
Feb 29
2008

Open Source in schools could save the taxpayer billions

Posted by jspencer in Power Consumption, Politics, Open Source Schools ICT, Open Source, Networks Databases, Linux, Internet Connectivity, Environmental, Email Calendaring, Elonex One, Desktops, becta, Advocacy

In a previous 2005 report the Government quango Becta showed that schools could effect considerable savings by making use of Free Open Source software such as Open Office. In their study they simply looked at 'like for like' software replacement using existing networks and computers.

Since this study we have seen the emergence of the new breed of ultra-portable Linux-based computers aimed squarely at the education sector and the inexorable build-up of Web 2.0 services such as Google Apps.

Elonex One

This week the Elonex One, a Linux-based laptop costing less than £100, was launched at the Education Show in Birmingham causing much excitement amongst the visitors and a very serious discussion about how best to support this new breed of Linux laptops in schools.

So much has changed so quickly that a model of Open Source school computing is emerging which could save the UK taxpayer billions of pounds and provide enormous opportunities for the home-grown technology sector based around Open Source software.

The problem

The Government does not produce figures for the total cost of ICT in schools. Our research shows however that when staffing and power use are included a typical secondary school will spend between £100,000 - £200,000 per year on ICT.

Scale this figure for the whole UK and it approximates to over £½ billion per year.

Contrary to common perception, however, only a small fraction of the cost of ICT in schools is spent on computers and software - 60% of the cost is on technical support and 20% on electricity.

Quite simply, school networks have become too complex for the purpose they serve.

The answer is to simplify the school ICT infrastructure and lower costs by outsourcing more services.

Outsourcing

Outsourced services based on free Open Source software such as e-mail, content filtering and remote backup are entirely appropriate to an education sector:

  • Content filtering using DansGuardian is very powerful and scalable.
  • E-mail using Open Source software is sophisticated, highly available and secure. Easy management of webmail and accounts using GOsa.
  • Rsync for secure, remote back-ups.

Examples of where such services already exist are a bi-lingual webmail system accessible to all schools in Carmarthenshire County and the fully managed web content filtering infrastructure available to all schools within the Yorkshire and Humberside region.

In both cases the use of free, Open Source technologies has driven exceptional value compared to similar systems deployed using proprietary software.

Simplifying On-Site Infrastructure

Much of the complexity and management burden to schools comes from the sheer number of computers needing maintenance - typically 100-500 desktop PCs and approximately eight network servers (file-authentication server, MIS database server, e-mail server, Intranet server, VLE server, thin-client server, web content filtering servers and a firewall).

But what ICT services do students really require from their school?

  • Access to suitable software for teaching and learning
  • E-mail
  • Safe access to the Internet
  • A home folder for personal file storage
  • Access to shared resources (e.g. Intranet, VLEs, Public Folders, Databases)

How does the emerging model for Open Source in ICT meet these essential needs?

  • The new low-cost Linux sub-notebooks have a very large range of Free Open Source applications already installed and many more available for free download, certainly enough for 95% of all educational needs. Many more applications are available on line through Web 2.0 technologies.
  • E-mail and safe Internet access will be outsourced.
  • Home folders and shared resources can be provided by one computer. By using Internet protocols and abandoning the venerable Windows SMB/CIFS protocols all of these services can be provided by one Open Source database/web server.

If schools moved their ICT to this model the spiral of ever increasing cost and complexity would be broken.

Becta, having twice warned schools against upgrading to Vista or Office 2007, has effectively signalled a halt to what has been an unbroken series of expensive and increasingly ineffective upgrades. It seems 2008 is the year when schools should take stock and rethink their strategic approach to ICT.

The rewards for change are very substantial. Schools would reduce their costs by 4/5ths producing not only an enormous saving to the taxpayer but making it possible to adapt to new developments in ICT and focus more resources on teaching. New opportunities would be created for the domestic technology industry and there would be far less dependence on dominant multinational suppliers.

Dec 10
2004

Directory Services: Part 2

Posted by tcallway in Networks Databases

This month's OPEN For Business! is the second in our LDAP mini-series. The series is about using directory services to make the administration of your network easier, and potentially, how to replace every bit of proprietary software you may have in the network with better Open Source software, plus how to tie it all together. Last month we covered what a directory is, and hinted at what you could do with it. This month we will look at the creation of a single user account base and single sign-on initially across all of your non-Windows systems (Linux, Solaris, MacOSX, FreeBSD, HP-UX, etc).

But first you need your LDAP directory!

The Open Source world is blessed with the simply fantastic OpenLDAP project. Led by Kurt Zeilenga, the author of most of the RFCs that actually define what LDAP is and how it works, the OpenLDAP server and related tools are one of our best-kept secrets. So it's about time we corrected that...

The OpenLDAP server is a full implementation of the LDAP definition, and has such a vast range of features that are soooo technically wonderful I could go on and on and on for ever. Let's just say it's lightning fast, superbly robust, and does simply everything you could ever need a directory server to do - but without the simply obscene price tag the proprietary vendors seem to enjoy attaching to these things. Of course it's Open Source too, which gives it transparency, extensibility, unlimited customisation potential, and it's guaranteed to never deviate from LDAP's defining standards - not like some other Directory products I could actively mention!

So we've got our OpenLDAP server. Let's get on with populating it!

As I mentioned last month, an LDAP Directory enables information about objects to be held in a tree-like organisational structure (a quick tip at this point - the structure you create to hold your users can be anything you like, we recommend you create one that reflects your actual organisational structure). You can then associate key pieces of information with these objects.

Time to make this real. The objects that we are interested in creating are users. If I asked you what your users consist of in IT terms, you'd probably tell me the standard stuff - username, password, home directory, access to this, denied access to that, email account with an email address, etc (funny old view we have of people, right?). Take some time right now, and you'll see that you can soon write a list of stuff defining what a user is on your network. So if we create an object in our directory that represents a user from the IT perspective, the attributes this object must have are the ones that are meaningful in an IT sense - and you've just listed them.

All this stuff is well understood, and well thought through. A central notion in the LDAP world is that of 'schemas'. You've probably noticed by now that I like to explain complex stuff in simple terms. I'm aware that there's a million and one subtleties, and my descriptions are not 'precise' in absolute terms, but we'll leave that argument to the pedants, my descriptions are good enough for where we're going. A schema is a big batch of definitions of well understood attributes, things like telephone numbers, email addresses and passwords. By registering a schema with your LDAP server you can then associate its definitions with your objects. Simple, right?

So we start by adding some schemas that represent people (our somewhat odd IT notion of what people look like that is!) and also that represent an account on a UNIX box. You now have a basic directory service, and you're ready to actually do something with it.

Now we need to move on to the boxes you want to authenticate to your shiny new Directory server. As mentioned, we're going to start with your UNIX, GNU/Linux and BSD machines. By default, these machines have a local account database (/etc/passwd) - a legacy from the early days of UNIX. This database is sometimes exactly what you need, but the truth is, in most cases it's a nightmare to manage. Imagine a network of 500 servers, each with its own user database, each of which needs visiting every time a change happens in your user population. Yuck! Traditionally UNIX solved this with systems like NIS, but this is not truly cross-platform in any trivial-to-implement way, and we want to do waaay better than that, especially when we bring our Macs and Windows boxes online!

The answer is Pluggable Authentication Modules, affectionately known as PAM. The notion is simple... Abstract the authentication layer so that your UNIX system can be authenticated by any method which has a PAM module. PAM makes the method look like traditional UNIX authentication. There are plenty of them, including MySQL, Radius, Kerberos and, for our purposes, LDAP.
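To make the schema and /etc/passwd discussion above concrete, here is an added example (not code from the original article) that turns local passwd lines into LDAP user entries in LDIF. The object classes `inetOrgPerson` and `posixAccount` are the standard ones chosen here for "people" and "an account on a UNIX box"; the base DN, the UID cut-off and the sample accounts are assumptions constructed for illustration.

```python
# Added example: map local /etc/passwd accounts to LDAP user entries (LDIF).
# BASE_DN, MIN_UID and the sample passwd lines are assumptions made up here.
BASE_DN = "ou=People,dc=example,dc=org"
MIN_UID = 1000  # assumed cut-off: accounts below this stay local (root, daemons)

# Attributes each class requires (RFC 2307 posixAccount; RFC 4519 person,
# the parent class of inetOrgPerson).
REQUIRED = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "inetOrgPerson": {"cn", "sn"},
}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
asmith:x:1001:1001:Alice Smith,Room 12:/home/asmith:/bin/bash
bjones:x:1002:1002::/home/bjones:/bin/sh
"""

def passwd_to_entry(line):
    """Return (dn, attrs) for one passwd line, or None if it must stay local."""
    name, _pw, uid, gid, gecos, home, shell = line.strip().split(":")
    if int(uid) < MIN_UID:
        return None  # keep root and service accounts out of the directory
    full_name = gecos.split(",")[0] or name  # GECOS may be empty
    attrs = {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": [name],
        "cn": [full_name],
        "sn": [full_name.split()[-1]],
        "uidNumber": [uid],
        "gidNumber": [gid],
        "homeDirectory": [home],
        "loginShell": [shell],
    }
    # The password field is deliberately not copied: hashes live in /etc/shadow
    # and are set in the directory separately, never written to an LDIF file.
    present = {k for k, v in attrs.items() if v[0]}
    for oc in attrs["objectClass"]:
        missing = REQUIRED[oc] - present
        if missing:
            raise ValueError(f"{name}: {oc} is missing {sorted(missing)}")
    return f"uid={name},{BASE_DN}", attrs

def to_ldif(passwd_text):
    """Render every directory-eligible account as one LDIF record."""
    records = []
    for entry in filter(None, map(passwd_to_entry, passwd_text.splitlines())):
        dn, attrs = entry
        body = [f"{k}: {v}" for k, vs in attrs.items() for v in vs]
        records.append("\n".join([f"dn: {dn}"] + body))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    print(to_ldif(SAMPLE_PASSWD))
```

The sketch assumes plain ASCII values with no characters that need DN or LDIF escaping. Keeping root and daemon accounts in the local database means a machine can still be administered when the directory server is unreachable.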

Simply better software:

Once your LDAP PAM is plugged into your machine, you can authenticate the underlying operating system against your new Directory. One account base across all your UNIX and GNU/Linux servers - how cool is that? Not only that, but FreeBSD (the world's finest web server!) has had PAM capabilities since release 5, and since MacOSX is based on a BSD core, it can participate in this scheme too. There's only one significant OS missing from your new account management paradise... It’s OK. Don't worry, we’re going to hit them next month! I'll show you how to extend your new Directory to enable logons to your Windows servers and desktops. These logons will be with exactly the same accounts you've just set up to enable logons to your UNIX, GNU/Linux and BSD machines. Single identity across all of your platforms - now won't that be nice?

We'll do all this without you having to buy one of those ridiculously expensive directory solutions from one of the proprietary vendors. It'll do it better. And it's all because it's simply better software.

Dec 10
2004

Directory Services: Part 1

Posted by tcallway in Networks Databases

This month's OPEN For Business! is the first in a mini-series. The series is about how to use Directory Services to make the administration of your network simpler and easier. We'll look at how to replace every bit of proprietary software you may have in that network with what we all know is a far faster, far more reliable solution, Open Source software. Then finally, and most importantly, I'll show you how to tie it all together into a network that really delivers, and that really provides, what the business wants and IT's users need.

First of all some background. Let's start with something that's often unpalatable - the truth.

The truth - would you start from where you are?

The truth about almost every network in the world is that it consists of a wild variety of disparate (or is that desperate?) technologies, platforms, operating systems and services. Timescales are always tight so bits have had to be tacked on here, kluged there and patched all over simply to keep pace with the latest business demand or new management strategy. So it’s all grown higgledy-piggledy over the years. Now ask yourself, if you had to do it again would you really want to start from where you are?

Even so-called 'Microsoft shops' rarely consist of a single build of Windows. Indeed, the truth about the Windows platform is that it's just as 'fragmented' as any other - you didn't really believe that Windows 3.1, 3.11, 95, 98, 98SE, 98ME, NT 3.51, NT4, 2000, XP Home, XP Professional, 2003, XP Reloaded (!) were perfectly interoperable or even similar operating systems did you? Then there's the never-ending barrage of Service Packs. It's best not to even think about what they do to the underlying technologies, protocols, or even file systems... Yep, the plain truth is that an operating system monoculture, even if it were desirable, only exists in the proprietary vendors' marketing brochures.

Now, add network services to this already heady cocktail and you've got what most businesses out there have: complexity in spades, constant fixes and upgrades, high cost, poor reliability. In short, a mess. Yet a mess that's absolutely crucial to business competitiveness and performance.

So what's a poor IT Director to do?

Well, there's certainly no shortage of vendors happy to 'advise' you, and to help you sort this lot out. Most vendors will tell you that their solution can integrate all of your various platforms, and that if you choose their solution everything will be "roses, roses!". Occasionally they even mean it! More often than not though, what they actually mean is that you have to chuck out all those 'non-industry standard' (this week!) platforms you've been dumb enough to accumulate and 'upgrade' to the best, all time favourite, greatest platform of today. Theirs. But at what cost?

Always remember - it's only lizards that can grow new arms and legs . . .

A shining light:

So is there any light that Open Source can throw on this issue? And is there a strategy for using Open Source to extend the life of your existing cocktail (if it ain't broke . . .), keep your options open for the future, and maybe even give you a clear roadmap to the future based on Enterprise Class Open Source solutions?

Funny you should ask that . . .

The common element in all IT systems is that your users need to use them. So the logical place to start is with a single source of user information. This is where Directory Services come in. All the vendors know this, which is why Microsoft's Active Directory, Sun's Sun One Directory, or Novell's eDirectory are touted as the cure for all network woes. Now is there a common element to all these products? You bet! It's called LDAP.

LDAP, or the Lightweight Directory Access Protocol, enables information about objects (most commonly users but also computers, printers, servers, pretty much anything), to be held in a tree-like organisational structure. You can associate key pieces of information with these objects, things like passwords, email addresses, HR information, home directories, and so on. Once you've done this you can use your directory as the basis for managing pretty much everything about your network. It's the Holy Grail!

One of the things Microsoft networks have historically done, and done reasonably well, is to give a form of single sign-on to the network and all its services (as long as they're Windows of course!). It's the basis of Windows networking's supposed 'ease of use' (along with GUIs for everything!). It comes with a price tag, however - and I don't just mean money. The thing is, if you use a Directory Service that locks you into a single platform (whether it's Sun, Microsoft, Novell, anyone), you've just slapped on a pair of lock-in handcuffs and dramatically reduced your options. And guess what vendors do when you run out of options . . .

Quite simply, for many tasks, non-Windows software does a far better job. But these days it's Open Source software that does the best job of all.

Simply better software:

Over the next few months, OPEN For Business! will show you how to build an entirely Open Source Directory Service. One that will give you options. I will show you how to do this and why you should want to. I will show you how you can integrate what proprietary vendors disparagingly call your 'legacy' systems (even though you appear to be getting perfectly decent service from them!), and how you can weld together multiple platforms, different generations of technologies, servers, services and desktops into a functional whole, without mortgaging your future to a roadmap your vendor tells you is "the one true way".

This is a big subject, so we're going to take several episodes to cover it. Here's a taster of what we'll do:

  • Single user account base and single sign on across all of your non-Windows systems (Linux, Solaris, MacOSX, FreeBSD, HP-UX, etc)
  • Extending this account base to offer the same accounts, home directories, passwords, etc to your Windows servers and desktops
  • Using the same accounts to manage access to key network services (email aliases and routing, Internet access, web server access, FTP, network file systems, the list goes on)
  • Extending your directory to represent groups, desktop PCs and workstations, printers and other objects
  • Using your directory for a company-wide single address book

It's simple, it's easy to do, it's fast and it's reliable. The business will absolutely love it and your FD will smile all the way to the bank. And all because it's simply better software.
