Project planning meeting - 23 August 2006

Present: Stuart Yeates (SY), Graham Klyne (GK)

Last report: SakaiVre/PlanningProgress/20060807

This report: SakaiVre/PlanningProgress/20060823

Next meeting: Mon, 4 Sep 2006, 09:00. SakaiVre/PlanningProgress/20060904

1. Agenda

2. Activity since last report

Progress in the last period has been limited. GK has been away travelling for part of the period, and SY has been involved in OSS Watch's reaction to the slashdotting of an OSS-commissioned survey. Also, the conversion to Debian is proving more complicated than expected.

2.1. Actions closed or completed

20060301.9

[GK] Port SPIE Shibboleth/WSRP (cf. work by Jasper Tredgold) to Sakai: (Waiting for 20060301.10) Install Shibboleth/WSRP software locally, and convert to work with Sakai. The main remaining unknown is to get Shibboleth attributes into the Sakai portal framework - this has been separated out as a new action 20060619.3. No further progress. The value of WSRP is cast further into doubt by this message from Charles Severance: http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:119:200607:nelfnlficidkopiknchj. Closed; not completed - it is looking almost certain that this WSRP deployment will not be achieved within the current project plan, and that alternatives will get close enough for the purposes of the demonstrator project.

20060705.2

[SY] Investigate OUCS procedures for spinning up new shared trial facilities. Closed; not completed - this action now seems unimportant to achieving project objectives.

20060807.3

[GK] Contact Alistair Young and advise him that we'd like to take advantage of his Guanxi/Sakai work, providing feedback and further testing to help harden this software. Done. See http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:156:200608:gddpkpmonkgpgmkebbab.

20060807.4

[GK] Contact CCLRC partners with a view to creating a bilateral Shibboleth authentication federation between our Sakai sites. Done. See http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:157:200608:laofpmofgobopljlikoi.

  • GK has had a series of email contacts with Steven Carmody, part of the Internet2 Shibboleth team, who has expressed some reservations about our adoption of Guanxi, and would prefer us to follow an approach that is more closely aligned with Internet2's own development plans. In particular, he is concerned that Guanxi may not track the Shibboleth 2 developments. (If true, this would be a reason to not use Guanxi, since the longer-term goals for Shibboleth deployment do include the "n-tier" problem, devolved access to non-web-facing services, which is not possible using Shibboleth 1.3.) The current state of discussion can be seen at http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:165:200608:bihclbidpgaegckidjfj.

  • Added information about Sakai authorization architecture and Shibboleth integration to the page at SakaiVre/SakaiUserDirectoryProvider.

  • A problem was experienced with the new Sakai virtual machine, but this appears to have been a problem with the network interface in the host system.

2.2. Actions progressed

20060807.2

[GK+SY] Transfer Sakai installation to a Xen virtual machine on the SPIE system hardware. The new virtual machine is running Debian Linux (a supported kernel is necessary for reliable operation under Xen). The change to Debian is throwing up a few issues of system configuration that we need to work through. We'll keep the old machine running for a while as a Shibboleth test machine. See //wiki.oss-watch.ac.uk/DebianNotes and 20060721.2. We have started this migration. Tasks still to be completed include:

  • Install IPTables configuration. Done. See DebianNotes.
  • Install SSHBlack. Done. (Description of installation on Debian still needed.)
  • Install and configure HFS backups. Done. Manual backups working; need to check whether weekly backups work.
  • Install Postfix. Done.
  • Install Logwatch. Done.
  • Configure Logwatch messages.
  • Configure auto-updater. Done.
  • Install and configure Apache.
  • Install and configure Tomcat.
  • Install and configure JK connector.
  • Install and configure Shibboleth SP.
  • Install and configure Sakai.

See discussion. See also SakaiNotes, ShibbolethInstallNotes and TomcatNotes.

2.3. New activities and notes

(No new activities)

2.4. Summary of ongoing actions carried forward

20060721.3

[SY+GK] Modify and document Sakai configuration to persist user database. (Currently, new users added to Sakai are lost on each restart of the system.) The configuration change seems really easy: see http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:135:200607:pfcnekgcelolllgcmnmp. This change needs to be applied to Sakai when the new installation is complete (see 20060803.2).

20060301.5

[SY] Analysis of search requirements. (On hold while we focus our efforts on the Shibboleth/Sakai integration.)

20060619.1

[GK] Initiate process of SDSS federation credentials. Have obtained an SDSS CA certificate, but have not yet joined the SDSS federation. See http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:84:200606:hbmpafckdeclpnjmmgmb. The current plan is to enroll the new machine as an SDSS SP (using the new certificate obtained), and use the SPIE IdP, which is already enrolled with SDSS. Dependent on action 20060807.2.

20060619.4

[GK/SY] Write Shibboleth configuration document, in particular showing how the various configuration elements and functions are inter-related. Also, note the relationship between Shibboleth and the eduPerson attribute schema, noting in particular Shibboleth's treatment of attributes as a flat namespace, coupled with their more structured interpretation by Shibboleth-using applications.

20060807.1

[GK] Write up things learned about Sakai authentication and authorization structure and the consequent options for integration with Shibboleth.

20060807.2

[GK+SY] Transfer Sakai installation to a Xen virtual machine on the SPIE system hardware. The new virtual machine is running Debian Linux (a supported kernel is necessary for reliable operation under Xen). The change to Debian is throwing up a few issues of system configuration that we need to work through. We'll keep the old machine running for a while as a Shibboleth test machine. See //wiki.oss-watch.ac.uk/DebianNotes and 20060721.2. We have started this migration. Tasks still to be completed include:

  • Install IPTables configuration
  • Install SSHBlack
  • Install and configure HFS backups
  • Install Postfix
  • Install Logwatch
  • Configure Logwatch messages
  • Configure auto-updater
  • Install and configure Sakai
  • Install and configure Shibboleth SP

3. Discussion

3.1. Conversion to Debian Linux

The conversion to using Debian Linux is taking longer than expected, mainly due to Debian's approach of requiring the installer to specify all aspects of the installation, rather than providing some useful defaults that work for a large majority of installations like ours. This means that many of the supporting facilities that we have become used to in Red Hat Linux are not installed on the base Debian system (e.g. firewall configuration), and it is not always obvious what additional packages should be installed to supply the expected functionality.

The good news is that the resulting system should be better tuned to a particular purpose, and unneeded packages that could present security or maintenance problems are not included.

3.2. Exchanges with Steven Carmody (Internet2)

GK has exchanged a series of emails with Steven Carmody from the Internet2 project. They are interested in Shibboleth-enabling Sakai as a key enabler for Shibboleth in education, but they too are being hampered by Sakai's slightly eccentric approach to access control. Our analyses of the problem space are gratifyingly similar. The current state of our discussions is fairly well represented by this message: http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:165:200608:bihclbidpgaegckidjfj.

Of particular note, Steven has expressed reservations about our likely choice of Guanxi to handle the Sakai/Shibboleth integration. One important point he raised in this respect was that we don't know if the Guanxi project is committed to tracking Shibboleth 2 developments; this could be important because Shibboleth 2 or 2.1 is likely to offer features that help us with the "N-tier" authentication problem (also known as "constrained delegation", though that term is apparently not strictly correct).

3.3. Shibboleth configuration document

We briefly discussed the planned Shibboleth configuration document. SY has sketched some diagrams that describe high-level aspects of deployment and component interaction, which will surely be useful in introducing the system to administrators. GK mentioned that he wants to include a diagram that describes the various configuration files that need to be edited, and the dependencies between them, since this seems to be the most difficult aspect of getting a Shibboleth deployment right. (Maybe this would be useful and/or popular if prepared as (say) an A3 poster?)

4. Notes for next meeting

(Matters arising following the planning meeting.)

-- GrahamKlyne 2006-08-23 09:28:29

OSSWatchWiki: SakaiVre/PlanningProgress/20060823 (last edited 2013-04-15 13:56:19 by localhost)

The content of this wiki is licensed under the Creative Commons Attribution-ShareAlike 2.0 England & Wales Licence.

OSS Watch is funded by the Joint Information Systems Committee (JISC) and is situated within the Research Technologies Service (RTS) of the University of Oxford.