user login authentication
directory services
logging
user file storage
web services
printing
application files
|
Open Aspects of Waterloo Polaris
Waterloo Polaris Phase II is focused on improving the user
environment, but it will also include transitions from a
decade of home-grown technologies to various new commercial
technologies.
|
User Login Authentication
|
Waterloo Polaris requires a valid user login to begin every user session.
Most users seem to understand that fact, just as they seem to understand
why locks and driver's licenses need to exist.
Watstar servers now co-operate with other servers, allowing those
servers to validate user passwords on the Watstar server's behalf.
Using an open protocol designed and widely used for this purpose,
each Watstar server is assigned a trusted host running Unix, NT or
some other operating system. In practice, most Watstar servers in a
faculty point to a single authentication host, such as the faculty's
Email server.
If the supplied userid and password match the copy cached on the
Watstar server, the upstream host is not asked to validate the request
at all. If there is no match, the userid/password pair is encrypted
and sent upstream for validation.
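The cache-then-upstream flow just described, as an added example rather than code from the Waterloo Polaris project: a small Python model in which the Watstar server checks its local cache first and consults the upstream host only on a miss. The upstream protocol is not named on this page, so the upstream host is modelled as a plain method call (the encrypted transport is out of scope), and the cache is assumed to hold a salted hash of the password rather than the password itself. The userids, passwords and the UpstreamHost/WatstarServer names are all made up for the illustration.

```python
import hashlib
import hmac
import secrets


class UpstreamHost:
    """Constructed stand-in for the trusted Unix/NT authentication host.

    The page does not name the upstream protocol, so the network exchange
    (the encrypted userid/password pair) is reduced to a method call; only
    the decision logic on the Watstar side is modelled.
    """

    def __init__(self, passwords):
        self.passwords = dict(passwords)   # userid -> current password
        self.calls = 0                     # how often the Watstar server asked

    def validate(self, userid, password):
        self.calls += 1
        return self.passwords.get(userid) == password


def derive(salt, password):
    """Salted, slow hash of the password: the only form kept in the cache."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class WatstarServer:
    """Cache-first login check with fallback to the upstream host."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}                    # userid -> (salt, digest)

    def login(self, userid, password):
        """Return (accepted, where_the_decision_was_made)."""
        entry = self.cache.get(userid)
        if entry is not None:
            salt, digest = entry
            # Constant-time compare against the cached copy; on a match the
            # upstream host is never consulted, exactly as the page describes.
            if hmac.compare_digest(derive(salt, password), digest):
                return True, "cache"
        # No local match: ask upstream, and cache the pair only if it accepts.
        if self.upstream.validate(userid, password):
            salt = secrets.token_bytes(16)
            self.cache[userid] = (salt, derive(salt, password))
            return True, "upstream"
        return False, "denied"


def demo():
    """Walk through cache miss, cache hit, refusal and a password change."""
    host = UpstreamHost({"jdoe": "Autumn-1998", "asmith": "correct horse"})
    srv = WatstarServer(host)
    results = [
        srv.login("jdoe", "Autumn-1998"),   # miss: upstream accepts, pair cached
        srv.login("jdoe", "Autumn-1998"),   # hit: decided locally
        srv.login("jdoe", "wrong"),         # miss: upstream refuses
    ]
    host.passwords["jdoe"] = "Winter-1998"  # password changed upstream
    results += [
        srv.login("jdoe", "Autumn-1998"),   # old password still accepted from cache
        srv.login("jdoe", "Winter-1998"),   # miss: upstream accepts, cache replaced
        srv.login("jdoe", "Autumn-1998"),   # old password now refused
    ]
    return results, host.calls
```

The last three calls in demo() show a property that follows directly from the flow described above: after a password change on the upstream host, the old password keeps working at that Watstar server until a login with the new password replaces the cached entry, because a cache hit never reaches upstream. Anyone running such a cache wants a way to expire or invalidate entries when a password changes.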
In the longer term, the Watstar server itself will be phased out,
and other servers (home fileservers and directory servers) will
perform the necessary authentication and authorization entirely
using open protocols.
Both the short term and the long term solutions co-operate fully
with the campus-wide
authentication project.
status: completed late September
(in active use in several faculties)
|
Directory Services
|
Waterloo Polaris has inherited the directory services of Watstar
but needs a new system as we migrate from Watstar servers.
The Watstar directory services were primitive in implementation
but used extensively. They permeate every topic:
- determine if and when each workstation gets updated
- specify who can or cannot log into each machine
- record stations by room and administrator, and determine where
logs are sent and to whom errors should be directed
- autoselect printers based on rooms
- autoselect Email and News servers by faculty or department
- determine who can access the hard disk
- allow a tiered management strategy, so faculties and
departments can inherit settings from the central group, opt out,
etc.
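As an added example (not the Watstar or Polaris directory code), a Python model of the tiered management strategy above: a station inherits settings from its room, department, faculty and the central group, any tier can override a value, and a tier can opt out of an inherited one. The tier names, attribute names, group names and the allow/deny list semantics are assumptions chosen for the illustration.

```python
from fnmatch import fnmatch

OPT_OUT = object()   # sentinel: "this tier opts out of the inherited value"

# Constructed tiered directory. The tier names, attribute names and values
# are assumptions for illustration; the page describes the behaviour
# (inherit from the central group, override, opt out), not a schema.
DIRECTORY = {
    "central": {"parent": None,
                "update_window": "02:00-05:00",
                "log_hosts": ["logger.ec"],
                "admin": "central-admins",
                "login_deny": ["suspended"]},
    "faculty:eng": {"parent": "central",
                    "email_server": "mail.eng", "news_server": "news.eng",
                    # EC's master logger stays; the second is the faculty's
                    "log_hosts": ["logger.ec", "syslog.eng"]},
    "dept:ece": {"parent": "faculty:eng", "admin": "ece-admins"},
    "room:E2-1303": {"parent": "dept:ece",
                     "printer": "lp-e2-1303",
                     "login_allow": ["ece-*", "admins"]},
    "station:E2-1303-07": {"parent": "room:E2-1303",
                           "update_window": OPT_OUT,       # never auto-updated
                           "hard_disk_access": ["admins"]},
    "faculty:arts": {"parent": "central",
                     "email_server": "mail.arts",
                     "login_allow": ["arts-*"]},
}

# Constructed user -> group memberships.
USER_GROUPS = {"jdoe": ["ece-ugrad"], "asmith": ["arts-ugrad"],
               "root": ["admins"], "mallory": ["ece-ugrad", "suspended"]}


def resolve(node, attr):
    """Walk from the most specific tier upward; the first definition wins.

    Returns None when no tier defines the attribute, or when the nearest
    tier that mentions it has opted out.
    """
    while node is not None:
        record = DIRECTORY[node]
        if attr in record:
            value = record[attr]
            return None if value is OPT_OUT else value
        node = record["parent"]
    return None


def _matches(groups, patterns):
    return any(fnmatch(g, p) for g in groups for p in patterns)


def can_login(userid, station):
    """Deny list wins over allow list; no allow list means anyone may log in."""
    groups = USER_GROUPS.get(userid, [])
    deny = resolve(station, "login_deny")
    if deny and _matches(groups, deny):
        return False
    allow = resolve(station, "login_allow")
    return True if allow is None else _matches(groups, allow)


def can_access_hard_disk(userid, station):
    """Hard disk access is closed unless some tier explicitly grants it."""
    allowed = resolve(station, "hard_disk_access")
    return allowed is not None and _matches(USER_GROUPS.get(userid, []), allowed)
```

Two design points worth noting: the opt-out is a distinct sentinel rather than None, so "this tier says nothing" and "this tier refuses the inherited value" stay distinguishable, and the deny list is resolved before the allow list so a central-group suspension cannot be undone by a room-level allow pattern.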
For the short term, we will move toward an LDAP-based system
(Lightweight Directory Access Protocol) using open systems and open
standards.
Later, when NT5 is released, we will likely migrate to
Active Directory.
The Microsoft ADSI (Active Directory Service Interface) allows for
a variety of directory server options, including LDAP, NDS, NetWare
or WinNT native.
The Waterloo Polaris team is working with IST to resolve campus
needs and deployment of directory services. An initial document
is available which describes some of the
issues.
status: incomplete
|
Logging
|
Although Watstar servers still do the login authentication, the audit
logs they generate are now exported to open platforms.
Watstar servers syslog all logins and logouts (and other important
events such as failed password attempts, workstation virus scan
results, software updates, etc.) to up to two Unix syslog daemons.
One of those daemons must be EC's master logger, so that EC can assist
with various things; the second can be a server of the faculty's
choosing.
The faculties use this facility to plan capacity, deal with
complaints, and look for problems before users even report them.
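As an added example (not part of the original page or of EC's tooling), the kind of check the faculty's own syslog daemon makes possible: parse the exported login, logout, failed-password and virus-scan events and flag what an administrator would want to see before users complain. The Watstar syslog message format is not shown on the page, so the key=value layout, hostnames, station names and the 1998 year used in SAMPLE_LOG are constructed, and the thresholds are assumptions too.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of what the syslog daemons might receive. The message
# format is an assumption; the real Watstar syslog format is not on the page.
SAMPLE_LOG = """\
Sep 28 08:01:12 watstar-e2 watstar: LOGIN user=jdoe station=E2-1303-07 room=E2-1303
Sep 28 08:01:40 watstar-e2 watstar: BADPASS user=asmith station=E2-1303-08 room=E2-1303
Sep 28 08:01:55 watstar-e2 watstar: BADPASS user=asmith station=E2-1303-08 room=E2-1303
Sep 28 08:02:03 watstar-e2 watstar: BADPASS user=asmith station=E2-1303-08 room=E2-1303
Sep 28 08:02:10 watstar-e2 watstar: LOGIN user=asmith station=E2-1303-08 room=E2-1303
Sep 28 08:05:31 watstar-e2 watstar: BADPASS user=root station=E2-1303-12 room=E2-1303
Sep 28 08:05:33 watstar-e2 watstar: BADPASS user=admin station=E2-1303-12 room=E2-1303
Sep 28 08:05:35 watstar-e2 watstar: BADPASS user=guest station=E2-1303-12 room=E2-1303
Sep 28 08:05:37 watstar-e2 watstar: BADPASS user=jdoe station=E2-1303-12 room=E2-1303
Sep 28 08:05:39 watstar-e2 watstar: BADPASS user=asmith station=E2-1303-12 room=E2-1303
Sep 28 08:07:00 watstar-e2 watstar: VIRUSSCAN station=E2-1303-07 result=infected file=C:\\TEMP\\X.EXE
Sep 28 09:15:00 watstar-e2 watstar: LOGOUT user=jdoe station=E2-1303-07 room=E2-1303
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"watstar: (?P<event>[A-Z]+) (?P<fields>.*)$")


def parse(text, year=1998):
    """Turn syslog lines into dicts; syslog carries no year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # lines from other daemons or garbage: skip
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        stamp = f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m.group("host"),
                       "event": m.group("event"), **fields})
    return events


def bursts(events, key, n, window_s):
    """Keys (e.g. userids) with at least n events inside window_s seconds."""
    times = defaultdict(list)
    for e in events:
        times[key(e)].append(e["ts"])
    hits = []
    for k, ts in times.items():
        ts.sort()
        for i in range(len(ts) - n + 1):
            if (ts[i + n - 1] - ts[i]).total_seconds() <= window_s:
                hits.append(k)
                break
    return hits


def spraying_stations(events, min_users=4, window_s=60):
    """Stations where many different userids fail in quick succession."""
    by_station = defaultdict(list)
    for e in events:
        if e["event"] == "BADPASS":
            by_station[e["station"]].append((e["ts"], e["user"]))
    flagged = []
    for station, items in by_station.items():
        items.sort()
        for i in range(len(items)):
            start = items[i][0]
            users = {u for t, u in items[i:]
                     if (t - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged.append(station)
                break
    return flagged


def report(text):
    """One pass over the exported log: security flags plus a capacity count."""
    events = parse(text)
    badpass = [e for e in events if e["event"] == "BADPASS"]
    return {
        "account_bursts": sorted(bursts(badpass, lambda e: e["user"], 3, 300)),
        "spraying_stations": sorted(spraying_stations(events)),
        "infected_stations": sorted(e["station"] for e in events
                                    if e["event"] == "VIRUSSCAN"
                                    and e.get("result") == "infected"),
        "logins_per_room": dict(Counter(e["room"] for e in events
                                        if e["event"] == "LOGIN")),
    }
```

In the sample, asmith's three quick failures followed by a successful login on the same station look like a typist, while the five different userids failing within eight seconds on E2-1303-12 look like someone guessing; separating the two needs both the per-account and the per-station view, which is why the report carries both.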
status: complete
|
User File Storage
|
Projects are underway to evaluate various fileserver technologies.
The resulting system must have SMB/CIFS access for users, it must offer
user quotas, backup capabilities which integrate with the campus backup
systems, home/village access, manageability, scalability, and much
more.
Presently some individuals store their user files on Unix/Samba
or NT, and all Math students store their files on a Network Appliance
multiprotocol fileserver. However, other than Math, all the faculties
are relying primarily on Watstar servers.
The remaining Watstar faculties are now looking at capable SMB/CIFS
servers to replace their Watstar servers for the longer term.
Unfortunately, due to the size of most faculty user communities
and the traffic they generate, several popular technologies are
not as appropriate as one might initially hope. Furthermore,
users and sysadmins expect the successor server technology
to be an improvement over its predecessor, not merely a replacement
or a step backward. While most contenders meet the basics, the issues of
reliability, server availability and performance will likely
determine the right technology.
Engineering Computing has released an RFP (request for proposal)
to find possible solutions for its needs.
The P: drive letter is assigned to a user's SMB/CIFS account if they
have one.
status: RFP issued
|
Web Services
|
Most faculties provide user and group web pages on faculty
and/or departmental Unix, and sometimes NT, servers.
- Engineering has a faculty web server (FreeBSD)
- Math has a Sun server re-export the web pages stored on their Network
Appliance
- Science homepages are stored on their faculty server (Sun)
- The AHS Email server doubles as a student web page server, and
an NT server exports the faculty member web pages
- Arts homepages are stored on Watarts
The W: drive is allocated for user web pages. Often this is
a different export than the user's home directory, which allows
different create-mode (file permission) settings for web files.
status: complete
|
Printing
|
The exact printing strategy in Waterloo Polaris varies by faculty. Each
system combines Unix and PCs for printing, each has printer accounting,
and each validates the user in some way.
In AHS, Science and Engineering, printer queues are based in Watstarland
and printer accounting is performed there. This is easy for Waterloo Polaris
machines to understand, but harder for unix systems. To print to the
same printers, unix systems must queue print jobs to the Watstar server
based queues. Generally these pass through a helper unix machine (eg. globe)
which accepts lpr then uses an nfs mount to transfer the
files to a Watstar server behind the scenes.
In Arts, the printing from Waterloo Polaris machines first goes to Watstar
server printer queues. Then the jobs are usually lpr'd up to a unix
machine which manages the print queues and accounting. This transfer is
done by a backroom pc with lpr privileges on the Unix computer.
Arts has a private accounting system.
IST and Math use CAS (IST's Computing Accounting System) for accounting on unix machines.
In IST, jobs are initially sent to Watstar print queues, but upon release
are passed through a PC in Engineering which then lpr's the job
to the appropriate unix queue. This strategy in IST is a holdout from Watstar
days.
Math's strategy is to entirely run the queues on unix. All their lab
stations are using Waterloo Polaris, so samba on a unix computer
is combined with a Waterloo Polaris feature to create an smb printer
queue to which the stations automatically connect. Unlike any of the other
systems, this one uses smb and the user's unix userid/password to
authenticate the sender.
Converting IST's system to use smb rather than the present indirect
route is a bigger challenge than it might first appear: the issue
of authenticating users at samba connect time must be solved.
EC is planning to investigate options for its own system; we want to
eliminate the Watstar server from the equation.
status: investigating options
|
Application Files
|
Most common application programs are loaded from the local
hard disk, but local disk space is far too limited for this to be
a permanent solution.
From the start, Waterloo Polaris stations have accepted applications
stored on Watstar and smb/cifs servers, though the latter
option has not typically been adopted in most faculties.
The evolution of Waterloo Polaris will see application file storage
moving radically toward the smb/cifs servers. This
server platform shift, combined with our client caching device driver
is described in some depth in our
appfiler white paper.
status: experimental system going live Sept. 1998
|