Overview

OpenCLAWS is a modular software system that provides centralized account, identity, and network management in a heterogenous computing environment. Its flexible design makes it possible to integrate with nearly any system your organization supports.

More precisely, OpenCLAWS is an open source derivative of Rochester Institute of Technology's CLAWS. Although RIT is continuing to develop the code base, they are no longer offering the software for public use. We believe that other IT organizations could benefit from CLAWS, and so we are continuing development (independent of RIT) from a snapshot of the source tree. We've also re-branded the product with a name that reflects our commitment to the open source community. Read the project mission for more information about the direction of OpenCLAWS.

Why OpenCLAWS?

Andy was a bit frustrated with his job. The infrastructure he was charged with managing had multiple account bases, each with their own tools. Updates were complicated and often led to data inconsistencies. The latest "enterprise" software just didn't seem to be able to handle the scale of his environment.

Then Andy tried OpenCLAWS. He was impressed. He found a powerful and highly customizable system. He discovered lots of up-to-date modules that could integrate with his systems, allowing him to use a single management tool for everything. All of a sudden, Andy was in control. And he liked it.

Suppose your organization maintains an Active Directory forest to provide centralized accounts and resource sharing for all Windows machines. The tools provided by Microsoft are sufficient for most administrative tasks. Now you've been handed a project to create custom attributes for storing employee ID numbers in each user object. You could extend the schema, but schema operations are permanent and you'd prefer not to pollute the directory. Besides, there's already talk of adding more attributes in the next few months.

So you turn to OpenLDAP. The only trouble is that now you have to duplicate user accounts in the LDAP directory. This is fairly easy if you have a small set of users. But your organization has over 10,000 users. You could purchase a tool to create users in both places, or install a daemon to keep the two directories synchronized. But what about that Kerberos installation you have planned for next year? How will that fit in?

OpenCLAWS was intended to solve this very problem. Administrators use one tool that submits the request to the central server. On the back-end, individual system-specific modules subscribe to events (creating users, changing passwords, etc.) that they're responsible for handling. When changes are sent to the central server, modules are notified and the change is processed on each affected system.

The advantage to this model is that administrators are not limited by products or vendors. Any system that has a corresponding OpenCLAWS module can participate in the event processing back-end. And since OpenCLAWS is open source, you (or anyone else) can write modules for unsupported systems.

But wait... there's more! Account management is only one aspect of OpenCLAWS. There are modules that also support network device registration and IP allocation, network monitoring, detailed change history and auditing, identity management, and more.

We recommend you try OpenCLAWS in your own test environment to see how it can benefit your organization.

How Does OpenCLAWS Work?

Since OpenCLAWS started out as CLAWS, we feel it's appropriate to borrow the design description from RIT.

OpenCLAWS Design

The CLAWS Central Server (CAT) represents the interchange point for the entire system. The client front-end is a PHP-based API foundation that is designed to support high-level web clients. The primary management web client allows help desk staff to easily manage user accounts and identities from any computer. Additionally, users can manage their identity and mail preferences using a separate self-help web client.

On the back-end, system-specific modules interface with various third-party software systems. These modules are subscriber-based components that can detect and handle updates from CAT. Data that is specific to CLAWS, such as update history, is stored in an Oracle database. External systems can both update and receive updates through CLAWS subscriptions and feeds.

Running under Apache Tomcat, CAT communicates with the components through SOAP over HTTPS. CLAWS supports the delegation of granular permissions to accommodate the various roles within the organization. This highly-extensible design permits the addition of new systems and clients as needed.

See Matt Campbell's presentation to EDUCAUSE for more information.