CLE Technical Design
David S. Condrey, LAN Systems - DCIT
Presented at: Technology Transfer Partners (TTP) 1998
Salt Lake City, Utah, July 7, 1998
Clemson University
Agenda
Short Clemson Review
97-98 Recap
CLE Overview
User's View
Instructor Course Management
The Design
The Implementation
The Future
Introduction/Background
Clemson University - Upstate SC
37,000 users in NDS with home directories since 1995.
NDS is centerpiece of security and authentication.
Big Development Shop
~130 NetWare 4.x servers
Automated account creation and maintenance.
Automatic Userid System (AUS)
[Diagram: AUS sits between the Personnel and Admissions systems (and other sources) and the MVS, UNIX and NDS account stores.]
Tree Design
[Diagram: the ClemsonU tree is split into a Users branch and an Organizations branch.]
Every Person Has a Place
[Diagram: under Users, containers for Students, Misc. and Employee, each subdivided A to Z.]
Every Group Has a Place
[Diagram: under Organizations, containers such as Athletics, DCIT, CAFLS, CES, Forestry, Research and Dean's office.]
Personal Storage (User Data Servers)
[Diagram: EmployeDn servers hold the home directory of any faculty or staff member, reached from office, lab or dial-in; StudentDn servers hold the home directory of any student, reached from dorm, lab or dial-in.]
Collaborative Storage (Faculty & Students)
[Diagram: the EmployeD and StudentD user data servers alongside a Group server and an App server.]
Authentication Server
[Diagram: NDS, served by AUTHSERV.NLM on intraNetWare servers A, B and C, is the single authentication back end. Each AuthC (Mail, Web, mainframe, UNIX, NetWare, Sun, Windows NT, Oracle) is an AuthClient that calls it: POPd on the MAIL server (Solaris), Apache and a WebApp on OpenLinux, a WebApp on the NT Server, and the Onlines/VTAM side of the mainframe (MVS) with RACF. User workstations (Windows 95/Windows NT and Mac) run Eudora, TN3270, Netscape and LOGIN.EXE against those services.]
Using NDS Security Across the Intranet
[Diagram: an authenticated client sends a page request to a web server (Netscape or IIS on NT 4.0) that carries the AuthClient as a 32-bit DLL. The server sends CheckEquiv to the Authentication Server (AUTHSERV.NLM), which locates the user object in NDS, runs its security equivalence list (Check Security Equivalence) and returns the answer.]
AUTHSERV Client Functions
Password check
Password change
Resolve to fully distinguished name
Check security equivalence
Return group membership
Get Effective Rights
Miscellaneous administrative functions
Caldera OpenLinux and Apache
Web gateway to NetWare file system
[Diagram: browsers connect to Apache on Caldera OpenLinux, which authenticates users through the AuthServer and reaches the files on the NetWare file servers.]
Using NDS to Secure Web Pages
Apache per-directory access control that authenticates against the Novell tree and limits GET and POST to two named users and one NDS group:

    NovellAuth on
    AuthName "Novell Tree"
    AuthType Basic
    <Limit GET POST>
    require user gmcochr
    require user kellen
    require group .resadmin.groups.employee.clemsonu
    </Limit>

With AuthType Basic the browser sends the NDS password base64-encoded, not encrypted, on every request, so anyone sniffing the path to the web server gets the same credential that opens the home directory and mail; keep this on a protected segment or under SSL.
What We've Been Doing Over the Past Year
Site License from Novell
StudentD/EmployeD split
Upgrade Everything to 4.11
Convert Public Labs to '95
Brainshare
AppNotes and Developer Notes
NetWare 5/ZEN Testing
More of What We've Been Doing
PAM Development for Authentication Server
Cisco PIX Firewall
Collaborative Learning Environment
Description
Collaborative Learning Environment (CLE): provide a framework for collaborative work between faculty and students as well as between students themselves.
This means managed and structured disk space that is easily accessible by both students and faculty.
Collaborative Learning Environment (CLE)
Faculty member wants to put data on the network that students can use
Student submission of work to faculty
Students collaborate on team projects with assistance from faculty member
Students and faculty collaborate on projects or assignments
Publish web pages as a team or class
~6000 class sections per semester
Project Goals
Automate as much as possible.
Limit required knowledge of the instructor.
Limit required knowledge of the student.
Limit required CSG/SSG involvement.
Limit required TSP involvement.
K.I.S.S.
Maxims
A class is an interaction of people not necessarily enrolled in a common course (CPSC 423/423H/623).
CLE is analogous to a classroom.
The customer is the Instructor and the Student.
The harder this is to explain to users, the harder it is to implement and use.
We don't have to get everything perfect the first time.
Technology
Novell Directory Services (NDS)
Student Databases on OS/390
NetWare File System
NetWare Application Launcher (NAL)
Caldera NDS interface for Linux
Apache Web server for Linux
Authentication Server
Lots of code for Management Automation
Development Technology
Borland C/C++ Version 5
NetWare SDK 15
EXE2NLM
NDSSnoop
Phoenix Document
GNU C
Perl
HTML, JavaScript
NDSSnoop
It Takes Two to Tango
Direct File System Access
Become One with the 'Net
NAL as a Door to Direct File Access
List of enrolled courses.
Icons for each course abbreviation submitted by departments.
Not “applications” in the traditional sense.
Really runs “Explorer” and maps a drive.
Introduces the concept of NAL to instructors.
Explorer functions as "My Computer"
What a Class Folder Looks Like to the Student (My Computer)
What a Class Folder Looks Like to the Student (Windows Explorer)
Web Access
Web Authentication
Class Schedule
A Particular Class
Conferencing - Multiple Levels
Instructor Must Authenticate
Instructors Manage Semesters
Default Grouping - 1:1
Combine Courses - 2:1 Grouping
Combine Courses - 2:1 Grouping (2)
Combine Courses - 2:1 Grouping (3)
Managing Teams - Create
Managing Teams - Unlimited
The Big Picture
[Diagram: CLE Management runs on MVS/OS/390, where ListMGR reads the student database and feeds the GroupMGR NLM, which maintains NDS and the disk space. Student and instructor browsers reach that space either by Direct Access or by Web Access through Apache with the Caldera NDS interface and Groupmgr on Linux.]
CLE Setup has 2 Parts
NDS
File System
NDS Design
[Diagram of the per-course NDS objects: Course abbreviation, Semester number, Course number, Section number, Instructor(s), ClassMember(s), Instructor managed teams, Application object for NAL, Pointer to File Space, and All Instructors & Classrolls.]
NDS Design - Course Abbreviation
Holds NDS Objects for all courses in "Electrical and Computer Engineering" (ECE).
160 different course abbreviations.
These are partition boundaries.
NDS Design - ShareDMO
Everything uses the "PATH" property to find the file space that backs this course.
"Everyone" group has rights to read the PATH property.
NDS Design - Everyone
Holds every person listed as a STUDENT in any class in any semester of ECE.
Holds every person listed as an INSTRUCTOR in any class in any semester of ECE.
NDS Design - Global Instructors
Holds every person listed as an INSTRUCTOR in any class in any semester of ECE.
NDS Design - Semester
Holds NDS constructs for all ECE courses in a particular semester.
State (S) attribute is used for tracking updates.
NDS Design - Course Number
Holds NDS constructs for all sections of "Electronics I" (ECE 320).
NDS Design - Admin
Not currently in use. Intended to provide a place to assign management duties to departmental personnel on a per course basis.
Ex: help manage all sections of Chem 101.
NDS Design - Section
Holds NDS constructs for one section of "Electronics I" (ECE 320).
Description attr holds TTRB (Title, Time, Room, Building) and other info.
Location attr holds pointer to ShareDMO and name of file system directory.
NDS Design - ClassRoll
The people taking the class.
Member attr holds the userids of the people taking the class.
Description attr holds course title for NAL.
App:Association with SHARE application object for NAL.
NDS Design - Instructor
The people teaching the class.
Member attr should hold the userids of the instructors. See Also*
Description attr holds course title for NAL.
App:Association with SHARE application object for NAL.*
* - worked around with See Also and per-user assignments because of the 64 security equivalence limit (see "CLE Circumvention for the Problem").
NDS Design - Teams Container
Holds NDS groups for each team created by the instructor.
NDS Design - Teams
Instructor maintained groups.
No naming rules; at discretion of the prof.
Not accessed by the instructor directly. Uses web tool.
Member attr holds userids of people put in to the groups.
NDS Design - Share Application
Title attr contains NAL title.
Executable is EXPLORER.EXE
Icon is unique to course abbreviation.
Command line parms "/root,k:\"
Cleans up network resources on exit.
NDS Design - Share Application (2)
Description attr holds long description of course: "Collaborative Learning Environment disk space for ELECTRICAL AND COMPUTER ENGINEERING 426 sec001 9804"
Mapped Drives attr holds rooted map of K: to the correct* ShareDMO.
Platforms attr is '95 and NT.
File System Design
What a Class Folder Looks Like
[Directory tree reconstructed from the slide diagram; the placement of ProfOnly and Public.www at the section level is inferred.]
E_C_E
  General
  101_9806.001
  101_9806.002
  426_9806.001
    Share
      Handouts
      Classwrk
      Resource
      ToDo
      TurnIn
        ALAYTON
      Reviewed
        ALAYTON
    Teams
      A1Team1
      A1Team2
      xxxxx
      ....
    ProfOnly
    Public.www
  463_9806.010
  860_9806.043
  .......
Rights
[Diagram: trustee assignments on the class folder, one row per trustee and one column per directory. Trustees: Instructor, Class Roll, user CSTONEB, user DANDREW, team P2TEAM1, team P2TEAM2, Public Web, Library Staff. Rights values shown: RF (Read Access), RWCEF (Write Access), CRF (Create-Only Access) and ALL* (* - All but Supervisor). The Instructor row is ALL* on nearly every directory; the ClassRoll row mixes RF, RWCEF and ALL*; the per-user rows (cstoneb, dandrew) carry CRF and RF; P2Team2 has RF and ALL*; PublicWeb has RF.]
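The Rights diagram above depends on how NetWare turns trustee assignments, group membership and the Inherited Rights Filter into a user's effective rights. The following Python is an added example written for this page, not code from the CLE project or from Novell: it models those rules over a constructed class folder (the directory names follow the slide; the trustee assignments, IRFs, the users DANDREW, CSTONEB and GMCOCHR and the group names are this example's own assumptions) and shows that a student on the class roll can create and read in their own TurnIn folder but sees nothing in a classmate's, while the instructor keeps full rights throughout.

```python
"""Effective-rights calculator for a NetWare-style class folder.

Added example, not code from the CLE project or from Novell. It models the
three rules the Rights slide depends on: a trustee assignment on a directory
replaces whatever that trustee would have inherited there, a user's rights
are the union of the user's own assignments and those of every group the
user belongs to, and an Inherited Rights Filter (IRF) on a directory stops
inherited rights except Supervisor. The folder layout, trustee assignments
and memberships below are constructed to resemble the slide's class folder;
they are not taken from it.
"""
from dataclasses import dataclass, field

# NetWare file-system rights: Supervisor Read Write Create Erase Modify FileScan AccessControl
RIGHTS = frozenset("SRWCEMFA")


def parse_rights(spec):
    """'RF', 'CRF', 'RWCEF' or the slide's 'ALL*' (everything but Supervisor)."""
    spec = spec.upper().replace("ALL*", "RWCEMFA")
    unknown = set(spec) - RIGHTS
    if unknown:
        raise ValueError(f"unknown right(s) {sorted(unknown)} in {spec!r}")
    return set(spec)


@dataclass
class Directory:
    trustees: dict = field(default_factory=dict)            # trustee name -> set of rights
    irf: set = field(default_factory=lambda: set(RIGHTS))   # rights allowed to be inherited


def effective_rights(tree, path, user, groups=()):
    """Rights `user` (member of `groups`) has in the directory named by `path`.

    tree: dict mapping '/'-joined paths to Directory; every prefix of path must exist.
    """
    carried = {t: set() for t in (user, *groups)}
    for depth in range(1, len(path) + 1):
        d = tree["/".join(path[:depth])]
        for trustee in carried:
            if trustee in d.trustees:
                carried[trustee] = set(d.trustees[trustee])  # explicit assignment wins
            else:
                # inheritance passes through the IRF; Supervisor cannot be filtered
                carried[trustee] = {r for r in carried[trustee] if r in d.irf or r == "S"}
    rights = set().union(*carried.values())
    return set(RIGHTS) if "S" in rights else rights


def build_class_folder():
    """Constructed layout: E_C_E/426_9806.001 with Share and Teams subtrees."""
    tree = {}

    def add(parts, trustees=None, irf=None):
        d = Directory({t: parse_rights(r) for t, r in (trustees or {}).items()})
        if irf is not None:
            d.irf = parse_rights(irf)
        tree["/".join(parts)] = d

    base = ["E_C_E", "426_9806.001"]
    add(["E_C_E"])
    add(base, {"Instructor": "ALL*", "ClassRoll": "RF"})
    add(base + ["Share"])
    add(base + ["Share", "Handouts"])
    add(base + ["Share", "Classwrk"], {"ClassRoll": "RWCEF"})
    # TurnIn: the IRF lets only Supervisor through, so the class roll's RF stops here;
    # the instructor gets an explicit assignment and each student a folder of their own.
    add(base + ["Share", "TurnIn"], {"Instructor": "ALL*"}, irf="S")
    add(base + ["Share", "TurnIn", "CSTONEB"], {"CSTONEB": "CRF"})
    add(base + ["Share", "TurnIn", "DANDREW"], {"DANDREW": "CRF"})
    add(base + ["Share", "Reviewed"], {"Instructor": "ALL*"}, irf="S")
    add(base + ["Share", "Reviewed", "DANDREW"], {"DANDREW": "RF"})
    # Teams: same pattern, each team group owns its folder and the rest of the roll cannot browse it
    add(base + ["Teams"], {"Instructor": "ALL*"}, irf="S")
    add(base + ["Teams", "P2Team2"], {"P2Team2": "ALL*"})
    return tree, base


CLASS_TREE, CLASS_PATH = build_class_folder()

if __name__ == "__main__":
    for who, groups, sub in [("DANDREW", ["ClassRoll"], ["Share", "Handouts"]),
                             ("DANDREW", ["ClassRoll"], ["Share", "TurnIn", "CSTONEB"]),
                             ("DANDREW", ["ClassRoll"], ["Share", "TurnIn", "DANDREW"]),
                             ("GMCOCHR", ["Instructor"], ["Share", "TurnIn", "DANDREW"])]:
        r = effective_rights(CLASS_TREE, CLASS_PATH + sub, who, groups)
        print(f"{who:8} {'/'.join(sub):24} {''.join(sorted(r)) or '(none)'}")
```

The IRF of "S" on TurnIn, Reviewed and Teams is what makes the drop box a drop box: without it the class roll's RF from the section folder would flow into every student's TurnIn folder and the whole class could read each other's submissions.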
Automated Distribution Lists
[Diagram: on MVS OS/390, ListMGR reads the student and employee databases (class rolls, departments) and feeds ListD and popD on the mail server over TCP/IP.]
Automated NDS Group Membership
[Diagram: the same ListMGR feed from MVS OS/390 goes over TCP/IP both to ListD/popD on the mail server and to the GroupMGR NLM, which maintains NDS group membership from the class rolls.]
Course Identifier
Example: 9808SPAN_H321006-L
Semester Number: 9808
Course Abbreviation: SPAN_
Prefix: H
Course Number: 321
Section Number: 006
Prefix values: '_' - Standard, 'H' - Honors, 'L' - Lab, 'T' - Telecampus, 'C' - Consortium
Transaction Data Formats
Based on Listserv commands
PUT - Snapshot of an entire course
OPT - Options for a course
ADD - Drop/Add Classroll members for a course
DEL - Course Cleanup
Records carry the Listserv list password in clear (the PW= token), so the transaction files are themselves sensitive.
Transaction Data Format - PUT
Create course or set instructors & classroll.
If course exists already, make changes as appropriate.
'Owner=' names instructor(s).
NOP Ticket Tracking
Example PUT file:

    PUT 9806E_C_E_891001-L.LIST PW=M00NWALKER
    *
    * E C E 891 001
    *
    * SEND= PRIVATE
    * SERVICE= LOCAL
    * SUBSCRIPTION= CLOSED
    * CONFIDENTIAL= YES
    * PW= E00218
    * REPLY-TO= SENDER,RESPECT
    * DEFAULT-OPTIONS= REPRO,NOACK
    * VALIDATE= YES,CONFIRM
    * REVIEW= OWNERS,POSTMASTER
    * LOOPCHECK= NOSPAM
    * ERRORS-TO= OWNERS,POSTMASTER
    * OWNER= [email protected]
    * OWNER= [email protected]
    [email protected] BAUM CARL
    [email protected] BAUM CARL
    [email protected] BLOCK FREDERICK
    [email protected] COLWELL MICHAEL T
    <some deleted>
    [email protected] STIVERS FRED S
    [email protected] WYSOCARSKI JEFFREY
    [email protected] YOUNG JOHN CALVIN
    &&&&&
    NOP 0003454
Transaction Data Format - OPT
Sets 'options' for a course.
TTRB - Title, Time, Room, Building
NOP Ticket Tracking
Example OPT file:

    QUIET SET 9806ECON__101001-L REPRO,NOACK FOR *@* TTRB
    QUIET SET 9806ECON__101002-L REPRO,NOACK FOR *@* TTRB
    QUIET SET 9806ECON__101003-L REPRO,NOACK FOR *@* TTRB
    QUIET SET 9806ECON__201001-L REPRO,NOACK FOR *@* TTRB
    QUIET SET 9806ECON__320001-L REPRO,NOACK FOR *@* TTRB
    QUIET SET 9806ECON__320002-L REPRO,NOACK FOR *@* TTRB
    QUIET SET 9806ECON__455001-L REPRO,NOACK FOR *@* TTRB
    QUIET SET 9806ECON__655001-L REPRO,NOACK FOR *@* TTRB
    QUIET SET 9806ECON__814001-L REPRO,NOACK FOR *@* TTRB
    NOP 0003845
Transaction Data Format - ADD
Drop/Add classroll for a course.
NOP Ticket Tracking
Example ADD file:

    QUIET DEL 9806CP_SCL120003-L PW=J011EYMA1NT [email protected]
    DEL 9806CP_SC_241001-L PW=J011EYMA1NT [email protected]
    ADD 9806CP_SC_481002-L PW=J011EYMA1NT [email protected]
    QUIET ADD 9806CP_SC_481002-L PW=J011EYMA1NT [email protected]
    QUIET ADD 9806CP_SC_481002-L PW=J011EYMA1NT [email protected]
    NOP 0003665
Transaction Data Format - DEL
Delete a course.
NOP Ticket Tracking
Example DEL file:

    /DELETE 9805CP_SC_320001-L PW=J011EYMA1NT
    /DELETE 9805CP_SC_320002-L PW=J011EYMA1NT
    /DELETE 9805CP_SC_320003-L PW=J011EYMA1NT
    /DELETE 9805CP_SC_653001-L PW=J011EYMA1NT
    /DELETE 9805CP_SC_814001-L PW=J011EYMA1NT
    /DELETE 9805CP_SC_822001-L PW=J011EYMA1NT
    NOP 0003997
NDS Server Placement
[Diagram: the ClemsonU tree with its Organizations, Users and CLE branches; CLE is divided into CLEx partitions held on 5 Dell 4200 servers with 512 MB RAM, 250 GB RAID-5 and switched 100 Mbit. GroupMGR NLM and CU-ROOT-1 are also shown.]
Transaction Tracking - Tickets
NOP nnnnnnn record on OPT, PUT, ADD, and DEL files.
nnnnnnn is unique ticket number that was started at 0000001 on the first file on the first day of production and is incremented for each transaction file.
Assures transactions are processed in order intended.
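A parser for the course identifier and for the four record types, with the ticket rule enforced, as an added example that is not ListMGR or GroupMGR code; it covers the Course Identifier slide, the PUT/OPT/ADD/DEL formats and the NOP ticket rule above. The field widths follow the identifier slide (underscores in the abbreviation stand for spaces, as the PUT header "E C E 891 001" shows). The sample files, their example.edu addresses and their ticket numbers are constructed after the slides' examples, and dropping the PW= token before a record is retained is this example's own choice.

```python
"""Parser for CLE course identifiers and ListMGR transaction files.

Added example, not ListMGR or GroupMGR code. The identifier layout follows
the Course Identifier slide: 4-digit semester, 5-character course
abbreviation (underscores stand for spaces, as in "E C E"), one prefix
character, 3-digit course number, 3-digit section number and the "-L"
suffix, with ".LIST" appended in PUT records. The record shapes follow the
PUT/OPT/ADD/DEL slides; the sample files and their ticket numbers are
constructed, and stripping the PW= list password before a record is kept is
this example's choice.
"""
import re
from dataclasses import dataclass, field

PREFIX = {"_": "Standard", "H": "Honors", "L": "Lab", "T": "Telecampus", "C": "Consortium"}
_COURSE = re.compile(r"^(\d{4})([A-Z_]{5})([_HLTC])(\d{3})(\d{3})-L(?:\.LIST)?$")
_COMMAND = re.compile(r"^(?:QUIET\s+)?/?(PUT|SET|ADD|DEL|DELETE)\s+(\S+)(.*)$")


@dataclass(frozen=True)
class CourseId:
    semester: str
    abbreviation: str
    prefix: str
    course: str
    section: str

    @property
    def kind(self):
        return PREFIX[self.prefix]


def parse_course_id(token):
    m = _COURSE.match(token)
    if not m:
        raise ValueError(f"not a CLE course identifier: {token!r}")
    sem, abbr, prefix, course, section = m.groups()
    return CourseId(sem, abbr.replace("_", " ").rstrip(), prefix, course, section)


@dataclass
class Record:
    command: str
    course: CourseId
    args: list = field(default_factory=list)     # remaining tokens, PW= removed
    members: list = field(default_factory=list)  # (address, name) pairs, PUT only


@dataclass
class Transaction:
    ticket: int
    records: list


class TicketOrderError(ValueError):
    pass


def parse_transaction(text):
    records, ticket = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or line == "&&&&&":
            continue  # blank line, PUT header comment, or PUT terminator
        if line.startswith("NOP "):
            ticket = int(line.split()[1])
            continue
        m = _COMMAND.match(line)
        if m:
            command, target, rest = m.groups()
            args = [a for a in rest.split() if not a.startswith("PW=")]
            records.append(Record(command, parse_course_id(target), args))
        elif records and records[-1].command == "PUT":
            address, _, name = line.partition(" ")  # roll line: "address LAST FIRST"
            records[-1].members.append((address, name.strip()))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if ticket is None:
        raise ValueError("transaction file has no NOP ticket record")
    return Transaction(ticket, records)


class TicketTracker:
    """Applies transaction files strictly in ticket order; a gap or a replay is refused."""

    def __init__(self, last_ticket=0):
        self.last_ticket = last_ticket

    def accept(self, txn):
        if txn.ticket != self.last_ticket + 1:
            raise TicketOrderError(f"expected ticket {self.last_ticket + 1:07d}, got {txn.ticket:07d}")
        self.last_ticket = txn.ticket
        return txn


# Constructed sample files, shaped after the slides' examples.
SAMPLE_PUT = """\
PUT 9806E_C_E_891001-L.LIST PW=M00NWALKER
*
* E C E 891 001
*
* SUBSCRIPTION= CLOSED
* CONFIDENTIAL= YES
* OWNER= instructor1@example.edu
student1@example.edu DOE JANE
student2@example.edu ROE RICHARD
&&&&&
NOP 0000001
"""
SAMPLE_OPT = "QUIET SET 9806ECON__101001-L REPRO,NOACK FOR *@* TTRB\nNOP 0000002\n"
SAMPLE_ADD = ("QUIET DEL 9806CP_SCL120003-L PW=J011EYMA1NT student3@example.edu\n"
              "QUIET ADD 9806CP_SC_481002-L PW=J011EYMA1NT student3@example.edu\nNOP 0000003\n")
SAMPLE_DEL = "/DELETE 9805CP_SC_320001-L PW=J011EYMA1NT\nNOP 0000004\n"
```

Feeding the four samples through one TicketTracker in order succeeds; feeding any of them a second time, or skipping one, raises TicketOrderError, which is the property the NOP record exists to give the consumer.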
The Spanish-Nursing Problem
If an instructor groups courses from 2 different course abbreviations, we must choose one server to hold the data.
[Diagram: SPAN_ or NURS_?]
The 64 Security Equivalence Limit
There is a 'limit' of 64 explicit and implicit security equivalences in NetWare 4.x.
Explicits are easy to see in NDS.
Implicits are [Public] and each of your ancestor containers.
NetWare 4.x uses a 'sliding window' algorithm*.
Fixed in 5.x, will not be fixed in 4.x.
This is a problem for CLE.
CLE Circumvention for the Problem
Set 'See Also' in each Instructor User object to the 'Instructor' group for the course.
Set 'See Also' in the 'Instructor' group for the course to the user object for each listed instructor.
Do explicit Rights and application assignments to each instructor user object instead of the group.
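Counting the equivalences the limit applies to, and choosing between plain group membership and the See Also circumvention, as an added example that is not GroupMGR code. The dictionary stands in for NDS, the attribute names (Member, Group Membership, Security Equals, See Also) are the standard NDS ones, and the user and group DNs are constructed. The simulation provisions one instructor into a varying number of Instructor groups, which is how the total grows for someone who teaches many sections, to show where the 4.x total passes 64 and that the See Also path adds no equivalence at all.

```python
"""Security-equivalence budget check for CLE provisioning on NetWare 4.x.

Added example, not GroupMGR code. NetWare 4.x honours at most 64 security
equivalences per user: the explicit ones (the DNs in the user's Security
Equals attribute, which group membership adds to) plus the implicit ones
([Public] and every ancestor container of the user object). The code counts
that total from a typeless DN and provisions a user into a course the way the
slide's #ifdef does: plain group membership on NetWare 5, and on 4.x the
See Also cross-reference with no new equivalence, leaving rights and the
SHARE application association to be assigned to the user object itself.
The dict stands in for NDS and every DN below is constructed.
"""
LIMIT = 64


def implicit_equivalences(user_dn):
    """[Public] plus each ancestor container of a typeless DN such as .jsmith.A.employee.users.clemsonu"""
    parts = [p for p in user_dn.split(".") if p]
    return ["[Public]"] + ["." + ".".join(parts[i:]) for i in range(1, len(parts))]


def new_object(directory, dn, object_class):
    directory[dn] = {"Object Class": object_class, "Member": [], "Group Membership": [],
                     "Security Equals": [], "See Also": []}
    return directory[dn]


def equivalence_count(directory, user_dn):
    explicit = set(directory[user_dn]["Security Equals"])
    return len(implicit_equivalences(user_dn)) + len(explicit)


def provision(directory, user_dn, group_dn, netware5):
    """Add user_dn to the course group group_dn; returns which mechanism was used."""
    user, group = directory[user_dn], directory[group_dn]
    if netware5:
        group["Member"].append(user_dn)
        user["Group Membership"].append(group_dn)
        user["Security Equals"].append(group_dn)   # consumes one of the 64 slots
        return "group"
    # NetWare 4.x: cross-link the two objects instead; nothing is added to Security Equals,
    # so rights and the NAL application association must go on the user object directly.
    user["See Also"].append(group_dn)
    group["See Also"].append(user_dn)
    return "see-also"


def over_budget(directory):
    """Users whose equivalence total already exceeds the NetWare 4.x limit."""
    result = {}
    for dn, obj in directory.items():
        if obj["Object Class"] == "User":
            n = equivalence_count(directory, dn)
            if n > LIMIT:
                result[dn] = n
    return result


def simulate(sections, netware5):
    """One instructor provisioned into `sections` Instructor groups; returns (count, over_limit)."""
    d = {}
    instructor = ".jsmith.A.employee.users.clemsonu"
    new_object(d, instructor, "User")
    for s in range(sections):
        g = f".Instructor.{s + 1:03d}.320.9806.ECE.CLE.clemsonu"
        new_object(d, g, "Group")
        provision(d, instructor, g, netware5)
    return equivalence_count(d, instructor), instructor in over_budget(d)


if __name__ == "__main__":
    print("implicit:", implicit_equivalences(".jsmith.A.employee.users.clemsonu"))
    print("NetWare 5, 70 sections:", simulate(70, netware5=True))
    print("NetWare 4.x, 70 sections:", simulate(70, netware5=False))
```

Note that the four ancestor containers of a user in the A-to-Z tree plus [Public] already spend five of the 64 slots before any group is joined, which is why depth of the Users branch matters as much as the number of courses.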
CLE Circumvention for the Problem
Excerpt from the provisioning code (the NetWare 5 build adds the user to the group; the 4.x build does the See Also cross-link and per-user assignments):

    #ifdef NETWARE5
        if (CUAddUserToGroup(context, member, group, 1) != 0)
            numerrors++;
    #else
        // Setup Application association between User and SHARE App:
        // the group DN minus its leading component names the sibling .SHARE object
        // (unbounded sprintf: appObject must be sized for the longest group DN)
        section = strchr((char *)group + 1, '.');
        sprintf(appObject, ".SHARE%s", section);
        err = SetUpAssn(context, appObject, member);
        // Add user to SeeAlso attribute of group
        err = PutNDSAttr(context, (char *)group, "See Also", member, "ADD");
        ..... another couple hundred lines ...
    #endif
Access for the NAL-Challenged
Mac - Folder of Aliases, one for each course abbreviation pointing to the same path as the ShareDMO for that course abbreviation.
DOS - Folder of BAT files, one for each course abbreviation pointing to the same path as the ShareDMO for that course abbreviation.
-- Does not address Spanish-Nursing.
Things to Do
Training
Integration with Course Content Management Application such as WebCT, TopClass, etc.
Get User Feedback & Make enhancements.
Move to NetWare 5 to resolve 64 SE limit.
Load Balance and Tune CLE and NDS Servers
Buckle chinstrap and hold on tight.
http://people.clemson.edu/lansystems