Re: wlus / User Administration

To: Debian Edu Mailinglist <debian-edu@lists.debian.org>
Subject: Re: wlus / User Administration
From: Finn-Arne Johansen <faj@bzz.no>
Date: Tue, 24 May 2005 14:23:25 +0200
Message-id: <[🔎] 42931CBD.1010204@bzz.no>
In-reply-to: <[🔎] 42930B4E.8090906@skolelinux.no>
References: <[🔎] 42930B4E.8090906@skolelinux.no>

Halvor Dahl wrote:
> Hello everyone.
> 
> SLX Debian Labs is starting a project for improving user
> administration in Skolelinux/debian-edu in general and
> wlus in particular.  The background for the project is
> mainly feedback from users.
> 
> We had a meeting in Oslo on this subject with Andreas
> Schuldei, Ragnar Wisløff, Knut, Vidar and myself present.
> What follows is based on conclusions from that meeting.
> 
> 
> 1. Problem with "junior admin" rights
> -------------------------------------
> This issue has been raised from (among others) Trond from
> Kongsvinger.  Password administration takes too much time,
> and it should be possible to authorise users to change other
> users' password.
> 
> Andreas told us that there is already a solution to this,
> although it is not 100% packed and documented yet.
> 
> TODO:  Ragnar will try the solution out in Kongsvinger and
> report back to Halvor if it works or not.  If it does work,
> Andreas will complete a "read me" file or something for
> documentation.
> 
> 
> 2. Password policy
> ------------------
> We agreed that the first time a user logs in (with a pre-
> defined password), he will get a message saying that the
> password is expired and be requested to enter and confirm
> a new password (this is similar to Windows).  Whether this
> feature will be configurable or not is not yet decided.
> 
> Andreas told us that administration of password restrictions
> (length, numbers etc) is already implemented in wlus, including
> a user interface for administrator.
> 
> TODO:  Andreas will check if pam in our setup can do this.
> 
> TODO:  Andreas will check if kdm can be used to do the entering
> and confirmation of a new password (it can be done in wlus).

Also check for samba users - Is the new password set in kde also set for
samba users. What about schools that uses Windows clients, and were
(some) students never would log into kde, but only use Windows

> 3. Mass import
> --------------
> Kongsvinger has reported a general problem doing mass import
> of user data into ldap.  Ragnar informed us this had to do
> with the general poor performance in entering new users which
> takes approximately 5 minutes per user(!).  We do not know
> at the moment the reason for the problem.  Kongsvinger has
> around 2700 users in their ldap database.
> 
> TODO:  Ragnar/Trond will try to increase the cache_size
> parameter in the ldap config file.  If that does not help,
> they will try to install ldap 2.2 which should be 10-100
> times faster than the current version in Kongsvinger (Andreas
> told us that wlus is functioning together with ldap 2.2).
> If that does not help, some serious debugging will need to be
> done.
> 
> Update:  Ragnar has tried to change parameters in ldap config
> file and it did not work.

For that amount of users, I would done this without wlus - as an ldif
instead. While this is possible to script, I know of few who has done
that. (I've lost my script - it was on Ulsrud, and the server is
reinstalled - sorry)

> 4. Other wlus problems
> ----------------------
> There has been some general complaints about the user interface.
> This will be addressed later in this summary.  Apart from what
> is already covered, there are no known major bugs in wlus.
> But there is no good and updated user documentation.
> 
> TODO: Create a new user documentation for wlus.  Person to do
> it will be assigned later.
> 
> 
> 5. Data import
> --------------
> Knut and Halvor had a meeting with Morten Dahl who is the project
> manager for FEIDE.  Based on his recommendations we decided that
> we would use the XML interface developed by Uninett ABC for importing
> data from School Administration Systems (SAS).  Further clarifications
> will be done together with Uninett ABC.
> 
> Skolelinux will *not* use Cerebrum for anything.
> 
> There are a number of different data formats for student data.  Among
> them are Microsoft Active Directory, Novell eDirectory and different
> kinds of spreadsheets.  In order to have a documented specification
> we will use the same XML interface for transferring data from external
> systems other than SAS.
> 
> TODO:  Andreas will do what is necessary to support a new unique
> key in ldap for data import.  In Norway this will be "personnummer",
> but the format will need to be generic.

Note - "Personnummer" is not unique in Norway - there are at least 4
instances of personnummer with more than 2 users. I have not yet heard
of 2 users with same name _and_ same "personnummer"

> TODO:  Write a program for importing data from XML interface to
> Skolelinux' import format to ldap which is a comma/colon separated
> file.  Person to do it will be assigned later.
> 
> 
> 6. Data export
> --------------
> There are a number of systems that may need to import data from
> Skolelinux.  Examples are LMSs like ClassFronter, It's Learing!
> and Micrsoft Learning Gateway.  We decided to use Uninett ABC's
> XML interface for User Administration Systems (BAS) for exporting
> data from Skolelinux.
> 
> TODO:  Write a program for downloading data from the Skolelinux
> ldap database to Uninett ABC's XML format.  Person to do it will
> be assigned later.
> 
> 
> 7. Technical architecture
> -------------------------
> It was agreed that we need a three-tier application architecture
> for user administration in Skolelinux to be able to support
> different types of user interfaces.  WebMin is probably not the
> right tool, and we will decide on a new development framework
> as part of the overall project.  We will also create a new KDE
> client covering all operations currently defined as use cases
> in wlus.
> 
> TODO:  Select development framework.  Will be done later.
> 
> TODO:  Create updated use cases as starting point for new KDE
> interface and user documentation.  Person to do it will be
> assigned later.
> 
> TODO:  Create new user administration interface in KDE.  Person
> to do it will be assigned later.
> 
> TODO:  Write new business logic in a three-tier application
> architecture.  Person to do it will be assigned later.
> 
> 
> 8. Project plan
> ---------------
> SLX Debian Labs will propose a time schedule for the projsect
> after decisions have been communicated to everyone involved and
> reactions from users taken into account.
> 
> TODO:  Make project plan for new user administration system in
> Skolelinux.  Person to do it will be assigned later.
> 
> 
> 9. +++
> ------
> Andreas told us about two other parts of wlus that needs
> be improved:
> (1) regression testing framework
> (2) special permissions for exams
> 
> Activities related to this will be integrated into the overall
> project plan.
> 

One problem with wlus, is that it's very skolelinux specific. There are
a number of different applications out there for Ldap User
Adminsistration. When we investigated this ~mid 2003, we found that none
of them was suited for our use. They were to specific.
After that we also have made wlus very skolelinux specific.
My question is if it's possible to be less SKolelinux specific, and
maybe gain further user base within Debian ?

-- 
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
Leverandør av support på, drift og videreutvikling av Skolelinux-løsninger

Reply to:

Follow-Ups:
- Re: wlus / User Administration
  - From: Steffen Joeris credativ <Steffen.Joeris@credativ.de>
- Re: wlus / User Administration
  - From: Kurt <kurt@lugrav.de>

References:
- wlus / User Administration
  - From: Halvor Dahl <halvor@skolelinux.no>

Prev by Date: Re: Debian-edu/Skolelinux and Edubuntu cooperation
Next by Date: Re: wlus / User Administration
Previous by thread: wlus / User Administration
Next by thread: Re: wlus / User Administration
Index(es):
- Date
- Thread