<item>
- <title>Caching password, user and group on a roaming Debian laptop</title>
- <link>http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</guid>
- <pubDate>Thu, 1 Jul 2010 11:40:00 +0200</pubDate>
- <description><p>For a laptop, centralized user directories and password checking is
-a bit troubling. Laptops are typically used also when not connected
-to the network, and it is vital for a user to be able to log in or
-unlock the screen saver also when a central server is unavailable.
-This is possible by caching passwords and directory information (user
-and group attributes) locally, and the packages to do so are available
-in Debian. Here follow two recipes to set this up in Debian/Squeeze.
-It is also possible to set up in Debian/Lenny, but require more manual
-setup there because pam-auth-update is missing in Lenny.</p>
-
-<h2>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir</h2>
+ <title>Circular package dependencies harms apt recovery</title>
+ <link>http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html</guid>
+ <pubDate>Tue, 27 Jul 2010 23:50:00 +0200</pubDate>
+ <description><p>I discovered this while doing
+<a href="http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html">automated
+testing of upgrades from Debian Lenny to Squeeze</a>. A few packages
+in Debian still got circular dependencies, and it is often claimed
+that apt and aptitude should be able to handle this just fine, but
+some times these dependency loops causes apt to fail.</p>
-This is the traditional method with a twist. The password caching is
-provided by libpam-ccreds (version 10-4 or later is needed on
-Squeeze), and the directory caching is done by nscd. The directory
-lookup and password checking is done using LDAP. If one want to use
-Kerberos for password checking the libpam-ldapd package can be
-replaced with libpam-krb5 or libpam-heimdal. If one is happy having a
-local home directory with the path listed in LDAP, one can use the
-pam_mkhomedir module from pam-modules to make this happen instead of
-using libpam-mklocaluser. A setup for pam-auth-update to enable
-pam_mkhomedir will have to be written until a fix for
-<a href="http://bugs.debian.org/568577">bug #568577</a> is in the
-archive. Because I believe it is a bad idea to have local home
-directories using misleading paths like /site/server/partition/, I
-prefer to create a local user with the home directory in /home/. This
-is done using the libpam-mklocaluser package.</p>
+<p>An example is from todays
+<a href="http://people.skolelinux.org/~pere/debian-upgrade-testing//test-20100727-lenny-squeeze-kde-aptitude.txt">upgrade
+of KDE using aptitude</a>. In it, a bug in kdebase-workspace-data
+causes perl-modules to fail to upgrade. The cause is simple. If a
+package fail to unpack, then only part of packages with the circular
+dependency might end up being unpacked when unpacking aborts, and the
+ones already unpacked will fail to configure in the recovery phase
+because its dependencies are unavailable.</p>
-<p>These packages need to be installed and configured</p>
+<p>In this log, the problem manifest itself with this error:</p>
<blockquote><pre>
-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
+dpkg: dependency problems prevent configuration of perl-modules:
+ perl-modules depends on perl (>= 5.10.1-1); however:
+ Version of perl on system is 5.10.0-19lenny2.
+dpkg: error processing perl-modules (--configure):
+ dependency problems - leaving unconfigured
</pre></blockquote>
-<p>The ldapd packages will ask for LDAP connection information, and
-one have to fill in the values that fits ones own site. Make sure the
-PAM part uses encrypted connections, to make sure the password is not
-sent in clear text to the LDAP server. I've been unable to get TLS
-certificate checking for a self signed certificate working, which make
-LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
-is talking to the correct LDAP server), and very much welcome feedback
-on how to get this working.</p>
+<p>The perl/perl-modules circular dependency is already
+<a href="http://bugs.debian.org/527917">reported as a bug</a>, and will
+hopefully be solved as soon as possible, but it is not the only one,
+and each one of these loops in the dependency tree can cause similar
+failures. Of course, they only occur when there are bugs in other
+packages causing the unpacking to fail, but it is rather nasty when
+the failure of one package causes the problem to become worse because
+of dependency loops.</p>
-<p>Because nscd do not have a default configuration fit for offline
-caching until <a href="http://bugs.debian.org/485282">bug #485282</a>
-is fixed, this configuration should be used instead of the one
-currently in /etc/nscd.conf. The changes are in the fields
-reload-count and positive-time-to-live, and is based on the
-instructions I found in the
-<a href="http://www.flyn.org/laptopldap/">LDAP for Mobile Laptops</a>
-instructions by Flyn Computing.</p>
+<p>Thanks to
+<a href="http://lists.debian.org/debian-devel/2010/06/msg00116.html">the
+tireless effort by Bill Allombert</a>, the number of circular
+dependencies
+<a href="http://debian.semistable.com/debgraph.out.html">left in Debian
+is dropping</a>, and perhaps it will reach zero one day. :)</p>
-<blockquote><pre>
- debug-level 0
- reload-count unlimited
- paranoia no
+<p>Todays testing also exposed a bug in
+<a href="http://bugs.debian.org/590605">update-notifier</a> and
+<a href="http://bugs.debian.org/590604">different behaviour</a> between
+apt-get and aptitude, the latter possibly caused by some circular
+dependency. Reported both to BTS to try to get someone to look at
+it.</p>
+</description>
+ </item>
+
+ <item>
+ <title>First Debian Edu test release (alpha0) based on Squeeze is released</title>
+ <link>http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html</guid>
+ <pubDate>Tue, 27 Jul 2010 17:45:00 +0200</pubDate>
+ <description><p>I just posted this announcement culminating several months of work
+with the next Debian Edu release. Not nearly done, but one major step
+completed.</p>
- enable-cache passwd yes
- positive-time-to-live passwd 2592000
- negative-time-to-live passwd 20
- suggested-size passwd 211
- check-files passwd yes
- persistent passwd yes
- shared passwd yes
- max-db-size passwd 33554432
- auto-propagate passwd yes
+<blockquote>
+<p>This is the first test release based on Squeeze. The focus of this
+release is to test the user application selection. To have a look,
+install the standalone profile and let the developers know if the set
+of installed packages i.e. applications should be modified. If some
+user application is missing, or if there are some applications that no
+longer make sense to be included in Debian Edu, please let us know.
+Also, if a useful application is missing the translation for your
+language of choice, please let us know too.</p>
- enable-cache group yes
- positive-time-to-live group 2592000
- negative-time-to-live group 20
- suggested-size group 211
- check-files group yes
- persistent group yes
- shared group yes
- max-db-size group 33554432
- auto-propagate group yes
+<p>In addition, feedback and help to polish the desktop (menus,
+artwork, starters, etc.) is appreciated. We would like to ship a nice
+and handy KDE4 desktop targeted for schools out of the box.</p>
- enable-cache hosts no
- positive-time-to-live hosts 2592000
- negative-time-to-live hosts 20
- suggested-size hosts 211
- check-files hosts yes
- persistent hosts yes
- shared hosts yes
- max-db-size hosts 33554432
+<p>The other profiles should be installable, but there is a lot more
+work left to be done before they are ready, so do not expect to
+much.</p>
- enable-cache services yes
- positive-time-to-live services 2592000
- negative-time-to-live services 20
- suggested-size services 211
- check-files services yes
- persistent services yes
- shared services yes
- max-db-size services 33554432
-</pre></blockquote>
+<p>Changes compared to the lenny based version</p>
-<p>While we wait for a mechanism to update /etc/nsswitch.conf
-automatically like the one provided in
-<a href="http://bugs.debian.org/496915">bug #496915</a>, the file
-content need to be manually replaced to ensure LDAP is used as the
-directory service on the machine. /etc/nsswitch.conf should normally
-look like this:</p>
+<ul>
+<li>Everything from Debian Squeeze
+<ul>
+ <li>Desktop environment KDE 4.4 => the new KDE desktop in
+ combination with some new artwork
+ <li>Web browser Iceweasel 3.5
+ <li>OpenOffice.org 3.2
+ <li>Educational toolbox GCompris 9.3
+ <li>Music creator Rosegarden 10.04.2
+ <li>Image editor Gimp 2.6.10
+ <li>Virtual universe Celestia 1.6.0
+ <li>Virtual stargazer Stellarium 0.10.4
+ <li>3D modeler Blender 2.49.2 (new application)
+ <li>Video editor Kdenlive 0.7.7 (new application)
+</ul></li>
+<li>Now using Kerberos for password checking (migration not finished).
+ Enabled for:
+<ul>
+ <li>PAM
+ <li>LDAP
+ <li>IMAP
+ <li>SMTP (sender verification)
+</ul>
+</li>
+<li>New experimental roaming workstation profile for laptops.</li>
+<li>Show welcome page to users when they first log in. The URL is
+ fetched from LDAP.</li>
+<li>New LXDE desktop option, in addition to KDE (default) and Gnome.</li>
+<li>General cleanup (not finished)</li>
+</ul>
+<p>The following features are not working as they should</p>
-<blockquote><pre>
-passwd: files ldap
-group: files ldap
-shadow: files ldap
-hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks: files
-protocols: files
-services: files
-ethers: files
-rpc: files
-netgroup: files ldap
-</pre></blockquote>
+<ul>
+<li>No web based administration tool for creating users and groups. The
+ scripts ldap-createuser-krb and ldap-add-user-to-group can be used
+ for testing.</li>
+<li>DVD installs are missing debian-installer images for the PXE boot,
+ and do not set up the PXE menu on eth0 because of this. LTSP
+ clients should still boot from eth1 on thin client servers.</li>
+<li>The restructured KDE menu is not implemented.</li>
+<li>The LDAP server setup need to be reviewed for security.</li>
+<li>The LDAP directory structure need to be reworked.</li>
+<li>Different sets of packages are installed when using the DVD and the
+ netinst CD. More packages are installed using the netinst CD.</li>
+<li>The jackd package fail to install. This is believed to be caused by
+ some ongoing transition, and hopefully should be solved soon. The
+ jackd1 package can be installed manually for those that need it.</li>
+<li>Some packages lack translations. See
+ http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status,
+ and help out with translations.</li>
+</ul>
-<p>The important parts are that ldap is listed last for passwd, group,
-shadow and netgroup.</p>
+<p>To download this multiarch netinstall release you can use</p>
-<p>With these changes in place, any user in LDAP will be able to log
-in locally on the machine using for example kdm, get a local home
-directory created and have the password as well as user and group
-attributes cached.
+<ul>
+<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li>
+<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li>
+<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</li>
+</ul>
+<p>To download this multiarch dvd release you can use</p>
-<h2>LDAP/Kerberos + nss-updatedb + libpam-ccreds +
- libpam-mklocaluser/pam_mkhomedir</h2>
+<ul>
+<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li>
+<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li>
+<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</li>
+</ul>
-<p>Because nscd have had its share of problems, and seem to have
-problems doing proper caching, I've seen suggestions and recipes to
-use nss-updatedb to copy parts of the LDAP database locally when the
-LDAP database is available. I have not tested such setup, because I
-discovered sssd.</p>
+<p>There is no source DVD available yet. It will be prepared when we
+get closer to the final release.</p>
-<h2>LDAP/Kerberos + sssd + libpam-mklocaluser</h2>
+<p>The MD5SUM of these images are</p>
-<p>A more flexible and robust setup than the nscd combination
-mentioned earlier that has shown up recently, is the
-<a href="https://fedorahosted.org/sssd/">sssd</a> package from Redhat.
-It is part of the <a href="http://www.freeipa.org/">FreeIPA</A> project
-to provide a Active Directory like directory service for Linux
-machines. The sssd system combines the caching of passwords and user
-information into one package, and remove the need for nscd and
-libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version
-1.2 do not support netgroups, but it is said that it will support this
-in version 1.5 expected to show up later in 2010. Because the
-<a href="http://packages.qa.debian.org/s/sssd.html">sssd package</a>
-was missing in Debian, I ended up co-maintaining it with Werner, and
-version 1.2 is now in testing.
-
-<p>These packages need to be installed and configured to get the
-roaming setup I want</p>
+<ul>
+<li>3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso</li>
+<li>22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso</li>
+</ul>
-<blockquote><pre>
-libpam-sss libnss-sss libpam-mklocaluser
-</pre></blockquote>
+<p>The SHA1SUM of these images are</p>
+<ul>
+<li>c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso</li>
+<li>2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso</li>
+</ul>
+<p>How to report bugs:
+http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla</p>
-The complete setup of sssd is done by editing/creating
-<tt>/etc/sssd/sssd.conf</tt>.
+<p>Please direct replies to debian-edu@lists.debian.org</p>
+</blockquote>
+</description>
+ </item>
+
+ <item>
+ <title>One step closer to single signon in Debian Edu</title>
+ <link>http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</guid>
+ <pubDate>Sun, 25 Jul 2010 10:00:00 +0200</pubDate>
+ <description><p>The last few months me and the other Debian Edu developers have
+been working hard to get the Debian/Squeeze based version of Debian
+Edu/Skolelinux into shape. This future version will use Kerberos for
+authentication, and services are slowly migrated to single signon,
+getting rid of password questions one at the time.</p>
-<blockquote><pre>
-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = INTERN
+<p>It will also feature a roaming workstation profile with local home
+directory, for laptops that are only some times on the Skolelinux
+network, and for this profile a shortcut is created in Gnome and KDE
+to gain access to the users home directory on the file server. This
+shortcut uses SMB at the moment, and yesterday I had time to test if
+SMB mounting had started working in KDE after we added the cifs-utils
+package. I was pleasantly surprised how well it worked.</p>
-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
+<p>Thanks to the recent changes to our samba configuration to get it
+to use Kerberos for authentication, there were no question about user
+password when mounting the SMB volume. A simple click on the shortcut
+in the KDE menu, and a window with the home directory popped
+up. :)</p>
-[pam]
-reconnection_retries = 3
+<p>One step closer to a single signon solution out of the box in
+Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now
+also Samba. Next step is Cups and hopefully also NFS.</p>
-[domain/INTERN]
-enumerate = false
-cache_credentials = true
+<p>We had planned a alpha0 release of Debian Edu for today, but thanks
+to the autobuilder administrators for some architectures being slow to
+sign packages, we are still missing the fixed LTSP package we need for
+the release. It was uploaded three days ago with urgency=high, and if
+it had entered testing yesterday we would have been able to test it in
+time for a alpha0 release today. As the binaries for ia64 and powerpc
+still not uploaded to the Debian archive, we need to delay the alpha
+release another day.</p>
-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
+<p>If you want to help out with implementing Kerberos for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
+</description>
+ </item>
+
+ <item>
+ <title>Digitale restriksjonsmekanismer fikk meg til å slutte å kjøpe musikk</title>
+ <link>http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til___slutte___kj_pe_musikk.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til___slutte___kj_pe_musikk.html</guid>
+ <pubDate>Thu, 22 Jul 2010 23:50:00 +0200</pubDate>
+ <description><p>For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at
+musikkbransjen var godt i gang med å selge platene sine med DRM som
+gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg
+hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en
+plate om den var ødelagt eller ikke, og jeg hadde jo allerede en
+anseelig samling med plater, så jeg bestemme meg for å slutte å gi
+penger til en bransje som åpenbart ikke respekterte meg.</p>
-ldap_uri = ldap://ldap
-ldap_search_base = dc=skole,dc=skolelinux,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-</pre></blockquote>
+<p>Jeg har mange titalls dager med musikk på CD i dag. Det meste er
+lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har
+ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer
+musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt
+fornøyd.</p>
-<p>I got the same problem here with certificate checking. Had to set
-"ldap_tls_reqcert = never" to get it working.</p>
+<p>Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de
+setter pris på meg som kunde, og ikke skremme meg bort med DRM og
+antydninger om at kundene er kriminelle.</p>
-<p>With the libnss-sss package in testing at the moment, the
-nsswitch.conf file is update automatically, so there is no need to
-modify it manually.</p>
+<p>Filmbransjen er like ille, men mens musikk gjerne varer lenge, er
+filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men
+holder meg til DVD-filmer som kan spilles av på mine Linuxbokser.
+Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene
+«Ultraviolet» som be annonsert her om dagen.</p>
+</description>
+ </item>
+
+ <item>
+ <title>OpenStreetmap one step closer to having routing on its front page</title>
+ <link>http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html</guid>
+ <pubDate>Sun, 18 Jul 2010 16:45:00 +0200</pubDate>
+ <description><p>Thanks to
+<a href="http://feedproxy.google.com/~r/Opengeodata/~3/wUTCzDZk3lc/project-of-the-week-which-way-home">todays
+opengeodata blog entry</a>, I just discovered that the
+OpenStreetmap.org site have gotten
+<a href="http://nroets.dev.openstreetmap.org/demo/index.html?layers=B000FTFTT">support
+for calculating routes</a>. The support is still experimental and
+only available from the development server, until more experience is
+gathered on the user interface and any scalability issues.</p>
-<p>If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
+<p>Earlier, the routing I knew about using the OpenStreetmap.org data
+was provided by <a href="http://maps.cloudmade.com/">Cloudmade</a>,
+but having it on the main page is required to make everyone aware of
+the issue. I've had people reject Openstreetmap.org as a viable
+alternative for them because the front page lacked routing support,
+and I hope their needs will be catered for when routing show up on the
+www.openstreetmap.org front page.</p>
</description>
</item>
<item>
- <title>Lenny->Squeeze upgrades, apt vs aptitude with the Gnome desktop</title>
- <link>http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</guid>
- <pubDate>Sat, 3 Jul 2010 23:55:00 +0200</pubDate>
- <description><p>Here is a short update on my <a
-href="http://people.skolelinux.org/~pere/debian-upgrade-testing/">my
-Debian Lenny->Squeeze upgrade testing</a>. Here is a summary of the
-difference for Gnome when it is upgraded by apt-get and aptitude. I'm
-not reporting the status for KDE, because the upgrade crashes when
-aptitude try because of missing conflicts
-(<a href="http://bugs.debian.org/584861">#584861</a> and
-<a href="http://bugs.debian.org/585716">#585716</a>).</p>
+ <title>What are they searching for - PowerDNS and ISC DHCP in LDAP</title>
+ <link>http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html</guid>
+ <pubDate>Sat, 17 Jul 2010 21:00:00 +0200</pubDate>
+ <description><p>This is a
+<a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">followup</a>
+on my
+<a href="http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html">previous
+work</a> on
+<a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">merging
+all</a> the computer related LDAP objects in Debian Edu.</p>
-<p>At the end of the upgrade test script, dpkg -l is executed to get a
-complete list of the installed packages. Based on this I see these
-differences when I did a test run today. As usual, I do not really
-know what the correct set of packages would be, but thought it best to
-publish the difference.</p>
+<p>As a step to try to see if it possible to merge the DNS and DHCP
+LDAP objects, I have had a look at how the packages pdns-backend-ldap
+and dhcp3-server-ldap in Debian use the LDAP server. The two
+implementations are quite different in how they use LDAP.</p>
-<p>Installed using apt-get, missing with aptitude</p>
+To get this information, I started slapd with debugging enabled and
+dumped the debug output to a file to get the LDAP searches performed
+on a Debian Edu main-server. Here is a summary.
-<blockquote><p>
- at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs
- libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common
- libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin
- libgtksourceview-common libpt-1.10.10-plugins-alsa
- libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java
- libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip
- python-4suite-xml python-eggtrayicon python-gtkhtml2
- python-gtkmozembed svgalibg1 xserver-xephyr zip
-</p></blockquote>
+<p><strong>powerdns</strong></p>
-<p>Installed using apt-get, removed with aptitude</p>
+<a href="http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend">Clues
+on how to</a> set up PowerDNS to use a LDAP backend is available on
+the web.
-<blockquote><p>
- bluez-utils dhcdbd djvulibre-desktop epiphany-gecko
- gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager
- libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50
- libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3
- libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9
- libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3
- libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9
- libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2
- libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0
- libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0
- libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50
- libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10
- libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4
- libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5
- libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3
- libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8
- libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1
- libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj
- libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3
- mysql-common swfdec-gnome totem-gstreamer wodim
-</p></blockquote>
+<p>PowerDNS have two modes of operation using LDAP as its backend.
+One "strict" mode where the forward and reverse DNS lookups are done
+using the same LDAP objects, and a "tree" mode where the forward and
+reverse entries are in two different subtrees in LDAP with a structure
+based on the DNS names, as in tjener.intern and
+2.2.0.10.in-addr.arpa.</p>
-<p>Installed using aptitude, missing with apt-get</p>
-
-<blockquote><p>
- gnome gnome-desktop-environment hamster-applet python-gnomeapplet
- python-gnomekeyring python-wnck rhythmbox-plugins xorg
- xserver-xorg-input-all xserver-xorg-input-evdev
- xserver-xorg-input-kbd xserver-xorg-input-mouse
- xserver-xorg-input-synaptics xserver-xorg-video-all
- xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati
- xserver-xorg-video-chips xserver-xorg-video-cirrus
- xserver-xorg-video-dummy xserver-xorg-video-fbdev
- xserver-xorg-video-glint xserver-xorg-video-i128
- xserver-xorg-video-i740 xserver-xorg-video-mach64
- xserver-xorg-video-mga xserver-xorg-video-neomagic
- xserver-xorg-video-nouveau xserver-xorg-video-nv
- xserver-xorg-video-r128 xserver-xorg-video-radeon
- xserver-xorg-video-radeonhd xserver-xorg-video-rendition
- xserver-xorg-video-s3 xserver-xorg-video-s3virge
- xserver-xorg-video-savage xserver-xorg-video-siliconmotion
- xserver-xorg-video-sis xserver-xorg-video-sisusb
- xserver-xorg-video-tdfx xserver-xorg-video-tga
- xserver-xorg-video-trident xserver-xorg-video-tseng
- xserver-xorg-video-vesa xserver-xorg-video-vmware
- xserver-xorg-video-voodoo
-</p></blockquote>
-
-<p>Installed using aptitude, removed with apt-get</p>
-
-<blockquote><p>
- deskbar-applet xserver-xorg xserver-xorg-core
- xserver-xorg-input-wacom xserver-xorg-video-intel
- xserver-xorg-video-openchrome
-</p></blockquote>
-
-<p>I was told on IRC that the xorg-xserver package was
-<a href="http://git.debian.org/?p=pkg-xorg/xserver/xorg-server.git;a=commit;h=9c8080d06c457932d3bfec021c69ac000aa60120">changed
-in git</a> today to try to get apt-get to not remove xorg completely.
-No idea when it hits Squeeze, but when it does I hope it will reduce
-the difference somewhat.
-</description>
- </item>
-
- <item>
- <title>MS Word krøller det til for politiet?</title>
- <link>http://people.skolelinux.org/pere/blog/MS_Word_kr_ller_det_til_for_politiet_.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/MS_Word_kr_ller_det_til_for_politiet_.html</guid>
- <pubDate>Thu, 8 Jul 2010 14:00:00 +0200</pubDate>
- <description><p>De siste dagene har Aftenposten
-<a href="http://www.aftenposten.no/nyheter/iriks/article3718597.ece">fortalt</a>
-<a href="http://www.aftenposten.no/nyheter/iriks/article3724249.ece">hvordan</a>
-politet har brukt skriveverktøy som ikke håndterer arabisk tekst og
-tekst som skal skrives fra høyre mot venstre når de har laget
-løpeseddel for å be om informasjon fra publikum. Resultatet har vært
-en uleselig arabisk-bit på løpeseddelen. Feilen har oppstått når
-teksten har blitt "kopiert inn i programvare som ikke har støtte for
-språk som skrives fra høyre mot venstre", og jeg er ganske sikker på
-at det er snakk om Microsoft Office i dette tilfellet. Er det slik at
-MS Office i norsk språkdrakt ikke har støtte for tekst som skal
-skrives fra høyre mot venstre? Jeg tror alle utgaver av
-OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å
-la slik støtte finnes i alle utgaver av et program hvis støtten først
-er utviklet. Aftenpostens melding får meg til å undre om problemet
-ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS
-Office.</p>
-
-<p>Mon tro om det er flere eksempler på at MS Office har ødelagt for
-offentlig myndighet?</p>
-</description>
- </item>
-
- <item>
- <title>jXplorer, a very nice LDAP GUI</title>
- <link>http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</guid>
- <pubDate>Fri, 9 Jul 2010 12:55:00 +0200</pubDate>
- <description><p>Since
-<a href="http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html">my
-last post</a> about available LDAP tools in Debian, I was told about a
-LDAP GUI that is even better than luma. The java application
-<a href="http://jxplorer.org/">jXplorer</a> is claimed to be capable of
-moving LDAP objects and subtrees using drag-and-drop, and can
-authenticate using Kerberos. I have only tested the Kerberos
-authentication, but do not have a LDAP setup allowing me to rewrite
-LDAP with my test user yet. It is
-<a href="http://packages.qa.debian.org/j/jxplorer.html">available in
-Debian</a> testing and unstable at the moment. The only problem I
-have with it is how it handle errors. If something go wrong, its
-non-intuitive behaviour require me to go through some query work list
-and remove the failing query. Nothing big, but very annoying.</p>
-</description>
- </item>
-
- <item>
- <title>Idea for storing LTSP configuration in LDAP</title>
- <link>http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</guid>
- <pubDate>Sun, 11 Jul 2010 22:00:00 +0200</pubDate>
- <description><p>Vagrant mentioned on IRC today that ltsp_config now support
-sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin
-clients, and that this can be used to fetch configuration from LDAP if
-Debian Edu choose to store configuration there.</p>
-
-<p>Armed with this information, I got inspired and wrote a test module
-to get configuration from LDAP. The idea is to look up the MAC
-address of the client in LDAP, and look for attributes on the form
-ltspconfigsetting=value, and use this to export SETTING=value to the
-LTSP clients.</p>
-
-<p>The goal is to be able to store the LTSP configuration attributes
-in a "computer" LDAP object used by both DNS and DHCP, and thus
-allowing us to store all information about a computer in one place.</p>
-
-<p>This is a untested draft implementation, and I welcome feedback on
-this approach. A real LDAP schema for the ltspClientAux objectclass
-need to be written. Comments, suggestions, etc?</p>
-
-<blockquote><pre>
-# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
-#
-# Fetch LTSP client settings from LDAP based on MAC address
-#
-# Uses ethernet address as stored in the dhcpHost objectclass using
-# the dhcpHWAddress attribute or ethernet address stored in the
-# ieee802Device objectclass with the macAddress attribute.
-#
-# This module is written to be schema agnostic, and only depend on the
-# existence of attribute names.
-#
-# The LTSP configuration variables are saved directly using a
-# ltspConfig prefix and uppercasing the rest of the attribute name.
-# To set the SERVER variable, set the ltspConfigServer attribute.
-#
-# Some LDAP schema should be created with all the relevant
-# configuration settings. Something like this should work:
-#
-# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
-# SUP top
-# AUXILIARY
-# MAY ( ltspConfigServer $ ltsConfigSound $ ... )
-
-LDAPSERVER=$(debian-edu-ldapserver)
-if [ "$LDAPSERVER" ] ; then
- LDAPBASE=$(debian-edu-ldapserver -b)
- for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do
- filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))"
- ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \
- grep '^ltspConfig' | while read attr value ; do
- # Remove prefix and convert to upper case
- attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z)
- # bass value on to clients
- eval "$attr=$value; export $attr"
- done
- done
-fi
-</pre></blockquote>
-
-<p>I'm not sure this shell construction will work, because I suspect
-the while block might end up in a subshell causing the variables set
-there to not show up in ltsp-config, but if that is the case I am sure
-the code can be restructured to make sure the variables are passed on.
-I expect that can be solved with some testing. :)</p>
-
-<p>If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
-
-<p>Update 2010-07-17: I am aware of another effort to store LTSP
-configuration in LDAP that was created around year 2000 by
-<a href="http://www.pcxperience.com/thinclient/documentation/ldap.html">PC
-Xperience, Inc., 2000</a>. I found its
-<a href="http://people.redhat.com/alikins/ltsp/ldap/">files</a> on a
-personal home page over at redhat.com.</p>
-</description>
- </item>
-
- <item>
- <title>Combining PowerDNS and ISC DHCP LDAP objects</title>
- <link>http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</guid>
- <pubDate>Wed, 14 Jul 2010 23:45:00 +0200</pubDate>
- <description><p>For a while now, I have wanted to find a way to change the DNS and
-DHCP services in Debian Edu to use the same LDAP objects for a given
-computer, to avoid the possibility of having a inconsistent state for
-a computer in LDAP (as in DHCP but no DNS entry or the other way
-around) and make it easier to add computers to LDAP.</p>
-
-<p>I've looked at how powerdns and dhcpd is using LDAP, and using this
-information finally found a solution that seem to work.</p>
-
-<p>The old setup required three LDAP objects for a given computer.
-One forward DNS entry, one reverse DNS entry and one DHCP entry. If
-we switch powerdns to use its strict LDAP method (ldap-method=strict
-in pdns-debian-edu.conf), the forward and reverse DNS entries are
-merged into one while making it impossible to transfer the reverse map
-to a slave DNS server.</p>
-
-<p>If we also replace the object class used to get the DNS related
-attributes to one allowing these attributes to be combined with the
-dhcphost object class, we can merge the DNS and DHCP entries into one.
-I've written such object class in the dnsdomainaux.schema file (need
-proper OIDs, but that is a minor issue), and tested the setup. It
-seem to work.</p>
-
-<p>With this test setup in place, we can get away with one LDAP object
-for both DNS and DHCP, and even the LTSP configuration I suggested in
-an earlier email. The combined LDAP object will look something like
-this:</p>
-
-<blockquote><pre>
- dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
- cn: hostname
- objectClass: dhcphost
- objectclass: domainrelatedobject
- objectclass: dnsdomainaux
- associateddomain: hostname.intern
- arecord: 10.11.12.13
- dhcphwaddress: ethernet 00:00:00:00:00:00
- dhcpstatements: fixed-address hostname
- ldapconfigsound: Y
-</pre></blockquote>
-
-<p>The DNS server uses the associateddomain and arecord entries, while
-the DHCP server uses the dhcphwaddress and dhcpstatements entries
-before asking DNS to resolve the fixed-adddress. LTSP will use
-dhcphwaddress or associateddomain and the ldapconfig* attributes.</p>
-
-<p>I am not yet sure if I can get the DHCP server to look for its
-dhcphost in a different location, to allow us to put the objects
-outside the "DHCP Config" subtree, but hope to figure out a way to do
-that. If I can't figure out a way to do that, we can still get rid of
-the hosts subtree and move all its content into the DHCP Config tree
-(which probably should be renamed to be more related to the new
-content. I suspect cn=dnsdhcp,ou=services or something like that
-might be a good place to put it.</p>
-
-<p>If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
-</description>
- </item>
-
- <item>
- <title>What are they searching for - PowerDNS and ISC DHCP in LDAP</title>
- <link>http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html</guid>
- <pubDate>Sat, 17 Jul 2010 21:00:00 +0200</pubDate>
- <description><p>This is a
-<a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">followup</a>
-on my
-<a href="http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html">previous
-work</a> on
-<a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">merging
-all</a> the computer related LDAP objects in Debian Edu.</p>
-
-<p>As a step to try to see if it possible to merge the DNS and DHCP
-LDAP objects, I have had a look at how the packages pdns-backend-ldap
-and dhcp3-server-ldap in Debian use the LDAP server. The two
-implementations are quite different in how they use LDAP.</p>
-
-To get this information, I started slapd with debugging enabled and
-dumped the debug output to a file to get the LDAP searches performed
-on a Debian Edu main-server. Here is a summary.
-
-<p><strong>powerdns</strong></p>
-
-<a href="http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend">Clues
-on how to</a> set up PowerDNS to use a LDAP backend is available on
-the web.
-
-<p>PowerDNS have two modes of operation using LDAP as its backend.
-One "strict" mode where the forward and reverse DNS lookups are done
-using the same LDAP objects, and a "tree" mode where the forward and
-reverse entries are in two different subtrees in LDAP with a structure
-based on the DNS names, as in tjener.intern and
-2.2.0.10.in-addr.arpa.</p>
-
-<p>In tree mode, the server is set up to use a LDAP subtree as its
-base, and uses a "base" scoped search for the DNS name by adding
-"dc=tjener,dc=intern," to the base with a filter for
-"(associateddomain=tjener.intern)" for the forward entry and
-"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for
-"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry. For
-forward entries, it is looking for attributes named dnsttl, arecord,
-nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord,
-txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord,
-srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord,
-ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord,
-spfrecord and modifytimestamp. For reverse entries it is looking for
-the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord,
-ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord,
-locrecord, srvrecord, naptrrecord and modifytimestamp. The equivalent
-ldapsearch commands could look like this:</p>
+<p>In tree mode, the server is set up to use a LDAP subtree as its
+base, and uses a "base" scoped search for the DNS name by adding
+"dc=tjener,dc=intern," to the base with a filter for
+"(associateddomain=tjener.intern)" for the forward entry and
+"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for
+"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry. For
+forward entries, it is looking for attributes named dnsttl, arecord,
+nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord,
+txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord,
+srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord,
+ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord,
+spfrecord and modifytimestamp. For reverse entries it is looking for
+the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord,
+ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord,
+locrecord, srvrecord, naptrrecord and modifytimestamp. The equivalent
+ldapsearch commands could look like this:</p>
<blockquote><pre>
ldapsearch -h ldap \
))
</pre></blockquote>
-<p>This will allow any object to become a DNS entry when combined with
-the domainrelatedobject object class, and allow any entity to include
-all the attributes PowerDNS wants. I've sent an email to the PowerDNS
-developers asking for their view on this schema and if they are
-interested in providing such schema with PowerDNS, and I hope my
-message will be accepted into their mailing list soon.</p>
+<p>This will allow any object to become a DNS entry when combined with
+the domainrelatedobject object class, and allow any entity to include
+all the attributes PowerDNS wants. I've sent an email to the PowerDNS
+developers asking for their view on this schema and if they are
+interested in providing such schema with PowerDNS, and I hope my
+message will be accepted into their mailing list soon.</p>
+
+<p><strong>ISC dhcp</strong></p>
+
+<p>The DHCP server searches for specific objectclass and requests all
+the object attributes, and then uses the attributes it want. This
+make it harder to figure out exactly what attributes are used, but
+thanks to the working example in Debian Edu I can at least get an idea
+what is needed without having to read the source code.</p>
+
+<p>In the DHCP server configuration, the LDAP base to use and the
+search filter to use to locate the correct dhcpServer entity is
+stored. These are the relevant entries from
+/etc/dhcp3/dhcpd.conf:</p>
+
+<blockquote><pre>
+ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
+ldap-dhcp-server-cn "dhcp";
+</pre></blockquote>
+
+<p>The DHCP server uses this information to nest all the DHCP
+configuration it need. The cn "dhcp" is located using the given LDAP
+base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))". The
+search result is this entry:</p>
+
+<blockquote><pre>
+dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
+cn: dhcp
+objectClass: top
+objectClass: dhcpServer
+dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+</pre></blockquote>
+
+<p>The content of the dhcpServiceDN attribute is next used to locate the
+subtree with DHCP configuration. The DHCP configuration subtree base
+is located using a base scope search with base "cn=DHCP
+Config,dc=skole,dc=skolelinux,dc=no" and filter
+"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))".
+The search result is this entry:</p>
+
+<blockquote><pre>
+dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+cn: DHCP Config
+objectClass: top
+objectClass: dhcpService
+objectClass: dhcpOptions
+dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
+dhcpStatements: ddns-update-style none
+dhcpStatements: authoritative
+dhcpOption: smtp-server code 69 = array of ip-address
+dhcpOption: www-server code 72 = array of ip-address
+dhcpOption: wpad-url code 252 = text
+</pre></blockquote>
+
+<p>Next, the entire subtree is processed, one level at the time. When
+all the DHCP configuration is loaded, it is ready to receive requests.
+The subtree in Debian Edu contain objects with object classes
+top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions,
+top/dhcpSubnet, top/dhcpGroup and top/dhcpHost. These provide options
+and information about netmasks, dynamic range etc. Leaving out the
+details here because it is not relevant for the focus of my
+investigation, which is to see if it is possible to merge dns and dhcp
+related computer objects.</p>
+
+<p>When a DHCP request come in, LDAP is searched for the MAC address
+of the client (00:00:00:00:00:00 in this example), using a subtree
+scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as
+the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet
+00:00:00:00:00:00))" as the filter. This is what a host object look
+like:</p>
+
+<blockquote><pre>
+dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+cn: hostname
+objectClass: top
+objectClass: dhcpHost
+dhcpHWAddress: ethernet 00:00:00:00:00:00
+dhcpStatements: fixed-address hostname
+</pre></blockquote>
+
+<p>There is less flexiblity in the way LDAP searches are done here.
+The object classes need to have fixed names, and the configuration
+need to be stored in a fairly specific LDAP structure. On the
+positive side, the invidiual dhcpHost entires can be anywhere without
+the DN pointed to by the dhcpServer entries. The latter should make
+it possible to group all host entries in a subtree next to the
+configuration entries, and this subtree can also be shared with the
+DNS server if the schema proposed above is combined with the dhcpHost
+structural object class.
+
+<p><strong>Conclusion</strong></p>
+
+<p>The PowerDNS implementation seem to be very flexible when it come
+to which LDAP schemas to use. While its "tree" mode is rigid when it
+come to the the LDAP structure, the "strict" mode is very flexible,
+allowing DNS objects to be stored anywhere under the base cn specified
+in the configuration.</p>
+
+<p>The DHCP implementation on the other hand is very inflexible, both
+regarding which LDAP schemas to use and which LDAP structure to use.
+I guess one could implement ones own schema, as long as the
+objectclasses and attributes have the names used, but this do not
+really help when the DHCP subtree need to have a fairly fixed
+structure.</p>
+
+<p>Based on the observed behaviour, I suspect a LDAP structure like
+this might work for Debian Edu:</p>
+
+<blockquote><pre>
+ou=services
+ cn=machine-info (dhcpService) - dhcpServiceDN points here
+ cn=dhcp (dhcpServer)
+ cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
+ cn=10.0.2.0 (dhcpSubnet)
+ cn=group1 (dhcpGroup/dhcpOptions)
+ cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
+ cn=192.168.0.0 (dhcpSubnet)
+ cn=group1 (dhcpGroup/dhcpOptions)
+ ou=machines - PowerDNS base points here
+ cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
+</pre></blockquote>
+
+<P>This is not tested yet. If the DHCP server require the dhcpHost
+entries to be in the dhcpGroup subtrees, the entries can be stored
+there instead of a common machines subtree, and the PowerDNS base
+would have to be moved one level up to the machine-info subtree.</p>
+
+<p>The combined object under the machines subtree would look something
+like this:</p>
+
+<blockquote><pre>
+dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
+dc: hostname
+objectClass: top
+objectClass: dhcpHost
+objectclass: domainrelatedobject
+objectclass: dnsDomainAux
+associateddomain: hostname.intern
+arecord: 10.11.12.13
+dhcpHWAddress: ethernet 00:00:00:00:00:00
+dhcpStatements: fixed-address hostname.intern
+</pre></blockquote>
+
+</p>One could even add the LTSP configuration associated with a given
+machine, as long as the required attributes are available in a
+auxiliary object class.</p>
+</description>
+ </item>
+
+ <item>
+ <title>Combining PowerDNS and ISC DHCP LDAP objects</title>
+ <link>http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html</guid>
+ <pubDate>Wed, 14 Jul 2010 23:45:00 +0200</pubDate>
+ <description><p>For a while now, I have wanted to find a way to change the DNS and
+DHCP services in Debian Edu to use the same LDAP objects for a given
+computer, to avoid the possibility of having a inconsistent state for
+a computer in LDAP (as in DHCP but no DNS entry or the other way
+around) and make it easier to add computers to LDAP.</p>
+
+<p>I've looked at how powerdns and dhcpd is using LDAP, and using this
+information finally found a solution that seem to work.</p>
+
+<p>The old setup required three LDAP objects for a given computer.
+One forward DNS entry, one reverse DNS entry and one DHCP entry. If
+we switch powerdns to use its strict LDAP method (ldap-method=strict
+in pdns-debian-edu.conf), the forward and reverse DNS entries are
+merged into one while making it impossible to transfer the reverse map
+to a slave DNS server.</p>
+
+<p>If we also replace the object class used to get the DNS related
+attributes to one allowing these attributes to be combined with the
+dhcphost object class, we can merge the DNS and DHCP entries into one.
+I've written such object class in the dnsdomainaux.schema file (need
+proper OIDs, but that is a minor issue), and tested the setup. It
+seem to work.</p>
+
+<p>With this test setup in place, we can get away with one LDAP object
+for both DNS and DHCP, and even the LTSP configuration I suggested in
+an earlier email. The combined LDAP object will look something like
+this:</p>
+
+<blockquote><pre>
+ dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+ cn: hostname
+ objectClass: dhcphost
+ objectclass: domainrelatedobject
+ objectclass: dnsdomainaux
+ associateddomain: hostname.intern
+ arecord: 10.11.12.13
+ dhcphwaddress: ethernet 00:00:00:00:00:00
+ dhcpstatements: fixed-address hostname
+ ldapconfigsound: Y
+</pre></blockquote>
+
+<p>The DNS server uses the associateddomain and arecord entries, while
+the DHCP server uses the dhcphwaddress and dhcpstatements entries
+before asking DNS to resolve the fixed-adddress. LTSP will use
+dhcphwaddress or associateddomain and the ldapconfig* attributes.</p>
-<p><strong>ISC dhcp</strong></p>
+<p>I am not yet sure if I can get the DHCP server to look for its
+dhcphost in a different location, to allow us to put the objects
+outside the "DHCP Config" subtree, but hope to figure out a way to do
+that. If I can't figure out a way to do that, we can still get rid of
+the hosts subtree and move all its content into the DHCP Config tree
+(which probably should be renamed to be more related to the new
+content. I suspect cn=dnsdhcp,ou=services or something like that
+might be a good place to put it.</p>
-<p>The DHCP server searches for specific objectclass and requests all
-the object attributes, and then uses the attributes it want. This
-make it harder to figure out exactly what attributes are used, but
-thanks to the working example in Debian Edu I can at least get an idea
-what is needed without having to read the source code.</p>
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
+</description>
+ </item>
+
+ <item>
+ <title>Idea for storing LTSP configuration in LDAP</title>
+ <link>http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html</guid>
+ <pubDate>Sun, 11 Jul 2010 22:00:00 +0200</pubDate>
+ <description><p>Vagrant mentioned on IRC today that ltsp_config now support
+sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin
+clients, and that this can be used to fetch configuration from LDAP if
+Debian Edu choose to store configuration there.</p>
-<p>In the DHCP server configuration, the LDAP base to use and the
-search filter to use to locate the correct dhcpServer entity is
-stored. These are the relevant entries from
-/etc/dhcp3/dhcpd.conf:</p>
+<p>Armed with this information, I got inspired and wrote a test module
+to get configuration from LDAP. The idea is to look up the MAC
+address of the client in LDAP, and look for attributes on the form
+ltspconfigsetting=value, and use this to export SETTING=value to the
+LTSP clients.</p>
-<blockquote><pre>
-ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
-ldap-dhcp-server-cn "dhcp";
-</pre></blockquote>
+<p>The goal is to be able to store the LTSP configuration attributes
+in a "computer" LDAP object used by both DNS and DHCP, and thus
+allowing us to store all information about a computer in one place.</p>
-<p>The DHCP server uses this information to nest all the DHCP
-configuration it need. The cn "dhcp" is located using the given LDAP
-base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))". The
-search result is this entry:</p>
+<p>This is a untested draft implementation, and I welcome feedback on
+this approach. A real LDAP schema for the ltspClientAux objectclass
+need to be written. Comments, suggestions, etc?</p>
<blockquote><pre>
-dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
-cn: dhcp
-objectClass: top
-objectClass: dhcpServer
-dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
+#
+# Fetch LTSP client settings from LDAP based on MAC address
+#
+# Uses ethernet address as stored in the dhcpHost objectclass using
+# the dhcpHWAddress attribute or ethernet address stored in the
+# ieee802Device objectclass with the macAddress attribute.
+#
+# This module is written to be schema agnostic, and only depend on the
+# existence of attribute names.
+#
+# The LTSP configuration variables are saved directly using a
+# ltspConfig prefix and uppercasing the rest of the attribute name.
+# To set the SERVER variable, set the ltspConfigServer attribute.
+#
+# Some LDAP schema should be created with all the relevant
+# configuration settings. Something like this should work:
+#
+# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
+# SUP top
+# AUXILIARY
+# MAY ( ltspConfigServer $ ltsConfigSound $ ... )
+
+LDAPSERVER=$(debian-edu-ldapserver)
+if [ "$LDAPSERVER" ] ; then
+ LDAPBASE=$(debian-edu-ldapserver -b)
+ for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do
+ filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))"
+ ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \
+ grep '^ltspConfig' | while read attr value ; do
+ # Remove prefix and convert to upper case
+ attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z)
+ # bass value on to clients
+ eval "$attr=$value; export $attr"
+ done
+ done
+fi
</pre></blockquote>
-<p>The content of the dhcpServiceDN attribute is next used to locate the
-subtree with DHCP configuration. The DHCP configuration subtree base
-is located using a base scope search with base "cn=DHCP
-Config,dc=skole,dc=skolelinux,dc=no" and filter
-"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))".
-The search result is this entry:</p>
+<p>I'm not sure this shell construction will work, because I suspect
+the while block might end up in a subshell causing the variables set
+there to not show up in ltsp-config, but if that is the case I am sure
+the code can be restructured to make sure the variables are passed on.
+I expect that can be solved with some testing. :)</p>
-<blockquote><pre>
-dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-cn: DHCP Config
-objectClass: top
-objectClass: dhcpService
-objectClass: dhcpOptions
-dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
-dhcpStatements: ddns-update-style none
-dhcpStatements: authoritative
-dhcpOption: smtp-server code 69 = array of ip-address
-dhcpOption: www-server code 72 = array of ip-address
-dhcpOption: wpad-url code 252 = text
-</pre></blockquote>
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
-<p>Next, the entire subtree is processed, one level at the time. When
-all the DHCP configuration is loaded, it is ready to receive requests.
-The subtree in Debian Edu contain objects with object classes
-top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions,
-top/dhcpSubnet, top/dhcpGroup and top/dhcpHost. These provide options
-and information about netmasks, dynamic range etc. Leaving out the
-details here because it is not relevant for the focus of my
-investigation, which is to see if it is possible to merge dns and dhcp
-related computer objects.</p>
+<p>Update 2010-07-17: I am aware of another effort to store LTSP
+configuration in LDAP that was created around year 2000 by
+<a href="http://www.pcxperience.com/thinclient/documentation/ldap.html">PC
+Xperience, Inc., 2000</a>. I found its
+<a href="http://people.redhat.com/alikins/ltsp/ldap/">files</a> on a
+personal home page over at redhat.com.</p>
+</description>
+ </item>
+
+ <item>
+ <title>jXplorer, a very nice LDAP GUI</title>
+ <link>http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html</guid>
+ <pubDate>Fri, 9 Jul 2010 12:55:00 +0200</pubDate>
+ <description><p>Since
+<a href="http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html">my
+last post</a> about available LDAP tools in Debian, I was told about a
+LDAP GUI that is even better than luma. The java application
+<a href="http://jxplorer.org/">jXplorer</a> is claimed to be capable of
+moving LDAP objects and subtrees using drag-and-drop, and can
+authenticate using Kerberos. I have only tested the Kerberos
+authentication, but do not have a LDAP setup allowing me to rewrite
+LDAP with my test user yet. It is
+<a href="http://packages.qa.debian.org/j/jxplorer.html">available in
+Debian</a> testing and unstable at the moment. The only problem I
+have with it is how it handle errors. If something go wrong, its
+non-intuitive behaviour require me to go through some query work list
+and remove the failing query. Nothing big, but very annoying.</p>
+</description>
+ </item>
+
+ <item>
+ <title>MS Word krøller det til for politiet?</title>
+ <link>http://people.skolelinux.org/pere/blog/MS_Word_kr_ller_det_til_for_politiet_.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/MS_Word_kr_ller_det_til_for_politiet_.html</guid>
+ <pubDate>Thu, 8 Jul 2010 14:00:00 +0200</pubDate>
+ <description><p>De siste dagene har Aftenposten
+<a href="http://www.aftenposten.no/nyheter/iriks/article3718597.ece">fortalt</a>
+<a href="http://www.aftenposten.no/nyheter/iriks/article3724249.ece">hvordan</a>
+politet har brukt skriveverktøy som ikke håndterer arabisk tekst og
+tekst som skal skrives fra høyre mot venstre når de har laget
+løpeseddel for å be om informasjon fra publikum. Resultatet har vært
+en uleselig arabisk-bit på løpeseddelen. Feilen har oppstått når
+teksten har blitt "kopiert inn i programvare som ikke har støtte for
+språk som skrives fra høyre mot venstre", og jeg er ganske sikker på
+at det er snakk om Microsoft Office i dette tilfellet. Er det slik at
+MS Office i norsk språkdrakt ikke har støtte for tekst som skal
+skrives fra høyre mot venstre? Jeg tror alle utgaver av
+OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å
+la slik støtte finnes i alle utgaver av et program hvis støtten først
+er utviklet. Aftenpostens melding får meg til å undre om problemet
+ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS
+Office.</p>
-<p>When a DHCP request come in, LDAP is searched for the MAC address
-of the client (00:00:00:00:00:00 in this example), using a subtree
-scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as
-the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet
-00:00:00:00:00:00))" as the filter. This is what a host object look
-like:</p>
+<p>Mon tro om det er flere eksempler på at MS Office har ødelagt for
+offentlig myndighet?</p>
+</description>
+ </item>
+
+ <item>
+ <title>Lenny->Squeeze upgrades, apt vs aptitude with the Gnome desktop</title>
+ <link>http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html</guid>
+ <pubDate>Sat, 3 Jul 2010 23:55:00 +0200</pubDate>
+ <description><p>Here is a short update on my <a
+href="http://people.skolelinux.org/~pere/debian-upgrade-testing/">my
+Debian Lenny->Squeeze upgrade testing</a>. Here is a summary of the
+difference for Gnome when it is upgraded by apt-get and aptitude. I'm
+not reporting the status for KDE, because the upgrade crashes when
+aptitude try because of missing conflicts
+(<a href="http://bugs.debian.org/584861">#584861</a> and
+<a href="http://bugs.debian.org/585716">#585716</a>).</p>
-<blockquote><pre>
-dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-cn: hostname
-objectClass: top
-objectClass: dhcpHost
-dhcpHWAddress: ethernet 00:00:00:00:00:00
-dhcpStatements: fixed-address hostname
-</pre></blockquote>
+<p>At the end of the upgrade test script, dpkg -l is executed to get a
+complete list of the installed packages. Based on this I see these
+differences when I did a test run today. As usual, I do not really
+know what the correct set of packages would be, but thought it best to
+publish the difference.</p>
-<p>There is less flexiblity in the way LDAP searches are done here.
-The object classes need to have fixed names, and the configuration
-need to be stored in a fairly specific LDAP structure. On the
-positive side, the invidiual dhcpHost entires can be anywhere without
-the DN pointed to by the dhcpServer entries. The latter should make
-it possible to group all host entries in a subtree next to the
-configuration entries, and this subtree can also be shared with the
-DNS server if the schema proposed above is combined with the dhcpHost
-structural object class.
+<p>Installed using apt-get, missing with aptitude</p>
-<p><strong>Conclusion</strong></p>
+<blockquote><p>
+ at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs
+ libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common
+ libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin
+ libgtksourceview-common libpt-1.10.10-plugins-alsa
+ libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java
+ libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip
+ python-4suite-xml python-eggtrayicon python-gtkhtml2
+ python-gtkmozembed svgalibg1 xserver-xephyr zip
+</p></blockquote>
-<p>The PowerDNS implementation seem to be very flexible when it come
-to which LDAP schemas to use. While its "tree" mode is rigid when it
-come to the the LDAP structure, the "strict" mode is very flexible,
-allowing DNS objects to be stored anywhere under the base cn specified
-in the configuration.</p>
+<p>Installed using apt-get, removed with aptitude</p>
-<p>The DHCP implementation on the other hand is very inflexible, both
-regarding which LDAP schemas to use and which LDAP structure to use.
-I guess one could implement ones own schema, as long as the
-objectclasses and attributes have the names used, but this do not
-really help when the DHCP subtree need to have a fairly fixed
-structure.</p>
+<blockquote><p>
+ bluez-utils dhcdbd djvulibre-desktop epiphany-gecko
+ gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager
+ libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50
+ libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3
+ libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9
+ libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3
+ libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9
+ libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2
+ libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0
+ libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0
+ libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50
+ libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10
+ libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4
+ libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5
+ libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3
+ libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8
+ libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1
+ libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj
+ libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3
+ mysql-common swfdec-gnome totem-gstreamer wodim
+</p></blockquote>
-<p>Based on the observed behaviour, I suspect a LDAP structure like
-this might work for Debian Edu:</p>
+<p>Installed using aptitude, missing with apt-get</p>
-<blockquote><pre>
-ou=services
- cn=machine-info (dhcpService) - dhcpServiceDN points here
- cn=dhcp (dhcpServer)
- cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
- cn=10.0.2.0 (dhcpSubnet)
- cn=group1 (dhcpGroup/dhcpOptions)
- cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
- cn=192.168.0.0 (dhcpSubnet)
- cn=group1 (dhcpGroup/dhcpOptions)
- ou=machines - PowerDNS base points here
- cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
-</pre></blockquote>
+<blockquote><p>
+ gnome gnome-desktop-environment hamster-applet python-gnomeapplet
+ python-gnomekeyring python-wnck rhythmbox-plugins xorg
+ xserver-xorg-input-all xserver-xorg-input-evdev
+ xserver-xorg-input-kbd xserver-xorg-input-mouse
+ xserver-xorg-input-synaptics xserver-xorg-video-all
+ xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati
+ xserver-xorg-video-chips xserver-xorg-video-cirrus
+ xserver-xorg-video-dummy xserver-xorg-video-fbdev
+ xserver-xorg-video-glint xserver-xorg-video-i128
+ xserver-xorg-video-i740 xserver-xorg-video-mach64
+ xserver-xorg-video-mga xserver-xorg-video-neomagic
+ xserver-xorg-video-nouveau xserver-xorg-video-nv
+ xserver-xorg-video-r128 xserver-xorg-video-radeon
+ xserver-xorg-video-radeonhd xserver-xorg-video-rendition
+ xserver-xorg-video-s3 xserver-xorg-video-s3virge
+ xserver-xorg-video-savage xserver-xorg-video-siliconmotion
+ xserver-xorg-video-sis xserver-xorg-video-sisusb
+ xserver-xorg-video-tdfx xserver-xorg-video-tga
+ xserver-xorg-video-trident xserver-xorg-video-tseng
+ xserver-xorg-video-vesa xserver-xorg-video-vmware
+ xserver-xorg-video-voodoo
+</p></blockquote>
-<P>This is not tested yet. If the DHCP server require the dhcpHost
-entries to be in the dhcpGroup subtrees, the entries can be stored
-there instead of a common machines subtree, and the PowerDNS base
-would have to be moved one level up to the machine-info subtree.</p>
+<p>Installed using aptitude, removed with apt-get</p>
-<p>The combined object under the machines subtree would look something
-like this:</p>
-
-<blockquote><pre>
-dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
-dc: hostname
-objectClass: top
-objectClass: dhcpHost
-objectclass: domainrelatedobject
-objectclass: dnsDomainAux
-associateddomain: hostname.intern
-arecord: 10.11.12.13
-dhcpHWAddress: ethernet 00:00:00:00:00:00
-dhcpStatements: fixed-address hostname.intern
-</pre></blockquote>
+<blockquote><p>
+ deskbar-applet xserver-xorg xserver-xorg-core
+ xserver-xorg-input-wacom xserver-xorg-video-intel
+ xserver-xorg-video-openchrome
+</p></blockquote>
-</p>One could even add the LTSP configuration associated with a given
-machine, as long as the required attributes are available in a
-auxiliary object class.</p>
+<p>I was told on IRC that the xorg-xserver package was
+<a href="http://git.debian.org/?p=pkg-xorg/xserver/xorg-server.git;a=commit;h=9c8080d06c457932d3bfec021c69ac000aa60120">changed
+in git</a> today to try to get apt-get to not remove xorg completely.
+No idea when it hits Squeeze, but when it does I hope it will reduce
+the difference somewhat.
</description>
</item>
<item>
- <title>OpenStreetmap one step closer to having routing on its front page</title>
- <link>http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html</guid>
- <pubDate>Sun, 18 Jul 2010 16:45:00 +0200</pubDate>
- <description><p>Thanks to
-<a href="http://feedproxy.google.com/~r/Opengeodata/~3/wUTCzDZk3lc/project-of-the-week-which-way-home">todays
-opengeodata blog entry</a>, I just discovered that the
-OpenStreetmap.org site have gotten
-<a href="http://nroets.dev.openstreetmap.org/demo/index.html?layers=B000FTFTT">support
-for calculating routes</a>. The support is still experimental and
-only available from the development server, until more experience is
-gathered on the user interface and any scalability issues.</p>
+ <title>Caching password, user and group on a roaming Debian laptop</title>
+ <link>http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</guid>
+ <pubDate>Thu, 1 Jul 2010 11:40:00 +0200</pubDate>
+ <description><p>For a laptop, centralized user directories and password checking is
+a bit troubling. Laptops are typically used also when not connected
+to the network, and it is vital for a user to be able to log in or
+unlock the screen saver also when a central server is unavailable.
+This is possible by caching passwords and directory information (user
+and group attributes) locally, and the packages to do so are available
+in Debian. Here follow two recipes to set this up in Debian/Squeeze.
+It is also possible to set up in Debian/Lenny, but require more manual
+setup there because pam-auth-update is missing in Lenny.</p>
-<p>Earlier, the routing I knew about using the OpenStreetmap.org data
-was provided by <a href="http://maps.cloudmade.com/">Cloudmade</a>,
-but having it on the main page is required to make everyone aware of
-the issue. I've had people reject Openstreetmap.org as a viable
-alternative for them because the front page lacked routing support,
-and I hope their needs will be catered for when routing show up on the
-www.openstreetmap.org front page.</p>
-</description>
- </item>
-
- <item>
- <title>Digitale restriksjonsmekanismer fikk meg til å slutte å kjøpe musikk</title>
- <link>http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til___slutte___kj_pe_musikk.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til___slutte___kj_pe_musikk.html</guid>
- <pubDate>Thu, 22 Jul 2010 23:50:00 +0200</pubDate>
- <description><p>For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at
-musikkbransjen var godt i gang med å selge platene sine med DRM som
-gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg
-hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en
-plate om den var ødelagt eller ikke, og jeg hadde jo allerede en
-anseelig samling med plater, så jeg bestemme meg for å slutte å gi
-penger til en bransje som åpenbart ikke respekterte meg.</p>
+<h2>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir</h2>
-<p>Jeg har mange titalls dager med musikk på CD i dag. Det meste er
-lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har
-ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer
-musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt
-fornøyd.</p>
+This is the traditional method with a twist. The password caching is
+provided by libpam-ccreds (version 10-4 or later is needed on
+Squeeze), and the directory caching is done by nscd. The directory
+lookup and password checking is done using LDAP. If one want to use
+Kerberos for password checking the libpam-ldapd package can be
+replaced with libpam-krb5 or libpam-heimdal. If one is happy having a
+local home directory with the path listed in LDAP, one can use the
+pam_mkhomedir module from pam-modules to make this happen instead of
+using libpam-mklocaluser. A setup for pam-auth-update to enable
+pam_mkhomedir will have to be written until a fix for
+<a href="http://bugs.debian.org/568577">bug #568577</a> is in the
+archive. Because I believe it is a bad idea to have local home
+directories using misleading paths like /site/server/partition/, I
+prefer to create a local user with the home directory in /home/. This
+is done using the libpam-mklocaluser package.</p>
-<p>Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de
-setter pris på meg som kunde, og ikke skremme meg bort med DRM og
-antydninger om at kundene er kriminelle.</p>
+<p>These packages need to be installed and configured</p>
-<p>Filmbransjen er like ille, men mens musikk gjerne varer lenge, er
-filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men
-holder meg til DVD-filmer som kan spilles av på mine Linuxbokser.
-Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene
-«Ultraviolet» som be annonsert her om dagen.</p>
-</description>
- </item>
-
- <item>
- <title>One step closer to single signon in Debian Edu</title>
- <link>http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</guid>
- <pubDate>Sun, 25 Jul 2010 10:00:00 +0200</pubDate>
- <description><p>The last few months me and the other Debian Edu developers have
-been working hard to get the Debian/Squeeze based version of Debian
-Edu/Skolelinux into shape. This future version will use Kerberos for
-authentication, and services are slowly migrated to single signon,
-getting rid of password questions one at the time.</p>
+<blockquote><pre>
+libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
+</pre></blockquote>
-<p>It will also feature a roaming workstation profile with local home
-directory, for laptops that are only some times on the Skolelinux
-network, and for this profile a shortcut is created in Gnome and KDE
-to gain access to the users home directory on the file server. This
-shortcut uses SMB at the moment, and yesterday I had time to test if
-SMB mounting had started working in KDE after we added the cifs-utils
-package. I was pleasantly surprised how well it worked.</p>
+<p>The ldapd packages will ask for LDAP connection information, and
+one have to fill in the values that fits ones own site. Make sure the
+PAM part uses encrypted connections, to make sure the password is not
+sent in clear text to the LDAP server. I've been unable to get TLS
+certificate checking for a self signed certificate working, which make
+LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
+is talking to the correct LDAP server), and very much welcome feedback
+on how to get this working.</p>
-<p>Thanks to the recent changes to our samba configuration to get it
-to use Kerberos for authentication, there were no question about user
-password when mounting the SMB volume. A simple click on the shortcut
-in the KDE menu, and a window with the home directory popped
-up. :)</p>
+<p>Because nscd do not have a default configuration fit for offline
+caching until <a href="http://bugs.debian.org/485282">bug #485282</a>
+is fixed, this configuration should be used instead of the one
+currently in /etc/nscd.conf. The changes are in the fields
+reload-count and positive-time-to-live, and is based on the
+instructions I found in the
+<a href="http://www.flyn.org/laptopldap/">LDAP for Mobile Laptops</a>
+instructions by Flyn Computing.</p>
-<p>One step closer to a single signon solution out of the box in
-Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now
-also Samba. Next step is Cups and hopefully also NFS.</p>
+<blockquote><pre>
+ debug-level 0
+ reload-count unlimited
+ paranoia no
-<p>We had planned a alpha0 release of Debian Edu for today, but thanks
-to the autobuilder administrators for some architectures being slow to
-sign packages, we are still missing the fixed LTSP package we need for
-the release. It was uploaded three days ago with urgency=high, and if
-it had entered testing yesterday we would have been able to test it in
-time for a alpha0 release today. As the binaries for ia64 and powerpc
-still not uploaded to the Debian archive, we need to delay the alpha
-release another day.</p>
+ enable-cache passwd yes
+ positive-time-to-live passwd 2592000
+ negative-time-to-live passwd 20
+ suggested-size passwd 211
+ check-files passwd yes
+ persistent passwd yes
+ shared passwd yes
+ max-db-size passwd 33554432
+ auto-propagate passwd yes
+
+ enable-cache group yes
+ positive-time-to-live group 2592000
+ negative-time-to-live group 20
+ suggested-size group 211
+ check-files group yes
+ persistent group yes
+ shared group yes
+ max-db-size group 33554432
+ auto-propagate group yes
-<p>If you want to help out with implementing Kerberos for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
-</description>
- </item>
-
- <item>
- <title>First Debian Edu test release (alpha0) based on Squeeze is released</title>
- <link>http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html</guid>
- <pubDate>Tue, 27 Jul 2010 17:45:00 +0200</pubDate>
- <description><p>I just posted this announcement culminating several months of work
-with the next Debian Edu release. Not nearly done, but one major step
-completed.</p>
+ enable-cache hosts no
+ positive-time-to-live hosts 2592000
+ negative-time-to-live hosts 20
+ suggested-size hosts 211
+ check-files hosts yes
+ persistent hosts yes
+ shared hosts yes
+ max-db-size hosts 33554432
-<blockquote>
-<p>This is the first test release based on Squeeze. The focus of this
-release is to test the user application selection. To have a look,
-install the standalone profile and let the developers know if the set
-of installed packages i.e. applications should be modified. If some
-user application is missing, or if there are some applications that no
-longer make sense to be included in Debian Edu, please let us know.
-Also, if a useful application is missing the translation for your
-language of choice, please let us know too.</p>
+ enable-cache services yes
+ positive-time-to-live services 2592000
+ negative-time-to-live services 20
+ suggested-size services 211
+ check-files services yes
+ persistent services yes
+ shared services yes
+ max-db-size services 33554432
+</pre></blockquote>
-<p>In addition, feedback and help to polish the desktop (menus,
-artwork, starters, etc.) is appreciated. We would like to ship a nice
-and handy KDE4 desktop targeted for schools out of the box.</p>
+<p>While we wait for a mechanism to update /etc/nsswitch.conf
+automatically like the one provided in
+<a href="http://bugs.debian.org/496915">bug #496915</a>, the file
+content need to be manually replaced to ensure LDAP is used as the
+directory service on the machine. /etc/nsswitch.conf should normally
+look like this:</p>
-<p>The other profiles should be installable, but there is a lot more
-work left to be done before they are ready, so do not expect to
-much.</p>
+<blockquote><pre>
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks: files
+protocols: files
+services: files
+ethers: files
+rpc: files
+netgroup: files ldap
+</pre></blockquote>
-<p>Changes compared to the lenny based version</p>
+<p>The important parts are that ldap is listed last for passwd, group,
+shadow and netgroup.</p>
-<ul>
-<li>Everything from Debian Squeeze
-<ul>
- <li>Desktop environment KDE 4.4 => the new KDE desktop in
- combination with some new artwork
- <li>Web browser Iceweasel 3.5
- <li>OpenOffice.org 3.2
- <li>Educational toolbox GCompris 9.3
- <li>Music creator Rosegarden 10.04.2
- <li>Image editor Gimp 2.6.10
- <li>Virtual universe Celestia 1.6.0
- <li>Virtual stargazer Stellarium 0.10.4
- <li>3D modeler Blender 2.49.2 (new application)
- <li>Video editor Kdenlive 0.7.7 (new application)
-</ul></li>
-<li>Now using Kerberos for password checking (migration not finished).
- Enabled for:
-<ul>
- <li>PAM
- <li>LDAP
- <li>IMAP
- <li>SMTP (sender verification)
-</ul>
-</li>
-<li>New experimental roaming workstation profile for laptops.</li>
-<li>Show welcome page to users when they first log in. The URL is
- fetched from LDAP.</li>
-<li>New LXDE desktop option, in addition to KDE (default) and Gnome.</li>
-<li>General cleanup (not finished)</li>
-</ul>
-<p>The following features are not working as they should</p>
+<p>With these changes in place, any user in LDAP will be able to log
+in locally on the machine using for example kdm, get a local home
+directory created and have the password as well as user and group
+attributes cached.
-<ul>
-<li>No web based administration tool for creating users and groups. The
- scripts ldap-createuser-krb and ldap-add-user-to-group can be used
- for testing.</li>
-<li>DVD installs are missing debian-installer images for the PXE boot,
- and do not set up the PXE menu on eth0 because of this. LTSP
- clients should still boot from eth1 on thin client servers.</li>
-<li>The restructured KDE menu is not implemented.</li>
-<li>The LDAP server setup need to be reviewed for security.</li>
-<li>The LDAP directory structure need to be reworked.</li>
-<li>Different sets of packages are installed when using the DVD and the
- netinst CD. More packages are installed using the netinst CD.</li>
-<li>The jackd package fail to install. This is believed to be caused by
- some ongoing transition, and hopefully should be solved soon. The
- jackd1 package can be installed manually for those that need it.</li>
-<li>Some packages lack translations. See
- http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status,
- and help out with translations.</li>
-</ul>
+<h2>LDAP/Kerberos + nss-updatedb + libpam-ccreds +
+ libpam-mklocaluser/pam_mkhomedir</h2>
-<p>To download this multiarch netinstall release you can use</p>
+<p>Because nscd have had its share of problems, and seem to have
+problems doing proper caching, I've seen suggestions and recipes to
+use nss-updatedb to copy parts of the LDAP database locally when the
+LDAP database is available. I have not tested such setup, because I
+discovered sssd.</p>
-<ul>
-<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li>
-<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li>
-<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</li>
-</ul>
-<p>To download this multiarch dvd release you can use</p>
+<h2>LDAP/Kerberos + sssd + libpam-mklocaluser</h2>
-<ul>
-<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li>
-<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li>
-<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</li>
-</ul>
+<p>A more flexible and robust setup than the nscd combination
+mentioned earlier that has shown up recently, is the
+<a href="https://fedorahosted.org/sssd/">sssd</a> package from Redhat.
+It is part of the <a href="http://www.freeipa.org/">FreeIPA</A> project
+to provide a Active Directory like directory service for Linux
+machines. The sssd system combines the caching of passwords and user
+information into one package, and remove the need for nscd and
+libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version
+1.2 do not support netgroups, but it is said that it will support this
+in version 1.5 expected to show up later in 2010. Because the
+<a href="http://packages.qa.debian.org/s/sssd.html">sssd package</a>
+was missing in Debian, I ended up co-maintaining it with Werner, and
+version 1.2 is now in testing.
-<p>There is no source DVD available yet. It will be prepared when we
-get closer to the final release.</p>
+<p>These packages need to be installed and configured to get the
+roaming setup I want</p>
-<p>The MD5SUM of these images are</p>
+<blockquote><pre>
+libpam-sss libnss-sss libpam-mklocaluser
+</pre></blockquote>
-<ul>
-<li>3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso</li>
-<li>22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso</li>
-</ul>
+The complete setup of sssd is done by editing/creating
+<tt>/etc/sssd/sssd.conf</tt>.
-<p>The SHA1SUM of these images are</p>
-<ul>
-<li>c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso</li>
-<li>2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso</li>
-</ul>
-<p>How to report bugs:
-http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla</p>
+<blockquote><pre>
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = INTERN
-<p>Please direct replies to debian-edu@lists.debian.org</p>
-</blockquote>
-</description>
- </item>
-
- <item>
- <title>Circular package dependencies harms apt recovery</title>
- <link>http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html</guid>
- <pubDate>Tue, 27 Jul 2010 23:50:00 +0200</pubDate>
- <description><p>I discovered this while doing
-<a href="http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html">automated
-testing of upgrades from Debian Lenny to Squeeze</a>. A few packages
-in Debian still got circular dependencies, and it is often claimed
-that apt and aptitude should be able to handle this just fine, but
-some times these dependency loops causes apt to fail.</p>
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
-<p>An example is from todays
-<a href="http://people.skolelinux.org/~pere/debian-upgrade-testing//test-20100727-lenny-squeeze-kde-aptitude.txt">upgrade
-of KDE using aptitude</a>. In it, a bug in kdebase-workspace-data
-causes perl-modules to fail to upgrade. The cause is simple. If a
-package fail to unpack, then only part of packages with the circular
-dependency might end up being unpacked when unpacking aborts, and the
-ones already unpacked will fail to configure in the recovery phase
-because its dependencies are unavailable.</p>
+[pam]
+reconnection_retries = 3
-<p>In this log, the problem manifest itself with this error:</p>
+[domain/INTERN]
+enumerate = false
+cache_credentials = true
-<blockquote><pre>
-dpkg: dependency problems prevent configuration of perl-modules:
- perl-modules depends on perl (>= 5.10.1-1); however:
- Version of perl on system is 5.10.0-19lenny2.
-dpkg: error processing perl-modules (--configure):
- dependency problems - leaving unconfigured
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldap://ldap
+ldap_search_base = dc=skole,dc=skolelinux,dc=no
+ldap_tls_reqcert = never
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
</pre></blockquote>
-<p>The perl/perl-modules circular dependency is already
-<a href="http://bugs.debian.org/527917">reported as a bug</a>, and will
-hopefully be solved as soon as possible, but it is not the only one,
-and each one of these loops in the dependency tree can cause similar
-failures. Of course, they only occur when there are bugs in other
-packages causing the unpacking to fail, but it is rather nasty when
-the failure of one package causes the problem to become worse because
-of dependency loops.</p>
+<p>I got the same problem here with certificate checking. Had to set
+"ldap_tls_reqcert = never" to get it working.</p>
-<p>Thanks to
-<a href="http://lists.debian.org/debian-devel/2010/06/msg00116.html">the
-tireless effort by Bill Allombert</a>, the number of circular
-dependencies
-<a href="http://debian.semistable.com/debgraph.out.html">left in Debian
-is dropping</a>, and perhaps it will reach zero one day. :)</p>
+<p>With the libnss-sss package in testing at the moment, the
+nsswitch.conf file is update automatically, so there is no need to
+modify it manually.</p>
-<p>Todays testing also exposed a bug in
-<a href="http://bugs.debian.org/590605">update-notifier</a> and
-<a href="http://bugs.debian.org/590604">different behaviour</a> between
-apt-get and aptitude, the latter possibly caused by some circular
-dependency. Reported both to BTS to try to get someone to look at
-it.</p>
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
</description>
</item>
projects / homepage.git / blobdiff