Generated.

[homepage.git] / blog / tags / ldap / index.html

diff --git a/blog/tags/ldap/index.html b/blog/tags/ldap/index.html
index e438cb9440c4caf487047f72137de70c5f725a0d..fe9b0825117f976492ea122593756237083300af 100644 (file)
--- a/blog/tags/ldap/index.html
+++ b/blog/tags/ldap/index.html
@@ -1,463 +1,442 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

-        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html>
- <head>
-  <title>Petter Reinholdtsen: Entries Tagged ldap</title> 
-  <link rel="stylesheet" type="text/css" media="screen" href="http://people.skolelinux.org/pere/blog/style.css">
-  <link rel="alternate" title="RSS Feed" href="ldap.rss" type="application/rss+xml">
- </head>
- <body>
-
- <div class="title">
-  <h1>
-       <a href="http://people.skolelinux.org/pere/blog/">Petter Reinholdtsen</a>
-      
-  </h1>
-  
- </div>
-
- <p>Entries tagged "ldap".</p>
+          "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
+    <title>Petter Reinholdtsen: Entries Tagged ldap</title>
+    <link rel="stylesheet" type="text/css" media="screen" href="http://people.skolelinux.org/pere/blog/style.css" />
+    <link rel="stylesheet" type="text/css" media="screen" href="http://people.skolelinux.org/pere/blog/vim.css" />
+    <link rel="alternate" title="RSS Feed" href="ldap.rss" type="application/rss+xml" />
+  </head>
+  <body>
+    <div class="title">
+ <h1>
+     <a href="http://people.skolelinux.org/pere/blog/">Petter Reinholdtsen</a>
+     
+ </h1>
+ 
+</div>

 
 
 
 

+    <h3>Entries tagged "ldap".</h3>
+    
+    <div class="entry">
+      <div class="title">
+        <a href="http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html">What are they searching for - PowerDNS and ISC DHCP in LDAP</a>
+      </div>
+      <div class="date">
+        17th July 2010
+      </div>
+      <div class="body">
+        <p>This is a
+<a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">followup</a>
+on my
+<a href="http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html">previous
+work</a> on
+<a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">merging
+all</a> the computer related LDAP objects in Debian Edu.</p>

 
 

+<p>As a step to try to see if it possible to merge the DNS and DHCP
+LDAP objects, I have had a look at how the packages pdns-backend-ldap
+and dhcp3-server-ldap in Debian use the LDAP server.  The two
+implementations are quite different in how they use LDAP.</p>

 
 

-<div class="entry">
- <div class="title">
- <a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">Time for new  LDAP schemas replacing RFC 2307?</a>
- </div>
- <div class="date">
-  2009-03-29 20:30
- </div>
+To get this information, I started slapd with debugging enabled and
+dumped the debug output to a file to get the LDAP searches performed
+on a Debian Edu main-server.  Here is a summary.

 
 

- <div class="body">
-  
-<p>The state of standardized LDAP schemas on Linux is far from
-optimal.  There is RFC 2307 documenting one way to store NIS maps in
-LDAP, and a modified version of this normally called RFC 2307bis, with
-some modifications to be compatible with Active Directory.  The RFC
-specification handle the content of a lot of system databases, but do
-not handle DNS zones and DHCP configuration.</p>
+<p><strong>powerdns</strong></p>

 
 

-<p>In <a href="http://www.skolelinux.org/">Debian Edu/Skolelinux</a>,
-we would like to store information about users, SMB clients/hosts,
-filegroups, netgroups (users and hosts), DHCP and DNS configuration,
-and LTSP configuration in LDAP.  These objects have a lot in common,
-but with the current LDAP schemas it is not possible to have one
-object per entity.  For example, one need to have at least three LDAP
-objects for a given computer, one with the SMB related stuff, one with
-DNS information and another with DHCP information.  The schemas
-provided for DNS and DHCP are impossible to combine into one LDAP
-object.  In addition, it is impossible to implement quick queries for
-netgroup membership, because of the way NIS triples are implemented.
-It just do not scale.  I believe it is time for a few RFC
-specifications to cleam up this mess.</p>
+<a href="http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend">Clues
+on how to</a> set up PowerDNS to use a LDAP backend is available on
+the web.

 
 

-<p>I would like to have one LDAP object representing each computer in
-the network, and this object can then keep the SMB (ie host key), DHCP
-(mac address/name) and DNS (name/IP address) settings in one place.
-It need to be efficently stored to make sure it scale well.</p>
+<p>PowerDNS have two modes of operation using LDAP as its backend.
+One "strict" mode where the forward and reverse DNS lookups are done
+using the same LDAP objects, and a "tree" mode where the forward and
+reverse entries are in two different subtrees in LDAP with a structure
+based on the DNS names, as in tjener.intern and
+2.2.0.10.in-addr.arpa.</p>

 
 

-<p>I would also like to have a quick way to map from a user or
-computer and to the net group this user or computer is a member.</p>
+<p>In tree mode, the server is set up to use a LDAP subtree as its
+base, and uses a "base" scoped search for the DNS name by adding
+"dc=tjener,dc=intern," to the base with a filter for
+"(associateddomain=tjener.intern)" for the forward entry and
+"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for
+"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry.  For
+forward entries, it is looking for attributes named dnsttl, arecord,
+nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord,
+txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord,
+srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord,
+ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord,
+spfrecord and modifytimestamp.  For reverse entries it is looking for
+the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord,
+ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord,
+locrecord, srvrecord, naptrrecord and modifytimestamp.  The equivalent
+ldapsearch commands could look like this:</p>

 
 

-<p>Active Directory have done a better job than unix heads like myself
-in this regard, and the unix side need to catch up.  Time to start a
-new IETF work group?</p>
+<blockquote><pre>
+ldapsearch -h ldap \
+  -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \
+  -s base -x '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
+  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
+  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
+  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
+  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp

 
 

- </div>
- <div class="tags">
- 
+ldapsearch -h ldap \
+  -b dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \
+  -s base -x '(associateddomain=2.2.0.10.in-addr.arpa)'
+  dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \
+  hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \
+  srvrecord naptrrecord modifytimestamp
+</pre></blockquote>

 
 

- 
-  Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
- 
- </div>
-</div>
-<div class="padding"></div>
-
-<div class="entry">
- <div class="title">
- <a href="http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html">Idea for a change to LDAP schemas allowing DNS and DHCP info to be combined into one object</a>
- </div>
- <div class="date">
-  2010-06-24 00:35
- </div>
-
- <div class="body">
-  
-<p>A while back, I
-<a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">complained
-about the fact</a> that it is not possible with the provided schemas
-for storing DNS and DHCP information in LDAP to combine the two sets
-of information into one LDAP object representing a computer.</p>
+<p>In Debian Edu/Lenny, the PowerDNS tree mode is used with
+ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two
+example LDAP objects used there.  In addition to these objects, the
+parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no
+also exist.</p>

 
 

-<p>In the mean time, I discovered that a simple fix would be to make
-the dhcpHost object class auxiliary, to allow it to be combined with
-the dNSDomain object class, and thus forming one object for one
-computer when storing both DHCP and DNS information in LDAP.</p>
+<blockquote><pre>
+dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no
+objectclass: top
+objectclass: dnsdomain
+objectclass: domainrelatedobject
+dc: tjener
+arecord: 10.0.2.2
+associateddomain: tjener.intern

 
 

-<p>If I understand this correctly, it is not safe to do this change
-without also changing the assigned number for the object class, and I
-do not know enough about LDAP schema design to do that properly for
-Debian Edu.</p>
+dn: dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no
+objectclass: top
+objectclass: dnsdomain2
+objectclass: domainrelatedobject
+dc: 2
+ptrrecord: tjener.intern
+associateddomain: 2.2.0.10.in-addr.arpa
+</pre></blockquote>

 
 

-<p>Anyway, for future reference, this is how I believe we could change
-the
-<a href="http://tools.ietf.org/html/draft-ietf-dhc-ldap-schema-00">DHCP
-schema</a> to solve at least part of the problem with the LDAP schemas
-available today from IETF.</p>
+<p>In strict mode, the server behaves differently.  When looking for
+forward DNS entries, it is doing a "subtree" scoped search with the
+same base as in the tree mode for a object with filter
+"(associateddomain=tjener.intern)" and requests the attributes dnsttl,
+arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord,
+mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord,
+naptrrecord and modifytimestamp.  For reverse entires it also do a
+subtree scoped search but this time the filter is "(arecord=10.0.2.2)"
+and the requested attributes are associateddomain, dnsttl and
+modifytimestamp.  In short, in strict mode the objects with ptrrecord
+go away, and the arecord attribute in the forward object is used
+instead.</p>

 
 

-<pre>
---- dhcp.schema    (revision 65192)
-+++ dhcp.schema    (working copy)
-@@ -376,7 +376,7 @@
- objectclass ( 2.16.840.1.113719.1.203.6.6
-        NAME 'dhcpHost'
-        DESC 'This represents information about a particular client'
--       SUP top
-+       SUP top AUXILIARY
-        MUST cn
-        MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
-        X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
-</pre>
+<p>The forward and reverse searches can be simulated using ldapsearch
+like this:</p>

 
 

-<p>I very much welcome clues on how to do this properly for Debian
-Edu/Squeeze.  We provide the DHCP schema in our debian-edu-config
-package, and should thus be free to rewrite it as we see fit.</p>
+<blockquote><pre>
+ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
+  '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
+  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
+  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
+  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
+  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp

 
 

-<p>If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
+ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
+  '(arecord=10.0.2.2)' associateddomain dnsttl modifytimestamp
+</pre></blockquote>

 
 

- </div>
- <div class="tags">
- 
+<p>In addition to the forward and reverse searches , there is also a
+search for SOA records, which behave similar to the forward and
+reverse lookups.</p>

 
 

- 
-  Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
- 
- </div>
-</div>
-<div class="padding"></div>
-
-<div class="entry">
- <div class="title">
- <a href="http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html">LUMA, a very nice LDAP GUI</a>
- </div>
- <div class="date">
-  2010-06-28 00:30
- </div>
-
- <div class="body">
-  
-<p>The last few days I have been looking into the status of the LDAP
-directory in Debian Edu, and in the process I started to miss a GUI
-tool to browse the LDAP tree.  The only one I was able to find in
-Debian/Squeeze and Lenny is
-<a href="http://luma.sourceforge.net/">LUMA</a>, which has proved to
-be a great tool to get a overview of the current LDAP directory
-populated by default in Skolelinux.  Thanks to it, I have been able to
-find empty and obsolete subtrees, misplaced objects and duplicate
-objects.  It will be installed by default in Debian/Squeeze.  If you
-are working with LDAP, give it a go. :)</p>
+<p>A thing to note with the PowerDNS behaviour is that it do not
+specify any objectclass names, and instead look for the attributes it
+need to generate a DNS reply.  This make it able to work with any
+objectclass that provide the needed attributes.</p>

 
 

-<p>I did notice one problem with it I have not had time to report to
-the BTS yet.  There is no .desktop file in the package, so the tool do
-not show up in the Gnome and KDE menus, but only deep down in in the
-Debian submenu in KDE.  I hope that can be fixed before Squeeze is
-released.</p>
+<p>The attributes are normally provided in the cosine (RFC 1274) and
+dnsdomain2 schemas.  The latter is used for reverse entries like
+ptrrecord and recent DNS additions like aaaarecord and srvrecord.</p>

 
 

-<p>I have not yet been able to get it to modify the tree yet.  I would
-like to move objects and remove subtrees directly in the GUI, but have
-not found a way to do that with LUMA yet.  So in the mean time, I use
-<a href="http://www.lichteblau.com/ldapvi/">ldapvi</a> for that.</p>
+<p>In Debian Edu, we have created DNS objects using the object classes
+dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS
+attributes) and domainrelatedobject (for associatedDomain).  The use
+of structural object classes make it impossible to combine these
+classes with the object classes used by DHCP.</p>

 
 

-<p>If you have tips on other GUI tools for LDAP that might be useful
-in Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
+<p>There are other schemas that could be used too, for example the
+dnszone structural object class used by Gosa and bind-sdb for the DNS
+attributes combined with the domainrelatedobject object class, but in
+this case some unused attributes would have to be included as well
+(zonename and relativedomainname).</p>

 
 

-<p>Update 2010-06-29: Ross Reedstrom tipped us about the
-<a href="http://packages.qa.debian.org/g/gq.html">gq</a> package as a
-useful GUI alternative.  It seem like a good tool, but is unmaintained
-in Debian and got a RC bug keeping it out of Squeeze.  Unless that
-changes, it will not be an option for Debian Edu based on Squeeze.</p>
+<p>My proposal for Debian Edu would be to switch PowerDNS to strict
+mode and not use any of the existing objectclasses (dnsdomain,
+dnsdomain2 and dnszone) when one want to combine the DNS information
+with DHCP information, and instead create a auxiliary object class
+defined something like this (using the attributes defined for
+dnsdomain and dnsdomain2 or dnszone):</p>

 
 

- </div>
- <div class="tags">
- 
+<blockquote><pre>
+objectclass ( some-oid NAME 'dnsDomainAux'
+    SUP top
+    AUXILIARY
+    MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $
+          DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $
+          TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $
+          NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
+          A6Record $ DNAMERecord
+    ))
+</pre></blockquote>

 
 

- 
-  Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
- 
- </div>
-</div>
-<div class="padding"></div>
-
-<div class="entry">
- <div class="title">
- <a href="http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html">Caching password, user and group on a roaming Debian laptop</a>
- </div>
- <div class="date">
-  2010-07-01 11:40
- </div>
-
- <div class="body">
-  
-<p>For a laptop, centralized user directories and password checking is
-a bit troubling.  Laptops are typically used also when not connected
-to the network, and it is vital for a user to be able to log in or
-unlock the screen saver also when a central server is unavailable.
-This is possible by caching passwords and directory information (user
-and group attributes) locally, and the packages to do so are available
-in Debian.  Here follow two recipes to set this up in Debian/Squeeze.
-It is also possible to set up in Debian/Lenny, but require more manual
-setup there because pam-auth-update is missing in Lenny.</p>
+<p>This will allow any object to become a DNS entry when combined with
+the domainrelatedobject object class, and allow any entity to include
+all the attributes PowerDNS wants.  I've sent an email to the PowerDNS
+developers asking for their view on this schema and if they are
+interested in providing such schema with PowerDNS, and I hope my
+message will be accepted into their mailing list soon.</p>

 
 

-<h2>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir</h2>
+<p><strong>ISC dhcp</strong></p>

 
 

-This is the traditional method with a twist.  The password caching is
-provided by libpam-ccreds (version 10-4 or later is needed on
-Squeeze), and the directory caching is done by nscd.  The directory
-lookup and password checking is done using LDAP.  If one want to use
-Kerberos for password checking the libpam-ldapd package can be
-replaced with libpam-krb5 or libpam-heimdal.  If one is happy having a
-local home directory with the path listed in LDAP, one can use the
-pam_mkhomedir module from pam-modules to make this happen instead of
-using libpam-mklocaluser.  A setup for pam-auth-update to enable
-pam_mkhomedir will have to be written until a fix for
-<a href="http://bugs.debian.org/568577">bug #568577</a> is in the
-archive.  Because I believe it is a bad idea to have local home
-directories using misleading paths like /site/server/partition/, I
-prefer to create a local user with the home directory in /home/.  This
-is done using the libpam-mklocaluser package.</p>
+<p>The DHCP server searches for specific objectclass and requests all
+the object attributes, and then uses the attributes it want.  This
+make it harder to figure out exactly what attributes are used, but
+thanks to the working example in Debian Edu I can at least get an idea
+what is needed without having to read the source code.</p>

 
 

-<p>These packages need to be installed and configured</p>
+<p>In the DHCP server configuration, the LDAP base to use and the
+search filter to use to locate the correct dhcpServer entity is
+stored.  These are the relevant entries from
+/etc/dhcp3/dhcpd.conf:</p>

 
 <blockquote><pre>
 
 <blockquote><pre>

-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
+ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
+ldap-dhcp-server-cn "dhcp";

 </pre></blockquote>
 
 </pre></blockquote>
 

-<p>The ldapd packages will ask for LDAP connection information, and
-one have to fill in the values that fits ones own site.  Make sure the
-PAM part uses encrypted connections, to make sure the password is not
-sent in clear text to the LDAP server.  I've been unable to get TLS
-certificate checking for a self signed certificate working, which make
-LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
-is talking to the correct LDAP server), and very much welcome feedback
-on how to get this working.</p>
-
-<p>Because nscd do not have a default configuration fit for offline
-caching until <a href="http://bugs.debian.org/485282">bug #485282</a>
-is fixed, this configuration should be used instead of the one
-currently in /etc/nscd.conf.  The changes are in the fields
-reload-count and positive-time-to-live, and is based on the
-instructions I found in the
-<a href="http://www.flyn.org/laptopldap/">LDAP for Mobile Laptops</a>
-instructions by Flyn Computing.</p>
+<p>The DHCP server uses this information to nest all the DHCP
+configuration it need.  The cn "dhcp" is located using the given LDAP
+base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))".  The
+search result is this entry:</p>

 
 <blockquote><pre>
 
 <blockquote><pre>

-       debug-level             0
-       reload-count            unlimited
-       paranoia                no
-
-       enable-cache            passwd          yes
-       positive-time-to-live   passwd          2592000
-       negative-time-to-live   passwd          20
-       suggested-size          passwd          211
-       check-files             passwd          yes
-       persistent              passwd          yes
-       shared                  passwd          yes
-       max-db-size             passwd          33554432
-       auto-propagate          passwd          yes
-
-       enable-cache            group           yes
-       positive-time-to-live   group           2592000
-       negative-time-to-live   group           20
-       suggested-size          group           211
-       check-files             group           yes
-       persistent              group           yes
-       shared                  group           yes
-       max-db-size             group           33554432
-       auto-propagate          group           yes
-
-       enable-cache            hosts           no
-       positive-time-to-live   hosts           2592000
-       negative-time-to-live   hosts           20
-       suggested-size          hosts           211
-       check-files             hosts           yes
-       persistent              hosts           yes
-       shared                  hosts           yes
-       max-db-size             hosts           33554432
-
-       enable-cache            services        yes
-       positive-time-to-live   services        2592000
-       negative-time-to-live   services        20
-       suggested-size          services        211
-       check-files             services        yes
-       persistent              services        yes
-       shared                  services        yes
-       max-db-size             services        33554432
+dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
+cn: dhcp
+objectClass: top
+objectClass: dhcpServer
+dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no

 </pre></blockquote>
 
 </pre></blockquote>
 

-<p>While we wait for a mechanism to update /etc/nsswitch.conf
-automatically like the one provided in
-<a href="http://bugs.debian.org/496915">bug #496915</a>, the file
-content need to be manually replaced to ensure LDAP is used as the
-directory service on the machine.  /etc/nsswitch.conf should normally
-look like this:</p>
+<p>The content of the dhcpServiceDN attribute is next used to locate the
+subtree with DHCP configuration.  The DHCP configuration subtree base
+is located using a base scope search with base "cn=DHCP
+Config,dc=skole,dc=skolelinux,dc=no" and filter
+"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))".
+The search result is this entry:</p>

 
 <blockquote><pre>
 
 <blockquote><pre>

-passwd:         files ldap
-group:          files ldap
-shadow:         files ldap
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-protocols:      files
-services:       files
-ethers:         files
-rpc:            files
-netgroup:       files ldap
+dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+cn: DHCP Config
+objectClass: top
+objectClass: dhcpService
+objectClass: dhcpOptions
+dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
+dhcpStatements: ddns-update-style none
+dhcpStatements: authoritative
+dhcpOption: smtp-server code 69 = array of ip-address
+dhcpOption: www-server code 72 = array of ip-address
+dhcpOption: wpad-url code 252 = text

 </pre></blockquote>
 
 </pre></blockquote>
 

-<p>The important parts are that ldap is listed last for passwd, group,
-shadow and netgroup.</p>
+<p>Next, the entire subtree is processed, one level at the time.  When
+all the DHCP configuration is loaded, it is ready to receive requests.
+The subtree in Debian Edu contain objects with object classes
+top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions,
+top/dhcpSubnet, top/dhcpGroup and top/dhcpHost.  These provide options
+and information about netmasks, dynamic range etc.  Leaving out the
+details here because it is not relevant for the focus of my
+investigation, which is to see if it is possible to merge dns and dhcp
+related computer objects.</p>

 
 

-<p>With these changes in place, any user in LDAP will be able to log
-in locally on the machine using for example kdm, get a local home
-directory created and have the password as well as user and group
-attributes cached.
+<p>When a DHCP request come in, LDAP is searched for the MAC address
+of the client (00:00:00:00:00:00 in this example), using a subtree
+scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as
+the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet
+00:00:00:00:00:00))" as the filter.  This is what a host object look
+like:</p>

 
 

-<h2>LDAP/Kerberos + nss-updatedb + libpam-ccreds +
-  libpam-mklocaluser/pam_mkhomedir</h2>
+<blockquote><pre>
+dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+cn: hostname
+objectClass: top
+objectClass: dhcpHost
+dhcpHWAddress: ethernet 00:00:00:00:00:00
+dhcpStatements: fixed-address hostname
+</pre></blockquote>

 
 

-<p>Because nscd have had its share of problems, and seem to have
-problems doing proper caching, I've seen suggestions and recipes to
-use nss-updatedb to copy parts of the LDAP database locally when the
-LDAP database is available.  I have not tested such setup, because I
-discovered sssd.</p>
+<p>There is less flexiblity in the way LDAP searches are done here.
+The object classes need to have fixed names, and the configuration
+need to be stored in a fairly specific LDAP structure.  On the
+positive side, the invidiual dhcpHost entires can be anywhere without
+the DN pointed to by the dhcpServer entries.  The latter should make
+it possible to group all host entries in a subtree next to the
+configuration entries, and this subtree can also be shared with the
+DNS server if the schema proposed above is combined with the dhcpHost
+structural object class.

 
 

-<h2>LDAP/Kerberos + sssd + libpam-mklocaluser</h2>
+<p><strong>Conclusion</strong></p>

 
 

-<p>A more flexible and robust setup than the nscd combination
-mentioned earlier that has shown up recently, is the
-<a href="https://fedorahosted.org/sssd/">sssd</a> package from Redhat.
-It is part of the <a href="http://www.freeipa.org/">FreeIPA</A> project
-to provide a Active Directory like directory service for Linux
-machines.  The sssd system combines the caching of passwords and user
-information into one package, and remove the need for nscd and
-libpam-ccreds.  It support LDAP and Kerberos, but not NIS.  Version
-1.2 do not support netgroups, but it is said that it will support this
-in version 1.5 expected to show up later in 2010.  Because the
-<a href="http://packages.qa.debian.org/s/sssd.html">sssd package</a>
-was missing in Debian, I ended up co-maintaining it with Werner, and
-version 1.2 is now in testing.
+<p>The PowerDNS implementation seem to be very flexible when it come
+to which LDAP schemas to use.  While its "tree" mode is rigid when it
+come to the the LDAP structure, the "strict" mode is very flexible,
+allowing DNS objects to be stored anywhere under the base cn specified
+in the configuration.</p>

 
 

-<p>These packages need to be installed and configured to get the
-roaming setup I want</p>
+<p>The DHCP implementation on the other hand is very inflexible, both
+regarding which LDAP schemas to use and which LDAP structure to use.
+I guess one could implement ones own schema, as long as the
+objectclasses and attributes have the names used, but this do not
+really help when the DHCP subtree need to have a fairly fixed
+structure.</p>
+
+<p>Based on the observed behaviour, I suspect a LDAP structure like
+this might work for Debian Edu:</p>

 
 <blockquote><pre>
 
 <blockquote><pre>

-libpam-sss libnss-sss libpam-mklocaluser
+ou=services
+  cn=machine-info (dhcpService) - dhcpServiceDN points here
+    cn=dhcp (dhcpServer)
+    cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
+      cn=10.0.2.0 (dhcpSubnet)
+        cn=group1 (dhcpGroup/dhcpOptions)
+    cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
+      cn=192.168.0.0 (dhcpSubnet)
+        cn=group1 (dhcpGroup/dhcpOptions)
+    ou=machines - PowerDNS base points here
+      cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)

 </pre></blockquote>
 
 </pre></blockquote>
 

-The complete setup of sssd is done by editing/creating
-<tt>/etc/sssd/sssd.conf</tt>.
+<P>This is not tested yet.  If the DHCP server require the dhcpHost
+entries to be in the dhcpGroup subtrees, the entries can be stored
+there instead of a common machines subtree, and the PowerDNS base
+would have to be moved one level up to the machine-info subtree.</p>

 
 

+<p>The combined object under the machines subtree would look something
+like this:</p>
+    

 <blockquote><pre>
 <blockquote><pre>

-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = INTERN
+dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
+dc: hostname
+objectClass: top
+objectClass: dhcpHost
+objectclass: domainrelatedobject
+objectclass: dnsDomainAux
+associateddomain: hostname.intern
+arecord: 10.11.12.13
+dhcpHWAddress: ethernet 00:00:00:00:00:00
+dhcpStatements: fixed-address hostname.intern
+</pre></blockquote>

 
 

-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
+</p>One could even add the LTSP configuration associated with a given
+machine, as long as the required attributes are available in a
+auxiliary object class.</p>

 
 

-[pam]
-reconnection_retries = 3
+      </div>
+      <div class="tags">
+        
+        
+        Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
+        
+        
+      </div>
+    </div>
+    <div class="padding"></div>
+    
+    <div class="entry">
+      <div class="title">
+        <a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">Combining PowerDNS and ISC DHCP LDAP objects</a>
+      </div>
+      <div class="date">
+        14th July 2010
+      </div>
+      <div class="body">
+        <p>For a while now, I have wanted to find a way to change the DNS and
+DHCP services in Debian Edu to use the same LDAP objects for a given
+computer, to avoid the possibility of having a inconsistent state for
+a computer in LDAP (as in DHCP but no DNS entry or the other way
+around) and make it easier to add computers to LDAP.</p>

 
 

-[domain/INTERN]
-enumerate = false
-cache_credentials = true
+<p>I've looked at how powerdns and dhcpd is using LDAP, and using this
+information finally found a solution that seem to work.</p>

 
 

-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
+<p>The old setup required three LDAP objects for a given computer.
+One forward DNS entry, one reverse DNS entry and one DHCP entry.  If
+we switch powerdns to use its strict LDAP method (ldap-method=strict
+in pdns-debian-edu.conf), the forward and reverse DNS entries are
+merged into one while making it impossible to transfer the reverse map
+to a slave DNS server.</p>

 
 

-ldap_uri = ldap://ldap
-ldap_search_base = dc=skole,dc=skolelinux,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+<p>If we also replace the object class used to get the DNS related
+attributes to one allowing these attributes to be combined with the
+dhcphost object class, we can merge the DNS and DHCP entries into one.
+I've written such object class in the dnsdomainaux.schema file (need
+proper OIDs, but that is a minor issue), and tested the setup.  It
+seem to work.</p>
+
+<p>With this test setup in place, we can get away with one LDAP object
+for both DNS and DHCP, and even the LTSP configuration I suggested in
+an earlier email.  The combined LDAP object will look something like
+this:</p>
+
+<blockquote><pre>
+  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+  cn: hostname
+  objectClass: dhcphost
+  objectclass: domainrelatedobject
+  objectclass: dnsdomainaux
+  associateddomain: hostname.intern
+  arecord: 10.11.12.13
+  dhcphwaddress: ethernet 00:00:00:00:00:00
+  dhcpstatements: fixed-address hostname
+  ldapconfigsound: Y

 </pre></blockquote>
 
 </pre></blockquote>
 

-<p>I got the same problem here with certificate checking.  Had to set
-"ldap_tls_reqcert = never" to get it working.</p>
+<p>The DNS server uses the associateddomain and arecord entries, while
+the DHCP server uses the dhcphwaddress and dhcpstatements entries
+before asking DNS to resolve the fixed-adddress.  LTSP will use
+dhcphwaddress or associateddomain and the ldapconfig* attributes.</p>

 
 

-<p>With the libnss-sss package in testing at the moment, the
-nsswitch.conf file is update automatically, so there is no need to
-modify it manually.</p>
+<p>I am not yet sure if I can get the DHCP server to look for its
+dhcphost in a different location, to allow us to put the objects
+outside the "DHCP Config" subtree, but hope to figure out a way to do
+that.  If I can't figure out a way to do that, we can still get rid of
+the hosts subtree and move all its content into the DHCP Config tree
+(which probably should be renamed to be more related to the new
+content.  I suspect cn=dnsdhcp,ou=services or something like that
+might be a good place to put it.</p>

 
 <p>If you want to help out with implementing this for Debian Edu,
 please contact us on debian-edu@lists.debian.org.</p>
 
 
 <p>If you want to help out with implementing this for Debian Edu,
 please contact us on debian-edu@lists.debian.org.</p>
 

- </div>
- <div class="tags">
- 
-
- 
-  Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
- 
- </div>
-</div>
-<div class="padding"></div>
-
-<div class="entry">
- <div class="title">
- <a href="http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html">jXplorer, a very nice LDAP GUI</a>
- </div>
- <div class="date">
-  2010-07-09 12:55
- </div>
-
- <div class="body">
-  
-<p>Since
-<a href="http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html">my
-last post</a> about available LDAP tools in Debian, I was told about a
-LDAP GUI that is even better than luma.  The java application
-<a href="http://jxplorer.org/">jXplorer</a> is claimed to be capable of
-moving LDAP objects and subtrees using drag-and-drop, and can
-authenticate using Kerberos.  I have only tested the Kerberos
-authentication, but do not have a LDAP setup allowing me to rewrite
-LDAP with my test user yet.  It is
-<a href="http://packages.qa.debian.org/j/jxplorer.html">available in
-Debian</a> testing and unstable at the moment.  The only problem I
-have with it is how it handle errors.  If something go wrong, its
-non-intuitive behaviour require me to go through some query work list
-and remove the failing query.  Nothing big, but very annoying.</p>
-
- </div>
- <div class="tags">
- 
-
- 
-  Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
- 
- </div>
-</div>
-<div class="padding"></div>
-
-<div class="entry">
- <div class="title">
- <a href="http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html">Idea for storing LTSP configuration in LDAP</a>
- </div>
- <div class="date">
-  2010-07-11 22:00
- </div>
-
- <div class="body">
-  
-<p>Vagrant mentioned on IRC today that ltsp_config now support
+      </div>
+      <div class="tags">
+        
+        
+        Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
+        
+        
+      </div>
+    </div>
+    <div class="padding"></div>
+    
+    <div class="entry">
+      <div class="title">
+        <a href="http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html">Idea for storing LTSP configuration in LDAP</a>
+      </div>
+      <div class="date">
+        11th July 2010
+      </div>
+      <div class="body">
+        <p>Vagrant mentioned on IRC today that ltsp_config now support

 sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin
 clients, and that this can be used to fetch configuration from LDAP if
 Debian Edu choose to store configuration there.</p>
 sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin
 clients, and that this can be used to fetch configuration from LDAP if
 Debian Edu choose to store configuration there.</p>


@@ -532,438 +511,463 @@ Xperience, Inc., 2000</a>.  I found its
 <a href="http://people.redhat.com/alikins/ltsp/ldap/">files</a> on a
 personal home page over at redhat.com.</p>
 
 <a href="http://people.redhat.com/alikins/ltsp/ldap/">files</a> on a
 personal home page over at redhat.com.</p>
 

- </div>
- <div class="tags">
- 
-
- 
-  Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
- 
- </div>
-</div>
-<div class="padding"></div>
-
-<div class="entry">
- <div class="title">
- <a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">Combining PowerDNS and ISC DHCP LDAP objects</a>
- </div>
- <div class="date">
-  2010-07-14 23:45
- </div>
-
- <div class="body">
-  
-<p>For a while now, I have wanted to find a way to change the DNS and
-DHCP services in Debian Edu to use the same LDAP objects for a given
-computer, to avoid the possibility of having a inconsistent state for
-a computer in LDAP (as in DHCP but no DNS entry or the other way
-around) and make it easier to add computers to LDAP.</p>
+      </div>
+      <div class="tags">
+        
+        
+        Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
+        
+        
+      </div>
+    </div>
+    <div class="padding"></div>
+    
+    <div class="entry">
+      <div class="title">
+        <a href="http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html">jXplorer, a very nice LDAP GUI</a>
+      </div>
+      <div class="date">
+         9th July 2010
+      </div>
+      <div class="body">
+        <p>Since
+<a href="http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html">my
+last post</a> about available LDAP tools in Debian, I was told about a
+LDAP GUI that is even better than luma.  The java application
+<a href="http://jxplorer.org/">jXplorer</a> is claimed to be capable of
+moving LDAP objects and subtrees using drag-and-drop, and can
+authenticate using Kerberos.  I have only tested the Kerberos
+authentication, but do not have a LDAP setup allowing me to rewrite
+LDAP with my test user yet.  It is
+<a href="http://packages.qa.debian.org/j/jxplorer.html">available in
+Debian</a> testing and unstable at the moment.  The only problem I
+have with it is how it handle errors.  If something go wrong, its
+non-intuitive behaviour require me to go through some query work list
+and remove the failing query.  Nothing big, but very annoying.</p>

 
 

-<p>I've looked at how powerdns and dhcpd is using LDAP, and using this
-information finally found a solution that seem to work.</p>
+      </div>
+      <div class="tags">
+        
+        
+        Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
+        
+        
+      </div>
+    </div>
+    <div class="padding"></div>
+    
+    <div class="entry">
+      <div class="title">
+        <a href="http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html">Caching password, user and group on a roaming Debian laptop</a>
+      </div>
+      <div class="date">
+         1st July 2010
+      </div>
+      <div class="body">
+        <p>For a laptop, centralized user directories and password checking is
+a bit troubling.  Laptops are typically used also when not connected
+to the network, and it is vital for a user to be able to log in or
+unlock the screen saver also when a central server is unavailable.
+This is possible by caching passwords and directory information (user
+and group attributes) locally, and the packages to do so are available
+in Debian.  Here follow two recipes to set this up in Debian/Squeeze.
+It is also possible to set up in Debian/Lenny, but require more manual
+setup there because pam-auth-update is missing in Lenny.</p>

 
 

-<p>The old setup required three LDAP objects for a given computer.
-One forward DNS entry, one reverse DNS entry and one DHCP entry.  If
-we switch powerdns to use its strict LDAP method (ldap-method=strict
-in pdns-debian-edu.conf), the forward and reverse DNS entries are
-merged into one while making it impossible to transfer the reverse map
-to a slave DNS server.</p>
+<h2>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir</h2>

 
 

-<p>If we also replace the object class used to get the DNS related
-attributes to one allowing these attributes to be combined with the
-dhcphost object class, we can merge the DNS and DHCP entries into one.
-I've written such object class in the dnsdomainaux.schema file (need
-proper OIDs, but that is a minor issue), and tested the setup.  It
-seem to work.</p>
+This is the traditional method with a twist.  The password caching is
+provided by libpam-ccreds (version 10-4 or later is needed on
+Squeeze), and the directory caching is done by nscd.  The directory
+lookup and password checking is done using LDAP.  If one want to use
+Kerberos for password checking the libpam-ldapd package can be
+replaced with libpam-krb5 or libpam-heimdal.  If one is happy having a
+local home directory with the path listed in LDAP, one can use the
+pam_mkhomedir module from pam-modules to make this happen instead of
+using libpam-mklocaluser.  A setup for pam-auth-update to enable
+pam_mkhomedir will have to be written until a fix for
+<a href="http://bugs.debian.org/568577">bug #568577</a> is in the
+archive.  Because I believe it is a bad idea to have local home
+directories using misleading paths like /site/server/partition/, I
+prefer to create a local user with the home directory in /home/.  This
+is done using the libpam-mklocaluser package.</p>

 
 

-<p>With this test setup in place, we can get away with one LDAP object
-for both DNS and DHCP, and even the LTSP configuration I suggested in
-an earlier email.  The combined LDAP object will look something like
-this:</p>
+<p>These packages need to be installed and configured</p>

 
 <blockquote><pre>
 
 <blockquote><pre>

-  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-  cn: hostname
-  objectClass: dhcphost
-  objectclass: domainrelatedobject
-  objectclass: dnsdomainaux
-  associateddomain: hostname.intern
-  arecord: 10.11.12.13
-  dhcphwaddress: ethernet 00:00:00:00:00:00
-  dhcpstatements: fixed-address hostname
-  ldapconfigsound: Y
+libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser

 </pre></blockquote>
 
 </pre></blockquote>
 

-<p>The DNS server uses the associateddomain and arecord entries, while
-the DHCP server uses the dhcphwaddress and dhcpstatements entries
-before asking DNS to resolve the fixed-adddress.  LTSP will use
-dhcphwaddress or associateddomain and the ldapconfig* attributes.</p>
+<p>The ldapd packages will ask for LDAP connection information, and
+one have to fill in the values that fits ones own site.  Make sure the
+PAM part uses encrypted connections, to make sure the password is not
+sent in clear text to the LDAP server.  I've been unable to get TLS
+certificate checking for a self signed certificate working, which make
+LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
+is talking to the correct LDAP server), and very much welcome feedback
+on how to get this working.</p>
+
+<p>Because nscd do not have a default configuration fit for offline
+caching until <a href="http://bugs.debian.org/485282">bug #485282</a>
+is fixed, this configuration should be used instead of the one
+currently in /etc/nscd.conf.  The changes are in the fields
+reload-count and positive-time-to-live, and is based on the
+instructions I found in the
+<a href="http://www.flyn.org/laptopldap/">LDAP for Mobile Laptops</a>
+instructions by Flyn Computing.</p>
+
+<blockquote><pre>
+       debug-level             0
+       reload-count            unlimited
+       paranoia                no
+
+       enable-cache            passwd          yes
+       positive-time-to-live   passwd          2592000
+       negative-time-to-live   passwd          20
+       suggested-size          passwd          211
+       check-files             passwd          yes
+       persistent              passwd          yes
+       shared                  passwd          yes
+       max-db-size             passwd          33554432
+       auto-propagate          passwd          yes
+
+       enable-cache            group           yes
+       positive-time-to-live   group           2592000
+       negative-time-to-live   group           20
+       suggested-size          group           211
+       check-files             group           yes
+       persistent              group           yes
+       shared                  group           yes
+       max-db-size             group           33554432
+       auto-propagate          group           yes

 
 

-<p>I am not yet sure if I can get the DHCP server to look for its
-dhcphost in a different location, to allow us to put the objects
-outside the "DHCP Config" subtree, but hope to figure out a way to do
-that.  If I can't figure out a way to do that, we can still get rid of
-the hosts subtree and move all its content into the DHCP Config tree
-(which probably should be renamed to be more related to the new
-content.  I suspect cn=dnsdhcp,ou=services or something like that
-might be a good place to put it.</p>
+       enable-cache            hosts           no
+       positive-time-to-live   hosts           2592000
+       negative-time-to-live   hosts           20
+       suggested-size          hosts           211
+       check-files             hosts           yes
+       persistent              hosts           yes
+       shared                  hosts           yes
+       max-db-size             hosts           33554432

 
 

-<p>If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
+       enable-cache            services        yes
+       positive-time-to-live   services        2592000
+       negative-time-to-live   services        20
+       suggested-size          services        211
+       check-files             services        yes
+       persistent              services        yes
+       shared                  services        yes
+       max-db-size             services        33554432
+</pre></blockquote>

 
 

- </div>
- <div class="tags">
- 
+<p>While we wait for a mechanism to update /etc/nsswitch.conf
+automatically like the one provided in
+<a href="http://bugs.debian.org/496915">bug #496915</a>, the file
+content need to be manually replaced to ensure LDAP is used as the
+directory service on the machine.  /etc/nsswitch.conf should normally
+look like this:</p>

 
 

- 
-  Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
- 
- </div>
-</div>
-<div class="padding"></div>
-
-<div class="entry">
- <div class="title">
- <a href="http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html">What are they searching for - PowerDNS and ISC DHCP in LDAP</a>
- </div>
- <div class="date">
-  2010-07-17 21:00
- </div>
-
- <div class="body">
-  
-<p>This is a
-<a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">followup</a>
-on my
-<a href="http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html">previous
-work</a> on
-<a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">merging
-all</a> the computer related LDAP objects in Debian Edu.</p>
+<blockquote><pre>
+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks:       files
+protocols:      files
+services:       files
+ethers:         files
+rpc:            files
+netgroup:       files ldap
+</pre></blockquote>

 
 

-<p>As a step to try to see if it possible to merge the DNS and DHCP
-LDAP objects, I have had a look at how the packages pdns-backend-ldap
-and dhcp3-server-ldap in Debian use the LDAP server.  The two
-implementations are quite different in how they use LDAP.</p>
+<p>The important parts are that ldap is listed last for passwd, group,
+shadow and netgroup.</p>

 
 

-To get this information, I started slapd with debugging enabled and
-dumped the debug output to a file to get the LDAP searches performed
-on a Debian Edu main-server.  Here is a summary.
+<p>With these changes in place, any user in LDAP will be able to log
+in locally on the machine using for example kdm, get a local home
+directory created and have the password as well as user and group
+attributes cached.

 
 

-<p><strong>powerdns</strong></p>
+<h2>LDAP/Kerberos + nss-updatedb + libpam-ccreds +
+  libpam-mklocaluser/pam_mkhomedir</h2>

 
 

-<a href="http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend">Clues
-on how to</a> set up PowerDNS to use a LDAP backend is available on
-the web.
+<p>Because nscd have had its share of problems, and seem to have
+problems doing proper caching, I've seen suggestions and recipes to
+use nss-updatedb to copy parts of the LDAP database locally when the
+LDAP database is available.  I have not tested such setup, because I
+discovered sssd.</p>

 
 

-<p>PowerDNS have two modes of operation using LDAP as its backend.
-One "strict" mode where the forward and reverse DNS lookups are done
-using the same LDAP objects, and a "tree" mode where the forward and
-reverse entries are in two different subtrees in LDAP with a structure
-based on the DNS names, as in tjener.intern and
-2.2.0.10.in-addr.arpa.</p>
+<h2>LDAP/Kerberos + sssd + libpam-mklocaluser</h2>

 
 

-<p>In tree mode, the server is set up to use a LDAP subtree as its
-base, and uses a "base" scoped search for the DNS name by adding
-"dc=tjener,dc=intern," to the base with a filter for
-"(associateddomain=tjener.intern)" for the forward entry and
-"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for
-"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry.  For
-forward entries, it is looking for attributes named dnsttl, arecord,
-nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord,
-txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord,
-srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord,
-ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord,
-spfrecord and modifytimestamp.  For reverse entries it is looking for
-the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord,
-ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord,
-locrecord, srvrecord, naptrrecord and modifytimestamp.  The equivalent
-ldapsearch commands could look like this:</p>
+<p>A more flexible and robust setup than the nscd combination
+mentioned earlier that has shown up recently, is the
+<a href="https://fedorahosted.org/sssd/">sssd</a> package from Redhat.
+It is part of the <a href="http://www.freeipa.org/">FreeIPA</A> project
+to provide a Active Directory like directory service for Linux
+machines.  The sssd system combines the caching of passwords and user
+information into one package, and remove the need for nscd and
+libpam-ccreds.  It support LDAP and Kerberos, but not NIS.  Version
+1.2 do not support netgroups, but it is said that it will support this
+in version 1.5 expected to show up later in 2010.  Because the
+<a href="http://packages.qa.debian.org/s/sssd.html">sssd package</a>
+was missing in Debian, I ended up co-maintaining it with Werner, and
+version 1.2 is now in testing.

 
 

-<blockquote><pre>
-ldapsearch -h ldap \
-  -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \
-  -s base -x '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
-  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
-  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
-  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
-  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
+<p>These packages need to be installed and configured to get the
+roaming setup I want</p>

 
 

-ldapsearch -h ldap \
-  -b dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \
-  -s base -x '(associateddomain=2.2.0.10.in-addr.arpa)'
-  dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \
-  hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \
-  srvrecord naptrrecord modifytimestamp
+<blockquote><pre>
+libpam-sss libnss-sss libpam-mklocaluser

 </pre></blockquote>
 
 </pre></blockquote>
 

-<p>In Debian Edu/Lenny, the PowerDNS tree mode is used with
-ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two
-example LDAP objects used there.  In addition to these objects, the
-parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no
-also exist.</p>
+The complete setup of sssd is done by editing/creating
+<tt>/etc/sssd/sssd.conf</tt>.

 
 <blockquote><pre>
 
 <blockquote><pre>

-dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no
-objectclass: top
-objectclass: dnsdomain
-objectclass: domainrelatedobject
-dc: tjener
-arecord: 10.0.2.2
-associateddomain: tjener.intern
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = INTERN

 
 

-dn: dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no
-objectclass: top
-objectclass: dnsdomain2
-objectclass: domainrelatedobject
-dc: 2
-ptrrecord: tjener.intern
-associateddomain: 2.2.0.10.in-addr.arpa
-</pre></blockquote>
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3

 
 

-<p>In strict mode, the server behaves differently.  When looking for
-forward DNS entries, it is doing a "subtree" scoped search with the
-same base as in the tree mode for a object with filter
-"(associateddomain=tjener.intern)" and requests the attributes dnsttl,
-arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord,
-mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord,
-naptrrecord and modifytimestamp.  For reverse entires it also do a
-subtree scoped search but this time the filter is "(arecord=10.0.2.2)"
-and the requested attributes are associateddomain, dnsttl and
-modifytimestamp.  In short, in strict mode the objects with ptrrecord
-go away, and the arecord attribute in the forward object is used
-instead.</p>
+[pam]
+reconnection_retries = 3

 
 

-<p>The forward and reverse searches can be simulated using ldapsearch
-like this:</p>
+[domain/INTERN]
+enumerate = false
+cache_credentials = true

 
 

-<blockquote><pre>
-ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
-  '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
-  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
-  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
-  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
-  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap

 
 

-ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
-  '(arecord=10.0.2.2)' associateddomain dnsttl modifytimestamp
+ldap_uri = ldap://ldap
+ldap_search_base = dc=skole,dc=skolelinux,dc=no
+ldap_tls_reqcert = never
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

 </pre></blockquote>
 
 </pre></blockquote>
 

-<p>In addition to the forward and reverse searches , there is also a
-search for SOA records, which behave similar to the forward and
-reverse lookups.</p>
-
-<p>A thing to note with the PowerDNS behaviour is that it do not
-specify any objectclass names, and instead look for the attributes it
-need to generate a DNS reply.  This make it able to work with any
-objectclass that provide the needed attributes.</p>
-
-<p>The attributes are normally provided in the cosine (RFC 1274) and
-dnsdomain2 schemas.  The latter is used for reverse entries like
-ptrrecord and recent DNS additions like aaaarecord and srvrecord.</p>
+<p>I got the same problem here with certificate checking.  Had to set
+"ldap_tls_reqcert = never" to get it working.</p>

 
 

-<p>In Debian Edu, we have created DNS objects using the object classes
-dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS
-attributes) and domainrelatedobject (for associatedDomain).  The use
-of structural object classes make it impossible to combine these
-classes with the object classes used by DHCP.</p>
+<p>With the libnss-sss package in testing at the moment, the
+nsswitch.conf file is update automatically, so there is no need to
+modify it manually.</p>

 
 

-<p>There are other schemas that could be used too, for example the
-dnszone structural object class used by Gosa and bind-sdb for the DNS
-attributes combined with the domainrelatedobject object class, but in
-this case some unused attributes would have to be included as well
-(zonename and relativedomainname).</p>
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>

 
 

-<p>My proposal for Debian Edu would be to switch PowerDNS to strict
-mode and not use any of the existing objectclasses (dnsdomain,
-dnsdomain2 and dnszone) when one want to combine the DNS information
-with DHCP information, and instead create a auxiliary object class
-defined something like this (using the attributes defined for
-dnsdomain and dnsdomain2 or dnszone):</p>
+      </div>
+      <div class="tags">
+        
+        
+        Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
+        
+        
+      </div>
+    </div>
+    <div class="padding"></div>
+    
+    <div class="entry">
+      <div class="title">
+        <a href="http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html">LUMA, a very nice LDAP GUI</a>
+      </div>
+      <div class="date">
+        28th June 2010
+      </div>
+      <div class="body">
+        <p>The last few days I have been looking into the status of the LDAP
+directory in Debian Edu, and in the process I started to miss a GUI
+tool to browse the LDAP tree.  The only one I was able to find in
+Debian/Squeeze and Lenny is
+<a href="http://luma.sourceforge.net/">LUMA</a>, which has proved to
+be a great tool to get a overview of the current LDAP directory
+populated by default in Skolelinux.  Thanks to it, I have been able to
+find empty and obsolete subtrees, misplaced objects and duplicate
+objects.  It will be installed by default in Debian/Squeeze.  If you
+are working with LDAP, give it a go. :)</p>

 
 

-<blockquote><pre>
-objectclass ( some-oid NAME 'dnsDomainAux'
-    SUP top
-    AUXILIARY
-    MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $
-          DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $
-          TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $
-          NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
-          A6Record $ DNAMERecord
-    ))
-</pre></blockquote>
+<p>I did notice one problem with it I have not had time to report to
+the BTS yet.  There is no .desktop file in the package, so the tool do
+not show up in the Gnome and KDE menus, but only deep down in in the
+Debian submenu in KDE.  I hope that can be fixed before Squeeze is
+released.</p>

 
 

-<p>This will allow any object to become a DNS entry when combined with
-the domainrelatedobject object class, and allow any entity to include
-all the attributes PowerDNS wants.  I've sent an email to the PowerDNS
-developers asking for their view on this schema and if they are
-interested in providing such schema with PowerDNS, and I hope my
-message will be accepted into their mailing list soon.</p>
+<p>I have not yet been able to get it to modify the tree yet.  I would
+like to move objects and remove subtrees directly in the GUI, but have
+not found a way to do that with LUMA yet.  So in the mean time, I use
+<a href="http://www.lichteblau.com/ldapvi/">ldapvi</a> for that.</p>

 
 

-<p><strong>ISC dhcp</strong></p>
+<p>If you have tips on other GUI tools for LDAP that might be useful
+in Debian Edu, please contact us on debian-edu@lists.debian.org.</p>

 
 

-<p>The DHCP server searches for specific objectclass and requests all
-the object attributes, and then uses the attributes it want.  This
-make it harder to figure out exactly what attributes are used, but
-thanks to the working example in Debian Edu I can at least get an idea
-what is needed without having to read the source code.</p>
+<p>Update 2010-06-29: Ross Reedstrom tipped us about the
+<a href="http://packages.qa.debian.org/g/gq.html">gq</a> package as a
+useful GUI alternative.  It seem like a good tool, but is unmaintained
+in Debian and got a RC bug keeping it out of Squeeze.  Unless that
+changes, it will not be an option for Debian Edu based on Squeeze.</p>

 
 

-<p>In the DHCP server configuration, the LDAP base to use and the
-search filter to use to locate the correct dhcpServer entity is
-stored.  These are the relevant entries from
-/etc/dhcp3/dhcpd.conf:</p>
+      </div>
+      <div class="tags">
+        
+        
+        Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
+        
+        
+      </div>
+    </div>
+    <div class="padding"></div>
+    
+    <div class="entry">
+      <div class="title">
+        <a href="http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html">Idea for a change to LDAP schemas allowing DNS and DHCP info to be combined into one object</a>
+      </div>
+      <div class="date">
+        24th June 2010
+      </div>
+      <div class="body">
+        <p>A while back, I
+<a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">complained
+about the fact</a> that it is not possible with the provided schemas
+for storing DNS and DHCP information in LDAP to combine the two sets
+of information into one LDAP object representing a computer.</p>

 
 

-<blockquote><pre>
-ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
-ldap-dhcp-server-cn "dhcp";
-</pre></blockquote>
+<p>In the mean time, I discovered that a simple fix would be to make
+the dhcpHost object class auxiliary, to allow it to be combined with
+the dNSDomain object class, and thus forming one object for one
+computer when storing both DHCP and DNS information in LDAP.</p>

 
 

-<p>The DHCP server uses this information to nest all the DHCP
-configuration it need.  The cn "dhcp" is located using the given LDAP
-base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))".  The
-search result is this entry:</p>
+<p>If I understand this correctly, it is not safe to do this change
+without also changing the assigned number for the object class, and I
+do not know enough about LDAP schema design to do that properly for
+Debian Edu.</p>

 
 

-<blockquote><pre>
-dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
-cn: dhcp
-objectClass: top
-objectClass: dhcpServer
-dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-</pre></blockquote>
+<p>Anyway, for future reference, this is how I believe we could change
+the
+<a href="http://tools.ietf.org/html/draft-ietf-dhc-ldap-schema-00">DHCP
+schema</a> to solve at least part of the problem with the LDAP schemas
+available today from IETF.</p>

 
 

-<p>The content of the dhcpServiceDN attribute is next used to locate the
-subtree with DHCP configuration.  The DHCP configuration subtree base
-is located using a base scope search with base "cn=DHCP
-Config,dc=skole,dc=skolelinux,dc=no" and filter
-"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))".
-The search result is this entry:</p>
+<pre>
+--- dhcp.schema    (revision 65192)
++++ dhcp.schema    (working copy)
+@@ -376,7 +376,7 @@
+ objectclass ( 2.16.840.1.113719.1.203.6.6
+        NAME 'dhcpHost'
+        DESC 'This represents information about a particular client'
+-       SUP top
++       SUP top AUXILIARY
+        MUST cn
+        MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
+        X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
+</pre>

 
 

-<blockquote><pre>
-dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-cn: DHCP Config
-objectClass: top
-objectClass: dhcpService
-objectClass: dhcpOptions
-dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
-dhcpStatements: ddns-update-style none
-dhcpStatements: authoritative
-dhcpOption: smtp-server code 69 = array of ip-address
-dhcpOption: www-server code 72 = array of ip-address
-dhcpOption: wpad-url code 252 = text
-</pre></blockquote>
+<p>I very much welcome clues on how to do this properly for Debian
+Edu/Squeeze.  We provide the DHCP schema in our debian-edu-config
+package, and should thus be free to rewrite it as we see fit.</p>

 
 

-<p>Next, the entire subtree is processed, one level at the time.  When
-all the DHCP configuration is loaded, it is ready to receive requests.
-The subtree in Debian Edu contain objects with object classes
-top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions,
-top/dhcpSubnet, top/dhcpGroup and top/dhcpHost.  These provide options
-and information about netmasks, dynamic range etc.  Leaving out the
-details here because it is not relevant for the focus of my
-investigation, which is to see if it is possible to merge dns and dhcp
-related computer objects.</p>
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>

 
 

-<p>When a DHCP request come in, LDAP is searched for the MAC address
-of the client (00:00:00:00:00:00 in this example), using a subtree
-scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as
-the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet
-00:00:00:00:00:00))" as the filter.  This is what a host object look
-like:</p>
+      </div>
+      <div class="tags">
+        
+        
+        Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
+        
+        
+      </div>
+    </div>
+    <div class="padding"></div>
+    
+    <div class="entry">
+      <div class="title">
+        <a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">Time for new  LDAP schemas replacing RFC 2307?</a>
+      </div>
+      <div class="date">
+        29th March 2009
+      </div>
+      <div class="body">
+        <p>The state of standardized LDAP schemas on Linux is far from
+optimal.  There is RFC 2307 documenting one way to store NIS maps in
+LDAP, and a modified version of this normally called RFC 2307bis, with
+some modifications to be compatible with Active Directory.  The RFC
+specification handle the content of a lot of system databases, but do
+not handle DNS zones and DHCP configuration.</p>

 
 

-<blockquote><pre>
-dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-cn: hostname
-objectClass: top
-objectClass: dhcpHost
-dhcpHWAddress: ethernet 00:00:00:00:00:00
-dhcpStatements: fixed-address hostname
-</pre></blockquote>
+<p>In <a href="http://www.skolelinux.org/">Debian Edu/Skolelinux</a>,
+we would like to store information about users, SMB clients/hosts,
+filegroups, netgroups (users and hosts), DHCP and DNS configuration,
+and LTSP configuration in LDAP.  These objects have a lot in common,
+but with the current LDAP schemas it is not possible to have one
+object per entity.  For example, one need to have at least three LDAP
+objects for a given computer, one with the SMB related stuff, one with
+DNS information and another with DHCP information.  The schemas
+provided for DNS and DHCP are impossible to combine into one LDAP
+object.  In addition, it is impossible to implement quick queries for
+netgroup membership, because of the way NIS triples are implemented.
+It just do not scale.  I believe it is time for a few RFC
+specifications to cleam up this mess.</p>

 
 

-<p>There is less flexiblity in the way LDAP searches are done here.
-The object classes need to have fixed names, and the configuration
-need to be stored in a fairly specific LDAP structure.  On the
-positive side, the invidiual dhcpHost entires can be anywhere without
-the DN pointed to by the dhcpServer entries.  The latter should make
-it possible to group all host entries in a subtree next to the
-configuration entries, and this subtree can also be shared with the
-DNS server if the schema proposed above is combined with the dhcpHost
-structural object class.
+<p>I would like to have one LDAP object representing each computer in
+the network, and this object can then keep the SMB (ie host key), DHCP
+(mac address/name) and DNS (name/IP address) settings in one place.
+It need to be efficently stored to make sure it scale well.</p>

 
 

-<p><strong>Conclusion</strong></p>
+<p>I would also like to have a quick way to map from a user or
+computer and to the net group this user or computer is a member.</p>

 
 

-<p>The PowerDNS implementation seem to be very flexible when it come
-to which LDAP schemas to use.  While its "tree" mode is rigid when it
-come to the the LDAP structure, the "strict" mode is very flexible,
-allowing DNS objects to be stored anywhere under the base cn specified
-in the configuration.</p>
+<p>Active Directory have done a better job than unix heads like myself
+in this regard, and the unix side need to catch up.  Time to start a
+new IETF work group?</p>

 
 

-<p>The DHCP implementation on the other hand is very inflexible, both
-regarding which LDAP schemas to use and which LDAP structure to use.
-I guess one could implement ones own schema, as long as the
-objectclasses and attributes have the names used, but this do not
-really help when the DHCP subtree need to have a fairly fixed
-structure.</p>
+      </div>
+      <div class="tags">
+        
+        
+        Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
+        
+        
+      </div>
+    </div>
+    <div class="padding"></div>
+    
+    <p style="text-align: right;"><a href="ldap.rss"><img src="http://people.skolelinux.org/pere/blog/xml.gif" alt="RSS Feed" width="36" height="14" /></a></p>
+    <div id="sidebar">
+      

 
 

-<p>Based on the observed behaviour, I suspect a LDAP structure like
-this might work for Debian Edu:</p>

 
 

-<blockquote><pre>
-ou=services
-  cn=machine-info (dhcpService) - dhcpServiceDN points here
-    cn=dhcp (dhcpServer)
-    cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
-      cn=10.0.2.0 (dhcpSubnet)
-        cn=group1 (dhcpGroup/dhcpOptions)
-    cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
-      cn=192.168.0.0 (dhcpSubnet)
-        cn=group1 (dhcpGroup/dhcpOptions)
-    ou=machines - PowerDNS base points here
-      cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
-</pre></blockquote>
+<h2>Archive</h2>
+<ul>

 
 

-<P>This is not tested yet.  If the DHCP server require the dhcpHost
-entries to be in the dhcpGroup subtrees, the entries can be stored
-there instead of a common machines subtree, and the PowerDNS base
-would have to be moved one level up to the machine-info subtree.</p>
+<li>2012
+<ul>

 
 

-<p>The combined object under the machines subtree would look something
-like this:</p>
-    
-<blockquote><pre>
-dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
-dc: hostname
-objectClass: top
-objectClass: dhcpHost
-objectclass: domainrelatedobject
-objectclass: dnsDomainAux
-associateddomain: hostname.intern
-arecord: 10.11.12.13
-dhcpHWAddress: ethernet 00:00:00:00:00:00
-dhcpStatements: fixed-address hostname.intern
-</pre></blockquote>
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/01/">January (7)</a></li>

 
 

-</p>One could even add the LTSP configuration associated with a given
-machine, as long as the required attributes are available in a
-auxiliary object class.</p>
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/02/">February (10)</a></li>

 
 

- </div>
- <div class="tags">
- 
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/03/">March (17)</a></li>

 
 

- 
-  Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
- 
- </div>
-</div>
-<div class="padding"></div>
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/04/">April (12)</a></li>

 
 

- <p style="text-align: right;"><a href="ldap.rss"><img src="http://people.skolelinux.org/pere/blog/xml.gif" alt="RSS Feed" width="36" height="14"></a></p>
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/05/">May (12)</a></li>

 
 

+<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/06/">June (20)</a></li>

 
 

+<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/07/">July (17)</a></li>

 
 

+<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/08/">August (6)</a></li>

 
 

-<div id="sidebar">
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/09/">September (9)</a></li>

 
 

-<h2>Archive</h2>
-<ul>
+</ul></li>

 
 <li>2011
 <ul>
 
 <li>2011
 <ul>


@@ -982,7 +986,15 @@ auxiliary object class.</p>
 
 <li><a href="http://people.skolelinux.org/pere/blog/archive/2011/07/">July (7)</a></li>
 
 
 <li><a href="http://people.skolelinux.org/pere/blog/archive/2011/07/">July (7)</a></li>
 

-<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/08/">August (2)</a></li>
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/08/">August (6)</a></li>
+
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/09/">September (4)</a></li>
+
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/10/">October (2)</a></li>
+
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/11/">November (3)</a></li>
+
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/12/">December (1)</a></li>

 
 </ul></li>
 
 
 </ul></li>
 


@@ -1068,23 +1080,33 @@ auxiliary object class.</p>
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/bitcoin">bitcoin (2)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/bitcoin">bitcoin (2)</a></li>
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/bootsystem">bootsystem (11)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/bootsystem">bootsystem (12)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/bsa">bsa (2)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/debian">debian (57)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/debian">debian (52)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu (112)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu (64)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/digistan">digistan (9)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/digistan">digistan (7)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/docbook">docbook (7)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (94)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/drivstoffpriser">drivstoffpriser (4)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/fiksgatami">fiksgatami (12)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (152)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling (11)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/fiksgatami">fiksgatami (17)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/intervju">intervju (10)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling (12)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/kart">kart (15)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/freeculture">freeculture (8)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/frikanalen">frikanalen (8)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/intervju">intervju (31)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/kart">kart (17)</a></li>

 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap (8)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap (8)</a></li>
 


@@ -1092,17 +1114,21 @@ auxiliary object class.</p>
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/ltsp">ltsp (1)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/ltsp">ltsp (1)</a></li>
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/multimedia">multimedia (13)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/multimedia">multimedia (25)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk (197)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk (131)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug (143)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug (118)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/offentlig innsyn">offentlig innsyn (4)</a></li>

 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/open311">open311 (2)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/open311">open311 (2)</a></li>
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett (21)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett (35)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern (42)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern (49)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/raid">raid (1)</a></li>

 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/reprap">reprap (11)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/reprap">reprap (11)</a></li>
 


@@ -1112,26 +1138,39 @@ auxiliary object class.</p>
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/rss">rss (1)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/rss">rss (1)</a></li>
 

+ <li><a href="http://people.skolelinux.org/pere/blog/tags/ruter">ruter (4)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/scraperwiki">scraperwiki (2)</a></li>
+

  <li><a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet (23)</a></li>
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet (23)</a></li>
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/sitesummary">sitesummary (3)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/sitesummary">sitesummary (4)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/skepsis">skepsis (2)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/standard">standard (24)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/standard">standard (37)</a></li>

 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/stavekontroll">stavekontroll (1)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/stavekontroll">stavekontroll (1)</a></li>
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/stortinget">stortinget (2)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/stortinget">stortinget (4)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/surveillance">surveillance (9)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/surveillance">surveillance (10)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/video">video (20)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/valg">valg (7)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/vitenskap">vitenskap (1)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/video">video (34)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/web">web (16)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/vitenskap">vitenskap (3)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/web">web (25)</a></li>

 
 </ul>
 
 
 </ul>
 

-</div>
-</body>
+
+    </div>
+    <p style="text-align: right">
+ Created by <a href="http://steve.org.uk/Software/chronicle">Chronicle v4.4</a>
+</p>
+
+  </body>

 </html>
 </html>