
Re: [K12OSN] Pinch me...



On Sun, 2003-07-06 at 16:24, Shawn Powers wrote:
> I remember last year, that it was difficult for me to convince the
> school to purchase a subscription to Linux Journal... and now...
> 
> In a recent unexpected turn of events at my school district, the school
> board was overwhelmingly in favor of switching to open-source based
> servers.  Amazingly enough, my presentation focused on the money saved,
> and the businessmen and businesswomen on the board actually *understood*
> linux.  At least enough to like the money-saving aspect of it. :)

    GoodOnYa!

> 1) Not a question, but a simple description of the hardware that will be
> involved.  We have a handful of public IP addresses coming into the
> district via a licensed wireless link from our ISD.  I will have a
> computer with 2 or 3 NICs acting as the firewall/masquerading box.  This
> will most likely run IPCOP.  Connected to that machine, in the DMZ will
> be a XEON machine with mirrored-RAID IDE drives for web/internet
> services.  Inside the private LAN, I will have 2 other servers.  One
> will be a PIII with 9GB SCSI drive running squidgard/dansguardian.  The
> other will be a PIII/PIV with RAID5 SCSI drives acting as the fileserver
> for the district.  Ok, there's a simplistic picture of the hardware I
> have to work with.

    Just one question...wireless? I hope we're not talking 802.11*;
that's pretty easy to crack...

> 2) LDAP.  I can't think of a reason to *not* use LDAP for
> authentication.  Everything seems to be able to authenticate via LDAP,
> plus the addressbook side-effect you get, it would be silly for me NOT
> to use it.  My question:  What has proven to be the best way for users
> to change their password?  Usermin?  Does whatever method you fancy
> allow for a hierarchy of "who can change what"  ?   It would be
> wonderful if I could delegate a small group of users (teachers) that
> could change passwords for students, but NOT change the passwords of the
> principals...  Any help with the "in use" nuances of LDAP would be
> appreciated.  This list has generated a great deal of info regarding
> setting up a server, and I thank all involved for that. :)

    LDAP really isn't for authentication.  And a fellow much more
experienced than I has told me many reasons for not doing it, all having
to do with security: both integrity and intrusion.  He suggests using
Kerberos instead...but I have no idea how that works, yet.  For what it's
worth.

> 3) home directory structure.  I know this has much to do with personal
> preference, but I wonder if anyone has any pros/cons of different
> structures.  My plan is to base it on graduation year, like:
> 
> /home/2004/user1
> /home/2004/user2
> /home/2005/user3
> /home/2005/user4
> /home/staff/user5
> /home/staff/user6

    I don't think it matters much; just whatever's easier for you to
handle.  Remember that you can 'userdel' any one of them, to remove
them.

    Around here (inside the house) I have one machine that gets NFS
exported from one machine's /nfshomes directory. As long as the users
all have the same userID, everything's beautiful, but I worry that it
might be a security risk.

> 4) Chicken-and-Egg scenario.  I can't think of a perfect order for
> setting up servers.  I plan to start with the LDAP server, because
> everything else I set up will need to have user authentication.  The LDAP
> server will reside on the "web/internet services" machine mentioned in
> question 1.  I should be able to set this up internally on a private IP,
> and have the appropriate ports forwarded through the firewall to it. 
> The only problem with setting this machine up first, is that I will
> eventually want the /home directory mounted from the fileserver via
> NFS.  Since that server doesn't exist yet -- I'm hoping that when the
> time comes, I can just empty the /home folder that will exist, and mount
> the NFS box.  If I'm offbase in that thought, please slap me
> accordingly.

    Build it like a bridge: start pouring foundations. Install one
machine, probably with a fixed IP for stability, then the next, making
sure each machine has the IP address worked out in /etc/hosts.  This
means that when DNS is being bounced (or problematic) you'll still be
able to work on the servers without the distraction of remembering the
IP addresses.

    Build your DNS solidly. Keep it simple until it's all done.
Personally, I suggest webmin for this, as it's easy and there's almost
NO having to remember where you need to leave the '.' characters to point
out root. And, you can say "Add a host" and click "Update reverse, too"
and it'll get both sides at the same time.  Become a DNS god
later...this'll give you a working copy that you can learn from, and you
can get it right with the least sweat.

    Also, think about your naming convention.  A lot of people think
calling 192.168.1.42 "mymachine.sitename.com", but it's not: it can't be
reached from the outside- the name is erroneous.  Think about something
more like "mymachine.sitename.local" for all the addresses behind the
firewall(s). Webmin makes this trivial, and make sure to add a zone for
"sitename.local" in your main, internal DNS server.  It's surprisingly
easy.

> 5) I am replacing our current proprietary email/groupware server
> (FirstClass) with linux based alternatives.  One feature I have been
> unable to pin down is the ability to have multiple email connections to
> a single box.  This seems like a silly need, but I can't stand it when
> my computer at work disconnects my mutt session by polling for new
> mail.  I check mail from many many computers in a day, and I play
> "broken IMAP connection" tag all day...  I know the IMAP server isn't
> tied directly into the MTA I use -- but a combination that works well
> for you would be greatly appreciated.   (BTW, does anyone else have
> problems with the "server disconnected" problem with their IMAP server
> using multiple machines, or is it just me?)

    OK...I've never EVER seen that, but I despise character-based email
clients, having used them for about 15-20 years. Evolve. Try something
like Evolution 1.2.  You'll thank me, once you realize what it can do
for you.  It works with POP/POP3/IMAP/IMAPS and even cool things like
LDAP for name completion.

    As to the groupware, check out phpGroupware and/or OpenAdmin. Both
are fine packages, and can be found via Google.

    And you might want to install SquirrelMail.org's SquirrelMail for
people accessing mail from home. You can install it on the webserver,
then tell it to get the mail from, say, 192.168.1.45 or whatever.  And,
I can help you on it when installed.


> THANK YOU all for even reading this far.  I'm very excited about this
> summer, but want to make sure I make the best decisions possible.  Thank
> you for any advice/experience you are willing to share.  Our district
> has influence over a lot of schools (never really thought of myself as
> influential, but alas linux geeks shine when the economy turns sour) and
> I want to make sure we set a good example. :)

    No problem; I want Linux to succeed where I'm certain it will, and
your implementation will be just more proof to the rest of the world
what I already know: Linux is ready for primetime.

    Plus, you're a sysadmin, like me. Do yourself a favor: don't do it
all at once. Start simple, add features only when everything else works
perfectly...even if those other things don't have eye-candy. Plus, when
it comes up basic, and you tune it, others will see how it grows into a
system that's unique to you.

    Try to do one more thing: once you get it set up, watch how much
time you spent on the Microsoft boxes and how much you spend on Linux.
You'll be able to support 40 MS machines, or at least 100 Linux boxes,
so you're gonna have some time on your hands...more time to chase
viruses and icons that disappear.

    And don't be afraid to contact me for help!

    Good luck!

-- 
------------------------------------------------------------------------
Brian Fahrländer          GNU/Linux Zealot, Conservative, and Technomad
Evansville, IN                    My Voyage: http://www.CounterMoon.com
ICQ  5119262
------------------------------------------------------------------------
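The delegation hierarchy asked about in point 2 (teachers may reset student passwords, but not the principals') is the kind of thing OpenLDAP's access controls express directly. The fragment below is an added example, not configuration from either poster's setup; the suffix dc=example,dc=local, the ou=students/ou=staff/ou=groups layout and the cn=teachers group are assumptions for illustration.

```conf
# Added example slapd.conf ACL fragment (assumed DIT: dc=example,dc=local).
# slapd evaluates "access to" clauses in order and stops at the first clause
# whose target matches, and within a clause at the first matching "by" line,
# so the narrow student rule must come before anything broader.

# Students: a student may change their own password; members of the assumed
# cn=teachers group (objectClass groupOfNames, "member" attribute) may reset
# it; anonymous clients may only use it to bind (auth); nobody else can read
# the hash.
access to dn.subtree="ou=students,dc=example,dc=local" attrs=userPassword
    by group.exact="cn=teachers,ou=groups,dc=example,dc=local" write
    by self write
    by anonymous auth
    by * none

# Staff, principals included: self-service only.  The teachers group is not
# listed here, so the delegation above does not reach principals.
access to dn.subtree="ou=staff,dc=example,dc=local" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything that is not a password (names, mail, the address-book
# attributes) is readable by authenticated users only, never anonymously.
access to *
    by users read
    by * none
```

Two caveats worth checking after a reload: the rootdn bypasses every ACL, so it should be used only for administration and never as a service bind account; and the rules are only as good as the test you run against them. Binding as a teacher and running ldappasswd against a student entry should succeed, while the same command against a principal's entry should come back with an insufficient-access error; if both succeed, a broader clause is matching first.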


