X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/d2fde99078ebf8634cb17ac0fbfc3e3e1b3e6a0f..89c527ec6b7ffb3549922017fdc362d27cdecf05:/blog/index.html diff --git a/blog/index.html b/blog/index.html index 7c09dc923e..8cd4102548 100644 --- a/blog/index.html +++ b/blog/index.html @@ -20,1004 +20,1172 @@
-
OpenStreetmap one step closer to having routing on its front page
-
2010-07-18 16:45
+
DND hedrer overvåkning av barn med Rosingsprisen
+
2010-11-23 14:15
-

Thanks to -todays -opengeodata blog entry, I just discovered that the -OpenStreetmap.org site have gotten -support -for calculating routes. The support is still experimental and -only available from the development server, until more experience is -gathered on the user interface and any scalability issues.

- -

Earlier, the routing I knew about using the OpenStreetmap.org data -was provided by Cloudmade, -but having it on the main page is required to make everyone aware of -the issue. I've had people reject Openstreetmap.org as a viable -alternative for them because the front page lacked routing support, -and I hope their needs will be catered for when routing show up on the -www.openstreetmap.org front page.

+

Jeg registrerer med vond smak i munnen at Den Norske Dataforening +hedrer +overvåkning av barn med Rosingsprisen for kreativitet i år. Jeg +er glad jeg nå er meldt ut av DND.

+ +

Å elektronisk overvåke sine barn er ikke å gjøre dem en tjeneste, +men et overgrep mot individer i utvikling som bør læres opp til å ta +egne valg.

+ +

For å sitere Datatilsynets nye leder, Bjørn Erik Thon, i +et intervju +med Computerworld Norge:

+ +

+- For alle som har barn, meg selv inkludert, er førstetanken at det +hadde vært fint å vite hvor barnet sitt er til enhver tid. Men ungene +har ikke godt av det. De er små individer som skal søke rundt og finne +sine små gjemmesteder og utvide horisonten, uten at foreldrene ser dem +i kortene. Det kan være fristende, men jeg ville ikke gått inn i +dette. +

+ +

Det er skremmende å se at DND mener en tjeneste som legger opp til +slike overgrep bør hedres. Å flytte oppveksten for barn inn i en +virtuell +Panopticon er et +grovt overgrep og vil gjøre skade på barnenes utvikling, og foreldre +burde tenke seg godt om før de gir etter for sine instinkter her.

+ +

Blipper-tjenesten får meg til å tenke på bøkene til +John Twelve +Hawks, som forbilledlig beskriver hvordan et totalitært +overvåkningssamfunn bygges sakte men sikkert rundt oss, satt sammen av +gode intensjoner og manglende bevissthet om hvilke prinsipper et +liberalt demokrati er fundamentert på. Jeg har hatt stor glede av å +lese alle de tre bøkene.

- Tags: english, kart, web. + Tags: norsk, personvern, sikkerhet.
-
What are they searching for - PowerDNS and ISC DHCP in LDAP
-
2010-07-17 21:00
+
Lenny->Squeeze upgrades of the Gnome and KDE desktop, now with apt-get autoremove
+
2010-11-22 14:15
-

This is a -followup -on my -previous -work on -merging -all the computer related LDAP objects in Debian Edu.

- -

As a step to try to see if it possible to merge the DNS and DHCP -LDAP objects, I have had a look at how the packages pdns-backend-ldap -and dhcp3-server-ldap in Debian use the LDAP server. The two -implementations are quite different in how they use LDAP.

- -To get this information, I started slapd with debugging enabled and -dumped the debug output to a file to get the LDAP searches performed -on a Debian Edu main-server. Here is a summary. - -

powerdns

- -Clues -on how to set up PowerDNS to use a LDAP backend is available on -the web. - -

PowerDNS have two modes of operation using LDAP as its backend. -One "strict" mode where the forward and reverse DNS lookups are done -using the same LDAP objects, and a "tree" mode where the forward and -reverse entries are in two different subtrees in LDAP with a structure -based on the DNS names, as in tjener.intern and -2.2.0.10.in-addr.arpa.

- -

In tree mode, the server is set up to use a LDAP subtree as its -base, and uses a "base" scoped search for the DNS name by adding -"dc=tjener,dc=intern," to the base with a filter for -"(associateddomain=tjener.intern)" for the forward entry and -"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for -"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry. For -forward entries, it is looking for attributes named dnsttl, arecord, -nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord, -txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord, -srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord, -ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord, -spfrecord and modifytimestamp. For reverse entries it is looking for -the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord, -ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord, -locrecord, srvrecord, naptrrecord and modifytimestamp. The equivalent -ldapsearch commands could look like this:

- -
-ldapsearch -h ldap \
-  -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \
-  -s base -x '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
-  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
-  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
-  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
-  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
-
-ldapsearch -h ldap \
-  -b dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \
-  -s base -x '(associateddomain=2.2.0.10.in-addr.arpa)'
-  dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \
-  hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \
-  srvrecord naptrrecord modifytimestamp
-
- -

In Debian Edu/Lenny, the PowerDNS tree mode is used with -ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two -example LDAP objects used there. In addition to these objects, the -parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no -also exist.

- -
-dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no
-objectclass: top
-objectclass: dnsdomain
-objectclass: domainrelatedobject
-dc: tjener
-arecord: 10.0.2.2
-associateddomain: tjener.intern
-
-dn: dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no
-objectclass: top
-objectclass: dnsdomain2
-objectclass: domainrelatedobject
-dc: 2
-ptrrecord: tjener.intern
-associateddomain: 2.2.0.10.in-addr.arpa
-
- -

In strict mode, the server behaves differently. When looking for -forward DNS entries, it is doing a "subtree" scoped search with the -same base as in the tree mode for a object with filter -"(associateddomain=tjener.intern)" and requests the attributes dnsttl, -arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, -mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord, -naptrrecord and modifytimestamp. For reverse entires it also do a -subtree scoped search but this time the filter is "(arecord=10.0.2.2)" -and the requested attributes are associateddomain, dnsttl and -modifytimestamp. In short, in strict mode the objects with ptrrecord -go away, and the arecord attribute in the forward object is used -instead.

- -

The forward and reverse searches can be simulated using ldapsearch -like this:

- -
-ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
-  '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
-  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
-  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
-  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
-  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
-
-ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
-  '(arecord=10.0.2.2)' associateddomain dnsttl modifytimestamp
-
- -

In addition to the forward and reverse searches , there is also a -search for SOA records, which behave similar to the forward and -reverse lookups.

- -

A thing to note with the PowerDNS behaviour is that it do not -specify any objectclass names, and instead look for the attributes it -need to generate a DNS reply. This make it able to work with any -objectclass that provide the needed attributes.

- -

The attributes are normally provided in the cosine (RFC 1274) and -dnsdomain2 schemas. The latter is used for reverse entries like -ptrrecord and recent DNS additions like aaaarecord and srvrecord.

- -

In Debian Edu, we have created DNS objects using the object classes -dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS -attributes) and domainrelatedobject (for associatedDomain). The use -of structural object classes make it impossible to combine these -classes with the object classes used by DHCP.

- -

There are other schemas that could be used too, for example the -dnszone structural object class used by Gosa and bind-sdb for the DNS -attributes combined with the domainrelatedobject object class, but in -this case some unused attributes would have to be included as well -(zonename and relativedomainname).

- -

My proposal for Debian Edu would be to switch PowerDNS to strict -mode and not use any of the existing objectclasses (dnsdomain, -dnsdomain2 and dnszone) when one want to combine the DNS information -with DHCP information, and instead create a auxiliary object class -defined something like this (using the attributes defined for -dnsdomain and dnsdomain2 or dnszone):

- -
-objectclass ( some-oid NAME 'dnsDomainAux'
-    SUP top
-    AUXILIARY
-    MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $
-          DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $
-          TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $
-          NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
-          A6Record $ DNAMERecord
-    ))
-
- -

This will allow any object to become a DNS entry when combined with -the domainrelatedobject object class, and allow any entity to include -all the attributes PowerDNS wants. I've sent an email to the PowerDNS -developers asking for their view on this schema and if they are -interested in providing such schema with PowerDNS, and I hope my -message will be accepted into their mailing list soon.

- -

ISC dhcp

- -

The DHCP server searches for specific objectclass and requests all -the object attributes, and then uses the attributes it want. This -make it harder to figure out exactly what attributes are used, but -thanks to the working example in Debian Edu I can at least get an idea -what is needed without having to read the source code.

- -

In the DHCP server configuration, the LDAP base to use and the -search filter to use to locate the correct dhcpServer entity is -stored. These are the relevant entries from -/etc/dhcp3/dhcpd.conf:

- -
-ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
-ldap-dhcp-server-cn "dhcp";
-
- -

The DHCP server uses this information to nest all the DHCP -configuration it need. The cn "dhcp" is located using the given LDAP -base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))". The -search result is this entry:

- -
-dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
-cn: dhcp
-objectClass: top
-objectClass: dhcpServer
-dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-
- -

The content of the dhcpServiceDN attribute is next used to locate the -subtree with DHCP configuration. The DHCP configuration subtree base -is located using a base scope search with base "cn=DHCP -Config,dc=skole,dc=skolelinux,dc=no" and filter -"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))". -The search result is this entry:

- -
-dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-cn: DHCP Config
-objectClass: top
-objectClass: dhcpService
-objectClass: dhcpOptions
-dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
-dhcpStatements: ddns-update-style none
-dhcpStatements: authoritative
-dhcpOption: smtp-server code 69 = array of ip-address
-dhcpOption: www-server code 72 = array of ip-address
-dhcpOption: wpad-url code 252 = text
-
- -

Next, the entire subtree is processed, one level at the time. When -all the DHCP configuration is loaded, it is ready to receive requests. -The subtree in Debian Edu contain objects with object classes -top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions, -top/dhcpSubnet, top/dhcpGroup and top/dhcpHost. These provide options -and information about netmasks, dynamic range etc. Leaving out the -details here because it is not relevant for the focus of my -investigation, which is to see if it is possible to merge dns and dhcp -related computer objects.

- -

When a DHCP request come in, LDAP is searched for the MAC address -of the client (00:00:00:00:00:00 in this example), using a subtree -scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as -the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet -00:00:00:00:00:00))" as the filter. This is what a host object look -like:

- -
-dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-cn: hostname
-objectClass: top
-objectClass: dhcpHost
-dhcpHWAddress: ethernet 00:00:00:00:00:00
-dhcpStatements: fixed-address hostname
-
- -

There is less flexiblity in the way LDAP searches are done here. -The object classes need to have fixed names, and the configuration -need to be stored in a fairly specific LDAP structure. On the -positive side, the invidiual dhcpHost entires can be anywhere without -the DN pointed to by the dhcpServer entries. The latter should make -it possible to group all host entries in a subtree next to the -configuration entries, and this subtree can also be shared with the -DNS server if the schema proposed above is combined with the dhcpHost -structural object class. - -

Conclusion

- -

The PowerDNS implementation seem to be very flexible when it come -to which LDAP schemas to use. While its "tree" mode is rigid when it -come to the the LDAP structure, the "strict" mode is very flexible, -allowing DNS objects to be stored anywhere under the base cn specified -in the configuration.

- -

The DHCP implementation on the other hand is very inflexible, both -regarding which LDAP schemas to use and which LDAP structure to use. -I guess one could implement ones own schema, as long as the -objectclasses and attributes have the names used, but this do not -really help when the DHCP subtree need to have a fairly fixed -structure.

- -

Based on the observed behaviour, I suspect a LDAP structure like -this might work for Debian Edu:

- -
-ou=services
-  cn=machine-info (dhcpService) - dhcpServiceDN points here
-    cn=dhcp (dhcpServer)
-    cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
-      cn=10.0.2.0 (dhcpSubnet)
-        cn=group1 (dhcpGroup/dhcpOptions)
-    cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
-      cn=192.168.0.0 (dhcpSubnet)
-        cn=group1 (dhcpGroup/dhcpOptions)
-    ou=machines - PowerDNS base points here
-      cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
-
- -

This is not tested yet. If the DHCP server require the dhcpHost -entries to be in the dhcpGroup subtrees, the entries can be stored -there instead of a common machines subtree, and the PowerDNS base -would have to be moved one level up to the machine-info subtree.

- -

The combined object under the machines subtree would look something -like this:

- -
-dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
-dc: hostname
-objectClass: top
-objectClass: dhcpHost
-objectclass: domainrelatedobject
-objectclass: dnsDomainAux
-associateddomain: hostname.intern
-arecord: 10.11.12.13
-dhcpHWAddress: ethernet 00:00:00:00:00:00
-dhcpStatements: fixed-address hostname.intern
-
- -

One could even add the LTSP configuration associated with a given -machine, as long as the required attributes are available in a -auxiliary object class.

+

Michael Biebl suggested to me on IRC, that I changed my automated +upgrade testing of the +Lenny +Gnome and KDE Desktop to do apt-get autoremove when using apt-get. +This seem like a very good idea, so I adjusted by test scripts and +can now present the updated result from today:

+ +

This is for Gnome:

+ +

Installed using apt-get, missing with aptitude

+ +

+ apache2.2-bin + aptdaemon + baobab + binfmt-support + browser-plugin-gnash + cheese-common + cli-common + cups-pk-helper + dmz-cursor-theme + empathy + empathy-common + freedesktop-sound-theme + freeglut3 + gconf-defaults-service + gdm-themes + gedit-plugins + geoclue + geoclue-hostip + geoclue-localnet + geoclue-manual + geoclue-yahoo + gnash + gnash-common + gnome + gnome-backgrounds + gnome-cards-data + gnome-codec-install + gnome-core + gnome-desktop-environment + gnome-disk-utility + gnome-screenshot + gnome-search-tool + gnome-session-canberra + gnome-system-log + gnome-themes-extras + gnome-themes-more + gnome-user-share + gstreamer0.10-fluendo-mp3 + gstreamer0.10-tools + gtk2-engines + gtk2-engines-pixbuf + gtk2-engines-smooth + hamster-applet + libapache2-mod-dnssd + libapr1 + libaprutil1 + libaprutil1-dbd-sqlite3 + libaprutil1-ldap + libart2.0-cil + libboost-date-time1.42.0 + libboost-python1.42.0 + libboost-thread1.42.0 + libchamplain-0.4-0 + libchamplain-gtk-0.4-0 + libcheese-gtk18 + libclutter-gtk-0.10-0 + libcryptui0 + libdiscid0 + libelf1 + libepc-1.0-2 + libepc-common + libepc-ui-1.0-2 + libfreerdp-plugins-standard + libfreerdp0 + libgconf2.0-cil + libgdata-common + libgdata7 + libgdu-gtk0 + libgee2 + libgeoclue0 + libgexiv2-0 + libgif4 + libglade2.0-cil + libglib2.0-cil + libgmime2.4-cil + libgnome-vfs2.0-cil + libgnome2.24-cil + libgnomepanel2.24-cil + libgpod-common + libgpod4 + libgtk2.0-cil + libgtkglext1 + libgtksourceview2.0-common + libmono-addins-gui0.2-cil + libmono-addins0.2-cil + libmono-cairo2.0-cil + libmono-corlib2.0-cil + libmono-i18n-west2.0-cil + libmono-posix2.0-cil + libmono-security2.0-cil + libmono-sharpzip2.84-cil + libmono-system2.0-cil + libmtp8 + libmusicbrainz3-6 + libndesk-dbus-glib1.0-cil + libndesk-dbus1.0-cil + libopal3.6.8 + libpolkit-gtk-1-0 + libpt2.6.7 + libpython2.6 + librpm1 + librpmio1 + libsdl1.2debian + libsrtp0 + libssh-4 + libtelepathy-farsight0 + libtelepathy-glib0 + libtidy-0.99-0 + media-player-info + 
mesa-utils + mono-2.0-gac + mono-gac + mono-runtime + nautilus-sendto + nautilus-sendto-empathy + p7zip-full + pkg-config + python-aptdaemon + python-aptdaemon-gtk + python-axiom + python-beautifulsoup + python-bugbuddy + python-clientform + python-coherence + python-configobj + python-crypto + python-cupshelpers + python-elementtree + python-epsilon + python-evolution + python-feedparser + python-gdata + python-gdbm + python-gst0.10 + python-gtkglext1 + python-gtksourceview2 + python-httplib2 + python-louie + python-mako + python-markupsafe + python-mechanize + python-nevow + python-notify + python-opengl + python-openssl + python-pam + python-pkg-resources + python-pyasn1 + python-pysqlite2 + python-rdflib + python-serial + python-tagpy + python-twisted-bin + python-twisted-conch + python-twisted-core + python-twisted-web + python-utidylib + python-webkit + python-xdg + python-zope.interface + remmina + remmina-plugin-data + remmina-plugin-rdp + remmina-plugin-vnc + rhythmbox-plugin-cdrecorder + rhythmbox-plugins + rpm-common + rpm2cpio + seahorse-plugins + shotwell + software-center + system-config-printer-udev + telepathy-gabble + telepathy-mission-control-5 + telepathy-salut + tomboy + totem + totem-coherence + totem-mozilla + totem-plugins + transmission-common + xdg-user-dirs + xdg-user-dirs-gtk + xserver-xephyr +

+ +

Installed using apt-get, removed with aptitude

+ +

+ cheese + ekiga + eog + epiphany-extensions + evolution-exchange + fast-user-switch-applet + file-roller + gcalctool + gconf-editor + gdm + gedit + gedit-common + gnome-games + gnome-games-data + gnome-nettool + gnome-system-tools + gnome-themes + gnuchess + gucharmap + guile-1.8-libs + libavahi-ui0 + libdmx1 + libgalago3 + libgtk-vnc-1.0-0 + libgtksourceview2.0-0 + liblircclient0 + libsdl1.2debian-alsa + libspeexdsp1 + libsvga1 + rhythmbox + seahorse + sound-juicer + system-config-printer + totem-common + transmission-gtk + vinagre + vino +

+ +

Installed using aptitude, missing with apt-get

+ +

+ gstreamer0.10-gnomevfs +

+ +

Installed using aptitude, removed with apt-get

+ +

+[nothing] +

+ +

This is for KDE:

+ +

Installed using apt-get, missing with aptitude

+ +

+ ksmserver +

+ +

Installed using apt-get, removed with aptitude

+ +

+ kwin + network-manager-kde +

+ +

Installed using aptitude, missing with apt-get

+ +

+ arts + dolphin + freespacenotifier + google-gadgets-gst + google-gadgets-xul + kappfinder + kcalc + kcharselect + kde-core + kde-plasma-desktop + kde-standard + kde-window-manager + kdeartwork + kdeartwork-emoticons + kdeartwork-style + kdeartwork-theme-icon + kdebase + kdebase-apps + kdebase-workspace + kdebase-workspace-bin + kdebase-workspace-data + kdeeject + kdelibs + kdeplasma-addons + kdeutils + kdewallpapers + kdf + kfloppy + kgpg + khelpcenter4 + kinfocenter + konq-plugins-l10n + konqueror-nsplugins + kscreensaver + kscreensaver-xsavers + ktimer + kwrite + libgle3 + libkde4-ruby1.8 + libkonq5 + libkonq5-templates + libnetpbm10 + libplasma-ruby + libplasma-ruby1.8 + libqt4-ruby1.8 + marble-data + marble-plugins + netpbm + nuvola-icon-theme + plasma-dataengines-workspace + plasma-desktop + plasma-desktopthemes-artwork + plasma-runners-addons + plasma-scriptengine-googlegadgets + plasma-scriptengine-python + plasma-scriptengine-qedje + plasma-scriptengine-ruby + plasma-scriptengine-webkit + plasma-scriptengines + plasma-wallpapers-addons + plasma-widget-folderview + plasma-widget-networkmanagement + ruby + sweeper + update-notifier-kde + xscreensaver-data-extra + xscreensaver-gl + xscreensaver-gl-extra + xscreensaver-screensaver-bsod +

+ +

Installed using aptitude, removed with apt-get

+ +

+ ark + google-gadgets-common + google-gadgets-qt + htdig + kate + kdebase-bin + kdebase-data + kdepasswd + kfind + klipper + konq-plugins + konqueror + ksysguard + ksysguardd + libarchive1 + libcln6 + libeet1 + libeina-svn-06 + libggadget-1.0-0b + libggadget-qt-1.0-0b + libgps19 + libkdecorations4 + libkephal4 + libkonq4 + libkonqsidebarplugin4a + libkscreensaver5 + libksgrd4 + libksignalplotter4 + libkunitconversion4 + libkwineffects1a + libmarblewidget4 + libntrack-qt4-1 + libntrack0 + libplasma-geolocation-interface4 + libplasmaclock4a + libplasmagenericshell4 + libprocesscore4a + libprocessui4a + libqalculate5 + libqedje0a + libqtruby4shared2 + libqzion0a + libruby1.8 + libscim8c2a + libsmokekdecore4-3 + libsmokekdeui4-3 + libsmokekfile3 + libsmokekhtml3 + libsmokekio3 + libsmokeknewstuff2-3 + libsmokeknewstuff3-3 + libsmokekparts3 + libsmokektexteditor3 + libsmokekutils3 + libsmokenepomuk3 + libsmokephonon3 + libsmokeplasma3 + libsmokeqtcore4-3 + libsmokeqtdbus4-3 + libsmokeqtgui4-3 + libsmokeqtnetwork4-3 + libsmokeqtopengl4-3 + libsmokeqtscript4-3 + libsmokeqtsql4-3 + libsmokeqtsvg4-3 + libsmokeqttest4-3 + libsmokeqtuitools4-3 + libsmokeqtwebkit4-3 + libsmokeqtxml4-3 + libsmokesolid3 + libsmokesoprano3 + libtaskmanager4a + libtidy-0.99-0 + libweather-ion4a + libxklavier16 + libxxf86misc1 + okteta + oxygencursors + plasma-dataengines-addons + plasma-scriptengine-superkaramba + plasma-widget-lancelot + plasma-widgets-addons + plasma-widgets-workspace + polkit-kde-1 + ruby1.8 + systemsettings + update-notifier-common +

+ +

Running apt-get autoremove made the results using apt-get and +aptitude a bit more similar, but there are still quite a lott of +differences. I have no idea what packages should be installed after +the upgrade, but hope those that do can have a look.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: debian, debian edu, english.
-
Combining PowerDNS and ISC DHCP LDAP objects
-
2010-07-14 23:45
+
Migrating Xen virtual machines using LVM to KVM using disk images
+
2010-11-22 11:20
-

For a while now, I have wanted to find a way to change the DNS and -DHCP services in Debian Edu to use the same LDAP objects for a given -computer, to avoid the possibility of having a inconsistent state for -a computer in LDAP (as in DHCP but no DNS entry or the other way -around) and make it easier to add computers to LDAP.

- -

I've looked at how powerdns and dhcpd is using LDAP, and using this -information finally found a solution that seem to work.

- -

The old setup required three LDAP objects for a given computer. -One forward DNS entry, one reverse DNS entry and one DHCP entry. If -we switch powerdns to use its strict LDAP method (ldap-method=strict -in pdns-debian-edu.conf), the forward and reverse DNS entries are -merged into one while making it impossible to transfer the reverse map -to a slave DNS server.

- -

If we also replace the object class used to get the DNS related -attributes to one allowing these attributes to be combined with the -dhcphost object class, we can merge the DNS and DHCP entries into one. -I've written such object class in the dnsdomainaux.schema file (need -proper OIDs, but that is a minor issue), and tested the setup. It -seem to work.

- -

With this test setup in place, we can get away with one LDAP object -for both DNS and DHCP, and even the LTSP configuration I suggested in -an earlier email. The combined LDAP object will look something like -this:

- -
-  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-  cn: hostname
-  objectClass: dhcphost
-  objectclass: domainrelatedobject
-  objectclass: dnsdomainaux
-  associateddomain: hostname.intern
-  arecord: 10.11.12.13
-  dhcphwaddress: ethernet 00:00:00:00:00:00
-  dhcpstatements: fixed-address hostname
-  ldapconfigsound: Y
-
- -

The DNS server uses the associateddomain and arecord entries, while -the DHCP server uses the dhcphwaddress and dhcpstatements entries -before asking DNS to resolve the fixed-adddress. LTSP will use -dhcphwaddress or associateddomain and the ldapconfig* attributes.

- -

I am not yet sure if I can get the DHCP server to look for its -dhcphost in a different location, to allow us to put the objects -outside the "DHCP Config" subtree, but hope to figure out a way to do -that. If I can't figure out a way to do that, we can still get rid of -the hosts subtree and move all its content into the DHCP Config tree -(which probably should be renamed to be more related to the new -content. I suspect cn=dnsdhcp,ou=services or something like that -might be a good place to put it.

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

Most of the computers in use by the +Debian Edu/Skolelinux project +are virtual machines. And they have been Xen machines running on a +fairly old IBM eserver xseries 345 machine, and we wanted to migrate +them to KVM on a newer Dell PowerEdge 2950 host machine. This was a +bit harder that it could have been, because we set up the Xen virtual +machines to get the virtual partitions from LVM, which as far as I +know is not supported by KVM. So to migrate, we had to convert +several LVM logical volumes to partitions on a virtual disk file.

+ +

I found +a +nice recipe to do this, and wrote the following script to do the +migration. It uses qemu-img from the qemu package to make the disk +image, parted to partition it, losetup and kpartx to present the disk +image partions as devices, and dd to copy the data. I NFS mounted the +new servers storage area on the old server to do the migration.

+ +
+#!/bin/sh
+
+# Based on
+# http://searchnetworking.techtarget.com.au/articles/35011-Six-steps-for-migrating-Xen-virtual-machines-to-KVM
+
+set -e
+set -x
+
+if [ -z "$1" ] ; then
+    echo "Usage: $0 <hostname>"
+    exit 1
+else
+    host="$1"
+fi
+
+if [ ! -e /dev/vg_data/$host-disk ] ; then
+    echo "error: unable to find LVM volume for $host"
+    exit 1
+fi
+
+# Partitions need to be a bit bigger than the LVM LVs.  not sure why.
+disksize=$( lvs --units m | grep $host-disk | awk '{sum = sum + $4} END { print int(sum * 1.05) }')
+swapsize=$( lvs --units m | grep $host-swap | awk '{sum = sum + $4} END { print int(sum * 1.05) }')
+totalsize=$(( ( $disksize + $swapsize ) ))
+
+img=$host.img
+#dd if=/dev/zero of=$img bs=1M count=$(( $disksize + $swapsize ))
+qemu-img create $img ${totalsize}MMaking room on the Debian Edu/Sqeeze DVD
+
+parted $img mklabel msdos
+parted $img mkpart primary linux-swap 0 $disksize
+parted $img mkpart primary ext2 $disksize $totalsize
+parted $img set 1 boot on
+
+modprobe dm-mod
+losetup /dev/loop0 $img
+kpartx -a /dev/loop0
+
+dd if=/dev/vg_data/$host-disk of=/dev/mapper/loop0p1 bs=1M
+fsck.ext3 -f /dev/mapper/loop0p1 || true
+mkswap /dev/mapper/loop0p2
+
+kpartx -d /dev/loop0
+losetup -d /dev/loop0
+
+ +

The script is perhaps so simple that it is not copyrightable, but +if it is, it is licenced using GPL v2 or later at your discretion.

+ +

After doing this, I booted a Debian CD in rescue mode in KVM with +the new disk image attached, installed grub-pc and linux-image-686 and +set up grub to boot from the disk image. After this, the KVM machines +seem to work just fine.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: debian, debian edu, english.
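Review bot: The added migration script has a corrupted command line: `qemu-img create $img ${totalsize}MMaking room on the Debian Edu/Sqeeze DVD` carries what looks like another entry's title appended to the size argument, so a reader who copies the script gets a malformed qemu-img call. The argument should end at `${totalsize}M`. In the same script the partition types are the reverse of how the partitions are used. `parted $img mkpart primary linux-swap 0 $disksize` makes partition 1 swap, yet the root volume is then copied to /dev/mapper/loop0p1 and mkswap runs on loop0p2, so the first mkpart should be ext2 and the second linux-swap. The script calls modprobe, losetup and dd on block devices, so it runs as root. For that reason I would quote "$host" and "$img" wherever they are expanded, and anchor the `grep $host-disk` match so that one hostname cannot match another host's volumes and inflate the summed size. I would also take the loop device from `losetup -f --show` rather than assuming /dev/loop0 is free. Finally, `|| true` after fsck.ext3 discards exit codes of 4 and above (errors left uncorrected) along with the harmless ones. A check that only tolerates codes 0 and 1 would stop the run when the copied filesystem is damaged.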
-
Idea for storing LTSP configuration in LDAP
-
2010-07-11 22:00
+
Lenny->Squeeze upgrades, apt vs aptitude with the Gnome and KDE desktop
+
2010-11-20 22:50
-

Vagrant mentioned on IRC today that ltsp_config now support -sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin -clients, and that this can be used to fetch configuration from LDAP if -Debian Edu choose to store configuration there.

- -

Armed with this information, I got inspired and wrote a test module -to get configuration from LDAP. The idea is to look up the MAC -address of the client in LDAP, and look for attributes on the form -ltspconfigsetting=value, and use this to export SETTING=value to the -LTSP clients.

- -

The goal is to be able to store the LTSP configuration attributes -in a "computer" LDAP object used by both DNS and DHCP, and thus -allowing us to store all information about a computer in one place.

- -

This is a untested draft implementation, and I welcome feedback on -this approach. A real LDAP schema for the ltspClientAux objectclass -need to be written. Comments, suggestions, etc?

- -
-# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
-#
-# Fetch LTSP client settings from LDAP based on MAC address
-#
-# Uses ethernet address as stored in the dhcpHost objectclass using
-# the dhcpHWAddress attribute or ethernet address stored in the
-# ieee802Device objectclass with the macAddress attribute.
-#
-# This module is written to be schema agnostic, and only depend on the
-# existence of attribute names.
-#
-# The LTSP configuration variables are saved directly using a
-# ltspConfig prefix and uppercasing the rest of the attribute name.
-# To set the SERVER variable, set the ltspConfigServer attribute.
-#
-# Some LDAP schema should be created with all the relevant
-# configuration settings.  Something like this should work:
-# 
-# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
-#     SUP top
-#     AUXILIARY
-#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )
-
-LDAPSERVER=$(debian-edu-ldapserver)
-if [ "$LDAPSERVER" ] ; then
-    LDAPBASE=$(debian-edu-ldapserver -b)
-    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do
-	filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))"
-	ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \
-	    grep '^ltspConfig' | while read attr value ; do
-	    # Remove prefix and convert to upper case
-	    attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z)
-	    # bass value on to clients
-	    eval "$attr=$value; export $attr"
-	done
-    done
-fi
-
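Review bot: In the removed ldap-config draft, `eval "$attr=$value; export $attr"` runs the attribute name and value returned by ldapsearch as shell code, so a value containing a space, `;` or `$(...)` is executed or mangled on the LTSP client instead of being assigned. That input is controlled by anyone who can write ltspConfig* attributes in the directory, and the lookup is a plain `ldapsearch -h "$LDAPSERVER" ... -x` with no TLS option visible, so it is also controlled by anyone who can answer in place of the server. If this draft is kept anywhere, drop the eval: accept the name only when it matches `^[A-Z_][A-Z0-9_]*$` and assign with `export "$attr=$value"`. Two functional problems sit on the same lines. ldapsearch prints LDIF as `name: value`, so `read attr value` leaves the trailing colon in `$attr` and the eval would see `SERVER:=...`. The `while` loop is the last stage of a pipeline and runs in a subshell, so the exports never reach ltsp-config, as the post itself suspects.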
- -

I'm not sure this shell construction will work, because I suspect -the while block might end up in a subshell causing the variables set -there to not show up in ltsp-config, but if that is the case I am sure -the code can be restructured to make sure the variables are passed on. -I expect that can be solved with some testing. :)

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

- -

Update 2010-07-17: I am aware of another effort to store LTSP -configuration in LDAP that was created around year 2000 by -PC -Xperience, Inc., 2000. I found its -files on a -personal home page over at redhat.com.

+

I'm still running upgrade testing of the +Lenny +Gnome and KDE Desktop, but have not had time to spend on reporting the +status. Here is a short update based on a test I ran 20101118.

+ +

I still do not know what a correct migration should look like, so I +report any differences between apt and aptitude and hope someone else +can see if anything should be changed.

+ +

This is for Gnome:

+ +

Installed using apt-get, missing with aptitude

+ +

+ apache2.2-bin aptdaemon at-spi baobab binfmt-support + browser-plugin-gnash cheese-common cli-common cpp-4.3 cups-pk-helper + dmz-cursor-theme empathy empathy-common finger + freedesktop-sound-theme freeglut3 gconf-defaults-service gdm-themes + gedit-plugins geoclue geoclue-hostip geoclue-localnet geoclue-manual + geoclue-yahoo gnash gnash-common gnome gnome-backgrounds + gnome-cards-data gnome-codec-install gnome-core + gnome-desktop-environment gnome-disk-utility gnome-screenshot + gnome-search-tool gnome-session-canberra gnome-spell + gnome-system-log gnome-themes-extras gnome-themes-more + gnome-user-share gs-common gstreamer0.10-fluendo-mp3 + gstreamer0.10-tools gtk2-engines gtk2-engines-pixbuf + gtk2-engines-smooth hal-info hamster-applet libapache2-mod-dnssd + libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap + libart2.0-cil libatspi1.0-0 libboost-date-time1.42.0 + libboost-python1.42.0 libboost-thread1.42.0 libchamplain-0.4-0 + libchamplain-gtk-0.4-0 libcheese-gtk18 libclutter-gtk-0.10-0 + libcryptui0 libcupsys2 libdiscid0 libeel2-data libelf1 libepc-1.0-2 + libepc-common libepc-ui-1.0-2 libfreerdp-plugins-standard + libfreerdp0 libgail-common libgconf2.0-cil libgdata-common libgdata7 + libgdl-1-common libgdu-gtk0 libgee2 libgeoclue0 libgexiv2-0 libgif4 + libglade2.0-cil libglib2.0-cil libgmime2.4-cil libgnome-vfs2.0-cil + libgnome2.24-cil libgnomepanel2.24-cil libgnomeprint2.2-data + libgnomeprintui2.2-common libgnomevfs2-bin libgpod-common libgpod4 + libgtk2.0-cil libgtkglext1 libgtksourceview-common + libgtksourceview2.0-common libmono-addins-gui0.2-cil + libmono-addins0.2-cil libmono-cairo2.0-cil libmono-corlib2.0-cil + libmono-i18n-west2.0-cil libmono-posix2.0-cil + libmono-security2.0-cil libmono-sharpzip2.84-cil + libmono-system2.0-cil libmtp8 libmusicbrainz3-6 + libndesk-dbus-glib1.0-cil libndesk-dbus1.0-cil libopal3.6.8 + libpolkit-gtk-1-0 libpt-1.10.10-plugins-alsa + libpt-1.10.10-plugins-v4l libpt2.6.7 libpython2.6 librpm1 librpmio1 
+ libsdl1.2debian libservlet2.4-java libsrtp0 libssh-4 + libtelepathy-farsight0 libtelepathy-glib0 libtidy-0.99-0 + libxalan2-java libxerces2-java media-player-info mesa-utils + mono-2.0-gac mono-gac mono-runtime nautilus-sendto + nautilus-sendto-empathy openoffice.org-writer2latex + openssl-blacklist p7zip p7zip-full pkg-config python-4suite-xml + python-aptdaemon python-aptdaemon-gtk python-axiom + python-beautifulsoup python-bugbuddy python-clientform + python-coherence python-configobj python-crypto python-cupshelpers + python-cupsutils python-eggtrayicon python-elementtree + python-epsilon python-evolution python-feedparser python-gdata + python-gdbm python-gst0.10 python-gtkglext1 python-gtkmozembed + python-gtksourceview2 python-httplib2 python-louie python-mako + python-markupsafe python-mechanize python-nevow python-notify + python-opengl python-openssl python-pam python-pkg-resources + python-pyasn1 python-pysqlite2 python-rdflib python-serial + python-tagpy python-twisted-bin python-twisted-conch + python-twisted-core python-twisted-web python-utidylib python-webkit + python-xdg python-zope.interface remmina remmina-plugin-data + remmina-plugin-rdp remmina-plugin-vnc rhythmbox-plugin-cdrecorder + rhythmbox-plugins rpm-common rpm2cpio seahorse-plugins shotwell + software-center svgalibg1 system-config-printer-udev + telepathy-gabble telepathy-mission-control-5 telepathy-salut tomboy + totem totem-coherence totem-mozilla totem-plugins + transmission-common xdg-user-dirs xdg-user-dirs-gtk xserver-xephyr + zip +

+ +Installed using apt-get, removed with aptitude + +

+ arj bluez-utils cheese dhcdbd djvulibre-desktop ekiga eog + epiphany-extensions epiphany-gecko evolution-exchange + fast-user-switch-applet file-roller gcalctool gconf-editor gdm gedit + gedit-common gnome-app-install gnome-games gnome-games-data + gnome-nettool gnome-system-tools gnome-themes gnome-utils + gnome-vfs-obexftp gnome-volume-manager gnuchess gucharmap + guile-1.8-libs hal libavahi-compat-libdnssd1 libavahi-core5 + libavahi-ui0 libbind9-50 libbluetooth2 libcamel1.2-11 libcdio7 + libcucul0 libcurl3 libdirectfb-1.0-0 libdmx1 libdvdread3 + libedata-cal1.2-6 libedataserver1.2-9 libeel2-2.20 libepc-1.0-1 + libepc-ui-1.0-1 libexchange-storage1.2-3 libfaad0 libgadu3 + libgalago3 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9 + libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2 + libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0 + libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtk-vnc-1.0-0 + libgtkhtml2-0 libgtksourceview1.0-0 libgtksourceview2.0-0 + libgucharmap6 libhesiod0 libicu38 libisccc50 libisccfg50 libiw29 + libjaxp1.3-java-gcj libkpathsea4 liblircclient0 libltdl3 liblwres50 + libmagick++10 libmagick10 libmalaga7 libmozjs1d libmpfr1ldbl libmtp7 + libmysqlclient15off libnautilus-burn4 libneon27 libnm-glib0 + libnm-util0 libopal-2.2 libosp5 libparted1.8-10 libpisock9 + libpisync1 libpoppler-glib3 libpoppler3 libpt-1.10.10 libraw1394-8 + libsdl1.2debian-alsa libsensors3 libsexy2 libsmbios2 libsoup2.2-8 + libspeexdsp1 libssh2-1 libsuitesparse-3.1.0 libsvga1 + libswfdec-0.6-90 libtalloc1 libtotem-plparser10 libtrackerclient0 + libvoikko1 libxalan2-java-gcj libxerces2-java-gcj libxklavier12 + libxtrap6 libxxf86misc1 libzephyr3 mysql-common rhythmbox seahorse + sound-juicer swfdec-gnome system-config-printer totem-common + totem-gstreamer transmission-gtk vinagre vino w3c-dtd-xhtml wodim +

+ +

Installed using aptitude, missing with apt-get

+ +

+ gstreamer0.10-gnomevfs +

+ +

Installed using aptitude, removed with apt-get

+ +

+[nothing] +

+ +

This is for KDE:

+ +

Installed using apt-get, missing with aptitude

+ +

+ autopoint bomber bovo cantor cantor-backend-kalgebra cpp-4.3 dcoprss + edict espeak espeak-data eyesapplet fifteenapplet finger gettext + ghostscript-x git gnome-audio gnugo granatier gs-common + gstreamer0.10-pulseaudio indi kaddressbook-plugins kalgebra + kalzium-data kanjidic kapman kate-plugins kblocks kbreakout kbstate + kde-icons-mono kdeaccessibility kdeaddons-kfile-plugins + kdeadmin-kfile-plugins kdeartwork-misc kdeartwork-theme-window + kdeedu kdeedu-data kdeedu-kvtml-data kdegames kdegames-card-data + kdegames-mahjongg-data kdegraphics-kfile-plugins kdelirc + kdemultimedia-kfile-plugins kdenetwork-kfile-plugins + kdepim-kfile-plugins kdepim-kio-plugins kdessh kdetoys kdewebdev + kdiamond kdnssd kfilereplace kfourinline kgeography-data kigo + killbots kiriki klettres-data kmoon kmrml knewsticker-scripts + kollision kpf krosspython ksirk ksmserver ksquares kstars-data + ksudoku kubrick kweather libasound2-plugins libboost-python1.42.0 + libcfitsio3 libconvert-binhex-perl libcrypt-ssleay-perl libdb4.6++ + libdjvulibre-text libdotconf1.0 liberror-perl libespeak1 + libfinance-quote-perl libgail-common libgsl0ldbl libhtml-parser-perl + libhtml-tableextract-perl libhtml-tagset-perl libhtml-tree-perl + libio-stringy-perl libkdeedu4 libkdegames5 libkiten4 libkpathsea5 + libkrossui4 libmailtools-perl libmime-tools-perl + libnews-nntpclient-perl libopenbabel3 libportaudio2 libpulse-browse0 + libservlet2.4-java libspeechd2 libtiff-tools libtimedate-perl + libunistring0 liburi-perl libwww-perl libxalan2-java libxerces2-java + lirc luatex marble networkstatus noatun-plugins + openoffice.org-writer2latex palapeli palapeli-data parley + parley-data poster psutils pulseaudio pulseaudio-esound-compat + pulseaudio-module-x11 pulseaudio-utils quanta-data rocs rsync + speech-dispatcher step svgalibg1 texlive-binaries texlive-luatex + ttf-sazanami-gothic +

+ +

Installed using apt-get, removed with aptitude

+ +

+ amor artsbuilder atlantik atlantikdesigner blinken bluez-utils cvs + dhcdbd djvulibre-desktop imlib-base imlib11 kalzium kanagram kandy + kasteroids katomic kbackgammon kbattleship kblackbox kbounce kbruch + kcron kdat kdemultimedia-kappfinder-data kdeprint kdict kdvi kedit + keduca kenolaba kfax kfaxview kfouleggs kgeography kghostview + kgoldrunner khangman khexedit kiconedit kig kimagemapeditor + kitchensync kiten kjumpingcube klatin klettres klickety klines + klinkstatus kmag kmahjongg kmailcvt kmenuedit kmid kmilo kmines + kmousetool kmouth kmplot knetwalk kodo kolf kommander konquest kooka + kpager kpat kpdf kpercentage kpilot kpoker kpovmodeler krec + kregexpeditor kreversi ksame ksayit kshisen ksig ksim ksirc ksirtet + ksmiletris ksnake ksokoban kspaceduel kstars ksvg ksysv kteatime + ktip ktnef ktouch ktron kttsd ktuberling kturtle ktux kuickshow + kverbos kview kviewshell kvoctrain kwifimanager kwin kwin4 kwordquiz + kworldclock kxsldbg libakode2 libarts1-akode libarts1-audiofile + libarts1-mpeglib libarts1-xine libavahi-compat-libdnssd1 + libavahi-core5 libavc1394-0 libbind9-50 libbluetooth2 + libboost-python1.34.1 libcucul0 libcurl3 libcvsservice0 + libdirectfb-1.0-0 libdjvulibre21 libdvdread3 libfaad0 libfreebob0 + libgd2-noxpm libgraphviz4 libgsmme1c2a libgtkhtml2-0 libicu38 + libiec61883-0 libindex0 libisccc50 libisccfg50 libiw29 + libjaxp1.3-java-gcj libk3b3 libkcal2b libkcddb1 libkdeedu3 + libkdegames1 libkdepim1a libkgantt0 libkleopatra1 libkmime2 + libkpathsea4 libkpimexchange1 libkpimidentities1 libkscan1 + libksieve0 libktnef1 liblockdev1 libltdl3 liblwres50 libmagick10 + libmimelib1c2a libmodplug0c2 libmozjs1d libmpcdec3 libmpfr1ldbl + libneon27 libnm-util0 libopensync0 libpisock9 libpoppler-glib3 + libpoppler-qt2 libpoppler3 libraw1394-8 librss1 libsensors3 + libsmbios2 libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 + libtalloc1 libxalan2-java-gcj libxerces2-java-gcj libxtrap6 lskat + mpeglib network-manager-kde noatun pmount tex-common 
texlive-base + texlive-common texlive-doc-base texlive-fonts-recommended tidy + ttf-dustin ttf-kochi-gothic ttf-sjfonts +

+ +

Installed using aptitude, missing with apt-get

+ +

+ dolphin kde-core kde-plasma-desktop kde-standard kde-window-manager + kdeartwork kdebase kdebase-apps kdebase-workspace + kdebase-workspace-bin kdebase-workspace-data kdeutils kscreensaver + kscreensaver-xsavers libgle3 libkonq5 libkonq5-templates libnetpbm10 + netpbm plasma-widget-folderview plasma-widget-networkmanagement + xscreensaver-data-extra xscreensaver-gl xscreensaver-gl-extra + xscreensaver-screensaver-bsod +

+ +

Installed using aptitude, removed with apt-get

+ +

+ kdebase-bin konq-plugins konqueror +

- Tags: debian, debian edu, english, ldap, nuug. + Tags: debian, debian edu, english.
-
jXplorer, a very nice LDAP GUI
-
2010-07-09 12:55
+
Gnash buildbot slave and Debian kfreebsd
+
2010-11-20 07:20
-

Since -my -last post about available LDAP tools in Debian, I was told about a -LDAP GUI that is even better than luma. The java application -jXplorer is claimed to be capable of -moving LDAP objects and subtrees using drag-and-drop, and can -authenticate using Kerberos. I have only tested the Kerberos -authentication, but do not have a LDAP setup allowing me to rewrite -LDAP with my test user yet. It is -available in -Debian testing and unstable at the moment. The only problem I -have with it is how it handle errors. If something go wrong, its -non-intuitive behaviour require me to go through some query work list -and remove the failing query. Nothing big, but very annoying.

+

Answering +the +call from the Gnash project for +buildbot slaves to test the +current source, I have set up a virtual KVM machine on the Debian +Edu/Skolelinux virtualization host to test the git source on +Debian/Squeeze. I hope this can help the developers in getting new +releases out more often.

+ +

As the developers want less main-stream build platforms tested to, +I have considered setting up a Debian/kfreebsd +machine as well. I have also considered using the kfreebsd +architecture in Debian as a file server in NUUG to get access to the 5 +TB zfs volume we currently use to store DV video. Because of this, I +finally got around to do a test installation of Debian/Squeeze with +kfreebsd. Installation went fairly smooth, thought I noticed some +visual glitches in the cdebconf dialogs (black cursor left on the +screen at random locations). Have not gotten very far with the +testing. Noticed cfdisk did not work, but fdisk did so it was not a +fatal problem. Have to spend some more time on it to see if it is +useful as a file server for NUUG. Will try to find time to set up a +gnash buildbot slave on the Debian Edu/Skolelinux this weekend.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: debian, debian edu, english, nuug.
-
MS Word krøller det til for politiet?
-
2010-07-08 14:00
+
Nå er 74 norske overvåkningskamera registert i OpenStreetmap.org
+
2010-11-18 11:25
-

De siste dagene har Aftenposten -fortalt -hvordan -politet har brukt skriveverktøy som ikke håndterer arabisk tekst og -tekst som skal skrives fra høyre mot venstre når de har laget -løpeseddel for å be om informasjon fra publikum. Resultatet har vært -en uleselig arabisk-bit på løpeseddelen. Feilen har oppstått når -teksten har blitt "kopiert inn i programvare som ikke har støtte for -språk som skrives fra høyre mot venstre", og jeg er ganske sikker på -at det er snakk om Microsoft Office i dette tilfellet. Er det slik at -MS Office i norsk språkdrakt ikke har støtte for tekst som skal -skrives fra høyre mot venstre? Jeg tror alle utgaver av -OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å -la slik støtte finnes i alle utgaver av et program hvis støtten først -er utviklet. Aftenpostens melding får meg til å undre om problemet -ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS -Office.

- -

Mon tro om det er flere eksempler på at MS Office har ødelagt for -offentlig myndighet?

+

Jeg oppdaterte nettopp kartet med overvåkningskamera som +jeg +startet for ca. et og et halvt år siden, og nå er det 74 kamera på +plass. I prosessen med å oppdatere kartet oppdaget jeg ved en +tilfeldighet at webreferansen til registermeldingen hos Datatilsynet +nå ikke lenger er gyldig (se +tidligere +melding). Antar Datatilsynet fjerner utdaterte meldinger fra +databasen. Konsekvensen blir at kameraoversikten i OSM må ha med +søkekriteriene som ble brukt for å finne registermeldingen +(dvs. virksomhetsnavn og organisasjonsnummer), slik at eventuelt nye +meldinger for samme kamera kan finnes igjen.

+ +

Det er dukket opp kamera på +kartet +i Bergensområdet, Stavangerområdet, Osloområdet, Gjøvikområdet og i +Troms. Mange områder og kamera mangler, og jeg er overbevist om at +bare en brøkdel av den enorme mengden kamera som nå finnes i det +offentlige rom er registrert så langt. Instrukser for å legge inn +kamera finnes på websiden for kartet hos +personvernforeningen.

- Tags: norsk. + Tags: norsk, personvern.
-
Lenny->Squeeze upgrades, apt vs aptitude with the Gnome desktop
-
2010-07-03 23:55
+
Gjendikte sangen "Copying Is Not Theft" på Norsk?
+
2010-11-10 14:40
-

Here is a short update on my my -Debian Lenny->Squeeze upgrade testing. Here is a summary of the -difference for Gnome when it is upgraded by apt-get and aptitude. I'm -not reporting the status for KDE, because the upgrade crashes when -aptitude try because of missing conflicts -(#584861 and -#585716).

- -

At the end of the upgrade test script, dpkg -l is executed to get a -complete list of the installed packages. Based on this I see these -differences when I did a test run today. As usual, I do not really -know what the correct set of packages would be, but thought it best to -publish the difference.

- -

Installed using apt-get, missing with aptitude

- -

- at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs - libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common - libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin - libgtksourceview-common libpt-1.10.10-plugins-alsa - libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java - libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip - python-4suite-xml python-eggtrayicon python-gtkhtml2 - python-gtkmozembed svgalibg1 xserver-xephyr zip -

- -

Installed using apt-get, removed with aptitude

- -

- bluez-utils dhcdbd djvulibre-desktop epiphany-gecko - gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager - libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50 - libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3 - libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9 - libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3 - libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9 - libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2 - libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0 - libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0 - libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50 - libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10 - libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4 - libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5 - libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3 - libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8 - libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1 - libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj - libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3 - mysql-common swfdec-gnome totem-gstreamer wodim -

- -

Installed using aptitude, missing with apt-get

- -

- gnome gnome-desktop-environment hamster-applet python-gnomeapplet - python-gnomekeyring python-wnck rhythmbox-plugins xorg - xserver-xorg-input-all xserver-xorg-input-evdev - xserver-xorg-input-kbd xserver-xorg-input-mouse - xserver-xorg-input-synaptics xserver-xorg-video-all - xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati - xserver-xorg-video-chips xserver-xorg-video-cirrus - xserver-xorg-video-dummy xserver-xorg-video-fbdev - xserver-xorg-video-glint xserver-xorg-video-i128 - xserver-xorg-video-i740 xserver-xorg-video-mach64 - xserver-xorg-video-mga xserver-xorg-video-neomagic - xserver-xorg-video-nouveau xserver-xorg-video-nv - xserver-xorg-video-r128 xserver-xorg-video-radeon - xserver-xorg-video-radeonhd xserver-xorg-video-rendition - xserver-xorg-video-s3 xserver-xorg-video-s3virge - xserver-xorg-video-savage xserver-xorg-video-siliconmotion - xserver-xorg-video-sis xserver-xorg-video-sisusb - xserver-xorg-video-tdfx xserver-xorg-video-tga - xserver-xorg-video-trident xserver-xorg-video-tseng - xserver-xorg-video-vesa xserver-xorg-video-vmware - xserver-xorg-video-voodoo -

- -

Installed using aptitude, removed with apt-get

- -

- deskbar-applet xserver-xorg xserver-xorg-core - xserver-xorg-input-wacom xserver-xorg-video-intel - xserver-xorg-video-openchrome -

- -

I was told on IRC that the xorg-xserver package was -changed -in git today to try to get apt-get to not remove xorg completely. -No idea when it hits Squeeze, but when it does I hope it will reduce -the difference somewhat. +

En genial liten sang om kopiering og tyveri er +Copying Is +Not Theft av Nina Paley. Den vil jeg at +NUUG skal sende på +Frikanalen, men først må vi +fikse norske undertekster eller dubbing. Og i og med at det er en +sang, tror jeg den kanskje bør gjendiktes. + +Selve teksten finner en på bloggen til +tekstforfatteren og den ser slik ut: + +

+

Copying is not theft. +
Stealing a thing leaves one less left +
Copying it makes one thing more; +
that's what copying's for.

+ +

Copying is not theft. +
If I copy yours you have it too +
One for me and one for you +
That's what copies can do

+ +

If I steal your bicycle +
you have to take the bus, +
but if I just copy it +
there's one for each of us!

+ +

Making more of a thing, +
that is what we call "copying" +
Sharing ideas with everyone +
That's why copying +
is +
FUN!

+

+ +

Her er et naivt forsøk på oversettelse, uten noe forsøk på +gjendiktning eller få det til å flyte sammen med melodien.

+ +

+

Kopiering er ikke tyveri. +
Stjeler du en ting er det en mindre igjen +
Kopier den og det er ting til. +
det er derfor vi har kopiering.

+ +

Kopiering er ikke tyveri. +
Hvis jeg kopierer din så har du den fortsatt +
En for meg og en for deg. +
Det er det kopier gir oss

+ +

Hvis jeg stjeler sykkelen din +
så må du ta bussen, +
men hvis jeg bare kopierer den, +
så får vi hver vår!

+ +

Lage mer av en ting, +
det er det vi kaller "kopiering". +
Deler ideer med enhver +
Det er derfor kopiering +
er +
MORSOMT!

+

+ +

Hvis du har forslag til bedre oversettelse eller lyst til å bidra +til å få denne sangen over i norsk språkdrakt, ta kontakt med video +(at) nuug.no.

- Tags: debian, debian edu, english. + Tags: fildeling, norsk, nuug, opphavsrett, personvern.
-
Caching password, user and group on a roaming Debian laptop
-
2010-07-01 11:40
+
Debian in 3D
+
2010-11-09 16:10
-

For a laptop, centralized user directories and password checking is -a bit troubling. Laptops are typically used also when not connected -to the network, and it is vital for a user to be able to log in or -unlock the screen saver also when a central server is unavailable. -This is possible by caching passwords and directory information (user -and group attributes) locally, and the packages to do so are available -in Debian. Here follow two recipes to set this up in Debian/Squeeze. -It is also possible to set up in Debian/Lenny, but require more manual -setup there because pam-auth-update is missing in Lenny.

- -

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

- -This is the traditional method with a twist. The password caching is -provided by libpam-ccreds (version 10-4 or later is needed on -Squeeze), and the directory caching is done by nscd. The directory -lookup and password checking is done using LDAP. If one want to use -Kerberos for password checking the libpam-ldapd package can be -replaced with libpam-krb5 or libpam-heimdal. If one is happy having a -local home directory with the path listed in LDAP, one can use the -pam_mkhomedir module from pam-modules to make this happen instead of -using libpam-mklocaluser. A setup for pam-auth-update to enable -pam_mkhomedir will have to be written until a fix for -bug #568577 is in the -archive. Because I believe it is a bad idea to have local home -directories using misleading paths like /site/server/partition/, I -prefer to create a local user with the home directory in /home/. This -is done using the libpam-mklocaluser package.

- -

These packages need to be installed and configured

- -
-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
-
- -

The ldapd packages will ask for LDAP connection information, and -one have to fill in the values that fits ones own site. Make sure the -PAM part uses encrypted connections, to make sure the password is not -sent in clear text to the LDAP server. I've been unable to get TLS -certificate checking for a self signed certificate working, which make -LDAP authentication unsafe for Debian Edu (nslcd is not checking if it -is talking to the correct LDAP server), and very much welcome feedback -on how to get this working.

- -

Because nscd do not have a default configuration fit for offline -caching until bug #485282 -is fixed, this configuration should be used instead of the one -currently in /etc/nscd.conf. The changes are in the fields -reload-count and positive-time-to-live, and is based on the -instructions I found in the -LDAP for Mobile Laptops -instructions by Flyn Computing.

- -
-	debug-level		0
-	reload-count		unlimited
-	paranoia		no
-
-	enable-cache		passwd		yes
-	positive-time-to-live	passwd		2592000
-	negative-time-to-live	passwd		20
-	suggested-size		passwd		211
-	check-files		passwd		yes
-	persistent		passwd		yes
-	shared			passwd		yes
-	max-db-size		passwd		33554432
-	auto-propagate		passwd		yes
-
-	enable-cache		group		yes
-	positive-time-to-live	group		2592000
-	negative-time-to-live	group		20
-	suggested-size		group		211
-	check-files		group		yes
-	persistent		group		yes
-	shared			group		yes
-	max-db-size		group		33554432
-	auto-propagate		group		yes
-
-	enable-cache		hosts		no
-	positive-time-to-live	hosts		2592000
-	negative-time-to-live	hosts		20
-	suggested-size		hosts		211
-	check-files		hosts		yes
-	persistent		hosts		yes
-	shared			hosts		yes
-	max-db-size		hosts		33554432
-
-	enable-cache		services	yes
-	positive-time-to-live	services	2592000
-	negative-time-to-live	services	20
-	suggested-size		services	211
-	check-files		services	yes
-	persistent		services	yes
-	shared			services	yes
-	max-db-size		services	33554432
-
- -

While we wait for a mechanism to update /etc/nsswitch.conf -automatically like the one provided in -bug #496915, the file -content need to be manually replaced to ensure LDAP is used as the -directory service on the machine. /etc/nsswitch.conf should normally -look like this:

- -
-passwd:         files ldap
-group:          files ldap
-shadow:         files ldap
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-protocols:      files
-services:       files
-ethers:         files
-rpc:            files
-netgroup:       files ldap
-
- -

The important parts are that ldap is listed last for passwd, group, -shadow and netgroup.

- -

With these changes in place, any user in LDAP will be able to log -in locally on the machine using for example kdm, get a local home -directory created and have the password as well as user and group -attributes cached. - -

LDAP/Kerberos + nss-updatedb + libpam-ccreds + - libpam-mklocaluser/pam_mkhomedir

- -

Because nscd have had its share of problems, and seem to have -problems doing proper caching, I've seen suggestions and recipes to -use nss-updatedb to copy parts of the LDAP database locally when the -LDAP database is available. I have not tested such setup, because I -discovered sssd.

- -

LDAP/Kerberos + sssd + libpam-mklocaluser

- -

A more flexible and robust setup than the nscd combination -mentioned earlier that has shown up recently, is the -sssd package from Redhat. -It is part of the FreeIPA project -to provide a Active Directory like directory service for Linux -machines. The sssd system combines the caching of passwords and user -information into one package, and remove the need for nscd and -libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version -1.2 do not support netgroups, but it is said that it will support this -in version 1.5 expected to show up later in 2010. Because the -sssd package -was missing in Debian, I ended up co-maintaining it with Werner, and -version 1.2 is now in testing. - -

These packages need to be installed and configured to get the -roaming setup I want

- -
-libpam-sss libnss-sss libpam-mklocaluser
-
- -The complete setup of sssd is done by editing/creating -/etc/sssd/sssd.conf. - -
-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = INTERN
-
-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[domain/INTERN]
-enumerate = false
-cache_credentials = true
-
-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
-
-ldap_uri = ldap://ldap
-ldap_search_base = dc=skole,dc=skolelinux,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-
- -

I got the same problem here with certificate checking. Had to set -"ldap_tls_reqcert = never" to get it working.

- -

With the libnss-sss package in testing at the moment, the -nsswitch.conf file is update automatically, so there is no need to -modify it manually.

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

+ +

3D printing is just great. I just came across this Debian logo in +3D linked in from +the +thingiverse blog.

- Tags: debian edu, english, ldap, nuug. + Tags: 3d-printer, debian, english.
-
LUMA, a very nice LDAP GUI
-
2010-06-28 00:30
+
Datatilsynet mangler verktøyet som trengs for å kontrollere kameraovervåkning
+
2010-11-09 14:35
-

The last few days I have been looking into the status of the LDAP -directory in Debian Edu, and in the process I started to miss a GUI -tool to browse the LDAP tree. The only one I was able to find in -Debian/Squeeze and Lenny is -LUMA, which has proved to -be a great tool to get a overview of the current LDAP directory -populated by default in Skolelinux. Thanks to it, I have been able to -find empty and obsolete subtrees, misplaced objects and duplicate -objects. It will be installed by default in Debian/Squeeze. If you -are working with LDAP, give it a go. :)

- -

I did notice one problem with it I have not had time to report to -the BTS yet. There is no .desktop file in the package, so the tool do -not show up in the Gnome and KDE menus, but only deep down in in the -Debian submenu in KDE. I hope that can be fixed before Squeeze is -released.

- -

I have not yet been able to get it to modify the tree yet. I would -like to move objects and remove subtrees directly in the GUI, but have -not found a way to do that with LUMA yet. So in the mean time, I use -ldapvi for that.

- -

If you have tips on other GUI tools for LDAP that might be useful -in Debian Edu, please contact us on debian-edu@lists.debian.org.

- -

Update 2010-06-29: Ross Reedstrom tipped us about the -gq package as a -useful GUI alternative. It seem like a good tool, but is unmaintained -in Debian and got a RC bug keeping it out of Squeeze. Unless that -changes, it will not be an option for Debian Edu based on Squeeze.

+

En stund tilbake ble jeg oppmerksom på at Datatilsynets verktøy for +å holde rede på overvåkningskamera i Norge ikke var egnet til annet +enn å lage statistikk, og ikke kunne brukes for å kontrollere om et +overvåkningskamera i det offentlige rom er lovlig satt opp og +registrert. For å teste hypotesen sendte jeg for noen dager siden +følgende spørsmål til datatilsynet. Det omtalte kameraet står litt +merkelig plassert i veigrøften ved gangstien langs Sandakerveien, og +jeg lurer oppriktig på om det er lovlig plassert og registrert.

+ +

+

Date: Tue, 2 Nov 2010 16:08:20 +0100 +
From: Petter Reinholdtsen <pere (at) hungry.com> +
To: postkasse (at) datatilsynet.no +
Subject: Er overvåkningskameraet korrekt registrert?

+ +

Hei.

+ +

I Nydalen i Oslo er det mange overvåkningskamera, og et av dem er +spesielt merkelig plassert like over et kumlokk. Jeg lurer på om +dette kameraet er korrekt registrert og i henhold til lovverket.

+ +

Finner ingen eierinformasjon på kameraet, og dermed heller ingenting å +søke på i <URL: +http://hetti.datatilsynet.no/melding/report_search.pl >. +Kartreferanse for kameraet er tilgjengelig fra +<URL: +http://people.skolelinux.no/pere/surveillance-norway/?zoom=17&lat=59.94918&lon=10.76962&layers=B0T >. + +

Kan dere fortelle meg om dette kameraet er registrert hos +Datatilsynet som det skal være i henhold til lovverket?

+ +

Det hadde forresten vært fint om rådata fra kameraregisteret var +tilgjengelig på web og regelmessig oppdatert, for å kunne søke på +andre ting enn organisasjonsnavn og -nummer ved å laste det ned og +gjøre egne søk.

+ +

Vennlig hilsen, +
-- +
Petter Reinholdtsen +

+ +

Her er svaret som kom dagen etter:

+ +

+

Date: Wed, 3 Nov 2010 14:44:09 +0100 +
From: "juridisk" <juridisk (at) Datatilsynet.no> +
To: Petter Reinholdtsen +
Subject: VS: Er overvåkningskameraet korrekt registrert? + +

Viser til e-post av 2. november. + +

Datatilsynet er det forvaltningsorganet som skal kontrollere at +personopplysningsloven blir fulgt. Formålet med loven er å verne +enkeltpersoner mot krenking av personvernet gjennom behandling av +personopplysninger.

+ +

Juridisk veiledningstjeneste hos Datatilsynet gir råd og veiledning +omkring personopplysningslovens regler på generelt grunnlag.

+ +

Datatilsynet har dessverre ikke en fullstendig oversikt over alle +kameraer, den oversikten som finner er i vår meldingsdatabase som du +finner her: +http://www.datatilsynet.no/templates/article____211.aspx

+ +

Denne databasen gir en oversikt over virksomheter som har meldt inn +kameraovervåkning. Dersom man ikek vet hvilken virksomhet som er +ansvarlig, er det heller ikke mulig for Datatilsynet å søke dette +opp.

+ +

Webkameraer som har så dårlig oppløsning at man ikke kan gjenkjenne +enkeltpersoner er ikke meldepliktige, da dette ikke anses som +kameraovervåkning i personopplysningslovens forstand. Dersom kameraet +du sikter til er et slikt webkamera, vil det kanskje ikke finnes i +meldingsdatabasen på grunn av dette. Også dersom et kamera med god +oppløsning ikke filmer mennesker, faller det utenfor loven.

+ +

Datatilsynet har laget en veileder som gjennomgår når det er lov å +overvåke med kamera, se lenke: +http://www.datatilsynet.no/templates/article____401.aspx

+ +

Dersom det ikke er klart hvem som er ansvarlig for kameraet, er det +vanskelig for Datatilsynet å ta kontakt med den ansvarlige for å få +avklart om kameraet er satt opp i tråd med tilsynets regelverk. Dersom +du mener at kameraet ikke er lovlig ut fra informasjonen ovenfor, kan +kameraet anmeldes til politiet.

+ +

Med vennlig hilsen

+ +

Maria Bakke +
Juridisk veiledningstjeneste +
Datatilsynet

+

+ +

Personlig synes jeg det bør være krav om å registrere hvert eneste +overvåkningskamera i det offentlige rom hos Datatilsynet, med +kartreferanse og begrunnelse om hvorfor det er satt opp, slik at +enhver borger enkelt kan hente ut kart over områder vi er interessert +i og sjekke om det er overvåkningskamera der som er satt opp uten å +være registert. Slike registreringer skal jo i dag fornyes +regelmessing, noe jeg mistenker ikke blir gjort. Dermed kan kamera +som en gang var korrekt registrert nå være ulovlig satt opp. Det +burde også være bøter for å ha kamera som ikke er korrekt registrert, +slik at en ikke kan ignorere registrering uten at det får +konsekvenser.

+ +

En ide fra England som jeg har sans (lite annet jeg har sans for +når det gjelder overvåkningskamera i England) for er at enhver borger +kan be om å få kopi av det som er tatt opp med et overvåkningskamera i +det offentlige rom, noe som gjør at det kan komme løpende utgifter ved +å sette overvåkningskamera. Jeg tror alt som gjør det mindre +attraktivt å ha overvåkningskamera i det offentlige rom er en god +ting, så et slikt lovverk i Norge tror jeg hadde vært nyttig.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: norsk, personvern, sikkerhet.
-
Idea for a change to LDAP schemas allowing DNS and DHCP info to be combined into one object
-
2010-06-24 00:35
+
Making room on the Debian Edu/Sqeeze DVD
+
2010-11-07 11:45
-

A while back, I -complained -about the fact that it is not possible with the provided schemas -for storing DNS and DHCP information in LDAP to combine the two sets -of information into one LDAP object representing a computer.

- -

In the mean time, I discovered that a simple fix would be to make -the dhcpHost object class auxiliary, to allow it to be combined with -the dNSDomain object class, and thus forming one object for one -computer when storing both DHCP and DNS information in LDAP.

- -

If I understand this correctly, it is not safe to do this change -without also changing the assigned number for the object class, and I -do not know enough about LDAP schema design to do that properly for -Debian Edu.

- -

Anyway, for future reference, this is how I believe we could change -the -DHCP -schema to solve at least part of the problem with the LDAP schemas -available today from IETF.

- -
---- dhcp.schema    (revision 65192)
-+++ dhcp.schema    (working copy)
-@@ -376,7 +376,7 @@
- objectclass ( 2.16.840.1.113719.1.203.6.6
-        NAME 'dhcpHost'
-        DESC 'This represents information about a particular client'
--       SUP top
-+       SUP top AUXILIARY
-        MUST cn
-        MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
-        X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
-
- -

I very much welcome clues on how to do this properly for Debian -Edu/Squeeze. We provide the DHCP schema in our debian-edu-config -package, and should thus be free to rewrite it as we see fit.

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

Prioritising packages for the Debian Edu / +Skolelinux DVD, which is +supposed provide a school with all the services and user applications +needed on the pupils computer network has always been hard. Even +schools without Internet connections should be able to get Debian Edu +working using this DVD.

+ +

The job became a lot harder when apt and aptitude started +installing recommended packages by default. We want the same set of +packages to be installed when using the DVD and the netinst CD, and +that means all recommended packages need to be on the DVD. I created +a patch for debian-cd in BTS +report #601203 to do this, and since this change was applied to +the Debian Edu DVD build, we have been seriously short on space.

+ +

A few days ago we decided to drop blender, wxmaxima and kicad from +the default installation to save space on the DVD, believing that +those needing these applications are few and can get them from the +Debian archive.

+ +

Yesterday, I had a look what source packages to see which packages +were using most space. A few large packages are well know; +openoffice.org, openclipart and fluid-soundfont. But I also +discovered that lilypond used 106 MiB and fglrx-driver used 53 MiB. +The lilypond package is pulled in as a dependency for rosegarden, and +when looking a bit closer I discovered that 99 MiB of the 106 MiB were +the documentation package, which is recommended by the binary package. +I decided to drop this documentation package from our DVD, as most of +our users will use the GUI front-ends and do not need the lilypond +documentation. Similarly, I dropped the non-free fglrx-driver package +which might be installed by d-i when its hardware is detected, as the +free X driver should work.

+ +

With this change, we finally got space for the LXDE and Gnome +desktop packages as well as the language specific packages making the +DVD more useful again.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: debian edu, english, nuug.
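Review bot: The added entry title "Making room on the Debian Edu/Sqeeze DVD" misspells Squeeze, and the first paragraph of that entry reads "supposed provide" where "supposed to provide" is meant. The fourth paragraph also needs rewording at "I had a look what source packages to see which packages were using most space" and "well know". The footer shows this file is Chronicle output, so make the corrections in the blog entry source and regenerate instead of editing index.html by hand.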
@@ -1049,7 +1217,15 @@ please contact us on debian-edu@lists.debian.org.

  • June (14)
  • -
  • July (8)
  • +
  • July (12)
  • + +
  • August (13)
  • + +
  • September (7)
  • + +
  • October (9)
  • + +
  • November (11)
  • @@ -1098,7 +1274,7 @@ please contact us on debian-edu@lists.debian.org.

    Tags

    -Created by Chronicle v3.7 +Created by Chronicle v3.2
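Review bot: The footer line goes from "Created by Chronicle v3.7" to "Created by Chronicle v3.2", so this commit's index.html was generated with an older version of the tool than the previous one. Please confirm that is intentional, for example a build run on a different machine. Generating the committed output with mixed tool versions can add unrelated markup churn to the large first hunk and make the actual content changes harder to review. Regenerating with the same version as the previous commit would keep the diff limited to the new entries and the updated archive counts.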