X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/e57109f196de8b39dbb0a8b27fd68db2bf50c35e..b57eb9c7caad39a795dc603797272d7c644f2730:/blog/index.html diff --git a/blog/index.html b/blog/index.html index 4e9762964b..4f0a93f00b 100644 --- a/blog/index.html +++ b/blog/index.html @@ -20,256 +20,528 @@
-
systemd, an interesting alternative to upstart
-
2010-05-13 22:20
+
Testing if a file system can be used for home directories...
+
2010-08-08 21:20
-

The last few days a new boot system called -systemd -has been -introduced - -to the free software world. I have not yet had time to play around -with it, but it seem to be a very interesting alternative to -upstart, and might prove to be -a good alternative for Debian when we are able to switch to an event -based boot system. Tollef is -in the process of getting -systemd into Debian, and I look forward to seeing how well it work. I -like the fact that systemd handles init.d scripts with dependency -information natively, allowing them to run in parallel where upstart -at the moment do not.

- -

Unfortunately do systemd have the same problem as upstart regarding -platform support. It only work on recent Linux kernels, and also need -some new kernel features enabled to function properly. This means -kFreeBSD and Hurd ports of Debian will need a port or a different boot -system. Not sure how that will be handled if systemd proves to be the -way forward.

- -

In the mean time, based on the -input -on debian-devel@ regarding parallel booting in Debian, I have -decided to enable full parallel booting as the default in Debian as -soon as possible (probably this weekend or early next week), to see if -there are any remaining serious bugs in the init.d dependencies. A -new version of the sysvinit package implementing this change is -already in experimental. If all go well, Squeeze will be released -with parallel booting enabled by default.

+

A few years ago, I was involved in a project planning to use +Windows file servers as home directory servers for Debian +Edu/Skolelinux machines. This was thought to be no problem, as the +access would be through the SMB network file system protocol, and we +knew other sites used SMB with unix and samba as the file server to +mount home directories without any problems. But, after months of +struggling, we had to conclude that our goal was impossible.

+ +

The reason is simply that while SMB can be used for home +directories when the file server is Samba running on Unix, this only +work because of Samba have some extensions and the fact that the +underlying file system is a unix file system. When using a Windows +file server, the underlying file system do not have POSIX semantics, +and several programs will fail if the users home directory where they +want to store their configuration lack POSIX semantics.

+ +

As part of this work, I wrote a small C program I want to share +with you all, to replicate a few of the problematic applications (like +OpenOffice.org and GCompris) and see if the file system was working as +it should. If you find yourself in spooky file system land, it might +help you find your way out again. This is the fs-test.c source:

+ +
+/*
+ * Some tests to check the file system sematics.  Used to verify that
+ * CIFS from a windows server do not work properly as a linux home
+ * directory.
+ * License: GPL v2 or later
+ * 
+ * needs libsqlite3-dev and build-essential installed
+ * compile with: gcc -Wall -lsqlite3 -DTEST_SQLITE fs-test.c -o fs-test
+*/
+
+#define _FILE_OFFSET_BITS 64
+#define _LARGEFILE_SOURCE 1
+#define _LARGEFILE64_SOURCE 1
+
+#define _GNU_SOURCE /* for asprintf() */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/file.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#ifdef TEST_SQLITE
+/*
+ * Test sqlite open, as done by gcompris require the libsqlite3-dev
+ * package and linking with -lsqlite3.  A more low level test is
+ * below.
+ * See also <URL: http://www.sqlite.org./faq.html#q5 >.
+ */
+#include <sqlite3.h>
+#define CREATE_TABLE_USERS                                              \
+  "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); "
+int test_sqlite_open(void) {
+  char *zErrMsg;
+  char *name = "testsqlite.db";
+  sqlite3 *db=NULL;
+  unlink(name);
+  int rc = sqlite3_open(name, &db);
+  if( rc ){
+    printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db));
+    sqlite3_close(db);
+    return -1;
+  }
+
+  /* create tables */
+  rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL,  0, &zErrMsg);
+  if( rc != SQLITE_OK ){
+    printf("error: sqlite table create failed: %s\n", zErrMsg);
+    sqlite3_close(db);
+    return -1;
+  }
+  printf("info: sqlite worked\n");
+  sqlite3_close(db);
+  return 0;
+}
+#endif /* TEST_SQLITE */
+
+/*
+ * Demonstrate locking issue found in gcompris using sqlite3.  This
+ * work with ext3, but not with cifs server on Windows 2003.  This is
+ * done in the sqlite3 library.
+ * See also
+ * <URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html> and the
+ * POSIX specification
+ * <URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html>.
+ */
+int test_gcompris_locking(void) {
+  struct flock fl;
+  char *name = "testsqlite.db";
+  unlink(name);
+  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
+  printf("info: testing fcntl locking\n");
+
+  fl.l_whence = SEEK_SET;
+  fl.l_pid    = getpid();
+  printf("  Read-locking 1 byte from 1073741824");
+  fl.l_start  = 1073741824;
+  fl.l_len    = 1;
+  fl.l_type   = F_RDLCK;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  printf("  Read-locking 510 byte from 1073741826");
+  fl.l_start  = 1073741826;
+  fl.l_len    = 510;
+  fl.l_type   = F_RDLCK;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  printf("  Unlocking 1 byte from 1073741824");
+  fl.l_start  = 1073741824;
+  fl.l_len    = 1;
+  fl.l_type   = F_UNLCK;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  printf("  Write-locking 1 byte from 1073741824");
+  fl.l_start  = 1073741824;
+  fl.l_len    = 1;
+  fl.l_type   = F_WRLCK;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  printf("  Write-locking 510 byte from 1073741826");
+  fl.l_start  = 1073741826;
+  fl.l_len    = 510;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  printf("  Unlocking 2 byte from 1073741824");
+  fl.l_start  = 1073741824;
+  fl.l_len    = 2;
+  fl.l_type   = F_UNLCK;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  close(fd);
+  return 0;
+}
+
+/*
+ * Test if permissions of freshly created directories allow entries
+ * below them.  This was a problem with OpenOffice.org and gcompris.
+ * Mounting with option 'sync' seem to solve this problem while
+ * slowing down file operations.
+ */
+int test_subdirectory_creation(void) {
+#define LEVELS 5
+  char *path = strdup("test");
+  char *dirs[LEVELS];
+  int level;
+  printf("info: testing subdirectory creation\n");
+  for (level = 0; level < LEVELS; level++) {
+    char *newpath = NULL;
+    if (-1 == mkdir(path, 0777)) {
+      printf("  error: Unable to create directory '%s': %s\n",
+	     path, strerror(errno));
+      break;
+    }
+    asprintf(&newpath, "%s/%s", path, "test");
+    free(path);
+    path = newpath;
+  }
+  return 0;
+}
+
+/*
+ * Test if symlinks can be created.  This was a problem detected with
+ * KDE.
+ */
+int test_symlinks(void) {
+  printf("info: testing symlink creation\n");
+  unlink("symlink");
+  if (-1 == symlink("file", "symlink"))
+    printf("  error: Unable to create symlink\n");
+  return 0;
+}
+
+int main(int argc, char **argv) {
+  printf("Testing POSIX/Unix sematics on file system\n");
+  test_symlinks();
+  test_subdirectory_creation();
+#ifdef TEST_SQLITE
+  test_sqlite_open();
+#endif /* TEST_SQLITE */
+  test_gcompris_locking();
+  return 0;
+}
+
+ +

When everything is working, it should print something like +this:

+ +
+Testing POSIX/Unix sematics on file system
+info: testing symlink creation
+info: testing subdirectory creation
+info: sqlite worked
+info: testing fcntl locking
+  Read-locking 1 byte from 1073741824
+  Read-locking 510 byte from 1073741826
+  Unlocking 1 byte from 1073741824
+  Write-locking 1 byte from 1073741824
+  Write-locking 510 byte from 1073741826
+  Unlocking 2 byte from 1073741824
+
+ +

I do not remember the exact details of the problems we saw, but one +of them was with locking, where if I remember correctly, POSIX allow a +read-only lock to be upgraded to a read-write lock without unlocking +the read-only lock (while Windows do not). Another was a bug in the +CIFS/SMB client implementation in the Linux kernel where directory +meta information would be wrong for a fraction of a second, making +OpenOffice.org fail to create its deep directory tree because it was +not allowed to create files in its freshly created directory.

+ +

Anyway, here is a nice tool for your tool box, might you never need +it. :)

- Tags: debian, english. + Tags: debian edu, english, nuug.
-
Parallellizing the boot in Debian Squeeze - ready for wider testing
-
2010-05-06 23:25
+
Autodetecting Client setup for roaming workstations in Debian Edu
+
2010-08-07 14:45
-

These days, the init.d script dependencies in Squeeze are quite -complete, so complete that it is actually possible to run all the -init.d scripts in parallell based on these dependencies. If you want -to test your Squeeze system, make sure -dependency -based boot sequencing is enabled, and add this line to -/etc/default/rcS:

- -
-CONCURRENCY=makefile
-
- -

That is it. It will cause sysv-rc to use the startpar tool to run -scripts in parallel using the dependency information stored in -/etc/init.d/.depend.boot, /etc/init.d/.depend.start and -/etc/init.d/.depend.stop to order the scripts. Startpar is configured -to try to start the kdm and gdm scripts as early as possible, and will -start the facilities required by kdm or gdm as early as possible to -make this happen.

- -

Give it a try, and see if you like the result. If some services -fail to start properly, it is most likely because they have incomplete -init.d script dependencies in their startup script (or some of their -dependent scripts have incomplete dependencies). Report bugs and get -the package maintainers to fix it. :)

- -

Running scripts in parallel could be the default in Debian when we -manage to get the init.d script dependencies complete and correct. I -expect we will get there in Squeeze+1, if we get manage to test and -fix the remaining issues.

- -

If you report any problems with dependencies in init.d scripts to -the BTS, please usertag the report to get it to show up at -the -list of usertagged bugs related to this.

+

A few days ago, I +tried +to install a Roaming workation profile from Debian Edu/Squeeze +while on the university network here at the University of Oslo, and +noticed how much had to change to get it operational using the +university infrastructure. It was fairly easy, but it occured to me +that Debian Edu would improve a lot if I could get the client to +connect without any changes at all, and thus let the client configure +itself during installation and first boot to use the infrastructure +around it. Now I am a huge step further along that road.

+ +

With our current squeeze-test packages, I can select the roaming +workstation profile and get a working laptop connecting to the +university LDAP server for user and group and our active directory +servers for Kerberos authentication. All this without any +configuration at all during installation. My users home directory got +a bookmark in the KDE menu to mount it via SMB, with the correct URL. +In short, openldap and sssd is correctly configured. In addition to +this, the client look for http://wpad/wpad.dat to configure a web +proxy, and when it fail to find it no proxy settings are stored in +/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE is +configured to look for the same wpad configuration and also do not use +a proxy when at the university network. If the machine is moved to a +network with such wpad setup, it would automatically use it when DHCP +gave it a IP address.

+ +

The LDAP server is located using DNS, by first looking for the DNS +entry ldap.$domain. If this do not exist, it look for the +_ldap._tcp.$domain SRV records and use the first one as the LDAP +server. Next, it connects to the LDAP server and search all +namingContexts entries for posixAccount or posixGroup objects, and +pick the first one as the LDAP base. For Kerberos, a similar +algorithm is used to locate the LDAP server, and the realm is the +uppercase version of $domain.

+ +

So, what is not working, you might ask. SMB mounting my home +directory do not work. No idea why, but suspected the incorrect +Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be +the cause. These are not properly configured during installation, and +had to be hand-edited to get the correct Kerberos realm and server, +but SMB mounting still do not work. :(

+ +

With this automatic configuration in place, I expect a Debian Edu +roaming profile installation would be able to automatically detect and +connect to any site using LDAP and Kerberos for NSS directory and PAM +authentication. It should also work out of the box in a Active +Directory environment providing posixAccount and posixGroup objects +with UID and GID values.

+ +

If you want to help out with implementing these things for Debian +Edu, please contact us on debian-edu@lists.debian.org.

- Tags: debian, english. + Tags: debian edu, english, nuug.
-
Forcing new users to change their password on first login
-
2010-05-02 13:47
+
Debian Edu roaming workstation - at the university of Oslo
+
2010-08-03 23:30
-

One interesting feature in Active Directory, is the ability to -create a new user with an expired password, and thus force the user to -change the password on the first login attempt.

- -

I'm not quite sure how to do that with the LDAP setup in Debian -Edu, but did some initial testing with a local account. The account -and password aging information is available in /etc/shadow, but -unfortunately, it is not possible to specify an expiration time for -passwords, only a maximum age for passwords.

- -

A freshly created account (using adduser test) will have these -settings in /etc/shadow:

- -
-root@tjener:~# chage -l test
-Last password change                                    : May 02, 2010
-Password expires                                        : never
-Password inactive                                       : never
-Account expires                                         : never
-Minimum number of days between password change          : 0
-Maximum number of days between password change          : 99999
-Number of days of warning before password expires       : 7
-root@tjener:~#
-
- -

The only way I could come up with to create a user with an expired -account, is to change the date of the last password change to the -lowest value possible (January 1th 1970), and the maximum password age -to the difference in days between that date and today. To make it -simple, I went for 30 years (30 * 365 = 10950) and January 2th (to -avoid testing if 0 is a valid value).

+

The new roaming workstation profile in Debian Edu/Squeeze is fairly +similar to the laptop setup am I working on using Ubuntu for the +University of Oslo, and just for the heck of it, I tested today how +hard it would be to integrate that profile into the university +infrastructure. In this case, it is the university LDAP server, +Active Directory Kerberos server and SMB mounting from the Netapp file +servers.

+ +

I was pleasantly surprised that the only three files needed to be +changed (/etc/sssd/sssd.conf, /etc/ldap.conf and +/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added +(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working. +Most of the changes were to get the client to use the university LDAP +for NSS and Kerberos server for PAM, but one was to change a hard +coded DNS domain name in the mklocaluser hook from .intern to +.uio.no.

+ +

This testing was so encouraging, that I went ahead and adjusted the +Debian Edu scripts and setup in subversion to centralise the roaming +workstation setup a bit more and avoid the hardcoded DNS domain name, +so that when I test this tomorrow, I expect to get away with modifying +only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the +university servers.

+ +

My goal is to get the clients to have no hardcoded settings and +fetch all their initial setup during installation and first boot, to +allow them to be inserted also into environments where the default +setup in Debian Edu has been changed or as with the university, where +the environment is different but provides the protocols Debian Edu +uses.

+
+
+ -

After using these commands to set it up, it seem to work as -intended:

+ + Tags: debian edu, english, nuug. + +
+
+
+ +
+
Circular package dependencies harms apt recovery
+
2010-07-27 23:50
+
+

I discovered this while doing +automated +testing of upgrades from Debian Lenny to Squeeze. A few packages +in Debian still got circular dependencies, and it is often claimed +that apt and aptitude should be able to handle this just fine, but +some times these dependency loops causes apt to fail.

+ +

An example is from todays +upgrade +of KDE using aptitude. In it, a bug in kdebase-workspace-data +causes perl-modules to fail to upgrade. The cause is simple. If a +package fail to unpack, then only part of packages with the circular +dependency might end up being unpacked when unpacking aborts, and the +ones already unpacked will fail to configure in the recovery phase +because its dependencies are unavailable.

+ +

In this log, the problem manifest itself with this error:

-root@tjener:~# chage -d 1 test; chage -M 10950 test
-root@tjener:~# chage -l test
-Last password change                                    : Jan 02, 1970
-Password expires                                        : never
-Password inactive                                       : never
-Account expires                                         : never
-Minimum number of days between password change          : 0
-Maximum number of days between password change          : 10950
-Number of days of warning before password expires       : 7
-root@tjener:~#  
+dpkg: dependency problems prevent configuration of perl-modules:
+ perl-modules depends on perl (>= 5.10.1-1); however:
+  Version of perl on system is 5.10.0-19lenny2.
+dpkg: error processing perl-modules (--configure):
+ dependency problems - leaving unconfigured
 
-

So far I have tested this with ssh and console, and kdm (in -Squeeze) login, and all ask for a new password before login in the -user (with ssh, I was thrown out and had to log in again).

- -

Perhaps we should set up something similar for Debian Edu, to make -sure only the user itself have the account password?

- -

If you want to comment on or help out with implementing this for -Debian Edu, please contact us on debian-edu@lists.debian.org.

- -

Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the -shadow(8) page in Debian/testing now state that setting the date of -last password change to zero (0) will force the password to be changed -on the first login. This was not mentioned in the manual in Lenny, so -I did not notice this in my initial testing. I have tested it on -Squeeze, and 'chage -d 0 username' do work there. I have not -tested it on Lenny yet.

- -

Update 2010-05-02-19:05: Jim Paris tells me via email that an -equivalent command to expire a password is 'passwd -e -username', which insert zero into the date of the last password -change.

+

The perl/perl-modules circular dependency is already +reported as a bug, and will +hopefully be solved as soon as possible, but it is not the only one, +and each one of these loops in the dependency tree can cause similar +failures. Of course, they only occur when there are bugs in other +packages causing the unpacking to fail, but it is rather nasty when +the failure of one package causes the problem to become worse because +of dependency loops.

+ +

Thanks to +the +tireless effort by Bill Allombert, the number of circular +dependencies +left in Debian +is dropping, and perhaps it will reach zero one day. :)

+ +

Todays testing also exposed a bug in +update-notifier and +different behaviour between +apt-get and aptitude, the latter possibly caused by some circular +dependency. Reported both to BTS to try to get someone to look at +it.

- Tags: debian edu, english, nuug, sikkerhet. + Tags: debian, english, nuug.
-
Thoughts on roaming laptop setup for Debian Edu
-
2010-04-28 20:40
+
First Debian Edu test release (alpha0) based on Squeeze is released
+
2010-07-27 17:45
-

For some years now, I have wondered how we should handle laptops in -Debian Edu. The Debian Edu infrastructure is mostly designed to -handle stationary computers, and less suited for computers that come -and go.

+

I just posted this announcement culminating several months of work +with the next Debian Edu release. Not nearly done, but one major step +completed.

+ +
+

This is the first test release based on Squeeze. The focus of this +release is to test the user application selection. To have a look, +install the standalone profile and let the developers know if the set +of installed packages i.e. applications should be modified. If some +user application is missing, or if there are some applications that no +longer make sense to be included in Debian Edu, please let us know. +Also, if a useful application is missing the translation for your +language of choice, please let us know too.

+ +

In addition, feedback and help to polish the desktop (menus, +artwork, starters, etc.) is appreciated. We would like to ship a nice +and handy KDE4 desktop targeted for schools out of the box.

+ +

The other profiles should be installable, but there is a lot more +work left to be done before they are ready, so do not expect to +much.

+ +

Changes compared to the lenny based version

-

Now I finally believe I have an sensible idea on how to adjust -Debian Edu for laptops, by introducing a new profile for them, for -example called Roaming Workstations. Here are my thought on this. -The setup would consist of the following:

+
    +
  • Everything from Debian Squeeze +
      +
    • Desktop environment KDE 4.4 => the new KDE desktop in + combination with some new artwork +
    • Web browser Iceweasel 3.5 +
    • OpenOffice.org 3.2 +
    • Educational toolbox GCompris 9.3 +
    • Music creator Rosegarden 10.04.2 +
    • Image editor Gimp 2.6.10 +
    • Virtual universe Celestia 1.6.0 +
    • Virtual stargazer Stellarium 0.10.4 +
    • 3D modeler Blender 2.49.2 (new application) +
    • Video editor Kdenlive 0.7.7 (new application) +
  • +
  • Now using Kerberos for password checking (migration not finished). + Enabled for: +
      +
    • PAM +
    • LDAP +
    • IMAP +
    • SMTP (sender verification) +
    +
  • +
  • New experimental roaming workstation profile for laptops.
  • +
  • Show welcome page to users when they first log in. The URL is + fetched from LDAP.
  • +
  • New LXDE desktop option, in addition to KDE (default) and Gnome.
  • +
  • General cleanup (not finished)
  • +
+

The following features are not working as they should

    +
  • No web based administration tool for creating users and groups. The + scripts ldap-createuser-krb and ldap-add-user-to-group can be used + for testing.
  • +
  • DVD installs are missing debian-installer images for the PXE boot, + and do not set up the PXE menu on eth0 because of this. LTSP + clients should still boot from eth1 on thin client servers.
  • +
  • The restructured KDE menu is not implemented.
  • +
  • The LDAP server setup need to be reviewed for security.
  • +
  • The LDAP directory structure need to be reworked.
  • +
  • Different sets of packages are installed when using the DVD and the + netinst CD. More packages are installed using the netinst CD.
  • +
  • The jackd package fail to install. This is believed to be caused by + some ongoing transition, and hopefully should be solved soon. The + jackd1 package can be installed manually for those that need it.
  • +
  • Some packages lack translations. See + http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status, + and help out with translations.
  • +
-
  • During installation, the user name of the owner / primary user of - the laptop is requested and a local home directory is set up for - the user, with uid and gid information fetched from the LDAP - server. This allow the user to work also when offline. The - central home directory can be available in a subdirectory on - request, for example mounted via CIFS. It could be mounted - automatically when a user log in while on the Debian Edu network, - and unmounted when the machine is taken away (network down, - hibernate, etc), it can be set up to do automatic mounting on - request (using autofs), or perhaps some GUI button on the desktop - can be used to access it when needed. Perhaps it is enough to use - the fish protocol in KDE?
  • - -
  • Password checking is set up to use LDAP or Kerberos - authentication when the machine is on the Debian Edu network, and - to cache the password for offline checking when the machine unable - to reach the LDAP or Kerberos server. This can be done using - libpam-ccreds - or the Fedora developed - System - Security Services Daemon packages.
  • - -
  • File synchronisation with the central home directory is set up - using a shared directory in both the local and the central home - directory, using unison.
  • - -
  • Printing should be set up to print to all printers broadcasting - their existence on the local network, and should then work out of - the box with CUPS. For sites needing accurate printer quotas, some - system with Kerberos authentication or printing via ssh could be - implemented.
  • - -
  • For users that should have local root access to their laptop, - sudo should be used to allow this to the local user.
  • - -
  • It would be nice if user and group information from LDAP is - cached on the client, but given that there are entries for the - local user and primary group in /etc/, it should not be needed.
  • +

    To download this multiarch netinstall release you can use

    + +

    To download this multiarch dvd release you can use

    -

    I believe all the pieces to implement this are in Debian/testing at -the moment. If we work quickly, we should be able to get this ready -in time for the Squeeze release to freeze. Some of the pieces need -tweaking, like libpam-ccreds should get support for pam-auth-update -(#566718) and nslcd (or -perhaps debian-edu-config) should get some integration code to stop -its daemon when the LDAP server is unavailable to avoid long timeouts -when disconnected from the net. If we get Kerberos enabled, we need -to make sure we avoid long timeouts there too.

    + -

    If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

    +

    There is no source DVD available yet. It will be prepared when we +get closer to the final release.

    + +

    The MD5SUM of these images are

    + +
      +
    • 3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso
    • +
    • 22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso
    • +
    + +

    The SHA1SUM of these images are

    +
      +
    • c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso
    • +
    • 2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso
    • +
    +

    How to report bugs: +http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla

    + +

    Please direct replies to debian-edu@lists.debian.org

    +
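Review bot: in the fs-test.c added in this hunk, test_gcompris_locking() never checks the result of open(): if O_CREAT fails (exactly the kind of failure this tool exists to surface on a misbehaving home directory), fd is -1 and all six fcntl() calls print " - error!" without saying why. Check the descriptor ("if (fd == -1) { perror(name); return -1; }") and print strerror(errno) on each fcntl() failure, as test_subdirectory_creation() already does for mkdir(). Related: every test returns 0 regardless of outcome and main() always exits 0, so the program cannot be used from a script; let each test return non-zero on failure and have main() combine the results into its exit status. In test_sqlite_open(), the message from sqlite3_exec() has to be released with sqlite3_free(zErrMsg), and the compile line in the header comment puts -lsqlite3 before fs-test.c, which fails with "undefined reference" on toolchains that pass --as-needed to the linker by default; move the library after the source file. A documentation nit: the offsets 1073741824 (0x40000000) and 1073741826 with length 510 are SQLite's pending, reserved and shared lock bytes, and the step "Write-locking 510 byte from 1073741826" while those bytes are still read-locked is the read-to-write lock upgrade the post later says Windows rejects; saying so in the comment would let a reader verify the later prose ("I do not remember the exact details") from the code. Finally, "sematics" appears twice (the header comment and the "Testing POSIX/Unix sematics" banner, so also in the expected output) and the SQLite URL has a stray dot ("www.sqlite.org./faq.html").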
    @@ -282,211 +554,517 @@ please contact us on debian-edu@lists.debian.org.

    - -
    2010-04-19 17:10
    + +
    2010-07-25 10:00
    -

    The last few weeks i have had the pleasure of reading a -thought-provoking collection of essays by Cory Doctorow, on topics -touching copyright, virtual worlds, the future of man when the -conscience mind can be duplicated into a computer and many more. The -book titled "Content: Selected Essays on Technology, Creativity, -Copyright, and the Future of the Future" is available with few -restrictions on the web, for example from -his own site. I read the -epub-version from -feedbooks using -fbreader and my N810. I -strongly recommend this book.

    +

    The last few months me and the other Debian Edu developers have +been working hard to get the Debian/Squeeze based version of Debian +Edu/Skolelinux into shape. This future version will use Kerberos for +authentication, and services are slowly migrated to single signon, +getting rid of password questions one at the time.

    + +

    It will also feature a roaming workstation profile with local home +directory, for laptops that are only some times on the Skolelinux +network, and for this profile a shortcut is created in Gnome and KDE +to gain access to the users home directory on the file server. This +shortcut uses SMB at the moment, and yesterday I had time to test if +SMB mounting had started working in KDE after we added the cifs-utils +package. I was pleasantly surprised how well it worked.

    + +

    Thanks to the recent changes to our samba configuration to get it +to use Kerberos for authentication, there were no question about user +password when mounting the SMB volume. A simple click on the shortcut +in the KDE menu, and a window with the home directory popped +up. :)

    + +

    One step closer to a single signon solution out of the box in +Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now +also Samba. Next step is Cups and hopefully also NFS.

    + +

    We had planned a alpha0 release of Debian Edu for today, but thanks +to the autobuilder administrators for some architectures being slow to +sign packages, we are still missing the fixed LTSP package we need for +the release. It was uploaded three days ago with urgency=high, and if +it had entered testing yesterday we would have been able to test it in +time for a alpha0 release today. As the binaries for ia64 and powerpc +still not uploaded to the Debian archive, we need to delay the alpha +release another day.

    + +

    If you want to help out with implementing Kerberos for Debian Edu, +please contact us on debian-edu@lists.debian.org.

    - -
    2010-04-14 17:20
    + +
    2010-07-22 23:50
    -

    Yesterdays -NUUG presentation about Kerberos was inspiring, and reminded me -about the need to start using Kerberos in Skolelinux. Setting up a -Kerberos server seem to be straight forward, and if we get this in -place a long time before the Squeeze version of Debian freezes, we -have a chance to migrate Skolelinux away from NFSv3 for the home -directories, and over to an architecture where the infrastructure do -not have to trust IP addresses and machines, and instead can trust -users and cryptographic keys instead.

    - -

    A challenge will be integration and administration. Is there a -Kerberos implementation for Debian where one can control the -administration access in Kerberos using LDAP groups? With it, the -school administration will have to maintain access control using flat -files on the main server, which give a huge potential for errors.

    - -

    A related question I would like to know is how well Kerberos and -pam-ccreds (offline password check) work together. Anyone know?

    - -

    Next step will be to use Kerberos for access control in Lwat and -Nagios. I have no idea how much work that will be to implement. We -would also need to document how to integrate with Windows AD, as such -shared network will require two Kerberos realms that need to cooperate -to work properly.

    - -

    I believe a good start would be to start using Kerberos on the -skolelinux.no machines, and this way get ourselves experience with -configuration and integration. A natural starting point would be -setting up ldap.skolelinux.no as the Kerberos server, and migrate the -rest of the machines from PAM via LDAP to PAM via Kerberos one at the -time.

    - -

    If you would like to contribute to get this working in Skolelinux, -I recommend you to see the video recording from yesterdays NUUG -presentation, and start using Kerberos at home. The video show show -up in a few days.

    +

    For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at +musikkbransjen var godt i gang med å selge platene sine med DRM som +gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg +hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en +plate om den var ødelagt eller ikke, og jeg hadde jo allerede en +anseelig samling med plater, så jeg bestemme meg for å slutte å gi +penger til en bransje som åpenbart ikke respekterte meg.

    + +

    Jeg har mange titalls dager med musikk på CD i dag. Det meste er +lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har +ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer +musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt +fornøyd.

    + +

    Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de +setter pris på meg som kunde, og ikke skremme meg bort med DRM og +antydninger om at kundene er kriminelle.

    + +

    Filmbransjen er like ille, men mens musikk gjerne varer lenge, er +filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men +holder meg til DVD-filmer som kan spilles av på mine Linuxbokser. +Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene +«Ultraviolet» som be annonsert her om dagen.

    - -
    2010-03-06 21:15
    + +
    2010-07-18 16:45
    -

    Aftenposten -melder på forsiden av webavisen sin at de tror Erling Fossen -provoserer nordlendinger med sine uttalelser på -fotballtinget. Jeg er utflyttet nordlending, og må innrømme at jeg -ikke kjennet så mye som et snev av provokasjon fra denne litt morsomme -uttalelsen til Hr. Fossen. Lurer på om Aftenposten har noen kilder -utenom redaksjonen for sin påstand om at nordledinger er provosert av -Hr. Fossen. Må innrømme at jeg tviler på det.

    - -

    Det hele bringer tankene tilbake til Sture Hansen i Hallo i Uken.

    +

    Thanks to +todays +opengeodata blog entry, I just discovered that the +OpenStreetmap.org site have gotten +support +for calculating routes. The support is still experimental and +only available from the development server, until more experience is +gathered on the user interface and any scalability issues.

    + +

    Earlier, the routing I knew about using the OpenStreetmap.org data +was provided by Cloudmade, +but having it on the main page is required to make everyone aware of +the issue. I've had people reject Openstreetmap.org as a viable +alternative for them because the front page lacked routing support, +and I hope their needs will be catered for when routing show up on the +www.openstreetmap.org front page.

    - Tags: norsk. + Tags: english, kart, web.
    - -
    2010-03-06 18:15
    + +
    2010-07-17 21:00
    -

    6 years ago, as part of the Debian Edu development I am involved -in, I asked for a hook in the kdm and gdm setup to run scripts as root -when the user log out. A bug was submitted against the xfree86-common -package in 2004 (#230422), -and revisited every time Debian Edu was working on a new release. -Today, this finally paid off.

    - -

    The framework for this feature was today commited to the git -repositry for the xorg package, and the git repository for xdm has -been updated to use this framework. Next on my agenda is to make sure -kdm and gdm also add code to use this framework.

    - -

    In Debian Edu, we want to ability to run commands as root when the -user log out, to get rid of runaway processes and do general cleanup -after a user. With this framework in place, we finally can do that in -a generic way that work with all display managers using this -framework. My goal is to get all display managers in Debian use it, -similar to how they use the Xsession.d framework today.

    -

    -
    - +

    This is a +followup +on my +previous +work on +merging +all the computer related LDAP objects in Debian Edu.

    + +

    As a step to try to see if it possible to merge the DNS and DHCP +LDAP objects, I have had a look at how the packages pdns-backend-ldap +and dhcp3-server-ldap in Debian use the LDAP server. The two +implementations are quite different in how they use LDAP.

    + +To get this information, I started slapd with debugging enabled and +dumped the debug output to a file to get the LDAP searches performed +on a Debian Edu main-server. Here is a summary. + +

    powerdns

    + +Clues +on how to set up PowerDNS to use a LDAP backend is available on +the web. + +

    PowerDNS have two modes of operation using LDAP as its backend. +One "strict" mode where the forward and reverse DNS lookups are done +using the same LDAP objects, and a "tree" mode where the forward and +reverse entries are in two different subtrees in LDAP with a structure +based on the DNS names, as in tjener.intern and +2.2.0.10.in-addr.arpa.

    + +

    In tree mode, the server is set up to use a LDAP subtree as its +base, and uses a "base" scoped search for the DNS name by adding +"dc=tjener,dc=intern," to the base with a filter for +"(associateddomain=tjener.intern)" for the forward entry and +"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for +"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry. For +forward entries, it is looking for attributes named dnsttl, arecord, +nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord, +txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord, +srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord, +ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord, +spfrecord and modifytimestamp. For reverse entries it is looking for +the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord, +ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord, +locrecord, srvrecord, naptrrecord and modifytimestamp. The equivalent +ldapsearch commands could look like this:

    - - Tags: debian edu, english, nuug. - -
    -
    -
    - -
    - -
    2010-03-03 19:00
    -
    -

    Den norske bokbransjen har -bedt om at -digitale bøker må få mva-fritak slik papirbøker har det, og -finansdepartementet -har sagt nei. Det er et interessant spørsmål om digitale bøker -bør ha mva-fritak eller ikke, og svaret er ikke så enkelt som et ja -eller nei. -Enkelte -medlemmer av bokbransjen truer med å droppe den planlagte -lanseringen av norske digitale bøker med digitale restriksjonsmekanismer -(DRM) som de har snakket om å gjennomføre nå i vår, og det må de -gjerne gjøre for min del.

    - -

    Papirbøker har mva-fritak pga. at de fremmer kultur- og -kunnskapsspredning. Digitale bøker uten digitale -restriksjonsmekanismer (DRM) fremmer kultur- og kunnskapsspredning, -mens digitale bøker med DRM hindrer kultur og kunnskapsspredning. -Digitale bøker uten DRM bør få mva-fritak da det er salg av bøker på -lik linje med salg av papirbøker, mens digitale bøker med DRM ikke bør -få det da det er utleie av bøker og ikke salg.

    - -

    Jeg foretrekker å kjøpe bøker, og velger dermed å la være å bruke -DRM-belastede digitale bøker. Vet ikke helt hva jeg ville være villig -til å betale for å leie en bok, men tror ikke det er mange kronene. -Heldigvis er det mye bøker tilgjengelig uten slike restriksjoner, og -de som vil ha tak i engelske bøker kan laste ned bøker som er -tilgjengelig uten bruksbegresninger fra The -Internet Archive. Der er det pr. i dag 1 889 313 bøker -tilgjengelig. De er tilgjengelig i flere formater. Besøk -oversikten over tekster -der for å se hva de har. +

    +ldapsearch -h ldap \
    +  -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \
    +  -s base -x '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
    +  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
    +  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
    +  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
    +  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
    +
    +ldapsearch -h ldap \
    +  -b dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \
    +  -s base -x '(associateddomain=2.2.0.10.in-addr.arpa)'
    +  dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \
    +  hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \
    +  srvrecord naptrrecord modifytimestamp
    +
    + +

    In Debian Edu/Lenny, the PowerDNS tree mode is used with +ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two +example LDAP objects used there. In addition to these objects, the +parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no +also exist.

    + +
    +dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no
    +objectclass: top
    +objectclass: dnsdomain
    +objectclass: domainrelatedobject
    +dc: tjener
    +arecord: 10.0.2.2
    +associateddomain: tjener.intern
    +
    +dn: dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no
    +objectclass: top
    +objectclass: dnsdomain2
    +objectclass: domainrelatedobject
    +dc: 2
    +ptrrecord: tjener.intern
    +associateddomain: 2.2.0.10.in-addr.arpa
    +
    + +

    In strict mode, the server behaves differently. When looking for +forward DNS entries, it is doing a "subtree" scoped search with the +same base as in the tree mode for a object with filter +"(associateddomain=tjener.intern)" and requests the attributes dnsttl, +arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, +mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord, +naptrrecord and modifytimestamp. For reverse entires it also do a +subtree scoped search but this time the filter is "(arecord=10.0.2.2)" +and the requested attributes are associateddomain, dnsttl and +modifytimestamp. In short, in strict mode the objects with ptrrecord +go away, and the arecord attribute in the forward object is used +instead.

    + +

    The forward and reverse searches can be simulated using ldapsearch +like this:

    + +
    +ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
    +  '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
    +  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
    +  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
    +  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
    +  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
    +
    +ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
    +  '(arecord=10.0.2.2)' associateddomain dnsttl modifytimestamp
    +
    + +

    In addition to the forward and reverse searches , there is also a +search for SOA records, which behave similar to the forward and +reverse lookups.

    + +

    A thing to note with the PowerDNS behaviour is that it do not +specify any objectclass names, and instead look for the attributes it +need to generate a DNS reply. This make it able to work with any +objectclass that provide the needed attributes.

    + +

    The attributes are normally provided in the cosine (RFC 1274) and +dnsdomain2 schemas. The latter is used for reverse entries like +ptrrecord and recent DNS additions like aaaarecord and srvrecord.

    + +

    In Debian Edu, we have created DNS objects using the object classes +dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS +attributes) and domainrelatedobject (for associatedDomain). The use +of structural object classes make it impossible to combine these +classes with the object classes used by DHCP.

    + +

    There are other schemas that could be used too, for example the +dnszone structural object class used by Gosa and bind-sdb for the DNS +attributes combined with the domainrelatedobject object class, but in +this case some unused attributes would have to be included as well +(zonename and relativedomainname).

    + +

    My proposal for Debian Edu would be to switch PowerDNS to strict +mode and not use any of the existing objectclasses (dnsdomain, +dnsdomain2 and dnszone) when one want to combine the DNS information +with DHCP information, and instead create a auxiliary object class +defined something like this (using the attributes defined for +dnsdomain and dnsdomain2 or dnszone):

    + +
    +objectclass ( some-oid NAME 'dnsDomainAux'
    +    SUP top
    +    AUXILIARY
    +    MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $
    +          DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $
    +          TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $
    +          NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
    +          A6Record $ DNAMERecord
    +    ))
    +
    + +

    This will allow any object to become a DNS entry when combined with +the domainrelatedobject object class, and allow any entity to include +all the attributes PowerDNS wants. I've sent an email to the PowerDNS +developers asking for their view on this schema and if they are +interested in providing such schema with PowerDNS, and I hope my +message will be accepted into their mailing list soon.

    + +

    ISC dhcp

    + +

    The DHCP server searches for specific objectclass and requests all +the object attributes, and then uses the attributes it want. This +make it harder to figure out exactly what attributes are used, but +thanks to the working example in Debian Edu I can at least get an idea +what is needed without having to read the source code.

    + +

    In the DHCP server configuration, the LDAP base to use and the +search filter to use to locate the correct dhcpServer entity is +stored. These are the relevant entries from +/etc/dhcp3/dhcpd.conf:

    + +
    +ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
    +ldap-dhcp-server-cn "dhcp";
    +
    + +

    The DHCP server uses this information to nest all the DHCP +configuration it need. The cn "dhcp" is located using the given LDAP +base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))". The +search result is this entry:

    + +
    +dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
    +cn: dhcp
    +objectClass: top
    +objectClass: dhcpServer
    +dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
    +
    + +

    The content of the dhcpServiceDN attribute is next used to locate the +subtree with DHCP configuration. The DHCP configuration subtree base +is located using a base scope search with base "cn=DHCP +Config,dc=skole,dc=skolelinux,dc=no" and filter +"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))". +The search result is this entry:

    + +
    +dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
    +cn: DHCP Config
    +objectClass: top
    +objectClass: dhcpService
    +objectClass: dhcpOptions
    +dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
    +dhcpStatements: ddns-update-style none
    +dhcpStatements: authoritative
    +dhcpOption: smtp-server code 69 = array of ip-address
    +dhcpOption: www-server code 72 = array of ip-address
    +dhcpOption: wpad-url code 252 = text
    +
    + +

    Next, the entire subtree is processed, one level at the time. When +all the DHCP configuration is loaded, it is ready to receive requests. +The subtree in Debian Edu contain objects with object classes +top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions, +top/dhcpSubnet, top/dhcpGroup and top/dhcpHost. These provide options +and information about netmasks, dynamic range etc. Leaving out the +details here because it is not relevant for the focus of my +investigation, which is to see if it is possible to merge dns and dhcp +related computer objects.

    + +

    When a DHCP request come in, LDAP is searched for the MAC address +of the client (00:00:00:00:00:00 in this example), using a subtree +scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as +the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet +00:00:00:00:00:00))" as the filter. This is what a host object look +like:

    + +
    +dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
    +cn: hostname
    +objectClass: top
    +objectClass: dhcpHost
    +dhcpHWAddress: ethernet 00:00:00:00:00:00
    +dhcpStatements: fixed-address hostname
    +
    + +

    There is less flexiblity in the way LDAP searches are done here. +The object classes need to have fixed names, and the configuration +need to be stored in a fairly specific LDAP structure. On the +positive side, the invidiual dhcpHost entires can be anywhere without +the DN pointed to by the dhcpServer entries. The latter should make +it possible to group all host entries in a subtree next to the +configuration entries, and this subtree can also be shared with the +DNS server if the schema proposed above is combined with the dhcpHost +structural object class. + +

    Conclusion

    + +

    The PowerDNS implementation seem to be very flexible when it come +to which LDAP schemas to use. While its "tree" mode is rigid when it +come to the the LDAP structure, the "strict" mode is very flexible, +allowing DNS objects to be stored anywhere under the base cn specified +in the configuration.

    + +

    The DHCP implementation on the other hand is very inflexible, both +regarding which LDAP schemas to use and which LDAP structure to use. +I guess one could implement ones own schema, as long as the +objectclasses and attributes have the names used, but this do not +really help when the DHCP subtree need to have a fairly fixed +structure.

    + +

    Based on the observed behaviour, I suspect a LDAP structure like +this might work for Debian Edu:

    + +
    +ou=services
    +  cn=machine-info (dhcpService) - dhcpServiceDN points here
    +    cn=dhcp (dhcpServer)
    +    cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
    +      cn=10.0.2.0 (dhcpSubnet)
    +        cn=group1 (dhcpGroup/dhcpOptions)
    +    cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
    +      cn=192.168.0.0 (dhcpSubnet)
    +        cn=group1 (dhcpGroup/dhcpOptions)
    +    ou=machines - PowerDNS base points here
    +      cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
    +
    + +

    This is not tested yet. If the DHCP server require the dhcpHost +entries to be in the dhcpGroup subtrees, the entries can be stored +there instead of a common machines subtree, and the PowerDNS base +would have to be moved one level up to the machine-info subtree.

    + +

    The combined object under the machines subtree would look something +like this:

    + +
    +dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
    +dc: hostname
    +objectClass: top
    +objectClass: dhcpHost
    +objectclass: domainrelatedobject
    +objectclass: dnsDomainAux
    +associateddomain: hostname.intern
    +arecord: 10.11.12.13
    +dhcpHWAddress: ethernet 00:00:00:00:00:00
    +dhcpStatements: fixed-address hostname.intern
    +
    + +

    One could even add the LTSP configuration associated with a given +machine, as long as the required attributes are available in a +auxiliary object class.

    - -
    2010-02-11 17:15
    + +
    2010-07-14 23:45
    -

    On Tuesday, the Debian/Lenny based version of -Skolelinux was finally -shipped. This was a major leap forward for the project, and I am very -pleased that we finally got the release wrapped up. Work on the first -point release starts imediately, as we plan to get that one out a -month after the major release, to include all fixes for bugs we found -and fixed too late in the release process to include last Tuesday.

    - -

    Perhaps it even is time for some partying?

    - -

    After this first point release, my plan is to focus again on the -next major release, based on Squeeze. We will try to get as many of -the fixes we need into the official Debian packages before the freeze, -and have just a few weeks or months to make it happen.

    +

    For a while now, I have wanted to find a way to change the DNS and +DHCP services in Debian Edu to use the same LDAP objects for a given +computer, to avoid the possibility of having a inconsistent state for +a computer in LDAP (as in DHCP but no DNS entry or the other way +around) and make it easier to add computers to LDAP.

    + +

    I've looked at how powerdns and dhcpd is using LDAP, and using this +information finally found a solution that seem to work.

    + +

    The old setup required three LDAP objects for a given computer. +One forward DNS entry, one reverse DNS entry and one DHCP entry. If +we switch powerdns to use its strict LDAP method (ldap-method=strict +in pdns-debian-edu.conf), the forward and reverse DNS entries are +merged into one while making it impossible to transfer the reverse map +to a slave DNS server.

    + +

    If we also replace the object class used to get the DNS related +attributes to one allowing these attributes to be combined with the +dhcphost object class, we can merge the DNS and DHCP entries into one. +I've written such object class in the dnsdomainaux.schema file (need +proper OIDs, but that is a minor issue), and tested the setup. It +seem to work.

    + +

    With this test setup in place, we can get away with one LDAP object +for both DNS and DHCP, and even the LTSP configuration I suggested in +an earlier email. The combined LDAP object will look something like +this:

    + +
    +  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
    +  cn: hostname
    +  objectClass: dhcphost
    +  objectclass: domainrelatedobject
    +  objectclass: dnsdomainaux
    +  associateddomain: hostname.intern
    +  arecord: 10.11.12.13
    +  dhcphwaddress: ethernet 00:00:00:00:00:00
    +  dhcpstatements: fixed-address hostname
    +  ldapconfigsound: Y
    +
    + +

    The DNS server uses the associateddomain and arecord entries, while +the DHCP server uses the dhcphwaddress and dhcpstatements entries +before asking DNS to resolve the fixed-adddress. LTSP will use +dhcphwaddress or associateddomain and the ldapconfig* attributes.

    + +

    I am not yet sure if I can get the DHCP server to look for its +dhcphost in a different location, to allow us to put the objects +outside the "DHCP Config" subtree, but hope to figure out a way to do +that. If I can't figure out a way to do that, we can still get rid of +the hosts subtree and move all its content into the DHCP Config tree +(which probably should be renamed to be more related to the new +content. I suspect cn=dnsdhcp,ou=services or something like that +might be a good place to put it.

    + +

    If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

    @@ -514,7 +1092,13 @@ and have just a few weeks or months to make it happen.

  • April (3)
  • -
  • May (3)
  • +
  • May (9)
  • + +
  • June (14)
  • + +
  • July (12)
  • + +
  • August (3)
  • @@ -569,17 +1153,21 @@ and have just a few weeks or months to make it happen.

  • aros (1)
  • -
  • debian (16)
  • +
  • bootsystem (10)
  • -
  • debian edu (15)
  • +
  • debian (35)
  • -
  • english (26)
  • +
  • debian edu (39)
  • + +
  • english (54)
  • fiksgatami (1)
  • -
  • fildeling (6)
  • +
  • fildeling (8)
  • + +
  • kart (3)
  • -
  • kart (2)
  • +
  • ldap (8)
  • lenker (1)
  • @@ -587,21 +1175,23 @@ and have just a few weeks or months to make it happen.

  • multimedia (5)
  • -
  • norsk (64)
  • +
  • norsk (71)
  • -
  • nuug (71)
  • +
  • nuug (91)
  • -
  • opphavsrett (12)
  • +
  • opphavsrett (14)
  • -
  • personvern (11)
  • +
  • personvern (14)
  • reprap (10)
  • rss (1)
  • -
  • sikkerhet (7)
  • +
  • sikkerhet (10)
  • + +
  • sitesummary (3)
  • -
  • standard (11)
  • +
  • standard (13)
  • stavekontroll (1)
  • @@ -609,7 +1199,7 @@ and have just a few weeks or months to make it happen.

  • vitenskap (1)
  • -
  • web (6)
  • +
  • web (7)