Building a Student Storage server

Question

I work for a school district. I've been put in charge of building a storage server for students. A place for them to work off of from school and home.

My challenge is getting this to work from home. At school they login, authenticate, and they get a mapped drive to their folder on the server (S:\fileserver\studentname).

My question is how can I make this available to students at home?

The server is running Windows Server 2008 R2. I've got PHP, Apache, and MySQL working together. My idea is to write a script that will "crawl" through the directory containing all of the student folders, then create an instance of every file and folder in a MySQL DB. Create a login page that will use LDAP for authentication, and once they login to the server from home, they get a page with folders a files tied to their username.

Has anyone out there ever put something like this together??

Answer 1

If you insist on doing this (as opposed to going with @sweaves answer) then I'd start by:

1. dropping Php, Apache, and MySql. They are not necessary and will introduce their own headaches.

2. Get an FTPS server up and running. Along these lines you might consider dumping Windows Server 2003 in favor of 2008 R2. IIS 7 has much better FTP items built in. http://blogs.technet.com/b/chrisavis/archive/2008/06/12/how-to-configure-ftp-over-ssl-secure-ftp-on-windows-2008-in-less-than-10-minutes.aspx

3. If you can't do this, take a look at this for how to set up File Zilla to work with AD. http://retrohack.com/enabling-filezilla-server-integration-with-active-directory-authentication/

4. Another option (thanks @jscott) is to use WebDav (http://www.iis.net/download/webdav). Here's another school doing this exact same thing: http://kb.iu.edu/data/araf.html

5. You can also set up an ">SFTP server. SFTP supports passwordless logins, but is not supported in Windows out of the box.

Side note, the filezilla solution is more management work than the IIS 7 one.

Answer 2

A much easier solution would be to set up a VPN. The student can then log in to the VPN and access all of their resources like they are sat inside campus. Check out for details... http://lifehacker.com/162563/how-to-set-up-free-vpn

Answer 3

What exactly do they need to do? Just get access? If you open it up to FTP, you're asking for big issues. If they need access to consistent tools to work on documents from school, open a server (or cluster) for remote desktop services.

Yes, they need to install remote desktop client if they don't already have it (they probably already do) but the client is available for Linux, Windows, and the Mac for free. The connection is encrypted, and they can have access to whatever your school is using for Office or other tools, unless you're running something heavy duty like Photoshop.

If you use RDP, you get encryption, you get one port to open on your firewall, and you get standardization of utilities (no "I made this at home and it worked fine, why won't it open here?" complaints) plus centralized management. I've seen similar problems like this solved in exactly this manner several times and only under specific circumstances has there been issues with it.

Plus you don't have students with multiple copies of documents running around complaining that they don't know WHY their paper is the wrong version because it worked FINE at home...or they didn't save it to the right spot...etc.

Answer 4

How about WebDAV?

This is supported in apache and you could still use LDAP for authentication.

Users would be able to access their files from a browser, and modern versions of Windows and OS X allow users to mount WebDAV shares under Explorer and Finder respectively.

It was also prevent the issues associated with trying to store the state of a constantly changing file system in sync with a database in your propsed method.

Answer 5

Take a look at Adito/OpenVPN ALS. It's free, will install on Windows or Linux, and makes it extremely easy to set up a web interface for file shares, as well as many other features. I use it at the college where I work. It does have a few downsides: it requires java to be installed on the clients, sets off the pop up blocker on many browsers, certificate setup could be easier, and the paged view for file listings could be easier. If you choose to setup webdav it can be used to make it easier (and more reliable) for your users to get the correct drives mapped.

Answer 6

As others have said - do not use FTP - there are many, many things wrong with it. OTOH, you should probably use a protocol which does not require users to install additional client side software; although ssh based access (sftp, scp) would be ideal, MSWindows machines do not come with a client as standard.

There are no end of file managers available written in PHP (and probably other languages too). IIS does some very odd things with tunnelling of NTLM permissions - but if you're using Apache it should be reasonably safe - however accessing the drives is not as simple as just reading from \server\username\ - you'd need to allow the webserver admin rights on these files - but that's a security nightmare!

The way I do it (for a very different type of application) is to handle the I/O via smbclient using the username/password from the users PHP session - but that's on a Linux machine - AFAIK, there is no equivalent on MSWindows.

Certainly you would want to use the credentials supplied by the user to authenticate against the storage.

This is fast becoming scary complicated!

So a practical solution would be to allow the students to map the drives across the internet. That way you don't need to worry about the complications of providing a file manager which is not an integral part of the operating system (i.e. directly accessible from applications). But you don't want to expose your server to anyone and everyone. The usual way to solve this problem would be a VPN - and there are many good and low-cost ones available. Or simply wrap the service in SSL with client certificate authentication. But again this requires client side installations.

So.....

How about a web form to authenticate a user at an IP address which then creates a time-limited hole in the firewall for that IP address to connect via SMB (and they still need to provide a username/password to map the drive of course).

Answer 7

P.S: personally I think you will have a much better rate of success if you port your system to *nix, because more alternatives would be available(freely)

What comes to mind:

Dropbox:

upload the changes to Dropbox. The great thing about dropbox is that they offer a free plan of 20GB(right now) and can be used with every popular Operating System(Windows/Linux/MacOSX) without any hassle. I have not yet read/implemented anything using the Dropbox API, but hopefully you can achieve without to much headache. I guess the problem is what happens when they change the pricing plan, but that is something for later.

Open-source Dropbox alternatives

After performing a quick Google search this link provides some open-source alternatives, but I don't know if any of them are any good so you should test that.

Web

Instead of giving users the option to sync only provide them the opportunity to download files/folder(zipped). I think you could write a system like that without too much grievance.

VPN/RPC

Like some other users said give the user to login using VPN/RPC.

Answer 8

Take a look at Ajaxplorer (http://www.ajaxplorer.info)

It is a web based file manager (written in PHP & Javascript) that provides easy administration of permissions, users, groups, and you can set up shared repositories as well as personal ones.

It can also do webdav and has authentication connectors for all sorts of systems (ldap, mysql, flatfile.....)

with the filesystem connectors you can set up rules to map user accounts to individual directories automatically which would sort out your requirement for accessing the user's mapped drive.

We have just started using it here (design/web agency) and clients of all technical ability find it very easy to use/understand

You should be able to integrate it in to your current system with no changes