[LON-CAPA-admin] Multi-domain

Stuart Raeburn raeburn at msu.edu
Fri Jun 20 15:50:39 EDT 2008

Hon Kie,

The acceptable values for the auth field are: krb4, krb5, internal and  

It seems to me that updating the auth field in the domain.tab entry  
for the additional domain was not the reason why the multi domain  
library server problem you reported was eliminated.  It is more likely  
that loncontrol and/or Apache restarts, or propagation of the DNS  
change for k12-1.fsu.edu (Internet DNS not LON-CAPA dns), solved the  

As far as I know default authentication information stored in  
domain.tab is only used when (i) a new user is being added in a  
LON-CAPA domain, and the "Create User" interface needs to display a  
default authentication type, or (ii) to set the "Default  
Authentication method" when a DC is using the "Modify course" menu to  
configure course settings which are only modifiable by a Domain  

In the next release of LON-CAPA (2.7) changes to default  
authentication type, default authentication argument (as well as  
default language) will be made by a Domain Coordinator via the "Domain  
Configuration" menu.  With the move to centrally maintained  
dns_domain.tab and dns_hosts.tab files, the aim is to empower domain  
coordinators to be able to make changes for defaults in a domain via a  
web interface, and to store that information in the configuration.db  
file for each domain on the primary library server for the domain.

When using a CAS-type Single Sign On, there is the need to provide a  
mechanism for users who need to be internally authenticated to get to  
a URL of /adm/login instead of / (which will redirect to the external  
SSO service for authentication). The "log-in again" link displayed on  
log out can preserve this  difference based on the existence of  
$env{'request.sso.reloginserver'}.  Your use of an index.shtml file is  
a reasonable solution to the need for different URLs depending on the  
identity of the virtual host.

An access server will need to communicate with a library server to  
retrieve user/course information, and to permanently store user data.   
Apart from display of the log-in page, when a default domain for  
authentication is needed, it does not seem that the domain with which  
the access server is affiliated is significant.  The reasoning for a  
"multi-domain" access server is presumably so that the use of aliases  
for the server can trigger display of an appropriate default  
domainb(and logos), through the operation of  
lonnet::default_login_domain().  This mechanism is currently used  
successfully on multi-domain library servers in the LON-CAPA  
production cluster.

It should be possible to configure a single domain access server to  
display a default domain on the log-in page, based on an alias for the  
server.  However, its implementation could require some changes in  
your network naming schemes.  The solution proceeds as follows:

Create the following file on the access server:

and add each domain which you wish to detect based on alias on a  
separate line in the file.  For example, add the following to the  
expected_domains.tab file on loncapa.fsu.edu (fsua0)


Request an alias of fsuK12.loncapa.fsu.edu to  
(loncapa.fsu.edu) from your hostmaster.

These lines in lonnet::default_domain_login()

     my $testdomain=(split(/\./,$ENV{'HTTP_HOST'}))[0];
     foreach my $posdom (&current_machine_domains(),
                         &additional_machine_domains()) {
         if (lc($posdom) eq lc($testdomain)) {

should cause a default domain of fsuK12 (and approriate logos) to be  
displayed for:  http://fsuK12.loncapa.fsu.edu/adm/login

lonnet::additional_machine_domains() is the routine which extracts  
domains from home/httpd/lonTabs/expected_domains.tab.

Using this approach, fsua0 could remain a single domain access server,  
but you could point fsuK12 users at an access server as well as a  
library server for their sessions.  Your index.shtml solution to avoid  
SSO redirection would also be used on loncapa.fsu.edu as well as  

Stuart Raeburn

Quoting "H.K. Ng" <hkng at fsu.edu>:

> I found a partial solution. I have two servers that were re-configured.
> fsuk12l1 (k12-1.fsu.edu) is now part of fsul1
> and
> fsuk12a1 (k12.fsu.edu) is now part of fsua0
> When I added the auth field to the domain.tab on fsul1
> fsuK12:Florida State University - K12:internal::en-US:Tallahassee,
> FL:-84.28:30.438:fsuk12l1
> fsu:Florida State University:local::en-US:Tallahassee, FL:-84.28:30.438:fsul1
> By adding the auth field, it seems to solve the problem for the library
> server. But doing the same thing to the access server does not do
> anything. Question: What are the acceptable values for the auth field?
> I thought it is local, internal and unix. The fsu and the fsuK12 use
> different auth method so I modified the index.html file to point to
> index.shmtl so that if a user types loncapa.fsu.edu it uses the cas
> otherwise it goes to the /adm/login screen. When I tested this on the
> development server, it seems to work fine.
> -hk
> At 10:48 AM 6/11/2008, you wrote:
>> At 10:42 AM 6/11/2008, you wrote:
>>> Hi,
>>> On Jun 11, 2008, at 9:08 AM, H.K. Ng wrote:
>>>> Yesterday, I re-configured the fsuK12 servers so that they are now
>>>> part of the fsu domain. I followed the instructions as per e-mail
>>>> on lon-capa-admin posted Jan 10 2005 by Guy. Since I am merging an
>>>> existing library server (fsuk12l1) into another library server
>>>> (fsul1), I copied all the files under
>>>> /home/httpd/lonUsers/fsuK12 on the fsuK12 domain to the fsu domain.
>>> Under the fsu domain!? It needs to stay in its own tree!
>>> You need to have
>>> /home/httpd/lonUsers/fsu
>>> /home/httpd/lonUsers/fsuK12
>>> as well as
>>> /home/httpd/html/res/fsu
>>> /home/httpd/html/res/fsuK12
>>> Is that the case?
>> Yes, the files that were in fsuK12 users were copied to   
>> /home/httpd/lonUsers/fsuK12, and the resources go to   
>> /home/httpd/html/html/res/fsuK12.
>> -hk
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin

More information about the LON-CAPA-admin mailing list