The tech team is working on implementing student accounts for Mac workstations. At present, all students log into a computer using a generic username and password. The main issue with this process is that all users have access to all files in the account, which allows students to delete files other than their own.
The solution is to use a separate directory service that has all user accounts, adult and student, and use this service for authentication. We used to do this using Apple’s Open Directory service and it worked pretty well for several years. However, Apple stopped supporting enterprise applications such as directory services, asking their users to use other tools such as Active Directory or OpenLDAP. In addition, serving student home folders over the wifi was more than the Apple file servers could handle, and there was a limit of 100 users that we routinely exceeded. We do still use the Apple Open Directory service for our staff wifi access.
Over the last year, we have been experimenting with a Linux-based, cloud-served OpenLDAP server. This server currently manages our print accounts. The tech team is experimenting at the high school with implementing this authentication server for our student Macs.
The new system will allow a student to log in on any Mac, at any connected campus, using the same password. However, any files created on that Mac will stay on that device, unless manually moved to the student’s Drive account or to an external device, such as a USB drive. We do not expect to support student remote home folders any time soon.
In addition, we will need to set up an email-based password change system so students can manage their directory account passwords.
Therefore, students will need to use the same computer each time if they want to use the files stored on that computer. This will require students to adhere to seating charts and to manually back up their files. The advantage is that students can work on large files, such as videos, without worrying that other students will damage their files through a common login. In addition, students will have access to classroom printing with a managed quota and print logging.
Password security and logging in and out of one’s account will also be critical for this process to be successful.
We hope to migrate our wifi authentication to this directory service by the end of summer.
The long-term goal will be to authenticate our Google accounts against this directory service, so that students will need one fewer password to remember, and can keep their accounts secure.