Have you considered using client certs to achieve single signon? Since apache has the "make it look like basic auth occurred" setting, it would be at least possible that this might do what you want. Of course it would require code on the xo, presumably added to the school server registration, to install a client cert in the browse activity. <br>
<br><div class="gmail_quote">On Feb 12, 2008 9:07 AM, Greg Smith (gregmsmi) <<a href="mailto:gregmsmi@cisco.com">gregmsmi@cisco.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Sulochan et al,<br><br>Thanks for the details and closing off a bunch of issues. I think we are<br>converging on a short term design. Time permitting, I'll create a new<br>wiki page this week showing the April design. The existing page can<br>
track the "Phase 2" design. Nice and simple for Phase 1 with XS doing<br>network access, basic web serving, caching and maybe filtering sounds<br>wise.<br><br>Here's what I see for phase 1:<br>- XS build 150 (unless Wad or someone else comes up with a must have<br>
reason and stable build in time)<br>- No SSO (also means no Moodle tracking by student, grade or group)<br>- 2 x XS servers<br>- No automated XO backup on XS<br><br>Let me know if you agree and we can revisit all in phase 2 with a newer<br>
XS build.<br><br>Still open questions on phase 1:<br>1 - Network design.<br>I think we need this based on Wads comment it's the only one supported<br>for >150 Xos:<br>(ISP)-------------(hub)---------eth0 [XS] eth1 ------------ (WiFi)----[<br>
XO ]<br><br>The only downside is when XS is down you're off the Internet and Library<br>server. A second Wifi AP between the hub and eth0 helps but requires<br>manual intervention (e.g. change WEP to open on XS failure). It also<br>
leaves the Internet open (aka no filtering) on XS failure. The 2 x XS<br>design may help but needs more definition.<br><br>Will you have 2 x DSL lines, one for each XS? Should we consider the<br>second AP on each XS or start with the design above? Does your DSL line<br>
ever go down and is that a major concern?<br><br>2 - 2 x XS design.<br>We need to define the "backup" scripts which allow one to backup the<br>other. Also need to spell out the domain name and web site design.<br>
Lastly, need to define how Xos "attach" to an XS and if we can/should<br>segment the mesh. Some high level options for 2 x XS boxes are:<br>- active/standby. Mirrored and may require manual intervention to bring<br>
up standby on active failure.<br>- active/active mirrored and load balanced by DNS, client (XO) config or<br>other<br>- active/active one for Grade 6 one for Grade 2 with each serving the<br>other grade on failure. Needs client config or other method to load<br>
balance with Xos sticky to the right XS for their grade.<br><br>I think Tony has been commenting on the last option but we need another<br>level of detail for that to make phase 1.<br><br>3 - On Squid. I think you want a full Moodle, library and activities<br>
store on the XS. That keeps your XS useful even if DSL line is down. In<br>this case, Squid is mostly for transparent proxy (TP = close to the<br>user, caches everything and saves WAN BW)). Also some reverse proxy (RP<br>
= close to the server, caches server content only, offloads server CPU<br>and HD). I think you can add some commands to the squid.conf to do the<br>RP and persist the Library server content. That way, even if the kids<br>
surf the Internet and cache a whole bunch of stuff the Library and<br>Moodle is always local on the XS.<br><br>Maybe squid experts know the command to persist (aka flush last) a<br>domain name? Also, can a squid expert confirm how to ensure cached<br>
content gets served even if the origin domain is unreachable?<br><br>If you have a second box in the school you could run Squid on one and XS<br>on the other. That keeps content local and does TP and RP. Only down<br>side is it needs more HW (more points of failure), network and<br>
management. I would start with Squid on same box as XS for simplicity.<br><br>FYI on some good links:<br>I noticed a bunch of new activities on Nepal page.<br><a href="http://www.olenepal.org/activities_download.html" target="_blank">http://www.olenepal.org/activities_download.html</a><br>
<br>Cross posting this from the developer list:<br>For the archives and those interested, the scripts Uruguay used for<br>their deployment are in git at:<br> <a href="http://dev.laptop.org/git?p=projects/ceibal-scripts;a=tree" target="_blank">http://dev.laptop.org/git?p=projects/ceibal-scripts;a=tree</a><br>
<br>I hope to actually get a complete build image at some point. (Thanks<br>for cjb for pointing these out to me.)<br> --scott <a href="http://cscott.net/" target="_blank">http://cscott.net/</a> )<br>*******<br><br>Let me know if you want a translation. We probably need a point person<br>
to write Nepal install scripts too. That will force us to define some XS<br>details (e.g. domain names, XO home pages, directory structures for<br>activity store, etc.).<br><br>On Wiki updates, thanks for the edits/additions and keep them coming.<br>
I'll try to spend an hour cleaning and editing on Friday. I also owe<br>more edits/comments on redundancy design.<br><br>Thanks,<br><br>Greg S<br><br>PS sorry for the long post again! Let me know if the list see this as<br>
SPAM and wants me to toggle it back.<br><br>_______________________________<br>From: sulochan acharya [mailto:<a href="mailto:sulochan@gmail.com">sulochan@gmail.com</a>]<br>Sent: Tuesday, February 12, 2008 1:46 AM<br>To: Greg Smith (gregmsmi)<br>
Cc: <a href="mailto:server-devel@lists.laptop.org">server-devel@lists.laptop.org</a><br>Subject: Re: [Server-devel] Nepal Server Open Issues<br><div><div></div><div class="Wj3C7c"><br><br><br> Nepal team - here are a few questions, suggestions and decisions<br>
needed:<br> 1 - Need to decide ASAP if we will deploy the new XS image or<br>the<br> current one. Also, please confirm if we have two XS boxes in the<br>school<br> or one.<br><br>>>Yeah i think we are going to use two XS boxes in each school, for<br>
redundancy purpose as proposed by Tony and others.<br><br><br><br><br> 2 - I suggest that people try upgrading their XS to the latest<br>image and<br> take notes on how its done. Even if we deploy OLPC_XS_150.iso it<br>
helps<br> to have docs on to re-image. We want to know what Nepal or user<br>specific<br> content can be preserved. We may also want to upgrade modules<br>one at a<br> time. Does anyone know of docs or best practices on upgrading<br>
whole<br> boxes or by components for LAMP servers?<br><br>>>The latest stable built is 150, and yeah we can update modules through<br>yum.<br><br><br><br><br> 3 - Need closure on SSO. Pending Martin's comments on the<br>
applicability<br> of the existing paradigm, you should pick a solution. Sounds<br>like John W<br> suggests no user tracking or possibly one of the work arounds.<br> See item 3 at this link for proposed workarounds:<br>
If it's a workaround we better clarify which right away.<br><br>>>I dont see SSO working anytime soon. It would be great to have it,<br>because it would solve quite a few auth problems. If Ivan can make it<br>
work great, but we should not depend on it at least fot the test phase.<br><br><br><br><br> 4 - Based on SSO decision you need to confirm what kind of<br>Moodle<br> interface and services will be in phase 1. My main question is<br>
if we<br> will use Moodle to access activities.<br><br>>>Needs testing. Will update later.<br><br><br><br><br> 5 - On the school network. Can you confirm if we can get 2 x<br>router +<br> wireless Access points per XS? We need to flush out the failure<br>
cases<br> and the available HW will have a big effect on that. Let us know<br>what HW<br> is in place. If ts just a matter of buying a few Linksys<br>routers, I<br> think we can find a way to do that.<br>
<br>>> The network structure might be a little different. Please take a look<br>at the attached file and let me know what you guys think.<br><br><br><br><br><br><br>>>Moodle does not handle IP based authentication.<br>
<br>>>I am attaching a file that shows cache and xs structure for the pilot.<br>I think its a good idea to run proxy and content on different machines.<br>On a long run it becomes more efficient to do it like that. It also<br>
reduces content handling and traffic processing on the XS. What do you<br>guys think?<br><br></div></div><div><div></div><div class="Wj3C7c">_______________________________________________<br>Server-devel mailing list<br>
<a href="mailto:Server-devel@lists.laptop.org">Server-devel@lists.laptop.org</a><br><a href="http://lists.laptop.org/listinfo/server-devel" target="_blank">http://lists.laptop.org/listinfo/server-devel</a><br></div></div>
</blockquote></div><br><br clear="all"><br>-- <br>"Always do right," said Mark Twain. "This will gratify some people and astonish the rest."