+ <div class="entry">
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html">Autodetecting Client setup for roaming workstations in Debian Edu</a></div>
+ <div class="date">2010-08-07 14:45</div>
+ <div class="body">
+<p>A few days ago, I
+<a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">tried
+to install</a> a Roaming workation profile from Debian Edu/Squeeze
+while on the university network here at the University of Oslo, and
+noticed how much had to change to get it operational using the
+university infrastructure. It was fairly easy, but it occured to me
+that Debian Edu would improve a lot if I could get the client to
+connect without any changes at all, and thus let the client configure
+itself during installation and first boot to use the infrastructure
+around it. Now I am a huge step further along that road.</p>
+
+<p>With our current squeeze-test packages, I can select the roaming
+workstation profile and get a working laptop connecting to the
+university LDAP server for user and group and our active directory
+servers for Kerberos authentication. All this without any
+configuration at all during installation. My users home directory got
+a bookmark in the KDE menu to mount it via SMB, with the correct URL.
+In short, openldap and sssd is correctly configured. In addition to
+this, the client look for http://wpad/wpad.dat to configure a web
+proxy, and when it fail to find it no proxy settings are stored in
+/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE is
+configured to look for the same wpad configuration and also do not use
+a proxy when at the university network. If the machine is moved to a
+network with such wpad setup, it would automatically use it when DHCP
+gave it a IP address.</p>
+
+<p>The LDAP server is located using DNS, by first looking for the DNS
+entry ldap.$domain. If this do not exist, it look for the
+_ldap._tcp.$domain SRV records and use the first one as the LDAP
+server. Next, it connects to the LDAP server and search all
+namingContexts entries for posixAccount or posixGroup objects, and
+pick the first one as the LDAP base. For Kerberos, a similar
+algorithm is used to locate the LDAP server, and the realm is the
+uppercase version of $domain.</p>
+
+<p>So, what is not working, you might ask. SMB mounting my home
+directory do not work. No idea why, but suspected the incorrect
+Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
+the cause. These are not properly configured during installation, and
+had to be hand-edited to get the correct Kerberos realm and server,
+but SMB mounting still do not work. :(</p>
+
+<p>With this automatic configuration in place, I expect a Debian Edu
+roaming profile installation would be able to automatically detect and
+connect to any site using LDAP and Kerberos for NSS directory and PAM
+authentication. It should also work out of the box in a Active
+Directory environment providing posixAccount and posixGroup objects
+with UID and GID values.</p>
+
+<p>If you want to help out with implementing these things for Debian
+Edu, please contact us on debian-edu@lists.debian.org.</p>
+</div>
+ <div class="tags">
+
+
+
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
<div class="entry">
<div class="title"><a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">Debian Edu roaming workstation - at the university of Oslo</a></div>
<div class="date">2010-08-03 23:30</div>
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
-
- </div>
- </div>
- <div class="padding"></div>
-
- <div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html">jXplorer, a very nice LDAP GUI</a></div>
- <div class="date">2010-07-09 12:55</div>
- <div class="body">
-<p>Since
-<a href="http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html">my
-last post</a> about available LDAP tools in Debian, I was told about a
-LDAP GUI that is even better than luma. The java application
-<a href="http://jxplorer.org/">jXplorer</a> is claimed to be capable of
-moving LDAP objects and subtrees using drag-and-drop, and can
-authenticate using Kerberos. I have only tested the Kerberos
-authentication, but do not have a LDAP setup allowing me to rewrite
-LDAP with my test user yet. It is
-<a href="http://packages.qa.debian.org/j/jxplorer.html">available in
-Debian</a> testing and unstable at the moment. The only problem I
-have with it is how it handle errors. If something go wrong, its
-non-intuitive behaviour require me to go through some query work list
-and remove the failing query. Nothing big, but very annoying.</p>
-</div>
- <div class="tags">
-
-
-
Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
</div>
<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/07/">July (12)</a></li>
-<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/08/">August (1)</a></li>
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/08/">August (2)</a></li>
</ul></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/debian">debian (35)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu (37)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu (38)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (52)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (53)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/fiksgatami">fiksgatami (1)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk (71)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug (89)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug (90)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett (14)</a></li>
</div>
<p style="text-align: right">
-Created by <a href="http://steve.org.uk/Software/chronicle">Chronicle v3.7</a>
+Created by <a href="http://steve.org.uk/Software/chronicle">Chronicle v3.2</a>
</p>
</body>
</html>
projects / homepage.git / blobdiff