field editing of the information associated with a login account
(mailbox), including the user's real name, phone number, and associated
access account.
- Place Login Account (Mailbox) on HOLD. This function places
a single mailbox on HOLD, preventing checking mail for the mailbox. In
this case, mail can still be received by the server and placed in the mailbox;
however, the server will not recognize the user's password when they attempt
to fetch mail from the mailbox (or login via telnet).
- Release Login Account (Mailbox). This function releases the
HOLD status on a single mailbox, allowing the user to login or to retrieve
mail.
- Display Mailbox Status. This function displays a variety of
information about a login account, including the configured shell, the
home directory, and mailbox status. Mailbox status indicates the number
of bytes of messages within the mailbox, the date and time mail was last
read, and (if mail is present) the date and time mail last arrived for
this mailbox. This function can also be used to check the availability
of a login account name.
- Delete Login Account. This function deletes a login account
and its associated mailbox.
- List Login Accounts. This provides the option to list login
accounts (mailboxes), with optional sorting options by owner's last name
or alphabetically by mailbox name. This function also lists the associated
access account (if different from the mailbox name), and indicates which
mailboxes are on HOLD status.
Note: login account functions are restricted to accounts with Unix UID
values starting at a configurable value (by default, 100). This prevents
system administrators from modifying special accounts (e.g., root).
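
The mailbox HOLD and release functions and the UID floor in the note above combine into one guard. The page does not say how ComBase marks a held password field, so this added example (not ComBase code) assumes the shadow-suite convention of prefixing the stored hash with `!`; the function names and sample entries are constructed for illustration.

```python
MIN_UID = 100  # the page's default floor for manageable accounts

# Constructed sample data in passwd(5) / shadow(5) layout; hashes are placeholders.
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "jsmith:x:1001:100:John Smith:/home/jsmith:/bin/false\n"
    "newbox:x:1002:100:New Box:/home/newbox:/bin/false\n"
)
SHADOW = (
    "root:$6$constructed$roothash:10000:0:99999:7:::\n"
    "jsmith:$6$constructed$userhash:10000:0:99999:7:::\n"
    "newbox:!:10000:0:99999:7:::\n"
)

def uid_of(passwd_text, name):
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == name:
            return int(fields[2])
    raise KeyError(name)

def is_on_hold(shadow_text, name):
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == name:
            return fields[1].startswith("!")   # assumed HOLD marker
    raise KeyError(name)

def set_hold(passwd_text, shadow_text, name, hold, min_uid=MIN_UID):
    """Return new shadow text with `name` placed on HOLD or released."""
    if uid_of(passwd_text, name) < min_uid:
        raise PermissionError(f"{name}: UID below {min_uid}, refusing to modify")
    out, found = [], False
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == name:
            found = True
            if hold and not fields[1].startswith("!"):
                fields[1] = "!" + fields[1]    # hash kept, so release restores it
            elif not hold and fields[1].startswith("!"):
                if fields[1] == "!":           # nothing behind the marker
                    raise ValueError(f"{name}: release would leave an empty password")
                fields[1] = fields[1][1:]
            line = ":".join(fields)
        out.append(line)
    if not found:
        raise KeyError(name)
    return "\n".join(out) + "\n"
```

Keeping the original hash behind the marker is what lets a release restore the customer's password unchanged, and the empty-field check stops a release from producing a passwordless account.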
General System Functions
- Display Users Online. When used with Radius authentication and
accounting, the ComBase utility provides the ability to display the users
that are currently online. This facility scans the active Radius logfile
to display the ports that are active.
- Display Access and Login Account Counts. This function displays
the current number of access and login accounts (mailboxes).
E-Mail: Comware International
Product Inquiry
Comware International
436 First St., Suite 201
Solvang, CA 93463
1-(800) 231-2380 (US and Canada only)
(805) 686-1262
FAX: (805) 686-4029
Copyright © 1997, 1998 Comware International. All Rights Reserved.