Prospective Server Admins
From ClueWiki
If you're a server administrator who is considering joining your server to Cluenet, you probably have a few questions or concerns. The most common ones are addressed here. You should probably read about the Cluenet Infrastructure first.
Why would I want to integrate my server into Cluenet?
If you integrate your server into Cluenet, there are numerous advantages:
- You get to be a more unified part of the community.
- You can take advantage of all of Cluenet's resources.
- You don't have to worry about filtering out bad users, because it's all done centrally.
- You don't have to make your own signup system.
- You get transparent access to many Cluenet features such as ClueMail and ClueCC (the DistCC cluster).
- You get to start with an already-established userbase proven to be excellent.
- You will probably gain extra privileges on the ClueIRC network.
Do I get to keep control over my own server?
Yes, of course. You are still the full administrator of your own server and can do whatever you like with it. The only exceptions are that you cannot compromise, delete, or modify user data on other servers (this is often possible if the user has a distributed private SSH key), and that you cannot use special access privileges (such as LDAP passwords) to gain access to or distribute information that you shouldn't have.
Do I need to give Cluenet administrators access to my server?
We do ask that, for official integration, at least one other Cluenet administrator have access to the root account on your server so that problems can be fixed quickly. However, this can be debated or changed if you are a very competent administrator and have concerns about others having root access on your server.
Can I keep existing non-Cluenet user accounts?
Yes. Cluenet accounts only use UID and GID numbers greater than or equal to 25000. The default PAM and libnss configuration that we provide gives precedence to local logins over LDAP logins. However, if a local username conflicts with an LDAP username, the LDAP user will not be able to log in. We would prefer, but do not require, that you eventually move all existing non-system accounts over to the Cluenet infrastructure to prevent such conflicts.
Can my server be compromised remotely with LDAP authentication set up?
No, not if PAM is configured correctly. The default PAM configuration that we use does not allow UIDs under 25000 to be authenticated via LDAP, so even if the LDAP server were compromised, no root or system accounts could log in.
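As an added example (not Cluenet's own tooling or its shipped PAM configuration), the shell functions below check the two properties described above: that no local account already occupies the UID/GID range from 25000 up, and that every pam_ldap.so auth line is preceded by a UID floor. The pam_succeed_if.so guard is one assumed way to enforce that floor, and the passwd entries and PAM stack are constructed samples.

```shell
#!/bin/sh
# Added example (not Cluenet's own tooling). MIN_ID is the UID/GID floor the
# page states for Cluenet accounts.
MIN_ID=25000

# List local accounts whose UID or GID already sits in the LDAP range.
# $1: passwd-format file. Output: name:uid:gid, one per line.
local_ids_in_ldap_range() {
    awk -F: -v min="$MIN_ID" '
        /^#/ || NF < 4 { next }
        $3 + 0 >= min + 0 || $4 + 0 >= min + 0 { print $1 ":" $3 ":" $4 }' "$1"
}

# Succeed only if the file has a pam_ldap.so auth line and every such line
# comes after "pam_succeed_if.so ... uid >= N" (N >= MIN_ID) with a control
# of requisite or required. $1: PAM service file.
pam_ldap_is_uid_guarded() {
    awk -v min="$MIN_ID" '
        /^[ \t]*#/ || $1 != "auth" { next }
        /pam_succeed_if\.so/ && $2 ~ /^(requisite|required)$/ {
            for (i = 3; i <= NF - 2; i++)
                if ($i == "uid" && $(i+1) == ">=" && $(i+2) + 0 >= min + 0)
                    guarded = 1
        }
        /pam_ldap\.so/ { seen = 1; if (!guarded) bad = 1 }
        END { exit !(seen && !bad) }' "$1"
}

# Constructed sample inputs (illustrative, not taken from a real host).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
legacy:x:25010:100::/home/legacy:/bin/sh
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
EOF
cat > "$DEMO/auth-guarded" <<'EOF'
auth  [success=3 default=ignore]  pam_unix.so
auth  requisite                   pam_succeed_if.so uid >= 25000 quiet
auth  [success=1 default=ignore]  pam_ldap.so use_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
EOF
grep -v pam_succeed_if "$DEMO/auth-guarded" > "$DEMO/auth-unguarded"

local_ids_in_ldap_range "$DEMO/passwd"
pam_ldap_is_uid_guarded "$DEMO/auth-guarded" && echo "guarded stack: OK"
pam_ldap_is_uid_guarded "$DEMO/auth-unguarded" || echo "unguarded stack: FAIL"
```

On the constructed data the first function reports legacy and nobody. Many distributions assign nobody UID 65534, which sits numerically inside the range, so expect it to be flagged on real hosts.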
What happens if the LDAP server goes down?
First, this is unlikely, since we have redundant LDAP servers. If the primary LDAP server fails, the configuration should automatically fail over to the secondary server, which is hosted in a completely different location from the primary. If, for some reason, your server cannot contact either LDAP server, such as a configuration error or a networking problem on your end, then local users (including root) will still be able to log in and work. We do recommend that you keep a local account under a different name than your LDAP account if you are concerned about server accessibility without LDAP servers.
If I am already running a shell service, can I keep my existing name?
At Cluenet, we emphasize unity. Several existing shell providers have dropped their names and individual identities (more than their own specific services) to help the community and userbase of Cluenet. For official integration into Cluenet, we ask that you fully and wholeheartedly integrate everything. If you do not like this and like your own name, then you can still integrate your server unofficially without the extra access rights to network privileged data.
Will I be able to control which users are on my server?
Yes, there are several ways to do this. PAM provides a mechanism by which you can allow or disallow specific users to log in, if you would like to ban a specific user from your server.
Will I be able to take part in the Cluenet signup process to decide who gets access to my server?
Most likely, we will allow you to have admin access to the Cluenet signup system. If for some reason we do not (which is unlikely), you can still create your own accounts or disallow LDAP accounts locally.
What about Windows?
If you can get a Windows system to work and integrate into the Cluenet infrastructure, there's nothing preventing it. methecooldude has already integrated a Windows 2003 Server using pGina.
Can I have an IRC channel just for my server?
Yes, you can. We do emphasize community unity, so we would like you to urge users to participate in the network as a whole, but if your server provides some special service or has special quirks, there's no problem in creating a specific channel.
What if I don't want to integrate my server? What if I just want to have an IRC channel?
That's fine too. We do prefer integration or partial integration, but you can just have an IRC channel on ClueIRC for your own server if you would like.
What is this insistence on Clueful Chatting?
At Cluenet, we try to encourage Clueful Chatting as much as possible. The Clueful Chatting document explains why this is, and the benefits of Clueful Chatting. We also have a signup system that is based on Clueful Chatting. We have considered many possibilities for the main signup requirement and have decided on this hybrid approach to chatting statistics and Clueful Chatting. See Signing Up. Other considerations were to have a quiz, as component providers have had in the past, and to have some kind of technical trial. The quiz has worked somewhat in the past, but is generally not worthwhile. It has many "false positives" and "false negatives". A technical trial screens out everyone without technical ability, and one big reason for wanting a shell account is to learn. The Clueful Chatting method ensures both community participation and general intelligence/helpfulness.