Petter Reinholdtsen

PÃ¥ vegne av vanvitting mange, Aftenposten!

Sat, 6 Mar 2010 21:15:00 +0100

Aftenposten -melder pÃ¥ forsiden av webavisen sin at de tror Erling Fossen -provoserer nordledinger med sine uttalelser pÃ¥ -fotballtinget. Jeg er utflyttet nordlending, og mÃ¥ innrÃ¸mme at jeg -ikke kjennet sÃ¥ mye som et snev av provokasjon fra denne litt morsomme -uttalelsen til Hr. Fossen. Lurer pÃ¥ om Aftenposten har noen kilder -utenom redaksjonen for sin pÃ¥stand om at nordledinger er provosert av -Hr. Fossen. MÃ¥ innrÃ¸mme at jeg tviler pÃ¥ det.

- -

Det hele bringer tankene tilbake til Sture Hansen i Hallo i Uken.

Vagrant mentioned on IRC today that ltsp_config now support +sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin +clients, and that this can be used to fetch configuration from LDAP if +Debian Edu choose to store configuration there.

+ +

Armed with this information, I got inspired and wrote a test module +to get configuration from LDAP. The idea is to look up the MAC +address of the client in LDAP, and look for attributes on the form +ltspconfigsetting=value, and use this to export SETTING=value to the +LTSP clients.

+ +

The goal is to be able to store the LTSP configuration attributes +in a "computer" LDAP object used by both DNS and DHCP, and thus +allowing us to store all information about a computer in one place.

+ +

This is a untested draft implementation, and I welcome feedback on +this approach. A real LDAP schema for the ltspClientAux objectclass +need to be written. Comments, suggestions, etc?

+ +

+# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
+#
+# Fetch LTSP client settings from LDAP based on MAC address
+#
+# Uses ethernet address as stored in the dhcpHost objectclass using
+# the dhcpHWAddress attribute or ethernet address stored in the
+# ieee802Device objectclass with the macAddress attribute.
+#
+# This module is written to be schema agnostic, and only depend on the
+# existence of attribute names.
+#
+# The LTSP configuration variables are saved directly using a
+# ltspConfig prefix and uppercasing the rest of the attribute name.
+# To set the SERVER variable, set the ltspConfigServer attribute.
+#
+# Some LDAP schema should be created with all the relevant
+# configuration settings.  Something like this should work:
+# 
+# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
+#     SUP top
+#     AUXILIARY
+#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )
+
+LDAPSERVER=$(debian-edu-ldapserver)
+if [ "$LDAPSERVER" ] ; then
+    LDAPBASE=$(debian-edu-ldapserver -b)
+    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do
+	filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))"
+	ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \
+	    grep '^ltspConfig' | while read attr value ; do
+	    # Remove prefix and convert to upper case
+	    attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z)
+	    # bass value on to clients
+	    eval "$attr=$value; export $attr"
+	done
+    done
+fi
+

+ +

I'm not sure this shell construction will work, because I suspect +the while block might end up in a subshell causing the variables set +there to not show up in ltsp-config, but if that is the case I am sure +the code can be restructured to make sure the variables are passed on. +I expect that can be solved with some testing. :)

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

After 6 years of waiting, the Xreset.d feature is implemented

Sat, 6 Mar 2010 18:15:00 +0100

6 years ago, as part of the Debian Edu development I am involved -in, I asked for a hook in the kdm and gdm setup to run scripts as root -when the user log out. A bug was submitted against the xfree86-common -package in 2004 (#230422), -and revisited every time Debian Edu was working on a new release. -Today, this finally paid off.

- -

The framework for this feature was today commited to the git -repositry for the xorg package, and the git repository for xdm has -been updated to use this framework. Next on my agenda is to make sure -kdm and gdm also add code to use this framework.

- -

In Debian Edu, we want to ability to run commands as root when the -user log out, to get rid of runaway processes and do general cleanup -after a user. With this framework in place, we finally can do that in -a generic way that work with all display managers using this -framework. My goal is to get all display managers in Debian use it, -similar to how they use the Xsession.d framework today.

Since +my +last post about available LDAP tools in Debian, I was told about a +LDAP GUI that is even better than luma. The java application +jXplorer is claimed to be capable of +moving LDAP objects and subtrees using drag-and-drop, and can +authenticate using Kerberos. I have only tested the Kerberos +authentication, but do not have a LDAP setup allowing me to rewrite +LDAP with my test user yet. It is +available in +Debian testing and unstable at the moment. The only problem I +have with it is how it handle errors. If something go wrong, its +non-intuitive behaviour require me to go through some query work list +and remove the failing query. Nothing big, but very annoying.

Digitale bÃ¸ker uten digitale restriksjonsmekanismer (DRM) bÃ¸r fÃ¥ mva-fritak

Wed, 3 Mar 2010 19:00:00 +0100

Den norske bokbransjen har -bedt om at -digitale bÃ¸ker mÃ¥ fÃ¥ mva-fritak slik papirbÃ¸ker har det, og -finansdepartementet -har sagt nei. Det er et interessant spÃ¸rsmÃ¥l om digitale bÃ¸ker -bÃ¸r ha mva-fritak eller ikke, og svaret er ikke sÃ¥ enkelt som et ja -eller nei. -Enkelte -medlemmer av bokbransjen truer med Ã¥ droppe den planlagte -lanseringen av norske digitale bÃ¸ker med digitale restriksjonsmekanismer -(DRM) som de har snakket om Ã¥ gjennomfÃ¸re nÃ¥ i vÃ¥r, og det mÃ¥ de -gjerne gjÃ¸re for min del.

- -

PapirbÃ¸ker har mva-fritak pga. at de fremmer kultur- og -kunnskapsspredning. Digitale bÃ¸ker uten digitale -restriksjonsmekanismer (DRM) fremmer kultur- og kunnskapsspredning, -mens digitale bÃ¸ker med DRM hindrer kultur og kunnskapsspredning. -Digitale bÃ¸ker uten DRM bÃ¸r fÃ¥ mva-fritak da det er salg av bÃ¸ker pÃ¥ -lik linje med salg av papirbÃ¸ker, mens digitale bÃ¸ker med DRM ikke bÃ¸r -fÃ¥ det da det er utleie av bÃ¸ker og ikke salg.

- -

Jeg foretrekker Ã¥ kjÃ¸pe bÃ¸ker, og velger dermed Ã¥ la vÃ¦re Ã¥ bruke -DRM-belastede digitale bÃ¸ker. Vet ikke helt hva jeg ville vÃ¦re villig -til Ã¥ betale for Ã¥ leie en bok, men tror ikke det er mange kronene. -Heldigvis er det mye bÃ¸ker tilgjengelig uten slike restriksjoner, og -de som vil ha tak i engelske bÃ¸ker kan laste ned bÃ¸ker som er -tilgjengelig uten bruksbegresninger fra The -Internet Archive. Der er det pr. i dag 1 889 313 bÃ¸ker -tilgjengelig. De er tilgjengelig i flere formater. BesÃ¸k -oversikten over tekster -der for Ã¥ se hva de har. +

De siste dagene har Aftenposten +fortalt +hvordan +politet har brukt skriveverktÃ¸y som ikke hÃ¥ndterer arabisk tekst og +tekst som skal skrives fra hÃ¸yre mot venstre nÃ¥r de har laget +lÃ¸peseddel for Ã¥ be om informasjon fra publikum. Resultatet har vÃ¦rt +en uleselig arabisk-bit pÃ¥ lÃ¸peseddelen. Feilen har oppstÃ¥tt nÃ¥r +teksten har blitt "kopiert inn i programvare som ikke har stÃ¸tte for +sprÃ¥k som skrives fra hÃ¸yre mot venstre", og jeg er ganske sikker pÃ¥ +at det er snakk om Microsoft Office i dette tilfellet. Er det slik at +MS Office i norsk sprÃ¥kdrakt ikke har stÃ¸tte for tekst som skal +skrives fra hÃ¸yre mot venstre? Jeg tror alle utgaver av +OpenOffice.org har slik stÃ¸tte, og det er jo ikke veldig vanskelig Ã¥ +la slik stÃ¸tte finnes i alle utgaver av et program hvis stÃ¸tten fÃ¸rst +er utviklet. Aftenpostens melding fÃ¥r meg til Ã¥ undre om problemet +ville vÃ¦rt unngÃ¥tt hvis politiet brukte OpenOffice.org i stedet for MS +Office.

+ +

Mon tro om det er flere eksempler pÃ¥ at MS Office har Ã¸delagt for +offentlig myndighet?

Debian Edu / Skolelinux based on Lenny released, work continues

Thu, 11 Feb 2010 17:15:00 +0100

On Tuesday, the Debian/Lenny based version of -Skolelinux was finally -shipped. This was a major leap forward for the project, and I am very -pleased that we finally got the release wrapped up. Work on the first -point release starts imediately, as we plan to get that one out a -month after the major release, to include all fixes for bugs we found -and fixed too late in the release process to include last Tuesday.

- -

Perhaps it even is time for some partying?

- -

After this first point release, my plan is to focus again on the -next major release, based on Squeeze. We will try to get as many of -the fixes we need into the official Debian packages before the freeze, -and have just a few weeks or months to make it happen.

Here is a short update on my my +Debian Lenny->Squeeze upgrade testing. Here is a summary of the +difference for Gnome when it is upgraded by apt-get and aptitude. I'm +not reporting the status for KDE, because the upgrade crashes when +aptitude try because of missing conflicts +(#584861 and +#585716).

+ +

At the end of the upgrade test script, dpkg -l is executed to get a +complete list of the installed packages. Based on this I see these +differences when I did a test run today. As usual, I do not really +know what the correct set of packages would be, but thought it best to +publish the difference.

+ +

Installed using apt-get, missing with aptitude

+ +

+ at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs + libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common + libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin + libgtksourceview-common libpt-1.10.10-plugins-alsa + libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java + libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip + python-4suite-xml python-eggtrayicon python-gtkhtml2 + python-gtkmozembed svgalibg1 xserver-xephyr zip +

+ +

Installed using apt-get, removed with aptitude

+ +

+ bluez-utils dhcdbd djvulibre-desktop epiphany-gecko + gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager + libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50 + libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3 + libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9 + libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3 + libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9 + libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2 + libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0 + libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0 + libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50 + libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10 + libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4 + libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5 + libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3 + libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8 + libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1 + libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj + libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3 + mysql-common swfdec-gnome totem-gstreamer wodim +

+ +

Installed using aptitude, missing with apt-get

+ +

+ gnome gnome-desktop-environment hamster-applet python-gnomeapplet + python-gnomekeyring python-wnck rhythmbox-plugins xorg + xserver-xorg-input-all xserver-xorg-input-evdev + xserver-xorg-input-kbd xserver-xorg-input-mouse + xserver-xorg-input-synaptics xserver-xorg-video-all + xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati + xserver-xorg-video-chips xserver-xorg-video-cirrus + xserver-xorg-video-dummy xserver-xorg-video-fbdev + xserver-xorg-video-glint xserver-xorg-video-i128 + xserver-xorg-video-i740 xserver-xorg-video-mach64 + xserver-xorg-video-mga xserver-xorg-video-neomagic + xserver-xorg-video-nouveau xserver-xorg-video-nv + xserver-xorg-video-r128 xserver-xorg-video-radeon + xserver-xorg-video-radeonhd xserver-xorg-video-rendition + xserver-xorg-video-s3 xserver-xorg-video-s3virge + xserver-xorg-video-savage xserver-xorg-video-siliconmotion + xserver-xorg-video-sis xserver-xorg-video-sisusb + xserver-xorg-video-tdfx xserver-xorg-video-tga + xserver-xorg-video-trident xserver-xorg-video-tseng + xserver-xorg-video-vesa xserver-xorg-video-vmware + xserver-xorg-video-voodoo +

+ +

Installed using aptitude, removed with apt-get

+ +

+ deskbar-applet xserver-xorg xserver-xorg-core + xserver-xorg-input-wacom xserver-xorg-video-intel + xserver-xorg-video-openchrome +

+ +

I was told on IRC that the xorg-xserver package was +changed +in git today to try to get apt-get to not remove xorg completely. +No idea when it hits Squeeze, but when it does I hope it will reduce +the difference somewhat.

Danmark gÃ¥r for ODF?

Fri, 29 Jan 2010 12:00:00 +0100

Ble nettopp gjort oppmerksom pÃ¥ en -nyhet fra Version2 -fra Danmark, der det hevdes at Folketinget har vedtatt at ODF skal -brukes som dokumentutvekslingsformat i Staten.

- -

Hyggelig lesning, spesielt hvis det viser seg at de av vedtatt -kravlisten for hva som skal aksepteres som referert i kommentarfeltet -til artikkelen og -en -annen artikkel i samme nett-avis. Liker spesielt godt denne:

- -

Det skal demonstreres, at standarden i sin helhed kan -implementeres af alle direkte i sin helhed pÃ¥ flere -platforme.

- -

Noe slikt burde vÃ¦re et krav ogsÃ¥ i Norge.

For a laptop, centralized user directories and password checking is +a bit troubling. Laptops are typically used also when not connected +to the network, and it is vital for a user to be able to log in or +unlock the screen saver also when a central server is unavailable. +This is possible by caching passwords and directory information (user +and group attributes) locally, and the packages to do so are available +in Debian. Here follow two recipes to set this up in Debian/Squeeze. +It is also possible to set up in Debian/Lenny, but require more manual +setup there because pam-auth-update is missing in Lenny.

+ +

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

+ +This is the traditional method with a twist. The password caching is +provided by libpam-ccreds (version 10-4 or later is needed on +Squeeze), and the directory caching is done by nscd. The directory +lookup and password checking is done using LDAP. If one want to use +Kerberos for password checking the libpam-ldapd package can be +replaced with libpam-krb5 or libpam-heimdal. If one is happy having a +local home directory with the path listed in LDAP, one can use the +pam_mkhomedir module from pam-modules to make this happen instead of +using libpam-mklocaluser. A setup for pam-auth-update to enable +pam_mkhomedir will have to be written until a fix for +bug #568577 is in the +archive. Because I believe it is a bad idea to have local home +directories using misleading paths like /site/server/partition/, I +prefer to create a local user with the home directory in /home/. This +is done using the libpam-mklocaluser package.

+ +

These packages need to be installed and configured

+ +

+libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
+

+ +

The ldapd packages will ask for LDAP connection information, and +one have to fill in the values that fits ones own site. Make sure the +PAM part uses encrypted connections, to make sure the password is not +sent in clear text to the LDAP server. I've been unable to get TLS +certificate checking for a self signed certificate working, which make +LDAP authentication unsafe for Debian Edu (nslcd is not checking if it +is talking to the correct LDAP server), and very much welcome feedback +on how to get this working.

+ +

Because nscd do not have a default configuration fit for offline +caching until bug #485282 +is fixed, this configuration should be used instead of the one +currently in /etc/nscd.conf. The changes are in the fields +reload-count and positive-time-to-live, and is based on the +instructions I found in the +LDAP for Mobile Laptops +instructions by Flyn Computing.

+ +

+	debug-level		0
+	reload-count		unlimited
+	paranoia		no
+
+	enable-cache		passwd		yes
+	positive-time-to-live	passwd		2592000
+	negative-time-to-live	passwd		20
+	suggested-size		passwd		211
+	check-files		passwd		yes
+	persistent		passwd		yes
+	shared			passwd		yes
+	max-db-size		passwd		33554432
+	auto-propagate		passwd		yes
+
+	enable-cache		group		yes
+	positive-time-to-live	group		2592000
+	negative-time-to-live	group		20
+	suggested-size		group		211
+	check-files		group		yes
+	persistent		group		yes
+	shared			group		yes
+	max-db-size		group		33554432
+	auto-propagate		group		yes
+
+	enable-cache		hosts		no
+	positive-time-to-live	hosts		2592000
+	negative-time-to-live	hosts		20
+	suggested-size		hosts		211
+	check-files		hosts		yes
+	persistent		hosts		yes
+	shared			hosts		yes
+	max-db-size		hosts		33554432
+
+	enable-cache		services	yes
+	positive-time-to-live	services	2592000
+	negative-time-to-live	services	20
+	suggested-size		services	211
+	check-files		services	yes
+	persistent		services	yes
+	shared			services	yes
+	max-db-size		services	33554432
+

+ +

While we wait for a mechanism to update /etc/nsswitch.conf +automatically like the one provided in +bug #496915, the file +content need to be manually replaced to ensure LDAP is used as the +directory service on the machine. /etc/nsswitch.conf should normally +look like this:

+ +

+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks:       files
+protocols:      files
+services:       files
+ethers:         files
+rpc:            files
+netgroup:       files ldap
+

+ +

The important parts are that ldap is listed last for passwd, group, +shadow and netgroup.

+ +

With these changes in place, any user in LDAP will be able to log +in locally on the machine using for example kdm, get a local home +directory created and have the password as well as user and group +attributes cached. + +

LDAP/Kerberos + nss-updatedb + libpam-ccreds + + libpam-mklocaluser/pam_mkhomedir

+ +

Because nscd have had its share of problems, and seem to have +problems doing proper caching, I've seen suggestions and recipes to +use nss-updatedb to copy parts of the LDAP database locally when the +LDAP database is available. I have not tested such setup, because I +discovered sssd.

+ +

LDAP/Kerberos + sssd + libpam-mklocaluser

+ +

A more flexible and robust setup than the nscd combination +mentioned earlier that has shown up recently, is the +sssd package from Redhat. +It is part of the FreeIPA project +to provide a Active Directory like directory service for Linux +machines. The sssd system combines the caching of passwords and user +information into one package, and remove the need for nscd and +libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version +1.2 do not support netgroups, but it is said that it will support this +in version 1.5 expected to show up later in 2010. Because the +sssd package +was missing in Debian, I ended up co-maintaining it with Werner, and +version 1.2 is now in testing. + +

These packages need to be installed and configured to get the +roaming setup I want

+ +

+libpam-sss libnss-sss libpam-mklocaluser
+

+ +The complete setup of sssd is done by editing/creating +/etc/sssd/sssd.conf. + +

+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = INTERN
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+
+[domain/INTERN]
+enumerate = false
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldap://ldap
+ldap_search_base = dc=skole,dc=skolelinux,dc=no
+ldap_tls_reqcert = never
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+

+ +

I got the same problem here with certificate checking. Had to set +"ldap_tls_reqcert = never" to get it working.

+ +

With the libnss-sss package in testing at the moment, the +nsswitch.conf file is update automatically, so there is no need to +modify it manually.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

Automatic Munin and Nagios configuration

Wed, 27 Jan 2010 15:15:00 +0100

One of the new features in the next Debian/Lenny based release of -Debian Edu/Skolelinux, which is scheduled for release in the next few -days, is automatic configuration of the service monitoring system -Nagios. The previous release had automatic configuration of trend -analysis using Munin, and this Lenny based release take that a step -further.

- -

When installing a Debian Edu Main-server, it is automatically -configured as a Munin and Nagios server. In addition, it is -configured to be a server for the -SiteSummary -system I have written for use in Debian Edu. The SiteSummary -system is inspired by a system used by the University of Oslo where I -work. In short, the system provide a centralised collector of -information about the computers on the network, and a client on each -computer submitting information to this collector. This allow for -automatic information on which packages are installed on each machine, -which kernel the machines are using, what kind of configuration the -packages got etc. This also allow us to automatically generate Munin -and Nagios configuration.

- -

All computers reporting to the sitesummary collector with the -munin-node package installed is automatically enabled as a Munin -client and graphs from the statistics collected from that machine show -up automatically on http://www/munin/ on the Main-server.

- -

All non-laptop computers reporting to the sitesummary collector are -automatically monitored for network presence (ping and any network -services detected). In addition, all computers (also laptops) with -the nagios-nrpe-server package installed and configured the way -sitesummary would configure it, are monitored for full disks, software -raid status, swap free and other checks that need to run locally on -the machine.

- -

The result is that the administrator on a school using Debian Edu -based on Lenny will be able to check the health of his installation -with one look at the Nagios settings, without having to spend any time -keeping the Nagios configuration up-to-date.

- -

The only configuration one need to do to get Nagios up and running -is to set the password used to get access via HTTP. The system -administrator need to run "htpasswd /etc/nagios3/htpasswd.users -nagiosadmin" to create a nagiosadmin user and set a password for -it to be able to log into the Nagios web pages. After that, -everything is taken care of.

The last few days I have been looking into the status of the LDAP +directory in Debian Edu, and in the process I started to miss a GUI +tool to browse the LDAP tree. The only one I was able to find in +Debian/Squeeze and Lenny is +LUMA, which has proved to +be a great tool to get a overview of the current LDAP directory +populated by default in Skolelinux. Thanks to it, I have been able to +find empty and obsolete subtrees, misplaced objects and duplicate +objects. It will be installed by default in Debian/Squeeze. If you +are working with LDAP, give it a go. :)

+ +

I did notice one problem with it I have not had time to report to +the BTS yet. There is no .desktop file in the package, so the tool do +not show up in the Gnome and KDE menus, but only deep down in in the +Debian submenu in KDE. I hope that can be fixed before Squeeze is +released.

+ +

I have not yet been able to get it to modify the tree yet. I would +like to move objects and remove subtrees directly in the GUI, but have +not found a way to do that with LUMA yet. So in the mean time, I use +ldapvi for that.

+ +

If you have tips on other GUI tools for LDAP that might be useful +in Debian Edu, please contact us on debian-edu@lists.debian.org.

+ +

Update 2010-06-29: Ross Reedstrom tipped us about the +gq package as a +useful GUI alternative. It seem like a good tool, but is unmaintained +in Debian and got a RC bug keeping it out of Squeeze. Unless that +changes, it will not be an option for Debian Edu based on Squeeze.

Sikkerhet, teater, og hvordan gjÃ¸re verden sikrere

Wed, 30 Dec 2009 16:35:00 +0100

Via Slashdot fant jeg en -nydelig -kommentar fra Bruce Schneier som ble publisert hos CNN i gÃ¥r. Den -forklarer forbilledlig hvorfor sikkerhetsteater og innfÃ¸ring av -totalitÃ¦re politistatmetoder ikke er lÃ¸sningen for Ã¥ gjÃ¸re verden -sikrere. Anbefales pÃ¥ det varmeste.

- -

Oppdatering: Kom over -nok -en kommentar om den manglende effekten av dagens sikkerhetsteater -pÃ¥ flyplassene.

A while back, I +complained +about the fact that it is not possible with the provided schemas +for storing DNS and DHCP information in LDAP to combine the two sets +of information into one LDAP object representing a computer.

+ +

In the mean time, I discovered that a simple fix would be to make +the dhcpHost object class auxiliary, to allow it to be combined with +the dNSDomain object class, and thus forming one object for one +computer when storing both DHCP and DNS information in LDAP.

+ +

If I understand this correctly, it is not safe to do this change +without also changing the assigned number for the object class, and I +do not know enough about LDAP schema design to do that properly for +Debian Edu.

+ +

Anyway, for future reference, this is how I believe we could change +the +DHCP +schema to solve at least part of the problem with the LDAP schemas +available today from IETF.

+ +

+--- dhcp.schema    (revision 65192)
++++ dhcp.schema    (working copy)
+@@ -376,7 +376,7 @@
+ objectclass ( 2.16.840.1.113719.1.203.6.6
+        NAME 'dhcpHost'
+        DESC 'This represents information about a particular client'
+-       SUP top
++       SUP top AUXILIARY
+        MUST cn
+        MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
+        X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
+

+ +

I very much welcome clues on how to do this properly for Debian +Edu/Squeeze. We provide the DHCP schema in our debian-edu-config +package, and should thus be free to rewrite it as we see fit.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

Opphavet til Skolelinux-prosjektet

Thu, 17 Dec 2009 10:50:00 +0100

De fÃ¦rreste er klar over at Skolelinux-prosjektet kom som et resultat -av en avgjÃ¸relse pÃ¥ Ã¥rsmÃ¸tet i -NUUG i 2000-06-29, der HÃ¥kon Wium -Lie, da varamedlem i styret, tok pÃ¥ seg oppdraget om Ã¥ starte et -initiativ kalt "Teach the Teacher", som skulle vÃ¦re et initiativ for -Ã¥ fÃ¥ fri programvare og unix-lignende operativsystemer inn i Skolen. -Tanken var at en mÃ¥tte starte med lÃ¦rerne for at ungene skulle fÃ¥ -mulighet til Ã¥ mÃ¸te en bedre IT-hverdag. Jeg var tilstede pÃ¥ -mÃ¸tet, og hadde sans for ideen, men intet skjedde. PÃ¥ vÃ¥rparten -2001 ble det arrangert en demonstrasjon i anledning at First Tuesday -hadde invitert Microsoft til et mÃ¸te for Ã¥ fortelle om fremtidens -Internet. Dette provoserte endel av oss, og EFN og NUUG tok initiativ -til Ã¥ arrangere -en -demonstrasjon utenfor lokalene 2001-05-21. Blant de som sto bak -demonstrasjonen var Vidar Bakke fra NUUG og HÃ¥kon W. Lie fra EFN. -Etter demonstrasjonen arrangerte HÃ¥kon en fest hjemme hos seg der alle -som hadde vÃ¦rt aktive i demonstrasjonsplanlegging og gjennomfÃ¸ringen -deltok. FÃ¸r festen var jeg blitt lei av Ã¥ vente pÃ¥ at HÃ¥kon skulle ta -initiativ til "Teach the Teacher", og for Ã¥ forsÃ¸ke Ã¥ fÃ¥ litt fremgang -besteme jeg meg for Ã¥ benytte anledningen hos HÃ¥kon til Ã¥ snakke om -behovet for Ã¥ hjelpe skolene i gang med bedre datasystemer bestÃ¥ende -av fri programvare og unix-lignende operativsystemer. Flere var -interessert, og Knut Yrvin tenkte pÃ¥ ideen. Han -ropte -sammen til et stiftelsesmÃ¸te i prosjektet i sin arbeidsgivers -Objectwares lokaler ved UllevÃ¥l stadion 2001-07-02, og jeg ble med. -Resten er historie. :)

A few times I have had the need to simulate the way tasksel +installs packages during the normal debian-installer run. Until now, +I have ended up letting tasksel do the work, with the annoying problem +of not getting any feedback at all when something fails (like a +conffile question from dpkg or a download that fails), using code like +this: + +

+export DEBIAN_FRONTEND=noninteractive
+tasksel --new-install
+

+ +This would invoke tasksel, let its automatic task selection pick the +tasks to install, and continue to install the requested tasks without +any output what so ever. + +Recently I revisited this problem while working on the automatic +package upgrade testing, because tasksel would some times hang without +any useful feedback, and I want to see what is going on when it +happen. Then it occured to me, I can parse the output from tasksel +when asked to run in test mode, and use that aptitude command line +printed by tasksel then to simulate the tasksel run. I ended up using +code like this: + +

+export DEBIAN_FRONTEND=noninteractive
+cmd="$(in_target tasksel -t --new-install | sed 's/debconf-apt-progress -- //')"
+$cmd
+

+ +

The content of $cmd is typically something like "aptitude -q +--without-recommends -o APT::Install-Recommends=no -y install +~t^desktop$ ~t^gnome-desktop$ ~t^laptop$ ~pstandard ~prequired +~pimportant", which will install the gnome desktop task, the +laptop task and all packages with priority standard , required and +important, just like tasksel would have done it during +installation.

+ +

A better approach is probably to extend tasksel to be able to +install packages without using debconf-apt-progress, for use cases +like this.

FÃ¸rste NUUG-fordrag sendt pÃ¥ TV

Tue, 8 Dec 2009 12:00:00 +0100

Endelig har NUUG klart Ã¥ fÃ¥ kringkastet ut et av sine fordrag pÃ¥ -TV. Foredraget om -utskriftslÃ¸sningen -Biforst var fÃ¸rst ute, pga. at det var det nyeste foredraget som -var holdt pÃ¥ norsk, og dermed slapp vi Ã¥ finne ut av hvordan -teksting av video skulle gjÃ¸res.

- -

NUUG har vÃ¦rt involvert i -Frikanalen en stund nÃ¥, for Ã¥ -forsÃ¸ke Ã¥ fÃ¥ ut budskapet vÃ¥rt ogsÃ¥ pÃ¥ TV, og dette fÃ¸rste foredraget -er en sped start pÃ¥ det vi har planlagt.

- -

NUUGs fÃ¸rste foredrag sendes ut via frikanelen pÃ¥ digitalt -bakkenett, og alle abonnenter av riks-TV skal dermed ha mulighet til Ã¥ -ta inn sendingen. SlÃ¥ pÃ¥ TVen 5/12 16:05 (for sent), 12/12 14:00, -19/12 16:00, 24/12 15:37 eller 26/12 16:11 i Ã¥r, sÃ¥ skal du fÃ¥ se -meg, Tollef og alle andre de som deltok pÃ¥ mÃ¸tet pÃ¥ TV.

Dagbladet +melder at Vinmonopolet med bakgrunn i vekterstreiken som pÃ¥gÃ¥r i +Norge for tiden, har bestemt seg for med vitende og vilje Ã¥ bryte +sentralbanklovens paragraf 14 ved Ã¥ nekte folk Ã¥ betale med +kontanter, og at flere butikker planlegger Ã¥ fÃ¸lge deres eksempel. +Jeg synes det er hÃ¥rreisende hvis de slipper unna med et slikt +soleklart lovbrudd, og lurer pÃ¥ hva slags muligheter jeg vil ha hvis +jeg blir nektet Ã¥ handle med kontanter. Jeg handler i hovedsak med +kontanter selv, da jeg anser det som en borgerrett Ã¥ kunne handle +anonymt uten at det blir registrert. For meg er det et angrep pÃ¥ mitt +personvern Ã¥ nekte Ã¥ ta imot kontant betaling.

+ +

Paragrafen +i sentralbankloven lyder:

+ +

+
Â§ 14. Tvungent betalingsmiddel
+ +
Bankens sedler og mynter er tvungent betalingsmiddel i Norge. Ingen +er pliktig til i Ã©n betaling Ã¥ ta imot mer enn femogtyve mynter av +hver enhet.
+ +
Sterkt skadde sedler og mynter er ikke tvungent +betalingsmiddel. Banken gir nÃ¦rmere forskrifter om erstatning for +bortkomne, brente eller skadde sedler og mynter.
+ +
Selv om en avtale inneholder klausul om betaling av en +pengeforpliktelse i gullverdi, kan skyldneren frigjÃ¸re seg med tvungne +betalingsmidler uten hensyn til denne klausul.
+

+ +

Det er med bakgrunn i denne lovet ikke tillatt Ã¥ nekte Ã¥ ta imot +kontakt betaling. Det er en lov jeg har sans for, og som jeg mener mÃ¥ +hÃ¥ndheves strengt.

Kartverket "frigjÃ¸r" data men er fortsatt ikke interessante

Thu, 12 Nov 2009 10:10:00 +0100

Dagens -kartnyhet -er at kartverket gir ikke-kommersiell tilgang til -en WMS-tjeneste der en til privat bruk kan hente ut bilder av -kartutsnitt sÃ¥ lenge disse ikke lagres lokalt, brukes i begrenset -opplÃ¸sning og ikke skader kartverket og rettighetshavernes omdÃ¸mme og -interesse.

- -

I gÃ¥r publiserte Ivan Sanchez -kaketesten -som et forslag til en (av forhÃ¥pentligvis flere) mÃ¥ter Ã¥ teste om kart -eller kartdata er fritt tilgjengelige pÃ¥. Testen er enkel, og sier -enkelt (oversatt av meg): Et sett med geodata, eller en kart, er kun -fritt tilgjengelig hvis noen kan gi deg en kake med det kartet pÃ¥ -toppen, som en gave. Kartverkets publisering av kart feiler sÃ¥ vidt -jeg kan se denne testen fullstendig. En kan slik jeg leser vilkÃ¥rene -ikke be en konditor om Ã¥ lage en kake (brudd pÃ¥ kravet om -ikke-kommersiell bruk) med kartverkets kart.

- -

De som vil lage karttjenester basert pÃ¥ denne nye tjenesten fra -kartverket vil gjÃ¸re det pÃ¥ kartverkets nÃ¥de og med sterke bindinger -og begresninger. Det blir dermed helt uinteressant for meg. Jeg vil -nok fortsette Ã¥ bruke data fra -OpenStreetmap.org, der jeg -har kontrollen med tilgang til kartdataene, og kan endre pÃ¥ de -underliggende dataene som jeg Ã¸nsker.

- -

Som et eksempel, sÃ¥ trenger vi til en norsk -FixMyStreet-installasjon -tilgang til vektorutgaven av kommunegrensene. Denne nye karttjenesten -er ubrukelig til dette.

For those of us caring about document exchange and +interoperability, OfficeShots +is a great service. It is to ODF documents what +BrowserShots is for web +pages.

+ +

A while back, I was contacted by Knut Yrvin at the part of Nokia +that used to be Trolltech, who wanted to help the OfficeShots project +and wondered if the University of Oslo where I work would be +interested in supporting the project. I helped him to navigate his +request to the right people at work, and his request was answered with +a spot in the machine room with power and network connected, and Knut +arranged funding for a machine to fill the spot. The machine is +administrated by the OfficeShots people, so I do not have daily +contact with its progress, and thus from time to time check back to +see how the project is doing.

+ +

Today I had a look, and was happy to see that the Dell box in our +machine room now is the host for several virtual machines running as +OfficeShots factories, and the project is able to render ODF documents +in 17 different document processing implementation on Linux and +Windows. This is great.