Research and Development

User Management Rethought

A quick search on returns tens of user management systems for linux. Quite a few of them are based on ldap and many manage the old /etc/passwd -file, some are built on completely different principles. Many of these tools seem to have one thing in common - they are built around the underlying data storage and managing users with them requires one to know how the data gets stored and distributed. As we are dealing with schools many schools where none of the teachers know what /etc/passwd or ldap are, explaining the user management concepts needs a new approach. Often user accounts are modified only a few times a year so using the tools is close to once-in-a-lifetime event.

Most of the tools are generic user management tools and every company is a bit different. This explains the gazillion features that are built in the tools. When compared to companies schools are quite different. Or should I say the same - meaning all the schools function pretty much the same way. And this opens a huge potential to simplify the user management tools. One does not need to support every possible environment, but the user management flow used in the schools.

The first evolution of the user management tools we used were based on the smbldap-tools scripts. We went carefully through the process of creating documentation, giving hands-on training to admins and then giving support when the first problems arrived. After that we heard of no problems and that was because using command line tools was seen so cryptic that no-one dared to touch the system after a few months.

The round two was more succesful. Web based tool customised for schools - one creates schools and groups under them and then users are placed in the groups. School membership is determined automatically and groups can be nested. There's not a single option in the user interface to configure samba or kerberos settings - it's all done automatically. Home directories are also generated automatically when users log in for the first time. Admin creating the users does not need to know how the data is stored or what ldap or samba is. It just works. The code could be described as ugly, but users are happy. As a developer I can not be happy about the code maintainability, but happy users make the situation much nicer.

As the time passes, the requirements have been going up and now the various web based applications are all over. The problem for the round three is that the web tools are often built to use their own user databases. Managing five or ten user databases is not an option, but luckily tools like Mediawiki and Moodle support ldap. Setting up ldap requires currecntly quite a bit of skills and still getting the user experience streamlined would require working single sign on from the desktop to work also for web applications. The technology is there - kerberos, GSSAPI, CAS, OpenID, OAuth - to name a few. It all just needs to come together in easy to use packaging for unexperienced users to be useful. Researching all the possibilities has taken quite a bit of time, but I'm becoming certain, that the whole user management concept for schools can be rethought to make the whole process intuitive and take the pain away. The first two rounds have taught us something we think is valuable to others too. I hope there's a way we can get it out to the world to help others.

What's the killer feature that I'm missing?

Veli-Matti Lintu