Typo.

[homepage.git] / blog / archive / 2010 / 07 / 07.rss

<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
        <channel>
                <title>Petter Reinholdtsen - Entries from July 2010</title>
                <description>Entries from July 2010</description>
                <link>http://people.skolelinux.org/pere/blog/</link>

        
        <item>
                <title>Caching password, user and group on a roaming Debian laptop</title>
                <link>http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</guid>
                <pubDate>Thu, 1 Jul 2010 11:40:00 +0200</pubDate>
                <description>&lt;p&gt;For a laptop, centralized user directories and password checking is
a bit troubling.  Laptops are typically used also when not connected
to the network, and it is vital for a user to be able to log in or
unlock the screen saver also when a central server is unavailable.
This is possible by caching passwords and directory information (user
and group attributes) locally, and the packages to do so are available
in Debian.  Here follow two recipes to set this up in Debian/Squeeze.
It is also possible to set up in Debian/Lenny, but require more manual
setup there because pam-auth-update is missing in Lenny.&lt;/p&gt;

&lt;h2&gt;LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir&lt;/h2&gt;

This is the traditional method with a twist.  The password caching is
provided by libpam-ccreds (version 10-4 or later is needed on
Squeeze), and the directory caching is done by nscd.  The directory
lookup and password checking is done using LDAP.  If one want to use
Kerberos for password checking the libpam-ldapd package can be
replaced with libpam-krb5 or libpam-heimdal.  If one is happy having a
local home directory with the path listed in LDAP, one can use the
pam_mkhomedir module from pam-modules to make this happen instead of
using libpam-mklocaluser.  A setup for pam-auth-update to enable
pam_mkhomedir will have to be written until a fix for
&lt;a href=&quot;http://bugs.debian.org/568577&quot;&gt;bug #568577&lt;/a&gt; is in the
archive.  Because I believe it is a bad idea to have local home
directories using misleading paths like /site/server/partition/, I
prefer to create a local user with the home directory in /home/.  This
is done using the libpam-mklocaluser package.&lt;/p&gt;

&lt;p&gt;These packages need to be installed and configured&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The ldapd packages will ask for LDAP connection information, and
one have to fill in the values that fits ones own site.  Make sure the
PAM part uses encrypted connections, to make sure the password is not
sent in clear text to the LDAP server.  I&#39;ve been unable to get TLS
certificate checking for a self signed certificate working, which make
LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
is talking to the correct LDAP server), and very much welcome feedback
on how to get this working.&lt;/p&gt;

&lt;p&gt;Because nscd do not have a default configuration fit for offline
caching until &lt;a href=&quot;http://bugs.debian.org/485282&quot;&gt;bug #485282&lt;/a&gt;
is fixed, this configuration should be used instead of the one
currently in /etc/nscd.conf.  The changes are in the fields
reload-count and positive-time-to-live, and is based on the
instructions I found in the
&lt;a href=&quot;http://www.flyn.org/laptopldap/&quot;&gt;LDAP for Mobile Laptops&lt;/a&gt;
instructions by Flyn Computing.&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
        debug-level             0
        reload-count            unlimited
        paranoia                no

        enable-cache            passwd          yes
        positive-time-to-live   passwd          2592000
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes
        persistent              passwd          yes
        shared                  passwd          yes
        max-db-size             passwd          33554432
        auto-propagate          passwd          yes

        enable-cache            group           yes
        positive-time-to-live   group           2592000
        negative-time-to-live   group           20
        suggested-size          group           211
        check-files             group           yes
        persistent              group           yes
        shared                  group           yes
        max-db-size             group           33554432
        auto-propagate          group           yes

        enable-cache            hosts           no
        positive-time-to-live   hosts           2592000
        negative-time-to-live   hosts           20
        suggested-size          hosts           211
        check-files             hosts           yes
        persistent              hosts           yes
        shared                  hosts           yes
        max-db-size             hosts           33554432

        enable-cache            services        yes
        positive-time-to-live   services        2592000
        negative-time-to-live   services        20
        suggested-size          services        211
        check-files             services        yes
        persistent              services        yes
        shared                  services        yes
        max-db-size             services        33554432
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;While we wait for a mechanism to update /etc/nsswitch.conf
automatically like the one provided in
&lt;a href=&quot;http://bugs.debian.org/496915&quot;&gt;bug #496915&lt;/a&gt;, the file
content need to be manually replaced to ensure LDAP is used as the
directory service on the machine.  /etc/nsswitch.conf should normally
look like this:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      files
services:       files
ethers:         files
rpc:            files
netgroup:       files ldap
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The important parts are that ldap is listed last for passwd, group,
shadow and netgroup.&lt;/p&gt;

&lt;p&gt;With these changes in place, any user in LDAP will be able to log
in locally on the machine using for example kdm, get a local home
directory created and have the password as well as user and group
attributes cached.

&lt;h2&gt;LDAP/Kerberos + nss-updatedb + libpam-ccreds +
  libpam-mklocaluser/pam_mkhomedir&lt;/h2&gt;

&lt;p&gt;Because nscd have had its share of problems, and seem to have
problems doing proper caching, I&#39;ve seen suggestions and recipes to
use nss-updatedb to copy parts of the LDAP database locally when the
LDAP database is available.  I have not tested such setup, because I
discovered sssd.&lt;/p&gt;

&lt;h2&gt;LDAP/Kerberos + sssd + libpam-mklocaluser&lt;/h2&gt;

&lt;p&gt;A more flexible and robust setup than the nscd combination
mentioned earlier that has shown up recently, is the
&lt;a href=&quot;https://fedorahosted.org/sssd/&quot;&gt;sssd&lt;/a&gt; package from Redhat.
It is part of the &lt;a href=&quot;http://www.freeipa.org/&quot;&gt;FreeIPA&lt;/A&gt; project
to provide a Active Directory like directory service for Linux
machines.  The sssd system combines the caching of passwords and user
information into one package, and remove the need for nscd and
libpam-ccreds.  It support LDAP and Kerberos, but not NIS.  Version
1.2 do not support netgroups, but it is said that it will support this
in version 1.5 expected to show up later in 2010.  Because the
&lt;a href=&quot;http://packages.qa.debian.org/s/sssd.html&quot;&gt;sssd package&lt;/a&gt;
was missing in Debian, I ended up co-maintaining it with Werner, and
version 1.2 is now in testing.

&lt;p&gt;These packages need to be installed and configured to get the
roaming setup I want&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
libpam-sss libnss-sss libpam-mklocaluser
&lt;/pre&gt;&lt;/blockquote&gt;

The complete setup of sssd is done by editing/creating
&lt;tt&gt;/etc/sssd/sssd.conf&lt;/tt&gt;.

&lt;blockquote&gt;&lt;pre&gt;
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = INTERN

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/INTERN]
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap
ldap_search_base = dc=skole,dc=skolelinux,dc=no
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;I got the same problem here with certificate checking.  Had to set
&quot;ldap_tls_reqcert = never&quot; to get it working.&lt;/p&gt;

&lt;p&gt;With the libnss-sss package in testing at the moment, the
nsswitch.conf file is update automatically, so there is no need to
modify it manually.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Lenny-&gt;Squeeze upgrades, apt vs aptitude with the Gnome desktop</title>
                <link>http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</guid>
                <pubDate>Sat, 3 Jul 2010 23:55:00 +0200</pubDate>
                <description>&lt;p&gt;Here is a short update on my &lt;a
href=&quot;http://people.skolelinux.org/~pere/debian-upgrade-testing/&quot;&gt;my
Debian Lenny-&gt;Squeeze upgrade testing&lt;/a&gt;.  Here is a summary of the
difference for Gnome when it is upgraded by apt-get and aptitude.  I&#39;m
not reporting the status for KDE, because the upgrade crashes when
aptitude try because of missing conflicts
(&lt;a href=&quot;http://bugs.debian.org/584861&quot;&gt;#584861&lt;/a&gt; and
&lt;a href=&quot;http://bugs.debian.org/585716&quot;&gt;#585716&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;At the end of the upgrade test script, dpkg -l is executed to get a
complete list of the installed packages.  Based on this I see these
differences when I did a test run today.  As usual, I do not really
know what the correct set of packages would be, but thought it best to
publish the difference.&lt;/p&gt;

&lt;p&gt;Installed using apt-get, missing with aptitude&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
  at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs
  libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common
  libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin
  libgtksourceview-common libpt-1.10.10-plugins-alsa
  libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java
  libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip
  python-4suite-xml python-eggtrayicon python-gtkhtml2
  python-gtkmozembed svgalibg1 xserver-xephyr zip
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Installed using apt-get, removed with aptitude&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
  bluez-utils dhcdbd djvulibre-desktop epiphany-gecko
  gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager
  libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50
  libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3
  libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9
  libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3
  libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9
  libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2
  libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0
  libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0
  libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50
  libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10
  libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4
  libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5
  libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3
  libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8
  libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1
  libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj
  libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3
  mysql-common swfdec-gnome totem-gstreamer wodim
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Installed using aptitude, missing with apt-get&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
  gnome gnome-desktop-environment hamster-applet python-gnomeapplet
  python-gnomekeyring python-wnck rhythmbox-plugins xorg
  xserver-xorg-input-all xserver-xorg-input-evdev
  xserver-xorg-input-kbd xserver-xorg-input-mouse
  xserver-xorg-input-synaptics xserver-xorg-video-all
  xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati
  xserver-xorg-video-chips xserver-xorg-video-cirrus
  xserver-xorg-video-dummy xserver-xorg-video-fbdev
  xserver-xorg-video-glint xserver-xorg-video-i128
  xserver-xorg-video-i740 xserver-xorg-video-mach64
  xserver-xorg-video-mga xserver-xorg-video-neomagic
  xserver-xorg-video-nouveau xserver-xorg-video-nv
  xserver-xorg-video-r128 xserver-xorg-video-radeon
  xserver-xorg-video-radeonhd xserver-xorg-video-rendition
  xserver-xorg-video-s3 xserver-xorg-video-s3virge
  xserver-xorg-video-savage xserver-xorg-video-siliconmotion
  xserver-xorg-video-sis xserver-xorg-video-sisusb
  xserver-xorg-video-tdfx xserver-xorg-video-tga
  xserver-xorg-video-trident xserver-xorg-video-tseng
  xserver-xorg-video-vesa xserver-xorg-video-vmware
  xserver-xorg-video-voodoo
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Installed using aptitude, removed with apt-get&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
  deskbar-applet xserver-xorg xserver-xorg-core
  xserver-xorg-input-wacom xserver-xorg-video-intel
  xserver-xorg-video-openchrome
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;I was told on IRC that the xorg-xserver package was
&lt;a href=&quot;http://git.debian.org/?p=pkg-xorg/xserver/xorg-server.git;a=commit;h=9c8080d06c457932d3bfec021c69ac000aa60120&quot;&gt;changed
in git&lt;/a&gt; today to try to get apt-get to not remove xorg completely.
No idea when it hits Squeeze, but when it does I hope it will reduce
the difference somewhat.
</description>
        </item>
        
        <item>
                <title>MS Word krøller det til for politiet?</title>
                <link>http://people.skolelinux.org/pere/blog/MS_Word_kr_ller_det_til_for_politiet_.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/MS_Word_kr_ller_det_til_for_politiet_.html</guid>
                <pubDate>Thu, 8 Jul 2010 14:00:00 +0200</pubDate>
                <description>&lt;p&gt;De siste dagene har Aftenposten
&lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/article3718597.ece&quot;&gt;fortalt&lt;/a&gt;
&lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/article3724249.ece&quot;&gt;hvordan&lt;/a&gt;
politet har brukt skriveverktøy som ikke håndterer arabisk tekst og
tekst som skal skrives fra høyre mot venstre når de har laget
løpeseddel for å be om informasjon fra publikum.  Resultatet har vært
en uleselig arabisk-bit på løpeseddelen.  Feilen har oppstått når
teksten har blitt &quot;kopiert inn i programvare som ikke har støtte for
språk som skrives fra høyre mot venstre&quot;, og jeg er ganske sikker på
at det er snakk om Microsoft Office i dette tilfellet.  Er det slik at
MS Office i norsk språkdrakt ikke har støtte for tekst som skal
skrives fra høyre mot venstre?  Jeg tror alle utgaver av
OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å
la slik støtte finnes i alle utgaver av et program hvis støtten først
er utviklet.  Aftenpostens melding får meg til å undre om problemet
ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS
Office.&lt;/p&gt;

&lt;p&gt;Mon tro om det er flere eksempler på at MS Office har ødelagt for
offentlig myndighet?&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>jXplorer, a very nice LDAP GUI</title>
                <link>http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</guid>
                <pubDate>Fri, 9 Jul 2010 12:55:00 +0200</pubDate>
                <description>&lt;p&gt;Since
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html&quot;&gt;my
last post&lt;/a&gt; about available LDAP tools in Debian, I was told about a
LDAP GUI that is even better than luma.  The java application
&lt;a href=&quot;http://jxplorer.org/&quot;&gt;jXplorer&lt;/a&gt; is claimed to be capable of
moving LDAP objects and subtrees using drag-and-drop, and can
authenticate using Kerberos.  I have only tested the Kerberos
authentication, but do not have a LDAP setup allowing me to rewrite
LDAP with my test user yet.  It is
&lt;a href=&quot;http://packages.qa.debian.org/j/jxplorer.html&quot;&gt;available in
Debian&lt;/a&gt; testing and unstable at the moment.  The only problem I
have with it is how it handle errors.  If something go wrong, its
non-intuitive behaviour require me to go through some query work list
and remove the failing query.  Nothing big, but very annoying.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Idea for storing LTSP configuration in LDAP</title>
                <link>http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</guid>
                <pubDate>Sun, 11 Jul 2010 22:00:00 +0200</pubDate>
                <description>&lt;p&gt;Vagrant mentioned on IRC today that ltsp_config now support
sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin
clients, and that this can be used to fetch configuration from LDAP if
Debian Edu choose to store configuration there.&lt;/p&gt;

&lt;p&gt;Armed with this information, I got inspired and wrote a test module
to get configuration from LDAP.  The idea is to look up the MAC
address of the client in LDAP, and look for attributes on the form
ltspconfigsetting=value, and use this to export SETTING=value to the
LTSP clients.&lt;/p&gt;

&lt;p&gt;The goal is to be able to store the LTSP configuration attributes
in a &quot;computer&quot; LDAP object used by both DNS and DHCP, and thus
allowing us to store all information about a computer in one place.&lt;/p&gt;

&lt;p&gt;This is a untested draft implementation, and I welcome feedback on
this approach.  A real LDAP schema for the ltspClientAux objectclass
need to be written.  Comments, suggestions, etc?&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
#
# Fetch LTSP client settings from LDAP based on MAC address
#
# Uses ethernet address as stored in the dhcpHost objectclass using
# the dhcpHWAddress attribute or ethernet address stored in the
# ieee802Device objectclass with the macAddress attribute.
#
# This module is written to be schema agnostic, and only depend on the
# existence of attribute names.
#
# The LTSP configuration variables are saved directly using a
# ltspConfig prefix and uppercasing the rest of the attribute name.
# To set the SERVER variable, set the ltspConfigServer attribute.
#
# Some LDAP schema should be created with all the relevant
# configuration settings.  Something like this should work:
# 
# objectclass ( 1.1.2.2 NAME &#39;ltspClientAux&#39;
#     SUP top
#     AUXILIARY
#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )

LDAPSERVER=$(debian-edu-ldapserver)
if [ &quot;$LDAPSERVER&quot; ] ; then
    LDAPBASE=$(debian-edu-ldapserver -b)
    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk &#39;{print $5}&#39;|sort -u) ; do
        filter=&quot;(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))&quot;
        ldapsearch -h &quot;$LDAPSERVER&quot; -b &quot;$LDAPBASE&quot; -v -x &quot;$filter&quot; | \
            grep &#39;^ltspConfig&#39; | while read attr value ; do
            # Remove prefix and convert to upper case
            attr=$(echo $attr | sed &#39;s/^ltspConfig//i&#39; | tr a-z A-Z)
            # bass value on to clients
            eval &quot;$attr=$value; export $attr&quot;
        done
    done
fi
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;I&#39;m not sure this shell construction will work, because I suspect
the while block might end up in a subshell causing the variables set
there to not show up in ltsp-config, but if that is the case I am sure
the code can be restructured to make sure the variables are passed on.
I expect that can be solved with some testing. :)&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;

&lt;p&gt;Update 2010-07-17: I am aware of another effort to store LTSP
configuration in LDAP that was created around year 2000 by
&lt;a href=&quot;http://www.pcxperience.com/thinclient/documentation/ldap.html&quot;&gt;PC
Xperience, Inc., 2000&lt;/a&gt;.  I found its
&lt;a href=&quot;http://people.redhat.com/alikins/ltsp/ldap/&quot;&gt;files&lt;/a&gt; on a
personal home page over at redhat.com.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Combining PowerDNS and ISC DHCP LDAP objects</title>
                <link>http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</guid>
                <pubDate>Wed, 14 Jul 2010 23:45:00 +0200</pubDate>
                <description>&lt;p&gt;For a while now, I have wanted to find a way to change the DNS and
DHCP services in Debian Edu to use the same LDAP objects for a given
computer, to avoid the possibility of having a inconsistent state for
a computer in LDAP (as in DHCP but no DNS entry or the other way
around) and make it easier to add computers to LDAP.&lt;/p&gt;

&lt;p&gt;I&#39;ve looked at how powerdns and dhcpd is using LDAP, and using this
information finally found a solution that seem to work.&lt;/p&gt;

&lt;p&gt;The old setup required three LDAP objects for a given computer.
One forward DNS entry, one reverse DNS entry and one DHCP entry.  If
we switch powerdns to use its strict LDAP method (ldap-method=strict
in pdns-debian-edu.conf), the forward and reverse DNS entries are
merged into one while making it impossible to transfer the reverse map
to a slave DNS server.&lt;/p&gt;

&lt;p&gt;If we also replace the object class used to get the DNS related
attributes to one allowing these attributes to be combined with the
dhcphost object class, we can merge the DNS and DHCP entries into one.
I&#39;ve written such object class in the dnsdomainaux.schema file (need
proper OIDs, but that is a minor issue), and tested the setup.  It
seem to work.&lt;/p&gt;

&lt;p&gt;With this test setup in place, we can get away with one LDAP object
for both DNS and DHCP, and even the LTSP configuration I suggested in
an earlier email.  The combined LDAP object will look something like
this:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
  cn: hostname
  objectClass: dhcphost
  objectclass: domainrelatedobject
  objectclass: dnsdomainaux
  associateddomain: hostname.intern
  arecord: 10.11.12.13
  dhcphwaddress: ethernet 00:00:00:00:00:00
  dhcpstatements: fixed-address hostname
  ldapconfigsound: Y
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The DNS server uses the associateddomain and arecord entries, while
the DHCP server uses the dhcphwaddress and dhcpstatements entries
before asking DNS to resolve the fixed-adddress.  LTSP will use
dhcphwaddress or associateddomain and the ldapconfig* attributes.&lt;/p&gt;

&lt;p&gt;I am not yet sure if I can get the DHCP server to look for its
dhcphost in a different location, to allow us to put the objects
outside the &quot;DHCP Config&quot; subtree, but hope to figure out a way to do
that.  If I can&#39;t figure out a way to do that, we can still get rid of
the hosts subtree and move all its content into the DHCP Config tree
(which probably should be renamed to be more related to the new
content.  I suspect cn=dnsdhcp,ou=services or something like that
might be a good place to put it.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>What are they searching for - PowerDNS and ISC DHCP in LDAP</title>
                <link>http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html</guid>
                <pubDate>Sat, 17 Jul 2010 21:00:00 +0200</pubDate>
                <description>&lt;p&gt;This is a
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html&quot;&gt;followup&lt;/a&gt;
on my
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html&quot;&gt;previous
work&lt;/a&gt; on
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html&quot;&gt;merging
all&lt;/a&gt; the computer related LDAP objects in Debian Edu.&lt;/p&gt;

&lt;p&gt;As a step to try to see if it possible to merge the DNS and DHCP
LDAP objects, I have had a look at how the packages pdns-backend-ldap
and dhcp3-server-ldap in Debian use the LDAP server.  The two
implementations are quite different in how they use LDAP.&lt;/p&gt;

To get this information, I started slapd with debugging enabled and
dumped the debug output to a file to get the LDAP searches performed
on a Debian Edu main-server.  Here is a summary.

&lt;p&gt;&lt;strong&gt;powerdns&lt;/strong&gt;&lt;/p&gt;

&lt;a href=&quot;http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend&quot;&gt;Clues
on how to&lt;/a&gt; set up PowerDNS to use a LDAP backend is available on
the web.

&lt;p&gt;PowerDNS have two modes of operation using LDAP as its backend.
One &quot;strict&quot; mode where the forward and reverse DNS lookups are done
using the same LDAP objects, and a &quot;tree&quot; mode where the forward and
reverse entries are in two different subtrees in LDAP with a structure
based on the DNS names, as in tjener.intern and
2.2.0.10.in-addr.arpa.&lt;/p&gt;

&lt;p&gt;In tree mode, the server is set up to use a LDAP subtree as its
base, and uses a &quot;base&quot; scoped search for the DNS name by adding
&quot;dc=tjener,dc=intern,&quot; to the base with a filter for
&quot;(associateddomain=tjener.intern)&quot; for the forward entry and
&quot;dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,&quot; with a filter for
&quot;(associateddomain=2.2.0.10.in-addr.arpa)&quot; for the reverse entry.  For
forward entries, it is looking for attributes named dnsttl, arecord,
nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord,
txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord,
srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord,
ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord,
spfrecord and modifytimestamp.  For reverse entries it is looking for
the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord,
ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord,
locrecord, srvrecord, naptrrecord and modifytimestamp.  The equivalent
ldapsearch commands could look like this:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
ldapsearch -h ldap \
  -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \
  -s base -x &#39;(associateddomain=tjener.intern)&#39; dNSTTL aRecord nSRecord \
  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp

ldapsearch -h ldap \
  -b dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \
  -s base -x &#39;(associateddomain=2.2.0.10.in-addr.arpa)&#39;
  dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \
  hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \
  srvrecord naptrrecord modifytimestamp
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;In Debian Edu/Lenny, the PowerDNS tree mode is used with
ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two
example LDAP objects used there.  In addition to these objects, the
parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no
also exist.&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no
objectclass: top
objectclass: dnsdomain
objectclass: domainrelatedobject
dc: tjener
arecord: 10.0.2.2
associateddomain: tjener.intern

dn: dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no
objectclass: top
objectclass: dnsdomain2
objectclass: domainrelatedobject
dc: 2
ptrrecord: tjener.intern
associateddomain: 2.2.0.10.in-addr.arpa
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;In strict mode, the server behaves differently.  When looking for
forward DNS entries, it is doing a &quot;subtree&quot; scoped search with the
same base as in the tree mode for a object with filter
&quot;(associateddomain=tjener.intern)&quot; and requests the attributes dnsttl,
arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord,
mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord,
naptrrecord and modifytimestamp.  For reverse entires it also do a
subtree scoped search but this time the filter is &quot;(arecord=10.0.2.2)&quot;
and the requested attributes are associateddomain, dnsttl and
modifytimestamp.  In short, in strict mode the objects with ptrrecord
go away, and the arecord attribute in the forward object is used
instead.&lt;/p&gt;

&lt;p&gt;The forward and reverse searches can be simulated using ldapsearch
like this:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
  &#39;(associateddomain=tjener.intern)&#39; dNSTTL aRecord nSRecord \
  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp

ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
  &#39;(arecord=10.0.2.2)&#39; associateddomain dnsttl modifytimestamp
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;In addition to the forward and reverse searches , there is also a
search for SOA records, which behave similar to the forward and
reverse lookups.&lt;/p&gt;

&lt;p&gt;A thing to note with the PowerDNS behaviour is that it do not
specify any objectclass names, and instead look for the attributes it
need to generate a DNS reply.  This make it able to work with any
objectclass that provide the needed attributes.&lt;/p&gt;

&lt;p&gt;The attributes are normally provided in the cosine (RFC 1274) and
dnsdomain2 schemas.  The latter is used for reverse entries like
ptrrecord and recent DNS additions like aaaarecord and srvrecord.&lt;/p&gt;

&lt;p&gt;In Debian Edu, we have created DNS objects using the object classes
dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS
attributes) and domainrelatedobject (for associatedDomain).  The use
of structural object classes make it impossible to combine these
classes with the object classes used by DHCP.&lt;/p&gt;

&lt;p&gt;There are other schemas that could be used too, for example the
dnszone structural object class used by Gosa and bind-sdb for the DNS
attributes combined with the domainrelatedobject object class, but in
this case some unused attributes would have to be included as well
(zonename and relativedomainname).&lt;/p&gt;

&lt;p&gt;My proposal for Debian Edu would be to switch PowerDNS to strict
mode and not use any of the existing objectclasses (dnsdomain,
dnsdomain2 and dnszone) when one want to combine the DNS information
with DHCP information, and instead create a auxiliary object class
defined something like this (using the attributes defined for
dnsdomain and dnsdomain2 or dnszone):&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
objectclass ( some-oid NAME &#39;dnsDomainAux&#39;
    SUP top
    AUXILIARY
    MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $
          DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $
          TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $
          NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
          A6Record $ DNAMERecord
    ))
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;This will allow any object to become a DNS entry when combined with
the domainrelatedobject object class, and allow any entity to include
all the attributes PowerDNS wants.  I&#39;ve sent an email to the PowerDNS
developers asking for their view on this schema and if they are
interested in providing such schema with PowerDNS, and I hope my
message will be accepted into their mailing list soon.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;ISC dhcp&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The DHCP server searches for specific objectclass and requests all
the object attributes, and then uses the attributes it want.  This
make it harder to figure out exactly what attributes are used, but
thanks to the working example in Debian Edu I can at least get an idea
what is needed without having to read the source code.&lt;/p&gt;

&lt;p&gt;In the DHCP server configuration, the LDAP base to use and the
search filter to use to locate the correct dhcpServer entity is
stored.  These are the relevant entries from
/etc/dhcp3/dhcpd.conf:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
ldap-base-dn &quot;dc=skole,dc=skolelinux,dc=no&quot;;
ldap-dhcp-server-cn &quot;dhcp&quot;;
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The DHCP server uses this information to nest all the DHCP
configuration it need.  The cn &quot;dhcp&quot; is located using the given LDAP
base and the filter &quot;(&amp;(objectClass=dhcpServer)(cn=dhcp))&quot;.  The
search result is this entry:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
cn: dhcp
objectClass: top
objectClass: dhcpServer
dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The content of the dhcpServiceDN attribute is next used to locate the
subtree with DHCP configuration.  The DHCP configuration subtree base
is located using a base scope search with base &quot;cn=DHCP
Config,dc=skole,dc=skolelinux,dc=no&quot; and filter
&quot;(&amp;(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))&quot;.
The search result is this entry:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
cn: DHCP Config
objectClass: top
objectClass: dhcpService
objectClass: dhcpOptions
dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
dhcpStatements: ddns-update-style none
dhcpStatements: authoritative
dhcpOption: smtp-server code 69 = array of ip-address
dhcpOption: www-server code 72 = array of ip-address
dhcpOption: wpad-url code 252 = text
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;Next, the entire subtree is processed, one level at the time.  When
all the DHCP configuration is loaded, it is ready to receive requests.
The subtree in Debian Edu contain objects with object classes
top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions,
top/dhcpSubnet, top/dhcpGroup and top/dhcpHost.  These provide options
and information about netmasks, dynamic range etc.  Leaving out the
details here because it is not relevant for the focus of my
investigation, which is to see if it is possible to merge dns and dhcp
related computer objects.&lt;/p&gt;

&lt;p&gt;When a DHCP request come in, LDAP is searched for the MAC address
of the client (00:00:00:00:00:00 in this example), using a subtree
scoped search with &quot;cn=DHCP Config,dc=skole,dc=skolelinux,dc=no&quot; as
the base and &quot;(&amp;(objectClass=dhcpHost)(dhcpHWAddress=ethernet
00:00:00:00:00:00))&quot; as the filter.  This is what a host object look
like:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
cn: hostname
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:00:00:00:00:00
dhcpStatements: fixed-address hostname
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;There is less flexiblity in the way LDAP searches are done here.
The object classes need to have fixed names, and the configuration
need to be stored in a fairly specific LDAP structure.  On the
positive side, the invidiual dhcpHost entires can be anywhere without
the DN pointed to by the dhcpServer entries.  The latter should make
it possible to group all host entries in a subtree next to the
configuration entries, and this subtree can also be shared with the
DNS server if the schema proposed above is combined with the dhcpHost
structural object class.

&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The PowerDNS implementation seem to be very flexible when it come
to which LDAP schemas to use.  While its &quot;tree&quot; mode is rigid when it
come to the the LDAP structure, the &quot;strict&quot; mode is very flexible,
allowing DNS objects to be stored anywhere under the base cn specified
in the configuration.&lt;/p&gt;

&lt;p&gt;The DHCP implementation on the other hand is very inflexible, both
regarding which LDAP schemas to use and which LDAP structure to use.
I guess one could implement ones own schema, as long as the
objectclasses and attributes have the names used, but this do not
really help when the DHCP subtree need to have a fairly fixed
structure.&lt;/p&gt;

&lt;p&gt;Based on the observed behaviour, I suspect a LDAP structure like
this might work for Debian Edu:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
ou=services
  cn=machine-info (dhcpService) - dhcpServiceDN points here
    cn=dhcp (dhcpServer)
    cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
      cn=10.0.2.0 (dhcpSubnet)
        cn=group1 (dhcpGroup/dhcpOptions)
    cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
      cn=192.168.0.0 (dhcpSubnet)
        cn=group1 (dhcpGroup/dhcpOptions)
    ou=machines - PowerDNS base points here
      cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;P&gt;This is not tested yet.  If the DHCP server require the dhcpHost
entries to be in the dhcpGroup subtrees, the entries can be stored
there instead of a common machines subtree, and the PowerDNS base
would have to be moved one level up to the machine-info subtree.&lt;/p&gt;

&lt;p&gt;The combined object under the machines subtree would look something
like this:&lt;/p&gt;
    
&lt;blockquote&gt;&lt;pre&gt;
dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
dc: hostname
objectClass: top
objectClass: dhcpHost
objectclass: domainrelatedobject
objectclass: dnsDomainAux
associateddomain: hostname.intern
arecord: 10.11.12.13
dhcpHWAddress: ethernet 00:00:00:00:00:00
dhcpStatements: fixed-address hostname.intern
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;/p&gt;One could even add the LTSP configuration associated with a given
machine, as long as the required attributes are available in a
auxiliary object class.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>OpenStreetmap one step closer to having routing on its front page</title>
                <link>http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html</guid>
                <pubDate>Sun, 18 Jul 2010 16:45:00 +0200</pubDate>
                <description>&lt;p&gt;Thanks to
&lt;a href=&quot;http://feedproxy.google.com/~r/Opengeodata/~3/wUTCzDZk3lc/project-of-the-week-which-way-home&quot;&gt;todays
opengeodata blog entry&lt;/a&gt;, I just discovered that the
OpenStreetmap.org site have gotten
&lt;a href=&quot;http://nroets.dev.openstreetmap.org/demo/index.html?layers=B000FTFTT&quot;&gt;support
for calculating routes&lt;/a&gt;.  The support is still experimental and
only available from the development server, until more experience is
gathered on the user interface and any scalability issues.&lt;/p&gt;

&lt;p&gt;Earlier, the routing I knew about using the OpenStreetmap.org data
was provided by &lt;a href=&quot;http://maps.cloudmade.com/&quot;&gt;Cloudmade&lt;/a&gt;,
but having it on the main page is required to make everyone aware of
the issue.  I&#39;ve had people reject Openstreetmap.org as a viable
alternative for them because the front page lacked routing support,
and I hope their needs will be catered for when routing show up on the
www.openstreetmap.org front page.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Digitale restriksjonsmekanismer fikk meg til å slutte å kjøpe musikk</title>
                <link>http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til___slutte___kj_pe_musikk.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til___slutte___kj_pe_musikk.html</guid>
                <pubDate>Thu, 22 Jul 2010 23:50:00 +0200</pubDate>
                <description>&lt;p&gt;For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at
musikkbransjen var godt i gang med å selge platene sine med DRM som
gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg
hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en
plate om den var ødelagt eller ikke, og jeg hadde jo allerede en
anseelig samling med plater, så jeg bestemme meg for å slutte å gi
penger til en bransje som åpenbart ikke respekterte meg.&lt;/p&gt;

&lt;p&gt;Jeg har mange titalls dager med musikk på CD i dag. Det meste er
lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har
ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer
musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt
fornøyd.&lt;/p&gt;

&lt;p&gt;Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de
setter pris på meg som kunde, og ikke skremme meg bort med DRM og
antydninger om at kundene er kriminelle.&lt;/p&gt;

&lt;p&gt;Filmbransjen er like ille, men mens musikk gjerne varer lenge, er
filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men
holder meg til DVD-filmer som kan spilles av på mine Linuxbokser.
Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene
«Ultraviolet» som be annonsert her om dagen.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>One step closer to single signon in Debian Edu</title>
                <link>http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</guid>
                <pubDate>Sun, 25 Jul 2010 10:00:00 +0200</pubDate>
                <description>&lt;p&gt;The last few months me and the other Debian Edu developers have
been working hard to get the Debian/Squeeze based version of Debian
Edu/Skolelinux into shape.  This future version will use Kerberos for
authentication, and services are slowly migrated to single signon,
getting rid of password questions one at the time.&lt;/p&gt;

&lt;p&gt;It will also feature a roaming workstation profile with local home
directory, for laptops that are only some times on the Skolelinux
network, and for this profile a shortcut is created in Gnome and KDE
to gain access to the users home directory on the file server.  This
shortcut uses SMB at the moment, and yesterday I had time to test if
SMB mounting had started working in KDE after we added the cifs-utils
package.  I was pleasantly surprised how well it worked.&lt;/p&gt;

&lt;p&gt;Thanks to the recent changes to our samba configuration to get it
to use Kerberos for authentication, there were no question about user
password when mounting the SMB volume.  A simple click on the shortcut
in the KDE menu, and a window with the home directory popped
up. :)&lt;/p&gt;

&lt;p&gt;One step closer to a single signon solution out of the box in
Debian Edu.  We already had PAM, LDAP, IMAP and SMTP in place, and now
also Samba.  Next step is Cups and hopefully also NFS.&lt;/p&gt;

&lt;p&gt;We had planned a alpha0 release of Debian Edu for today, but thanks
to the autobuilder administrators for some architectures being slow to
sign packages, we are still missing the fixed LTSP package we need for
the release.  It was uploaded three days ago with urgency=high, and if
it had entered testing yesterday we would have been able to test it in
time for a alpha0 release today.  As the binaries for ia64 and powerpc
still not uploaded to the Debian archive, we need to delay the alpha
release another day.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing Kerberos for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>First Debian Edu test release (alpha0) based on Squeeze is released</title>
                <link>http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html</guid>
                <pubDate>Tue, 27 Jul 2010 17:45:00 +0200</pubDate>
                <description>&lt;p&gt;I just posted this announcement culminating several months of work
with the next Debian Edu release.  Not nearly done, but one major step
completed.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;This is the first test release based on Squeeze. The focus of this
release is to test the user application selection. To have a look,
install the standalone profile and let the developers know if the set
of installed packages i.e. applications should be modified. If some
user application is missing, or if there are some applications that no
longer make sense to be included in Debian Edu, please let us know.
Also, if a useful application is missing the translation for your
language of choice, please let us know too.&lt;/p&gt;

&lt;p&gt;In addition, feedback and help to polish the desktop (menus,
artwork, starters, etc.) is appreciated. We would like to ship a nice
and handy KDE4 desktop targeted for schools out of the box.&lt;/p&gt;

&lt;p&gt;The other profiles should be installable, but there is a lot more
work left to be done before they are ready, so do not expect to
much.&lt;/p&gt;

&lt;p&gt;Changes compared to the lenny based version&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Everything from Debian Squeeze
&lt;ul&gt;
  &lt;li&gt;Desktop environment KDE 4.4 =&gt; the new KDE desktop in
         combination with some new artwork
  &lt;li&gt;Web browser Iceweasel 3.5
  &lt;li&gt;OpenOffice.org 3.2
  &lt;li&gt;Educational toolbox GCompris 9.3
  &lt;li&gt;Music creator Rosegarden 10.04.2
  &lt;li&gt;Image editor Gimp 2.6.10
  &lt;li&gt;Virtual universe Celestia 1.6.0
  &lt;li&gt;Virtual stargazer Stellarium 0.10.4
  &lt;li&gt;3D modeler Blender 2.49.2 (new application)
  &lt;li&gt;Video editor Kdenlive 0.7.7 (new application)
&lt;/ul&gt;&lt;/li&gt;
&lt;li&gt;Now using Kerberos for password checking (migration not finished).
    Enabled for:
&lt;ul&gt;
  &lt;li&gt;PAM
  &lt;li&gt;LDAP
  &lt;li&gt;IMAP
  &lt;li&gt;SMTP (sender verification)
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;New experimental roaming workstation profile for laptops.&lt;/li&gt;
&lt;li&gt;Show welcome page to users when they first log in. The URL is
    fetched from LDAP.&lt;/li&gt;
&lt;li&gt;New LXDE desktop option, in addition to KDE (default) and Gnome.&lt;/li&gt;
&lt;li&gt;General cleanup (not finished)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The following features are not working as they should&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;No web based administration tool for creating users and groups. The
    scripts ldap-createuser-krb and ldap-add-user-to-group can be used
    for testing.&lt;/li&gt;
&lt;li&gt;DVD installs are missing debian-installer images for the PXE boot,
    and do not set up the PXE menu on eth0 because of this. LTSP
    clients should still boot from eth1 on thin client servers.&lt;/li&gt;
&lt;li&gt;The restructured KDE menu is not implemented.&lt;/li&gt;
&lt;li&gt;The LDAP server setup need to be reviewed for security.&lt;/li&gt;
&lt;li&gt;The LDAP directory structure need to be reworked.&lt;/li&gt;
&lt;li&gt;Different sets of packages are installed when using the DVD and the
    netinst CD. More packages are installed using the netinst CD.&lt;/li&gt;
&lt;li&gt;The jackd package fail to install. This is believed to be caused by
    some ongoing transition, and hopefully should be solved soon. The
    jackd1 package can be installed manually for those that need it.&lt;/li&gt;
&lt;li&gt;Some packages lack translations. See
    http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status,
    and help out with translations.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To download this multiarch netinstall release you can use&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&quot;&gt;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&quot;&gt;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To download this multiarch dvd release you can use&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&quot;&gt;ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&quot;&gt;http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;There is no source DVD available yet. It will be prepared when we
get closer to the final release.&lt;/p&gt;

&lt;p&gt;The MD5SUM of these images are&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso&lt;/li&gt;
&lt;li&gt;22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The SHA1SUM of these images are&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso&lt;/li&gt;
&lt;li&gt;2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;How to report bugs:
http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla&lt;/p&gt;

&lt;p&gt;Please direct replies to debian-edu@lists.debian.org&lt;/p&gt;
&lt;/blockquote&gt;
</description>
        </item>
        
        <item>
                <title>Circular package dependencies harms apt recovery</title>
                <link>http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html</guid>
                <pubDate>Tue, 27 Jul 2010 23:50:00 +0200</pubDate>
                <description>&lt;p&gt;I discovered this while doing
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html&quot;&gt;automated
testing of upgrades from Debian Lenny to Squeeze&lt;/a&gt;.  A few packages
in Debian still got circular dependencies, and it is often claimed
that apt and aptitude should be able to handle this just fine, but
some times these dependency loops causes apt to fail.&lt;/p&gt;

&lt;p&gt;An example is from todays
&lt;a href=&quot;http://people.skolelinux.org/~pere/debian-upgrade-testing//test-20100727-lenny-squeeze-kde-aptitude.txt&quot;&gt;upgrade
of KDE using aptitude&lt;/a&gt;.  In it, a bug in kdebase-workspace-data
causes perl-modules to fail to upgrade.  The cause is simple.  If a
package fail to unpack, then only part of packages with the circular
dependency might end up being unpacked when unpacking aborts, and the
ones already unpacked will fail to configure in the recovery phase
because its dependencies are unavailable.&lt;/p&gt;

&lt;p&gt;In this log, the problem manifest itself with this error:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
dpkg: dependency problems prevent configuration of perl-modules:
 perl-modules depends on perl (&gt;= 5.10.1-1); however:
  Version of perl on system is 5.10.0-19lenny2.
dpkg: error processing perl-modules (--configure):
 dependency problems - leaving unconfigured
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The perl/perl-modules circular dependency is already
&lt;a href=&quot;http://bugs.debian.org/527917&quot;&gt;reported as a bug&lt;/a&gt;, and will
hopefully be solved as soon as possible, but it is not the only one,
and each one of these loops in the dependency tree can cause similar
failures.  Of course, they only occur when there are bugs in other
packages causing the unpacking to fail, but it is rather nasty when
the failure of one package causes the problem to become worse because
of dependency loops.&lt;/p&gt;

&lt;p&gt;Thanks to
&lt;a href=&quot;http://lists.debian.org/debian-devel/2010/06/msg00116.html&quot;&gt;the
tireless effort by Bill Allombert&lt;/a&gt;, the number of circular
dependencies
&lt;a href=&quot;http://debian.semistable.com/debgraph.out.html&quot;&gt;left in Debian
is dropping&lt;/a&gt;, and perhaps it will reach zero one day. :)&lt;/p&gt;

&lt;p&gt;Todays testing also exposed a bug in
&lt;a href=&quot;http://bugs.debian.org/590605&quot;&gt;update-notifier&lt;/a&gt; and
&lt;a href=&quot;http://bugs.debian.org/590604&quot;&gt;different behaviour&lt;/a&gt; between
apt-get and aptitude, the latter possibly caused by some circular
dependency.  Reported both to BTS to try to get someone to look at
it.&lt;/p&gt;
</description>
        </item>
        
        </channel>
</rss>