I would like to introduce myself. I'm Christian Pöker from the University of Bielefeld, a student there, and I would like to talk about CAT, the CipUX administration tool. I would like to do this in English; I hope everybody can understand my poor English. This software was developed in 1999 for the University of Bielefeld as a replacement for the Novell server. We did this by developing a kind of distribution ourselves, and the CipUX administration tool is one offspring of that project. The main problem was administrating users; we had to do this on our own. CIP stands for a computer investment program; this was a term used inside our university. The tool I would like to talk about today is about giving people the opportunity to maintain users, groups and other things in the system without much knowledge and without the idea of root access or something like that. The concept is to make things simple. Over the last five years we developed a lot of modules to attain this goal. This is the main view of the modules which are available today. There are modules for administrating users, the user support service, or tools for administrating groups, for example a group of tutors or something like that. You can see from this slide that this system is a little bit more than simply adding and removing users. It also has an idea of how to group users together, and even more. You see this, for example, in the client admin. This does not mean a client as a person; it means a client as a computer. It is also able to administrate clients, that is, computers. In the case of the university these are fat clients, computers which have to have an IP address or a name or something like that. This facility makes it possible for people who do not know what, for example, a DHCP server is to do this. The main goal is to have a nice group of several people who can supply information to the system.
This is also a very good idea of the system: people who have the information should supply the information. For example, I am the admin of 1,600 users. I do not want to write down the telephone numbers of the people or create the logins myself. We thought it was a good idea to make them supply their data. I only push a button: yes, you are applied to the system and you can go. Decentralized administration was one of the goals of our system. This is a module, the tutor admin, for people in universities who deal with group administration; I will go into this in detail in a few moments. This is the main view of the user administration. It is mainly the same as, for example, other Skolelinux tools. You can see here a lot of user logins. They were generated by maybe three kinds of tasks. You can generate a login by just adding it as an admin, like in Windows. Or you can have an application form: the user puts in a name and says, I want to have access, and the admin gets an application request and can say yes, you are accepted, or no, you are not. There is also the possibility to fill out an application form on paper; that was the second one. The third one is, like in Windows too, that you can have a list and import the whole list into the system. So there are three ways to import users into the system. Of course this is not a very ordinary thing. You have names for users, of course, but one of the columns is nearly a role. This, in German, is the page where pupils are shown. You can also see that this role-based system is two-dimensional. You have, for example, a role which is called counter; this is a normal user access facility. You also see that there are different roles in the system, for example teachers, assistants, and of course pupils. Then there is a print account manager and, well, I think two or three others. The roles are maintained in this system. You see in the next column the status.
We have a mouse-over here: the left button, if you hover over it, says Linux, and the right button says Samba, I think. So you have the possibility of enabling or disabling a user only for Linux or only for Samba, which means Windows. Or you can disable both of them or enable both of them. Very fine control over what the user can do or can't. The next column is, for example, the amount of space he is using in the system. You can give him a limit on what he can write. If he has a limit, say in the old days it was 10 megabytes, then the student can't write 11. Nowadays maybe you can give him 50 megabytes or 500 megabytes; this depends on how you configure the system. You have two levels. At one level the administrator gets a warning. You can see here these are all good people; they are using only a very small amount of space. But if the user uses much space he will have a yellow button, and if he uses too much he will have a red button. You can also configure the system so that it writes emails to the users to inform them that they are over their limit. But this depends on how the system administrator configures the system. This is not the standard behavior, because sometimes they don't want to use emails. If this were the default behavior it would be too complex, and it would write a lot of mails which would never be received by the user. So this is not the default behavior of the system. In this column here, in color, you can also set the maximum he can use. You can also have a policy: everyone has, for example, 50 megabytes, but you can decide on a personal basis that someone has more or less than this. So this is very flexible. This is actually a user quota. The system is also able to use quotas based on groups, but practical experience in this area shows that it is very confusing for the administrator to decide which quota was full. So my advice is to use only one kind of quota system, not both.
If you use quotas at all, use only one kind of quota system, not both. If you use both you will get confused. The next column, of course, is the password: you can set a password for the user again if he doesn't remember it or whatever. And the next one is the home directory. We in the university have had the experience that the home directory is a kind of problematic thing. One problematic thing is maybe the browser, if it's full or something like that, or the user has deleted some files he shouldn't have, or the user migrates, or something like that. We have two buttons here. One means reset and one means restore. Reset means you wipe it out and make it fresh, and restore means you re-sync the skel directory again. So we keep the data he wrote himself, but if, for example, he deletes the KDE configuration, this will be applied again without deleting his data.

Do you do this intelligently, or just write over the KDE configuration?

No, it's not very intelligent, it's just copied over. So it's quite... So of course if he writes...

Is this a special directory, or is it the home directory?

No, it's only his home directory.

So it's the whole home directory?

Yes, the whole home directory. Of course, maybe you could have only a part of it, but nobody demanded that. The last one is deleting the user login, and this is, in this case, non-reversible. It will not be transferred to an attic or something like that. The user will be deleted, and a backup is made of the user directory so you can have this data, but the user himself will be deleted from the LDAP server. Next, please. So now we come to the group things. Groups are, by definition in this system, nearly the same as a user. The distinction is only in the role, not in the system. For example, you have here groups which were generated by the university, for example some statistics courses or something like that, and there has to be a way to supply data for the people who join the courses.
The courses: of course you can have classes, like the student classes, but you also have courses like, for example, this or something like that. And there has to be a method to supply data to the students, and the solution for this problem was to create logins which act as groups for normal users and which are only distinguishable from the other users by the role flag. So you can log in, for example, as GES and provide the data for the group GES, and then everybody who is in the group GES has the data of the group GES, because of, for example, a link or a mapping on the server, for example in a shell or something like that, which is applied when they log in, so they have their data on the basis of these groups. This is the reason why there is a password field in here: because you can have a login as a group, you have to have a password, and you may have to reset it or delete it. The other thing is: how do I add a user to a group or a group to a user? You can see this twice further on. There are several possibilities to do this. Of course, if you have a list you can write into the list the group the user should belong to, or if you do it on your own you can have a default group for the user and add the user to this group when adding the user himself. This tool here is for the rest of the cases. This means if you have a group and you have to take some people out of this group and put some people into that group. So you have three buttons here: list the members of the group, add somebody to the group, or delete somebody from the group. Of course there are several other possibilities to do this. For example, I think in the French community there was a request to have a tool for changing groups at the class changes every year. I wrote this tool, so we have a question which goes to every class: for example, now you are in class 6b, what do you want to do with these users?
Add them, or they are leaving, or they are joining the next class, or something like that. So you can also change the users at the class changes. This would be a little bit too much to explain in this short speech here. But there are several possibilities. Of course you can, like some schools do now, delete every user, get a new list and import them again. I think this is a possibility which is very widely used in the school community, but I don't think it is good manners for a user administration system to do it in this way. You can do it, of course. Yes, this was a very complex topic in very few words. There are a lot of questions about these user and group things.

Now here you have an email address and a group email address. If I write an email to a CIP course, does it go to more than one person also?

No. Actually, these are users. The email address in this system is only used on a user basis, because, for example, in the university they have an expiry date on every account, so they get mail when the account expires. But of course you can think about mailing list functionality in this kind of thing. Maybe one should make...

You have to make it.

Yes, well... The only thing is that you don't know what kind of mail system they use, and it's always different.

Yes. Every place is different.

Every place is different. So I didn't...

That's why we made a firewall, just to insulate the method from the rest, because there's always a discussion, so to speak; you meet obstacles connecting into the existing network.

Yes. There's always something. This is the reason why I didn't mess with this kind of stuff, because you can't find a solution which will suit everybody. This is a problem. If there is a common sense on this kind of stuff, please tell me and I will think about it.

So that's the problem: it's not common sense.

Yes, of course. So I'm sorry to say it shouldn't be like that, but that's true, and it's different everywhere.
And it's even different in a neighboring municipality compared to this one.

Yes.

And the reason for this is that it's not technical; it gets trashed in this kind of situation. I think it's a kind of social problem.

Yes. So it has nothing to do with...

As I often say: call an engineer, I have a social problem. It gets expensive.

It doesn't get that expensive. So the thing about this system is that it has to be very easy and cheap to operate.

Of course. That's the main issue. Make it very simple and cheap, and let Microsoft actively be as difficult as possible. Then you win.

Yes, of course. This is also the kind of thinking I meant when I said it should be as simple as possible, so I don't like to implement much of this here. So, next slide, please. One thing we developed in March or April this year, last year, sorry, for a school in... I don't know where. This was the possibility to control programs on a terminal server. The people in the school would like to have control over which programs may be started or not. So this was the answer to that. The idea was to have access control; they enabled ACLs in the file system. And of course the groups... I don't know, I just want to check. The people who are organizing groups and all this stuff are in the LDAP server. So you can enable, for example, this is a group name, NON, so it's really everybody, and servers. This was the kind of stuff they wanted to have. It's okay. Oh, you. It's very funny. But this is the kind of philology in this space. So you have a group called the servers, which are only guests in that school; they call them servers. So they have no rights, actually. And they want to have the possibility to say that the servers may have access to a browser. But what is a browser? So they have to define what a browser is, and they did it by this means: a browser is usable in Firefox and so on.
And if they push this button, this will be written, and the ACL will enable the rights for everybody in the group.

So what kind of file system do you use to handle this?

I don't know for sure. But maybe it's ext3 on the terminal server, or it's XFS, I don't know. Not very special. Whether you are allowed to use this program does not depend on the file system.

I can't say that. The ACL is dependent on the file system. And on that ACL is... I need a second. Yeah, so you need... if you haven't got this support, because we don't have enough groups, we have to control this manually when you are starting.

No, no. How do you do it?

You don't have enough groups, more than 32 of them.

Well, you have all the groups, and the network file system doesn't handle all the groups.

A network file system?

Yes. So you have to have a file system, even.

So not the file system. So the network file system is smaller than this?

Well, then you don't have a network to distribute the file system and the program.

I did not. So you do it with one terminal server; if you have two terminal servers, then what do you do? You have all the explaining to do.

Yes, yes. Yes, I know. They actually have more than one server, and enough. But I was not the person who implemented the server. I would just... It's kind of... He's upstairs.

He's upstairs. He can tell you in total how they solved this problem.

It's interesting, because teachers ask very much about how they should shut down some programs for this new group.

Yes, that is a good question. If they want to have all this administration, a regular teacher doesn't have time to handle this group. Somebody has to have the time to do that.

Yes, and I would like to... At least they were very keen to have this kind of... They use it also. We have to ask Martin before he answers how he managed this in the file system. But you get the basic idea of this kind of stuff. So next slide, please. This is also a kind of invention for this same school.
This is how to allow internet access or not. In this case, also with two groups, NON and servers. The idea was done with iptables. I can't go into detail, but I think there was a new chain, or block, for iptables, and they are based on the user, but the goal was to make this look like it was based on groups. So actually what this button does is: if you press the "servers OK" button, then the script will determine who is in the group servers and will disable every user in the group servers.

So it will turn off the internet access?

Yeah, for these users on the server. Yeah, maybe they are using the server. Yes. Or you have to... Well, I can imagine a setting where you don't have to use a terminal server, but this was a terminal server; we got this room for this kind of environment. Other things are also possible. Yeah. So this is a simple grid for a rather internally complex thing. But you can think of roles inside the system, and sometimes it is necessary to switch these roles. Of course, we have a lot of roles, as I told you before. Here you can see two users which are incidentally the same user, because this is a grid for changing the roles. Both, for example, means to be a pupil or teacher or tutor or assistant or whatever. And this is done with, well, a new LDAP attribute on the server where you can define who is what. This is the kind of stuff which is maybe different from other tools, because you also have the possibility to access this role with, for example, command-line tools: for example, list all teachers, list all assistants, list all whatever. This is a very neat feature, for example to wipe out every assistant's home directory or whatever. You can have a category of your users which depends on this idea. Sometimes you have to change this. For example, the assistant may be the person who wants to add clients, or maybe the tutor is the person who changes the group memberships.
So you can have access rights, for example, for these modules. In the first picture, only assistants are allowed to change clients or something like that. You can manage this kind of role-based thing in the system. This is why, for example, in the university they are all students, but some students have jobs from their professor as a tutor, and the professors don't like to work with the system, so they have to give the task to somebody less important. So the tutor has to choose who is in which group and something like that, and so we have to give normal students access rights which they normally shouldn't have. This is the reason we invented this role, actually this tutor role, and it works for us.

What's the difference between the role and the group?

Well, a group is a kind of place where you can share data; you have no special rights in the group. Actually, in the role you are also a group, but a group with role rights has special meanings in the system. If you are, for example, a tutor, and the module for tutor admin was assigned to tutors, then you can access this module. But you are in the group. So there are three kinds of things: if you take the user, the group and the role, you have three kinds of things to distinguish. You can be in a class, you can have the role of a pupil or a teacher, and still be in the same room. This is the reason why you have to distinguish between roles, users and groups; they are not the same. And now I won't go into detail; we could make it complex. Next please.
One thing we developed a little bit further was the skel mechanism, and I think for us we invented a new idea on this topic. The old system is nearly what we have here: a very simple idea. For example, you have roles, for example assistant, course, examination; these are roles for users. For example assistant, X70, guest, machine, NON, non-teacher, tutor; these are roles for users. So this is quite clear: if you are a student you have the role of a student and you get the skel of a student. This is a very simple thing. So where is the skel for a student? In Skolelinux, for example, it is in the students' home directory, not in /etc. So the role student is actually a user with this kind of thing. It's a little bit strange to think about, but actually the user "students" has his directory as the skel directory for every student. This is very easy to maintain, because you can log in as "students", copy a file into the students directory, and then every new student created by the system gets it. This is a very convenient thing. You can even customize the desktop by having files in the KDE directory somewhere, and every new student gets this kind of desktop. There is also a button, which I developed two weeks ago for a school here, where you can redo the whole thing so everybody gets a new desktop. This is a very nice thing. What the French idea was: of course we have students, but maybe we would like to distinguish a kind of infrastructure. For example, in Germany a school career is divided into three parts, Primarstufe, Sekundarstufe I and Sekundarstufe II, I think. So from year 1 to 4 it's one level, then 5 to 10 is the next level, and then the third level. They would like to have data which is only supplied for these people based on the level, so the simple skel idea wouldn't fit that need. So we have to copy things twice: for example, if one is a student and is in the fourth grade or level or
something like that, he will have another group, Z1, and he will get all the files from "students" and all the files from this user, so he will have a mixture of files from two sources. Of course it is the administrator who has to maintain these things; he cannot have two kinds of desktops, or if he has two files which have the same name, only one will survive, I promise you. So this may get a little complicated for the administrator, but it can also have a lot of benefits. For example, if you have a folder which says Z1 for every Z1 student, and you have a folder, for example, for "students", then of course you have two folders. You could say that you use it with KDE and WindowMaker, so in one you have the skel for KDE and in the other the setup for WindowMaker, and that isn't a problem at all if you are aware of these things. It is a nice feature if you have one administrator for 300 users.

Yes, but it is also not for other people, of course, such as an ICT manager who has one to four hours a week to operate all the users, and doing all this tailoring demands man-hours anyway; you can't run from it. So then you have higher maintenance costs; there are more people, there are more man-hours than in a more standard engagement, as we are meeting in Norway, because we don't have the man-hours.

You don't have to use this kind of stuff, of course.

Yeah, and that is the problem.

That's a good point, but the point is you are talking about the local administrator. Of course, if he has no time, over an hour a month or something like that, he would not do this. But the feature was also added because of making a French customized Skolelinux distribution, so if they want to have it, for example by means of a ministry or whatever, you have to have this kind of function, if they have the man-hours or cheap labor.

You can get three hours, as I already got from my teacher. If you have cheap people that work at half the price, as we do; we are working on translating OpenOffice, we work at half the price
compared to the same elsewhere, because of the taxes and so on, and they get none of the social benefits that people are owed here. So you can do that and you can get it at half the price, but I am telling you anyway that it has something to do with operational cost, and if you have cheap labor you can go off the market at the same moment.

Yes, of course, I get the point. I even think so: you have to pay.

It's not a problem that the options are there, because it's much easier than doing this by hand, copying files and remembering what we did last year, and everything gets blurred.

Well, maybe yes, but it's a kind of... for example, the administrators of our university do not like to think about where the files are and what to do. They are Windows users, they do not argue. So you just fill it out for them and say: just push the button and it's OK.

But I also have to say, in the university we have ten times more among the first students, sometimes to do more, and they can do it in a whole other manner than high-maintenance people, who you didn't know had low grades on helping users to use the system. When the university has users that know the system, they can spend more time using this system, or a French project that has this in focus, that really wants to do this because they believe this is the right thing to do. So it's a different user. You yourself don't need to use it; if you don't need it, you don't have to have this. And give it to them, that's free software.

Because it's free software, it's free software. I wouldn't say that administrators who want to copy files should do that. You can do that; it's stupid if you have the options.

Well, we can think about the possibility of disabling this, but I see the point. But if the administrators are able to do this, maybe he should not change this module; he can disable the whole module.

It's an interesting thing, because we have this tool that changes the menu; copied by hand it takes 1-2 hours, when pressing the button it's just done. So in that
perspective it can introduce flexibility that somebody wants to have, but they are not so caring; that's the right way, that has to be said.

The idea of this thing at the beginning was that it has to be fully automatic. That means when you create a new pupil in the system, he automatically gets the skel which was thought out for him, and you have nothing to do with that. If you want to change it, you can come there and change to another skel, but it's automatic: you just create your user and he gets the skel which was thought out for him, with all the software needed.

What we have done a lot in Norway is that we have, as we probably have done already, one menu for the first to the fourth grade, one from the fifth to the seventh grade, and one from the eighth to the tenth grade, and two different ways of doing skels. We have time to develop now; it really just fits. Personally, you have to have the experience, or you think of it, you have sold it: great, get finished with it, and that has to be well done.

Tailored for the French project we have a package which contains two skels, one for the first grade and the second for the seventh grade.

In my project this is a selling point. Very good, we have a French solution, people are going to know it; we are going to speak a lot of French in Norway. This is very good, it's finished, we have a French solution.

It's the French solution, but it's based on CAT.

What should we say: one thing is to do it and one thing is to propagate it. It's a French solution, okay. It's a compliment. It's an amazing thing, because it's easy to remember. It's not always true. I talked to Richard Stallman; he seemed to say to us that school students should have a clue about it, and we told him, well, we had this vote and he lost, because, you know, it's sometimes not the fact that people like it; it's important that people like it.

So my last words are about the documentation, which is under development, as documentation always is, but I would like to say that David did a lot of work to export the old kind
of guide into XML, and we would like to put this into a new system called ChangCMS, which will help us to translate this into English, French and also Chinese. We can translate it, but the idea of ChangCMS is a different thing: we have no master language. We can do it; it's a new system. We talked about the multilingual translation. So if one would like to have a deeper idea of, for example, CAT, you would not find it on the internet, actually; right now there is only a guide for someone who would like to install the system. Deeper insights are in /usr/share/cipux, I think, and these are the texts where the role structure and the complex things are described, I think in English.

Are you re-using the LDAP schema that's already there, or do you have your own LDAP schema?

I think mostly only the LDAP schema. I also re-use other LDAP schemas as appropriate, but sometimes it's not very good. For example, if you look at the MAC address for the DHCP server, then you will notice that the LDAP schema on this topic is very strange, because it will force you to write only capitals or only small letters in the MAC address field, and this is not what the RFC states. So to avoid errors, in practical life you just replace the LDAP schema in Skolelinux, and then you act only on the tip of the schema, and then you depend on it; you have to depend on it.

How do you change the switch from real to zero? I understand that, but then I have to ask how you re-use the LDAP schema.

Yes, they will keep the POSIX user LDAP schema and so on. So I think it's not a schema, it's just an addition.

An addition, yes.

There are some little differences between, for example, wlus, the tool, and CipUX. For example, you can change passwords for users with CipUX, but some things are not inside a normal user if you have, for example, a wlus user. OK, what question?