Southeastern Louisiana University
Custom LDAP and Open Source Development using Novell eDirectory
Southeastern Louisiana University’s Systems Engineering Team leverages open source software, Linux and Novell eDirectory for custom application development and IT integration

"In our email systems and authentication servers, eDirectory is the only technology that isn’t open source, but it integrates everything that is open source. With all the mail-related software we rely on, such as Sendmail, Qpopper, SpamAssassin, Mimedefang, etc., the cost savings from using Novell’s directory to support everything we plug into the network really add up."

Brad Bendily
Network Specialist
Southeastern Louisiana University

background
Since 1925, Southeastern Louisiana University (SLU) has expanded its academic role as an incubator of ideas, a laboratory of experiments, and an avenue of debate and discussion. Fall 2003 enrollment of 15,662 students set a university attendance record, while higher average ACT scores for incoming freshmen reflect the university’s goal of attracting better prepared students.
situation before Novell development solution
To reduce the time and resources consumed by ongoing network management, organizations of all types are seeking to enhance the quality and business value of information stored in their LDAP (Lightweight Directory Access Protocol) directories.

Prior to integrating Novell’s directory across the university’s key platforms and applications, managing users on the SLU network entailed providing application-specific access rights to new students, which required extensive manual processes and staff to create, assign and manage thousands of unique IDs and passwords. SLU developers set out to extend the use of directory services and use open source software to automate user identity management across key applications to reduce administrative costs, provide students, faculty and staff faster access to resources, and increase security.

With record enrollment and an ever-increasing reliance on electronic communication among SLU faculty, staff and students, a secure, reliable and scalable identity management foundation for the university’s distributed network grows more essential by the day. Historically, however, it’s been an endeavor made difficult by the lack of development flexibility in most network management consoles.

situation after Novell development solution
Even the simplest task of an identity management system, automated password management, can generate high levels of return. And when the infrastructure is designed and built internally by “in-house” developers using open source software coupled with Novell eDirectory integration, the results are not only impressive in terms of performance and reliability, they’re immediate and affordable.

The SLU Systems Engineering Office maintains the network systems and user environments and provides software support for the campus local area networks. The team of six individuals administers 14 NetWare® servers, 18 UNIX/Linux* servers, 2 VMS* nodes, and 12 Windows NT/2000* servers, all connected via a gigabit backbone, as well as network equipment, e-mail systems, routers and WAN connections to the Internet, connecting remote campuses in Covington and Baton Rouge with the main campus in Hammond, Louisiana.

In the SLU Engineering team’s not-so ‘spare’ time, they also design and build network software solutions. “Like most university IT departments, we don’t have a lot of budget to purchase packaged software,” noted Ray DeJean, SLU Systems Engineer. “So we made the choice long ago to use, wherever possible, open source software, and do the necessary software development in house.”

Any administrative task can be done from the console in Linux. In many cases, using the console is faster than using a graphical program and may provide additional functionality. Because every task is available at the console, any of them can be placed into a script and thus automated.

Recently, the team implemented a new e-mail system based on RedHat Linux Advanced Server 2.1 running on two IBM Netfinity* x360 servers with four 3.06 GHz P4 Xeon Hyper-threaded processors each. These servers are in a clustered configuration with an additional failover server and are connected to a XIOtech Magnitude* SAN. SLU student e-mail accounts are now accessible via WebMail from Captaris, LDAP and eDirectory. WebMail allows students to receive, save, and send e-mail through any connected browser. In addition, the WebMail home page is used to post notices of interest to the student community.

“We have over 100,000 objects in our eDirectory tree,” said Brad Bendily, SLU Network Specialist. “We couldn’t justify buying commercial tools and applications that did everything we wanted. We had a text-based menu system previously with our VMS email system, and it made the most sense to draw from our earlier work and expand from there. That’s the great thing about using eDirectory. It supports our unique infrastructure and works flawlessly behind the scenes, integrating easily because it’s standards-based, and more importantly, scales securely with our implementation.”

“On the management side, LDAPMenu is a text-based application that exposes eDirectory account information using Perl, from LDAP accounts,” said Mark Hemel, SLU’s VMS Administrator. “In addition, Mfinger is an administrative utility written in-house with a screen that displays directory information but doesn’t allow changes to that information. It allows fast user lookups and pulls a summary of the account so the help desk can see immediately what’s wrong. Account Info is another web-based application that lets students manage their profile information, and set spam filters.”

“When we create new users, we want them to have a certain set of attributes and rights that isn’t provided by default,” said Tom Renfro, Assistant DBA/Perl Guru. “We extended the directory schema, and then pointed all our applications to authenticate via the LDAP tree. We created a custom PeopleSoft access flag that allows users to log into PeopleSoft, but not access e-mail. Having attributes for each user account offers us the flexibility to specifically allow or deny a user access to specific systems. Novell’s ConsoleOne has no built-in tabs for things we’ve added.”

“Our PeopleSoft 8 implementation is web based and these users authenticate via LDAP. We did our initial testing of PeopleSoft 8 using OpenLDAP, and it proved to be hard to manage in day-to-day administration and tuning. What we discovered was that eDirectory gave us a much easier time. Our data loads were significantly faster, indexing made our lives easier and management is very straightforward with no performance penalty for additional features,” continued Renfro. “At SLU eDirectory is master for authentication, and the repository for user information is stored in PeopleSoft. We synchronize the two on a nightly basis to ensure that user information is consistent. eDirectory enforces all the rules that get applied in the nightly synchronization. No single product we evaluated met our need for keeping the user information and authentication synchronized. We decided not to use DirXML® because we didn’t need immediate synchronization. We felt it was sufficient to have the sync done overnight. Since passwords (authentication) are only stored in one place, eDirectory, we didn’t need to synchronize passwords.”
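The nightly job Renfro describes, PeopleSoft as the repository for user information and eDirectory as the authentication master, is a classic reconciliation problem. The following is an added example (not SLU's code or a Novell tool) that computes and applies such a batch sync on constructed records: the attribute list, user records, `loginDisabled` handling and the orphan threshold are assumptions for illustration. It shows two rules a practitioner wants in this kind of job: the password attribute is never part of the comparison, since it lives only in the directory, and users missing from the extract are disabled rather than deleted, with the whole run refused if too many vanish at once.

```python
"""Nightly reconciliation of a directory against a system of record
(added example, not SLU's code).

The source extract owns a fixed set of attributes; the directory entry keeps
everything else, userPassword included. Records, attribute names and values
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attributes the system of record owns. Anything else on the directory
# entry, userPassword included, is left untouched.
SYNCED_ATTRS = ("givenName", "sn", "mail", "telephoneNumber")

# Constructed nightly extract from the system of record, keyed by login name.
SOURCE = {
    "astudent": {"givenName": "Ann", "sn": "Student",
                 "mail": "astudent@selu.example", "telephoneNumber": "985-555-0100"},
    "bstaff":   {"givenName": "Bob", "sn": "Staff",
                 "mail": "bstaff@selu.example", "telephoneNumber": ""},
    "newhire":  {"givenName": "Nia", "sn": "Hire",
                 "mail": "newhire@selu.example", "telephoneNumber": "985-555-0102"},
}

# Constructed snapshot of what an LDAP search of the directory returned.
DIRECTORY = {
    "astudent": {"givenName": "Ann", "sn": "Student",
                 "mail": "astudent@selu.example", "telephoneNumber": "985-555-0199",
                 "userPassword": "{SSHA}constructed-hash-1"},
    "bstaff":   {"givenName": "Bob", "sn": "Staff",
                 "mail": "bstaff@selu.example", "telephoneNumber": "985-555-0101",
                 "userPassword": "{SSHA}constructed-hash-2"},
    "leftlast": {"givenName": "Lee", "sn": "Left",
                 "mail": "leftlast@selu.example", "telephoneNumber": "985-555-0103",
                 "userPassword": "{SSHA}constructed-hash-3"},
}


@dataclass
class SyncPlan:
    create: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # user -> {attr: new value, or None meaning "remove the attribute"}
    modify: Dict[str, Dict[str, Optional[str]]] = field(default_factory=dict)
    orphaned: List[str] = field(default_factory=list)   # in directory, not in extract


def plan_sync(source, directory) -> SyncPlan:
    """Diff the extract against the directory; only SYNCED_ATTRS are compared."""
    plan = SyncPlan()
    for user, record in source.items():
        wanted = {a: record.get(a, "") for a in SYNCED_ATTRS}
        entry = directory.get(user)
        if entry is None:
            plan.create[user] = {a: v for a, v in wanted.items() if v}
            continue
        changes = {a: (v or None) for a, v in wanted.items() if v != entry.get(a, "")}
        if changes:
            plan.modify[user] = changes
    plan.orphaned = sorted(u for u in directory if u not in source)
    return plan


def safe_to_apply(plan: SyncPlan, directory, max_orphan_fraction: float = 0.1) -> bool:
    """Refuse a run whose orphan count looks like a broken or truncated extract."""
    if not directory:
        return True
    return len(plan.orphaned) <= max_orphan_fraction * len(directory)


def apply_plan(directory, plan: SyncPlan):
    """Return a new snapshot with the plan applied. Orphans are disabled via the
    eDirectory loginDisabled attribute (assumed here), never deleted, so a bad
    night can be undone the next one."""
    result = {user: dict(entry) for user, entry in directory.items()}
    for user, attrs in plan.create.items():
        result[user] = dict(attrs)
    for user, changes in plan.modify.items():
        for attr, value in changes.items():
            if value is None:
                result[user].pop(attr, None)
            else:
                result[user][attr] = value
    for user in plan.orphaned:
        result[user]["loginDisabled"] = "TRUE"
    return result


if __name__ == "__main__":
    plan = plan_sync(SOURCE, DIRECTORY)
    print("create:", sorted(plan.create), "modify:", plan.modify, "orphaned:", plan.orphaned)
    print("safe at 10% orphans:", safe_to_apply(plan, DIRECTORY))
```

On the constructed data the plan updates one phone number, removes one that the extract cleared, creates one account and flags one orphan; with a 10% threshold the run is refused, which is the point of the guard when a single night's extract is incomplete.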

“As developers, we’ve benefited by being able to leverage open source tools and software and then quickly connect the resulting applications to the network via eDirectory,” said Jason Lanclos, SLU Systems Administrator. “Once we had the basic LDAP infrastructure in place, it then became easier to continue developing new projects that add value to the campus network. For example, our team used Novell’s APIs for ActiveX objects from the Novell Developer Kit to provide LDAP-based login for common area desktops. In our Student Technology Fee Labs, all desktops have a login screen, and students only have to enter a user name and password to access workstations. It’s a lot simpler than using RADIUS. In addition, we implemented a password challenge/response so that users who’ve forgotten their password can simply visit a provided link where they can supply the right answer to reset the password.”
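The challenge/response reset Lanclos mentions is the kind of self-service feature that quietly becomes the weakest link in an authentication system if the stored answer is kept in clear or can be guessed at leisure. The following is an added example (not SLU's implementation, and not from the Novell Developer Kit) of the defensive parts such a flow needs; the class, method names and sample users are assumptions. The answer is stored only as a salted PBKDF2 hash, compared in constant time, a few wrong answers lock the challenge, and a correct answer yields a single-use, short-lived token that is itself stored only as a hash.

```python
"""Challenge/response password reset with defensive storage (added example,
not SLU's implementation). Names and data are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ITERATIONS = 100_000     # PBKDF2 rounds; slow on purpose
MAX_ATTEMPTS = 3         # wrong answers before the challenge locks
TOKEN_TTL = 600          # seconds a reset token stays valid


def normalize(answer: str) -> str:
    """Make 'Fido ' and 'fido' compare equal without weakening the hash."""
    return " ".join(answer.casefold().split())


def slow_hash(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS)


class ResetService:
    def __init__(self) -> None:
        self._challenges: Dict[str, dict] = {}        # user -> stored answer record
        self._tokens: Dict[str, tuple] = {}           # sha256(token) -> (user, expiry)
        self._dummy_salt = secrets.token_bytes(16)    # equalises timing for unknown users

    def enroll(self, user: str, answer: str) -> None:
        """Store the answer as a salted slow hash; the clear answer is discarded."""
        salt = secrets.token_bytes(16)
        self._challenges[user] = {"salt": salt, "hash": slow_hash(answer, salt), "failures": 0}

    def answer_challenge(self, user: str, answer: str, now: float) -> Optional[str]:
        """Return a reset token on a correct answer, else None."""
        record = self._challenges.get(user)
        if record is None:
            slow_hash(answer, self._dummy_salt)        # same cost whether or not the user exists
            return None
        if record["failures"] >= MAX_ATTEMPTS:
            return None                                # locked until an administrator clears it
        if not hmac.compare_digest(slow_hash(answer, record["salt"]), record["hash"]):
            record["failures"] += 1
            return None
        record["failures"] = 0
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = (user, now + TOKEN_TTL)
        return token                                   # only the hash is kept server-side

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Consume a token exactly once; return the user it was issued for, or None."""
        key = hashlib.sha256(token.encode()).hexdigest()
        issued = self._tokens.pop(key, None)           # pop: single use, valid or expired
        if issued is None:
            return None
        user, expiry = issued
        return user if now <= expiry else None

    def is_locked(self, user: str) -> bool:
        record = self._challenges.get(user)
        return record is not None and record["failures"] >= MAX_ATTEMPTS
```

The caller passes `now` explicitly so the expiry logic is testable; in a web front end it would be the server clock, and a redeemed token is what authorises the actual password change in the directory.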

“We’ve moved from proprietary e-mail running on VMS to open source e-mail that’s basically free and easy to manage in eDirectory,” said Ray DeJean, SLU Systems Engineer. “We use eDirectory as our main repository for storing email account information and our users authenticate via LDAP. eDirectory also runs our email user search system. We have a web application that searches eDirectory for e-mail addresses, user names, room numbers and phone numbers. This is a simple task of pulling information out of an LDAP directory, but another solid plug for using Novell’s directory.”

“In our email systems and authentication servers, eDirectory is the only technology that isn’t open source, but it integrates everything that is open source”, said Bendily. “We support nearly 20,000 active email accounts and eDirectory handles this load effortlessly. Plus, there’s no extra cost to store user accounts in eDirectory on Linux servers. With all the mail-related software we rely on, such as Sendmail, Qpopper, SpamAssassin, Mimedefang, etc., the cost savings from using Novell’s directory to support everything we plug into the network really add up.”

More directory-enabled projects to enhance the network at SLU are being implemented. “For example, we are now using eDirectory to manage wireless access across the campus,” said Bendily. “When a student using a wireless laptop tries to browse to Google, for example, the request gets redirected to a university web page to be authenticated. We can now manage wireless users with eDirectory and a Linux firewall by applying specific policies, such as authorizing usage for limited times via LDAP.”
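Two of the practices quoted above rest on the same idea: Renfro's custom PeopleSoft access flag, where each application reads a per-system attribute added by a schema extension, and Bendily's wireless policy that authorises usage for limited times via LDAP. The following is an added example (not SLU's schema or code) that shows both decisions made over a constructed LDIF export. The attribute names `sluPeopleSoftAccess`, `sluMailAccess` and `sluWirelessExpires`, the entries and the dates are assumptions; the point a practitioner should take from it is that every decision fails closed: an unknown user, an application with no flag defined, an absent or duplicated value, or an unparseable expiry all deny.

```python
"""Per-system access flags and a time-limited authorisation read from LDAP
entries (added example, not SLU's schema). Attribute names, entries and
dates are constructed.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed LDIF export of three entries. The slu* attributes are
# hypothetical names standing in for the article's custom flags.
SAMPLE_LDIF = """\
dn: cn=astudent,ou=students,o=slu
cn: astudent
sluPeopleSoftAccess: TRUE
sluMailAccess: FALSE

dn: cn=bstaff,ou=staff,o=slu
cn: bstaff
sluPeopleSoftAccess: TRUE
sluMailAccess: TRUE
sluWirelessExpires: 20030915120000Z

dn: cn=cguest,ou=guests,o=slu
cn: cguest
sluWirelessExpires: 20031231235959Z
"""

# Which flag each application may consult. An application not listed here
# gets no access decision at all.
APP_FLAG = {
    "peoplesoft": "sluPeopleSoftAccess",
    "email": "sluMailAccess",
}

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse minimal LDIF (no base64 '::' values) into {dn: {attr: [values]}}.

    Entries are separated by blank lines, a line starting with one space
    continues the previous line, and '#' lines are comments.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in unfolded + [""]:          # the trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if sep:
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def lookup(entries: Dict[str, Entry], cn: str) -> Optional[Entry]:
    """Find the entry whose cn equals the login name, or None."""
    for entry in entries.values():
        if cn in entry.get("cn", []):
            return entry
    return None


def has_access(entries: Dict[str, Entry], cn: str, app: str) -> bool:
    """Fail closed: unknown user, unlisted app, absent or multi-valued flag all deny."""
    entry = lookup(entries, cn)
    flag = APP_FLAG.get(app)
    if entry is None or flag is None:
        return False
    values = entry.get(flag, [])
    return len(values) == 1 and values[0].upper() == "TRUE"


def wireless_allowed(entries: Dict[str, Entry], cn: str, now: datetime) -> bool:
    """Allow wireless only while the expiry (LDAP generalized time, UTC) is in the future."""
    entry = lookup(entries, cn)
    if entry is None:
        return False
    values = entry.get("sluWirelessExpires", [])
    if len(values) != 1:
        return False
    try:
        expires = datetime.strptime(values[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False                      # malformed timestamp denies rather than allows
    return now < expires


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    now = datetime.now(timezone.utc)
    for user in ("astudent", "bstaff", "cguest", "nobody"):
        print(user, "peoplesoft:", has_access(directory, user, "peoplesoft"),
              "email:", has_access(directory, user, "email"),
              "wireless:", wireless_allowed(directory, user, now))
```

In production the entry would come from an LDAP search after a successful bind rather than from an LDIF file, but the decision logic is the same, and keeping it in one place is what lets the directory, not each application, remain the policy point.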

conclusion
SLU network administrators and programmers are steadily improving the network experience for thousands of students, faculty and staff, and conserving budget by quickly delivering in-house development solutions based on open source software and managed via eDirectory and LDAP. “With all the platforms, applications, and users our team supports, it’s difficult to imagine managing it all without Novell’s directory,” concluded Bendily. “If we suddenly were required to use Microsoft Active Directory instead of Novell’s eDirectory, I would probably quit.”
for more information
Southeastern Louisiana University
http://www.selu.edu/
©2003 Novell, Inc. All rights reserved. Novell, the Novell logo, NetWare and DirXML are registered trademarks; eDirectory, Novell Cluster Services are trademarks of Novell, Inc. in the United States and other countries.

*Netfinity is a trademark of IBM Corporation, Xeon is a trademark of Intel Corporation, Red Hat is a registered trademark of Red Hat Software, Inc., PeopleSoft is a registered trademark of PeopleSoft Corporation, Active Directory is a registered trademark of Microsoft Corporation, and XIOtech Magnitude is a trademark of XIOtech Corporation in the United States and other countries.