Re: [GOsa] Netgroups and ACL's
On Friday 07 May 2010 22:13:18, Cajus Pollmeier wrote:
On 07.05.10 16:30, Andreas B. Mundt wrote:

Hello, (cc debian-edu to allow for comments/discussion/additions)

On Fri, May 07, 2010 at 12:41:26PM +0200, Benoit Mortier wrote:
On Friday 07 May 2010 12:03:00, Andreas B. Mundt wrote:
On Wed, May 05, 2010 at 02:08:00PM +0200, Cajus Pollmeier wrote:
On Wednesday 05 May 2010 13:55:35, Gerrard Geldenhuis wrote:

[...] An email thread in April stated that Netgroups were not supported. Is that a not yet or is the view that you can achieve the same result by using ACL's.

They are not supported means: if someone has time or wants to start a paid project, netgroups are not yet supported ;-)

[...] you can find an experimental hack (probably horrible for someone who knows php) to add some support here: http://lists.debian.org/debian-edu/2010/04/msg00124.html [...]

- First there will be a GOsa² in squeeze, currently working on it, it will be 2.6.10 I think
- Second I am interested in making GOsa² work with skolelinux, could you enter a wishlist in the gosa tracker with your findings and explaining what should be done
- Third of course you are welcome on the #gosa on freenode to discuss it ;-)

Hello Benoit, first, I am really happy about you offering support! (I've seen you are involved in the debian ldap package as well: #512360, so that's exactly the competence we need here :)).

Not being Benoit, I hope I'm allowed to answer, too ;-)

No you are not ;-)

Perhaps I start with describing the current situation from my point of view (others please add/correct what's missing or I got wrong): In debian-edu lenny we use lwat for administration of the System. Lwat has been written especially for skolelinux/debian-edu, this means it's targeted at the basics you need to add/remove users (students and teachers) (posix-) groups and machines. The machines have to be added to LDAP to use their (static) IP addresses for access control.

The major advantage of LWAT is its simplicity: At many schools there is a teacher who rarely knows about ldap at all and is easily overwhelmed by hundreds of attributes and features. (The job has to be done often by maths-, or physics- teacher because their colleagues from history or languages expect them to understand technology best). So there is no professional sysadmin, and the teacher's standard workload is reduced by one or two hours per week if reduced at all, i.e. he cannot spend much time learning how to get the system started. (And school starts already just after the vacations... ;-) ).

Unfortunately LWAT seems to retire upstream as well as in debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578345. For sure this can be fixed (again), but I already spent some amount of time and energy on LWAT and by now prefer to put this time into something that promises more returned value in the long run.

At this point GOsa² comes into play. So far, I tried to kind of strip it down to the basics needed at school. I did this by simply not installing plugins or commenting them in gosa.config. I guess user and group management should work out of box, what's missing compared to LWAT is the machine management: We can assign netgroups to machines: For example when a machine is member of the shutdown-at-night netgroup, a script halts that machine in the evening. More important netgroups allow mounting the home directory etc. Currently this is essential, therefore the hack mentioned above. The good news is, as pointed out by Petter ( http://lists.debian.org/debian-edu/2010/05/msg00025.html ) that this might not be needed in the future where we plan to use kerberos. Of course grouping of machines would be nice, to define shutdown-at-night and fsautoresize-hosts. (I would expect that something like that is already somewhere in gosa, but perhaps in combination with a hundred other features :( ).

In combination with gosa-si, you can plan shutdown, wakeup, reinstall, etc. tasks for your workstations and group of workstations. GOsa allows bare metal installs for FAI and OPSI based installs (preseed|autoyast|kickstart + puppet coming soon). The GOsa style process is like this:

I would add that GOsa² integrates with LTSP5, which is running here in several schools.

* Unpack your hardware, place it somewhere and plug it into the network
* Start the machine, configure it for network boot
* Network boot will not work, because the system is not known to GOsa and will not get anything via tftp (works in combination with fts)
* gosa-si's arp module (or the contributed dhcp hook) detects a new machine and adds it to ou=incoming in your LDAP as a new system

The dhcp hook is helpful when you have multihomed network machines and you want the correct machine / ip / mac to appear in GOsa²
configuring gosa during system installation
Hi,

many thanks for all the answers and hints so far! I will reply to them soon, but first a technical question that just came up when I excitedly started to make a first draft implementation:

To avoid having the user click through the gosa builtin configurator after installing the system, it would be nice to prepare gosa already during system installation of our main-server. The idea is to prepare a gosa.ldif which contains all needed to start (dropped into ldap) in combination with the corresponding configuration gosa.config. In gosa.config, timezone and language have to be modified during install, as well as ldap and gosa-admin password(-hashes).

For the ldap tree, I guess most parts are straightforward, but how can I create the gosaAclEntry? I suspect it has to correspond to the gosa-admin (called ldapadmin below). Below you find a draft ldif. $ROOTPW is replaced by the password hash during installation.

Regards,
Andi

dn: dc=skole,dc=skolelinux,dc=no
dc: skole
o: skole.skolelinux.no
ou: skole
description: skole
objectClass: gosaAcl
objectClass: top
objectClass: dcObject
objectClass: organization
objectClass: gosaDepartment
gosaAclEntry: 0:psub:Y249U3lzdGVtIEFkbWluaXN0cmF0b3ItbGRhcGFkbWluLG91PXBlb3BsZSxkYz1za29sZSxkYz1za29sZWxpbnV4LGRjPW5v:all;cmdrw
## ? ^

## gosa-admin:
dn: uid=ldapadmin,ou=people,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: person
objectClass: gosaAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: System
sn: Administrator
cn: System Administrator-ldapadmin
uid: ldapadmin
userPassword: {crypt}$ROOTPW

## students
#
## predefine template newstudent:
dn: uid=newstudent,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no
sn: NewStudent
givenName: NewStudent
uid: newstudent
cn: NewStudent NewStudent
userPassword: {crypt}
homeDirectory: /skole/tjener/home0/%uid
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
gecos: NewStudent NewStudent
shadowLastChange: 14737
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: gosaUserTemplate
objectClass: posixAccount
objectClass: shadowAccount
objectClass: gosaAdministrativeUnitTag
gosaUnitTag: 1273308526072077400

dn: cn=newstudent,ou=groups,ou=Students,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: posixGroup
objectClass: gosaAdministrativeUnitTag
cn: newstudent
description: Group of user newstudent newstudent
gidNumber: 1000
gosaUnitTag: 1273308526072077400

## teachers
#
## predefine template newteacher:
dn: uid=newteacher,ou=people,ou=Teachers,dc=skole,dc=skolelinux,dc=no
sn: NewTeacher
givenName: NewTeacher
uid: newteacher
cn: NewTeacher NewTeacher
userPassword: {crypt}
homeDirectory: /skole/tjener/home0/%uid
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
gecos: NewTeacher NewTeacher
shadowLastChange: 14737
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: gosaUserTemplate
objectClass: posixAccount
objectClass: shadowAccount
objectClass: gosaAdministrativeUnitTag
gosaUnitTag: 1273308526072077400

dn: cn=newteacher,ou=groups,ou=Teachers,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: posixGroup
objectClass: gosaAdministrativeUnitTag
cn: newteacher
description: Group of user newteacher newteacher
gidNumber: 1000
gosaUnitTag: 1273308526072077400

--
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100508124248.ga7...@flashgordon
Re: [GOsa] configuring gosa during system installation
On Saturday 08 May 2010, 14:42:48, Andreas B. Mundt wrote:

Hi, many thanks for all the answers and hints so far! I will reply to them soon, but first a technical question that just came up when I excitedly started to make a first draft implementation: To avoid having the user click through the gosa builtin configurator after installing the system, it would be nice to prepare gosa already during system installation of our main-server. The idea is to prepare a gosa.ldif which contains all needed to start (dropped into ldap) in combination with the corresponding configuration gosa.config. In gosa.config, timezone and language have to be modified during install, as well as ldap and gosa-admin password(-hashes). For the ldap tree, I guess most parts are straightforward, but how can I create the gosaAclEntry? I suspect it has to correspond to the gosa-admin (called ldapadmin below). Below you find a draft ldif. $ROOTPW is replaced by the password hash during installation.

The ACL entry below keeps a comma separated list of base64 encoded dn's and the final access rights that this one gets. If the dn never changes (i.e. it is always a fixed user inside of your skolelinux tree), you never have to change that.

We do it the same way with FAI based initial installs. All you need is a working gosa.conf, slapd.conf, schema in the right place and a slapadd for the minimalistic base ldif. You can go further and make the base configurable, too. But this is a bit more complicated in case of unicode bases.

It would be a good idea to add some acl roles to this base ldif, so that users don't have to bother with creating ACLs directly. They can just choose from a predefined ACL set. This is shown in the ACL screencast of https://oss.gonicus.de/labs/gosa.

I mean: students should be able to change their passwords, teachers may not be able to do too much and superadmins are the most skilled teachers ;-)

Cheers,
Cajus
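Added example (not part of the original messages and not GOsa's own code): a small Python check for the gosaAclEntry value discussed above, following the layout visible in the draft (index:scope:members:rights) and Cajus's description of the member field as comma separated base64 DNs. Decoded, the draft's member is cn=System Administrator-ldapadmin,ou=people,dc=skole,dc=skolelinux,dc=no, while the draft defines its admin entry as uid=ldapadmin,ou=people,dc=skole,dc=skolelinux,dc=no; the check reports members that match no entry in the LDIF being loaded. The field names, the UTF-8 encoding and the simplified DN comparison are assumptions.

```python
import base64

# gosaAclEntry value copied from the draft LDIF in the thread.
DRAFT_ACL = ("0:psub:Y249U3lzdGVtIEFkbWluaXN0cmF0b3ItbGRhcGFkbWluLG91PXBlb3Bs"
             "ZSxkYz1za29sZSxkYz1za29sZWxpbnV4LGRjPW5v:all;cmdrw")

# DNs of the entries defined in the same draft LDIF.
DRAFT_ENTRY_DNS = [
    "dc=skole,dc=skolelinux,dc=no",
    "uid=ldapadmin,ou=people,dc=skole,dc=skolelinux,dc=no",
    "uid=newstudent,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no",
    "cn=newstudent,ou=groups,ou=Students,dc=skole,dc=skolelinux,dc=no",
    "uid=newteacher,ou=people,ou=Teachers,dc=skole,dc=skolelinux,dc=no",
    "cn=newteacher,ou=groups,ou=Teachers,dc=skole,dc=skolelinux,dc=no",
]


def encode_acl(index, scope, member_dns, rights):
    """Build a value with base64 member DNs joined by commas.

    Field names are assumed from the sample; UTF-8 is assumed for the DNs.
    """
    members = ",".join(
        base64.b64encode(dn.encode("utf-8")).decode("ascii")
        for dn in member_dns)
    return f"{index}:{scope}:{members}:{rights}"


def decode_acl(value):
    """Split a value into its four colon-separated fields and decode the DNs.

    Raises ValueError on a missing field or a member that is not valid base64.
    """
    index, scope, members, rights = value.split(":", 3)
    dns = [base64.b64decode(m, validate=True).decode("utf-8")
           for m in members.split(",") if m]
    return {"index": int(index), "scope": scope,
            "members": dns, "rights": rights}


def normalize_dn(dn):
    """Lower-case and trim each RDN (simplified: ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dangling_members(acl_value, entry_dns):
    """Return ACL member DNs that name no entry in the LDIF being loaded."""
    known = {normalize_dn(dn) for dn in entry_dns}
    return [dn for dn in decode_acl(acl_value)["members"]
            if normalize_dn(dn) not in known]


if __name__ == "__main__":
    print(decode_acl(DRAFT_ACL))
    print("members without an entry:",
          dangling_members(DRAFT_ACL, DRAFT_ENTRY_DNS))
    admin = "uid=ldapadmin,ou=people,dc=skole,dc=skolelinux,dc=no"
    print(encode_acl(0, "psub", [admin], "all;cmdrw"))
```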
Re: [GOsa] configuring gosa during system installation
On Sat, May 08, 2010 at 05:39:57PM +0200, Cajus Pollmeier wrote:
On Saturday 08 May 2010, 14:42:48, Andreas B. Mundt wrote:

[...]

The ACL entry below keeps a comma separated list of base64 encoded dn's and the final access rights that this one gets. If the dn never changes (i.e. it is always a fixed user inside of your skolelinux tree), you never have to change that.

ok.

We do it the same way with FAI based initial installs. All you need is a working gosa.conf, slapd.conf, schema in the right place and a slapadd for the minimalistic base ldif. You can go further and make the base configurable, too. But this is a bit more complicated in case of unicode bases. It would be a good idea to add some acl roles to this base ldif, so that users don't have to bother with creating ACLs directly. They can just choose from a predefined ACL set. This is shown in the ACL screencast of https://oss.gonicus.de/labs/gosa.

Yeah, I'm just looking into that, ...

I mean: students should be able to change their passwords, teachers may not be able to do too much and superadmins are the most skilled teachers ;-)

right, hehe ;-)

Thanks Cajus, I played a bit today and all in all this looks very promising to me. I have the impression that it should be possible to start with a basic implementation not overwhelming the guy setting up a single classroom with 10 PCs in his limited spare time. And on the other hand allow for further development up to managing the schools in a large town centrally by a full time admin. Great.

Enjoy the weekend,
Andi
Re: Qsynth 0.3.5
[Xavier Oswald]

I just have uploaded the latest qsynth version to debian sid. It now recommends fluid-soundfont-gm to have at least one sound font file installed. And it opens /usr/share/sounds/sf2 as the default soundfont directory. Feel free to tell me if everything works as expected.

Great. :) I lack the set setup where I am at the moment, so I can test it this week. Hope to test it next week. :)

Will qsynth now autoselect a sound font if none is configured and there is a sound font present in /usr/share/sounds/sf2/, to allow qsynth to work out of the box without any configuration in Debian Edu?

Happy hacking,
--
Petter Reinholdtsen
Re: Qsynth 0.3.5
On 18:11 Sat 08 May, Petter Reinholdtsen wrote:

[Xavier Oswald]

I just have uploaded the latest qsynth version to debian sid. It now recommends fluid-soundfont-gm to have at least one sound font file installed. And it opens /usr/share/sounds/sf2 as the default soundfont directory. Feel free to tell me if everything works as expected.

Great. :) I lack the set setup where I am at the moment, so I can test it this week. Hope to test it next week. :)

Will qsynth now autoselect a sound font if none is configured and there is a sound font present in /usr/share/sounds/sf2/, to allow qsynth to work out of the box without any configuration in Debian Edu?

No. That's the latest point I didn't add. I'm wondering if this is a good idea to do such an automatic selection.

Greetings,
--
 ,''`.  Xavier Oswald (xosw...@debian.org)
: :' :  GNU/LINUX Debian Developer http://www.debian.org
`. `'   GPG Key: 1024D/88BBB51E
  `-    938D D715 6915 8860 9679 4A0C A430 C6AA 88BB B51E
Re: [GOsa] configuring gosa during system installation
On Saturday, 08.05.2010, 18:07 +0200, Andreas B. Mundt wrote:

[...]

Thanks Cajus, I played a bit today and all in all this looks very promising to me. I have the impression that it should be possible to start with a basic implementation not overwhelming the guy setting up a single classroom with 10 PCs in his limited spare time. And on the other hand allow for further development up to managing the schools in a large town centrally by a full time admin. Great.

Enjoy the weekend,

Same to you. The weather will be better tomorrow. This was a lazy day at home ;-)

Questions are welcome.

Cheers,
Cajus
Re: Qsynth 0.3.5
That will be a good idea, to make things more user friendly.

Regards
Alf Tonny

On Sat, May 8, 2010 at 7:10 PM, Xavier Oswald xosw...@gmail.com wrote:
On 18:11 Sat 08 May, Petter Reinholdtsen wrote:

[Xavier Oswald]

I just have uploaded the latest qsynth version to debian sid. It now recommends fluid-soundfont-gm to have at least one sound font file installed. And it opens /usr/share/sounds/sf2 as the default soundfont directory. Feel free to tell me if everything works as expected.

Great. :) I lack the set setup where I am at the moment, so I can test it this week. Hope to test it next week. :)

Will qsynth now autoselect a sound font if none is configured and there is a sound font present in /usr/share/sounds/sf2/, to allow qsynth to work out of the box without any configuration in Debian Edu?

No. That's the latest point I didn't add. I'm wondering if this is a good idea to do such an automatic selection.

Greetings,
--
 ,''`.  Xavier Oswald (xosw...@debian.org)
: :' :  GNU/LINUX Debian Developer http://www.debian.org
`. `'   GPG Key: 1024D/88BBB51E
  `-    938D D715 6915 8860 9679 4A0C A430 C6AA 88BB B51E
Re: Qsynth 0.3.5
[Xavier Oswald]

No. That's the latest point I didn't add. I'm wondering if this is a good idea to do such an automatic selection.

Why? I assume it only will be enabled when no soundfont is already enabled, and thus will only help first time users to get started. :)

Happy hacking,
--
Petter Reinholdtsen
Re: Qsynth 0.3.5
On 20:20 Sat 08 May, Petter Reinholdtsen wrote:

[Xavier Oswald]

No. That's the latest point I didn't add. I'm wondering if this is a good idea to do such an automatic selection.

Why? I assume it only will be enabled when no soundfont is already enabled, and thus will only help first time users to get started. :)

Right. Well yes, I was too tired today to think clearly ;)

So what we can do is that I wait for feedback of the current uploaded qsynth. And do the needed hack to have this feature. I'm wondering if there are good C++/Qt developers here on the list, if yes, someone could review my patch since I'm not that friendly with them? ;)

Greetings,
--
 ,''`.  Xavier Oswald (xosw...@debian.org)
: :' :  GNU/LINUX Debian Developer http://www.debian.org
`. `'   GPG Key: 1024D/88BBB51E
  `-    938D D715 6915 8860 9679 4A0C A430 C6AA 88BB B51E
Content and translation status for the debian-edu-lenny manual
The (translated) debian-edu-lenny manual as PDF or HTML is available at http://maintainer.skolelinux.org/debian-edu-doc/

To understand this mail better, please read /usr/share/doc/debian-edu-doc/README. This mail is automatically sent by a cronjob run by Holger Levsen every two weeks. Please send feedback, suggestions, flames and cookies via this list.

debian-edu-lenny-manual.de.po: 1141 translated messages.
debian-edu-lenny-manual.es.po: 233 translated messages, 223 fuzzy translations, 685 untranslated messages.
debian-edu-lenny-manual.fr.po: 418 translated messages, 330 fuzzy translations, 393 untranslated messages.
debian-edu-lenny-manual.it.po: 1141 translated messages.
debian-edu-lenny-manual.nb.po: 953 translated messages, 172 fuzzy translations, 16 untranslated messages.
debian-edu-lenny-manual.zh.po: 62 translated messages, 53 fuzzy translations, 1026 untranslated messages.

-- http://wiki.debian.org/DebianEdu/Documentation/Lenny//GettingStarted
FIXME: explain what to do when printconf does not accomplish anything.

-- http://wiki.debian.org/DebianEdu/Documentation/Lenny//Maintainance
FIXME: Explain how to use kde-update-notifier, best with screenshots.
FIXME: continue description of slbackup-php usage, maybe with screenshots

-- http://wiki.debian.org/DebianEdu/Documentation/Lenny//HowTo/Administration
FIXME: paragraph about access from outside need to be completed and tested.
FIXME: this is so generic its almost useless
FIXME: Compare with <ulink url='http://wiki.debian.org/DebianEdu/Documentation/Lenny/HowTo/NetworkClients#'>DebianEdu/Documentation/Lenny/HowTo/NetworkClients</ulink> and get rid of redundant information.

-- http://wiki.debian.org/DebianEdu/Documentation/Lenny//HowTo/Desktop
FIXME: this is broken and a bug should be filed: kiosktool upgrades restore default desktop icons

-- http://wiki.debian.org/DebianEdu/Documentation/Lenny//HowTo/NetworkClients
FIXME: This need to be changed as DHCP configuration is in LDAP.
FIXME: should user groups in windows better be explained with lwat first, and then with an example for the command line?
FIXME explain how to use profiles from global policies for windows machines in the skolelinux network
FIXME: describe roaming profile key for the global policy editor here

-- http://wiki.debian.org/DebianEdu/Documentation/Lenny//HowTo/TeachAndLearn
FIXME: explain how to install and use italc - <ulink url='http://bugs.debian.org/511387'>511387</ulink> explains this quite well actually.
FIXME: explain how to install and use squidguard and/or dansguardian

13 FIXMEs left to fix
Content and translation status for the rosegarden manual
The (translated) rosegarden manual as PDF or HTML is available at http://maintainer.skolelinux.org/debian-edu-doc/

To understand this mail better, please read /usr/share/doc/debian-edu-doc/README. This mail is automatically sent by a cronjob run by Holger Levsen every two weeks. Please send feedback, suggestions, flames and cookies via this list.

rosegarden-manual.fr.po: 103 translated messages, 79 fuzzy translations, 426 untranslated messages.
rosegarden-manual.nb.po: 591 translated messages, 17 fuzzy translations.