Petter Reinholdtsen

Internet-leverandÃ¸rer er ikke vokterne av sine kunders nettbruk

Fri, 6 Nov 2009 18:45:00 +0100

Det er svÃ¦rt gledelig Ã¥ se at -retten -fant at Telenor ikke skal fungere som Internet-voktere pÃ¥ vegne av -opphavsrettsmafiaen. TONO pÃ¥stÃ¥r ikke overraskende "rettighetshaverne -er rettslÃ¸se". De burde jo vite alt om hvordan rettighetshaverne blir -behandlet, som har -nektet -Ã¥ hjelpe en av sine medlemmer i en plagiatsak mot Universal i -Polen.

- -

Ved opphavsrettsbrudd sÃ¥ er det jo den som offentliggjort -kulturuttrykk ulovlig som mÃ¥ stilles til ansvar, og ikke noen andre. -Hverken Telenor eller Pirate Bay publiserer innholdet. Telenor lager -en Internet-tjeneste som brukes av borgerne til sitt daglige virke, -det vÃ¦re seg Ã¥ holde kontakt med barnebarn, skaffe medisinsk viten -eller holde seg orientert i samfunnsdebatten. Det bÃ¸r de gjÃ¸re uten Ã¥ -tvinges til Ã¥ vÃ¦re overvÃ¥kningsinstans. Og Pirate Bay lager en -katalog over hvor lovlig og ulovlig innhold pÃ¥ Internet er Ã¥ fÃ¥ tak i. -De publiserer ikke innholdet, de lager kun en katalog over det. Hvis -en ikke liker det som blir publisert, sÃ¥ mÃ¥ det tas opp med den som -publiserer, ikke noen andre.

- -

Personlig velger jeg Ã¥ stort sett bruke kulturuttrykk som -publiseres med mer brukervennlige vilkÃ¥r, som CC-BY og lignende.

Vagrant mentioned on IRC today that ltsp_config now support +sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin +clients, and that this can be used to fetch configuration from LDAP if +Debian Edu choose to store configuration there.

+ +

Armed with this information, I got inspired and wrote a test module +to get configuration from LDAP. The idea is to look up the MAC +address of the client in LDAP, and look for attributes on the form +ltspconfigsetting=value, and use this to export SETTING=value to the +LTSP clients.

+ +

The goal is to be able to store the LTSP configuration attributes +in a "computer" LDAP object used by both DNS and DHCP, and thus +allowing us to store all information about a computer in one place.

+ +

This is a untested draft implementation, and I welcome feedback on +this approach. A real LDAP schema for the ltspClientAux objectclass +need to be written. Comments, suggestions, etc?

+ +

+# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
+#
+# Fetch LTSP client settings from LDAP based on MAC address
+#
+# Uses ethernet address as stored in the dhcpHost objectclass using
+# the dhcpHWAddress attribute or ethernet address stored in the
+# ieee802Device objectclass with the macAddress attribute.
+#
+# This module is written to be schema agnostic, and only depend on the
+# existence of attribute names.
+#
+# The LTSP configuration variables are saved directly using a
+# ltspConfig prefix and uppercasing the rest of the attribute name.
+# To set the SERVER variable, set the ltspConfigServer attribute.
+#
+# Some LDAP schema should be created with all the relevant
+# configuration settings.  Something like this should work:
+# 
+# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
+#     SUP top
+#     AUXILIARY
+#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )
+
+LDAPSERVER=$(debian-edu-ldapserver)
+if [ "$LDAPSERVER" ] ; then
+    LDAPBASE=$(debian-edu-ldapserver -b)
+    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do
+	filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))"
+	ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \
+	    grep '^ltspConfig' | while read attr value ; do
+	    # Remove prefix and convert to upper case
+	    attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z)
+	    # bass value on to clients
+	    eval "$attr=$value; export $attr"
+	done
+    done
+fi
+

+ +

I'm not sure this shell construction will work, because I suspect +the while block might end up in a subshell causing the variables set +there to not show up in ltsp-config, but if that is the case I am sure +the code can be restructured to make sure the variables are passed on. +I expect that can be solved with some testing. :)

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

Endelig operativt webbasert medlemsregister for Fri programvare i skolen

Mon, 2 Nov 2009 22:40:00 +0100

Under helgens utviklersamling i -Skolelinux fikk jeg endelig -satt meg ned sammen med Ronny Aasen i styret for Ã¥ fÃ¥ et webbasert -medlemsregister tilbake pÃ¥ plass for foreningen som passer pÃ¥ -skolelinuxprosjektet. Etter flere Ã¥rs knot og problemer, er nÃ¥ -memberdb satt opp og klart til bruk. Import av det gamle -medlemsregisteret har vist seg vanskelig, sÃ¥ alle medlemmer bes om Ã¥ -registrere seg pÃ¥ nytt. Hvis du stÃ¸tter FRiSKs formÃ¥l sÃ¥ er du -hjertelig velkommen til -Ã¥ melde deg -inn. FormÃ¥let lyder:

- -

Linux i skolen skal tilrettelegge for og informere om bruk -av fri programvare, i henhold til Debian Free Software Guidelines av -2002-02-03, i den norske skolen, slik som f.eks. Linux og -GNU.

Since +my +last post about available LDAP tools in Debian, I was told about a +LDAP GUI that is even better than luma. The java application +jXplorer is claimed to be capable of +moving LDAP objects and subtrees using drag-and-drop, and can +authenticate using Kerberos. I have only tested the Kerberos +authentication, but do not have a LDAP setup allowing me to rewrite +LDAP with my test user yet. It is +available in +Debian testing and unstable at the moment. The only problem I +have with it is how it handle errors. If something go wrong, its +non-intuitive behaviour require me to go through some query work list +and remove the failing query. Nothing big, but very annoying.

Jeg vil ikke ha BankID

Fri, 30 Oct 2009 13:05:00 +0100

Min hovedbankforbindelse, -Postbanken, har fra 1. oktober -blokkert tilgangen min til nettbanken hvis jeg ikke godtar vilkÃ¥rene -for BankID og gÃ¥r over til Ã¥ -bruke BankID for tilgangskontroll. Tidligere kunne jeg bruke en -kodekalkulator som ga tilgang til nettbanken, men nÃ¥ er dette ikke -lenger mulig. Jeg blokkeres ute fra nettbanken og mine egne penger -hvis jeg ikke godtar det jeg anser som urimelige vilkÃ¥r i -BankID-avtalen.

- -

BankID er en lÃ¸sning der banken gis rett til Ã¥ handle pÃ¥ vegne av -meg, med avtalemessig forutsetning at jeg i hvert enkelt tilfelle har -bedt banken gjÃ¸re dette. BankID kan brukes til Ã¥ signere avtaler, -oppta lÃ¥n og andre handlinger som har alvorlige fÃ¸lger for meg. -Problemet slik jeg ser det er at BankID er lagt opp slik at banken har -all informasjon og tilgang som den trenger for Ã¥ bruke BankID, ogsÃ¥ -uten at jeg er involvert. Avtalemessing og juridisk skal de kun bruke -min BankID nÃ¥r jeg har oppgitt pinkode og passord, men praktisk og -konkret kan de gjÃ¸re dette ogsÃ¥ uten at min pinkode eller mitt passord -er oppgitt, da de allerede har min pinkode og passord tilgjengelig hos -seg for Ã¥ kunne sjekke at riktig pinkode og passord er oppgitt av meg -(eller kan skaffe seg det ved behov). Jeg Ã¸nsker ikke Ã¥ gi banken -rett til Ã¥ inngÃ¥ avtaler pÃ¥ vegne av meg.

- -

Rent teknisk er BankID et offentlig nÃ¸kkelpar, en privat og en -offentlig nÃ¸kkel, der den private nÃ¸kkelen er nÃ¸dvendig for Ã¥ -"signere" pÃ¥ vegne av den nÃ¸kkelen gjelder for, og den offentlige -nÃ¸kkelen er nÃ¸dvendig for Ã¥ sjekke hvem som har signert. Banken -sitter pÃ¥ bÃ¥de den private og den offentlige nÃ¸kkelen, og sier de kun -skal bruke den private hvis kunden ber dem om det og oppgir pinkode og -passord.

- - -

I postbankens -vilkÃ¥r -for BankID stÃ¥r fÃ¸lgende:

- -

-
"6. AnvendelsesomrÃ¥det for BankID
- -
PersonBankID kan benyttes fra en datamaskin, eller etter nÃ¦rmere - avtale fra en mobiltelefon/SIM-kort, for pÃ¥logging i nettbank og til - identifisering og signering i forbindelse med elektronisk - meldingsforsendelse, avtaleinngÃ¥else og annen form for nettbasert - elektronisk kommunikasjon med Banken og andre brukersteder som har - tilrettelagt for bruk av BankID. Dette forutsetter at brukerstedet - har inngÃ¥tt avtale med bank om bruk av BankID."
-

- -

Det er spesielt retten til "avtaleinngÃ¥else" jeg synes er urimelig -Ã¥ kreve for at jeg skal fÃ¥ tilgang til mine penger via nettbanken, men -ogsÃ¥ retten til Ã¥ kommunsere pÃ¥ vegne av meg med andre brukersteder og -signering av meldigner synes jeg er problematisk. Jeg mÃ¥ godta at -banken skal kunne signere for meg pÃ¥ avtaler og annen kommunikasjon -for Ã¥ fÃ¥ BankID.

- -

PÃ¥ spÃ¸rsmÃ¥l om hvordan jeg kan fÃ¥ tilgang til nettbank uten Ã¥ gi -banken rett til Ã¥ inngÃ¥ avtaler pÃ¥ vegne av meg svarer Postbankens -kundestÃ¸tte at "Postbanken har valgt BankID for bl.a. pÃ¥logging i -nettbank , sÃ¥ her mÃ¥ du nok ha hele denne lÃ¸sningen". Jeg nektes -altsÃ¥ tilgang til nettbanken inntil jeg godtar at Postbanken kan -signere avtaler pÃ¥ vegne av meg.

- -

Postbankens kundestÃ¸tte sier videre at "Det har blitt et krav til -alle norske banker om Ã¥ innfÃ¸re BankID, bl.a pÃ¥ grunn av -sikkerhet", uten at jeg her helt sikker pÃ¥ hvem som har framsatt -dette kravet. [Oppdatering: Postbankens kundestÃ¸tte sier kravet er -fastsatt av kreditttilsynet -og BBS.] Det som er situasjonen er -dog at det er svÃ¦rt fÃ¥ banker igjen som ikke bruker BankID, og jeg -vet ikke hvilken bank som er et godt alternativ for meg som ikke vil -gi banken rett til Ã¥ signere avtaler pÃ¥ mine vegne.

- -

Jeg Ã¸nsker mulighet til Ã¥ reservere meg mot at min BankID brukes -til annet enn Ã¥ identifisere meg overfor nettbanken fÃ¸r jeg vil ta i -bruk BankID. Ved nettbankbruk er det begrenset hvor store skader som -kan oppstÃ¥ ved misbruk, mens avtaleinngÃ¥else ikke har tilsvarende -begrensing.

- -

Jeg har klaget vilkÃ¥rene inn for forbrukerombudet, men -regner ikke med at de vil kunne bidra til en rask lÃ¸sning som gir meg -nettbankkontroll over egne midler. :( +

De siste dagene har Aftenposten +fortalt +hvordan +politet har brukt skriveverktÃ¸y som ikke hÃ¥ndterer arabisk tekst og +tekst som skal skrives fra hÃ¸yre mot venstre nÃ¥r de har laget +lÃ¸peseddel for Ã¥ be om informasjon fra publikum. Resultatet har vÃ¦rt +en uleselig arabisk-bit pÃ¥ lÃ¸peseddelen. Feilen har oppstÃ¥tt nÃ¥r +teksten har blitt "kopiert inn i programvare som ikke har stÃ¸tte for +sprÃ¥k som skrives fra hÃ¸yre mot venstre", og jeg er ganske sikker pÃ¥ +at det er snakk om Microsoft Office i dette tilfellet. Er det slik at +MS Office i norsk sprÃ¥kdrakt ikke har stÃ¸tte for tekst som skal +skrives fra hÃ¸yre mot venstre? Jeg tror alle utgaver av +OpenOffice.org har slik stÃ¸tte, og det er jo ikke veldig vanskelig Ã¥ +la slik stÃ¸tte finnes i alle utgaver av et program hvis stÃ¸tten fÃ¸rst +er utviklet. Aftenpostens melding fÃ¥r meg til Ã¥ undre om problemet +ville vÃ¦rt unngÃ¥tt hvis politiet brukte OpenOffice.org i stedet for MS +Office.

+ +

Mon tro om det er flere eksempler pÃ¥ at MS Office har Ã¸delagt for +offentlig myndighet?

Internet-sensur skal i retten pÃ¥ mandag

Sat, 10 Oct 2009 22:00:00 +0200

DagensIT -melder at Telenor og Tono skal i retten pÃ¥ mandag for Ã¥ diskutere -hvorvidt Tonos krav om at Telenor skal blokkere for tilgang til The -Pirate Bay er i trÃ¥d med norsk rett. Det blir interessant Ã¥ se -resultatet fra den rettsaken.

- -

Jeg bet meg dog merke i en av pÃ¥standene fra Tonos advokat Cato -StrÃ¸m, som forteller at "Pirate Bay inneholder 95 prosent ulovlig -utlagt materiale, og Ã¥ stanse tilgangen til det kan ikke kalles -sensur". Jeg tok en titt pÃ¥ -forsiden til The Pirate Bay, -som forteller at det pr. i dag er 1 884 694 torrenter pÃ¥ trackeren. -Dette tilsvarer antall filer en kan sÃ¸ke blant og hente ned ved hjelp -av The Pirate Bay. 5% av dette antallet er 94 235. Det kan dermed -virke som om Tonos advokat mener at det ikke er sensur Ã¥ blokkere for -tilgang til nesten 100 000 lovlige filer. Jeg lurer pÃ¥ om han er -korrekt sitert.

- -

Lurer ogsÃ¥ pÃ¥ hvor 95%-tallet kommer fram. Er det seriÃ¸s og -etterprÃ¸vbar forskning pÃ¥ omrÃ¥det som viser at dette er andelen -ulovlige filer tilgjengelig via The Pirate Bay, eller er det -musikkbransjenes egne tall? De har -jo -demonstrert at de ikke er i stand til Ã¥ skille lovlig og ulovlig -bruk av musikk.

Here is a short update on my my +Debian Lenny->Squeeze upgrade testing. Here is a summary of the +difference for Gnome when it is upgraded by apt-get and aptitude. I'm +not reporting the status for KDE, because the upgrade crashes when +aptitude try because of missing conflicts +(#584861 and +#585716).

+ +

At the end of the upgrade test script, dpkg -l is executed to get a +complete list of the installed packages. Based on this I see these +differences when I did a test run today. As usual, I do not really +know what the correct set of packages would be, but thought it best to +publish the difference.

+ +

Installed using apt-get, missing with aptitude

+ +

+ at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs + libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common + libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin + libgtksourceview-common libpt-1.10.10-plugins-alsa + libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java + libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip + python-4suite-xml python-eggtrayicon python-gtkhtml2 + python-gtkmozembed svgalibg1 xserver-xephyr zip +

+ +

Installed using apt-get, removed with aptitude

+ +

+ bluez-utils dhcdbd djvulibre-desktop epiphany-gecko + gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager + libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50 + libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3 + libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9 + libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3 + libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9 + libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2 + libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0 + libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0 + libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50 + libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10 + libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4 + libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5 + libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3 + libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8 + libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1 + libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj + libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3 + mysql-common swfdec-gnome totem-gstreamer wodim +

+ +

Installed using aptitude, missing with apt-get

+ +

+ gnome gnome-desktop-environment hamster-applet python-gnomeapplet + python-gnomekeyring python-wnck rhythmbox-plugins xorg + xserver-xorg-input-all xserver-xorg-input-evdev + xserver-xorg-input-kbd xserver-xorg-input-mouse + xserver-xorg-input-synaptics xserver-xorg-video-all + xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati + xserver-xorg-video-chips xserver-xorg-video-cirrus + xserver-xorg-video-dummy xserver-xorg-video-fbdev + xserver-xorg-video-glint xserver-xorg-video-i128 + xserver-xorg-video-i740 xserver-xorg-video-mach64 + xserver-xorg-video-mga xserver-xorg-video-neomagic + xserver-xorg-video-nouveau xserver-xorg-video-nv + xserver-xorg-video-r128 xserver-xorg-video-radeon + xserver-xorg-video-radeonhd xserver-xorg-video-rendition + xserver-xorg-video-s3 xserver-xorg-video-s3virge + xserver-xorg-video-savage xserver-xorg-video-siliconmotion + xserver-xorg-video-sis xserver-xorg-video-sisusb + xserver-xorg-video-tdfx xserver-xorg-video-tga + xserver-xorg-video-trident xserver-xorg-video-tseng + xserver-xorg-video-vesa xserver-xorg-video-vmware + xserver-xorg-video-voodoo +

+ +

Installed using aptitude, removed with apt-get

+ +

+ deskbar-applet xserver-xorg xserver-xorg-core + xserver-xorg-input-wacom xserver-xorg-video-intel + xserver-xorg-video-openchrome +

+ +

I was told on IRC that the xorg-xserver package was +changed +in git today to try to get apt-get to not remove xorg completely. +No idea when it hits Squeeze, but when it does I hope it will reduce +the difference somewhat.

MVA pÃ¥ bÃ¸ker med DRM, ikke MVA pÃ¥ bÃ¸ker uten DRM?

Wed, 23 Sep 2009 10:00:00 +0200

Elektroniske bÃ¸ker diskuteres for tiden, etter at -bokbransjen -hevder det er usikkert om de kommer til Ã¥ gi ut elektroniske -bÃ¸ker sÃ¥ lenge det er merverdiavgift pÃ¥ elektroniske bÃ¸ker og ikke -pÃ¥ papirbÃ¸ker. I den forbindelse sÃ¥ jeg et interessant forslag i -en -digi-debatt -jeg hadde sans for. "einarr" foreslo at DRM-infiserte elektroniske -bÃ¸ker bÃ¸r ha merverdiavgift, da "de ikke bidrar til -kunnskapsspredning pÃ¥ samme mÃ¥te" som papirbÃ¸ker og dermed gÃ¥r -imot intensjonene bak mva-fritaket. BÃ¸ker uten DRM derimot bÃ¸r ha -mva-fritak da de "kan overfÃ¸res mellom enheter, leses pÃ¥ ulike -plattformer, lÃ¥nes ut og siteres og kopieres fra" slik en kan med -papirbÃ¸ker.

- -

En oppfÃ¸lgerkommentar sier seg enig i dette, da DRM-infisert -materiale mÃ¥ anses som leid og dermed en tjeneste, mens materiale uten -DRM mÃ¥ anses som et kjÃ¸p.

For a laptop, centralized user directories and password checking is +a bit troubling. Laptops are typically used also when not connected +to the network, and it is vital for a user to be able to log in or +unlock the screen saver also when a central server is unavailable. +This is possible by caching passwords and directory information (user +and group attributes) locally, and the packages to do so are available +in Debian. Here follow two recipes to set this up in Debian/Squeeze. +It is also possible to set up in Debian/Lenny, but require more manual +setup there because pam-auth-update is missing in Lenny.

+ +

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

+ +This is the traditional method with a twist. The password caching is +provided by libpam-ccreds (version 10-4 or later is needed on +Squeeze), and the directory caching is done by nscd. The directory +lookup and password checking is done using LDAP. If one want to use +Kerberos for password checking the libpam-ldapd package can be +replaced with libpam-krb5 or libpam-heimdal. If one is happy having a +local home directory with the path listed in LDAP, one can use the +pam_mkhomedir module from pam-modules to make this happen instead of +using libpam-mklocaluser. A setup for pam-auth-update to enable +pam_mkhomedir will have to be written until a fix for +bug #568577 is in the +archive. Because I believe it is a bad idea to have local home +directories using misleading paths like /site/server/partition/, I +prefer to create a local user with the home directory in /home/. This +is done using the libpam-mklocaluser package.

+ +

These packages need to be installed and configured

+ +

+libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
+

+ +

The ldapd packages will ask for LDAP connection information, and +one have to fill in the values that fits ones own site. Make sure the +PAM part uses encrypted connections, to make sure the password is not +sent in clear text to the LDAP server. I've been unable to get TLS +certificate checking for a self signed certificate working, which make +LDAP authentication unsafe for Debian Edu (nslcd is not checking if it +is talking to the correct LDAP server), and very much welcome feedback +on how to get this working.

+ +

Because nscd do not have a default configuration fit for offline +caching until bug #485282 +is fixed, this configuration should be used instead of the one +currently in /etc/nscd.conf. The changes are in the fields +reload-count and positive-time-to-live, and is based on the +instructions I found in the +LDAP for Mobile Laptops +instructions by Flyn Computing.

+ +

+	debug-level		0
+	reload-count		unlimited
+	paranoia		no
+
+	enable-cache		passwd		yes
+	positive-time-to-live	passwd		2592000
+	negative-time-to-live	passwd		20
+	suggested-size		passwd		211
+	check-files		passwd		yes
+	persistent		passwd		yes
+	shared			passwd		yes
+	max-db-size		passwd		33554432
+	auto-propagate		passwd		yes
+
+	enable-cache		group		yes
+	positive-time-to-live	group		2592000
+	negative-time-to-live	group		20
+	suggested-size		group		211
+	check-files		group		yes
+	persistent		group		yes
+	shared			group		yes
+	max-db-size		group		33554432
+	auto-propagate		group		yes
+
+	enable-cache		hosts		no
+	positive-time-to-live	hosts		2592000
+	negative-time-to-live	hosts		20
+	suggested-size		hosts		211
+	check-files		hosts		yes
+	persistent		hosts		yes
+	shared			hosts		yes
+	max-db-size		hosts		33554432
+
+	enable-cache		services	yes
+	positive-time-to-live	services	2592000
+	negative-time-to-live	services	20
+	suggested-size		services	211
+	check-files		services	yes
+	persistent		services	yes
+	shared			services	yes
+	max-db-size		services	33554432
+

+ +

While we wait for a mechanism to update /etc/nsswitch.conf +automatically like the one provided in +bug #496915, the file +content need to be manually replaced to ensure LDAP is used as the +directory service on the machine. /etc/nsswitch.conf should normally +look like this:

+ +

+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks:       files
+protocols:      files
+services:       files
+ethers:         files
+rpc:            files
+netgroup:       files ldap
+

+ +

The important parts are that ldap is listed last for passwd, group, +shadow and netgroup.

+ +

With these changes in place, any user in LDAP will be able to log +in locally on the machine using for example kdm, get a local home +directory created and have the password as well as user and group +attributes cached. + +

LDAP/Kerberos + nss-updatedb + libpam-ccreds + + libpam-mklocaluser/pam_mkhomedir

+ +

Because nscd have had its share of problems, and seem to have +problems doing proper caching, I've seen suggestions and recipes to +use nss-updatedb to copy parts of the LDAP database locally when the +LDAP database is available. I have not tested such setup, because I +discovered sssd.

+ +

LDAP/Kerberos + sssd + libpam-mklocaluser

+ +

A more flexible and robust setup than the nscd combination +mentioned earlier that has shown up recently, is the +sssd package from Redhat. +It is part of the FreeIPA project +to provide a Active Directory like directory service for Linux +machines. The sssd system combines the caching of passwords and user +information into one package, and remove the need for nscd and +libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version +1.2 do not support netgroups, but it is said that it will support this +in version 1.5 expected to show up later in 2010. Because the +sssd package +was missing in Debian, I ended up co-maintaining it with Werner, and +version 1.2 is now in testing. + +

These packages need to be installed and configured to get the +roaming setup I want

+ +

+libpam-sss libnss-sss libpam-mklocaluser
+

+ +The complete setup of sssd is done by editing/creating +/etc/sssd/sssd.conf. + +

+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = INTERN
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+
+[domain/INTERN]
+enumerate = false
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldap://ldap
+ldap_search_base = dc=skole,dc=skolelinux,dc=no
+ldap_tls_reqcert = never
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+

+ +

I got the same problem here with certificate checking. Had to set +"ldap_tls_reqcert = never" to get it working.

+ +

With the libnss-sss package in testing at the moment, the +nsswitch.conf file is update automatically, so there is no need to +modify it manually.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

Sikkerhet til sjÃ¸s trenger sjÃ¸kart uten bruksbegresninger

Sun, 23 Aug 2009 10:00:00 +0200

Sikkerhet til sjÃ¸s burde vÃ¦re noe som opptar mange etter den siste -oljeutslippsulykken med Full City, som har drept mye liv langs sjÃ¸en. -En viktig faktor for Ã¥ bedre sikkerheten til sjÃ¸s er at alle som -ferdes pÃ¥ sjÃ¸en har tilgang til oppdaterte sjÃ¸kart som forteller hvor -det grunner og annet en mÃ¥ ta hensyn til pÃ¥ sjÃ¸en.

- -

Hvis en er enig i at tilgang til oppdaterte sjÃ¸kart er viktig for -sikkerheten pÃ¥ sjÃ¸en, sÃ¥ er det godt Ã¥ vite at det i dag er teknisk -mulig Ã¥ sikre alle enkel tilgang til oppdaterte digitale kart over -Internet. Det trenger heller ikke vÃ¦re spesielt kostbart.

- -

BÃ¥de ved Rocknes-ulykken i Vatlestraumen, der 18 mennesker mistet -livet, og ved Full City-ulykken utenfor Langesund, der mange tonn olje -lekket ut i havet, var det registrert problemer relatert til -oppdaterte sjÃ¸kart. Ved Rocknes-ulykken var de elektroniske kartene -som ble brukt ikke oppdatert med informasjon om nyoppdagede grunner og -losen kjente visst ikke til disse nye grunnene. Papirkartene var dog -oppdaterte. Ved Full City-ulykken hadde en kontroll av skipet noen -uker tidligere konstatert manglende sjÃ¸kart.

- -

Jeg tror en lÃ¸sning der digitale sjÃ¸kart kunne lastes ned direkte -fra sjÃ¸kartverket av alle som Ã¸nsket oppdaterte sjÃ¸kart, uten -brukerbetaling og uten bruksbegresninger knyttet til kartene, vil -gjÃ¸re at flere folk pÃ¥ sjÃ¸en vil holde seg med oppdaterte sjÃ¸kart, -eller sjÃ¸kart i det hele tatt. Resultatet av dette vil vÃ¦re Ã¸kt -sikkerhet pÃ¥ sjÃ¸en. En undersÃ¸kelse gjennomfÃ¸rt av Opinion for -Gjensidige i 2008 fortalte at halvparten av alle bÃ¥teierne i landet -ikke har sjÃ¸kart i bÃ¥ten.

- -

Formatet pÃ¥ de digitale sjÃ¸kartene som gjÃ¸rÃ¦s tilgjengelig fra -sjÃ¸kartverket mÃ¥ vÃ¦re i henhold til en fri og Ã¥pen standard, slik at -en ikke er lÃ¥st til enkeltaktÃ¸rers godvilje nÃ¥r datafilene skal tolkes -og forstÃ¥s, men trenger ikke publiseres fra sjÃ¸kartverket i alle -formatene til verdens skips-GPS-er i tillegg. Hvis det ikke er -kostbart for sjÃ¸kartverket bÃ¸r de gjerne gjÃ¸re det selv, men slik -konvertering kan andre ta seg av hvis det er et marked for det.

- -

Hvis staten mener alvor med Ã¥ forbedre sikkerheten til sjÃ¸s, mÃ¥ de -gjÃ¸re sitt for at alle bÃ¥teiere har oppdaterte kart, ikke bare snakke -om hvor viktig det er at de har oppdaterte kart. Det bÃ¸r vÃ¦re -viktigere for staten at bÃ¥tene har oppdaterte kart -enn at de er pÃ¥lagt Ã¥ ha oppdaterte kart.

- -

SjÃ¸kartene er tilgjengelig pÃ¥ web -fra kystverket, men sÃ¥ vidt jeg har klart Ã¥ finne, uten -bruksvilkÃ¥r som muliggjÃ¸r gjenbruk uten bruksbegresninger.

- -

OpenStreetmap.org-folk er lei av mangel pÃ¥ sjÃ¸kart, og har startet -pÃ¥ et dugnadsbasert fribrukskart for havet, -OpenSeaMap. Datagrunnlaget er -OpenStreetmap, mens framvisningen er tilpasset bruk pÃ¥ sjÃ¸en. Det -gjenstÃ¥r mye fÃ¸r en kan bruke dette til Ã¥ seile sikkert pÃ¥ havet, men -det viser at behovet for fribruks-sjÃ¸kart er til stedet.

The last few days I have been looking into the status of the LDAP +directory in Debian Edu, and in the process I started to miss a GUI +tool to browse the LDAP tree. The only one I was able to find in +Debian/Squeeze and Lenny is +LUMA, which has proved to +be a great tool to get a overview of the current LDAP directory +populated by default in Skolelinux. Thanks to it, I have been able to +find empty and obsolete subtrees, misplaced objects and duplicate +objects. It will be installed by default in Debian/Squeeze. If you +are working with LDAP, give it a go. :)

+ +

I did notice one problem with it I have not had time to report to +the BTS yet. There is no .desktop file in the package, so the tool do +not show up in the Gnome and KDE menus, but only deep down in in the +Debian submenu in KDE. I hope that can be fixed before Squeeze is +released.

+ +

I have not yet been able to get it to modify the tree yet. I would +like to move objects and remove subtrees directly in the GUI, but have +not found a way to do that with LUMA yet. So in the mean time, I use +ldapvi for that.

+ +

If you have tips on other GUI tools for LDAP that might be useful +in Debian Edu, please contact us on debian-edu@lists.debian.org.

+ +

Update 2010-06-29: Ross Reedstrom tipped us about the +gq package as a +useful GUI alternative. It seem like a good tool, but is unmaintained +in Debian and got a RC bug keeping it out of Squeeze. Unless that +changes, it will not be an option for Debian Edu based on Squeeze.

Relative popularity of document formats (MS Office vs. ODF)

Wed, 12 Aug 2009 15:50:00 +0200

Just for fun, I did a search right now on Google for a few file ODF -and MS Office based formats (not to be mistaken for ISO or ECMA -OOXML), to get an idea of their relative usage. I searched using -'filetype:odt' and equvalent terms, and got these results:

- - - - - - -

Type	ODF	MS Office
Tekst	odt:282000	docx:308000
Presentasjon	odp:75600	pptx:183000
Regneark	ods:26500	xlsx:145000

- -

Next, I added a 'site:no' limit to get the numbers for Norway, and -got these numbers:

- - - - - - -

Type	ODF	MS Office
Tekst	odt:2480	docx:4460
Presentasjon	odp:299	pptx:741
Regneark	ods:187	xlsx:372

- -

I wonder how these numbers change over time.

- -

I am aware of Google returning different results and numbers based -on where the search is done, so I guess these numbers will differ if -they are conduced in another country. Because of this, I did the same -search from a machine in California, USA, a few minutes after the -search done from a machine here in Norway.

- - - - - - - -

Type	ODF	MS Office
Tekst	odt:129000	docx:308000
Presentasjon	odp:44200	pptx:93900
Regneark	ods:26500	xlsx:82400

- -

And with 'site:no': - -

- - - - -

Type	ODF	MS Office
Tekst	odt:2480	docx:3410
Presentasjon	odp:175	pptx:604
Regneark	ods:186	xlsx:296

- -

Interesting difference, not sure what to conclude from these -numbers.

A while back, I +complained +about the fact that it is not possible with the provided schemas +for storing DNS and DHCP information in LDAP to combine the two sets +of information into one LDAP object representing a computer.

+ +

In the mean time, I discovered that a simple fix would be to make +the dhcpHost object class auxiliary, to allow it to be combined with +the dNSDomain object class, and thus forming one object for one +computer when storing both DHCP and DNS information in LDAP.

+ +

If I understand this correctly, it is not safe to do this change +without also changing the assigned number for the object class, and I +do not know enough about LDAP schema design to do that properly for +Debian Edu.

+ +

Anyway, for future reference, this is how I believe we could change +the +DHCP +schema to solve at least part of the problem with the LDAP schemas +available today from IETF.

+ +

+--- dhcp.schema    (revision 65192)
++++ dhcp.schema    (working copy)
+@@ -376,7 +376,7 @@
+ objectclass ( 2.16.840.1.113719.1.203.6.6
+        NAME 'dhcpHost'
+        DESC 'This represents information about a particular client'
+-       SUP top
++       SUP top AUXILIARY
+        MUST cn
+        MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
+        X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
+

+ +

I very much welcome clues on how to do this properly for Debian +Edu/Squeeze. We provide the DHCP schema in our debian-edu-config +package, and should thus be free to rewrite it as we see fit.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

ISO still hope to fix OOXML

Sat, 8 Aug 2009 14:00:00 +0200

According to a -blog post from Torsten Werner, the current defect report for ISO -29500 (ISO OOXML) is 809 pages. His interesting point is that the -defect report is 71 pages more than the full ODF 1.1 specification. -Personally I find it more interesting that ISO still believe ISO OOXML -can be fixed in ISO. Personally, I believe it is broken beyon repair, -and I completely lack any trust in ISO for being able to get anywhere -close to solving the problems. I was part of the Norwegian committee -involved in the OOXML fast track process, and was not impressed with -Standard Norway and ISO in how they handled it.

- -

These days I focus on ODF instead, which seem like a specification -with the future ahead of it. We are working in NUUG to organise a ODF -seminar this autumn.

A few times I have had the need to simulate the way tasksel +installs packages during the normal debian-installer run. Until now, +I have ended up letting tasksel do the work, with the annoying problem +of not getting any feedback at all when something fails (like a +conffile question from dpkg or a download that fails), using code like +this: + +

+export DEBIAN_FRONTEND=noninteractive
+tasksel --new-install
+

+ +This would invoke tasksel, let its automatic task selection pick the +tasks to install, and continue to install the requested tasks without +any output what so ever. + +Recently I revisited this problem while working on the automatic +package upgrade testing, because tasksel would some times hang without +any useful feedback, and I want to see what is going on when it +happen. Then it occured to me, I can parse the output from tasksel +when asked to run in test mode, and use that aptitude command line +printed by tasksel then to simulate the tasksel run. I ended up using +code like this: + +

+export DEBIAN_FRONTEND=noninteractive
+cmd="$(in_target tasksel -t --new-install | sed 's/debconf-apt-progress -- //')"
+$cmd
+

+ +

The content of $cmd is typically something like "aptitude -q +--without-recommends -o APT::Install-Recommends=no -y install +~t^desktop$ ~t^gnome-desktop$ ~t^laptop$ ~pstandard ~prequired +~pimportant", which will install the gnome desktop task, the +laptop task and all packages with priority standard , required and +important, just like tasksel would have done it during +installation.

+ +

A better approach is probably to extend tasksel to be able to +install packages without using debconf-apt-progress, for use cases +like this.

Debian has switched to dependency based boot sequencing

Mon, 27 Jul 2009 23:50:00 +0200

Since this evening, with the upload of sysvinit version 2.87dsf-2, -and the upload of insserv version 1.12.0-10 yesterday, Debian unstable -have been migrated to using dependency based boot sequencing. This -conclude work me and others have been doing for the last three days. -It feels great to see this finally part of the default Debian -installation. Now we just need to weed out the last few problems that -are bound to show up, to get everything ready for Squeeze.

- -

The next step is migrating /sbin/init from sysvinit to upstart, and -fixing the more fundamental problem of handing the event based -non-predictable kernel in the early boot.

Dagbladet +melder at Vinmonopolet med bakgrunn i vekterstreiken som pÃ¥gÃ¥r i +Norge for tiden, har bestemt seg for med vitende og vilje Ã¥ bryte +sentralbanklovens paragraf 14 ved Ã¥ nekte folk Ã¥ betale med +kontanter, og at flere butikker planlegger Ã¥ fÃ¸lge deres eksempel. +Jeg synes det er hÃ¥rreisende hvis de slipper unna med et slikt +soleklart lovbrudd, og lurer pÃ¥ hva slags muligheter jeg vil ha hvis +jeg blir nektet Ã¥ handle med kontanter. Jeg handler i hovedsak med +kontanter selv, da jeg anser det som en borgerrett Ã¥ kunne handle +anonymt uten at det blir registrert. For meg er det et angrep pÃ¥ mitt +personvern Ã¥ nekte Ã¥ ta imot kontant betaling.

+ +

Paragrafen +i sentralbankloven lyder:

+ +

+
Â§ 14. Tvungent betalingsmiddel
+ +
Bankens sedler og mynter er tvungent betalingsmiddel i Norge. Ingen +er pliktig til i Ã©n betaling Ã¥ ta imot mer enn femogtyve mynter av +hver enhet.
+ +
Sterkt skadde sedler og mynter er ikke tvungent +betalingsmiddel. Banken gir nÃ¦rmere forskrifter om erstatning for +bortkomne, brente eller skadde sedler og mynter.
+ +
Selv om en avtale inneholder klausul om betaling av en +pengeforpliktelse i gullverdi, kan skyldneren frigjÃ¸re seg med tvungne +betalingsmidler uten hensyn til denne klausul.
+

+ +

Det er med bakgrunn i denne lovet ikke tillatt Ã¥ nekte Ã¥ ta imot +kontakt betaling. Det er en lov jeg har sans for, og som jeg mener mÃ¥ +hÃ¥ndheves strengt.

Taking over sysvinit development

Wed, 22 Jul 2009 23:00:00 +0200

After several years of frustration with the lack of activity from -the existing sysvinit upstream developer, I decided a few weeks ago to -take over the package and become the new upstream. The number of -patches to track for the Debian package was becoming a burden, and the -lack of synchronization between the distribution made it hard to keep -the package up to date.

- -

On the new sysvinit team is the SuSe maintainer Dr. Werner Fink, -and my Debian co-maintainer Kel Modderman. About 10 days ago, I made -a new upstream tarball with version number 2.87dsf (for Debian, SuSe -and Fedora), based on the patches currently in use in these -distributions. We Debian maintainers plan to move to this tarball as -the new upstream as soon as we find time to do the merge. Since the -new tarball was created, we agreed with Werner at SuSe to make a new -upstream project at Savannah, and continue -development there. The project is registered and currently waiting -for approval by the Savannah administrators, and as soon as it is -approved, we will import the old versions from svn and continue -working on the future release.

- -

It is a bit ironic that this is done now, when some of the involved -distributions are moving to upstart as a syvinit replacement.

For those of us caring about document exchange and +interoperability, OfficeShots +is a great service. It is to ODF documents what +BrowserShots is for web +pages.

+ +

A while back, I was contacted by Knut Yrvin at the part of Nokia +that used to be Trolltech, who wanted to help the OfficeShots project +and wondered if the University of Oslo where I work would be +interested in supporting the project. I helped him to navigate his +request to the right people at work, and his request was answered with +a spot in the machine room with power and network connected, and Knut +arranged funding for a machine to fill the spot. The machine is +administrated by the OfficeShots people, so I do not have daily +contact with its progress, and thus from time to time check back to +see how the project is doing.

+ +

Today I had a look, and was happy to see that the Dell box in our +machine room now is the host for several virtual machines running as +OfficeShots factories, and the project is able to render ODF documents +in 17 different document processing implementation on Linux and +Windows. This is great.