Integrated Laboratory Network Management System

Takao ShimomuraUniversity of Tokushima

Dept. of Info Sci. & Intel. Syst.Tokushima

JAPANsimomura@is.tokushima-u.ac.jp

Quan Liang ChenUniversity of Tokushima

Course of Info Sci. & Intel. Syst.Tokushima

JAPANquan@is.tokushima-u.ac.jp

Nhor Sok LangUniversity of Tokushima

Course of Info Sci. & Intel. Syst.Tokushima

JAPANsoklang@is.tokushima-u.ac.jp

Kenji IkedaUniversity of Tokushima

Dept. of Info Sci. & Intel. Syst.Tokushima

JAPANikeda@is.tokushima-u.ac.jp

Abstract: This paper presents a Web-based system that automates some processes to connect machines to a net-work, create accounts, mount remote home directories, set mailing lists, and so on by cooperating with multipleservers, and describes its implementation. By introducing this novel system, a lot of task has been reduced com-pared with the conventional administrative tasks, and it has become easier for users to create and change their ownaccounts and connect their machines to the network without login.

Key–Words: Account, Administration, AJAX, Network, Web

1 Introduction

There are some tools that help system administra-tors administer machines and networks using graph-ical user interface and Web interface, such as Web-min, Nagios, iDNS-MS, DNS Ontology, Friendly-RoboCopy, and Digital Evidence Bag. Webmin [1]is a Web-based interface for system administration forUnix. Using a Web browser, we can setup user ac-counts, Apache, DNS, file sharing and so on. It is aconvenient tool that can be used to make a variety ofsettings after an operating system and several serversare installed on a machine. A Webmin server runswith the privilege of the system administrator (root),and directly updates system files. User accounts arecreated by the system administrator (or a Webminuser). As a result, when the system administrator cre-ates a new account for a user, he needs to set a tempo-rary password for that new account, and then he needsto inform the user of the temporary password in someway. After that, the user also needs to change the tem-porary password to set his own password. In Web-min, all accounts included in “/etc/password” file areadministered, and therefore it cannot classify user ac-counts according to the groups of a laboratory. WhileNisWeb system this paper presents is user-oriented,Webmin is administrator-oriented, and does not have

the concept that each user can administer his or herown account. Nagios [2] is a monitoring tool for ma-chines, services and networks. We can examine thestatus of networks, resources of machines, and per-formance of services using a Web browser. iDNS-MS [3] is a unifying environment for providing plau-sible answers to help solve the complex DNS man-agement problems or alleviate these DNS administra-tion loadings. It is developed by using web interfaceand expert system technology. DNS Ontology [4] isa unifying framework for supporting intelligent DNSmanagement using web interface and expert systemtechnology to help inexperienced administrators in in-suring the smooth operation of their DNS systems.RoboCopy [5] is a tool for the extraction and foren-sic preservation of a subset of data on target com-puter systems. FriendlyRoboCopy provides an effec-tive, user-friendly interface to RoboCopy. Digital Ev-idence Bag [6] is a universal container for digital ev-idence from any source, and used to diagnose systembehaviors. It allows the provenance to be recorded andcontinuity to be maintained throughout the life of theinvestigation.

This paper presents a Web-based system that au-tomates some processes to connect machines to a net-work, create accounts, mount remote home directo-ries, set mailing lists, and so on by cooperating with

Proceedings of the 7th WSEAS International Conference on Applied Informatics and Communications, Athens, Greece, August 24-26, 2007 188

multiple servers, and describes its implementation.By introducing this novel system, a lot of tasks havebeen reduced compared with the conventional admin-istration, and it has become easier for users to createtheir own accounts and connect their machines to thenetwork.

2 Requirements

In laboratories at university, the machines students canuse are arranged in student rooms, computer rooms,and laboratory rooms, and those machines are con-nected with each other through a network. Studentsuse their machines in student rooms to develop soft-ware. They use machines in computer rooms todemonstrate software to other students and visitors,and use machines in laboratory rooms to use them inspecific environments. It would be better for studentsto log in any machine in the same way. That is, astudent should log in any machine with the same ac-count and password, and use the same home direc-tory although this home directory might exist on an-other machine (Requirement 1). The file system thatis used as a home directory may exist on either a stu-dent’s machine or a shared machine. In our depart-ment, account names are also used as the user namesof mail addresses that have the common domain nameof the department (is.tokushima-u.ac.jp). That is, themail address of a student who has account “venus” be-comes “venus@is.tokushima-u.ac.jp”. Therefore, ac-count names should be unique among not only a lab-oratory but also the department (Requirement 2). Pre-viously, the system administrator created accounts fornew students by using administrative commands. Toreduce the loads of the system administrator, a newstudent should create his or her own account and settheir passwords (Requirement 3). To fulfill these re-quirements, we have developed a Web-based labora-tory management system “NisWeb”. The NisWeb sys-tem cooperates with DHCP, DNS, NIS, NFS, AutoFS,Web, DB and Mail servers to automate the processesthat create accounts, set mailing lists, connect ma-chines to the laboratory network, and mount remotehome directories.

On sysM machine in the computer room, DHCP,DNS, NIS, NFS servers and the NisWeb system thatcontains Web server, DB server and a system daemonare running. On sysS machine in the computer room,the slave servers of DHCP, DNS, and NIS, and mailservers such as STMP, POP are running.

3 Implementation

3.1 Flexible home directory mount

We would like to enable a student to log in anymachine with the same account and password, andto use the same home directory even if this homedirectory exists on another machine. For exam-ple, suppose that student stdX wants to mount ashis home directory the default home directory “/ex-portb2lab/local/stdX” that sysM machine provideseven if he logs in any machine. Student stdY wants tomount the home directory “/home/stdY” of her ownmachine stdY as her home directory even if she logsin any machine. As shown in Fig. 1, when studentstdX logs in a machine, his home directory will be“/b2lab/local/stdX”, and the default home directory“/exportb2lab/local/stdX” that sysM machine pro-vides will be mounted at “/b2lab/local/stdX”. Whenstudent stdY logs in a machine, her home direc-tory will be “/b2labremote/stdY”, and the home di-rectory “/home/stdY” of her own machine stdY willbe mounted at “/b2labremote/stdY”. To realize thesefunctions, the NisWeb system makes use of NIS andAutoFS servers and automates these settings (Re-quirement 1).

The NisWeb system creates NIS maps for theNIS master server on sysM machine as shown inFig. 1. It specifies mount points “/b2lab” and“/b2labremote” in “/etc/auto.master” file. It defines“/etc/auto.home” file so that the default home direc-tory “/exportb2lab/local” that sysM machine provideswill be automatically mounted at “/b2lab/local”. Itdefines “/etc/auto.remote” file so that the home di-rectory “/home/stdY” of machine stdY will be auto-matically mounted at “/b2labremote/stdY”. This lineof “stdY -rw stdY:/home/stdY” will be dynamicallyadded to “/etc/auto.remote” file when student stdYcreates her own account. In this situation, we can-not use “/home/stdY”, which is commonly used as amount point, instead of “/b2labremote/stdY”. The rea-son is because the file system will be recursively re-ferred to if stdY machine joins in the NIS service as aNIS client.

3.2 NisWeb system configuration

Figure 2 shows the NisWeb system configuration.NisWeb server is running on sysM machine. Be-cause NisWeb server is a Web server, it is runningwith the privilege of an ordinary user. It cannotdeal with such processes as creating accounts that re-quire the privilege of the system administrator (root).To execute such processes, we have determined torun a NisWeb daemon. The NisWeb daemon is ar-

Proceedings of the 7th WSEAS International Conference on Applied Informatics and Communications, Athens, Greece, August 24-26, 2007 189

sysM home

mount

any (login: stdX)

/b2lab /local/stdX

sysM

/exportb2lab/local/

stdX

remote home

mount

any (login: stdY)

/b2labremote/stdY

stdY

/home/stdY

/etc/auto.master

/b2lab yp:auto.home

/b2labremote yp:auto.remote

sysM

/etc/auto.home

local -rw sysM:/exportb2lab/local

/etc/auto.remote (Dynamically changed)

stdY -rw stdY:/home/stdY

(c) Nis server settings

(a) Default home directory

(b) Remote home directory

Figure 1: Flexible home directory mount

ranged in “/etc/rc.d/init.d” directory, and is automati-cally started at the system boot time. NisWeb serverasks NisWeb daemon to perform some processes thatrequire the privilege of the system administrator suchas creating and deleting accounts.

Students can log in any machine, and accessNisWeb server on sysM machine by using Webbrowsers. When a Web browser sends NisWeb servera request for creating an account, NisWeb server willask NisWeb daemon to create the account through thesocket communication. By executing various kinds ofscripts, NisWeb daemon will perform such processesas creating accounts, mounting remote home directo-ries, and setting mailing lists.

The following procedure shows how to create anaccount for a user.(1) Obtain an encrypted password from an enteredplain password by using MD5 algorithm.(2) By executing “/usr/sbin/useradd” command, addan account name, the encrypted password, and a homedirectory name to the “/etc/passwd” file (See Fig. 3(c)).(3) By executing addMount script to mount a remotehome directory, add a mount point and a remote filesystem to the “/etc/auto.remote” file.(4) By executing makeNis script, update the Nis mapsand reload the AutoFS server.(5) By executing addLabML script, add the accountname to “/etc/postfix/labML” mailing list on sysMmachine.(6) Add the account to account DB table (See Sec.3.4).

NisWeb server (adm) NisWeb daemon (root)

access

request

execute

execute

update

update

any (login: stdX)

Web browser

sysS

/etc/postfix/labML

/etc/auto.remote

cd /var/yp; /usr/bin/make

/sbin/service autofs reload

Script files

addMount

removeMount

makeNis

addLabML

removeLabML

sysM

laboratories account DB

Figure 2: NisWeb system configuration

A mail server Postfix is running on sysS machine.The mailing list of our laboratory is administered at“/etc/postfix/labML” file on sysS machine. When theaccount of a new student stdX is created, the accountname stdX will be added to the “/etc/postfix/labML”file so that a mail that is sent to labML@is.tokushima-u.ac.jp can reach the student stdX.

3.3 Introduction of account administrativetype

A laboratory has multiple professors, and each ofthem instructs multiple students in their research. Toeasily see which student is studying under which pro-fessor, we have determined to show a list of students’accounts so that they will be classified according totheir professors. To do this, we have prepared “lab-oratories” configuration file as shown in Fig. 3 (a),which defines professors’ names (name) and the titlesof the professors’ laboratories (title). The list of stu-dents’ accounts will be shown according to the defini-tion of this “laboratories” configuration file. In addi-tion, we have defined the following account adminis-trative types of professors so that professors can cor-rect students’ erroneous accounts and remove the ac-counts of the students who have graduated or finishedtheir courses.(1) “lab” typeProfessors can freely change and remove the accountsof the students they instruct.(2) “adm” type

Proceedings of the 7th WSEAS International Conference on Applied Informatics and Communications, Athens, Greece, August 24-26, 2007 190

simomura:X:6111:6100:Takao Shimomura:

/b2labremote/simomura:/bin/bash

azusa:x:7033:6500:Azusa Imai:

/b2lab/local/azusa:/bin/csh

quan:x:6943:6500:Quan Liang Chen:

/b2lab/local/quan:/bin/csh

...........

(a) laboratories configuration file

(c) /etc/passwd file

(b) account DB table

name account host home

simomura simomura simoln /home/simomura

simomura azusa sysM /b2lab/local/azusa

simomura quan sysM /b2lab/local/quan

ikeda ikeda sysM /b2lab/local/ikeda

...........

name type title

simomura adm Shimomura Lab.)

ikeda lab Ikeda Lab.)

...... ... .........

guest guest Guests)

Figure 3: Configuration files and a database table

Professors can freely change and remove the accountsof all students.(3) “guest” typeAny professor can change and remove the accounts ofthe students who study under the professor whose ad-ministrative type is “guest”.

The privilege of “adm” administrative type isgiven to the NisWeb system administrator. When any-one temporarily needs accounts for demonstrations,exhibitions, and experiments, they can make the ac-counts under the privilege of “guest” administrativetype.

3.4 Database table configuration

The “/etc/passwd” system file contains a lot of ac-counts other than students’ accounts. We would liketo show only the accounts of professors and studentsamong them. In addition, the students’ accountsshould be classified according to the professors un-der whom they study. To do this, the information thatindicates which student’s account belongs to whichprofessor needs to be recorded. Moreover, the infor-mation that indicates whether a student uses either thedefault home directory that sysM machine provides orthe home directory of the machine the student owns ashis or her home directory also needs to be recorded.

For these reasons, we have created an account DBtable that is shown in Fig. 3 (b) to record these piecesof information permanently. The name field of the ta-ble indicates the account names of professors; the ac-count field indicates the account names of the studentswho belong to the corresponding professors; and thehost field indicates the machines on which their home

directories exist. When a student uses the defaulthome directory that sysM machine provides, the homefield will record “/b2lab/local/accountName”; andwhen a student uses the home directory of the machinethe student owns, this field will record the student’shome directory on the machine. The NisWeb homepage will show only the accounts that are recorded inthis account DB table as a list of accounts. In thisway, the other accounts included in the “/etc/passwd”system file can be excluded.

4 NisWeb system

4.1 NisWeb home page

Figure 4 (b) shows an example of the NisWeb homepage. Its left frame contains some links to a helppage and several professors’ laboratories, and belowthem, a list of registered accounts, a list of registereduser IDs, how to connect machines to the network,and a list of host names. Its right frame shows alist of students’ accounts that are classified accordingto the professors under whom students study. Whennew students come to the laboratory of this researchgroup, they can create their accounts by clicking onthe “Create New Account” button on the right of thecorresponding professors’ laboratory titles (Require-ment 3). When they want to change or delete their ac-counts, they have only to click on the “Change” buttonon the right of their account names. When professorswant to change or delete their students’ accounts bythe privilege of “lab” administrative type, they haveonly to click on the “Manager Login” button on theright of their laboratory titles.

4.2 Creating, changing, and deleting ac-counts

When a new student comes to the laboratory andclicks on the “Create New Account” button on theright of his professor’s laboratory title, a pop-up win-dow will appear as shown in Fig. 5. Only by enteringan account name (venus), password (*****), and thestudent’s name (Venus de Milo), a new account canbe created. The other options will be automaticallyset by default (See Fig. 5 (b) and (c)). A group IDwill be automatically set, which is b2staff (6100) fora professor, and student (6500) for a student.

When student stdY wants to use the home di-rectory “/home/stdY” of her own machine stdY asher home directory even if she logs in any machine,she will check the “Remote mount” radio button,and specify “stdY” for the “Machine name” field,and “/home/stdY” for the “Directory” field. In this

Proceedings of the 7th WSEAS International Conference on Applied Informatics and Communications, Athens, Greece, August 24-26, 2007 191

(a) Japanese NisWeb home page

(b) English NisWeb home page

Figure 4: Examples (English and Japanese) ofNisWeb home page

case, she will need to add the following line to the“/etc/exports” file on her stdY machine to make herhome directory “/home/stdY” public to the laboratorynetwork.

/home/stdY 192.168.0.0/24(rw)

For example, suppose that student stdX wants tomount as his home directory the default home di-rectory “/exportb2lab/local/stdX” that sysM machineprovides even if he logs in any machine, and thatstudent stdY wants to mount the home directory“/home/stdY” of her own machine stdY as her homedirectory even if she logs in any machine. In this case,their accounts will be shown in the NisWeb home pageas illustrated in Table 1 (See also Fig. 5 (d)).

When students click on the “Change” button onthe right of their account names, and then enter theiraccount names and passwords to log in the system,they can change or delete their accounts. The userauthentication is performed by encrypting an enteredpassword with the MD5 algorithm, and comparingthe encrypted password with that of the “/etc/passwd”file.

4.3 Unique account name input method

In our department, account names are also used asthe user names of mail addresses that have the com-mon domain name of the department (is.tokushima-u.ac.jp). That is, the mail address of a student who

(a) Create new account

(c) Account created(b) Confirmation dialog

(d) New account "venus"

Figure 5: Account creation page

has account “venus” becomes “venus@is.tokushima-u.ac.jp”. Therefore, account names should be uniqueamong not only a laboratory but also the department.All mail addresses of the department are managed inthe “aliases” file on IS machine of the department. Tofacilitate entering a unique account name, we have de-termined to show a list of account names that alreadyexist in the department by using the AJAX mechanismeach time a new account name is being entered (Re-quirement 2). While a new account name is being en-tered, the Web browser keeps sending the prefix of theaccount that has been entered so far to the NisWebserver. Then, the NisWeb server receives all latest ac-count names of the department from IS machine, andreturns only the account names that start with the pre-fix to the Web browser.

Let’s try to enter an account name “ikeda” in theaccount creation page in Fig. 5. Figure 6 (a) shows anexample of the account creation page when “i” is firstentered. Figure 6 (b) shows an example of the accountcreation page when “ik” has been entered.

Proceedings of the 7th WSEAS International Conference on Applied Informatics and Communications, Athens, Greece, August 24-26, 2007 192

Table 1: A part of account list

Account name Name User ID Group ID Home directory machine Home directory ShellstdX “Change” Student X 7001 6500 sysM /b2lab/local/stdX /bin/bashstdY “Change” Student Y 7002 6500 stdY /b2labremote/stdY /bin/csh

(/home/stdY)

(b) "ik" is entered

(a) "i" is entered

Figure 6: Examples of facilitating entering a uniqueaccount name

5 EvaluationIt has been easier to administer the accounts in the lab-oratory because we can easily see who are studyingin the laboratory and which student account belongsto which professor. Professors can easily remove theaccounts of the students who have left their laborato-ries. There will be no garbage left in the laboratorynetwork because not only their accounts but also theirhome directories, their mailing-list entries, and theirmail spools will be automatically deleted. Every year,several foreign students come to the laboratory, andthey also use this system without circumstance.

6 Conclusion

We have developed a Web-based NisWeb system thatcooperates with several servers to facilitate installingand connecting machines, and automate creating stu-dents’ accounts. This paper has presented an adminis-trative method that makes a Web-based NisWeb servercommunicate a system daemon. Because the NisWeb

server is running with the privilege of an ordinaryuser, it asks a NisWeb daemon to perform the pro-cesses that require the privilege of the system admin-istrator (root). Java serialization mechanism is used inthis communication. If its port number and the con-tents of the serialized objects are revealed, illegal ac-cesses could be possible. Especially, if the NisWebserver and the NisWeb daemon are running on differ-ent machines, it might cause a serious problem for se-curity. This problem should be solved by encryptedsecure communication.

References:

[1] Jamie Cameron. Webmin.http://www.webmin.com/, 4 2007.

[2] Ethan Galstad. Nagios. http://www.nagios.org/,4 2007.

[3] Chien-Liang Liu, Shian-Shyong Tseng, andChang-Sheng Chen. Design and implementationof an intelligent dns management system. Ex-pert Systems with Applications, Vol. 27, No. 2,pp. 223–236, 8 2004.

[4] Chang-Sheng Chen, Shian-Shyong Tseng, andChien-Liang Liu. A unifying framework for in-telligent dns management. International Journalof Human-Computer Studies, Vol. 58, No. 4, pp.415–445, 4 2003.

[5] Claire LaVelle and Almudena Konrad. Friend-lyrobocopy: A gui to robocopy for computerforensic investigators. Digital Investigation,Vol. 4, No. 1, pp. 16–23, 3 2007.

[6] Philip Turner. Applying a forensic approachto incident response, network investigation andsystem administration using digital evidencebags. Digital Investigation, Vol. 4, No. 1, pp.30–35, 3 2007.

Proceedings of the 7th WSEAS International Conference on Applied Informatics and Communications, Athens, Greece, August 24-26, 2007 193