[LON-CAPA-admin] Multi-domain
Stuart Raeburn
raeburn at msu.edu
Fri Jun 20 15:50:39 EDT 2008
Hon Kie,
The acceptable values for the auth field are: krb4, krb5, internal and
localauth.
It seems to me that updating the auth field in the domain.tab entry
for the additional domain was not the reason why the multi domain
library server problem you reported was eliminated. It is more likely
that loncontrol and/or Apache restarts, or propagation of the DNS
change for k12-1.fsu.edu (Internet DNS not LON-CAPA dns), solved the
problem.
As far as I know default authentication information stored in
domain.tab is only used when (i) a new user is being added in a
LON-CAPA domain, and the "Create User" interface needs to display a
default authentication type, or (ii) to set the "Default
Authentication method" when a DC is using the "Modify course" menu to
configure course settings which are only modifiable by a Domain
Coordinator.
In the next release of LON-CAPA (2.7) changes to default
authentication type, default authentication argument (as well as
default language) will be made by a Domain Coordinator via the "Domain
Configuration" menu. With the move to centrally maintained
dns_domain.tab and dns_hosts.tab files, the aim is to empower domain
coordinators to be able to make changes for defaults in a domain via a
web interface, and to store that information in the configuration.db
file for each domain on the primary library server for the domain.
When using a CAS-type Single Sign On, there is the need to provide a
mechanism for users who need to be internally authenticated to get to
a URL of /adm/login instead of / (which will redirect to the external
SSO service for authentication). The "log-in again" link displayed on
log out can preserve this difference based on the existence of
$env{'request.sso.reloginserver'}. Your use of an index.shtml file is
a reasonable solution to the need for different URLs depending on the
identity of the virtual host.
An access server will need to communicate with a library server to
retrieve user/course information, and to permanently store user data.
Apart from display of the log-in page, when a default domain for
authentication is needed, it does not seem that the domain with which
the access server is affiliated is significant. The reasoning for a
"multi-domain" access server is presumably so that the use of aliases
for the server can trigger display of an appropriate default
domain (and logos), through the operation of
lonnet::default_login_domain(). This mechanism is currently used
successfully on multi-domain library servers in the LON-CAPA
production cluster.
It should be possible to configure a single domain access server to
display a default domain on the log-in page, based on an alias for the
server. However, its implementation could require some changes in
your network naming schemes. The solution proceeds as follows:
Create the following file on the access server:
    /home/httpd/lonTabs/expected_domains.tab
and add each domain which you wish to detect based on alias on a
separate line in the file. For example, add the following to the
expected_domains.tab file on loncapa.fsu.edu (fsua0):
    fsuK12
Request an alias of fsuK12.loncapa.fsu.edu to 128.186.7.151
(loncapa.fsu.edu) from your hostmaster.
These lines in lonnet::default_domain_login()
    my $testdomain=(split(/\./,$ENV{'HTTP_HOST'}))[0];
    foreach my $posdom (&current_machine_domains(),
                        &additional_machine_domains()) {
        if (lc($posdom) eq lc($testdomain)) {
            $domain=$posdom;
            last;
        }
    }
should cause a default domain of fsuK12 (and appropriate logos) to be
displayed for: http://fsuK12.loncapa.fsu.edu/adm/login
lonnet::additional_machine_domains() is the routine which extracts
domains from /home/httpd/lonTabs/expected_domains.tab.
Using this approach, fsua0 could remain a single domain access server,
but you could point fsuK12 users at an access server as well as a
library server for their sessions. Your index.shtml solution to avoid
SSO redirection would also be used on loncapa.fsu.edu as well as
loncapa10.fsu.edu.
Stuart Raeburn
MSU LON-CAPA group
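
A check for the auth values listed in the reply above, as an added example that is not part of the original message or of LON-CAPA: it reads domain.tab-style lines and reports entries whose auth field is not krb4, krb5, internal or localauth. The field order, the exact-match comparison, the check_domain_tab name and the sample entries are assumptions modeled on the domain.tab entries quoted in this thread.

```python
# Added example, not LON-CAPA code. Field positions are an assumption inferred
# from the domain.tab entries quoted in this thread: domain:description:auth:...
ACCEPTED_AUTH = {"krb4", "krb5", "internal", "localauth"}  # values listed in the reply


def check_domain_tab(text):
    """Return a list of (line_number, domain, finding) for suspect entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split(":")
        domain = fields[0]
        if len(fields) < 3:
            # Entry stops before the auth position.
            findings.append((lineno, domain, "no auth field"))
            continue
        auth = fields[2]
        if auth == "":
            findings.append((lineno, domain, "empty auth field"))
        elif auth not in ACCEPTED_AUTH:
            # Exact, case-sensitive match is an assumption of this example.
            findings.append((lineno, domain, "unrecognized auth value %r" % auth))
    return findings


# Constructed sample input (hypothetical domains and hosts).
SAMPLE = """\
# domain:description:auth:autharg:lang:city:longitude:latitude:primary
exk12:Example University - K12:internal::en-US:Springfield, XX:-84.28:30.438:exk12l1
ex:Example University:local::en-US:Springfield, XX:-84.28:30.438:exl1
exkrb:Example Kerberos Domain:krb5:EXAMPLE.EDU:en-US:Springfield, XX:-84.28:30.438:exl2
exold:Example Legacy Domain
"""

if __name__ == "__main__":
    for lineno, domain, finding in check_domain_tab(SAMPLE):
        print("line %d: domain %s: %s" % (lineno, domain, finding))
```
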
Quoting "H.K. Ng" <hkng at fsu.edu>:
> I found a partial solution. I have two servers that were re-configured.
>
> fsuk12l1 (k12-1.fsu.edu) is now part of fsul1
> and
> fsuk12a1 (k12.fsu.edu) is now part of fsua0
>
> When I added the auth field to the domain.tab on fsul1
>
> fsuK12:Florida State University - K12:internal::en-US:Tallahassee,
> FL:-84.28:30.438:fsuk12l1
> fsu:Florida State University:local::en-US:Tallahassee, FL:-84.28:30.438:fsul1
>
> By adding the auth field, it seems to solve the problem for the library
> server. But doing the same thing to the access server does not do
> anything. Question: What are the acceptable values for the auth field?
> I thought it is local, internal and unix. The fsu and the fsuK12 use
> different auth method so I modified the index.html file to point to
> index.shtml so that if a user types loncapa.fsu.edu it uses the cas
> otherwise it goes to the /adm/login screen. When I tested this on the
> development server, it seems to work fine.
>
> -hk
>
> At 10:48 AM 6/11/2008, you wrote:
>> At 10:42 AM 6/11/2008, you wrote:
>>> Hi,
>>>
>>> On Jun 11, 2008, at 9:08 AM, H.K. Ng wrote:
>>>
>>>>
>>>> Yesterday, I re-configured the fsuK12 servers so that they are now
>>>> part of the fsu domain. I followed the instructions as per e-mail
>>>> on lon-capa-admin posted Jan 10 2005 by Guy. Since I am merging an
>>>> existing library server (fsuk12l1) into another library server
>>>> (fsul1), I copied all the files under
>>>> /home/httpd/lonUsers/fsuK12 on the fsuK12 domain to the fsu domain.
>>>
>>> Under the fsu domain!? It needs to stay in its own tree!
>>>
>>> You need to have
>>>
>>> /home/httpd/lonUsers/fsu
>>> /home/httpd/lonUsers/fsuK12
>>>
>>> as well as
>>>
>>> /home/httpd/html/res/fsu
>>> /home/httpd/html/res/fsuK12
>>>
>>>
>>> Is that the case?
>>
>>
>> Yes, the files that were in fsuK12 users were copied to
>> /home/httpd/lonUsers/fsuK12, and the resources go to
>> /home/httpd/html/html/res/fsuK12.
>>
>> -hk
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin