Typo.

[homepage.git] / blog / archive / 2010 / 07 / 07.rss

diff --git a/blog/archive/2010/07/07.rss b/blog/archive/2010/07/07.rss
index 361b64b519ab8ffe011093183c3a4c3631f3502a..97f94b37f1bbdc6595114ab52e375fb26dab488c 100644 (file)
--- a/blog/archive/2010/07/07.rss
+++ b/blog/archive/2010/07/07.rss
@@ -7,527 +7,290 @@
 
        
        <item>
 
        
        <item>

-               <title>Caching password, user and group on a roaming Debian laptop</title>
-               <link>http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</guid>
-                <pubDate>Thu, 1 Jul 2010 11:40:00 +0200</pubDate>
-               <description>
-&lt;p&gt;For a laptop, centralized user directories and password checking is
-a bit troubling.  Laptops are typically used also when not connected
-to the network, and it is vital for a user to be able to log in or
-unlock the screen saver also when a central server is unavailable.
-This is possible by caching passwords and directory information (user
-and group attributes) locally, and the packages to do so are available
-in Debian.  Here follow two recipes to set this up in Debian/Squeeze.
-It is also possible to set up in Debian/Lenny, but require more manual
-setup there because pam-auth-update is missing in Lenny.&lt;/p&gt;
-
-&lt;h2&gt;LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir&lt;/h2&gt;
-
-This is the traditional method with a twist.  The password caching is
-provided by libpam-ccreds (version 10-4 or later is needed on
-Squeeze), and the directory caching is done by nscd.  The directory
-lookup and password checking is done using LDAP.  If one want to use
-Kerberos for password checking the libpam-ldapd package can be
-replaced with libpam-krb5 or libpam-heimdal.  If one is happy having a
-local home directory with the path listed in LDAP, one can use the
-pam_mkhomedir module from pam-modules to make this happen instead of
-using libpam-mklocaluser.  A setup for pam-auth-update to enable
-pam_mkhomedir will have to be written until a fix for
-&lt;a href=&quot;http://bugs.debian.org/568577&quot;&gt;bug #568577&lt;/a&gt; is in the
-archive.  Because I believe it is a bad idea to have local home
-directories using misleading paths like /site/server/partition/, I
-prefer to create a local user with the home directory in /home/.  This
-is done using the libpam-mklocaluser package.&lt;/p&gt;
-
-&lt;p&gt;These packages need to be installed and configured&lt;/p&gt;
+               <title>Circular package dependencies harms apt recovery</title>
+               <link>http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html</guid>
+                <pubDate>Tue, 27 Jul 2010 23:50:00 +0200</pubDate>
+               <description>&lt;p&gt;I discovered this while doing
+&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html&quot;&gt;automated
+testing of upgrades from Debian Lenny to Squeeze&lt;/a&gt;.  A few packages
+in Debian still got circular dependencies, and it is often claimed
+that apt and aptitude should be able to handle this just fine, but
+some times these dependency loops causes apt to fail.&lt;/p&gt;
+
+&lt;p&gt;An example is from todays
+&lt;a href=&quot;http://people.skolelinux.org/~pere/debian-upgrade-testing//test-20100727-lenny-squeeze-kde-aptitude.txt&quot;&gt;upgrade
+of KDE using aptitude&lt;/a&gt;.  In it, a bug in kdebase-workspace-data
+causes perl-modules to fail to upgrade.  The cause is simple.  If a
+package fail to unpack, then only part of packages with the circular
+dependency might end up being unpacked when unpacking aborts, and the
+ones already unpacked will fail to configure in the recovery phase
+because its dependencies are unavailable.&lt;/p&gt;
+
+&lt;p&gt;In this log, the problem manifest itself with this error:&lt;/p&gt;

 
 &lt;blockquote&gt;&lt;pre&gt;
 
 &lt;blockquote&gt;&lt;pre&gt;

-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
+dpkg: dependency problems prevent configuration of perl-modules:
+ perl-modules depends on perl (&gt;= 5.10.1-1); however:
+  Version of perl on system is 5.10.0-19lenny2.
+dpkg: error processing perl-modules (--configure):
+ dependency problems - leaving unconfigured

 &lt;/pre&gt;&lt;/blockquote&gt;
 
 &lt;/pre&gt;&lt;/blockquote&gt;
 

-&lt;p&gt;The ldapd packages will ask for LDAP connection information, and
-one have to fill in the values that fits ones own site.  Make sure the
-PAM part uses encrypted connections, to make sure the password is not
-sent in clear text to the LDAP server.  I&#39;ve been unable to get TLS
-certificate checking for a self signed certificate working, which make
-LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
-is talking to the correct LDAP server), and very much welcome feedback
-on how to get this working.&lt;/p&gt;
-
-&lt;p&gt;Because nscd do not have a default configuration fit for offline
-caching until &lt;a href=&quot;http://bugs.debian.org/485282&quot;&gt;bug #485282&lt;/a&gt;
-is fixed, this configuration should be used instead of the one
-currently in /etc/nscd.conf.  The changes are in the fields
-reload-count and positive-time-to-live, and is based on the
-instructions I found in the
-&lt;a href=&quot;http://www.flyn.org/laptopldap/&quot;&gt;LDAP for Mobile Laptops&lt;/a&gt;
-instructions by Flyn Computing.&lt;/p&gt;
+&lt;p&gt;The perl/perl-modules circular dependency is already
+&lt;a href=&quot;http://bugs.debian.org/527917&quot;&gt;reported as a bug&lt;/a&gt;, and will
+hopefully be solved as soon as possible, but it is not the only one,
+and each one of these loops in the dependency tree can cause similar
+failures.  Of course, they only occur when there are bugs in other
+packages causing the unpacking to fail, but it is rather nasty when
+the failure of one package causes the problem to become worse because
+of dependency loops.&lt;/p&gt;

 
 

-&lt;blockquote&gt;&lt;pre&gt;
-       debug-level             0
-       reload-count            unlimited
-       paranoia                no
+&lt;p&gt;Thanks to
+&lt;a href=&quot;http://lists.debian.org/debian-devel/2010/06/msg00116.html&quot;&gt;the
+tireless effort by Bill Allombert&lt;/a&gt;, the number of circular
+dependencies
+&lt;a href=&quot;http://debian.semistable.com/debgraph.out.html&quot;&gt;left in Debian
+is dropping&lt;/a&gt;, and perhaps it will reach zero one day. :)&lt;/p&gt;
+
+&lt;p&gt;Todays testing also exposed a bug in
+&lt;a href=&quot;http://bugs.debian.org/590605&quot;&gt;update-notifier&lt;/a&gt; and
+&lt;a href=&quot;http://bugs.debian.org/590604&quot;&gt;different behaviour&lt;/a&gt; between
+apt-get and aptitude, the latter possibly caused by some circular
+dependency.  Reported both to BTS to try to get someone to look at
+it.&lt;/p&gt;
+</description>
+       </item>
+       
+       <item>
+               <title>First Debian Edu test release (alpha0) based on Squeeze is released</title>
+               <link>http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html</guid>
+                <pubDate>Tue, 27 Jul 2010 17:45:00 +0200</pubDate>
+               <description>&lt;p&gt;I just posted this announcement culminating several months of work
+with the next Debian Edu release.  Not nearly done, but one major step
+completed.&lt;/p&gt;

 
 

-       enable-cache            passwd          yes
-       positive-time-to-live   passwd          2592000
-       negative-time-to-live   passwd          20
-       suggested-size          passwd          211
-       check-files             passwd          yes
-       persistent              passwd          yes
-       shared                  passwd          yes
-       max-db-size             passwd          33554432
-       auto-propagate          passwd          yes
+&lt;blockquote&gt;
+&lt;p&gt;This is the first test release based on Squeeze. The focus of this
+release is to test the user application selection. To have a look,
+install the standalone profile and let the developers know if the set
+of installed packages i.e. applications should be modified. If some
+user application is missing, or if there are some applications that no
+longer make sense to be included in Debian Edu, please let us know.
+Also, if a useful application is missing the translation for your
+language of choice, please let us know too.&lt;/p&gt;

 
 

-       enable-cache            group           yes
-       positive-time-to-live   group           2592000
-       negative-time-to-live   group           20
-       suggested-size          group           211
-       check-files             group           yes
-       persistent              group           yes
-       shared                  group           yes
-       max-db-size             group           33554432
-       auto-propagate          group           yes
+&lt;p&gt;In addition, feedback and help to polish the desktop (menus,
+artwork, starters, etc.) is appreciated. We would like to ship a nice
+and handy KDE4 desktop targeted for schools out of the box.&lt;/p&gt;

 
 

-       enable-cache            hosts           no
-       positive-time-to-live   hosts           2592000
-       negative-time-to-live   hosts           20
-       suggested-size          hosts           211
-       check-files             hosts           yes
-       persistent              hosts           yes
-       shared                  hosts           yes
-       max-db-size             hosts           33554432
+&lt;p&gt;The other profiles should be installable, but there is a lot more
+work left to be done before they are ready, so do not expect to
+much.&lt;/p&gt;

 
 

-       enable-cache            services        yes
-       positive-time-to-live   services        2592000
-       negative-time-to-live   services        20
-       suggested-size          services        211
-       check-files             services        yes
-       persistent              services        yes
-       shared                  services        yes
-       max-db-size             services        33554432
-&lt;/pre&gt;&lt;/blockquote&gt;
+&lt;p&gt;Changes compared to the lenny based version&lt;/p&gt;

 
 

-&lt;p&gt;While we wait for a mechanism to update /etc/nsswitch.conf
-automatically like the one provided in
-&lt;a href=&quot;http://bugs.debian.org/496915&quot;&gt;bug #496915&lt;/a&gt;, the file
-content need to be manually replaced to ensure LDAP is used as the
-directory service on the machine.  /etc/nsswitch.conf should normally
-look like this:&lt;/p&gt;
+&lt;ul&gt;
+&lt;li&gt;Everything from Debian Squeeze
+&lt;ul&gt;
+  &lt;li&gt;Desktop environment KDE 4.4 =&gt; the new KDE desktop in
+         combination with some new artwork
+  &lt;li&gt;Web browser Iceweasel 3.5
+  &lt;li&gt;OpenOffice.org 3.2
+  &lt;li&gt;Educational toolbox GCompris 9.3
+  &lt;li&gt;Music creator Rosegarden 10.04.2
+  &lt;li&gt;Image editor Gimp 2.6.10
+  &lt;li&gt;Virtual universe Celestia 1.6.0
+  &lt;li&gt;Virtual stargazer Stellarium 0.10.4
+  &lt;li&gt;3D modeler Blender 2.49.2 (new application)
+  &lt;li&gt;Video editor Kdenlive 0.7.7 (new application)
+&lt;/ul&gt;&lt;/li&gt;
+&lt;li&gt;Now using Kerberos for password checking (migration not finished).
+    Enabled for:
+&lt;ul&gt;
+  &lt;li&gt;PAM
+  &lt;li&gt;LDAP
+  &lt;li&gt;IMAP
+  &lt;li&gt;SMTP (sender verification)
+&lt;/ul&gt;
+&lt;/li&gt;
+&lt;li&gt;New experimental roaming workstation profile for laptops.&lt;/li&gt;
+&lt;li&gt;Show welcome page to users when they first log in. The URL is
+    fetched from LDAP.&lt;/li&gt;
+&lt;li&gt;New LXDE desktop option, in addition to KDE (default) and Gnome.&lt;/li&gt;
+&lt;li&gt;General cleanup (not finished)&lt;/li&gt;
+&lt;/ul&gt;
+&lt;p&gt;The following features are not working as they should&lt;/p&gt;

 
 

-&lt;blockquote&gt;&lt;pre&gt;
-passwd:         files ldap
-group:          files ldap
-shadow:         files ldap
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-protocols:      files
-services:       files
-ethers:         files
-rpc:            files
-netgroup:       files ldap
-&lt;/pre&gt;&lt;/blockquote&gt;
+&lt;ul&gt;
+&lt;li&gt;No web based administration tool for creating users and groups. The
+    scripts ldap-createuser-krb and ldap-add-user-to-group can be used
+    for testing.&lt;/li&gt;
+&lt;li&gt;DVD installs are missing debian-installer images for the PXE boot,
+    and do not set up the PXE menu on eth0 because of this. LTSP
+    clients should still boot from eth1 on thin client servers.&lt;/li&gt;
+&lt;li&gt;The restructured KDE menu is not implemented.&lt;/li&gt;
+&lt;li&gt;The LDAP server setup need to be reviewed for security.&lt;/li&gt;
+&lt;li&gt;The LDAP directory structure need to be reworked.&lt;/li&gt;
+&lt;li&gt;Different sets of packages are installed when using the DVD and the
+    netinst CD. More packages are installed using the netinst CD.&lt;/li&gt;
+&lt;li&gt;The jackd package fail to install. This is believed to be caused by
+    some ongoing transition, and hopefully should be solved soon. The
+    jackd1 package can be installed manually for those that need it.&lt;/li&gt;
+&lt;li&gt;Some packages lack translations. See
+    http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status,
+    and help out with translations.&lt;/li&gt;
+&lt;/ul&gt;

 
 

-&lt;p&gt;The important parts are that ldap is listed last for passwd, group,
-shadow and netgroup.&lt;/p&gt;
+&lt;p&gt;To download this multiarch netinstall release you can use&lt;/p&gt;

 
 

-&lt;p&gt;With these changes in place, any user in LDAP will be able to log
-in locally on the machine using for example kdm, get a local home
-directory created and have the password as well as user and group
-attributes cached.
+&lt;ul&gt;
+&lt;li&gt;&lt;a href=&quot;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&quot;&gt;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&lt;/a&gt;&lt;/li&gt;
+&lt;li&gt;&lt;a href=&quot;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&quot;&gt;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&lt;/a&gt;&lt;/li&gt;
+&lt;li&gt;rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&lt;/li&gt;
+&lt;/ul&gt;
+&lt;p&gt;To download this multiarch dvd release you can use&lt;/p&gt;

 
 

-&lt;h2&gt;LDAP/Kerberos + nss-updatedb + libpam-ccreds +
-  libpam-mklocaluser/pam_mkhomedir&lt;/h2&gt;
+&lt;ul&gt;
+&lt;li&gt;&lt;a href=&quot;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&quot;&gt;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&lt;/a&gt;&lt;/li&gt;
+&lt;li&gt;&lt;a href=&quot;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&quot;&gt;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&lt;/a&gt;&lt;/li&gt;
+&lt;li&gt;rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&lt;/li&gt;
+&lt;/ul&gt;

 
 

-&lt;p&gt;Because nscd have had its share of problems, and seem to have
-problems doing proper caching, I&#39;ve seen suggestions and recipes to
-use nss-updatedb to copy parts of the LDAP database locally when the
-LDAP database is available.  I have not tested such setup, because I
-discovered sssd.&lt;/p&gt;
+&lt;p&gt;There is no source DVD available yet. It will be prepared when we
+get closer to the final release.&lt;/p&gt;

 
 

-&lt;h2&gt;LDAP/Kerberos + sssd + libpam-mklocaluser&lt;/h2&gt;
+&lt;p&gt;The MD5SUM of these images are&lt;/p&gt;

 
 

-&lt;p&gt;A more flexible and robust setup than the nscd combination
-mentioned earlier that has shown up recently, is the
-&lt;a href=&quot;https://fedorahosted.org/sssd/&quot;&gt;sssd&lt;/a&gt; package from Redhat.
-It is part of the &lt;a href=&quot;http://www.freeipa.org/&quot;&gt;FreeIPA&lt;/A&gt; project
-to provide a Active Directory like directory service for Linux
-machines.  The sssd system combines the caching of passwords and user
-information into one package, and remove the need for nscd and
-libpam-ccreds.  It support LDAP and Kerberos, but not NIS.  Version
-1.2 do not support netgroups, but it is said that it will support this
-in version 1.5 expected to show up later in 2010.  Because the
-&lt;a href=&quot;http://packages.qa.debian.org/s/sssd.html&quot;&gt;sssd package&lt;/a&gt;
-was missing in Debian, I ended up co-maintaining it with Werner, and
-version 1.2 is now in testing.
+&lt;ul&gt;
+&lt;li&gt;3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso&lt;/li&gt;
+&lt;li&gt;22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso&lt;/li&gt;
+&lt;/ul&gt;

 
 

-&lt;p&gt;These packages need to be installed and configured to get the
-roaming setup I want&lt;/p&gt;
+&lt;p&gt;The SHA1SUM of these images are&lt;/p&gt;
+&lt;ul&gt;
+&lt;li&gt;c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso&lt;/li&gt;
+&lt;li&gt;2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso&lt;/li&gt;
+&lt;/ul&gt;
+&lt;p&gt;How to report bugs:
+http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla&lt;/p&gt;

 
 

-&lt;blockquote&gt;&lt;pre&gt;
-libpam-sss libnss-sss libpam-mklocaluser
-&lt;/pre&gt;&lt;/blockquote&gt;
+&lt;p&gt;Please direct replies to debian-edu@lists.debian.org&lt;/p&gt;
+&lt;/blockquote&gt;
+</description>
+       </item>
+       
+       <item>
+               <title>One step closer to single signon in Debian Edu</title>
+               <link>http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</guid>
+                <pubDate>Sun, 25 Jul 2010 10:00:00 +0200</pubDate>
+               <description>&lt;p&gt;The last few months me and the other Debian Edu developers have
+been working hard to get the Debian/Squeeze based version of Debian
+Edu/Skolelinux into shape.  This future version will use Kerberos for
+authentication, and services are slowly migrated to single signon,
+getting rid of password questions one at the time.&lt;/p&gt;

 
 

-The complete setup of sssd is done by editing/creating
-&lt;tt&gt;/etc/sssd/sssd.conf&lt;/tt&gt;.
-
-&lt;blockquote&gt;&lt;pre&gt;
-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = INTERN
-
-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[domain/INTERN]
-enumerate = false
-cache_credentials = true
-
-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
+&lt;p&gt;It will also feature a roaming workstation profile with local home
+directory, for laptops that are only some times on the Skolelinux
+network, and for this profile a shortcut is created in Gnome and KDE
+to gain access to the users home directory on the file server.  This
+shortcut uses SMB at the moment, and yesterday I had time to test if
+SMB mounting had started working in KDE after we added the cifs-utils
+package.  I was pleasantly surprised how well it worked.&lt;/p&gt;

 
 

-ldap_uri = ldap://ldap
-ldap_search_base = dc=skole,dc=skolelinux,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-&lt;/pre&gt;&lt;/blockquote&gt;
+&lt;p&gt;Thanks to the recent changes to our samba configuration to get it
+to use Kerberos for authentication, there were no question about user
+password when mounting the SMB volume.  A simple click on the shortcut
+in the KDE menu, and a window with the home directory popped
+up. :)&lt;/p&gt;

 
 

-&lt;p&gt;I got the same problem here with certificate checking.  Had to set
-&quot;ldap_tls_reqcert = never&quot; to get it working.&lt;/p&gt;
+&lt;p&gt;One step closer to a single signon solution out of the box in
+Debian Edu.  We already had PAM, LDAP, IMAP and SMTP in place, and now
+also Samba.  Next step is Cups and hopefully also NFS.&lt;/p&gt;

 
 

-&lt;p&gt;With the libnss-sss package in testing at the moment, the
-nsswitch.conf file is update automatically, so there is no need to
-modify it manually.&lt;/p&gt;
+&lt;p&gt;We had planned a alpha0 release of Debian Edu for today, but thanks
+to the autobuilder administrators for some architectures being slow to
+sign packages, we are still missing the fixed LTSP package we need for
+the release.  It was uploaded three days ago with urgency=high, and if
+it had entered testing yesterday we would have been able to test it in
+time for a alpha0 release today.  As the binaries for ia64 and powerpc
+still not uploaded to the Debian archive, we need to delay the alpha
+release another day.&lt;/p&gt;

 
 

-&lt;p&gt;If you want to help out with implementing this for Debian Edu,
+&lt;p&gt;If you want to help out with implementing Kerberos for Debian Edu,

 please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
 </description>
        </item>
        
        <item>
 please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
 </description>
        </item>
        
        <item>

-               <title>Lenny-&gt;Squeeze upgrades, apt vs aptitude with the Gnome desktop</title>
-               <link>http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</guid>
-                <pubDate>Sat, 3 Jul 2010 23:55:00 +0200</pubDate>
-               <description>
-&lt;p&gt;Here is a short update on my &lt;a
-href=&quot;http://people.skolelinux.org/~pere/debian-upgrade-testing/&quot;&gt;my
-Debian Lenny-&gt;Squeeze upgrade testing&lt;/a&gt;.  Here is a summary of the
-difference for Gnome when it is upgraded by apt-get and aptitude.  I&#39;m
-not reporting the status for KDE, because the upgrade crashes when
-aptitude try because of missing conflicts
-(&lt;a href=&quot;http://bugs.debian.org/584861&quot;&gt;#584861&lt;/a&gt; and
-&lt;a href=&quot;http://bugs.debian.org/585716&quot;&gt;#585716&lt;/a&gt;).&lt;/p&gt;
-
-&lt;p&gt;At the end of the upgrade test script, dpkg -l is executed to get a
-complete list of the installed packages.  Based on this I see these
-differences when I did a test run today.  As usual, I do not really
-know what the correct set of packages would be, but thought it best to
-publish the difference.&lt;/p&gt;
-
-&lt;p&gt;Installed using apt-get, missing with aptitude&lt;/p&gt;
-
-&lt;blockquote&gt;&lt;p&gt;
-  at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs
-  libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common
-  libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin
-  libgtksourceview-common libpt-1.10.10-plugins-alsa
-  libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java
-  libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip
-  python-4suite-xml python-eggtrayicon python-gtkhtml2
-  python-gtkmozembed svgalibg1 xserver-xephyr zip
-&lt;/p&gt;&lt;/blockquote&gt;
-
-&lt;p&gt;Installed using apt-get, removed with aptitude&lt;/p&gt;
-
-&lt;blockquote&gt;&lt;p&gt;
-  bluez-utils dhcdbd djvulibre-desktop epiphany-gecko
-  gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager
-  libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50
-  libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3
-  libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9
-  libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3
-  libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9
-  libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2
-  libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0
-  libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0
-  libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50
-  libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10
-  libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4
-  libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5
-  libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3
-  libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8
-  libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1
-  libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj
-  libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3
-  mysql-common swfdec-gnome totem-gstreamer wodim
-&lt;/p&gt;&lt;/blockquote&gt;
-
-&lt;p&gt;Installed using aptitude, missing with apt-get&lt;/p&gt;
-
-&lt;blockquote&gt;&lt;p&gt;
-  gnome gnome-desktop-environment hamster-applet python-gnomeapplet
-  python-gnomekeyring python-wnck rhythmbox-plugins xorg
-  xserver-xorg-input-all xserver-xorg-input-evdev
-  xserver-xorg-input-kbd xserver-xorg-input-mouse
-  xserver-xorg-input-synaptics xserver-xorg-video-all
-  xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati
-  xserver-xorg-video-chips xserver-xorg-video-cirrus
-  xserver-xorg-video-dummy xserver-xorg-video-fbdev
-  xserver-xorg-video-glint xserver-xorg-video-i128
-  xserver-xorg-video-i740 xserver-xorg-video-mach64
-  xserver-xorg-video-mga xserver-xorg-video-neomagic
-  xserver-xorg-video-nouveau xserver-xorg-video-nv
-  xserver-xorg-video-r128 xserver-xorg-video-radeon
-  xserver-xorg-video-radeonhd xserver-xorg-video-rendition
-  xserver-xorg-video-s3 xserver-xorg-video-s3virge
-  xserver-xorg-video-savage xserver-xorg-video-siliconmotion
-  xserver-xorg-video-sis xserver-xorg-video-sisusb
-  xserver-xorg-video-tdfx xserver-xorg-video-tga
-  xserver-xorg-video-trident xserver-xorg-video-tseng
-  xserver-xorg-video-vesa xserver-xorg-video-vmware
-  xserver-xorg-video-voodoo
-&lt;/p&gt;&lt;/blockquote&gt;
+               <title>Digitale restriksjonsmekanismer fikk meg til å slutte å kjøpe musikk</title>
+               <link>http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til___slutte___kj_pe_musikk.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til___slutte___kj_pe_musikk.html</guid>
+                <pubDate>Thu, 22 Jul 2010 23:50:00 +0200</pubDate>
+               <description>&lt;p&gt;For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at
+musikkbransjen var godt i gang med å selge platene sine med DRM som
+gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg
+hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en
+plate om den var ødelagt eller ikke, og jeg hadde jo allerede en
+anseelig samling med plater, så jeg bestemme meg for å slutte å gi
+penger til en bransje som åpenbart ikke respekterte meg.&lt;/p&gt;

 
 

-&lt;p&gt;Installed using aptitude, removed with apt-get&lt;/p&gt;
+&lt;p&gt;Jeg har mange titalls dager med musikk på CD i dag. Det meste er
+lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har
+ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer
+musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt
+fornøyd.&lt;/p&gt;

 
 

-&lt;blockquote&gt;&lt;p&gt;
-  deskbar-applet xserver-xorg xserver-xorg-core
-  xserver-xorg-input-wacom xserver-xorg-video-intel
-  xserver-xorg-video-openchrome
-&lt;/p&gt;&lt;/blockquote&gt;
+&lt;p&gt;Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de
+setter pris på meg som kunde, og ikke skremme meg bort med DRM og
+antydninger om at kundene er kriminelle.&lt;/p&gt;

 
 

-&lt;p&gt;I was told on IRC that the xorg-xserver package was
-&lt;a href=&quot;http://git.debian.org/?p=pkg-xorg/xserver/xorg-server.git;a=commit;h=9c8080d06c457932d3bfec021c69ac000aa60120&quot;&gt;changed
-in git&lt;/a&gt; today to try to get apt-get to not remove xorg completely.
-No idea when it hits Squeeze, but when it does I hope it will reduce
-the difference somewhat.
+&lt;p&gt;Filmbransjen er like ille, men mens musikk gjerne varer lenge, er
+filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men
+holder meg til DVD-filmer som kan spilles av på mine Linuxbokser.
+Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene
+«Ultraviolet» som be annonsert her om dagen.&lt;/p&gt;

 </description>
        </item>
        
        <item>
 </description>
        </item>
        
        <item>

-               <title>MS Word krøller det til for politiet?</title>
-               <link>http://people.skolelinux.org/pere/blog/MS_Word_kr__ller_det_til_for_politiet_.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/MS_Word_kr__ller_det_til_for_politiet_.html</guid>
-                <pubDate>Thu, 8 Jul 2010 14:00:00 +0200</pubDate>
-               <description>
-&lt;p&gt;De siste dagene har Aftenposten
-&lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/article3718597.ece&quot;&gt;fortalt&lt;/a&gt;
-&lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/article3724249.ece&quot;&gt;hvordan&lt;/a&gt;
-politet har brukt skriveverktøy som ikke håndterer arabisk tekst og
-tekst som skal skrives fra høyre mot venstre når de har laget
-løpeseddel for å be om informasjon fra publikum.  Resultatet har vært
-en uleselig arabisk-bit på løpeseddelen.  Feilen har oppstått når
-teksten har blitt &quot;kopiert inn i programvare som ikke har støtte for
-språk som skrives fra høyre mot venstre&quot;, og jeg er ganske sikker på
-at det er snakk om Microsoft Office i dette tilfellet.  Er det slik at
-MS Office i norsk språkdrakt ikke har støtte for tekst som skal
-skrives fra høyre mot venstre?  Jeg tror alle utgaver av
-OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å
-la slik støtte finnes i alle utgaver av et program hvis støtten først
-er utviklet.  Aftenpostens melding får meg til å undre om problemet
-ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS
-Office.&lt;/p&gt;
+               <title>OpenStreetmap one step closer to having routing on its front page</title>
+               <link>http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html</guid>
+                <pubDate>Sun, 18 Jul 2010 16:45:00 +0200</pubDate>
+               <description>&lt;p&gt;Thanks to
+&lt;a href=&quot;http://feedproxy.google.com/~r/Opengeodata/~3/wUTCzDZk3lc/project-of-the-week-which-way-home&quot;&gt;todays
+opengeodata blog entry&lt;/a&gt;, I just discovered that the
+OpenStreetmap.org site have gotten
+&lt;a href=&quot;http://nroets.dev.openstreetmap.org/demo/index.html?layers=B000FTFTT&quot;&gt;support
+for calculating routes&lt;/a&gt;.  The support is still experimental and
+only available from the development server, until more experience is
+gathered on the user interface and any scalability issues.&lt;/p&gt;

 
 

-&lt;p&gt;Mon tro om det er flere eksempler på at MS Office har ødelagt for
-offentlig myndighet?&lt;/p&gt;
-</description>
-       </item>
-       
-       <item>
-               <title>jXplorer, a very nice LDAP GUI</title>
-               <link>http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</guid>
-                <pubDate>Fri, 9 Jul 2010 12:55:00 +0200</pubDate>
-               <description>
-&lt;p&gt;Since
-&lt;a href=&quot;http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html&quot;&gt;my
-last post&lt;/a&gt; about available LDAP tools in Debian, I was told about a
-LDAP GUI that is even better than luma.  The java application
-&lt;a href=&quot;http://jxplorer.org/&quot;&gt;jXplorer&lt;/a&gt; is claimed to be capable of
-moving LDAP objects and subtrees using drag-and-drop, and can
-authenticate using Kerberos.  I have only tested the Kerberos
-authentication, but do not have a LDAP setup allowing me to rewrite
-LDAP with my test user yet.  It is
-&lt;a href=&quot;http://packages.qa.debian.org/j/jxplorer.html&quot;&gt;available in
-Debian&lt;/a&gt; testing and unstable at the moment.  The only problem I
-have with it is how it handle errors.  If something go wrong, its
-non-intuitive behaviour require me to go through some query work list
-and remove the failing query.  Nothing big, but very annoying.&lt;/p&gt;
+&lt;p&gt;Earlier, the routing I knew about using the OpenStreetmap.org data
+was provided by &lt;a href=&quot;http://maps.cloudmade.com/&quot;&gt;Cloudmade&lt;/a&gt;,
+but having it on the main page is required to make everyone aware of
+the issue.  I&#39;ve had people reject Openstreetmap.org as a viable
+alternative for them because the front page lacked routing support,
+and I hope their needs will be catered for when routing show up on the
+www.openstreetmap.org front page.&lt;/p&gt;

 </description>
        </item>
        
        <item>
 </description>
        </item>
        
        <item>

-               <title>Idea for storing LTSP configuration in LDAP</title>
-               <link>http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</guid>
-                <pubDate>Sun, 11 Jul 2010 22:00:00 +0200</pubDate>
-               <description>
-&lt;p&gt;Vagrant mentioned on IRC today that ltsp_config now support
-sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin
-clients, and that this can be used to fetch configuration from LDAP if
-Debian Edu choose to store configuration there.&lt;/p&gt;
-
-&lt;p&gt;Armed with this information, I got inspired and wrote a test module
-to get configuration from LDAP.  The idea is to look up the MAC
-address of the client in LDAP, and look for attributes on the form
-ltspconfigsetting=value, and use this to export SETTING=value to the
-LTSP clients.&lt;/p&gt;
-
-&lt;p&gt;The goal is to be able to store the LTSP configuration attributes
-in a &quot;computer&quot; LDAP object used by both DNS and DHCP, and thus
-allowing us to store all information about a computer in one place.&lt;/p&gt;
-
-&lt;p&gt;This is a untested draft implementation, and I welcome feedback on
-this approach.  A real LDAP schema for the ltspClientAux objectclass
-need to be written.  Comments, suggestions, etc?&lt;/p&gt;
-
-&lt;blockquote&gt;&lt;pre&gt;
-# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
-#
-# Fetch LTSP client settings from LDAP based on MAC address
-#
-# Uses ethernet address as stored in the dhcpHost objectclass using
-# the dhcpHWAddress attribute or ethernet address stored in the
-# ieee802Device objectclass with the macAddress attribute.
-#
-# This module is written to be schema agnostic, and only depend on the
-# existence of attribute names.
-#
-# The LTSP configuration variables are saved directly using a
-# ltspConfig prefix and uppercasing the rest of the attribute name.
-# To set the SERVER variable, set the ltspConfigServer attribute.
-#
-# Some LDAP schema should be created with all the relevant
-# configuration settings.  Something like this should work:
-# 
-# objectclass ( 1.1.2.2 NAME &#39;ltspClientAux&#39;
-#     SUP top
-#     AUXILIARY
-#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )
-
-LDAPSERVER=$(debian-edu-ldapserver)
-if [ &quot;$LDAPSERVER&quot; ] ; then
-    LDAPBASE=$(debian-edu-ldapserver -b)
-    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk &#39;{print $5}&#39;|sort -u) ; do
-       filter=&quot;(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))&quot;
-       ldapsearch -h &quot;$LDAPSERVER&quot; -b &quot;$LDAPBASE&quot; -v -x &quot;$filter&quot; | \
-           grep &#39;^ltspConfig&#39; | while read attr value ; do
-           # Remove prefix and convert to upper case
-           attr=$(echo $attr | sed &#39;s/^ltspConfig//i&#39; | tr a-z A-Z)
-           # bass value on to clients
-           eval &quot;$attr=$value; export $attr&quot;
-       done
-    done
-fi
-&lt;/pre&gt;&lt;/blockquote&gt;
-
-&lt;p&gt;I&#39;m not sure this shell construction will work, because I suspect
-the while block might end up in a subshell causing the variables set
-there to not show up in ltsp-config, but if that is the case I am sure
-the code can be restructured to make sure the variables are passed on.
-I expect that can be solved with some testing. :)&lt;/p&gt;
-
-&lt;p&gt;If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
-
-&lt;p&gt;Update 2010-07-17: I am aware of another effort to store LTSP
-configuration in LDAP that was created around year 2000 by
-&lt;a href=&quot;http://www.pcxperience.com/thinclient/documentation/ldap.html&quot;&gt;PC
-Xperience, Inc., 2000&lt;/a&gt;.  I found its
-&lt;a href=&quot;http://people.redhat.com/alikins/ltsp/ldap/&quot;&gt;files&lt;/a&gt; on a
-personal home page over at redhat.com.&lt;/p&gt;
-</description>
-       </item>
-       
-       <item>
-               <title>Combining PowerDNS and ISC DHCP LDAP objects</title>
-               <link>http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</guid>
-                <pubDate>Wed, 14 Jul 2010 23:45:00 +0200</pubDate>
-               <description>
-&lt;p&gt;For a while now, I have wanted to find a way to change the DNS and
-DHCP services in Debian Edu to use the same LDAP objects for a given
-computer, to avoid the possibility of having a inconsistent state for
-a computer in LDAP (as in DHCP but no DNS entry or the other way
-around) and make it easier to add computers to LDAP.&lt;/p&gt;
-
-&lt;p&gt;I&#39;ve looked at how powerdns and dhcpd is using LDAP, and using this
-information finally found a solution that seem to work.&lt;/p&gt;
-
-&lt;p&gt;The old setup required three LDAP objects for a given computer.
-One forward DNS entry, one reverse DNS entry and one DHCP entry.  If
-we switch powerdns to use its strict LDAP method (ldap-method=strict
-in pdns-debian-edu.conf), the forward and reverse DNS entries are
-merged into one while making it impossible to transfer the reverse map
-to a slave DNS server.&lt;/p&gt;
-
-&lt;p&gt;If we also replace the object class used to get the DNS related
-attributes to one allowing these attributes to be combined with the
-dhcphost object class, we can merge the DNS and DHCP entries into one.
-I&#39;ve written such object class in the dnsdomainaux.schema file (need
-proper OIDs, but that is a minor issue), and tested the setup.  It
-seem to work.&lt;/p&gt;
-
-&lt;p&gt;With this test setup in place, we can get away with one LDAP object
-for both DNS and DHCP, and even the LTSP configuration I suggested in
-an earlier email.  The combined LDAP object will look something like
-this:&lt;/p&gt;
-
-&lt;blockquote&gt;&lt;pre&gt;
-  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-  cn: hostname
-  objectClass: dhcphost
-  objectclass: domainrelatedobject
-  objectclass: dnsdomainaux
-  associateddomain: hostname.intern
-  arecord: 10.11.12.13
-  dhcphwaddress: ethernet 00:00:00:00:00:00
-  dhcpstatements: fixed-address hostname
-  ldapconfigsound: Y
-&lt;/pre&gt;&lt;/blockquote&gt;
-
-&lt;p&gt;The DNS server uses the associateddomain and arecord entries, while
-the DHCP server uses the dhcphwaddress and dhcpstatements entries
-before asking DNS to resolve the fixed-adddress.  LTSP will use
-dhcphwaddress or associateddomain and the ldapconfig* attributes.&lt;/p&gt;
-
-&lt;p&gt;I am not yet sure if I can get the DHCP server to look for its
-dhcphost in a different location, to allow us to put the objects
-outside the &quot;DHCP Config&quot; subtree, but hope to figure out a way to do
-that.  If I can&#39;t figure out a way to do that, we can still get rid of
-the hosts subtree and move all its content into the DHCP Config tree
-(which probably should be renamed to be more related to the new
-content.  I suspect cn=dnsdhcp,ou=services or something like that
-might be a good place to put it.&lt;/p&gt;
-
-&lt;p&gt;If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
-</description>
-       </item>
-       
-       <item>
-               <title>What are they searching for - PowerDNS and ISC DHCP in LDAP</title>
-               <link>http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html</guid>
-                <pubDate>Sat, 17 Jul 2010 21:00:00 +0200</pubDate>
-               <description>
-&lt;p&gt;This is a
-&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html&quot;&gt;followup&lt;/a&gt;
-on my
-&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html&quot;&gt;previous
-work&lt;/a&gt; on
-&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html&quot;&gt;merging
-all&lt;/a&gt; the computer related LDAP objects in Debian Edu.&lt;/p&gt;
+               <title>What are they searching for - PowerDNS and ISC DHCP in LDAP</title>
+               <link>http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html</guid>
+                <pubDate>Sat, 17 Jul 2010 21:00:00 +0200</pubDate>
+               <description>&lt;p&gt;This is a
+&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html&quot;&gt;followup&lt;/a&gt;
+on my
+&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html&quot;&gt;previous
+work&lt;/a&gt; on
+&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html&quot;&gt;merging
+all&lt;/a&gt; the computer related LDAP objects in Debian Edu.&lt;/p&gt;

 
 &lt;p&gt;As a step to try to see if it possible to merge the DNS and DHCP
 LDAP objects, I have had a look at how the packages pdns-backend-ldap
 
 &lt;p&gt;As a step to try to see if it possible to merge the DNS and DHCP
 LDAP objects, I have had a look at how the packages pdns-backend-ldap


@@ -836,223 +599,505 @@ auxiliary object class.&lt;/p&gt;
        </item>
        
        <item>
        </item>
        
        <item>

-               <title>OpenStreetmap one step closer to having routing on its front page</title>
-               <link>http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html</guid>
-                <pubDate>Sun, 18 Jul 2010 16:45:00 +0200</pubDate>
-               <description>
-&lt;p&gt;Thanks to
-&lt;a href=&quot;http://feedproxy.google.com/~r/Opengeodata/~3/wUTCzDZk3lc/project-of-the-week-which-way-home&quot;&gt;todays
-opengeodata blog entry&lt;/a&gt;, I just discovered that the
-OpenStreetmap.org site have gotten
-&lt;a href=&quot;http://nroets.dev.openstreetmap.org/demo/index.html?layers=B000FTFTT&quot;&gt;support
-for calculating routes&lt;/a&gt;.  The support is still experimental and
-only available from the development server, until more experience is
-gathered on the user interface and any scalability issues.&lt;/p&gt;
+               <title>Combining PowerDNS and ISC DHCP LDAP objects</title>
+               <link>http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</guid>
+                <pubDate>Wed, 14 Jul 2010 23:45:00 +0200</pubDate>
+               <description>&lt;p&gt;For a while now, I have wanted to find a way to change the DNS and
+DHCP services in Debian Edu to use the same LDAP objects for a given
+computer, to avoid the possibility of having a inconsistent state for
+a computer in LDAP (as in DHCP but no DNS entry or the other way
+around) and make it easier to add computers to LDAP.&lt;/p&gt;

 
 

-&lt;p&gt;Earlier, the routing I knew about using the OpenStreetmap.org data
-was provided by &lt;a href=&quot;http://maps.cloudmade.com/&quot;&gt;Cloudmade&lt;/a&gt;,
-but having it on the main page is required to make everyone aware of
-the issue.  I&#39;ve had people reject Openstreetmap.org as a viable
-alternative for them because the front page lacked routing support,
-and I hope their needs will be catered for when routing show up on the
-www.openstreetmap.org front page.&lt;/p&gt;
+&lt;p&gt;I&#39;ve looked at how powerdns and dhcpd is using LDAP, and using this
+information finally found a solution that seem to work.&lt;/p&gt;
+
+&lt;p&gt;The old setup required three LDAP objects for a given computer.
+One forward DNS entry, one reverse DNS entry and one DHCP entry.  If
+we switch powerdns to use its strict LDAP method (ldap-method=strict
+in pdns-debian-edu.conf), the forward and reverse DNS entries are
+merged into one while making it impossible to transfer the reverse map
+to a slave DNS server.&lt;/p&gt;
+
+&lt;p&gt;If we also replace the object class used to get the DNS related
+attributes to one allowing these attributes to be combined with the
+dhcphost object class, we can merge the DNS and DHCP entries into one.
+I&#39;ve written such object class in the dnsdomainaux.schema file (need
+proper OIDs, but that is a minor issue), and tested the setup.  It
+seem to work.&lt;/p&gt;
+
+&lt;p&gt;With this test setup in place, we can get away with one LDAP object
+for both DNS and DHCP, and even the LTSP configuration I suggested in
+an earlier email.  The combined LDAP object will look something like
+this:&lt;/p&gt;
+
+&lt;blockquote&gt;&lt;pre&gt;
+  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+  cn: hostname
+  objectClass: dhcphost
+  objectclass: domainrelatedobject
+  objectclass: dnsdomainaux
+  associateddomain: hostname.intern
+  arecord: 10.11.12.13
+  dhcphwaddress: ethernet 00:00:00:00:00:00
+  dhcpstatements: fixed-address hostname
+  ldapconfigsound: Y
+&lt;/pre&gt;&lt;/blockquote&gt;
+
+&lt;p&gt;The DNS server uses the associateddomain and arecord entries, while
+the DHCP server uses the dhcphwaddress and dhcpstatements entries
+before asking DNS to resolve the fixed-adddress.  LTSP will use
+dhcphwaddress or associateddomain and the ldapconfig* attributes.&lt;/p&gt;
+
+&lt;p&gt;I am not yet sure if I can get the DHCP server to look for its
+dhcphost in a different location, to allow us to put the objects
+outside the &quot;DHCP Config&quot; subtree, but hope to figure out a way to do
+that.  If I can&#39;t figure out a way to do that, we can still get rid of
+the hosts subtree and move all its content into the DHCP Config tree
+(which probably should be renamed to be more related to the new
+content.  I suspect cn=dnsdhcp,ou=services or something like that
+might be a good place to put it.&lt;/p&gt;
+
+&lt;p&gt;If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.&lt;/p&gt;

 </description>
        </item>
        
        <item>
 </description>
        </item>
        
        <item>

-               <title>Digitale restriksjonsmekanismer fikk meg til å slutte å kjøpe musikk</title>
-               <link>http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til____slutte____kj__pe_musikk.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til____slutte____kj__pe_musikk.html</guid>
-                <pubDate>Thu, 22 Jul 2010 23:50:00 +0200</pubDate>
-               <description>
-&lt;p&gt;For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at
-musikkbransjen var godt i gang med å selge platene sine med DRM som
-gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg
-hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en
-plate om den var ødelagt eller ikke, og jeg hadde jo allerede en
-anseelig samling med plater, så jeg bestemme meg for å slutte å gi
-penger til en bransje som åpenbart ikke respekterte meg.&lt;/p&gt;
+               <title>Idea for storing LTSP configuration in LDAP</title>
+               <link>http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</guid>
+                <pubDate>Sun, 11 Jul 2010 22:00:00 +0200</pubDate>
+               <description>&lt;p&gt;Vagrant mentioned on IRC today that ltsp_config now support
+sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin
+clients, and that this can be used to fetch configuration from LDAP if
+Debian Edu choose to store configuration there.&lt;/p&gt;
+
+&lt;p&gt;Armed with this information, I got inspired and wrote a test module
+to get configuration from LDAP.  The idea is to look up the MAC
+address of the client in LDAP, and look for attributes on the form
+ltspconfigsetting=value, and use this to export SETTING=value to the
+LTSP clients.&lt;/p&gt;
+
+&lt;p&gt;The goal is to be able to store the LTSP configuration attributes
+in a &quot;computer&quot; LDAP object used by both DNS and DHCP, and thus
+allowing us to store all information about a computer in one place.&lt;/p&gt;
+
+&lt;p&gt;This is a untested draft implementation, and I welcome feedback on
+this approach.  A real LDAP schema for the ltspClientAux objectclass
+need to be written.  Comments, suggestions, etc?&lt;/p&gt;
+
+&lt;blockquote&gt;&lt;pre&gt;
+# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
+#
+# Fetch LTSP client settings from LDAP based on MAC address
+#
+# Uses ethernet address as stored in the dhcpHost objectclass using
+# the dhcpHWAddress attribute or ethernet address stored in the
+# ieee802Device objectclass with the macAddress attribute.
+#
+# This module is written to be schema agnostic, and only depend on the
+# existence of attribute names.
+#
+# The LTSP configuration variables are saved directly using a
+# ltspConfig prefix and uppercasing the rest of the attribute name.
+# To set the SERVER variable, set the ltspConfigServer attribute.
+#
+# Some LDAP schema should be created with all the relevant
+# configuration settings.  Something like this should work:
+# 
+# objectclass ( 1.1.2.2 NAME &#39;ltspClientAux&#39;
+#     SUP top
+#     AUXILIARY
+#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )
+
+LDAPSERVER=$(debian-edu-ldapserver)
+if [ &quot;$LDAPSERVER&quot; ] ; then
+    LDAPBASE=$(debian-edu-ldapserver -b)
+    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk &#39;{print $5}&#39;|sort -u) ; do
+       filter=&quot;(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))&quot;
+       ldapsearch -h &quot;$LDAPSERVER&quot; -b &quot;$LDAPBASE&quot; -v -x &quot;$filter&quot; | \
+           grep &#39;^ltspConfig&#39; | while read attr value ; do
+           # Remove prefix and convert to upper case
+           attr=$(echo $attr | sed &#39;s/^ltspConfig//i&#39; | tr a-z A-Z)
+           # bass value on to clients
+           eval &quot;$attr=$value; export $attr&quot;
+       done
+    done
+fi
+&lt;/pre&gt;&lt;/blockquote&gt;
+
+&lt;p&gt;I&#39;m not sure this shell construction will work, because I suspect
+the while block might end up in a subshell causing the variables set
+there to not show up in ltsp-config, but if that is the case I am sure
+the code can be restructured to make sure the variables are passed on.
+I expect that can be solved with some testing. :)&lt;/p&gt;
+
+&lt;p&gt;If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
+
+&lt;p&gt;Update 2010-07-17: I am aware of another effort to store LTSP
+configuration in LDAP that was created around year 2000 by
+&lt;a href=&quot;http://www.pcxperience.com/thinclient/documentation/ldap.html&quot;&gt;PC
+Xperience, Inc., 2000&lt;/a&gt;.  I found its
+&lt;a href=&quot;http://people.redhat.com/alikins/ltsp/ldap/&quot;&gt;files&lt;/a&gt; on a
+personal home page over at redhat.com.&lt;/p&gt;
+</description>
+       </item>
+       
+       <item>
+               <title>jXplorer, a very nice LDAP GUI</title>
+               <link>http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</guid>
+                <pubDate>Fri, 9 Jul 2010 12:55:00 +0200</pubDate>
+               <description>&lt;p&gt;Since
+&lt;a href=&quot;http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html&quot;&gt;my
+last post&lt;/a&gt; about available LDAP tools in Debian, I was told about a
+LDAP GUI that is even better than luma.  The java application
+&lt;a href=&quot;http://jxplorer.org/&quot;&gt;jXplorer&lt;/a&gt; is claimed to be capable of
+moving LDAP objects and subtrees using drag-and-drop, and can
+authenticate using Kerberos.  I have only tested the Kerberos
+authentication, but do not have a LDAP setup allowing me to rewrite
+LDAP with my test user yet.  It is
+&lt;a href=&quot;http://packages.qa.debian.org/j/jxplorer.html&quot;&gt;available in
+Debian&lt;/a&gt; testing and unstable at the moment.  The only problem I
+have with it is how it handle errors.  If something go wrong, its
+non-intuitive behaviour require me to go through some query work list
+and remove the failing query.  Nothing big, but very annoying.&lt;/p&gt;
+</description>
+       </item>
+       
+       <item>
+               <title>MS Word krøller det til for politiet?</title>
+               <link>http://people.skolelinux.org/pere/blog/MS_Word_kr_ller_det_til_for_politiet_.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/MS_Word_kr_ller_det_til_for_politiet_.html</guid>
+                <pubDate>Thu, 8 Jul 2010 14:00:00 +0200</pubDate>
+               <description>&lt;p&gt;De siste dagene har Aftenposten
+&lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/article3718597.ece&quot;&gt;fortalt&lt;/a&gt;
+&lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/article3724249.ece&quot;&gt;hvordan&lt;/a&gt;
+politet har brukt skriveverktøy som ikke håndterer arabisk tekst og
+tekst som skal skrives fra høyre mot venstre når de har laget
+løpeseddel for å be om informasjon fra publikum.  Resultatet har vært
+en uleselig arabisk-bit på løpeseddelen.  Feilen har oppstått når
+teksten har blitt &quot;kopiert inn i programvare som ikke har støtte for
+språk som skrives fra høyre mot venstre&quot;, og jeg er ganske sikker på
+at det er snakk om Microsoft Office i dette tilfellet.  Er det slik at
+MS Office i norsk språkdrakt ikke har støtte for tekst som skal
+skrives fra høyre mot venstre?  Jeg tror alle utgaver av
+OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å
+la slik støtte finnes i alle utgaver av et program hvis støtten først
+er utviklet.  Aftenpostens melding får meg til å undre om problemet
+ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS
+Office.&lt;/p&gt;
+
+&lt;p&gt;Mon tro om det er flere eksempler på at MS Office har ødelagt for
+offentlig myndighet?&lt;/p&gt;
+</description>
+       </item>
+       
+       <item>
+               <title>Lenny-&gt;Squeeze upgrades, apt vs aptitude with the Gnome desktop</title>
+               <link>http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</guid>
+                <pubDate>Sat, 3 Jul 2010 23:55:00 +0200</pubDate>
+               <description>&lt;p&gt;Here is a short update on my &lt;a
+href=&quot;http://people.skolelinux.org/~pere/debian-upgrade-testing/&quot;&gt;my
+Debian Lenny-&gt;Squeeze upgrade testing&lt;/a&gt;.  Here is a summary of the
+difference for Gnome when it is upgraded by apt-get and aptitude.  I&#39;m
+not reporting the status for KDE, because the upgrade crashes when
+aptitude try because of missing conflicts
+(&lt;a href=&quot;http://bugs.debian.org/584861&quot;&gt;#584861&lt;/a&gt; and
+&lt;a href=&quot;http://bugs.debian.org/585716&quot;&gt;#585716&lt;/a&gt;).&lt;/p&gt;
+
+&lt;p&gt;At the end of the upgrade test script, dpkg -l is executed to get a
+complete list of the installed packages.  Based on this I see these
+differences when I did a test run today.  As usual, I do not really
+know what the correct set of packages would be, but thought it best to
+publish the difference.&lt;/p&gt;
+
+&lt;p&gt;Installed using apt-get, missing with aptitude&lt;/p&gt;
+
+&lt;blockquote&gt;&lt;p&gt;
+  at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs
+  libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common
+  libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin
+  libgtksourceview-common libpt-1.10.10-plugins-alsa
+  libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java
+  libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip
+  python-4suite-xml python-eggtrayicon python-gtkhtml2
+  python-gtkmozembed svgalibg1 xserver-xephyr zip
+&lt;/p&gt;&lt;/blockquote&gt;
+
+&lt;p&gt;Installed using apt-get, removed with aptitude&lt;/p&gt;
+
+&lt;blockquote&gt;&lt;p&gt;
+  bluez-utils dhcdbd djvulibre-desktop epiphany-gecko
+  gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager
+  libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50
+  libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3
+  libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9
+  libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3
+  libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9
+  libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2
+  libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0
+  libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0
+  libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50
+  libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10
+  libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4
+  libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5
+  libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3
+  libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8
+  libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1
+  libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj
+  libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3
+  mysql-common swfdec-gnome totem-gstreamer wodim
+&lt;/p&gt;&lt;/blockquote&gt;
+
+&lt;p&gt;Installed using aptitude, missing with apt-get&lt;/p&gt;
+
+&lt;blockquote&gt;&lt;p&gt;
+  gnome gnome-desktop-environment hamster-applet python-gnomeapplet
+  python-gnomekeyring python-wnck rhythmbox-plugins xorg
+  xserver-xorg-input-all xserver-xorg-input-evdev
+  xserver-xorg-input-kbd xserver-xorg-input-mouse
+  xserver-xorg-input-synaptics xserver-xorg-video-all
+  xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati
+  xserver-xorg-video-chips xserver-xorg-video-cirrus
+  xserver-xorg-video-dummy xserver-xorg-video-fbdev
+  xserver-xorg-video-glint xserver-xorg-video-i128
+  xserver-xorg-video-i740 xserver-xorg-video-mach64
+  xserver-xorg-video-mga xserver-xorg-video-neomagic
+  xserver-xorg-video-nouveau xserver-xorg-video-nv
+  xserver-xorg-video-r128 xserver-xorg-video-radeon
+  xserver-xorg-video-radeonhd xserver-xorg-video-rendition
+  xserver-xorg-video-s3 xserver-xorg-video-s3virge
+  xserver-xorg-video-savage xserver-xorg-video-siliconmotion
+  xserver-xorg-video-sis xserver-xorg-video-sisusb
+  xserver-xorg-video-tdfx xserver-xorg-video-tga
+  xserver-xorg-video-trident xserver-xorg-video-tseng
+  xserver-xorg-video-vesa xserver-xorg-video-vmware
+  xserver-xorg-video-voodoo
+&lt;/p&gt;&lt;/blockquote&gt;
+
+&lt;p&gt;Installed using aptitude, removed with apt-get&lt;/p&gt;
+
+&lt;blockquote&gt;&lt;p&gt;
+  deskbar-applet xserver-xorg xserver-xorg-core
+  xserver-xorg-input-wacom xserver-xorg-video-intel
+  xserver-xorg-video-openchrome
+&lt;/p&gt;&lt;/blockquote&gt;
+
+&lt;p&gt;I was told on IRC that the xorg-xserver package was
+&lt;a href=&quot;http://git.debian.org/?p=pkg-xorg/xserver/xorg-server.git;a=commit;h=9c8080d06c457932d3bfec021c69ac000aa60120&quot;&gt;changed
+in git&lt;/a&gt; today to try to get apt-get to not remove xorg completely.
+No idea when it hits Squeeze, but when it does I hope it will reduce
+the difference somewhat.
+</description>
+       </item>
+       
+       <item>
+               <title>Caching password, user and group on a roaming Debian laptop</title>
+               <link>http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</link>        
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</guid>
+                <pubDate>Thu, 1 Jul 2010 11:40:00 +0200</pubDate>
+               <description>&lt;p&gt;For a laptop, centralized user directories and password checking is
+a bit troubling.  Laptops are typically used also when not connected
+to the network, and it is vital for a user to be able to log in or
+unlock the screen saver also when a central server is unavailable.
+This is possible by caching passwords and directory information (user
+and group attributes) locally, and the packages to do so are available
+in Debian.  Here follow two recipes to set this up in Debian/Squeeze.
+It is also possible to set up in Debian/Lenny, but require more manual
+setup there because pam-auth-update is missing in Lenny.&lt;/p&gt;
+
+&lt;h2&gt;LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir&lt;/h2&gt;
+
+This is the traditional method with a twist.  The password caching is
+provided by libpam-ccreds (version 10-4 or later is needed on
+Squeeze), and the directory caching is done by nscd.  The directory
+lookup and password checking is done using LDAP.  If one want to use
+Kerberos for password checking the libpam-ldapd package can be
+replaced with libpam-krb5 or libpam-heimdal.  If one is happy having a
+local home directory with the path listed in LDAP, one can use the
+pam_mkhomedir module from pam-modules to make this happen instead of
+using libpam-mklocaluser.  A setup for pam-auth-update to enable
+pam_mkhomedir will have to be written until a fix for
+&lt;a href=&quot;http://bugs.debian.org/568577&quot;&gt;bug #568577&lt;/a&gt; is in the
+archive.  Because I believe it is a bad idea to have local home
+directories using misleading paths like /site/server/partition/, I
+prefer to create a local user with the home directory in /home/.  This
+is done using the libpam-mklocaluser package.&lt;/p&gt;
+
+&lt;p&gt;These packages need to be installed and configured&lt;/p&gt;
+
+&lt;blockquote&gt;&lt;pre&gt;
+libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
+&lt;/pre&gt;&lt;/blockquote&gt;
+
+&lt;p&gt;The ldapd packages will ask for LDAP connection information, and
+one have to fill in the values that fits ones own site.  Make sure the
+PAM part uses encrypted connections, to make sure the password is not
+sent in clear text to the LDAP server.  I&#39;ve been unable to get TLS
+certificate checking for a self signed certificate working, which make
+LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
+is talking to the correct LDAP server), and very much welcome feedback
+on how to get this working.&lt;/p&gt;
+
+&lt;p&gt;Because nscd do not have a default configuration fit for offline
+caching until &lt;a href=&quot;http://bugs.debian.org/485282&quot;&gt;bug #485282&lt;/a&gt;
+is fixed, this configuration should be used instead of the one
+currently in /etc/nscd.conf.  The changes are in the fields
+reload-count and positive-time-to-live, and is based on the
+instructions I found in the
+&lt;a href=&quot;http://www.flyn.org/laptopldap/&quot;&gt;LDAP for Mobile Laptops&lt;/a&gt;
+instructions by Flyn Computing.&lt;/p&gt;
+
+&lt;blockquote&gt;&lt;pre&gt;
+       debug-level             0
+       reload-count            unlimited
+       paranoia                no
+
+       enable-cache            passwd          yes
+       positive-time-to-live   passwd          2592000
+       negative-time-to-live   passwd          20
+       suggested-size          passwd          211
+       check-files             passwd          yes
+       persistent              passwd          yes
+       shared                  passwd          yes
+       max-db-size             passwd          33554432
+       auto-propagate          passwd          yes
+
+       enable-cache            group           yes
+       positive-time-to-live   group           2592000
+       negative-time-to-live   group           20
+       suggested-size          group           211
+       check-files             group           yes
+       persistent              group           yes
+       shared                  group           yes
+       max-db-size             group           33554432
+       auto-propagate          group           yes

 
 

-&lt;p&gt;Jeg har mange titalls dager med musikk på CD i dag. Det meste er
-lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har
-ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer
-musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt
-fornøyd.&lt;/p&gt;
+       enable-cache            hosts           no
+       positive-time-to-live   hosts           2592000
+       negative-time-to-live   hosts           20
+       suggested-size          hosts           211
+       check-files             hosts           yes
+       persistent              hosts           yes
+       shared                  hosts           yes
+       max-db-size             hosts           33554432

 
 

-&lt;p&gt;Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de
-setter pris på meg som kunde, og ikke skremme meg bort med DRM og
-antydninger om at kundene er kriminelle.&lt;/p&gt;
+       enable-cache            services        yes
+       positive-time-to-live   services        2592000
+       negative-time-to-live   services        20
+       suggested-size          services        211
+       check-files             services        yes
+       persistent              services        yes
+       shared                  services        yes
+       max-db-size             services        33554432
+&lt;/pre&gt;&lt;/blockquote&gt;

 
 

-&lt;p&gt;Filmbransjen er like ille, men mens musikk gjerne varer lenge, er
-filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men
-holder meg til DVD-filmer som kan spilles av på mine Linuxbokser.
-Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene
-«Ultraviolet» som be annonsert her om dagen.&lt;/p&gt;
-</description>
-       </item>
-       
-       <item>
-               <title>One step closer to single signon in Debian Edu</title>
-               <link>http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</guid>
-                <pubDate>Sun, 25 Jul 2010 10:00:00 +0200</pubDate>
-               <description>
-&lt;p&gt;The last few months me and the other Debian Edu developers have
-been working hard to get the Debian/Squeeze based version of Debian
-Edu/Skolelinux into shape.  This future version will use Kerberos for
-authentication, and services are slowly migrated to single signon,
-getting rid of password questions one at the time.&lt;/p&gt;
+&lt;p&gt;While we wait for a mechanism to update /etc/nsswitch.conf
+automatically like the one provided in
+&lt;a href=&quot;http://bugs.debian.org/496915&quot;&gt;bug #496915&lt;/a&gt;, the file
+content need to be manually replaced to ensure LDAP is used as the
+directory service on the machine.  /etc/nsswitch.conf should normally
+look like this:&lt;/p&gt;

 
 

-&lt;p&gt;It will also feature a roaming workstation profile with local home
-directory, for laptops that are only some times on the Skolelinux
-network, and for this profile a shortcut is created in Gnome and KDE
-to gain access to the users home directory on the file server.  This
-shortcut uses SMB at the moment, and yesterday I had time to test if
-SMB mounting had started working in KDE after we added the cifs-utils
-package.  I was pleasantly surprised how well it worked.&lt;/p&gt;
+&lt;blockquote&gt;&lt;pre&gt;
+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks:       files
+protocols:      files
+services:       files
+ethers:         files
+rpc:            files
+netgroup:       files ldap
+&lt;/pre&gt;&lt;/blockquote&gt;

 
 

-&lt;p&gt;Thanks to the recent changes to our samba configuration to get it
-to use Kerberos for authentication, there were no question about user
-password when mounting the SMB volume.  A simple click on the shortcut
-in the KDE menu, and a window with the home directory popped
-up. :)&lt;/p&gt;
+&lt;p&gt;The important parts are that ldap is listed last for passwd, group,
+shadow and netgroup.&lt;/p&gt;

 
 

-&lt;p&gt;One step closer to a single signon solution out of the box in
-Debian Edu.  We already had PAM, LDAP, IMAP and SMTP in place, and now
-also Samba.  Next step is Cups and hopefully also NFS.&lt;/p&gt;
+&lt;p&gt;With these changes in place, any user in LDAP will be able to log
+in locally on the machine using for example kdm, get a local home
+directory created and have the password as well as user and group
+attributes cached.

 
 

-&lt;p&gt;We had planned a alpha0 release of Debian Edu for today, but thanks
-to the autobuilder administrators for some architectures being slow to
-sign packages, we are still missing the fixed LTSP package we need for
-the release.  It was uploaded three days ago with urgency=high, and if
-it had entered testing yesterday we would have been able to test it in
-time for a alpha0 release today.  As the binaries for ia64 and powerpc
-still not uploaded to the Debian archive, we need to delay the alpha
-release another day.&lt;/p&gt;
+&lt;h2&gt;LDAP/Kerberos + nss-updatedb + libpam-ccreds +
+  libpam-mklocaluser/pam_mkhomedir&lt;/h2&gt;

 
 

-&lt;p&gt;If you want to help out with implementing Kerberos for Debian Edu,
-please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
-</description>
-       </item>
-       
-       <item>
-               <title>First Debian Edu test release (alpha0) based on Squeeze is released</title>
-               <link>http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html</link>        
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html</guid>
-                <pubDate>Tue, 27 Jul 2010 17:45:00 +0200</pubDate>
-               <description>
-&lt;p&gt;I just posted this announcement culminating several months of work
-with the next Debian Edu release.  Not nearly done, but one major step
-completed.&lt;/p&gt;
+&lt;p&gt;Because nscd have had its share of problems, and seem to have
+problems doing proper caching, I&#39;ve seen suggestions and recipes to
+use nss-updatedb to copy parts of the LDAP database locally when the
+LDAP database is available.  I have not tested such setup, because I
+discovered sssd.&lt;/p&gt;

 
 

-&lt;blockquote&gt;
-&lt;p&gt;This is the first test release based on Squeeze. The focus of this
-release is to test the user application selection. To have a look,
-install the standalone profile and let the developers know if the set
-of installed packages i.e. applications should be modified. If some
-user application is missing, or if there are some applications that no
-longer make sense to be included in Debian Edu, please let us know.
-Also, if a useful application is missing the translation for your
-language of choice, please let us know too.&lt;/p&gt;
+&lt;h2&gt;LDAP/Kerberos + sssd + libpam-mklocaluser&lt;/h2&gt;

 
 

-&lt;p&gt;In addition, feedback and help to polish the desktop (menus,
-artwork, starters, etc.) is appreciated. We would like to ship a nice
-and handy KDE4 desktop targeted for schools out of the box.&lt;/p&gt;
+&lt;p&gt;A more flexible and robust setup than the nscd combination
+mentioned earlier that has shown up recently, is the
+&lt;a href=&quot;https://fedorahosted.org/sssd/&quot;&gt;sssd&lt;/a&gt; package from Redhat.
+It is part of the &lt;a href=&quot;http://www.freeipa.org/&quot;&gt;FreeIPA&lt;/A&gt; project
+to provide a Active Directory like directory service for Linux
+machines.  The sssd system combines the caching of passwords and user
+information into one package, and remove the need for nscd and
+libpam-ccreds.  It support LDAP and Kerberos, but not NIS.  Version
+1.2 do not support netgroups, but it is said that it will support this
+in version 1.5 expected to show up later in 2010.  Because the
+&lt;a href=&quot;http://packages.qa.debian.org/s/sssd.html&quot;&gt;sssd package&lt;/a&gt;
+was missing in Debian, I ended up co-maintaining it with Werner, and
+version 1.2 is now in testing.

 
 

-&lt;p&gt;The other profiles should be installable, but there is a lot more
-work left to be done before they are ready, so do not expect to
-much.&lt;/p&gt;
+&lt;p&gt;These packages need to be installed and configured to get the
+roaming setup I want&lt;/p&gt;

 
 

-&lt;p&gt;Changes compared to the lenny based version&lt;/p&gt;
+&lt;blockquote&gt;&lt;pre&gt;
+libpam-sss libnss-sss libpam-mklocaluser
+&lt;/pre&gt;&lt;/blockquote&gt;

 
 

-&lt;ul&gt;
-&lt;li&gt;Everything from Debian Squeeze
-&lt;ul&gt;
-  &lt;li&gt;Desktop environment KDE 4.4 =&gt; the new KDE desktop in
-         combination with some new artwork
-  &lt;li&gt;Web browser Iceweasel 3.5
-  &lt;li&gt;OpenOffice.org 3.2
-  &lt;li&gt;Educational toolbox GCompris 9.3
-  &lt;li&gt;Music creator Rosegarden 10.04.2
-  &lt;li&gt;Image editor Gimp 2.6.10
-  &lt;li&gt;Virtual universe Celestia 1.6.0
-  &lt;li&gt;Virtual stargazer Stellarium 0.10.4
-  &lt;li&gt;3D modeler Blender 2.49.2 (new application)
-  &lt;li&gt;Video editor Kdenlive 0.7.7 (new application)
-&lt;/ul&gt;&lt;/li&gt;
-&lt;li&gt;Now using Kerberos for password checking (migration not finished).
-    Enabled for:
-&lt;ul&gt;
-  &lt;li&gt;PAM
-  &lt;li&gt;LDAP
-  &lt;li&gt;IMAP
-  &lt;li&gt;SMTP (sender verification)
-&lt;/ul&gt;
-&lt;/li&gt;
-&lt;li&gt;New experimental roaming workstation profile for laptops.&lt;/li&gt;
-&lt;li&gt;Show welcome page to users when they first log in. The URL is
-    fetched from LDAP.&lt;/li&gt;
-&lt;li&gt;New LXDE desktop option, in addition to KDE (default) and Gnome.&lt;/li&gt;
-&lt;li&gt;General cleanup (not finished)&lt;/li&gt;
-&lt;/ul&gt;
-&lt;p&gt;The following features are not working as they should&lt;/p&gt;
+The complete setup of sssd is done by editing/creating
+&lt;tt&gt;/etc/sssd/sssd.conf&lt;/tt&gt;.

 
 

-&lt;ul&gt;
-&lt;li&gt;No web based administration tool for creating users and groups. The
-    scripts ldap-createuser-krb and ldap-add-user-to-group can be used
-    for testing.&lt;/li&gt;
-&lt;li&gt;DVD installs are missing debian-installer images for the PXE boot,
-    and do not set up the PXE menu on eth0 because of this. LTSP
-    clients should still boot from eth1 on thin client servers.&lt;/li&gt;
-&lt;li&gt;The restructured KDE menu is not implemented.&lt;/li&gt;
-&lt;li&gt;The LDAP server setup need to be reviewed for security.&lt;/li&gt;
-&lt;li&gt;The LDAP directory structure need to be reworked.&lt;/li&gt;
-&lt;li&gt;Different sets of packages are installed when using the DVD and the
-    netinst CD. More packages are installed using the netinst CD.&lt;/li&gt;
-&lt;li&gt;The jackd package fail to install. This is believed to be caused by
-    some ongoing transition, and hopefully should be solved soon. The
-    jackd1 package can be installed manually for those that need it.&lt;/li&gt;
-&lt;li&gt;Some packages lack translations. See
-    http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status,
-    and help out with translations.&lt;/li&gt;
-&lt;/ul&gt;
+&lt;blockquote&gt;&lt;pre&gt;
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = INTERN

 
 

-&lt;p&gt;To download this multiarch netinstall release you can use&lt;/p&gt;
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3

 
 

-&lt;ul&gt;
-&lt;li&gt;&lt;a href=&quot;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&quot;&gt;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&lt;/a&gt;&lt;/li&gt;
-&lt;li&gt;&lt;a href=&quot;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&quot;&gt;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&lt;/a&gt;&lt;/li&gt;
-&lt;li&gt;rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&lt;/li&gt;
-&lt;/ul&gt;
-&lt;p&gt;To download this multiarch dvd release you can use&lt;/p&gt;
+[pam]
+reconnection_retries = 3

 
 

-&lt;ul&gt;
-&lt;li&gt;&lt;a href=&quot;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&quot;&gt;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&lt;/a&gt;&lt;/li&gt;
-&lt;li&gt;&lt;a href=&quot;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&quot;&gt;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&lt;/a&gt;&lt;/li&gt;
-&lt;li&gt;rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&lt;/li&gt;
-&lt;/ul&gt;
+[domain/INTERN]
+enumerate = false
+cache_credentials = true

 
 

-&lt;p&gt;There is no source DVD available yet. It will be prepared when we
-get closer to the final release.&lt;/p&gt;
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap

 
 

-&lt;p&gt;The MD5SUM of these images are&lt;/p&gt;
+ldap_uri = ldap://ldap
+ldap_search_base = dc=skole,dc=skolelinux,dc=no
+ldap_tls_reqcert = never
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+&lt;/pre&gt;&lt;/blockquote&gt;

 
 

-&lt;ul&gt;
-&lt;li&gt;3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso&lt;/li&gt;
-&lt;li&gt;22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso&lt;/li&gt;
-&lt;/ul&gt;
+&lt;p&gt;I got the same problem here with certificate checking.  Had to set
+&quot;ldap_tls_reqcert = never&quot; to get it working.&lt;/p&gt;

 
 

-&lt;p&gt;The SHA1SUM of these images are&lt;/p&gt;
-&lt;ul&gt;
-&lt;li&gt;c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso&lt;/li&gt;
-&lt;li&gt;2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso&lt;/li&gt;
-&lt;/ul&gt;
-&lt;p&gt;How to report bugs:
-http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla&lt;/p&gt;
+&lt;p&gt;With the libnss-sss package in testing at the moment, the
+nsswitch.conf file is update automatically, so there is no need to
+modify it manually.&lt;/p&gt;

 
 

-&lt;p&gt;Please direct replies to debian-edu@lists.debian.org&lt;/p&gt;
-&lt;/blockquote&gt;
+&lt;p&gt;If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.&lt;/p&gt;

 </description>
        </item>
        
 </description>
        </item>