Draft to data directory.

[homepage.git] / blog / index.rss

<?xml version="1.0" encoding="utf-8"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/' xmlns:atom="http://www.w3.org/2005/Atom">
        <channel>
                <title>Petter Reinholdtsen</title>
                <description></description>
                <link>http://people.skolelinux.org/pere/blog/</link>
                <atom:link href="http://people.skolelinux.org/pere/blog/index.rss" rel="self" type="application/rss+xml" />
        
        <item>
                <title>Combining PowerDNS and ISC DHCP LDAP objects</title>
                <link>http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</guid>
                <pubDate>Wed, 14 Jul 2010 23:45:00 +0200</pubDate>
                <description>
&lt;p&gt;For a while now, I have wanted to find a way to change the DNS and
DHCP services in Debian Edu to use the same LDAP objects for a given
computer, to avoid the possibility of having a inconsistent state for
a computer in LDAP (as in DHCP but no DNS entry or the other way
around) and make it easier to add computers to LDAP.&lt;/p&gt;

&lt;p&gt;I&#39;ve looked at how powerdns and dhcpd is using LDAP, and using this
information finally found a solution that seem to work.&lt;/p&gt;

&lt;p&gt;The old setup required three LDAP objects for a given computer.
One forward DNS entry, one reverse DNS entry and one DHCP entry.  If
we switch powerdns to use its strict LDAP method (ldap-method=strict
in pdns-debian-edu.conf), the forward and reverse DNS entries are
merged into one while making it impossible to transfer the reverse map
to a slave DNS server.&lt;/p&gt;

&lt;p&gt;If we also replace the object class used to get the DNS related
attributes to one allowing these attributes to be combined with the
dhcphost object class, we can merge the DNS and DHCP entries into one.
I&#39;ve written such object class in the dnsdomainaux.schema file (need
proper OIDs, but that is a minor issue), and tested the setup.  It
seem to work.&lt;/p&gt;

&lt;p&gt;With this test setup in place, we can get away with one LDAP object
for both DNS and DHCP, and even the LTSP configuration I suggested in
an earlier email.  The combined LDAP object will look something like
this:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
  cn: hostname
  objectClass: dhcphost
  objectclass: domainrelatedobject
  objectclass: dnsdomainaux
  associateddomain: hostname.intern
  arecord: 10.11.12.13
  dhcphwaddress: ethernet 00:00:00:00:00:00
  dhcpstatements: fixed-address hostname
  ldapconfigsound: Y
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The DNS server uses the associateddomain and arecord entries, while
the DHCP server uses the dhcphwaddress and dhcpstatements entries
before asking DNS to resolve the fixed-adddress.  LTSP will use
dhcphwaddress or associateddomain and the ldapconfig* attributes.&lt;/p&gt;

&lt;p&gt;I am not yet sure if I can get the DHCP server to look for its
dhcphost in a different location, to allow us to put the objects
outside the &quot;DHCP Config&quot; subtree, but hope to figure out a way to do
that.  If I can&#39;t figure out a way to do that, we can still get rid of
the hosts subtree and move all its content into the DHCP Config tree
(which probably should be renamed to be more related to the new
content.  I suspect cn=dnsdhcp,ou=services or something like that
might be a good place to put it.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Idea for storing LTSP configuration in LDAP</title>
                <link>http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</guid>
                <pubDate>Sun, 11 Jul 2010 22:00:00 +0200</pubDate>
                <description>
&lt;p&gt;Vagrant mentioned on IRC today that ltsp_config now support
sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin
clients, and that this can be used to fetch configuration from LDAP if
Debian Edu choose to store configuration there.&lt;/p&gt;

&lt;p&gt;Armed with this information, I got inspired and wrote a test module
to get configuration from LDAP.  The idea is to look up the MAC
address of the client in LDAP, and look for attributes on the form
ltspconfigsetting=value, and use this to export SETTING=value to the
LTSP clients.&lt;/p&gt;

&lt;p&gt;The goal is to be able to store the LTSP configuration attributes
in a &quot;computer&quot; LDAP object used by both DNS and DHCP, and thus
allowing us to store all information about a computer in one place.&lt;/p&gt;

&lt;p&gt;This is a untested draft implementation, and I welcome feedback on
this approach.  A real LDAP schema for the ltspClientAux objectclass
need to be written.  Comments, suggestions, etc?&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
#
# Fetch LTSP client settings from LDAP based on MAC address
#
# Uses ethernet address as stored in the dhcpHost objectclass using
# the dhcpHWAddress attribute or ethernet address stored in the
# ieee802Device objectclass with the macAddress attribute.
#
# This module is written to be schema agnostic, and only depend on the
# existence of attribute names.
#
# The LTSP configuration variables are saved directly using a
# ltspConfig prefix and uppercasing the rest of the attribute name.
# To set the SERVER variable, set the ltspConfigServer attribute.
#
# Some LDAP schema should be created with all the relevant
# configuration settings.  Something like this should work:
# 
# objectclass ( 1.1.2.2 NAME &#39;ltspClientAux&#39;
#     SUP top
#     AUXILIARY
#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )

LDAPSERVER=$(debian-edu-ldapserver)
if [ &quot;$LDAPSERVER&quot; ] ; then
    LDAPBASE=$(debian-edu-ldapserver -b)
    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk &#39;{print $5}&#39;|sort -u) ; do
        filter=&quot;(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))&quot;
        ldapsearch -h &quot;$LDAPSERVER&quot; -b &quot;$LDAPBASE&quot; -v -x &quot;$filter&quot; | \
            grep &#39;^ltspConfig&#39; | while read attr value ; do
            # Remove prefix and convert to upper case
            attr=$(echo $attr | sed &#39;s/^ltspConfig//i&#39; | tr a-z A-Z)
            # bass value on to clients
            eval &quot;$attr=$value; export $attr&quot;
        done
    done
fi
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;I&#39;m not sure this shell construction will work, because I suspect
the while block might end up in a subshell causing the variables set
there to not show up in ltsp-config, but if that is the case I am sure
the code can be restructured to make sure the variables are passed on.
I expect that can be solved with some testing. :)&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>jXplorer, a very nice LDAP GUI</title>
                <link>http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</guid>
                <pubDate>Fri, 9 Jul 2010 12:55:00 +0200</pubDate>
                <description>
&lt;p&gt;Since
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html&quot;&gt;my
last post&lt;/a&gt; about available LDAP tools in Debian, I was told about a
LDAP GUI that is even better than luma.  The java application
&lt;a href=&quot;http://jxplorer.org/&quot;&gt;jXplorer&lt;/a&gt; is claimed to be capable of
moving LDAP objects and subtrees using drag-and-drop, and can
authenticate using Kerberos.  I have only tested the Kerberos
authentication, but do not have a LDAP setup allowing me to rewrite
LDAP with my test user yet.  It is
&lt;a href=&quot;http://packages.qa.debian.org/j/jxplorer.html&quot;&gt;available in
Debian&lt;/a&gt; testing and unstable at the moment.  The only problem I
have with it is how it handle errors.  If something go wrong, its
non-intuitive behaviour require me to go through some query work list
and remove the failing query.  Nothing big, but very annoying.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>MS Word krøller det til for politiet?</title>
                <link>http://people.skolelinux.org/pere/blog/MS_Word_kr__ller_det_til_for_politiet_.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/MS_Word_kr__ller_det_til_for_politiet_.html</guid>
                <pubDate>Thu, 8 Jul 2010 14:00:00 +0200</pubDate>
                <description>
&lt;p&gt;De siste dagene har Aftenposten
&lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/article3718597.ece&quot;&gt;fortalt&lt;/a&gt;
&lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/article3724249.ece&quot;&gt;hvordan&lt;/a&gt;
politet har brukt skriveverktøy som ikke håndterer arabisk tekst og
tekst som skal skrives fra høyre mot venstre når de har laget
løpeseddel for å be om informasjon fra publikum.  Resultatet har vært
en uleselig arabisk-bit på løpeseddelen.  Feilen har oppstått når
teksten har blitt &quot;kopiert inn i programvare som ikke har støtte for
språk som skrives fra høyre mot venstre&quot;, og jeg er ganske sikker på
at det er snakk om Microsoft Office i dette tilfellet.  Er det slik at
MS Office i norsk språkdrakt ikke har støtte for tekst som skal
skrives fra høyre mot venstre?  Jeg tror alle utgaver av
OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å
la slik støtte finnes i alle utgaver av et program hvis støtten først
er utviklet.  Aftenpostens melding får meg til å undre om problemet
ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS
Office.&lt;/p&gt;

&lt;p&gt;Mon tro om det er flere eksempler på at MS Office har ødelagt for
offentlig myndighet?&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Lenny-&gt;Squeeze upgrades, apt vs aptitude with the Gnome desktop</title>
                <link>http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</guid>
                <pubDate>Sat, 3 Jul 2010 23:55:00 +0200</pubDate>
                <description>
&lt;p&gt;Here is a short update on my &lt;a
href=&quot;http://people.skolelinux.org/~pere/debian-upgrade-testing/&quot;&gt;my
Debian Lenny-&gt;Squeeze upgrade testing&lt;/a&gt;.  Here is a summary of the
difference for Gnome when it is upgraded by apt-get and aptitude.  I&#39;m
not reporting the status for KDE, because the upgrade crashes when
aptitude try because of missing conflicts
(&lt;a href=&quot;http://bugs.debian.org/584861&quot;&gt;#584861&lt;/a&gt; and
&lt;a href=&quot;http://bugs.debian.org/585716&quot;&gt;#585716&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;At the end of the upgrade test script, dpkg -l is executed to get a
complete list of the installed packages.  Based on this I see these
differences when I did a test run today.  As usual, I do not really
know what the correct set of packages would be, but thought it best to
publish the difference.&lt;/p&gt;

&lt;p&gt;Installed using apt-get, missing with aptitude&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
  at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs
  libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common
  libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin
  libgtksourceview-common libpt-1.10.10-plugins-alsa
  libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java
  libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip
  python-4suite-xml python-eggtrayicon python-gtkhtml2
  python-gtkmozembed svgalibg1 xserver-xephyr zip
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Installed using apt-get, removed with aptitude&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
  bluez-utils dhcdbd djvulibre-desktop epiphany-gecko
  gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager
  libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50
  libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3
  libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9
  libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3
  libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9
  libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2
  libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0
  libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0
  libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50
  libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10
  libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4
  libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5
  libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3
  libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8
  libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1
  libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj
  libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3
  mysql-common swfdec-gnome totem-gstreamer wodim
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Installed using aptitude, missing with apt-get&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
  gnome gnome-desktop-environment hamster-applet python-gnomeapplet
  python-gnomekeyring python-wnck rhythmbox-plugins xorg
  xserver-xorg-input-all xserver-xorg-input-evdev
  xserver-xorg-input-kbd xserver-xorg-input-mouse
  xserver-xorg-input-synaptics xserver-xorg-video-all
  xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati
  xserver-xorg-video-chips xserver-xorg-video-cirrus
  xserver-xorg-video-dummy xserver-xorg-video-fbdev
  xserver-xorg-video-glint xserver-xorg-video-i128
  xserver-xorg-video-i740 xserver-xorg-video-mach64
  xserver-xorg-video-mga xserver-xorg-video-neomagic
  xserver-xorg-video-nouveau xserver-xorg-video-nv
  xserver-xorg-video-r128 xserver-xorg-video-radeon
  xserver-xorg-video-radeonhd xserver-xorg-video-rendition
  xserver-xorg-video-s3 xserver-xorg-video-s3virge
  xserver-xorg-video-savage xserver-xorg-video-siliconmotion
  xserver-xorg-video-sis xserver-xorg-video-sisusb
  xserver-xorg-video-tdfx xserver-xorg-video-tga
  xserver-xorg-video-trident xserver-xorg-video-tseng
  xserver-xorg-video-vesa xserver-xorg-video-vmware
  xserver-xorg-video-voodoo
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Installed using aptitude, removed with apt-get&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
  deskbar-applet xserver-xorg xserver-xorg-core
  xserver-xorg-input-wacom xserver-xorg-video-intel
  xserver-xorg-video-openchrome
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;I was told on IRC that the xorg-xserver package was
&lt;a href=&quot;http://git.debian.org/?p=pkg-xorg/xserver/xorg-server.git;a=commit;h=9c8080d06c457932d3bfec021c69ac000aa60120&quot;&gt;changed
in git&lt;/a&gt; today to try to get apt-get to not remove xorg completely.
No idea when it hits Squeeze, but when it does I hope it will reduce
the difference somewhat.
</description>
        </item>
        
        <item>
                <title>Caching password, user and group on a roaming Debian laptop</title>
                <link>http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</guid>
                <pubDate>Thu, 1 Jul 2010 11:40:00 +0200</pubDate>
                <description>
&lt;p&gt;For a laptop, centralized user directories and password checking is
a bit troubling.  Laptops are typically used also when not connected
to the network, and it is vital for a user to be able to log in or
unlock the screen saver also when a central server is unavailable.
This is possible by caching passwords and directory information (user
and group attributes) locally, and the packages to do so are available
in Debian.  Here follow two recipes to set this up in Debian/Squeeze.
It is also possible to set up in Debian/Lenny, but require more manual
setup there because pam-auth-update is missing in Lenny.&lt;/p&gt;

&lt;h2&gt;LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir&lt;/h2&gt;

This is the traditional method with a twist.  The password caching is
provided by libpam-ccreds (version 10-4 or later is needed on
Squeeze), and the directory caching is done by nscd.  The directory
lookup and password checking is done using LDAP.  If one want to use
Kerberos for password checking the libpam-ldapd package can be
replaced with libpam-krb5 or libpam-heimdal.  If one is happy having a
local home directory with the path listed in LDAP, one can use the
pam_mkhomedir module from pam-modules to make this happen instead of
using libpam-mklocaluser.  A setup for pam-auth-update to enable
pam_mkhomedir will have to be written until a fix for
&lt;a href=&quot;http://bugs.debian.org/568577&quot;&gt;bug #568577&lt;/a&gt; is in the
archive.  Because I believe it is a bad idea to have local home
directories using misleading paths like /site/server/partition/, I
prefer to create a local user with the home directory in /home/.  This
is done using the libpam-mklocaluser package.&lt;/p&gt;

&lt;p&gt;These packages need to be installed and configured&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The ldapd packages will ask for LDAP connection information, and
one have to fill in the values that fits ones own site.  Make sure the
PAM part uses encrypted connections, to make sure the password is not
sent in clear text to the LDAP server.  I&#39;ve been unable to get TLS
certificate checking for a self signed certificate working, which make
LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
is talking to the correct LDAP server), and very much welcome feedback
on how to get this working.&lt;/p&gt;

&lt;p&gt;Because nscd do not have a default configuration fit for offline
caching until &lt;a href=&quot;http://bugs.debian.org/485282&quot;&gt;bug #485282&lt;/a&gt;
is fixed, this configuration should be used instead of the one
currently in /etc/nscd.conf.  The changes are in the fields
reload-count and positive-time-to-live, and is based on the
instructions I found in the
&lt;a href=&quot;http://www.flyn.org/laptopldap/&quot;&gt;LDAP for Mobile Laptops&lt;/a&gt;
instructions by Flyn Computing.&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
        debug-level             0
        reload-count            unlimited
        paranoia                no

        enable-cache            passwd          yes
        positive-time-to-live   passwd          2592000
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes
        persistent              passwd          yes
        shared                  passwd          yes
        max-db-size             passwd          33554432
        auto-propagate          passwd          yes

        enable-cache            group           yes
        positive-time-to-live   group           2592000
        negative-time-to-live   group           20
        suggested-size          group           211
        check-files             group           yes
        persistent              group           yes
        shared                  group           yes
        max-db-size             group           33554432
        auto-propagate          group           yes

        enable-cache            hosts           no
        positive-time-to-live   hosts           2592000
        negative-time-to-live   hosts           20
        suggested-size          hosts           211
        check-files             hosts           yes
        persistent              hosts           yes
        shared                  hosts           yes
        max-db-size             hosts           33554432

        enable-cache            services        yes
        positive-time-to-live   services        2592000
        negative-time-to-live   services        20
        suggested-size          services        211
        check-files             services        yes
        persistent              services        yes
        shared                  services        yes
        max-db-size             services        33554432
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;While we wait for a mechanism to update /etc/nsswitch.conf
automatically like the one provided in
&lt;a href=&quot;http://bugs.debian.org/496915&quot;&gt;bug #496915&lt;/a&gt;, the file
content need to be manually replaced to ensure LDAP is used as the
directory service on the machine.  /etc/nsswitch.conf should normally
look like this:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      files
services:       files
ethers:         files
rpc:            files
netgroup:       files ldap
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The important parts are that ldap is listed last for passwd, group,
shadow and netgroup.&lt;/p&gt;

&lt;p&gt;With these changes in place, any user in LDAP will be able to log
in locally on the machine using for example kdm, get a local home
directory created and have the password as well as user and group
attributes cached.

&lt;h2&gt;LDAP/Kerberos + nss-updatedb + libpam-ccreds +
  libpam-mklocaluser/pam_mkhomedir&lt;/h2&gt;

&lt;p&gt;Because nscd have had its share of problems, and seem to have
problems doing proper caching, I&#39;ve seen suggestions and recipes to
use nss-updatedb to copy parts of the LDAP database locally when the
LDAP database is available.  I have not tested such setup, because I
discovered sssd.&lt;/p&gt;

&lt;h2&gt;LDAP/Kerberos + sssd + libpam-mklocaluser&lt;/h2&gt;

&lt;p&gt;A more flexible and robust setup than the nscd combination
mentioned earlier that has shown up recently, is the
&lt;a href=&quot;https://fedorahosted.org/sssd/&quot;&gt;sssd&lt;/a&gt; package from Redhat.
It is part of the &lt;a href=&quot;http://www.freeipa.org/&quot;&gt;FreeIPA&lt;/A&gt; project
to provide a Active Directory like directory service for Linux
machines.  The sssd system combines the caching of passwords and user
information into one package, and remove the need for nscd and
libpam-ccreds.  It support LDAP and Kerberos, but not NIS.  Version
1.2 do not support netgroups, but it is said that it will support this
in version 1.5 expected to show up later in 2010.  Because the
&lt;a href=&quot;http://packages.qa.debian.org/s/sssd.html&quot;&gt;sssd package&lt;/a&gt;
was missing in Debian, I ended up co-maintaining it with Werner, and
version 1.2 is now in testing.

&lt;p&gt;These packages need to be installed and configured to get the
roaming setup I want&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
libpam-sss libnss-sss libpam-mklocaluser
&lt;/pre&gt;&lt;/blockquote&gt;

The complete setup of sssd is done by editing/creating
&lt;tt&gt;/etc/sssd/sssd.conf&lt;/tt&gt;.

&lt;blockquote&gt;&lt;pre&gt;
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = INTERN

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/INTERN]
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap
ldap_search_base = dc=skole,dc=skolelinux,dc=no
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;I got the same problem here with certificate checking.  Had to set
&quot;ldap_tls_reqcert = never&quot; to get it working.&lt;/p&gt;

&lt;p&gt;With the libnss-sss package in testing at the moment, the
nsswitch.conf file is update automatically, so there is no need to
modify it manually.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>LUMA, a very nice LDAP GUI</title>
                <link>http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html</guid>
                <pubDate>Mon, 28 Jun 2010 00:30:00 +0200</pubDate>
                <description>
&lt;p&gt;The last few days I have been looking into the status of the LDAP
directory in Debian Edu, and in the process I started to miss a GUI
tool to browse the LDAP tree.  The only one I was able to find in
Debian/Squeeze and Lenny is
&lt;a href=&quot;http://luma.sourceforge.net/&quot;&gt;LUMA&lt;/a&gt;, which has proved to
be a great tool to get a overview of the current LDAP directory
populated by default in Skolelinux.  Thanks to it, I have been able to
find empty and obsolete subtrees, misplaced objects and duplicate
objects.  It will be installed by default in Debian/Squeeze.  If you
are working with LDAP, give it a go. :)&lt;/p&gt;

&lt;p&gt;I did notice one problem with it I have not had time to report to
the BTS yet.  There is no .desktop file in the package, so the tool do
not show up in the Gnome and KDE menus, but only deep down in in the
Debian submenu in KDE.  I hope that can be fixed before Squeeze is
released.&lt;/p&gt;

&lt;p&gt;I have not yet been able to get it to modify the tree yet.  I would
like to move objects and remove subtrees directly in the GUI, but have
not found a way to do that with LUMA yet.  So in the mean time, I use
&lt;a href=&quot;http://www.lichteblau.com/ldapvi/&quot;&gt;ldapvi&lt;/a&gt; for that.&lt;/p&gt;

&lt;p&gt;If you have tips on other GUI tools for LDAP that might be useful
in Debian Edu, please contact us on debian-edu@lists.debian.org.&lt;/p&gt;

&lt;p&gt;Update 2010-06-29: Ross Reedstrom tipped us about the
&lt;a href=&quot;http://packages.qa.debian.org/g/gq.html&quot;&gt;gq&lt;/a&gt; package as a
useful GUI alternative.  It seem like a good tool, but is unmaintained
in Debian and got a RC bug keeping it out of Squeeze.  Unless that
changes, it will not be an option for Debian Edu based on Squeeze.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Idea for a change to LDAP schemas allowing DNS and DHCP info to be combined into one object</title>
                <link>http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html</guid>
                <pubDate>Thu, 24 Jun 2010 00:35:00 +0200</pubDate>
                <description>
&lt;p&gt;A while back, I
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html&quot;&gt;complained
about the fact&lt;/a&gt; that it is not possible with the provided schemas
for storing DNS and DHCP information in LDAP to combine the two sets
of information into one LDAP object representing a computer.&lt;/p&gt;

&lt;p&gt;In the mean time, I discovered that a simple fix would be to make
the dhcpHost object class auxiliary, to allow it to be combined with
the dNSDomain object class, and thus forming one object for one
computer when storing both DHCP and DNS information in LDAP.&lt;/p&gt;

&lt;p&gt;If I understand this correctly, it is not safe to do this change
without also changing the assigned number for the object class, and I
do not know enough about LDAP schema design to do that properly for
Debian Edu.&lt;/p&gt;

&lt;p&gt;Anyway, for future reference, this is how I believe we could change
the
&lt;a href=&quot;http://tools.ietf.org/html/draft-ietf-dhc-ldap-schema-00&quot;&gt;DHCP
schema&lt;/a&gt; to solve at least part of the problem with the LDAP schemas
available today from IETF.&lt;/p&gt;

&lt;pre&gt;
--- dhcp.schema    (revision 65192)
+++ dhcp.schema    (working copy)
@@ -376,7 +376,7 @@
 objectclass ( 2.16.840.1.113719.1.203.6.6
        NAME &#39;dhcpHost&#39;
        DESC &#39;This represents information about a particular client&#39;
-       SUP top
+       SUP top AUXILIARY
        MUST cn
        MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
        X-NDS_CONTAINMENT (&#39;dhcpService&#39; &#39;dhcpSubnet&#39; &#39;dhcpGroup&#39;) )
&lt;/pre&gt;

&lt;p&gt;I very much welcome clues on how to do this properly for Debian
Edu/Squeeze.  We provide the DHCP schema in our debian-edu-config
package, and should thus be free to rewrite it as we see fit.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Calling tasksel like the installer, while still getting useful output</title>
                <link>http://people.skolelinux.org/pere/blog/Calling_tasksel_like_the_installer__while_still_getting_useful_output.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Calling_tasksel_like_the_installer__while_still_getting_useful_output.html</guid>
                <pubDate>Wed, 16 Jun 2010 14:55:00 +0200</pubDate>
                <description>
&lt;p&gt;A few times I have had the need to simulate the way tasksel
installs packages during the normal debian-installer run.  Until now,
I have ended up letting tasksel do the work, with the annoying problem
of not getting any feedback at all when something fails (like a
conffile question from dpkg or a download that fails), using code like
this:

&lt;blockquote&gt;&lt;pre&gt;
export DEBIAN_FRONTEND=noninteractive
tasksel --new-install
&lt;/pre&gt;&lt;/blockquote&gt;

This would invoke tasksel, let its automatic task selection pick the
tasks to install, and continue to install the requested tasks without
any output what so ever.

Recently I revisited this problem while working on the automatic
package upgrade testing, because tasksel would some times hang without
any useful feedback, and I want to see what is going on when it
happen.  Then it occured to me, I can parse the output from tasksel
when asked to run in test mode, and use that aptitude command line
printed by tasksel then to simulate the tasksel run.  I ended up using
code like this:

&lt;blockquote&gt;&lt;pre&gt;
export DEBIAN_FRONTEND=noninteractive
cmd=&quot;$(in_target tasksel -t --new-install | sed &#39;s/debconf-apt-progress -- //&#39;)&quot;
$cmd
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The content of $cmd is typically something like &quot;&lt;tt&gt;aptitude -q
--without-recommends -o APT::Install-Recommends=no -y install
~t^desktop$ ~t^gnome-desktop$ ~t^laptop$ ~pstandard ~prequired
~pimportant&lt;/tt&gt;&quot;, which will install the gnome desktop task, the
laptop task and all packages with priority standard , required and
important, just like tasksel would have done it during
installation.&lt;/p&gt;

&lt;p&gt;A better approach is probably to extend tasksel to be able to
install packages without using debconf-apt-progress, for use cases
like this.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Vinmonopolet bryter loven åpenlyst - og flere planlegger å gjøre det samme</title>
                <link>http://people.skolelinux.org/pere/blog/Vinmonopolet_bryter_loven___penlyst___og_flere_planlegger____gj__re_det_samme.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Vinmonopolet_bryter_loven___penlyst___og_flere_planlegger____gj__re_det_samme.html</guid>
                <pubDate>Wed, 16 Jun 2010 11:00:00 +0200</pubDate>
                <description>
&lt;p&gt;&lt;a href=&quot;http://www.dagbladet.no/2010/06/16/nyheter/innenriks/streik/arbeidsliv/12157858/&quot;&gt;Dagbladet
melder&lt;/a&gt; at Vinmonopolet med bakgrunn i vekterstreiken som pågår i
Norge for tiden, har bestemt seg for med vitende og vilje å bryte
sentralbanklovens paragraf 14 ved å nekte folk å betale med
kontanter, og at flere butikker planlegger å følge deres eksempel.
Jeg synes det er hårreisende hvis de slipper unna med et slikt
soleklart lovbrudd, og lurer på hva slags muligheter jeg vil ha hvis
jeg blir nektet å handle med kontanter.  Jeg handler i hovedsak med
kontanter selv, da jeg anser det som en borgerrett å kunne handle
anonymt uten at det blir registrert.  For meg er det et angrep på mitt
personvern å nekte å ta imot kontant betaling.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.lovdata.no/all/tl-19850524-028-003.html#14&quot;&gt;Paragrafen
i sentralbankloven&lt;/a&gt; lyder:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;§ 14. Tvungent betalingsmiddel&lt;/p&gt;

&lt;p&gt;Bankens sedler og mynter er tvungent betalingsmiddel i Norge. Ingen
er pliktig til i én betaling å ta imot mer enn femogtyve mynter av
hver enhet.&lt;/p&gt;

&lt;p&gt;Sterkt skadde sedler og mynter er ikke tvungent
betalingsmiddel. Banken gir nærmere forskrifter om erstatning for
bortkomne, brente eller skadde sedler og mynter.&lt;/p&gt;

&lt;p&gt;Selv om en avtale inneholder klausul om betaling av en
pengeforpliktelse i gullverdi, kan skyldneren frigjøre seg med tvungne
betalingsmidler uten hensyn til denne klausul.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Det er med bakgrunn i denne lovet ikke tillatt å nekte å ta imot
kontakt betaling.  Det er en lov jeg har sans for, og som jeg mener må
håndheves strengt.&lt;/p&gt;
</description>
        </item>
        
        </channel>
</rss>