[Fwd: Re: Beginnings of a spec for new User Admin tool.]

Veli-Matti Lintu veli-matti.lintu at opinsys.fi
Wed Jan 20 15:53:48 GMT 2010 

ti, 2010-01-19 kello 20:47 -0800, Steve Rippl kirjoitti:

> Scott Balneaves wrote:
> > https://wiki.ubuntu.com/Edubuntu/NewUserAdminTool

> That looks potentially very useful.  The idea of having plugin scripts 
> is excellent.  Have you though about rights delegation?   I'm thinking a 
> sysadmin might for example control adding and removing users (by 
> whatever method, this tool or otherwise), but might want to allow a 
> teacher to reset passwords, group kids, or change some other attribute 
> of students in their class.  Could certain users just be able to use 
> certain "commands".  Could this be handled via groups perhaps?  All 
> 'teachers' get these rights, all 'power-teachers' get those etc.

I've been involved in managing Ubuntu based LTSP server for some years
and in the process we have accumulated piles of tools to manage users.
Over the years we have settled mostly with web UI for ldap+kerberos and
some magic for laptops to get offline authentication working also.

The concept of our current custom built system is this:

* all web based tool - quite a few admins in school manage users also
from windows workstation or remotely
* hardcoded hierarchy: schools - groups - users - this makes the UI way
easier to user
* groups can also be nested - this is quite heavy on ldap, though
* data is stored in ldap and ldap schema is fixed and hardcoded in the
tool with samba attributes - no separate samba-ldap scripts
* bulk import of users using csv data
* system groups (audio, video, etc.) are left out and handled in pam
modules instead
* teachers are able to change the passwords of kids in their own school
* shared folders are done using ACLs and groups that tell the class of
the user


What I have learnt over the years is that the simpler the UI is, the
better. There are currently three interfaces - one to administer users,
one to change password and one to change password for another user.
Especially the easy way to change passwords for other users has been a
success.

This has worked quite well for the schools we are taking care of. There
was a poor choice of architecture when building this, though, so we are
now in the process of rewriting it so that one can actually maintain the
code. We are trying to get it out really soon now. A web based system
won't be the same as an application with a GUI, though, but many of the
concepts are probably the same.

Veli-Matti

More information about the edubuntu-users mailing list