Petter Reinholdtsen

Standarder fungerer best nÃ¥r en samler seg rundt dem

Tue, 19 May 2009 11:30:00 +0200

En standard er noe man samler seg rundt, ut fra ideen om at en fÃ¥r -fordeler nÃ¥r mange stÃ¥r sammen. Jo flere som stÃ¥r sammen, jo -bedre. NÃ¥r en vet dette, blir det litt merkelig Ã¥ lese noen av -uttalelsene som er kommet inn til -hÃ¸ringen -om versjon 2 av statens referansekatalog over standarder. Blant -annet Abelia, NHO og Microsoft tror det er lurt med flere standarder -innenfor samme omrÃ¥de. Det blir som Ã¥ si at det er fint om Norge -standardiserte bÃ¥de pÃ¥ A4- og Letter-stÃ¸rrelser pÃ¥ arkene, ulik -sporvidde pÃ¥ jernbaneskinnene, meter og fot som lengemÃ¥l, eller -hÃ¸yre- og venstrekjÃ¸ring - slik at en kan konkurrere pÃ¥ hvilken -standard som er best. De fleste forstÃ¥r heldigvis at dette ikke -bidrar positivt.

Vagrant mentioned on IRC today that ltsp_config now support +sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin +clients, and that this can be used to fetch configuration from LDAP if +Debian Edu choose to store configuration there.

+ +

Armed with this information, I got inspired and wrote a test module +to get configuration from LDAP. The idea is to look up the MAC +address of the client in LDAP, and look for attributes on the form +ltspconfigsetting=value, and use this to export SETTING=value to the +LTSP clients.

+ +

The goal is to be able to store the LTSP configuration attributes +in a "computer" LDAP object used by both DNS and DHCP, and thus +allowing us to store all information about a computer in one place.

+ +

This is a untested draft implementation, and I welcome feedback on +this approach. A real LDAP schema for the ltspClientAux objectclass +need to be written. Comments, suggestions, etc?

+ +

+# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
+#
+# Fetch LTSP client settings from LDAP based on MAC address
+#
+# Uses ethernet address as stored in the dhcpHost objectclass using
+# the dhcpHWAddress attribute or ethernet address stored in the
+# ieee802Device objectclass with the macAddress attribute.
+#
+# This module is written to be schema agnostic, and only depend on the
+# existence of attribute names.
+#
+# The LTSP configuration variables are saved directly using a
+# ltspConfig prefix and uppercasing the rest of the attribute name.
+# To set the SERVER variable, set the ltspConfigServer attribute.
+#
+# Some LDAP schema should be created with all the relevant
+# configuration settings.  Something like this should work:
+# 
+# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
+#     SUP top
+#     AUXILIARY
+#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )
+
+LDAPSERVER=$(debian-edu-ldapserver)
+if [ "$LDAPSERVER" ] ; then
+    LDAPBASE=$(debian-edu-ldapserver -b)
+    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do
+	filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))"
+	ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \
+	    grep '^ltspConfig' | while read attr value ; do
+	    # Remove prefix and convert to upper case
+	    attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z)
+	    # bass value on to clients
+	    eval "$attr=$value; export $attr"
+	done
+    done
+fi
+

+ +

I'm not sure this shell construction will work, because I suspect +the while block might end up in a subshell causing the variables set +there to not show up in ltsp-config, but if that is the case I am sure +the code can be restructured to make sure the variables are passed on. +I expect that can be solved with some testing. :)

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

BSAs pÃ¥stander om piratkopiering mÃ¸ter motstand

Sun, 17 May 2009 23:05:00 +0200

Hvert Ã¥r de siste Ã¥rene har BSA, lobbyfronten til de store -programvareselskapene som Microsoft og Apple, publisert en rapport der -de gjetter pÃ¥ hvor mye piratkopiering pÃ¥fÃ¸rer i tapte inntekter i -ulike land rundt om i verden. Resultatene er tendensiÃ¸se. For noen -dager siden kom -siste -rapport, og det er flere kritiske kommentarer publisert de siste -dagene. Et spesielt interessant kommentar fra Sverige, -BSA -hÃ¶ftade Sverigesiffror, oppsummeres slik:

- -

-I sin senaste rapport slÃ¥r BSA fast att 25 procent av all mjukvara i -Sverige Ã¤r piratkopierad. Det utan att ha pratat med ett enda svenskt -fÃ¶retag. "Man bÃ¶r nog kanske inte se de hÃ¤r siffrorna som helt -exakta", sÃ¤ger BSAs Sverigechef John Hugosson. -

- -

Mon tro om de er like metodiske nÃ¥r de gjetter pÃ¥ andelen piratkopiering i Norge? To andre kommentarer er BSA -piracy figures need a shot of reality og Does The WIPO -Copyright Treaty Work?

- -

Fant lenkene via oppslag -pÃ¥ Slashdot.

Since +my +last post about available LDAP tools in Debian, I was told about a +LDAP GUI that is even better than luma. The java application +jXplorer is claimed to be capable of +moving LDAP objects and subtrees using drag-and-drop, and can +authenticate using Kerberos. I have only tested the Kerberos +authentication, but do not have a LDAP setup allowing me to rewrite +LDAP with my test user yet. It is +available in +Debian testing and unstable at the moment. The only problem I +have with it is how it handle errors. If something go wrong, its +non-intuitive behaviour require me to go through some query work list +and remove the failing query. Nothing big, but very annoying.

Webbasert tegneseriearkiv pÃ¥ trappene

Sat, 16 May 2009 19:05:00 +0200

For noen dager siden ble jeg tipset om en ny norsk webtjeneste for -Ã¥ holde styr pÃ¥ ens tegneseriesamling. Har sÃ¥ smÃ¥tt begynt Ã¥ -teste den og lagt inn noen hundre oppfÃ¸ringer, og det ser ut til Ã¥ -fungere fint. Utvikleren, Trond Hallstensen, er selv ivrig samler og -har laget systemet i fÃ¸rste omgang for seg selv, men altsÃ¥ gjort det -mulig ogsÃ¥ for andre Ã¥ bidra. Tjenesten har potensiale til Ã¥ bli -en komplett og verdifull tegneserieindeks over norske serier. Da jeg -oppdaget tjenesten var det endel mangler som gjorde meg skeptisk til -Ã¥ registrere min samling der. Det var nemlig ingen mÃ¥te Ã¥ hente ut -en maskinlesbar oversikt over det jeg registrerte, slik at mine data -ville vÃ¦re innelÃ¥st i tjenesten. Siden den gang har Trond lagt til -en eksportfunksjon til CSV-format, slik at i hvert fall noen av -feltene i databasen kan hentes ut for mine serier. Pr. i dag er det -serie, seriegruppe, Ã¥r, nr og tittel_pÃ¥_forside.

- -

Prinsipielt Ã¸nsker jeg Ã¥ kunne hente ut alle feltene om en -tegneserie, for Ã¥ unngÃ¥ repetisjon av det som skjedde med IMDB og -CDDB pÃ¥ 90-tallet. Begge begynte som fellesskapsprosjekter der -brukerne bidro pÃ¥ like vilkÃ¥r, og ble lukket inne da -initiativtageren og innehaveren av maskinen der tjenesten kjÃ¸rte -hadde fÃ¥tt nok innhold til at de ikke lenger fÃ¸lte at de trengte Ã¥ -behandle brukerne som likemenn. Trond har skrevet til meg at flere -felter vil bli lagt inn i eksporten (blant annet strekkode), men -uttrykt skepsis til Ã¥ gjÃ¸re all informasjonen tilgjengelig (han -Ã¸nsker slik jeg forsto han Ã¥ kontrollere tjenesten og ikke gjÃ¸re -det mulig Ã¥ lage konkurrerende tjeneste). Holdningen gjÃ¸r meg ennÃ¥ -mer skeptisk, men tjenesten fungerer fint, sÃ¥ jeg har bestemt meg for -Ã¥ ta den i bruk, men begrense meg til Ã¥ registrere informasjon som -er tilgjengelig i eksporten.

- -

Har ennÃ¥ ikke begynt masseregistrering, da jeg venter pÃ¥ stÃ¸tte for -strekkoder i tjenesten. Har strekkodeleser, og vil spare litt tid i -registreringen nÃ¥r jeg gÃ¥r lÃ¸s pÃ¥ mine esker. ForelÃ¸big har jeg -registrert litt tilfeldige serier som ligger rundt om i huset, men for -Ã¥ fÃ¥ et komplett arkiv mÃ¥ nok noen tusen tegneserier registreres.

- -

LÃ¸sningen er i fÃ¸lge utvikleren laget med et Oracle-spesifikt -verktÃ¸y for Ã¥ lage webtjenester, og ikke fri programvare. -Utvikleren tar imot innspill men det hÃ¸rtes ikke ut som om utvikling -av systemet var enkelt Ã¥ dele mellom flere, slik at det mÃ¥ via -ham.

- -

HÃ¸res dette interessant ut, besÃ¸k -mineserier.no og ta en -titt.

De siste dagene har Aftenposten +fortalt +hvordan +politet har brukt skriveverktÃ¸y som ikke hÃ¥ndterer arabisk tekst og +tekst som skal skrives fra hÃ¸yre mot venstre nÃ¥r de har laget +lÃ¸peseddel for Ã¥ be om informasjon fra publikum. Resultatet har vÃ¦rt +en uleselig arabisk-bit pÃ¥ lÃ¸peseddelen. Feilen har oppstÃ¥tt nÃ¥r +teksten har blitt "kopiert inn i programvare som ikke har stÃ¸tte for +sprÃ¥k som skrives fra hÃ¸yre mot venstre", og jeg er ganske sikker pÃ¥ +at det er snakk om Microsoft Office i dette tilfellet. Er det slik at +MS Office i norsk sprÃ¥kdrakt ikke har stÃ¸tte for tekst som skal +skrives fra hÃ¸yre mot venstre? Jeg tror alle utgaver av +OpenOffice.org har slik stÃ¸tte, og det er jo ikke veldig vanskelig Ã¥ +la slik stÃ¸tte finnes i alle utgaver av et program hvis stÃ¸tten fÃ¸rst +er utviklet. Aftenpostens melding fÃ¥r meg til Ã¥ undre om problemet +ville vÃ¦rt unngÃ¥tt hvis politiet brukte OpenOffice.org i stedet for MS +Office.

+ +

Mon tro om det er flere eksempler pÃ¥ at MS Office har Ã¸delagt for +offentlig myndighet?

Massiv overvÃ¥kning av kollektivtrafikken i Oslo planlegges

Sat, 16 May 2009 09:30:00 +0200

Flere -og -flere -protesterer pÃ¥ den massive overvÃ¥kningen og registrering av -trafikkmÃ¸nster i kollektivtrafikken som planlegges i Oslo. Det er -bra. Jeg mister lysten til Ã¥ bruke kollektivtransport nÃ¥r jeg ser -hvordan trafikkselskapet holder pÃ¥. Jeg forventer og forlanger Ã¥ -ikke bli overvÃ¥ket med mindre jeg mistenkes for Ã¥ ha gjort noe -alvorlig galt. Den massive registreringen av hvor og nÃ¥r -passasjerene reiser med kollektivtrafikk som planegges av Ruter i Oslo -er et grotesk overgrep mot alle som bruker buss, trikk T-bane og tog i -OsloomrÃ¥det.

Here is a short update on my my +Debian Lenny->Squeeze upgrade testing. Here is a summary of the +difference for Gnome when it is upgraded by apt-get and aptitude. I'm +not reporting the status for KDE, because the upgrade crashes when +aptitude try because of missing conflicts +(#584861 and +#585716).

+ +

At the end of the upgrade test script, dpkg -l is executed to get a +complete list of the installed packages. Based on this I see these +differences when I did a test run today. As usual, I do not really +know what the correct set of packages would be, but thought it best to +publish the difference.

+ +

Installed using apt-get, missing with aptitude

+ +

+ at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs + libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common + libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin + libgtksourceview-common libpt-1.10.10-plugins-alsa + libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java + libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip + python-4suite-xml python-eggtrayicon python-gtkhtml2 + python-gtkmozembed svgalibg1 xserver-xephyr zip +

+ +

Installed using apt-get, removed with aptitude

+ +

+ bluez-utils dhcdbd djvulibre-desktop epiphany-gecko + gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager + libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50 + libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3 + libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9 + libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3 + libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9 + libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2 + libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0 + libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0 + libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50 + libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10 + libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4 + libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5 + libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3 + libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8 + libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1 + libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj + libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3 + mysql-common swfdec-gnome totem-gstreamer wodim +

+ +

Installed using aptitude, missing with apt-get

+ +

+ gnome gnome-desktop-environment hamster-applet python-gnomeapplet + python-gnomekeyring python-wnck rhythmbox-plugins xorg + xserver-xorg-input-all xserver-xorg-input-evdev + xserver-xorg-input-kbd xserver-xorg-input-mouse + xserver-xorg-input-synaptics xserver-xorg-video-all + xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati + xserver-xorg-video-chips xserver-xorg-video-cirrus + xserver-xorg-video-dummy xserver-xorg-video-fbdev + xserver-xorg-video-glint xserver-xorg-video-i128 + xserver-xorg-video-i740 xserver-xorg-video-mach64 + xserver-xorg-video-mga xserver-xorg-video-neomagic + xserver-xorg-video-nouveau xserver-xorg-video-nv + xserver-xorg-video-r128 xserver-xorg-video-radeon + xserver-xorg-video-radeonhd xserver-xorg-video-rendition + xserver-xorg-video-s3 xserver-xorg-video-s3virge + xserver-xorg-video-savage xserver-xorg-video-siliconmotion + xserver-xorg-video-sis xserver-xorg-video-sisusb + xserver-xorg-video-tdfx xserver-xorg-video-tga + xserver-xorg-video-trident xserver-xorg-video-tseng + xserver-xorg-video-vesa xserver-xorg-video-vmware + xserver-xorg-video-voodoo +

+ +

Installed using aptitude, removed with apt-get

+ +

+ deskbar-applet xserver-xorg xserver-xorg-core + xserver-xorg-input-wacom xserver-xorg-video-intel + xserver-xorg-video-openchrome +

+ +

I was told on IRC that the xorg-xserver package was +changed +in git today to try to get apt-get to not remove xorg completely. +No idea when it hits Squeeze, but when it does I hope it will reduce +the difference somewhat.

3D-printing brer om seg - fabrikkene bestÃ¥r

Sun, 10 May 2009 16:50:00 +0200

I 2004 fikk jeg med meg en forelesning om 3D-printing under euro foo camp -der jeg lÃ¦rte mye nytt om 3D-printing. Fikk se et lite sjakktÃ¥rn -skrevet ut i plast, med vindeltrapp pÃ¥ innsiden av tÃ¥rnet, og en hul -gummiball som ogsÃ¥ var skrevet ut (med et lite hull for Ã¥ fÃ¥ ut -fyllmassen). Ble fortalt at det amerikanske kavaleriet skriver ut -reservedeler i metall i felt, og at det fantes amerikanske husbyggere -som eksperimenterer med utskrift av hus. De to siste har jeg ikke -funnet noen referanser til i ettertid, og har derfor lurt pÃ¥ om det -stemmer. Teknologisk skulle det ikke vÃ¦re noe i veien for slike -lÃ¸sninger, det er kun et spÃ¸rmÃ¥l om pris pÃ¥ skrivehoder og -skrivere. I dag ble jeg tipset om en lÃ¸sning som -kan -skrive ut hus, med sand og bindemiddel i 25 DPI opplÃ¸sning. Mon -tro om det er fremtidens byggemetode.

- -

Jeg er ikke i tvil om at 3D-utskrift vil fÃ¸re til endringer i -hvordan produksjon gjÃ¸res, og at tilgjengeligheten pÃ¥ en rekke produkter -som i dag er vanskelig eller umulig Ã¥ fÃ¥ tak i vil bedre seg. Men de -som tror at 3D-skrivere vil gjÃ¸re fabrikkene overflÃ¸dige, tror jeg har -forregnet seg. 3D-skrivere er fantastisk bra til Ã¥ lage spesielle -dingser pÃ¥ forespÃ¸rsel, f.eks. etter Ã¥ ha lastet ned et 3D-design fra -tjenester som Thingiverse. -De er derimot ikke spesielt bra til Ã¥ lage mange eksemplarer av samme -dings. Lav pris pr. enhet er fabrikkenes fortrinn. Hvis det skal -lages tusenvis, eller millioner av en dings, sÃ¥ vil fabrikkene -sannsynligvis fortsette Ã¥ slÃ¥ 3D-skriving ned i stÃ¸vlene -Ã¸konomisk, selv om en tar hensyn til transport og logistikk. Hvis -det derimot skal lages en hÃ¥ndfull, sÃ¥ vil 3D-skriving fremstÃ¥ som -et suverent alternativ. 3D-skriving er i sÃ¥ mÃ¥te lÃ¸sning for -den lange -halen, mens fabrikker nok fortsatt vil vÃ¦re lÃ¸sningen for -massemarkedet.

For a laptop, centralized user directories and password checking is +a bit troubling. Laptops are typically used also when not connected +to the network, and it is vital for a user to be able to log in or +unlock the screen saver also when a central server is unavailable. +This is possible by caching passwords and directory information (user +and group attributes) locally, and the packages to do so are available +in Debian. Here follow two recipes to set this up in Debian/Squeeze. +It is also possible to set up in Debian/Lenny, but require more manual +setup there because pam-auth-update is missing in Lenny.

+ +

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

+ +This is the traditional method with a twist. The password caching is +provided by libpam-ccreds (version 10-4 or later is needed on +Squeeze), and the directory caching is done by nscd. The directory +lookup and password checking is done using LDAP. If one want to use +Kerberos for password checking the libpam-ldapd package can be +replaced with libpam-krb5 or libpam-heimdal. If one is happy having a +local home directory with the path listed in LDAP, one can use the +pam_mkhomedir module from pam-modules to make this happen instead of +using libpam-mklocaluser. A setup for pam-auth-update to enable +pam_mkhomedir will have to be written until a fix for +bug #568577 is in the +archive. Because I believe it is a bad idea to have local home +directories using misleading paths like /site/server/partition/, I +prefer to create a local user with the home directory in /home/. This +is done using the libpam-mklocaluser package.

+ +

These packages need to be installed and configured

+ +

+libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
+

+ +

The ldapd packages will ask for LDAP connection information, and +one have to fill in the values that fits ones own site. Make sure the +PAM part uses encrypted connections, to make sure the password is not +sent in clear text to the LDAP server. I've been unable to get TLS +certificate checking for a self signed certificate working, which make +LDAP authentication unsafe for Debian Edu (nslcd is not checking if it +is talking to the correct LDAP server), and very much welcome feedback +on how to get this working.

+ +

Because nscd do not have a default configuration fit for offline +caching until bug #485282 +is fixed, this configuration should be used instead of the one +currently in /etc/nscd.conf. The changes are in the fields +reload-count and positive-time-to-live, and is based on the +instructions I found in the +LDAP for Mobile Laptops +instructions by Flyn Computing.

+ +

+	debug-level		0
+	reload-count		unlimited
+	paranoia		no
+
+	enable-cache		passwd		yes
+	positive-time-to-live	passwd		2592000
+	negative-time-to-live	passwd		20
+	suggested-size		passwd		211
+	check-files		passwd		yes
+	persistent		passwd		yes
+	shared			passwd		yes
+	max-db-size		passwd		33554432
+	auto-propagate		passwd		yes
+
+	enable-cache		group		yes
+	positive-time-to-live	group		2592000
+	negative-time-to-live	group		20
+	suggested-size		group		211
+	check-files		group		yes
+	persistent		group		yes
+	shared			group		yes
+	max-db-size		group		33554432
+	auto-propagate		group		yes
+
+	enable-cache		hosts		no
+	positive-time-to-live	hosts		2592000
+	negative-time-to-live	hosts		20
+	suggested-size		hosts		211
+	check-files		hosts		yes
+	persistent		hosts		yes
+	shared			hosts		yes
+	max-db-size		hosts		33554432
+
+	enable-cache		services	yes
+	positive-time-to-live	services	2592000
+	negative-time-to-live	services	20
+	suggested-size		services	211
+	check-files		services	yes
+	persistent		services	yes
+	shared			services	yes
+	max-db-size		services	33554432
+

+ +

While we wait for a mechanism to update /etc/nsswitch.conf +automatically like the one provided in +bug #496915, the file +content need to be manually replaced to ensure LDAP is used as the +directory service on the machine. /etc/nsswitch.conf should normally +look like this:

+ +

+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks:       files
+protocols:      files
+services:       files
+ethers:         files
+rpc:            files
+netgroup:       files ldap
+

+ +

The important parts are that ldap is listed last for passwd, group, +shadow and netgroup.

+ +

With these changes in place, any user in LDAP will be able to log +in locally on the machine using for example kdm, get a local home +directory created and have the password as well as user and group +attributes cached. + +

LDAP/Kerberos + nss-updatedb + libpam-ccreds + + libpam-mklocaluser/pam_mkhomedir

+ +

Because nscd have had its share of problems, and seem to have +problems doing proper caching, I've seen suggestions and recipes to +use nss-updatedb to copy parts of the LDAP database locally when the +LDAP database is available. I have not tested such setup, because I +discovered sssd.

+ +

LDAP/Kerberos + sssd + libpam-mklocaluser

+ +

A more flexible and robust setup than the nscd combination +mentioned earlier that has shown up recently, is the +sssd package from Redhat. +It is part of the FreeIPA project +to provide a Active Directory like directory service for Linux +machines. The sssd system combines the caching of passwords and user +information into one package, and remove the need for nscd and +libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version +1.2 do not support netgroups, but it is said that it will support this +in version 1.5 expected to show up later in 2010. Because the +sssd package +was missing in Debian, I ended up co-maintaining it with Werner, and +version 1.2 is now in testing. + +

These packages need to be installed and configured to get the +roaming setup I want

+ +

+libpam-sss libnss-sss libpam-mklocaluser
+

+ +The complete setup of sssd is done by editing/creating +/etc/sssd/sssd.conf. + +

+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = INTERN
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+
+[domain/INTERN]
+enumerate = false
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldap://ldap
+ldap_search_base = dc=skole,dc=skolelinux,dc=no
+ldap_tls_reqcert = never
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+

+ +

I got the same problem here with certificate checking. Had to set +"ldap_tls_reqcert = never" to get it working.

+ +

With the libnss-sss package in testing at the moment, the +nsswitch.conf file is update automatically, so there is no need to +modify it manually.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

Lenker samlet 2009-05-09

Sat, 9 May 2009 22:40:00 +0200

The last few days I have been looking into the status of the LDAP +directory in Debian Edu, and in the process I started to miss a GUI +tool to browse the LDAP tree. The only one I was able to find in +Debian/Squeeze and Lenny is +LUMA, which has proved to +be a great tool to get a overview of the current LDAP directory +populated by default in Skolelinux. Thanks to it, I have been able to +find empty and obsolete subtrees, misplaced objects and duplicate +objects. It will be installed by default in Debian/Squeeze. If you +are working with LDAP, give it a go. :)

Jeg, et offer -
Aage Borchgrevink drodler om offerrollens framvekst i den norske -offentligheten.

I did notice one problem with it I have not had time to report to +the BTS yet. There is no .desktop file in the package, so the tool do +not show up in the Gnome and KDE menus, but only deep down in in the +Debian submenu in KDE. I hope that can be fixed before Squeeze is +released.

Opptak fra Go Open 2009 pÃ¥ web -
Endelig kan jeg fÃ¥ med meg foredragene jeg gikk glipp av.

I have not yet been able to get it to modify the tree yet. I would +like to move objects and remove subtrees directly in the GUI, but have +not found a way to do that with LUMA yet. So in the mean time, I use +ldapvi for that.

MS Excel 2007 hÃ¥ndterer ODF dÃ¥rlig -
Microsoft har lykkes med Ã¥ implementere ODF slik at de ikke -samhandler med noen av de andre som hÃ¥ndterer ODF-regneark.

If you have tips on other GUI tools for LDAP that might be useful +in Debian Edu, please contact us on debian-edu@lists.debian.org.

MS -Word 2007 hÃ¥ndterer ODF dÃ¥rlig -
Fotnoter laget i MS Office blir merkelige i OpenOffice.org.

Update 2010-06-29: Ross Reedstrom tipped us about the +gq package as a +useful GUI alternative. It seem like a good tool, but is unmaintained +in Debian and got a RC bug keeping it out of Squeeze. Unless that +changes, it will not be an option for Debian Edu based on Squeeze.

IDG mener linux i servermarkedet vil vokse med 21% i 2009

Thu, 7 May 2009 22:30:00 +0200

Kom over -interessante -tall fra IDG om utviklingen av linuxservermarkedet. Fikk meg til -Ã¥ tenke pÃ¥ antall tjenermaskiner ved Universitetet i Oslo der jeg -jobber til daglig. En rask opptelling forteller meg at vi har 490 -(61%) fysiske unix-tjener (mest linux men ogsÃ¥ noen solaris) og 196 -(25%) windowstjenere, samt 112 (14%) virtuelle unix-tjenere. Med den -bakgrunnskunnskapen kan jeg godt tro at IDG er inne pÃ¥ noe.

A while back, I +complained +about the fact that it is not possible with the provided schemas +for storing DNS and DHCP information in LDAP to combine the two sets +of information into one LDAP object representing a computer.

+ +

In the mean time, I discovered that a simple fix would be to make +the dhcpHost object class auxiliary, to allow it to be combined with +the dNSDomain object class, and thus forming one object for one +computer when storing both DHCP and DNS information in LDAP.

+ +

If I understand this correctly, it is not safe to do this change +without also changing the assigned number for the object class, and I +do not know enough about LDAP schema design to do that properly for +Debian Edu.

+ +

Anyway, for future reference, this is how I believe we could change +the +DHCP +schema to solve at least part of the problem with the LDAP schemas +available today from IETF.

+ +

+--- dhcp.schema    (revision 65192)
++++ dhcp.schema    (working copy)
+@@ -376,7 +376,7 @@
+ objectclass ( 2.16.840.1.113719.1.203.6.6
+        NAME 'dhcpHost'
+        DESC 'This represents information about a particular client'
+-       SUP top
++       SUP top AUXILIARY
+        MUST cn
+        MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
+        X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
+

+ +

I very much welcome clues on how to do this properly for Debian +Edu/Squeeze. We provide the DHCP schema in our debian-edu-config +package, and should thus be free to rewrite it as we see fit.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

Kryptert harddisk - naturligvis

Sat, 2 May 2009 15:30:00 +0200

Dagens -IT melder at Intel hevder at det er dyrt Ã¥ miste en datamaskin, -nÃ¥r en tar tap av arbeidstid, fortrolige dokumenter, -personopplysninger og alt annet det innebÃ¦rer. Det er ingen tvil om -at det er en kostbar affÃ¦re Ã¥ miste sin datamaskin, og det er Ã¥rsaken -til at jeg har kryptert harddisken pÃ¥ bÃ¥de kontormaskinen og min -bÃ¦rbare. Begge inneholder personopplysninger jeg ikke Ã¸nsker skal -komme pÃ¥ avveie, den fÃ¸rste informasjon relatert til jobben min ved -Universitetet i Oslo, og den andre relatert til blant annet -foreningsarbeide. Kryptering av diskene gjÃ¸r at det er lite -sannsynlig at dophoder som kan finne pÃ¥ Ã¥ rappe maskinene fÃ¥r noe ut -av dem. Maskinene lÃ¥ses automatisk etter noen minutter uten bruk, -og en reboot vil gjÃ¸re at de ber om passord fÃ¸r de vil starte opp. -Jeg bruker Debian pÃ¥ begge maskinene, og installasjonssystemet der -gjÃ¸r det trivielt Ã¥ sette opp krypterte disker. Jeg har LVM pÃ¥ toppen -av krypterte partisjoner, slik at alt av datapartisjoner er kryptert. -Jeg anbefaler alle Ã¥ kryptere diskene pÃ¥ sine bÃ¦rbare. Kostnaden nÃ¥r -det er gjort slik jeg gjÃ¸r det er minimale, og gevinstene er -betydelige. En bÃ¸r dog passe pÃ¥ passordet. Hvis det gÃ¥r tapt, mÃ¥ -maskinen reinstalleres og alt er tapt.

- -

Krypteringen vil ikke stoppe kompetente angripere som f.eks. kjÃ¸ler -ned minnebrikkene fÃ¸r maskinen rebootes med programvare for Ã¥ hente ut -krypteringsnÃ¸klene. Kostnaden med Ã¥ forsvare seg mot slike angripere -er for min del hÃ¸yere enn gevinsten. Jeg tror oddsene for at -f.eks. etteretningsorganisasjoner har glede av Ã¥ titte pÃ¥ mine -maskiner er minimale, og ulempene jeg ville oppnÃ¥ ved Ã¥ forsÃ¸ke Ã¥ -gjÃ¸re det vanskeligere for angripere med kompetanse og ressurser er -betydelige.

A few times I have had the need to simulate the way tasksel +installs packages during the normal debian-installer run. Until now, +I have ended up letting tasksel do the work, with the annoying problem +of not getting any feedback at all when something fails (like a +conffile question from dpkg or a download that fails), using code like +this: + +

+export DEBIAN_FRONTEND=noninteractive
+tasksel --new-install
+

+ +This would invoke tasksel, let its automatic task selection pick the +tasks to install, and continue to install the requested tasks without +any output what so ever. + +Recently I revisited this problem while working on the automatic +package upgrade testing, because tasksel would some times hang without +any useful feedback, and I want to see what is going on when it +happen. Then it occured to me, I can parse the output from tasksel +when asked to run in test mode, and use that aptitude command line +printed by tasksel then to simulate the tasksel run. I ended up using +code like this: + +

+export DEBIAN_FRONTEND=noninteractive
+cmd="$(in_target tasksel -t --new-install | sed 's/debconf-apt-progress -- //')"
+$cmd
+

+ +

The content of $cmd is typically something like "aptitude -q +--without-recommends -o APT::Install-Recommends=no -y install +~t^desktop$ ~t^gnome-desktop$ ~t^laptop$ ~pstandard ~prequired +~pimportant", which will install the gnome desktop task, the +laptop task and all packages with priority standard , required and +important, just like tasksel would have done it during +installation.

+ +

A better approach is probably to extend tasksel to be able to +install packages without using debconf-apt-progress, for use cases +like this.

Two projects that have improved the quality of free software a lot

Sat, 2 May 2009 15:00:00 +0200

There are two software projects that have had huge influence on the -quality of free software, and I wanted to mention both in case someone -do not yet know them.

- -

The first one is valgrind, a -tool to detect and expose errors in the memory handling of programs. -It is easy to use, all one need to do is to run 'valgrind program', -and it will report any problems on stdout. It is even better if the -program include debug information. With debug information, it is able -to report the source file name and line number where the problem -occurs. It can report things like 'reading past memory block in file -X line N, the memory block was allocated in file Y, line M', and -'using uninitialised value in control logic'. This tool has made it -trivial to investigate reproducible crash bugs in programs, and have -reduced the number of this kind of bugs in free software a lot. - -

The second one is -Coverity which is -a source code checker. It is able to process the source of a program -and find problems in the logic without running the program. It -started out as the Stanford Checker and became well known when it was -used to find bugs in the Linux kernel. It is now a commercial tool -and the company behind it is running -a community service for the -free software community, where a lot of free software projects get -their source checked for free. Several thousand defects have been -found and fixed so far. It can find errors like 'lock L taken in file -X line N is never released if exiting in line M', or 'the code in file -Y lines O to P can never be executed'. The projects included in the -community service project have managed to get rid of a lot of -reliability problems thanks to Coverity.

- -

I believe tools like this, that are able to automatically find -errors in the source, are vital to improve the quality of software and -make sure we can get rid of the crashing and failing software we are -surrounded by today.

Dagbladet +melder at Vinmonopolet med bakgrunn i vekterstreiken som pÃ¥gÃ¥r i +Norge for tiden, har bestemt seg for med vitende og vilje Ã¥ bryte +sentralbanklovens paragraf 14 ved Ã¥ nekte folk Ã¥ betale med +kontanter, og at flere butikker planlegger Ã¥ fÃ¸lge deres eksempel. +Jeg synes det er hÃ¥rreisende hvis de slipper unna med et slikt +soleklart lovbrudd, og lurer pÃ¥ hva slags muligheter jeg vil ha hvis +jeg blir nektet Ã¥ handle med kontanter. Jeg handler i hovedsak med +kontanter selv, da jeg anser det som en borgerrett Ã¥ kunne handle +anonymt uten at det blir registrert. For meg er det et angrep pÃ¥ mitt +personvern Ã¥ nekte Ã¥ ta imot kontant betaling.

+ +

Paragrafen +i sentralbankloven lyder:

+ +

+
Â§ 14. Tvungent betalingsmiddel
+ +
Bankens sedler og mynter er tvungent betalingsmiddel i Norge. Ingen +er pliktig til i Ã©n betaling Ã¥ ta imot mer enn femogtyve mynter av +hver enhet.
+ +
Sterkt skadde sedler og mynter er ikke tvungent +betalingsmiddel. Banken gir nÃ¦rmere forskrifter om erstatning for +bortkomne, brente eller skadde sedler og mynter.
+ +
Selv om en avtale inneholder klausul om betaling av en +pengeforpliktelse i gullverdi, kan skyldneren frigjÃ¸re seg med tvungne +betalingsmidler uten hensyn til denne klausul.
+

+ +

Det er med bakgrunn i denne lovet ikke tillatt Ã¥ nekte Ã¥ ta imot +kontakt betaling. Det er en lov jeg har sans for, og som jeg mener mÃ¥ +hÃ¥ndheves strengt.

No patch is not better than a useless patch

Tue, 28 Apr 2009 09:30:00 +0200

Julien Blache -claim that no -patch is better than a useless patch. I completely disagree, as a -patch allow one to discuss a concrete and proposed solution, and also -prove that the issue at hand is important enough for someone to spent -time on fixing it. No patch do not provide any of these positive -properties.

For those of us caring about document exchange and +interoperability, OfficeShots +is a great service. It is to ODF documents what +BrowserShots is for web +pages.

+ +

A while back, I was contacted by Knut Yrvin at the part of Nokia +that used to be Trolltech, who wanted to help the OfficeShots project +and wondered if the University of Oslo where I work would be +interested in supporting the project. I helped him to navigate his +request to the right people at work, and his request was answered with +a spot in the machine room with power and network connected, and Knut +arranged funding for a machine to fill the spot. The machine is +administrated by the OfficeShots people, so I do not have daily +contact with its progress, and thus from time to time check back to +see how the project is doing.

+ +

Today I had a look, and was happy to see that the Dell box in our +machine room now is the host for several virtual machines running as +OfficeShots factories, and the project is able to render ODF documents +in 17 different document processing implementation on Linux and +Windows. This is great.