X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/7d45bc77474335f56a123d3d83da3f6aa94d0889..e42f5b1dad855a6ee4fe4dec43b101f4d02a5f2b:/blog/index.html diff --git a/blog/index.html b/blog/index.html index e9b7901ac8..56e0d3e6d0 100644 --- a/blog/index.html +++ b/blog/index.html @@ -20,990 +20,422 @@
-
One step closer to single signon in Debian Edu
-
2010-07-25 10:00
+
Oppdatert kart over overvåkningskamera i Norge
+
2010-09-22 20:50
-

The last few months I have been working hard to get the -Debian/Squeeze based version of Debian Edu/Skolelinux into shape. -This future version will use Kerberos for authentication, and services -are slowly migrated to single sign, getting rid of password questions -one at the time.

- -

It will also feature a roaming workstation profile with local home -directory, for laptops that are only some times on the Skolelinux -network, and for this profile a shortcut is created in Gnome and KDE -to gain access to the users home directory on the file server. This -shortcut uses SMB at the moment, and yesterday I had time to test if -SMB mounting had started working in KDE after we added the cifs-utils -package. I was surprised how well it worked.

- -

Thanks to the recent changes to our samba configuration to get it -to use Kerberos for authentication, there were no question about user -password when mounting the SMB volume. A simple click on the shortcut -in the KDE menu, and a window with the home directory popped -up. :)

- -

One step closer to a single signon solution out of the box in -Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now -also Samba. Next step is Cups and hopefully also NFS.

- -

We had planned a alpha0 release of Debian Edu for today, but thanks -to the autobuilder administrators for some architectures being slow to -sign packages, we are still missing the fixed LTSP package we need for -the release. It was uploaded three days ago with urgency=high, and if -it had entered testing yesterday we would have been able to test it in -time for a alpha0 release today. As the binaries for ia64 and powerpc -still not uploaded to the Debian archive, we need to delay the alpha -release another day.

- -

If you want to help out with implementing Kerberos for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

For ca. et og et halvt år siden +startet +jeg på et kart over overvåkningskamera i Norge, i regi av +personvernforeningen. Det har +blitt oppdatert regelmessing, og jeg oppdaterte det nettopp. Fra den +spede start med 22 kamera registrert er det nå registrert 54 kamera. +Det er bare en brøkdel av de kamera som finnes i Norge, men det går +sakte men sikkert i riktig retning.

+ +

Informasjonen registreres fortsatt direkte inn i +OpenStreetmap, og hentes +automatisk over i + +når jeg kjører et script for å filtrere ut overvåkningskamera fra +OSM-dumpen for Norge.

- Tags: debian edu, english, nuug. + Tags: norsk, personvern.
-
Digitale restriksjonsmekanismer fikk meg til å slutte å kjøpe musikk
-
2010-07-22 23:50
+
Anonym ferdsel er en menneskerett
+
2010-09-15 12:15
-

For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at -musikkbransjen var godt i gang med å selge platene sine med DRM som -gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg -hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en -plate om den var ødelagt eller ikke, og jeg hadde jo allerede en -anseelig samling med plater, så jeg bestemme meg for å slutte å gi -penger til en bransje som åpenbart ikke respekterte meg.

- -

Jeg har mange titalls dager med musikk på CD i dag. Det meste er -lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har -ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer -musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt -fornøyd.

- -

Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de -setter pris på meg som kunde, og ikke skremme meg bort med DRM og -antydninger om at kundene er kriminelle.

- -

Filmbransjen er like ille, men mens musikk gjerne varer lenge, er -filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men -holder meg til DVD-filmer som kan spilles av på mine Linuxbokser. -Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene -«Ultraviolet» som be annonsert her om dagen.

+

Debatten rundt sporveiselskapet i Oslos (Ruter AS) ønske om +å +radiomerke med RFID alle sine kunder og +registerere +hvor hver og en av oss beveger oss pågår, og en ting som har +kommet lite frem i debatten er at det faktisk er en menneskerett å +kunne ferdes anonymt internt i ens eget land.

+ +

Fant en grei kilde for dette i et +skriv +fra Datatilsynet til Samferdselsdepartementet om tema:

+ +

Retten til å ferdes anonymt kan utledes av +menneskerettskonvensjonen artikkel 8 og av EUs personverndirektiv. +Her heter det at enkeltpersoners grunnleggende rettigheter og frihet +må respekteres, særlig retten til privatlivets fred. I både +personverndirektivet og i den norske personopplysningsloven er +selvråderetten til hver enkelt et av grunnprinsippene, hovedsaklig +uttrykt ved at en må gi et frivillig, informert og uttrykkelig +samtykke til behandling av personopplysninger.

+ +

For meg er det viktig at jeg kan ferdes anonymt, og det er litt av +bakgrunnen til at jeg handler med kontanter, ikke har mobiltelefon og +forventer å kunne reise med bil og kollektivtrafikk uten at det blir +registrert hvor jeg har vært. Ruter angriper min rett til å ferdes +uten radiopeiler med sin innføring av RFID-kort, og dokumenterer sitt +ønske om å registrere hvor kundene befant seg ved å ønske å gebyrlegge +oss som ikke registrerer oss hver gang vi beveger oss med +kollektivtrafikken i Oslo. Jeg synes det er hårreisende.

- Tags: fildeling, norsk, nuug, opphavsrett, personvern. + Tags: norsk, nuug, personvern, sikkerhet.
-
OpenStreetmap one step closer to having routing on its front page
-
2010-07-18 16:45
+
Terms of use for video produced by a Canon IXUS 130 digital camera
+
2010-09-09 23:55
-

Thanks to -todays -opengeodata blog entry, I just discovered that the -OpenStreetmap.org site have gotten -support -for calculating routes. The support is still experimental and -only available from the development server, until more experience is -gathered on the user interface and any scalability issues.

- -

Earlier, the routing I knew about using the OpenStreetmap.org data -was provided by Cloudmade, -but having it on the main page is required to make everyone aware of -the issue. I've had people reject Openstreetmap.org as a viable -alternative for them because the front page lacked routing support, -and I hope their needs will be catered for when routing show up on the -www.openstreetmap.org front page.

+

A few days ago I had the mixed pleasure of bying a new digital +camera, a Canon IXUS 130. It was instructive and very disturbing to +be able to verify that also this camera producer have the nerve to +specify how I can or can not use the videos produced with the camera. +Even thought I was aware of the issue, the options with new cameras +are limited and I ended up bying the camera anyway. What is the +problem, you might ask? It is software patents, MPEG-4, H.264 and the +MPEG-LA that is the problem, and our right to record our experiences +without asking for permissions that is at risk. + +

On page 27 of the Danish instruction manual, this section is +written:

+ +
+

This product is licensed under AT&T patents for the MPEG-4 standard +and may be used for encoding MPEG-4 compliant video and/or decoding +MPEG-4 compliant video that was encoded only (1) for a personal and +non-commercial purpose or (2) by a video provider licensed under the +AT&T patents to provide MPEG-4 compliant video.

+ +

No license is granted or implied for any other use for MPEG-4 +standard.

+
+ +

In short, the camera producer have chosen to use technology +(MPEG-4/H.264) that is only provided if I used it for personal and +non-commercial purposes, or ask for permission from the organisations +holding the knowledge monopoly (patent) for technology used.

+ +

This issue has been brewing for a while, and I recommend you to +read +"Why +Our Civilization's Video Art and Culture is Threatened by the +MPEG-LA" by Eugenia Loli-Queru and +"H.264 Is Not +The Sort Of Free That Matters" by Simon Phipps to learn more about +the issue. The solution is to support the +free and +open standards for video, like Ogg +Theora, and avoid MPEG-4 and H.264 if you can.

- Tags: english, kart, web. + Tags: english, fildeling, multimedia, nuug, opphavsrett, personvern, standard, video, web.
-
What are they searching for - PowerDNS and ISC DHCP in LDAP
-
2010-07-17 21:00
+
Navteq bruker 3-12 måneder, OpenStreetmap.org trenger noen dager
+
2010-09-07 21:40
-

This is a -followup -on my -previous -work on -merging -all the computer related LDAP objects in Debian Edu.

- -

As a step to try to see if it possible to merge the DNS and DHCP -LDAP objects, I have had a look at how the packages pdns-backend-ldap -and dhcp3-server-ldap in Debian use the LDAP server. The two -implementations are quite different in how they use LDAP.

- -To get this information, I started slapd with debugging enabled and -dumped the debug output to a file to get the LDAP searches performed -on a Debian Edu main-server. Here is a summary. - -

powerdns

- -Clues -on how to set up PowerDNS to use a LDAP backend is available on -the web. - -

PowerDNS have two modes of operation using LDAP as its backend. -One "strict" mode where the forward and reverse DNS lookups are done -using the same LDAP objects, and a "tree" mode where the forward and -reverse entries are in two different subtrees in LDAP with a structure -based on the DNS names, as in tjener.intern and -2.2.0.10.in-addr.arpa.

- -

In tree mode, the server is set up to use a LDAP subtree as its -base, and uses a "base" scoped search for the DNS name by adding -"dc=tjener,dc=intern," to the base with a filter for -"(associateddomain=tjener.intern)" for the forward entry and -"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for -"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry. For -forward entries, it is looking for attributes named dnsttl, arecord, -nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord, -txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord, -srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord, -ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord, -spfrecord and modifytimestamp. For reverse entries it is looking for -the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord, -ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord, -locrecord, srvrecord, naptrrecord and modifytimestamp. The equivalent -ldapsearch commands could look like this:

- -
-ldapsearch -h ldap \
-  -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \
-  -s base -x '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
-  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
-  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
-  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
-  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
-
-ldapsearch -h ldap \
-  -b dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \
-  -s base -x '(associateddomain=2.2.0.10.in-addr.arpa)'
-  dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \
-  hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \
-  srvrecord naptrrecord modifytimestamp
-
- -

In Debian Edu/Lenny, the PowerDNS tree mode is used with -ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two -example LDAP objects used there. In addition to these objects, the -parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no -also exist.

- -
-dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no
-objectclass: top
-objectclass: dnsdomain
-objectclass: domainrelatedobject
-dc: tjener
-arecord: 10.0.2.2
-associateddomain: tjener.intern
-
-dn: dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no
-objectclass: top
-objectclass: dnsdomain2
-objectclass: domainrelatedobject
-dc: 2
-ptrrecord: tjener.intern
-associateddomain: 2.2.0.10.in-addr.arpa
-
- -

In strict mode, the server behaves differently. When looking for -forward DNS entries, it is doing a "subtree" scoped search with the -same base as in the tree mode for a object with filter -"(associateddomain=tjener.intern)" and requests the attributes dnsttl, -arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, -mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord, -naptrrecord and modifytimestamp. For reverse entires it also do a -subtree scoped search but this time the filter is "(arecord=10.0.2.2)" -and the requested attributes are associateddomain, dnsttl and -modifytimestamp. In short, in strict mode the objects with ptrrecord -go away, and the arecord attribute in the forward object is used -instead.

- -

The forward and reverse searches can be simulated using ldapsearch -like this:

- -
-ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
-  '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
-  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
-  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
-  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
-  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
-
-ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
-  '(arecord=10.0.2.2)' associateddomain dnsttl modifytimestamp
-
- -

In addition to the forward and reverse searches , there is also a -search for SOA records, which behave similar to the forward and -reverse lookups.

- -

A thing to note with the PowerDNS behaviour is that it do not -specify any objectclass names, and instead look for the attributes it -need to generate a DNS reply. This make it able to work with any -objectclass that provide the needed attributes.

- -

The attributes are normally provided in the cosine (RFC 1274) and -dnsdomain2 schemas. The latter is used for reverse entries like -ptrrecord and recent DNS additions like aaaarecord and srvrecord.

- -

In Debian Edu, we have created DNS objects using the object classes -dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS -attributes) and domainrelatedobject (for associatedDomain). The use -of structural object classes make it impossible to combine these -classes with the object classes used by DHCP.

- -

There are other schemas that could be used too, for example the -dnszone structural object class used by Gosa and bind-sdb for the DNS -attributes combined with the domainrelatedobject object class, but in -this case some unused attributes would have to be included as well -(zonename and relativedomainname).

- -

My proposal for Debian Edu would be to switch PowerDNS to strict -mode and not use any of the existing objectclasses (dnsdomain, -dnsdomain2 and dnszone) when one want to combine the DNS information -with DHCP information, and instead create a auxiliary object class -defined something like this (using the attributes defined for -dnsdomain and dnsdomain2 or dnszone):

- -
-objectclass ( some-oid NAME 'dnsDomainAux'
-    SUP top
-    AUXILIARY
-    MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $
-          DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $
-          TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $
-          NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
-          A6Record $ DNAMERecord
-    ))
-
- -

This will allow any object to become a DNS entry when combined with -the domainrelatedobject object class, and allow any entity to include -all the attributes PowerDNS wants. I've sent an email to the PowerDNS -developers asking for their view on this schema and if they are -interested in providing such schema with PowerDNS, and I hope my -message will be accepted into their mailing list soon.

- -

ISC dhcp

- -

The DHCP server searches for specific objectclass and requests all -the object attributes, and then uses the attributes it want. This -make it harder to figure out exactly what attributes are used, but -thanks to the working example in Debian Edu I can at least get an idea -what is needed without having to read the source code.

- -

In the DHCP server configuration, the LDAP base to use and the -search filter to use to locate the correct dhcpServer entity is -stored. These are the relevant entries from -/etc/dhcp3/dhcpd.conf:

- -
-ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
-ldap-dhcp-server-cn "dhcp";
-
- -

The DHCP server uses this information to nest all the DHCP -configuration it need. The cn "dhcp" is located using the given LDAP -base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))". The -search result is this entry:

- -
-dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
-cn: dhcp
-objectClass: top
-objectClass: dhcpServer
-dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-
- -

The content of the dhcpServiceDN attribute is next used to locate the -subtree with DHCP configuration. The DHCP configuration subtree base -is located using a base scope search with base "cn=DHCP -Config,dc=skole,dc=skolelinux,dc=no" and filter -"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))". -The search result is this entry:

- -
-dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-cn: DHCP Config
-objectClass: top
-objectClass: dhcpService
-objectClass: dhcpOptions
-dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
-dhcpStatements: ddns-update-style none
-dhcpStatements: authoritative
-dhcpOption: smtp-server code 69 = array of ip-address
-dhcpOption: www-server code 72 = array of ip-address
-dhcpOption: wpad-url code 252 = text
-
- -

Next, the entire subtree is processed, one level at the time. When -all the DHCP configuration is loaded, it is ready to receive requests. -The subtree in Debian Edu contain objects with object classes -top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions, -top/dhcpSubnet, top/dhcpGroup and top/dhcpHost. These provide options -and information about netmasks, dynamic range etc. Leaving out the -details here because it is not relevant for the focus of my -investigation, which is to see if it is possible to merge dns and dhcp -related computer objects.

- -

When a DHCP request come in, LDAP is searched for the MAC address -of the client (00:00:00:00:00:00 in this example), using a subtree -scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as -the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet -00:00:00:00:00:00))" as the filter. This is what a host object look -like:

- -
-dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-cn: hostname
-objectClass: top
-objectClass: dhcpHost
-dhcpHWAddress: ethernet 00:00:00:00:00:00
-dhcpStatements: fixed-address hostname
-
- -

There is less flexiblity in the way LDAP searches are done here. -The object classes need to have fixed names, and the configuration -need to be stored in a fairly specific LDAP structure. On the -positive side, the invidiual dhcpHost entires can be anywhere without -the DN pointed to by the dhcpServer entries. The latter should make -it possible to group all host entries in a subtree next to the -configuration entries, and this subtree can also be shared with the -DNS server if the schema proposed above is combined with the dhcpHost -structural object class. - -

Conclusion

- -

The PowerDNS implementation seem to be very flexible when it come -to which LDAP schemas to use. While its "tree" mode is rigid when it -come to the the LDAP structure, the "strict" mode is very flexible, -allowing DNS objects to be stored anywhere under the base cn specified -in the configuration.

- -

The DHCP implementation on the other hand is very inflexible, both -regarding which LDAP schemas to use and which LDAP structure to use. -I guess one could implement ones own schema, as long as the -objectclasses and attributes have the names used, but this do not -really help when the DHCP subtree need to have a fairly fixed -structure.

- -

Based on the observed behaviour, I suspect a LDAP structure like -this might work for Debian Edu:

- -
-ou=services
-  cn=machine-info (dhcpService) - dhcpServiceDN points here
-    cn=dhcp (dhcpServer)
-    cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
-      cn=10.0.2.0 (dhcpSubnet)
-        cn=group1 (dhcpGroup/dhcpOptions)
-    cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
-      cn=192.168.0.0 (dhcpSubnet)
-        cn=group1 (dhcpGroup/dhcpOptions)
-    ou=machines - PowerDNS base points here
-      cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
-
- -

This is not tested yet. If the DHCP server require the dhcpHost -entries to be in the dhcpGroup subtrees, the entries can be stored -there instead of a common machines subtree, and the PowerDNS base -would have to be moved one level up to the machine-info subtree.

- -

The combined object under the machines subtree would look something -like this:

- -
-dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
-dc: hostname
-objectClass: top
-objectClass: dhcpHost
-objectclass: domainrelatedobject
-objectclass: dnsDomainAux
-associateddomain: hostname.intern
-arecord: 10.11.12.13
-dhcpHWAddress: ethernet 00:00:00:00:00:00
-dhcpStatements: fixed-address hostname.intern
-
- -

One could even add the LTSP configuration associated with a given -machine, as long as the required attributes are available in a -auxiliary object class.

+

Jeg ble riktig fascinert av +en +artikkel i Aftenposten om hvor hardt Navteq jobber for å oppdatere +kartene som brukes i navigasjons-GPSer, der det blant annet heter at +"på grunn av teknikken tar det alt fra tre til tolv måneder før +kartene er oppdatert". Når en kjenner hva slags oppdateringshastighet +som er tilgjengelig på +OpenStreetmap som +oppdateres på dugnad, blir det litt trist å se hva noe av det beste en +kan kjøpe for penger får til.

+ +

Fra en endrer kartdataene i databasen til OpenStreetmap tar det +ca. 15 minutter før endringen er synlig på kartet som alle kan se på +web. Dernest overføres det daglig til en kartdump som lastes ned av +personen som lager Garmin-kart for Norge ca. en gang i uken. Med +OpenStreetmap.org og Frikart.no +kan en altså ha korreksjonene på plass i sin Garmin-GPS i løpet av en +uke. Det er også av tekniske årsaker at det tar så langt tid. +Jobbene som tegner kartene, henter ut kartdumpene og konverterer til +Garmin-format tar minutter og timer å gjennomføre, slik at de ikke +gjøres kontinuerlig men kun regelmessing.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: kart, norsk, nuug.
-
Combining PowerDNS and ISC DHCP LDAP objects
-
2010-07-14 23:45
+
Some notes on Flash in Debian and Debian Edu
+
2010-09-04 10:10
-

For a while now, I have wanted to find a way to change the DNS and -DHCP services in Debian Edu to use the same LDAP objects for a given -computer, to avoid the possibility of having a inconsistent state for -a computer in LDAP (as in DHCP but no DNS entry or the other way -around) and make it easier to add computers to LDAP.

- -

I've looked at how powerdns and dhcpd is using LDAP, and using this -information finally found a solution that seem to work.

- -

The old setup required three LDAP objects for a given computer. -One forward DNS entry, one reverse DNS entry and one DHCP entry. If -we switch powerdns to use its strict LDAP method (ldap-method=strict -in pdns-debian-edu.conf), the forward and reverse DNS entries are -merged into one while making it impossible to transfer the reverse map -to a slave DNS server.

- -

If we also replace the object class used to get the DNS related -attributes to one allowing these attributes to be combined with the -dhcphost object class, we can merge the DNS and DHCP entries into one. -I've written such object class in the dnsdomainaux.schema file (need -proper OIDs, but that is a minor issue), and tested the setup. It -seem to work.

- -

With this test setup in place, we can get away with one LDAP object -for both DNS and DHCP, and even the LTSP configuration I suggested in -an earlier email. The combined LDAP object will look something like -this:

- -
-  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-  cn: hostname
-  objectClass: dhcphost
-  objectclass: domainrelatedobject
-  objectclass: dnsdomainaux
-  associateddomain: hostname.intern
-  arecord: 10.11.12.13
-  dhcphwaddress: ethernet 00:00:00:00:00:00
-  dhcpstatements: fixed-address hostname
-  ldapconfigsound: Y
-
- -

The DNS server uses the associateddomain and arecord entries, while -the DHCP server uses the dhcphwaddress and dhcpstatements entries -before asking DNS to resolve the fixed-adddress. LTSP will use -dhcphwaddress or associateddomain and the ldapconfig* attributes.

- -

I am not yet sure if I can get the DHCP server to look for its -dhcphost in a different location, to allow us to put the objects -outside the "DHCP Config" subtree, but hope to figure out a way to do -that. If I can't figure out a way to do that, we can still get rid of -the hosts subtree and move all its content into the DHCP Config tree -(which probably should be renamed to be more related to the new -content. I suspect cn=dnsdhcp,ou=services or something like that -might be a good place to put it.

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

In the Debian +popularity-contest numbers, the adobe-flashplugin package the +second most popular used package that is missing in Debian. The sixth +most popular is flashplayer-mozilla. This is a clear indication that +working flash is important for Debian users. Around 10 percent of the +users submitting data to popcon.debian.org have this package +installed.

+ +

In the report written by Lars Risan in August 2008 +(«Skolelinux +i bruk – Rapport for Hurum kommune, Universitetet i Agder og +stiftelsen SLX Debian Labs»), one of the most important problems +schools experienced with Debian +Edu/Skolelinux was the lack of working Flash. A lot of educational +web sites require Flash to work, and lacking working Flash support in +the web browser and the problems with installing it was perceived as a +good reason to stay with Windows.

+ +

I once saw a funny and sad comment in a web forum, where Linux was +said to be the retarded cousin that did not really understand +everything you told him but could work fairly well. This was a +comment regarding the problems Linux have with proprietary formats and +non-standard web pages, and is sad because it exposes a fairly common +understanding of whose fault it is if web pages that only work in for +example Internet Explorer 6 fail to work on Firefox, and funny because +it explain very well how annoying it is for users when Linux +distributions do not work with the documents they receive or the web +pages they want to visit.

+ +

This is part of the reason why I believe it is important for Debian +and Debian Edu to have a well working Flash implementation in the +distribution, to get at least popular sites as Youtube and Google +Video to working out of the box. For Squeeze, Debian have the chance +to include the latest version of Gnash that will make this happen, as +the new release 0.8.8 was published a few weeks ago and is resting in +unstable. The new version work with more sites that version 0.8.7. +The Gnash maintainers have asked for a freeze exception, but the +release team have not had time to reply to it yet. I hope they agree +with me that Flash is important for the Debian desktop users, and thus +accept the new package into Squeeze.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: debian, debian edu, english, multimedia, video, web.
-
Idea for storing LTSP configuration in LDAP
-
2010-07-11 22:00
+
My first perl GUI application - controlling a Spykee robot
+
2010-09-01 21:00
-

Vagrant mentioned on IRC today that ltsp_config now support -sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin -clients, and that this can be used to fetch configuration from LDAP if -Debian Edu choose to store configuration there.

- -

Armed with this information, I got inspired and wrote a test module -to get configuration from LDAP. The idea is to look up the MAC -address of the client in LDAP, and look for attributes on the form -ltspconfigsetting=value, and use this to export SETTING=value to the -LTSP clients.

- -

The goal is to be able to store the LTSP configuration attributes -in a "computer" LDAP object used by both DNS and DHCP, and thus -allowing us to store all information about a computer in one place.

- -

This is a untested draft implementation, and I welcome feedback on -this approach. A real LDAP schema for the ltspClientAux objectclass -need to be written. Comments, suggestions, etc?

- -
-# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
-#
-# Fetch LTSP client settings from LDAP based on MAC address
-#
-# Uses ethernet address as stored in the dhcpHost objectclass using
-# the dhcpHWAddress attribute or ethernet address stored in the
-# ieee802Device objectclass with the macAddress attribute.
-#
-# This module is written to be schema agnostic, and only depend on the
-# existence of attribute names.
-#
-# The LTSP configuration variables are saved directly using a
-# ltspConfig prefix and uppercasing the rest of the attribute name.
-# To set the SERVER variable, set the ltspConfigServer attribute.
-#
-# Some LDAP schema should be created with all the relevant
-# configuration settings.  Something like this should work:
-# 
-# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
-#     SUP top
-#     AUXILIARY
-#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )
-
-LDAPSERVER=$(debian-edu-ldapserver)
-if [ "$LDAPSERVER" ] ; then
-    LDAPBASE=$(debian-edu-ldapserver -b)
-    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do
-	filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))"
-	ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \
-	    grep '^ltspConfig' | while read attr value ; do
-	    # Remove prefix and convert to upper case
-	    attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z)
-	    # bass value on to clients
-	    eval "$attr=$value; export $attr"
-	done
-    done
-fi
-
- -

I'm not sure this shell construction will work, because I suspect -the while block might end up in a subshell causing the variables set -there to not show up in ltsp-config, but if that is the case I am sure -the code can be restructured to make sure the variables are passed on. -I expect that can be solved with some testing. :)

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

- -

Update 2010-07-17: I am aware of another effort to store LTSP -configuration in LDAP that was created around year 2000 by -PC -Xperience, Inc., 2000. I found its -files on a -personal home page over at redhat.com.

+

This evening I made my first Perl GUI application. The last few +days I have worked on a Perl module for controlling my recently +aquired Spykee robots, and the module is now getting complete enought +that it is possible to use it to control the robot driving at least. +It was now time to figure out how to use it to create some GUI to +allow me to drive the robot around. I picked PerlQt as I have had +positive experiences with the Qt API before, and spent a few minutes +browsing the web for examples. Using Qt Designer seemed like a short +cut, so I ended up writing the perl GUI using Qt Designer and +compiling it into a perl program using the puic program from +libqt-perl. Nothing fancy yet, but it got buttons to connect and +drive around.

+ +

The perl module I have written provide a object oriented API for +controlling the robot. Here is an small example on how to use it:

+ +

+use Spykee;
+Spykee::discover(sub {$robot{$_[0]} = $_[1]});
+my $host = (keys %robot)[0];
+my $spykee = Spykee->new();
+$spykee->contact($host, "admin", "admin");
+$spykee->left();
+sleep 2;
+$spykee->right();
+sleep 2;
+$spykee->forward();
+sleep 2;
+$spykee->back();
+sleep 2;
+$spykee->stop();
+

+ +

Thanks to the release of the source of the robot firmware, I could +peek into the implementation at the other end to figure out how to +implement the protocol used by the robot. I've implemented several of +the commands the robot understand, but is still missing the camera +support to make it possible to control the robot from remote. First I +want to implement support for uploading new firmware and configuring +the wireless network, to make it possible to bootstrap a Spykee robot +without the producers Windows and MacOSX software (I only have Linux, +so I had to ask a friend to come over to get the robot testing +going. :).

+ +

Will release the source to the public soon, but need to figure out +where to make it available first. I will add a link to +the NUUG wiki for +those that want to check back later to find it.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: english, nuug, robot.
-
jXplorer, a very nice LDAP GUI
-
2010-07-09 12:55
+
Forslag i stortinget om å stoppe elektronisk stemmegiving i Norge
+
2010-08-31 21:00
-

Since -my -last post about available LDAP tools in Debian, I was told about a -LDAP GUI that is even better than luma. The java application -jXplorer is claimed to be capable of -moving LDAP objects and subtrees using drag-and-drop, and can -authenticate using Kerberos. I have only tested the Kerberos -authentication, but do not have a LDAP setup allowing me to rewrite -LDAP with my test user yet. It is -available in -Debian testing and unstable at the moment. The only problem I -have with it is how it handle errors. If something go wrong, its -non-intuitive behaviour require me to go through some query work list -and remove the failing query. Nothing big, but very annoying.

+

Ble tipset i dag om at et forslag om å stoppe forsøkene med +elektronisk stemmegiving utenfor valglokaler er +til +behandling i Stortinget. +Forslaget +er fremmet av Erna Solberg, Michael Tetzschner og Trond Helleland.

+ +

Håper det får flertall.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: norsk, nuug, sikkerhet.
-
MS Word krøller det til for politiet?
-
2010-07-08 14:00
+
Broken hard link handling with sshfs
+
2010-08-30 19:30
-

De siste dagene har Aftenposten -fortalt -hvordan -politet har brukt skriveverktøy som ikke håndterer arabisk tekst og -tekst som skal skrives fra høyre mot venstre når de har laget -løpeseddel for å be om informasjon fra publikum. Resultatet har vært -en uleselig arabisk-bit på løpeseddelen. Feilen har oppstått når -teksten har blitt "kopiert inn i programvare som ikke har støtte for -språk som skrives fra høyre mot venstre", og jeg er ganske sikker på -at det er snakk om Microsoft Office i dette tilfellet. Er det slik at -MS Office i norsk språkdrakt ikke har støtte for tekst som skal -skrives fra høyre mot venstre? Jeg tror alle utgaver av -OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å -la slik støtte finnes i alle utgaver av et program hvis støtten først -er utviklet. Aftenpostens melding får meg til å undre om problemet -ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS -Office.

- -

Mon tro om det er flere eksempler på at MS Office har ødelagt for -offentlig myndighet?

+

Just got an email from Tobias Gruetzmacher as a followup on my +previous +post about sshfs. He reported another problem with sshfs. It +fail to handle hard links properly. A simple way to spot this is to +look at the . and .. entries in the directory tree. These should have +a link count >1, but on sshfs the count is 1. I just tested to see +what happen when trying to hardlink, and this fail as well:

+ +
+% ln foo bar
+ln: creating hard link `bar' => `foo': Function not implemented
+%
+
+ +

I have not yet found time to implement a test for this in my file +system test code, but believe having working hard links is useful to +avoid surprised unix programs. Not as useful as working file locking +and symlinks, which are required to get a working desktop, but useful +nevertheless. :)

+ +

The latest version of the file system test code is available via +git from +http://github.com/gebi/fs-test

- Tags: norsk. + Tags: debian edu, english, nuug.
-
Lenny->Squeeze upgrades, apt vs aptitude with the Gnome desktop
-
2010-07-03 23:55
+
Sikkerhetsteateret på flyplassene fortsetter
+
2010-08-28 10:40
-

Here is a short update on my my -Debian Lenny->Squeeze upgrade testing. Here is a summary of the -difference for Gnome when it is upgraded by apt-get and aptitude. I'm -not reporting the status for KDE, because the upgrade crashes when -aptitude try because of missing conflicts -(#584861 and -#585716).

- -

At the end of the upgrade test script, dpkg -l is executed to get a -complete list of the installed packages. Based on this I see these -differences when I did a test run today. As usual, I do not really -know what the correct set of packages would be, but thought it best to -publish the difference.

- -

Installed using apt-get, missing with aptitude

- -

- at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs - libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common - libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin - libgtksourceview-common libpt-1.10.10-plugins-alsa - libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java - libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip - python-4suite-xml python-eggtrayicon python-gtkhtml2 - python-gtkmozembed svgalibg1 xserver-xephyr zip -

- -

Installed using apt-get, removed with aptitude

- -

- bluez-utils dhcdbd djvulibre-desktop epiphany-gecko - gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager - libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50 - libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3 - libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9 - libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3 - libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9 - libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2 - libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0 - libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0 - libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50 - libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10 - libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4 - libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5 - libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3 - libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8 - libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1 - libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj - libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3 - mysql-common swfdec-gnome totem-gstreamer wodim -

- -

Installed using aptitude, missing with apt-get

- -

- gnome gnome-desktop-environment hamster-applet python-gnomeapplet - python-gnomekeyring python-wnck rhythmbox-plugins xorg - xserver-xorg-input-all xserver-xorg-input-evdev - xserver-xorg-input-kbd xserver-xorg-input-mouse - xserver-xorg-input-synaptics xserver-xorg-video-all - xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati - xserver-xorg-video-chips xserver-xorg-video-cirrus - xserver-xorg-video-dummy xserver-xorg-video-fbdev - xserver-xorg-video-glint xserver-xorg-video-i128 - xserver-xorg-video-i740 xserver-xorg-video-mach64 - xserver-xorg-video-mga xserver-xorg-video-neomagic - xserver-xorg-video-nouveau xserver-xorg-video-nv - xserver-xorg-video-r128 xserver-xorg-video-radeon - xserver-xorg-video-radeonhd xserver-xorg-video-rendition - xserver-xorg-video-s3 xserver-xorg-video-s3virge - xserver-xorg-video-savage xserver-xorg-video-siliconmotion - xserver-xorg-video-sis xserver-xorg-video-sisusb - xserver-xorg-video-tdfx xserver-xorg-video-tga - xserver-xorg-video-trident xserver-xorg-video-tseng - xserver-xorg-video-vesa xserver-xorg-video-vmware - xserver-xorg-video-voodoo -

- -

Installed using aptitude, removed with apt-get

- -

- deskbar-applet xserver-xorg xserver-xorg-core - xserver-xorg-input-wacom xserver-xorg-video-intel - xserver-xorg-video-openchrome -

- -

I was told on IRC that the xorg-xserver package was -changed -in git today to try to get apt-get to not remove xorg completely. -No idea when it hits Squeeze, but when it does I hope it will reduce -the difference somewhat. +

Jeg skrev for et halvt år siden hvordan +samfunnet +kaster bort ressurser på sikkerhetstiltak som ikke fungerer. Kom +nettopp over en +historie +fra en pilot fra USA som kommenterer det samme. Jeg mistenker det +kun er uvitenhet og autoritetstro som gjør at så få protesterer. Har +veldig sans for piloten omtalt i Aftenposten 2007-10-23, +og skulle ønske flere rettet oppmerksomhet mot problemet. Det gir +ikke meg trygghetsfølelse på flyplassene når jeg ser at +flyplassadministrasjonen kaster bort folk, penger og tid på tull i +stedet for ting som bidrar til reell økning av sikkerheten. Det +forteller meg jo at vurderingsevnen til de som burde bidra til økt +sikkerhet er svært sviktende, noe som ikke taler godt for de andre +tiltakene.

+ +

Mon tro hva som skjer hvis det fantes en enkel brosjyre å skrive ut +fra Internet som forklarte hva som er galt med sikkerhetsopplegget på +flyplassene, og folk skrev ut og la en bunke på flyplassene når de +passerte. Kanskje det ville fått flere til å få øynene opp for +problemet.

+ +

Personlig synes jeg flyopplevelsen er blitt så avskyelig at jeg +forsøker å klare meg med tog, bil og båt for å slippe ubehaget. Det +er dog noe vanskelig i det langstrakte Norge og for å kunne besøke de +delene av verden jeg ønsker å nå. Mistenker at flere har det slik, og +at dette går ut over inntjeningen til flyselskapene. Det er antagelig +en god ting sett fra et miljøperspektiv, men det er en annen sak.

- Tags: debian, debian edu, english. + Tags: norsk, nuug, personvern, sikkerhet.
-
Caching password, user and group on a roaming Debian laptop
-
2010-07-01 11:40
+
Skolelinux i Osloskolen
+
2010-08-26 22:25
-

For a laptop, centralized user directories and password checking is -a bit troubling. Laptops are typically used also when not connected -to the network, and it is vital for a user to be able to log in or -unlock the screen saver also when a central server is unavailable. -This is possible by caching passwords and directory information (user -and group attributes) locally, and the packages to do so are available -in Debian. Here follow two recipes to set this up in Debian/Squeeze. -It is also possible to set up in Debian/Lenny, but require more manual -setup there because pam-auth-update is missing in Lenny.

- -

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

- -This is the traditional method with a twist. The password caching is -provided by libpam-ccreds (version 10-4 or later is needed on -Squeeze), and the directory caching is done by nscd. The directory -lookup and password checking is done using LDAP. If one want to use -Kerberos for password checking the libpam-ldapd package can be -replaced with libpam-krb5 or libpam-heimdal. If one is happy having a -local home directory with the path listed in LDAP, one can use the -pam_mkhomedir module from pam-modules to make this happen instead of -using libpam-mklocaluser. A setup for pam-auth-update to enable -pam_mkhomedir will have to be written until a fix for -bug #568577 is in the -archive. Because I believe it is a bad idea to have local home -directories using misleading paths like /site/server/partition/, I -prefer to create a local user with the home directory in /home/. This -is done using the libpam-mklocaluser package.

- -

These packages need to be installed and configured

- -
-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
-
- -

The ldapd packages will ask for LDAP connection information, and -one have to fill in the values that fits ones own site. Make sure the -PAM part uses encrypted connections, to make sure the password is not -sent in clear text to the LDAP server. I've been unable to get TLS -certificate checking for a self signed certificate working, which make -LDAP authentication unsafe for Debian Edu (nslcd is not checking if it -is talking to the correct LDAP server), and very much welcome feedback -on how to get this working.

- -

Because nscd do not have a default configuration fit for offline -caching until bug #485282 -is fixed, this configuration should be used instead of the one -currently in /etc/nscd.conf. The changes are in the fields -reload-count and positive-time-to-live, and is based on the -instructions I found in the -LDAP for Mobile Laptops -instructions by Flyn Computing.

- -
-	debug-level		0
-	reload-count		unlimited
-	paranoia		no
-
-	enable-cache		passwd		yes
-	positive-time-to-live	passwd		2592000
-	negative-time-to-live	passwd		20
-	suggested-size		passwd		211
-	check-files		passwd		yes
-	persistent		passwd		yes
-	shared			passwd		yes
-	max-db-size		passwd		33554432
-	auto-propagate		passwd		yes
-
-	enable-cache		group		yes
-	positive-time-to-live	group		2592000
-	negative-time-to-live	group		20
-	suggested-size		group		211
-	check-files		group		yes
-	persistent		group		yes
-	shared			group		yes
-	max-db-size		group		33554432
-	auto-propagate		group		yes
-
-	enable-cache		hosts		no
-	positive-time-to-live	hosts		2592000
-	negative-time-to-live	hosts		20
-	suggested-size		hosts		211
-	check-files		hosts		yes
-	persistent		hosts		yes
-	shared			hosts		yes
-	max-db-size		hosts		33554432
-
-	enable-cache		services	yes
-	positive-time-to-live	services	2592000
-	negative-time-to-live	services	20
-	suggested-size		services	211
-	check-files		services	yes
-	persistent		services	yes
-	shared			services	yes
-	max-db-size		services	33554432
-
- -

While we wait for a mechanism to update /etc/nsswitch.conf -automatically like the one provided in -bug #496915, the file -content need to be manually replaced to ensure LDAP is used as the -directory service on the machine. /etc/nsswitch.conf should normally -look like this:

- -
-passwd:         files ldap
-group:          files ldap
-shadow:         files ldap
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-protocols:      files
-services:       files
-ethers:         files
-rpc:            files
-netgroup:       files ldap
-
- -

The important parts are that ldap is listed last for passwd, group, -shadow and netgroup.

- -

With these changes in place, any user in LDAP will be able to log -in locally on the machine using for example kdm, get a local home -directory created and have the password as well as user and group -attributes cached. - -

LDAP/Kerberos + nss-updatedb + libpam-ccreds + - libpam-mklocaluser/pam_mkhomedir

- -

Because nscd have had its share of problems, and seem to have -problems doing proper caching, I've seen suggestions and recipes to -use nss-updatedb to copy parts of the LDAP database locally when the -LDAP database is available. I have not tested such setup, because I -discovered sssd.

- -

LDAP/Kerberos + sssd + libpam-mklocaluser

- -

A more flexible and robust setup than the nscd combination -mentioned earlier that has shown up recently, is the -sssd package from Redhat. -It is part of the FreeIPA project -to provide a Active Directory like directory service for Linux -machines. The sssd system combines the caching of passwords and user -information into one package, and remove the need for nscd and -libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version -1.2 do not support netgroups, but it is said that it will support this -in version 1.5 expected to show up later in 2010. Because the -sssd package -was missing in Debian, I ended up co-maintaining it with Werner, and -version 1.2 is now in testing. - -

These packages need to be installed and configured to get the -roaming setup I want

- -
-libpam-sss libnss-sss libpam-mklocaluser
-
- -The complete setup of sssd is done by editing/creating -/etc/sssd/sssd.conf. - -
-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = INTERN
-
-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[domain/INTERN]
-enumerate = false
-cache_credentials = true
-
-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
-
-ldap_uri = ldap://ldap
-ldap_search_base = dc=skole,dc=skolelinux,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-
- -

I got the same problem here with certificate checking. Had to set -"ldap_tls_reqcert = never" to get it working.

- -

With the libnss-sss package in testing at the moment, the -nsswitch.conf file is update automatically, so there is no need to -modify it manually.

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

Denne høsten skal endelig alle Osloskolene få mulighet til å bruke +Skolelinux. Ny IT-løsning +har vært rullet ut i noen måneder nå, og så vidt jeg fikk vite før +sommeren skulle alle skoler ha nytt opplegg på plass før oppstart nå i +høst. På alle skolene skal en kunne velge ved installasjon om en skal +ha Windows eller Skolelinux på maskinene, og en kan i tillegg +PXE-boote maskinene over nett som tynne klienter eller diskløse +arbeidsstasjoner. Jeg er spent på hvor mange skoler som velger å ta i +bruk Skolelinux, og gleder meg til å se hvordan dette utvikler seg. +Løsningen leveres av +Logica med +Skolelinux Drift AS som +underleverandør, og jeg har vært involvert i utviklingen av løsningen +via Skolelinux Drift AS siden prosjektet starter. Jeg synes det er +fantastisk at Skolelinux er kommet så langt siden vi startet i 2001 at +alle elevene i Osloskolene nå skal få mulighet til å bruke +løsningen. Jeg håper de vil sette pris på alle de +fantastiske +brukerprogrammene som er tilgjengelig i Skolelinux.

- Tags: debian edu, english, ldap, nuug. + Tags: debian edu, norsk.
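Review bot: In the added Spykee usage example, `%robot` is filled by the `discover` callback but never declared, and `my $host = (keys %robot)[0];` is passed straight to `contact` with no check, so if discovery has found nothing the script calls `contact` with an undefined host. Suggest declaring `my %robot;` before the `discover` call and stopping when no host was found, for example `die "no robot found\n" unless defined $host;`. The literal `"admin", "admin"` arguments to `contact` are also shown without comment; the surrounding text should say what these two arguments are and, if they are a login the robot ships with, that readers should substitute their own values.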
@@ -1035,7 +467,11 @@ please contact us on debian-edu@lists.debian.org.

  • June (14)
  • -
  • July (10)
  • +
  • July (12)
  • + +
  • August (13)
  • + +
  • September (6)
  • @@ -1092,51 +528,53 @@ please contact us on debian-edu@lists.debian.org.

  • bootsystem (10)
  • -
  • debian (34)
  • +
  • debian (36)
  • -
  • debian edu (35)
  • +
  • debian edu (44)
  • -
  • english (49)
  • +
  • english (61)
  • fiksgatami (1)
  • -
  • fildeling (8)
  • +
  • fildeling (9)
  • -
  • kart (3)
  • +
  • kart (4)
  • ldap (8)
  • -
  • lenker (1)
  • +
  • lenker (2)
  • ltsp (1)
  • -
  • multimedia (5)
  • +
  • multimedia (7)
  • -
  • norsk (71)
  • +
  • norsk (80)
  • -
  • nuug (86)
  • +
  • nuug (104)
  • -
  • opphavsrett (14)
  • +
  • opphavsrett (15)
  • -
  • personvern (14)
  • +
  • personvern (19)
  • reprap (10)
  • +
  • robot (3)
  • +
  • rss (1)
  • -
  • sikkerhet (9)
  • +
  • sikkerhet (15)
  • sitesummary (3)
  • -
  • standard (13)
  • +
  • standard (14)
  • stavekontroll (1)
  • -
  • video (10)
  • +
  • video (12)
  • vitenskap (1)
  • -
  • web (7)
  • +
  • web (9)