IntegratedNetworkSystem
Project to have single sign-on using Kerberos (perhaps PKI in the future), and offer Email, Chat, and Networked File Storage.
The Story
So, I'm writing a paper for ComputerScience99 about this topic (actually, I'd had the general idea prior to the paper, but this wiki topic was specifically created to help me work on the paper).
Hopefully I'll add more content to this page in the next week (or so) as I finish up my paper.
Components
- User Accounts -- LDAP/DND
- Email system -- BlitzMail (using its IMAP capabilities)
- Chat system -- using Jabber
- Networked file storage (includes webspace) -- we're using AFS
- FUTURE: (Nodular, interactive user-driven system -- see GreenIvy for an example)
ACCOUNTS: LDAP/DND
We will use the DND and LDAP systems currently in place as a directory for user accounts and user information.
Hopefully the Kerberos server uses LDAP, so that we can port this system for use elsewhere.
- Issues:
- how do we control accounts?
- pointed out to me by RichardBrittain: the DND doesn't (currently) have an appropriate field for unix usernames. This needs to be solved before we can couple AFS with the DND.
EMAIL: BlitzMail (IMAP)
In order to make this system flexible and portable to other institutions and uses, we will base the work on an IMAP email system.
Obviously, to get this system to gain widespread acceptance at Dartmouth, we need for it to integrate somewhat with the existing BlitzMail system.
- Issues:
- The overall issue of IMAP not supporting the full feature set that BlitzMail offers (many of these issues have been rectified).
- Kerberos authentication for IMAP email clients? (Hopefully this already exists for Evolution or other software...)
CHAT: Jabber
To encourage open standards, etc... Jabber looks like the best choice for a chat system. As I understand, there is already an LDAP authentication module for Jabber available. No idea about Kerberos or PKI authentication modules.
- Issues:
- Kerberos support?
- How do we deal with nicknames/usernames?
- My suggestion was that we use the "first" DND nickname (as long as it was unique), although I don't think that they are stored sequentially in LDAP (or are they even IN LDAP?), so...
NETWORK STORAGE: AFS
I considered NFS, Coda, and AFS.
AFS seems the most appropriate, and although more difficult to configure than NFS (don't know about Coda), seems like it offers the power and flexibility that this project requires.
- Issues:
- Mapping DND accounts to AFS usernames (see comment by RichardBrittain above).
- Migrating from existing AFS systems to OpenAFS? (not a problem during the testing phase... :)
- Managing 5000+ user accounts (I think that the folks in Kiewit can handle it... :-)
Topics Concerning Kerberos
- How easy is it to add Kerberos support to applications?
- How easy to add in-band support compared to out-of-band support? (Sidecar is the primary way that Dartmouth folks do out-of-band work with Kerberos).
- What about issues passing tickets through proxies, etc...? (mostly a problem w/ out-of-band stuff)
- Our current Kerberos work uses 56-bit DES encryption. Are there more secure options involving Kerberos? Or other alternate technologies (like PKI...)
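On the DES question in the last item: which encryption types a realm actually uses is governed by the keys stored on the KDC and by the enctype settings in each client's krb5.conf. The following is an added illustration, not this page's or Dartmouth's real configuration, showing an MIT Kerberos [libdefaults] fragment pinned to single DES next to one that only permits AES; the realm EXAMPLE.EDU and the host kdc.example.edu are placeholders.

```ini
# Added example, not the project's own config. Realm and host names are
# placeholders. Two alternative krb5.conf files are shown, one after the other.

# ---- File A: a realm still on 56-bit single DES (the weak setting) ----
# MIT krb5 1.7 and later refuse DES enctypes by default, so a DES-only
# KDC only keeps working if allow_weak_crypto is switched on explicitly.
[libdefaults]
    default_realm        = EXAMPLE.EDU
    allow_weak_crypto    = true
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    permitted_enctypes   = des-cbc-crc des-cbc-md5

[realms]
    EXAMPLE.EDU = {
        kdc          = kdc.example.edu
        admin_server = kdc.example.edu
    }

# ---- File B: the corrected setting, AES only ----
# With allow_weak_crypto left at false, a DES session key or ticket offered
# by a downgraded KDC is rejected instead of silently accepted. The
# principals' keys on the KDC must also exist for these types.
[libdefaults]
    default_realm        = EXAMPLE.EDU
    allow_weak_crypto    = false
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.EDU = {
        kdc          = kdc.example.edu
        admin_server = kdc.example.edu
    }
```

After obtaining a ticket, `klist -e` on the client prints the enctype of each ticket it holds, which is the quickest check of what the KDC is really issuing.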
Links
- AFSForTheDND -- earlier page that I wrote about some of the ideas present here.
- The Athena system at MIT has some similar components, but is different in many ways.
RobinsonTryon - 09 Feb 2003