Deploying Netscape’s Collabra Server

Collabra Server runs on a number of Unix platforms and Windows NT. It shares a common administration server with Netscape’s other SuiteSpot servers: Enterprise (Web), Messaging (mail), Calendar, and Directory. If you download the Collabra Server evaluation kit from the Netscape site ( http://www.netscape.com/download) and install it on a machine that has no other SuiteSpot servers running, you’ll end up with both Collabra Server and Administration Server running. Administration Server’s responsibilities include managing users, groups, keys, and certificates. Its installer asks what kind of directory service you want to use. If you’re running Directory Server, choose that. If not, you can use a local LDAP directory. All the SuiteSpot servers will be able to talk to that local directory, but you won’t be able to create your own directory-aware applications, as we did in Chapter 11. Figure 13.4 shows the Administration Server’s main screen, with both Directory Server and Collabra Server installed and running.

Administration Server, managing Directory Server and Collabra Server

Figure 13-4. Administration Server, managing Directory Server and Collabra Server

Creating Users and Groups in Collabra Server

SuiteSpot server administration is web-based. You access the Administration Server on a port that it selects randomly when it installs—in this example, 14483. All communication paths can be SSL-encrypted. You can run Administration Server in SSL mode, requiring browsers to establish secure connections to it. You can run Directory Server in SSL mode, so that all LDAP connections to it—from any of the SuiteSpot servers or from your own LDAP-aware applications—must be encrypted. Finally, you can run Collabra Server itself in SSL mode, as we’ll see, so that newsreader-to-news-server traffic will be encrypted.

You can create users and groups interactively from the Users and Groups tab of Administration Server’s main screen. A faster and easier method, if you’re running Directory Server, is to create an LDIF load file and add entries directly. Example 13.2 shows a sample load file that defines users and groups for our Ronin Group example.

Example 13-2. An LDIF Load File

dn: uid=Ed,o=RoninGroup
cn: Ed
sn: DeJesus
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
userpassword: {SHA}W8r/fyL/UzygmbNAjq2HbA67qac=

dn: cn=RoninGroupUsers,o=RoninGroup
objectclass: top
objectclass: groupOfUniqueNames
cn: RoninGroupUsers
uniquemember: uid=Ed,o=RoninGroup
uniquemember: uid=Sally,o=RoninGroup

dn: cn=RoninGroupAnalysts,o=RoninGroup
objectclass: top
objectclass: groupOfUniqueNames
cn: RoninGroupAnalysts
uniquemember: uid=Ed,o=RoninGroup

dn: cn=RoninGroupSales,o=RoninGroup
objectclass: top
objectclass: groupOfUniqueNames
cn: RoninGroupSales
uniquemember: uid=Sally,o=RoninGroup

To add these entries, click the Directory Server button on the Administration Server’s main screen and select Database Management Add Entries. Type the name of the load file and the admin password you assigned when you installed Directory Server, then click OK to load the entries. Note that you can preassign SHA-encrypted passwords; see Chapter 12, for examples of how to do this encryption.

Creating Discussion Scopes in Collabra Server

To carve out the discussion scopes, click the Collabra Server button on the Administration Server’s main screen and select Discussion Groups Manage Discussion Groups OK to invoke the Discussion Group Manager shown in Figure 13.5.

Defining discussion scopes in Collabra Server

Figure 13-5. Defining discussion scopes in Collabra Server

To control visibility and access, select the root newsgroup and select Access Control Rules Edit. On the ensuing screen, select Authenticated Users/Groups Only and click OK. Now, on the access-control screen for the root newsgroup, set Allow Role Of: to (Deny). At this point, you’ve configured the server to be able to do authentication, but you’ve denied authenticated users all privileges in the root newsgroup and any new newsgroups you create under it. Why the blanket denial? In terms of Collabra Server privileges, it’s easier to giveth than to taketh away. This scheme ensures that as you create newsgroups, you can grant precisely the permissions that you want them to have.

Next, select the root group and click the New tab to create a new newsgroup. Use Access Control Rules New Rule to override the permissions inherited from the root. Figure 13.5 shows the situation after creating watercooler, thinktank, and saleslounge. The second access-control rule for thinktank says that members of the group analysts can read and post to that group; nobody else can. The Continue box is checked, which means that newsgroup hierarchy created under thinktank will inherit this rule. Using the same procedure, you can associate the group sales with the saleslounge newsgroup, and the umbrella group users with the watercooler newsgroup.

Now Collabra Server is set up to authenticate according to these rules, but it won’t do so until you turn on access control. To do that, click the Access Control tab on Collabra Server’s main admin screen. Turn access control on and check Require Authentication on First Connect. Stop and restart the server to apply these changes.

Other Configuration Tasks for Collabra Server

To disable expiration, click the Expiration tab and select Edit Never Expire Articles. To index the newsgroups, select Discussion Groups Full Text Indexing. Type any name (e.g., my-indexer) into the Index Identifier: field and click OK. Now select Server Preferences Technical Settings and set the Organization: field to your company’s (or department’s) name. You can adjust the frequency of indexing on this screen too, but the choices are limited, ranging from every 15 minutes to hourly. Even an hourly indexer run gets to be a lot of work for the server, so unless you absolutely require up-to-the-hour indexes, you might want to schedule the indexer to run nightly. You can’t do that interactively in the Administration Server. You’ll need to edit the file /netscape/suitespot/config/newstime.conf .[13] To index at 4 A.M., change the entry in newstime.conf for the indexsend command from AtInterval 60 (hourly) to AtHour 4 (nightly at 4 A.M.).

Now you’re almost ready to go, but if you’re running Collabra Server on NT and you’ve enabled NT’s TCP/IP port security, note that it’s not sufficient simply to leave port 119 open. Collabra Server uses some extra ports to talk to itself. If you don’t open these too, the server will seem to work until you try to post, and then it will squawk about an “NNTPlocalconnect” error. Should you abandon NT port security? I wouldn’t recommend that, especially if your NT box is directly exposed to the Internet. Instead, add these extra ports to the ones that NT permits, using Control Panel Network Protocols TCP/IP Properties Advanced Enable Security Configure. Collabra Server uses the first two available ports after the reserved range 1-1024. On my NT box it takes 1027 and 1028. You can check Collabra Server’s log (Reports View Server Log) to verify which pair it’s using. While you’re at it, open up another pair of ports—the ones that the built-in search server uses. The rule for these is 5000 + (2 * Collabra Server port). In other words, if you’re running Collabra Server on port 119, then the first search server port is 5238, and the second is 5239.

Note that although NNTP servers conventionally run on port 119, and INN has to, its modern derivatives can run on any port you specify. Likewise, the Microsoft and Netscape newsreaders can connect to NNTP servers on any port. Why does this matter? If you offer a public discussion area on port 119, some people won’t be able to get to it, because their corporate firewalls don’t allow traffic on that port. One of the arguments in favor of web-based conferencing is that it can reach more people than NNTP conferencing can, since firewalls almost universally permit traffic on the HTTP port 80. But this isn’t really an application issue—web service versus NNTP service. It’s a port issue—80 versus 119. If you can’t reach everyone you need to on 119, try running your NNTP server on port 80.

Advertising Newsgroups to Users

Running news service on a nonstandard port may confuse users. Even when you’re running on the standard port 119, it can be difficult to get people to find and use newsgroups. How can you advertise the discussion service to users? There’s a hard way and an easy way. The hard way involves explaining the following procedure:

  1. Launch the newsreader.

  2. Add a new host to the list of hosts to which it subscribes.

  3. Specify the NNTP port on that host, if nonstandard.

  4. Select the new host and view its list of offered newsgroups.

  5. Subscribe to one or more groups.

Here’s the easy way: publish a URL like news://udell.roninhouse.com/public on a web page. Or, if you’re using a nonstandard port, news://udell.roninhouse.com:80/public. Both the Netscape and Microsoft browsers will automatically perform all the steps shown earlier when referred to this kind of URL. It’s a great way to avoid not just one long-winded explanation but several. That’s because the procedure for manually attaching to a news server and subscribing to its groups differs between the Microsoft and Netscape newsreaders.

A web page that presents a set of these quick-start news URLs is also an opportunity to define the purpose of each newsgroup that you offer. Who’s invited to contribute and why? Should HTML be used freely, sparingly, or never? Are attachments permitted? Is the group searchable, and if so, how? Lotus Notes has an excellent feature called the policy document—it’s a special record in every Notes database that answers these kinds of questions. You can likewise begin every NNTP newsgroup with a posting that serves as a policy document, but it’s also a good idea to provide a summary web page that lists all the newsgroups you’re offering, spells out the policies for each, and gives quick-start access to the groups. Note that if you publicize an SSL-protected newsgroup in this way, you need to use snews:// instead of news://.

Securing Collabra Server Newsgroups

The Netscape counterpart to Microsoft’s Key Manager is a command-line tool called sec-key , which lives in /netscape/suitespot/bin/admin/admin/bin. Run it to generate a key pair; save the resulting certificate signing request (CSR) in a file; submit the CSR to a certificate authority (again, this can be your own CA or a commercial one); and save the signed certificate issued by the CA in another file. Then, from Administration Server’s main screen, select Keys & Certificates Request Certificate, complete the form shown in Figure 13.6, and submit it.

Requesting a server certificate in Collabra Server

Figure 13-6. Requesting a server certificate in Collabra Server

If you elect to mail the request, the Administration Server prints it to the screen and saves it to a file. Depending on how your CA works, you can cut the text from the screen and paste it into the CA’s request-processing form or mail the CSR to the CA. When the CA sends back a signed certificate by one or another of these means, save it in a file. Then, back in the Administration Server, select Keys & Certificates Install Certificate, paste the contents of the file into the form, and submit it. Review the information on the ensuing screen, then click Add Certificate to install your new server certificate. Finally, restart the Administration Server and all its dependent services to complete the procedure.

Now you can enable SSL encryption in Collabra Server. Go to the Collabra Server admin screen and select Encryption Activate Connection Security On. The default port changes from 119 to 563, which is the standard port for secure NNTP. Click OK, then shut down and restart Collabra Server to bring it back up in secure mode. Note that you can no longer restart Collabra Server by way of web-based administration. You have to be at the server’s console so that you can type the password that protects the server’s private key; Netscape’s security policy regards that password as sacrosanct and will not allow it to travel over a wire. Remember, finally, to add the secure NNTP port to any local, router, or firewall filters that need to know about it.

Searching Collabra Server Newsgroups

For Netscape clients only, Collabra Server offers a really slick integrated search capability. From the Message Center select Edit Search Messages to invoke the search dialog shown in Figure 13.7.

Searching newsgroups in Collabra

Figure 13-7. Searching newsgroups in Collabra

From the list of mail folders and news servers, choose the Collabra Server instance that you want to search—in this example, it’s localhost(secure), a secure instance of Collabra Server running on my local machine. You can restrict searches to the Sender:, Subject:, or Date: fields or choose any text for a full-text search. In this example, I’ve authenticated to the server as user Ed, a member of the analysts group. In response to a search for LDAP, I’m shown Ed’s postings in thinktank and Sally’s postings in watercooler, because I have access to both areas. But if I authenticate as Sally, a member of sales, only Sally’s LDAP posting will appear, because members of that group can access watercooler and saleslounge but not thinktank.

Collabra Server’s search mechanism is clean, simple, and effective—provided, of course, that your users are all running Netscape clients. Netscape hoped that the NNTP protocol extensions that support Collabra Server’s search feature would be adopted more widely, but so far that hasn’t happened. What can you do if you’re not playing to a homogeneous audience of Netscape clients? Remember that NNTP newsgroups are just docbases—that is, text files with headers. You can index them with any web indexing tool just as you index web pages. Of course, you’d have to do extra work to filter search results according to the permissions held by an authenticated user performing a search.

Searchable private newsgroups are an incredible resource. The old adage applies, though: you get out of it what you put into it. As a member of a three-person development team, I habitually posted many of the key project-related web pages and emails that I handled every day. Sometimes the goal was to communicate this information to my team in a centralized way; sometimes it was just to save it for my own future reference. Whatever the immediate motive, our team’s newsgroups always served both purposes at once. In effect, our department had its own Usenet forums and its own Deja.com-like memory of those forums. If you’ve never worked this way, you’re missing out on one of the most powerful productivity benefits that networked computers can deliver.

Using NNTP Replication with Collabra Server

Although we’re not concerned in this book with conventional newsfeeds, Collabra Server does support replication—even between a regular and an SSL-enabled server. And it makes replication much easier to set up than does INN. For non-SSL replication, select Discussion Replication Configure Replication Host and name a replication partner. In the SSL case, you also need to make sure that the necessary CA certificate is in Collabra Server’s database of trusted signers, so that the replication process will be able to accept the server certificate presented by a replication partner. You use the admin server’s Keys & Certificates Install Certificate function to tell Collabra Server to trust a CA that it doesn’t already trust. Like browsers, Collabra Server trusts a number of commercial CAs by default, so if you use one of them, this extra step isn’t necessary.

NNTP replication is powerful stuff, and it remains useful—even in today’s wired world—as a way to push data around on marginal networks. For example, suppose that some of the Ronin Group’s satellite offices are served by skinny and slow Internet pipes. When newsgroups are used to exchange not only text messages, but also large binary attachments—images, Acrobat .PDF files, software updates—direct interactive use of a single server in the central office can be painful. In this situation, store-and-forward technology still has an important role to play. The existence of the Usenet proves that NNTP can move more data in this way than any individual company is likely to require. Collabra Server domesticates INN’s newsfeed mechanism into something that an average network administrator can comfortably handle.



[13] Not all of Collabra Server is configurable from the GUI admin screens, just as not all of the MS NNTP service is. In the former case, you edit text files, Unix-style. In the latter case, you poke around in the NT registry.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
100.28.132.102