Stanford status for cartel

RLM, 97/06/24

Just a bunch of bullet items, mostly development projects, in no particular order, much left out, all IMHO, etc. Questions scattered throughout.

o General

The Infrastructure Program Projects page is at This page lists all official projects, including both techie distributed computing things (eg web security) and more strictly administrative stuff (eg data warehouse). "Infrastructure" is in the sense of support for administrative computing, primarily. Of course, some of the more interesting projects are the unofficial ones ...

This serves to point out, though, that ITSS as a whole is largely driven at the moment by the Core Financials project, which is now planning to close the books using the new General Ledger system in 9/98. This project is consuming lots of money and management time, and continues to push out its dates and reduce its ambitions. Sound familiar?

o SUNet ID

See for user info. Users do ID and account creation via web pages, also @stanford email setup. Kerb principal and directory entry created as part of transaction, other account stuff happens a little later. Hooked in with admin-supplied person status data so eligibility gets turned on and off automatically, in real-time (almost); warnings get emailed automatically when eligibility is expiring. Accounts can be sponsored for non-eligible folks, have to be paid for with Univ $$ accounts. IDs can be regular Kerberos principal or long-form (Bob.Morgan). Now a fairly smooth system after a year of operation. Next phase will do IDs for groups, depts, etc; still figuring out how to do this.

o Directory

Put up LDAP-based directory last year to support @stanford email-forwarding, using UMich slapd. This has worked well. Now expanding to do more app-oriented attributes. Not yet our user-visible directory, but should be by September or so. Business rules for updates in a Sybase Open Gateway front end. Using kerberized access-control features to allow serving "sensitive" data. Longer-term looking at commercial products with LDAPv3 support, eg Netscape; availability of Kerberos is a major concern.

o Registries

We're tackling the problem of putting up the one big central database for all people info to get correlated, drawing from HR, student systems, SUNet ID, ID card, etc. The motivation at the moment is providing a decent feed for the directory. Logical model is mostly done, political obstacles mostly dealt with. Starting to design registries for other things like groups, services, and recast some existing apps as registries, eg NetDB, the DNS/IP mgt system.

o DCE & Kerb 5

DCE will be "production" July 1, but still has no real apps waiting to use it. May use the (former) OpenHorizon Connection product to secure a database app that's deemed sensitive. DFS still the main candidate to make DCE useful, but has had some stability problems in testing so far. DFS is *not* part of the 7/1 rollout. We have a Transarc site license for lotsa stuff, but have not licensed PC/DCE.

DCE is our K5 KDC. Accounts get created in K4/AFS and DCE simultaneously, and password changes get made both places. If someone changes their password they're live in DCE/K5. Working on service principal management, distributions for end-user systems, etc.

o MacLeland, PCLeland (kerberos clients)

MacLeland has been static since Andy Maas left in 4/96. We're now touching it up a little to add S/Ident responder.

PCLeland working toward release this summer with Stanford code, will not include AFS access.

We licensed PC-Enterprise product from Platinum but have not distributed it. We're trying to work with them to improve the product, add PCLeland UI to it, so we can migrate to it. Still not clear if this will work out.

o Webauth

Our approach to doing Kerb authentication for web pages. No fancy logo (sorry) but it is in production, will be used by some serious apps (student registration, library catalog). Uses S/Ident (Sidecar-like) responder if you have it, or central "weblogin" page if you don't, so can work with complete vanilla client. Uses cookies, so can be confusing and scary. Working well in limited apps so far.
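The "uses cookies, so can be confusing and scary" point deserves a concrete shape. Below is an added illustration of the minimum a cookie-carried login token needs before a vanilla browser can be trusted with it: a keyed MAC so the cookie can't be forged or edited, an expiry so a stolen one is bounded, and the "secure" flag so it isn't replayed over plain HTTP. This is example code, not Webauth's own code or cookie format (the memo doesn't describe that); the cookie name, the shared secret and the 8-hour lifetime are assumptions.

```python
"""Signed, expiring login cookie: an added illustration of the cookie
hazard the memo mentions, not Stanford Webauth's own format."""
import base64
import hashlib
import hmac
import json

# Assumption: a server-side secret shared by every host that accepts the cookie.
SECRET = b"example-only-secret-do-not-ship"
COOKIE_NAME = "WEBAUTH_AT"      # hypothetical name
DEFAULT_TTL = 8 * 3600          # assumed lifetime, seconds


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(body: str, secret: bytes) -> str:
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def make_cookie(principal: str, issued_at: int, ttl: int = DEFAULT_TTL,
                secret: bytes = SECRET) -> str:
    """Encode who logged in and when it stops being valid, then MAC the encoding."""
    payload = {"p": principal, "iat": issued_at, "exp": issued_at + ttl}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_tag(body, secret)}"


def verify_cookie(cookie: str, now: int, secret: bytes = SECRET):
    """Return the principal if the cookie is genuine and unexpired, else None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    # Check the MAC in constant time before parsing anything from the body.
    if not hmac.compare_digest(tag.encode(), _tag(body, secret).encode()):
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or now >= payload.get("exp", 0):
        return None
    return payload.get("p")


def set_cookie_header(cookie: str) -> str:
    """Set-Cookie line; 'secure' stops the browser sending it over plain HTTP."""
    return f"Set-Cookie: {COOKIE_NAME}={cookie}; path=/; secure"


if __name__ == "__main__":
    c = make_cookie("bob", 1000)
    print(set_cookie_header(c))
    print(verify_cookie(c, 2000), verify_cookie(c, 1000 + DEFAULT_TTL))
```

The MAC is what makes the central weblogin page workable with a stock browser: the app host only needs the shared secret, not a round trip to the login server, and a user who edits the principal in the cookie (or copies the signature onto a different body) is simply logged out. What the MAC does not do is stop a cookie being lifted from a shared machine, which is why the lifetime is short and why the "scary" part of the memo is fair.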

o Web ops/apps support

Trying to meet needs of web-based apps from simple scripts to major systems, trying to keep from having separate admin/academic web environments. Much work on giving users on main (www-leland) servers access to reasonably useful scripting without letting them run amok. Big admin apps seem to be choosing Oracle Web Server approach, trying to work with that.

o Email

Eudora is client of choice for most; many folks still use ELM, etc, via terminal sessions too. Were testing Portola IMAP server and would have run it but damn they got bought by Netscape; hope the product emerges again. Still waiting for IMAP. Email service has been quite reliable; no major meltdowns in a long time.


Two groups of support-for-hire internal to campus: CAST does UNIX sysadmin, LiNCS does LAN stuff. Both quite successful, work alongside the "free" support folks in DCG and Networking. A model that will most likely expand.

o Transition from 36.* to 171.64.*

We decided we'd rather jump out of our class A space than be pushed. We're now at about 14K 36.* addresses and 13K 171.64 addresses actually in use. Actually relatively few 36.* addresses have changed, but all growth is in 171.64. Curiously, hardly anyone on campus cares, now that most of the ingrown 36-isms have been rooted out.

o Backbone upgrade

Thanks to largesse from the campus and from cisco, we're doing a massive new backbone, with 75XX routers and C5000s in a "hypercube" designed by some cisco deep thinker (contact for details). Links among components will still be 100Mb Ethernet for now, maybe ATM or SONET later. To be deployed this summer/fall. This will let us comfortably offer 100Mb connections to most buildings, though actually doing so is not part of this project. It will also prepare us for CENIC connection.

o CENIC
The California piece of the Internet2 pie. OC-48 rings in LA and SFBA, presents from Pac Bell. So we'll have 600Mb connection to UC. Wonder what we'll do with it. Bits should start flowing by the end of the year.

o Dialin

Decided not to upgrade our dialin service 2 years ago, instead cutting modest deal with Netcom for cheaper rates. Now Netcom is ending the deal, and ISPs are getting out of end-user dialin biz, so we may make the leap and put up a 56K service. Some XDSL trials going on.

o Core Financials

Using Oracle Financials apps, which seem to lag general Oracle technology by at least a couple of years. Were once planning on using their heavy-duty "smart client" UI, now hoping their web-based UI(s) will be usable in time. Oracle-provided authorization controls don't seem good enough, looking at outboard authz scheme. Oracle-provided workflow also not enough, looking at third-party products.

o Authorization and Workflow

Two related projects largely motivated by Core Financials, looking to replace/enhance existing mainframe capabilities. Worth noting that the mainframe-based authority/workflow functions are becoming network services de facto as mainframe apps start to have web front ends put on them.

Looking at the HP Praesidium product for authorization, still not clear it offers much of a win, but admin folks may sign up to use it anyway. Looking at Xerox InConcert workflow product.

Will be making basic affiliation/status info for people available via directory lookups, for apps to use in authz decisions.

o Printing

"Stanford CardPlan" lets you put $$ on ID card and debit it via vending machines, laundry, dining hall, etc. Now they want to do print-charging too, hence a requirement for better-authenticated printing, which we've never done much of. Love to hear successful stories of doing this.

o E-Commerce

Many campus offices really want to take credit cards on-line; thus far no organized approach to doing this, and no major front-runners either. Purchasing-process improvement ala MIT ECAT is attractive but is on-hold waiting for Core Financials. Any success stories elsewhere?

o Public-Key Infrastructure

Have looked briefly at products like Entrust, seem too heavy-duty. Interested in MIT kerberized CA experience. Hope to put up CA sometime in 98. Trying to see if PGP can withstand S/MIME juggernaut and become viable as campus-wide secure email standard. Anyone else deploying secure email?

o Windows stuff

Not pushing users to run NT. Not supporting cross-campus CIFS (hate that name). Still seriously short of Windows-advocacy in DCG. Not working with Microsoft on anything, as far as I know.

o Some items from Dennis Michael, Ops manager:

Database issues:


Login programs:

Security -- does anyone use Tripwire? On which machines? How? Central binaries/db, or install on each machine?
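To make the "central binaries/db or per machine" question concrete, here is an added example of what a Tripwire-style check actually consists of: a baseline of content hash, mode and size per file, a seal over the baseline so it can't be edited in place, and a diff against a fresh snapshot. This is illustrative code written for this page, not Tripwire's own code or database format; the key, the sample file tree and the simulated intrusion are constructed for the example.

```python
"""File-integrity baseline and comparison, in the spirit of the Tripwire
question above. Added example, not Tripwire's own code or database format."""
import hashlib
import hmac
import json
import os
import stat

# Assumption: key kept off the monitored host (or on read-only media), so a root
# compromise cannot quietly re-seal a modified baseline.
BASELINE_KEY = b"example-only-baseline-key"


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Hash + mode + size for every regular file under root (symlinks skipped)."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            db[os.path.relpath(path, root)] = {
                "sha256": _sha256_file(path),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return db


def seal(db: dict, key: bytes = BASELINE_KEY):
    """Serialise canonically and MAC it; a baseline anyone can edit proves nothing."""
    blob = json.dumps(db, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def baseline_intact(blob: bytes, tag: str, key: bytes = BASELINE_KEY) -> bool:
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode())


def load_sealed(blob: bytes, tag: str, key: bytes = BASELINE_KEY) -> dict:
    """Refuse a baseline whose MAC doesn't check out."""
    if not baseline_intact(blob, tag, key):
        raise ValueError("baseline database altered, or wrong key")
    return json.loads(blob)


def compare(baseline: dict, current: dict) -> dict:
    """Report what appeared, disappeared, or changed in content, mode or size."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes, mode: int = 0o644) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed tree: baseline it while clean, tamper with it, diff it."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b'#!/bin/sh\nexec /usr/bin/real-login "$@"\n', 0o755)
        _write(root, "etc/hosts.equiv", b"trusted-host\n")
        blob, tag = seal(snapshot(root))

        # Simulated intrusion: trojaned login, new setuid shell, hosts.equiv removed.
        _write(root, "bin/login", b'#!/bin/sh\n/tmp/.x\nexec /usr/bin/real-login "$@"\n', 0o755)
        _write(root, "bin/.sh", b"#!/bin/sh\nexec /bin/sh\n", 0o4755)
        os.remove(os.path.join(root, "etc/hosts.equiv"))

        trusted = load_sealed(blob, tag)   # verify the baseline before trusting it
        return compare(trusted, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The central-vs-per-host question is really about where three things live: the hashing tool, the sealed baseline, and the key that seals it. Leave all three on the monitored machine and a root-level intruder replaces them along with the binaries they were meant to watch; keep them on read-only media or a central host that pulls snapshots over the network and the check keeps its value. The example's `BASELINE_KEY` constant stands in for that off-host secret. Note also that `snapshot` ignores symlinks and directory entries, which Tripwire does record.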