Steven D. Brewer's blog

Since I arrived at UMass, we haven't had a good mechanism to keep track of who's using the BCRC. There was a practice of having people sign-in on paper sheets, which we continued on inertia, but it was never very satisfactory. People just scribbled whatever. Sometimes sheets weren't available. The sheets got lost. And, in the end, it was not a very useful form for data. At the end of the year, I would sample the data and do an analysis to estimate usage in the BCRC.

I had pushed for years (practically since I arrived) to have student accounts that we could use to have students log into the workstations. But with the technical staff stretched as thin as they are, I could never get the issue high enough on the list of priorities to make it happen. When we began working in the ISB, I finally prevailed on George to let me just build the infrastructure we needed. We did pilot-testing last spring and this spring, we're actually doing the deployment. There's still a lot of work to be done, but finally, we're building accounts in a form that we can use them to have students log into our workstations. The generic login is still available, but soon everyone will be required to use a real account to login.

What we still didn't have was a mechanism to record the login data somehow. I had been thinking about the problem for a while and decided that the easiest thing would be to have each computer use curl to talk to a webpage on the server with the information: all we need is the username and the name of the workstation. That gets all the information to the server, but then how to record it. Writing to a flat file wouldn't work because you'd have multiple apache processes all trying to write the file at the same time. Using a database would be stupid because all you need is to write a stupid log file. Then I remembered that PHP offers an api for talking to syslog!

We set up a log local channel in syslog and I wrote a tiny script that just accepts the data and passes it to syslog. Now we have a log file that shows me each time someone logs in. No more sign-in sheets! At the end of the semester, we should be able to develop much more robust data about who's using the BCRC and all of our computer labs.

When they put Mark's Meadow up against a wall last year, the town just turned the other way while it was killed. Now they think I'm going support an override? Forget it.

I've written a print release system that we're using to manage printing in Biology. We have to run the print release system configured differently between wahoo (in the ISB) and snapper (in Morrill). On snapper it doesn't have Drupal as its parent and on wahoo, we have to have it manage queues on wahoo, but use the database on snapper to maintain page quotas, etc. Trying to keep a common codebase between the two installations is problematic. I'm trying to keep the configuration info separate from the code, but it's not perfect.

Since I last updated the print release system on wahoo, we'd been having odd problems. Occasionally, when you'd load one of the print release system pages, you'd get a weird error out of Drupal in the parent directory. (The error looked like drupal was trying to run as if it was inside the print release folder and it couldn't find its associated files to load). There didn't seem to be any correlation between which action you took and the appearance of the error. I did a lot of experimentation and eventually tracked it down (I think).

In the .htaccess file in the drupal directory, Drupal sets itself up to be the agent responsible for 404 errors. In the css file for the print release system, I was trying to load the background graphic from snapper (a picture of a snapper) instead of for wahoo (a picture of a wahoo). That graphic didn't exist on wahoo, and so it caused a 404 error. And the 404 error would prompt apache to try to invoke Drupal. And Drupal couldn't run in that context. Or something. I still can't figure out why it would only break the thing randomly. But it was a very weird manifestation of a simple, boneheaded problem which I think I have corrected.

One of the challenges that George and I confronted soon after I arrived at UMass was how to provision computer services to students. At the time, the Biology Department had two servers -- a Sparc 10 and a Sparc 20, I think -- and all accounts were built at the comment line manually by George once on each server. The Intro Biology course was among the first that wanted to have accounts and, with a population of 700 - 800 it was going to require some automation.

A brief aside: when I described what we were doing to Jack Wilson, who was then the director of UMass Online, before he became president, he asked why accounts weren't being generated centrally and I explained that there were no central accounts that students could be depended on to have because the fees to support the technology services were optional and some significant fraction of students chose not to pay them. That meant that, as an instructor, if you wanted to be certain students would have a particular resource, you needed to build it yourself. We also didn't have any means of associating student usernames with individuals nor any standard way for us to check students' authentication either. But I digress.

George and I discussed what to do and drew up a plan to synchronize accounts between the two servers and to build student accounts only on the BCRC server. In order to avoid collisions with existing usernames, we added a digit based on the year of enrollment to the end of a username generated by munging first initial and last name together: the system would start out with sensible versions and then try various other permutations until it found one that was unique. Once a username was assigned to a student, they would get the same username from then on. George could then script building accounts and I mostly used imap to let students authenticate against the system.

A key challenge was resetting passwords. We chose to set students' initial passwords to their student number. I wrote a password changing script that used poppassd and we encouraged students to change their password. If a student forgot their password, I would reset it based on email from their @student account or if they visited my office with ID. The whole system was not perfect, but it worked reasonably well.

When we started using smb authentication for shared file space and printing, we had to start setting smbpasswords at the same time as unix passwords. Then, we added a new server in the ISB that needed to have some accounts replicated. Then we started building replacement servers for the Department and BCRC. At that point, I finally prevailed on George that we needed to have a central authentication system to bring some sanity to passwords. It was a constant problem for people to try to figure out which system they were authenticating against to debug problems: "Let's see... This is your smb on wahoo which should be the same as your SMB password on marlin, which might be the same as your email password, but might be different."

Last spring I set up ldap for the first time and we ran a pilot project in the ISB. We built all our usual accounts, but set samba on wahoo to authenticate against ldap. The original plan had been to merge our account generation stuff for undergraduates with the similar efforts in Chemistry. We share so many students and have shared resources in the ISB that it makes sense to merge how we provide authentication. Their system wasn't ready in time to use for last Spring, so we ran our pilot project. Then we were supposed to merge our systems over the summer, but we found at the last minute that we couldn't use their set up (because they hadn't built ldap with crypt or turned on the apple ldap schema we were using), so we postponed and reused the pilot work from the spring. I had hoped to make the merge happen over intersession, but there was another fly in the ointment.

While we had been using the student number as a password, Chemistry had been using it as a username. During security discussions with OIT, they indicated that we probably shouldn't be using the student number at all -- but especially not as the username. OIT does now provide accounts to all students now and furthermore they were willing to give us rosters with student usernames and to open a means for us to check student authentication for the purpose of setting the same username with either the same or different password at the student's choice for our use.

Over break, I set up a new authentication server for ongoing ldap services and build a password setting script that let's students authenticate using pubcookie and sets our ldap password. I had hoped to get the structure consistent with Chemistry but we couldn't get a response from them in time, so we just went forward with the same structure we'd been using for our pilot project. But we also migrated all of our permanent accounts into the system, rebuilt the account generation scripts to use the new roster format (which includes the NetID), modified everything to point at the new ldap server, and built 3750 student accouts. So far, the system is providing authentication for samba file service and printing on two servers, our print-release system, and duck.

There's still more to do: we still have to get shell service on the servers to use the authentication system, and I'm planning that we'll also use it for our course websites and, little by little, pretty much everything else. If we can ever get on the same page with Chemistry, we'll have to go back and tweak everything to use a different DN. Hopefully, we can do that over the summer. But we've made substantial progress in a very short time.

I realize my last post came off a bit snarky, so I wanted to post about the pedagogy meeting with DEGW. We had four groups that each proposed a "class of the future" to talk about space and resource needs. I thought all of the ideas presented were compelling. Each was focused on experiential or situated learning and were driven by interesting, real-world problems. One involved having students design and build an energy-efficient house. That would be really cool! Another proposed having students try to balance the US budget in order to teach economics, to see how changes in one part would affect changes in the other -- that sounded really cool too. Another was about project management and would have students actually conduct the project management for a real project. The course my group proposed was my "think globally, act locally" course, where student groups would be matched up with groups around the world to study some complex-real world issue by investigating it locally and combining it with learning Esperanto in order to exchange results with the other groups around the world. I would love to see all of these classes being taught on campus! Great stuff!

There has been wide consternation in liberal circles over the supreme court overturning the McCain-Feingold limits on political advertising. I agree its a disaster for democracy, but was never very comfortable with the way the limits were implemented anyway. Rather than trying to identify kinds of speech or limit speech, its seemed to me that the real problem has been treating corporations as if they have the same rights as people -- or indeed any rights. I think corporations should be evaluated on a yearly basis and, any corporation that is not demonstrably serving in the public interest, should be dis-incorporated.

After years of living in a kleptocracy, I thought there was real hope that the Democrats would use their opportunity to make real change. I was hoping for a Newt Gingrich like "deal with America". Instead, the Democrats appear to already be owned by the corporations lock, stock, and barrel -- or, at least enough of them, that they're not willing to do anything. I guess now we get to see just how deep the rabbit hole is.

It's said to be a curse to live in "interesting times". I was born near the high-water mark for liberalism: for the gains that ordinary people won against the oligarchy after they'd wrecked the country in the Great Depression. For thirty years, I watched as the right turned the country into a kleptocracy where government served only to protect and funnel money to the extremely rich. I had hopes when the evil klepocrats finally ran the country off the rails that we might have a chance to reverse the worst of the changes. Unfortunately, that appears not to be the case. In a very short period of time, in spite of having absolute control of every branch of government in my state and in the country, the Democrats have shown themselves unwilling and incapable of effecting any substantive change in government. Obama has improved the U.S. brand, without actually changing the substance of government. But that's what modern corporate culture is all about.

Ten years ago, Naomi Klein wrote the book "No Logo" about the hollow practice then emerging in business of focusing on enhancing the value of the brand. This practice is a move toward a completely hollow, unproductive model for business where you develop and sell an image, rather than focus on the fundamentals of your business. In fact, you don't need any products at all: just find the cheapest crap, put your logo on it, and -- if you can control the message and the brand -- it won't matter, because people are paying the big money for the brand. When Naomi wrote her book, she included a chapter on corporatism moving into education. At that time, the threat was business trying to make money in the educational space through advertising. Now, however, the University is becoming the corporation.

In a long email to the University, the chancellor announced his new branding initiative, that was also reported in the loop. The new slogan for the University is: "THIS IS UMASS AMHERST. THIS IS NEXT. We're Wide Open." He said, "Only through a consistent and collaborative application of this identity campaign will we build a compelling identity for the University, one which does indeed evoke a unique and competitive image in the minds of our constituencies." Really?

I think a better solution would be to have greater openness: to show the campus as it really is. It's a great and wonderful place with dedicated people working very hard even under difficult circumstances. The richness of what's really here is its greatest selling point, in my opinion. If you try to control the message, you're going to get into a battle with anyone who tries to tell the truth: that's not a proposition you can win. But if you simply open up and try to show what's here -- everything that's here -- people can see the good stuff for themselves. And you can invest your effort in actually solving the problems on the ground and making things better -- and not just people's perceptions. But I guess that's why I'm not CEO.

I've been trying for a long time to capture what the use of standardized testing does to education. This is the best I've been able to do so far:

Rather than providing a well-rounded education, it asks educators to quit doing what makes sense and, instead, steal whatever time they might have otherwise used to engage in well-rounded learning to instead improve scores on the things that get measured. Making decisions based on standardized testing results pushes schools to do whatever will most cheaply cause those measures to respond.

It still falls short because we aren't really necessarily improving reading or math -- just the scores on the tests. Who cares if kids *can* read, if they don't (for example). What we really want, are well-functioning kids who are prepared to become life-long learners.

I couldn't find this documented anywhere, so I'm documenting it here.

We have Drupal installed in the root of the webserver, but I wanted to have a subdirectory with Pubcookie authentication (completely separate from Drupal), but I couldn't get it to work. I would get sent to a non-existent URL /Pubcookie.reply rather than redirected back to where I wanted to go.

I tried setting the PubcookiePostURL to where I wanted it to go. That sort of worked -- I could load that page -- but when I tried to use that page as a form, I would get a cryptic error message about "No granting reply" that was obviously some kind of Apache error, but with no corresponding entries in error_log.

Maybe this is supremely obvious to others, but I spent an hour or two this morning trying to figure out what the problem was. Now it seems obvious: Pubcookie.reply is a magic URL that Apache knows how to reply to, but Drupal was rewriting it to index.php?q=Pubcookie.reply or something stupid like that. So I just added in another rewrite rule, modeled on and just after the Favicon.ico entry in .htaccess like this:

RewriteCond %{REQUEST_URI} !=/PubCookie.reply

Now it works just fine.

Hopefully this post will show up if anyone else gets stuck like I was.

I've enjoyed reading James Howard Kunstler, since his book Geography of No-where. His blog, Clusterfuck Nation, offers a continuous stream of invective over the unwillingness of our society at every level to deal seriously with the challenges that confront us. But his current post has finally gone too far for me. He says:

The religion of the Futility Economy is Techno-Triumphalism, which is the belief that an endless sequence of magic tricks performed by shaman scientists can defeat the Second Law of Thermodynamics, which rules the universe -- which true scientists ought to know cannot be defeated.

This is just silly. By this measure, life itself is impossible, so we should all just lay down and die. The essence of life is that we can trick the second law, by using enzymes and organization, to keep entropy at bay for a while. Yes, in the end, entropy will win and the universe will run out of energy. But, for a while, life is possible. Let's not lose sight of that.