Re: DMA?

2002-07-23 Thread Kevin J. Menard, Jr.

Thomas -Balu- Walter wrote:
 
 I thought that myself, but got curious, why the #debian.de FAQ told me
 that it could be possible that the BIOS activated the UDMA-mode already
 (marked with *). You don't have to do anything in this case. If not you
 have to enable it using hdparm afterwards. 

Well, there's a kernel option to automatically enable DMA if it's 
detected, at least in 2.4.18.  I don't recall exactly where, and alas, I 
can't access my box from here :-/.  But I compiled the kernel to support 
my motherboard's chipset, enabled the option in the kernel to 
automatically enable DMA if detected, and now it detects and enables it 
when I boot :)

-- 
Kevin





-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




SOT: reiserfs enabled netinst image?

2002-05-07 Thread Kevin J. Menard, Jr.

Hey guys,

I used to have one of these images, but the CD is scratched beyond
repair now, and the host I used to get it from is no longer serving the
file.  I've been searching in vain for the past week now, and I just
wanted to know if any of you know where I can grab this ISO image.  I
found it grossly useful, and wish to call upon its services again :)

Thanks.

-- 
 Kevin






Re[2]: virtual hosting methods

2001-11-24 Thread Kevin J. Menard, Jr.

Hey Martin,


Saturday, November 24, 2001, 5:30:41 PM, you wrote:

MpP Actually there is a very nice and nifty feature in apache 1.3.19+ (or was
MpP it 20+) that allows an include filename to be a directory, which will
MpP include all directories and subdirs of the named directory, and load all
MpP files in those dirs as config files. With some maintenance scripts it
MpP allows very easy maintenance of virtual hosts (configuration...)
MpP and grouping of configuration.

I'll have to look into this.  This sounds very interesting.

MpP For simple masshosting I still suggest mod_vhost.

Which brings me back to my original question.  For simple masshosting, I
would agree.  But what about a system where some vhosts have CGI or SSI
access for example, and some don't.  Would the former setup be better, or
the latter?

--
 Kevin






virtual hosting methods

2001-11-24 Thread Kevin J. Menard, Jr.

Hey guys,

What are people doing for virtual hosting?  I'm trying to figure what
would be best for me.

Would running a vhost module be a good way of doing things?  My only
problem with this is I'd have to parse the single log file for each
host.  Not a huge deal, but I'd like to have them separated without my
intervention.  And I'd have to throw config lines for each vhost into
the .htpasswd file, but even that would be acceptable.

I've recently read about people just doing stuff with mod_rewrite (I
think).  I really don't know much about this.

And I was thinking just have a separate vhost.conf file and modifying
that, then restarting apache with graceful.

Any info would be great.

Thanks.

-- 
 Kevin






Re[2]: Apache/PHP

2001-08-16 Thread Kevin J. Menard, Jr.

Hey Jeff,


Thursday, August 16, 2001, 10:05:35 AM, you wrote:


JW Backport to potato, and have a platform you can rely on. Running sid on a
JW production server is system administration crack smoking at its finest.

I find using woody to be pretty good.

--
 Kevin






Re[2]: change NIC after install

2001-08-16 Thread Kevin J. Menard, Jr.

Hey Peter,


Thursday, August 16, 2001, 3:39:01 PM, you wrote:

PB Andrew Kaplan wrote:
 
 How would I change my NIC from a 3COM to say a Kingstone (Tulip) card after
 the box was running with the 3com card.

PB Re-compile your kernel with support for the new NIC card and reboot.

Don't forget to run lilo again.  You'll shoot yourself in the foot that way
:-P


--
 Kevin






Re: Clustering mail servers - Cyrus or Courier ?

2001-08-06 Thread Kevin J. Menard, Jr.

Hey Przemyslaw,


Sunday, August 05, 2001, 10:10:13 AM, you wrote:


PW However, AFAIK it can be done only with Cyrus with its IMAP Aggregator, or
PW with qmail-ldap + Courier-IMAP...

Perdition (http://www.ca.us.vergenet.net/linux/perdition/) should allow you
to do the same thing as Cyrus murder, on other mail systems.

-- 
 Kevin






Re[2]: Clustering mail servers - Cyrus or Courier ?

2001-08-06 Thread Kevin J. Menard, Jr.

Hey Jeff,


Monday, August 06, 2001, 6:32:47 AM, you wrote:

JW quote who=Przemyslaw Wegrzyn

 However, AFAIK it can be done only with Cyrus with its IMAP Aggregator, or
 with qmail-ldap + Courier-IMAP...

JW You ought to check out Scalemail, which is being developed expressly for
JW this purpose. It is a combination of Courier POP/IMAP and postfix. Very
JW powerful combo.

JW - Jeff

Are there any plans to offer a version with Cyrus IMAPd?  There's a fair
number of us that like this better than Courier, so I think it would be a
nice suggestion :)  Btw, anyone know if the Cyrus IMAPd maintainer plans on
maintaining the package anymore?  It is seriously out of date, and he hasn't
responded to a bug report filed about it being such.


-- 
 Kevin






Re[2]: Clustering mail servers - Cyrus or Courier ?

2001-08-06 Thread Kevin J. Menard, Jr.

Hey Przemyslaw,


Monday, August 06, 2001, 11:59:53 AM, you wrote:


PW Hmmm, I can see it's in an early stage of development.
PW Does postfix support ldap natively ?

Yeap (not sure going how far back though).  And you can set up SASL to do
SMTP AUTH via LDAP with postfix as well.


-- 
 Kevin






Re[2]: Cyrus-imapd install problems

2001-08-01 Thread Kevin J. Menard, Jr.

Hey Haim,


Wednesday, August 01, 2001, 2:40:16 PM, you wrote:


HD  http://dudle.linuxroot.org

HD  Please give me some feedback.

I wouldn't put the cyrus user into the mail group.  Postfix doesn't like to
share.  You should create a separate cyrus group.  And Cyrus Imapd 2.0.16 is
out now.  No biggie, but might want to update your links.

-- 
 Kevin






LDAP + quotas

2001-07-25 Thread Kevin J. Menard, Jr.

Hey guys,

Well, I think this was talked about a little before in the past, but I
can't get the archive search to work.  So, if it was, sorry for asking
again.  If not, I'd like to see some nice responses :)

I'm trying to build a complete web hosting solution.  All accounts are
stored in LDAP.  I just set up NSS LDAP today figuring I might need that
(apt-get install libnss-ldap didn't give me the problems most people
building by source were having ;)).  All mailboxes are created in cyrus
imapd 2.0.15-HIERSEP, with lookups done through SASL through LDAP.  Now,
I know cyrus-imapd has a system for mailbox quotas, but I want a
system-wide policy.

What I ideally want to be able to do is assign each virtual host a
group, and set that quota of that group to whatever their max allowed
disk space is (for instance, 50 MB), and then have their web folder and
all user mailboxes in that group be restricted to that 50 MB limit.

Anyone know if this is possible?  And if so, how to do it?

Also, anyway to get ls to output the full username?  I think it
truncates at 8 characters by default, which is sort of a pain, since all
my uids are of the form user.domain.com.  I mean, it's not that bad,
because the users are restricted to their web folder, so only seeing the
first 8 characters is usually good enough, but ideally, the other way
would be best.  Or perhaps I have to roll my own with perl or something?

Thanks.

-- 
 Kevin






Re[2]: Postfix + Cyrus IMAPd + LDAP

2001-07-23 Thread Kevin J. Menard, Jr.

Hey Haim,


Friday, July 20, 2001, 3:20:27 PM, you wrote:

HD Hey Kevin,

HD  I have been working on the same exact thing for the past 2 months. The only
HD thing is I do not use LDAP.

HD  I thought about doing the same exact thing, creating mailboxes named like
HD the email address. I ran into the same problems. I personally use the
HD following schema:

HD [EMAIL PROTECTED] - username~domain-com

I've opted to do username.domain.com using the HIERSEP distribution.

HD  In the postfix virtual table I put

HD domain.com: anything
HD [EMAIL PROTECTED]: username~domain-com

HD  And it works like that. I would love to do it differently (go explain the
HD users that they have to put a ~ instead of an @ and you'll see how much
HD fun this is). If you find a way to do, please let us know. Some kind of
HD howto would be great!

I think I'll be writing a HOWTO for what I've done in the near future.  And
I agree, customers aren't happy :-P  Problem is right now, that the Cyrus
LMTPd splits on '@' for SASL/Kerberos realms or something.  Devdas Bhagat is
working on a virtual domain patch for Cyrus IMAPd, and hopefully this issue
will be addressed.

HD Haim.


-- 
 Kevin






Postfix + Cyrus IMAPd + LDAP

2001-07-20 Thread Kevin J. Menard, Jr.

Hey guys,

I've emailed the postfix-users list with this, and really haven't gotten
any replies, so I'm hoping someone here might be able to help.  I see
there's a lot of people good with this kinda stuff (Craig, Russ, and so
on) :)

I'm using the Cyrus-IMAPd 2.0.15-HIERSEP release.  Reason I mention this
is because with this release, it is possible to use a '.' as a valid
part of a user name.

So, I log into cyradm as an admin from /etc/imapd.conf and localhost
cm [EMAIL PROTECTED] (Note, I have no affiliation with WPI other
than attending the school.  The email admins there are big sendmail
buffs.  Just doing this as an illustration) and the mailbox
[EMAIL PROTECTED] is created (in reality, it's kmenard@wpi^edu, in
order to preserve on-disk structure).

Now, I want to set up postfix to query my OpenLDAP 2.0.11 server, and
get all the info it needs.  I'm using the misc.schema file that comes
with openldap, which I believe is based off of
http://www.watersprings.org/pub/id/draft-lachman-laser-ldap-mail-routing-02.txt.
Most of the postfix docs with ldap, including the LDAP_README, use the
maildrop and mailacceptinggeneralid attributes.  I use the
mailLocalAddress and mailRoutingAddress attributes.

So, now my question is, how do I receive mail and then forward it to the
mailbox by the same name?

I was thinking have a mailLocalAddress: wpi.edu (to notify postfix of
the virtual domain) and a mailLocalAddress: [EMAIL PROTECTED] (to notify
it of the email address), and then a mailRoutingAddress:
[EMAIL PROTECTED]@localhost.  Alas, I am running into some difficulties.

Is this even possible?  Or do I need to change my nomenclature from
cyrus mailboxes such as [EMAIL PROTECTED] to something like
kmenard.wpi.edu.  I've been recommended to do the latter, but I prefer
the former, and want to know if it's possible.

As usual, thanks for the help in advance.

PS -- Following recent discussion, would it be recommended to use a
ReiserFS for an entire server?  In this case, following my thread on
partition schemes, a / and a /home partition.  Thanks again.

-- 
 Kevin






Re[2]: help with site+database

2001-07-19 Thread Kevin J. Menard, Jr.

Hey Craig,


Thursday, July 19, 2001, 6:55:34 AM, you wrote:

CS if i was running a news spool or a large Maildir/ spool, i think i'd
CS stick with reiserfs but this is my workstation, where i have lots of
CS large files (incl. huge mbox files) so i think i'll be switching to XFS.

But don't you want synchronous writes for your mail spool?  I was under the
impression that journaling filesystems don't support this (yet?).

-- 
 Kevin






Re: asp visual basic on linux

2001-07-19 Thread Kevin J. Menard, Jr.

Hey Matt,


Thursday, July 19, 2001, 4:48:13 PM, you wrote:

MF Hello,
MF I have some asp software that is written in visual basic.  All I have is 
MF linux machines for servers and I do not want to get a windows machine just to 
MF run this ASP application.  Is there a way where I could get this to work on an 
MF apache and debian linux?
MF I have seen Apache::ASP, but I believe that is just for ASP applications 
MF written in perl.
MF Ideas, suggestions?
MF Thanks,
MF Matt

Oh yeah, there's an asp2php script out there somewhere.  Check out
freshmeat.  Don't know how well that works though, never used it
before.

-- 
 Kevin






Debian: PAM LDAP + OpenLDAP 2.x solution

2001-07-06 Thread Kevin J. Menard, Jr.
Hey guys,

Sorry for the massive post here, but I asked very similar
questions on all these lists.  I finally got my problem fixed,
and figured I would share my results with each of the lists, in
case anyone else asks.

You're all probably gonna laugh when you hear what I did to fix
the problem: # apt-get source libpam-ldap; cd
libpam-ldap-VERSION; debian/rules binary.  Yeap, I recompiled
just about everything (postfix, cyrus-sasl, etc. etc.), but I
never thought to recompile pam-ldap.  My best guess is that the
.deb was built from openldap 1.x files.

Thanks to all that helped.  I still have a couple kinks to work
out, but I'll take those problems to the appropriate lists.  Hope
this info can help someone in the future.

-- 
 Kevin




postfix + sasl + pam

2001-06-29 Thread Kevin J. Menard, Jr.

Hey guys,

Anyone here have all this working together?  I apt-get'ed the source for
postfix and altered the debian/rules file to add SASL support for SMTP auth.
The build went fine, but it apparently always tries to use the sasldb, even
though I set up my /usr/lib/sasl/smtpd.conf file to use PAM as the
pwcheck_method.  Anyone know what gives?

Thanks.

-- 
 Kevin






Re[2]: postfix + sasl + pam

2001-06-29 Thread Kevin J. Menard, Jr.
Hey Haim,


Friday, June 29, 2001, 1:13:42 PM, you wrote:

HD Kevin,

HD  AFAIK, you can use PAM directly from Postfix without having to go through
HD SASL. The book from R. Blum fails to mention it.

HD Haim.

Umm . . . how?  And still, that doesn't fix this odd behaviour :-/

Btw, I don't have the Blum book, after the not-so-good reviews it got from
people on the postfix-users list.

-- 
 Kevin




Re: Virtual Domains Email: How do you do it?

2001-06-28 Thread Kevin J. Menard, Jr.

Hey Haim,


Thursday, June 28, 2001, 4:24:06 PM, you wrote:

HD Hi all,

HD  I need to do email hosting for a large number of domains. My solution
HD consists in Postfix for the MTA, Cyrus for the LDA and IMP for the MUA.
HD Emails have to be accessible by POP as well.

HD  After some research, I came to the conclusion that each individual needed
HD to have an account under Cyrus as a local user. Let me explain. Let's say I
HD host email for [EMAIL PROTECTED] The string [EMAIL PROTECTED] is not a
HD valid Cyrus username (mailbox in fact but you see my point). A translation
HD needs to take place.

If you apply Dave Fuchs' patch to make a '.' a valid character (but making '/'
an invalid one), then that becomes a valid Cyrus username.  Search the Cyrus
IMAP mailing list archives for it.  He sent it out for 2.0.14 some time last
week when I requested it (but I don't have it on me here) :)


-- 
 Kevin






Re[2]: Virtual Domains Email: How do you do it?

2001-06-28 Thread Kevin J. Menard, Jr.

Hey Haim,


Thursday, June 28, 2001, 4:42:46 PM, you wrote:

HD Kevin,

 If you apply Dave Fuchs' patch to make a '.' a valid character (but making '/'
 and invalid one), then that becomes a valid Cyrus username.  Search the Cyrus
 IMAP mailing list archives for it.  He sent it out for 2.0.14 some time last
 week when I requested it (but I don't have it on me here) :)

HD  So using that patch makes the . part of a valid username. What do I do
HD about the '@' in the email address?

AFAIK, the '@' is already a valid character in the Cyrus mailbox namespace.

Taken from an email to the cyrus list:

cyrus-imapd-2.0.12 - imap/mboxname.c - line #187:

I believe this is what you're looking for...

#define GOODCHARS "+,-.0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~"

-David Fuchs

Technically, the '.' is already a legal character in mailbox names, but it does
something funky (I don't recall quite what it is/was), but the patch curbs that
behaviour.


HD  Thanks a lot (especially for answering so fast)

Np.  I've been doing a lot of research into this lately.  You caught me at a
good time ;)

Btw, I have to agree with the LDAP recommendation.

-- 
 Kevin
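As an added illustration (not Cyrus code and not part of the original posts), the C program below applies the GOODCHARS allowlist quoted above to candidate mailbox names and models how the hierarchy separator decides whether user.kmenard.wpi.edu is one user or a four-level folder tree. The '/'-to-'.' and '.'-to-'^' internal mapping is an assumption drawn from the kmenard@wpi^edu remark in the "Postfix + Cyrus IMAPd + LDAP" post, not something the page states as Cyrus's algorithm.

```c
/* Added example, not code from Cyrus or from the list posts: it applies the
 * GOODCHARS allowlist quoted from imap/mboxname.c and models, as an assumption
 * drawn from the kmenard@wpi^edu remark elsewhere on the page, how a '/'
 * hierarchy separator changes the meaning of '.' in user.kmenard.wpi.edu. */
#include <stdio.h>
#include <string.h>

/* Allowlist as quoted from cyrus-imapd-2.0.12 imap/mboxname.c.  '/' and
 * whitespace are absent, so a mailbox name can never carry a path component
 * into the on-disk spool layout. */
#define GOODCHARS \
    "+,-.0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~"

/* Return 1 if name is non-empty and every character is in GOODCHARS. */
int mboxname_chars_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    return strspn(name, GOODCHARS) == strlen(name);
}

/* Number of hierarchy levels when sep is the hierarchy separator: with '.',
 * user.kmenard.wpi.edu is four levels deep (user -> kmenard -> wpi -> edu);
 * with '/', the same string is a single level. */
int mboxname_depth(const char *name, char sep)
{
    int depth = 1;
    for (const char *p = name; *p != '\0'; p++)
        if (*p == sep)
            depth++;
    return depth;
}

/* Extract the user id: the component following "user<sep>" up to the next
 * separator.  Returns 1 on success, 0 (and an empty out) otherwise. */
int mboxname_userid(const char *name, char sep, char *out, size_t outlen)
{
    const char *start, *end;
    size_t len;

    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (strncmp(name, "user", 4) != 0 || name[4] != sep)
        return 0;
    start = name + 5;
    end = strchr(start, sep);
    len = end != NULL ? (size_t)(end - start) : strlen(start);
    if (len == 0 || len >= outlen)
        return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Assumed external-to-internal mapping for a '/'-separated namespace: '/'
 * becomes the internal '.' separator and a literal '.' is stored as '^',
 * which is how kmenard@wpi.edu would end up on disk as kmenard@wpi^edu.
 * Returns 0 if out is too small. */
int mboxname_to_internal(const char *ext, char *out, size_t outlen)
{
    size_t i, n = strlen(ext);

    if (n + 1 > outlen)
        return 0;
    for (i = 0; i < n; i++) {
        if (ext[i] == '/')
            out[i] = '.';
        else if (ext[i] == '.')
            out[i] = '^';
        else
            out[i] = ext[i];
    }
    out[n] = '\0';
    return 1;
}

int main(void)
{
    char id[64], internal[128];
    const char *name = "user.kmenard.wpi.edu";   /* constructed sample */

    printf("%s chars ok: %d\n", name, mboxname_chars_ok(name));
    printf("depth with '.': %d, with '/': %d\n",
           mboxname_depth(name, '.'), mboxname_depth(name, '/'));
    if (mboxname_userid(name, '.', id, sizeof id))
        printf("userid with '.' separator: %s\n", id);
    if (mboxname_userid("user/kmenard.wpi.edu", '/', id, sizeof id))
        printf("userid with '/' separator: %s\n", id);
    if (mboxname_to_internal("user/kmenard.wpi.edu", internal, sizeof internal))
        printf("internal name: %s\n", internal);
    return 0;
}
```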






Re[2]: Virtual Domains Email: How do you do it?

2001-06-28 Thread Kevin J. Menard, Jr.

Hey Haim,


Thursday, June 28, 2001, 5:16:05 PM, you wrote:


 HD  So using that patch makes the . part of a valid username. What do I do
 HD about the '@' in the email address?
 
 AFAIK, the '@' is already a valid character in the Cyrus mailbox namespace.

HD  Great!

HD  Now I have another question :-)) How do I manage to tell Postfix to treat
HD [EMAIL PROTECTED] as a local username?

HD  What I mean by that is that right now I have translation done at the
HD virtual table level under Postfix. [EMAIL PROTECTED] becomes something else
HD (john~example.com let's say). I want to tell Postfix to accept all mails for
HD [EMAIL PROTECTED] and relay them to Cyrus. Since Cyrus will have a
HD [EMAIL PROTECTED], everything should be good.

I haven't done this all out myself yet, but I have an itching feeling that
postfix is gonna strip everything off after the '@', '@' inclusive.  I could be
wrong though, it may just pass it over the lmtp socket, though I doubt it.  So,
you'll more than likely still need some sort of transport map.  That could all
be held in LDAP though, if you were willing to set it up, so the administration
of the maps would be quite trivial.  Like I said, I haven't done this much yet
though.

HD  Please tell me if I am confusing you. I really wonder how I can achieve the
HD result I want.

Nope, it's exactly what I wanted too :-P


 Btw, I have to agree with the LDAP recommendation.

HD P.S. : I agree 100%. I have no experience with LDAP and right now I really
HD don't have the time. It will come, just not yet.

Too bad.  It'd be a very nice addition :)

-- 
 Kevin






Re[2]: disk partition schemes

2001-06-22 Thread Kevin J. Menard, Jr.

Hey Russell,


Friday, June 22, 2001, 9:17:12 AM, you wrote:

RC On Friday 15 June 2001 16:13, Kevin J. Menard, Jr. wrote:
 This system would be used mostly for web-hosting, so I was figuring
 a large /home partition.  Likewise only one or two kernels max, so I
 figured a small /boot.  And finally, and this is really where I'm

RC Why do you need a separate partition for /boot?  Why not just have it in 
RC the root fs?

Dunno.  Figured for disk failure or something.

RC Problems with booting from partitions 2G were solved ages ago, your root 
RC file system should fit into 8G (although even that limit doesn't apply if 
RC your BIOS is new enough).

Yeap, I don't have this limitation.

 looking for help, it will be used as an IMAP/SMTP machine.  So, should
 I create a separate /var partition?  I'm hesitant because I don't want
 to a) not create a large enough partition, or b) create too large of

RC I suggest having your email stored on the same file system as /home.  
RC Then you have all of your customer data on the same file system for easy 
RC backup.  Also it saves juggling space.

Would a symlink from /var to /home/var be sufficient?

 one and waste space.  Do the performance gains outweigh this?  (I'm not
 terribly worried about the redundancy with the RAID 10 and all).

RC What performance gains are you referring to?

Any that might occur from having separate partitions.

So, if you recommend /boot be with / and /var with /home, why not just have /
and everything in there?  Is this reliable enough?  Today's hard drives have
come a long way, and with a RAID 10, would I be safe in doing this?  Or should I
just have a couple gig / and the rest for /home?

Thanks.

-- 
 Kevin






Re[4]: disk partition schemes

2001-06-22 Thread Kevin J. Menard, Jr.

Hey Russell,


Friday, June 22, 2001, 11:07:37 AM, you wrote:

RC What exactly will that save you from?  If the root FS gets messed up then
RC having a separate /boot won't gain you much...

I was thinking the other way around actually.  If /boot were to get messed up,
it wouldn't affect /.

RC I suggest creating /home/mail and linking /var/spool/mail to it.  However
RC if you want decent performance for email you want to use Maildir.  By 
RC default maildir storage goes into user's home directories which solves 
RC this issue.

Well, I'll be using Cyrus IMAPd.  Doesn't use Maildir, but does create separate
folders per user.  Thus, the spool is really not going to hold data much.
However long it takes to rip data off incoming (using postfix) and send it out,
or however long to hand it off to lmtpd and let cyrus deliver it.

RC If you have two partitions on the same physical media (in this case a
RC RAID-10) then expect to lose performance.  If you make it all one large 
RC partition then the file system drivers can optimise things more.

Oh.  Guess I didn't quite understand how disk I/O functioned.  I figured
something like /var, which will have a lot of synchronous writes, would get
better performance outside of / or /home.

RC I recommend having a separate /home to limit the things that can go
RC wrong.  I recommend leaving /var on the root file system unless you need 
RC a lot of space in /var.

Just from a performance point of view or for other reasons?

RC Also consider a separate file system for 
RC /var/tmp and make /tmp a symlink to /var/tmp/tmp.

Once again . . . just for stability?  security?

 drives have come a long way, and with a RAID 10, would I be safe in
 doing this?  Or should I just have a couple gig / and the rest for
 /home?

RC RAID has no relevance to the issue of partitioning in this sense.

Well, my point here was, with the RAID 10, I already have a pretty good amount
of reliability, as if one drive fails, the system can still function.  And with
disks that are pretty reliable to begin with, I wasn't sure if the combination
of all these would merit just one large / fs.

Thanks again.

-- 
 Kevin






Re[6]: disk partition schemes

2001-06-22 Thread Kevin J. Menard, Jr.

Hey Russell,


Friday, June 22, 2001, 7:22:41 PM, you wrote:

 I was thinking the other way around actually.  If /boot were to get
 messed up, it wouldn't affect /.

I guess I'm off here.  By getting messed up, I mean more by say a
sudden jolt in the power supply (of course, I do have a line
conditioning UPS) and mess up the partition table or something.

RC OK.  So you want Cyrus storage on the file system used for user data.

That's the idea.  Let's see if I can get it to work :-P

RC IFF you have separate physical hardware for the different file systems
RC that will be true.  However you only have one physical device (the RAID 
RC device) so this will not be a benefit.

Ahh, ok.  Thanks for correcting me here.

RC Having /home and /tmp on separate devices to / gives some security
RC benefits by limiting the ability to produce hard links.  Hard linking 
RC /etc/passwd or /etc/shadow to a name under /tmp or the user's home 
RC directory has been step 1 of a number of security attacks...

I didn't realize hard links couldn't cross partition boundaries.  I
tend to just use symlinks anyway.

RC Having /tmp and /home on separate devices to the root FS limits the 
RC ability of hostile users to perform such attacks.

So I see.

 RC Also consider a separate file system for
 RC /var/tmp and make /tmp a sym-linke to /var/tmp/tmp .

 Once again . . . just for stability?  security?

RC Security as described above and stability regarding issues of lack of 
RC space and/or Inodes.

Ok.

RC How will one partition or two partitions affect reliability?  Disk
RC failures tend to be boolean things, if a disk starts dying then all data 
RC seems to rapidly disappear from it.  So if you don't have RAID then 
RC having separate partitions is unlikely to save you.

Once again, I guess I was thinking messed up partition tables or
something.  Perhaps my logic was flawed.


-- 
 Kevin
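
The point Russell makes above (a hard link cannot cross a filesystem
boundary, so a separate /tmp and /home take the /etc/passwd hard-link
trick off the table) is easy to verify on a running box.  The script
below is an added example, not code from the thread: it reports which
world-writable directories share a filesystem with the classic targets,
tries a hard link to see the kernel's actual answer, and reads the
fs.protected_hardlinks sysctl, a Linux 3.6+ mitigation that did not exist
in 2001.  The path lists are assumptions for a typical layout; the demo
helper builds its own temporary directory so it runs anywhere.

```python
"""Added example (not from the thread): check whether world-writable
directories share a filesystem with the files an attacker would want to
hard-link, and show that hard links cannot cross a filesystem boundary.
DEFAULT_WRITABLE and DEFAULT_TARGETS are assumptions; adjust for your box.
"""
import os
import tempfile

# Directories any local user can write to, and the files named in the
# thread as hard-link targets.  Both lists are assumptions.
DEFAULT_WRITABLE = ("/tmp", "/var/tmp", "/home")
DEFAULT_TARGETS = ("/etc/passwd", "/etc/shadow")


def fs_id(path):
    """Return the device number identifying the filesystem holding path."""
    return os.stat(path).st_dev


def shares_filesystem(a, b):
    """True if a and b live on the same filesystem (so ln can link them)."""
    return fs_id(a) == fs_id(b)


def hardlink_possible(src, dst_dir):
    """Try to create a hard link to src inside dst_dir.

    Returns (True, 0) if the link was created (it is removed again), or
    (False, errno) otherwise.  EXDEV means 'different filesystem'; EPERM
    is what fs.protected_hardlinks returns when a non-owner tries to link
    a file it cannot write to.
    """
    fd, name = tempfile.mkstemp(dir=dst_dir, prefix=".lnk-")
    os.close(fd)
    os.unlink(name)  # we only wanted a free name inside dst_dir
    try:
        os.link(src, name)
    except OSError as exc:
        return False, exc.errno
    os.unlink(name)
    return True, 0


def protected_hardlinks_enabled():
    """Report the kernel's fs.protected_hardlinks sysctl, or None if absent."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def audit(writable=DEFAULT_WRITABLE, targets=DEFAULT_TARGETS):
    """Map each existing writable directory to the targets it shares a
    filesystem with.  An empty list means a user confined to that
    directory cannot hard-link any target, whatever the permissions."""
    report = {}
    for d in writable:
        if not os.path.isdir(d):
            continue
        report[d] = [t for t in targets
                     if os.path.exists(t) and shares_filesystem(d, t)]
    return report


def demo_same_filesystem():
    """Constructed demo: a file and a link target in one temp directory,
    i.e. the case where the hard link succeeds."""
    d = tempfile.mkdtemp(prefix="hl-demo-")
    target = os.path.join(d, "target")
    open(target, "w").close()
    result = {
        "same_fs": shares_filesystem(target, d),
        "link": hardlink_possible(target, d),
        "audit": audit((d,), (target,)),
    }
    os.unlink(target)
    os.rmdir(d)
    return result


if __name__ == "__main__":
    for d, exposed in audit().items():
        print(d, "shares fs with " + ", ".join(exposed) if exposed
              else "separate filesystem")
    print("fs.protected_hardlinks:", protected_hardlinks_enabled())
```

Run it as root or any user; only audit() needs the real paths.  On a
one-big-root layout every directory reports the targets, on Russell's
layout /tmp and /home report nothing.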






Re[2]: disk partition schemes

2001-06-22 Thread Kevin J. Menard, Jr.
Hey Russell,


Friday, June 22, 2001, 9:17:12 AM, you wrote:

RC On Friday 15 June 2001 16:13, Kevin J. Menard, Jr. wrote:
 This system would be used mostly for web-hosting, so I was figuring
 a large /home partition.  Likewise only one or two kernels max, so I
 figured a small /boot.  And finally, and this is really where I'm

RC Why do you need a separate partition for /boot?  Why not just have it in 
RC the root fs?

Dunno.  Figured for disk failure or something.

RC Problems with booting from partitions larger than 2G were solved ages ago, your root 
RC file system should fit into 8G (although even that limit doesn't apply if 
RC your BIOS is new enough).

Yeap, I don't have this limitation.

 looking for help, it will be used as an IMAP/SMTP machine.  So, should
 I create a separate /var partition?  I'm hesitant because I don't want
 to a) not create a large enough partition, or b) create too large of

RC I suggest having your email stored on the same file system as /home.  
RC Then you have all of your customer data on the same file system for easy 
RC backup.  Also it saves juggling space.

Would a symlink from /var to /home/var be sufficient?

 one and waste space.  Do the performance gains outweigh this?  (I'm not
 terribly worried about the redundancy with the RAID 10 and all).

RC What performance gains are you referring to?

Any that might occur from having separate partitions.

So, if you recommend /boot be with / and /var with /home, why not just have /
and everything in there?  Is this reliable enough?  Today's hard drives have
come a long way, and with a RAID 10, would I be safe in doing this?  Or should I
just have a couple gig / and the rest for /home?

Thanks.

-- 
 Kevin




SASL + MD5

2001-06-20 Thread Kevin J. Menard, Jr.

Hey guys,

Ok.  This is driving me nuts.  I created a new deb for the latest Postfix
snapshot, with SASL support.  No matter how hard I try (download non-us
source, fooled around with debian/rules file, etc. etc.), I cannot get
CRAM-MD5 or DIGEST-MD5 to show up in the list of available methods when I
telnet and issue an EHLO.  Anyone have this working?  And please share if you
do :)

-- 
 Kevin
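
Two things a practitioner would want next to this post: a way to read the
EHLO reply mechanically instead of eyeballing a telnet session, and a
reference implementation of the CRAM-MD5 exchange to know what a working
server must be able to compute.  The block below is an added example, not
code from the thread or from Postfix; the EHLO transcript is constructed
to show the symptom Kevin describes (only PLAIN and LOGIN advertised), and
the CRAM-MD5 test vector is the one printed in RFC 2195.  Caveat for
today's reader: CRAM-MD5 and DIGEST-MD5 require the server to keep a
password-equivalent secret and are considered obsolete (DIGEST-MD5 was
moved to Historic by RFC 6331); PLAIN over TLS is the usual choice now.

```python
"""Added example (not from the thread): parse an EHLO reply for the
advertised SASL mechanisms and compute/verify a CRAM-MD5 response per
RFC 2195.  EHLO_REPLY is constructed; the RFC2195_* values are the RFC's
own example.
"""
import base64
import hashlib
import hmac

# Constructed EHLO reply from a build that advertises only PLAIN and
# LOGIN, i.e. the symptom in the post.
EHLO_REPLY = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
"""


def auth_mechanisms(ehlo_reply):
    """Return the SASL mechanisms advertised in an EHLO reply, sorted.

    Both the standard 'AUTH ' keyword and the legacy 'AUTH=' form (kept
    for old Outlook/Netscape clients) are parsed and merged, so a missing
    CRAM-MD5 is spotted whichever line a client happens to read.
    """
    found = set()
    for line in ehlo_reply.splitlines():
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        upper = body.upper()
        if upper.startswith("AUTH=") or upper.startswith("AUTH "):
            found.update(body[5:].split())
    return sorted(m.upper() for m in found)


def cram_md5_response(username, password, challenge_b64):
    """Client side: base64('<user> ' + hex(HMAC-MD5(password, challenge))).

    The server must hold the cleartext password (or the HMAC's keyed
    intermediate state) to check this, which is why CRAM-MD5 cannot work
    against a store that only keeps salted one-way hashes.
    """
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(stored_password, username, challenge_b64, response_b64):
    """Server side: recompute the expected reply and compare in constant time."""
    expected = cram_md5_response(username, stored_password, challenge_b64)
    return hmac.compare_digest(expected, response_b64)


# RFC 2195 section 2 example: user 'tim', password 'tanstaaftanstaaf'.
RFC2195_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC2195_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"

if __name__ == "__main__":
    mechs = auth_mechanisms(EHLO_REPLY)
    print("advertised:", mechs, "| CRAM-MD5 present:", "CRAM-MD5" in mechs)
    print("RFC 2195 vector ok:",
          cram_md5_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE)
          == RFC2195_RESPONSE)
```

To use it against a live server, paste the lines the server returns after
EHLO into auth_mechanisms(); if CRAM-MD5 is absent from both the AUTH and
AUTH= lines, the SASL library behind Postfix is not offering it.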






Re: off site assistance

2001-06-20 Thread Kevin J. Menard, Jr.
Hey Allen,


Wednesday, June 20, 2001, 8:27:53 AM, you wrote:

AA I need at least 640x480 but would like 1024x768 resolution and 30fps.
AA 4 or 5 fps would do really for this application.
AA remember this has to be usable for only one screen but that screen gets
AA connected to many systems during its lifetime.


VNC might do what you need.

-- 
 Kevin




disk partition schemes

2001-06-15 Thread Kevin J. Menard, Jr.

Hey guys (and gals),

I'm redoing a machine of mine.  Was a Mandrake system, but now it's going to
be a debian one ;)

Basically, I have 20 gigs of space to tinker with (well, there's really 40
there, but I run a hardware RAID 10).  I also have half a gig of SDRAM (sure
this would matter with swap space).  Now, I have no problem running fdisk or
anything, but I wanted to get a feel for what people are doing for various
types of systems.

This system would be used mostly for web-hosting, so I was figuring a large
/home partition.  Likewise only one or two kernels max, so I figured a
small /boot.  And finally, and this is really where I'm looking for help, it
will be used as an IMAP/SMTP machine.  So, should I create a separate /var
partition?  I'm hesitant because I don't want to a) not create a large
enough partition, or b) create too large of one and waste space.  Do the
performance gains outweigh this?  (I'm not terribly worried about the
redundancy with the RAID 10 and all).

I'd really be interested in what you guys think.  TIA.

-- 
Thanks,
 Kevin






Re[4]: Virtual Domains LDAP

2001-06-13 Thread Kevin J. Menard, Jr.

Hey Russell,


Wednesday, June 13, 2001, 8:21:36 AM, you wrote:

RC Firstly I've replied to this with the list CC'd as I think that other 
RC people are likely to benefit from the answers and it seems that there is 
RC nothing secret being discussed.  I hope you don't mind.

No problem.  I was just trying to cut down on the list traffic.

RC The OpenLDAP server uses some sort of hash, it uses the GNU DBM library or
RC equivalent libraries for indexing each attribute separately.

Nifty.

RC Other LDAP servers may do things differently, but most LDAP servers have 
RC taken code from the University of Michigan LDAP server (which is what 
RC OpenLDAP was based on).

That's okay.  I really only care about how OpenLDAP works ;)

RC @ sign has no inherent problems, but some software might not like it.

This does work with ProFTPd.  I tried it out.  I have still yet to try it out
with either Cyrus IMAPd or Postfix.

RC Proftpd will do a search of attribute=$1 where $1 is what the user enters
RC at the Name: prompt.  Then it will read the userPassword attribute  of that
RC entry or bind as that DN depending on how it's configured.

I see this now.  Is one method better than the other?  The ProFTPd docs say that
by binding as the user, different encryption methods could be supported (not a
big deal since I just use SSHA per RFC 2307).  But is this manner more secure
than binding as the LDAP manager to get the userPassword attribute?

 RC Searching for uid=user_company.com with a search base of
 RC ou=company.com, o=my_org requires searching through two indexes
 RC which isn't as fast.  But if the uid attribute has a unique value
 RC (which it will have if it is the user-name concatenated with the
 RC company name) then you can just search by the attribute value.

 Ok.  This is where I lose you, unless you meant uid=user.  And then to

RC No.  I mean making the UID include the company.  So within the 
RC company.com domain we have an account named user.  This is the only 
RC way to do it with proftpd!

Ok.  Sorry for my density.  Usually the simplest of things are the hardest for
me to understand :-P  So what is the account named: user or
user_company.com?  And what are these two search indexes? What performance
loss would I suffer by setting my search base to just o=my_org rather than
ou=company.com, o=my_org?

 search within the base of ou=company.com, o=my_org.  Because with the
 uid=user_company.com, I'm still searching on a single attribute.  I
 would think if anything, it would be quicker, because I would already
 be searching within the correct ou.  If you could elaborate a little
 more, I would be most gracious. Likewise, I don't have a great
 understanding of how index eq and index pres, and what have you works. 
 I realize it's pretty LDAP distrib specific, but I don't see much
 documentation for OpenLDAP in this regards.

 Btw, sorry you got the cross-post.  I've scoured the archives for
 debian-isp. Has the debian schema files been produced yet?  I was
 looking at using the allowedService attribute you drafted up quickly,
 to give users access to different services (duh?).

RC I've produced a few drafts but so far no-one has responded to my requests 
RC for comments on them.  So we are all waiting for some input from people 
RC who know about LDAP and schema...

Any chance you could post them here if you haven't done so already?  If so, I'll
just go search the posts.

 Also, do you use proftpd by chance?  I would like to do virt hosting,

RC Yes.  One of my clients recently paid for enhancements to Proftpd for 
RC better support of this.

I realize you won't be able to share this work, but what sort of enhancements?
And how do you manage uids and gids?

 but I don't feel like killing the IP pool :-P  I suppose a
 user_company.com system would work, but that'd be unnatural to users,

RC Why?  I've worked for two ISPs doing bulk commercial hosting with that 
RC scheme and no problems...

I would just think that people would like to remove the trailing _company.com,
and just have user names, with the namespace inferred.  I know you don't use the
'@' in an email address like system I proposed, but which would you see being
better?  With my method, the user only has to use his email address and password
for auth, which I think would be nice, but I don't know if that would become too
ambiguous with mail attributes.

 whereas an email address like naming scheme wouldn't be too bad.  But

RC Not sure if an @ sign will be accepted by proftpd.  Never tried it.

It worked for me, in case anyone else was wondering.

 realistically, should I just follow in the steps of ISPMan, and allow
 ftp access to one user per domain?

RC No, that sucks.

That's what I was thinking :-P

Thanks a lot for all the info.

-- 
 Kevin
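
Kevin's question (bind as the user, or bind as the manager and read
userPassword?) is answered in the follow-ups, and the {SSHA} scheme from
RFC 2307 he mentions is what makes the difference concrete.  The block
below is an added example, not code from the thread, ProFTPd or OpenLDAP:
it generates and verifies RFC 2307 {SSHA} values, models the two
verification paths against a constructed in-memory directory, and shows
what a manager password recovered from proftpd.conf buys an attacker
(every hash, guessable offline with no bind attempt ever logged).  The
entries, passwords and MANAGER_PASSWORD are constructed.  Caveat for
today: SSHA is salted SHA-1; a deliberately slow password hash is
preferred for new deployments.

```python
"""Added example (not from the thread): RFC 2307 '{SSHA}' userPassword
generation and verification, plus a model of bind-as-user versus
read-with-manager authentication.  DIRECTORY and MANAGER_PASSWORD are
constructed demo data.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return an RFC 2307 '{SSHA}' value: base64(SHA1(password+salt)+salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, candidate):
    """Check candidate against a '{SSHA}' value in constant time.

    Only the salted scheme is accepted; '{SHA}', '{CRYPT}' or cleartext
    values return False so a weak entry is noticed rather than accepted.
    """
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


# Constructed entries in the uid=user@domain,ou=domain,o=isp layout from
# the thread.  Passwords are deliberately weak for the offline demo.
DIRECTORY = {
    "uid=kevin@example.org,ou=example.org,o=isp": ssha_hash("letmein"),
    "uid=alice@example.net,ou=example.net,o=isp": ssha_hash("correct horse"),
}
MANAGER_PASSWORD = "manager-secret-from-proftpd.conf"  # constructed


def bind(dn, password):
    """'Bind as the user': the directory answers yes/no; the FTP daemon
    never needs read access to userPassword and never sees a hash."""
    stored = DIRECTORY.get(dn)
    return stored is not None and ssha_verify(stored, password)


def read_userpassword_as_manager(manager_password, dn):
    """'Read userPassword with the manager DN': the daemon, or anyone who
    recovered the manager password from its config, gets the hash back."""
    if not hmac.compare_digest(manager_password, MANAGER_PASSWORD):
        raise PermissionError("manager bind failed")
    return DIRECTORY.get(dn)


def offline_guess(stored, wordlist):
    """What a leaked hash allows: unlimited, unlogged guessing offline."""
    for word in wordlist:
        if ssha_verify(stored, word):
            return word
    return None


if __name__ == "__main__":
    dn = "uid=kevin@example.org,ou=example.org,o=isp"
    print("bind ok:", bind(dn, "letmein"), "| bind bad:", bind(dn, "nope"))
    leaked = read_userpassword_as_manager(MANAGER_PASSWORD, dn)
    print("manager read:", leaked)
    print("offline guess:", offline_guess(leaked, ["password", "letmein"]))
```

The two server-side functions do the same SHA-1 work; the difference is
who holds what afterwards.  With bind(), a compromised proftpd.conf yields
nothing reusable; with the manager read, it yields the whole password
table.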






Re[8]: Virtual Domains LDAP

2001-06-13 Thread Kevin J. Menard, Jr.

Hey Russell,


Wednesday, June 13, 2001, 4:05:22 PM, you wrote:

 Well, even if you have the user himself bind, you would need an entry
 with sufficient enough permissions to access any other entry. Are you
 proposing adding another entry, like a lesser LDAP Admin, that simply
 doesn't have access to the userPassword attribute of other entries?

RC I am not sure what you are saying here.

Well, if I understood you correctly, you said that having the LDAP manager
retrieve the userPassword attribute, rather than having the user bind himself,
was a security issue because if someone were to recover the proftpd.conf file,
they would have the password of the LDAP manager.  But even if the user binds
himself, won't the LDAP manager need to be specified in LDAPDNInfo?

RC I believe that the usual procedure is to allow a user to have write 
RC access to their own userPassword attribute and to have anonymous have 
RC auth access.  auth means that anyone who has the password can bind as 
RC any entry.  If the user supplies a password that allows binding to the 
RC entry indicated by their user-name then they are authenticated.

RC The server MAY need privs to search the directory to find the DN, but 
RC even that may not be necessary depending on the application.

Ok.  Maybe I'm incorrect in my previous assertion of needing LDAPDNInfo.

RC Consider the case of users having the DN
RC uid=USER@COMPANY,ou=COMPANY,o=ISP where ISP is the name of the ISP,
RC COMPANY is wpi.edu, coker.com.au, debian.org or whatever the 
RC domain name is, and USER is the user name.  If I logged on as 
RC [EMAIL PROTECTED] then the server could know that it should try 
RC binding as [EMAIL PROTECTED],ou=coker.com.au,o=isp and therefore 
RC the server wouldn't even need search access!

How would it know the ou=coker.com, o=isp?  Is that info filled in after the
uid is found and the dn retrieved?

 RC If the ProFTPd server binds to the directory then it needs no
 RC special LDAP access, however it has to send the password to the
 RC server and this may be intercepted (I believe that the way it's
 RC setup in the standard Debian packages has it all in clear-text
 RC always).  This can also be considered a security problem.  :(

 Well, wouldn't the password have to be sent over in clear text anyway? 
 That's the nature of FTP without an SSL tunnel.  The FTP-to-LDAP
 connection is on a localhost anyway.  I wonder if you could configure
 it to use SSL LDAP.  Probably

RC Proftpd has code to allow SSL LDAP, but it is not enabled in the Debian 
RC package because of license issues.  You should be able to change a single 
RC line in a header file and recompile to get it.

What sort of license issues?  The whole strong encryption exportation thing?

RC As for FTP SSL, this can be done, there are already ftpd-ssl and ftp-ssl 
RC packages in Debian.  I don't think that proftpd supports that (yet).

I don't think so either, but couldn't proftpd be sent over stunnel or something?

 RC It should not make any noticeable difference where you put your
 RC search base.  However I have not done any performance testing.  It
 RC may make a small difference but certainly won't make a large
 RC difference.

 I would imagine this would make a difference with a search scope of one
 level or something though :-P

RC Last time I looked at the OpenLDAP setup in detail regarding this issue 
RC (which was some time ago) it seemed to have a database of objects to 
RC sub-objects which would make one-level searches quite fast.  I have 
RC checked now on my 2.0.11 OpenLDAP installation and it's not there.  I had 
RC not intentionally turned that off so I'm not sure what's happened.

Hmm . . .

 RC The work is supposed to have gone into Debian and be shared to save
 RC having the work of independently maintaining it.  It appears not to
 RC have gone into Debian yet though.

RC Incidentally I recommend writing a policy document specifying the above 
RC whenever you do a Linux installation at a corporate site.  It's easy to 
RC get staff or consultants to produce custom versions of Debian packages, 
RC but having the skills to keep updating them with every version is beyond 
RC most corporate sites.  Things such as minor security enhancements to a 
RC FTP server offer no significant competitive advantage and are best 
RC published so that new versions can just be installed by APT.

Agreed.  But would the more proper avenue be to submit security enhancements to
the proper software maintainer (in this case, the proftpd team), and see if
they'll implement it?

 RC But just specifying the user name and having the domain inferred is
 RC a bad idea as you can't have two users with the same account name
 RC in different domains.  [EMAIL PROTECTED] has to be different from
 RC [EMAIL PROTECTED]!

 Well, I was figuring all look ups would have to search for uid=user and
 domain=company.com.  But two searches would probably be slower anyway.

RC Two searches would probably be slower and would 

Re[6]: Virtual Domains LDAP

2001-06-13 Thread Kevin J. Menard, Jr.
Hey Russell,


Wednesday, June 13, 2001, 12:24:42 PM, you wrote:


RC OK, let us know how it goes.

Will do.

RC The REAL difference is that if the ProFTPd server can read the userPassword
RC attribute then anyone who can get access to that  configuration for the
RC server has access to all the passwords.  This can  be considered a security
RC problem.

Well, even if you have the user himself bind, you would need an entry with
sufficient enough permissions to access any other entry. Are you proposing
adding another entry, like a lesser LDAP Admin, that simply doesn't have access
to the userPassword attribute of other entries?

RC If the ProFTPd server binds to the directory then it needs no special 
RC LDAP access, however it has to send the password to the server and this 
RC may be intercepted (I believe that the way it's setup in the standard 
RC Debian packages has it all in clear-text always).  This can also be 
RC considered a security problem.  :(

Well, wouldn't the password have to be sent over in clear text anyway?  That's
the nature of FTP without an SSL tunnel.  The FTP-to-LDAP connection is on a
localhost anyway.  I wonder if you could configure it to use SSL LDAP.  Probably
:)

RC It should not make any noticeable difference where you put your search 
RC base.  However I have not done any performance testing.  It may make a 
RC small difference but certainly won't make a large difference.

I would imagine this would make a difference with a search scope of one level or
something though :-P

RC I suggest giving the user the DN of uid=user_company.com, 
RC ou=company.com, o=my_org and the uid attribute will have the value of 
RC user_company.com.

Ok.  Glad we're on the same page ;)

RC I'll send my latest work here again soon.

Great.  I can't wait.

RC The work is supposed to have gone into Debian and be shared to save having
RC the work of independently maintaining it.  It appears not to have gone into
RC Debian yet though.

RC It is to use LDAP settings to specify which IP addresses are permissible 
RC as source addresses per user.  So if you know the IP address of a user 
RC you can prevent access from other IP addresses.

That could be useful ;)

RC Email address should be fine.

Great.  Like I said, I'll have to see how Cyrus IMAP and Postfix like it :-p

RC But just specifying the user name and having the domain inferred is a bad 
RC idea as you can't have two users with the same account name in different 
RC domains.  [EMAIL PROTECTED] has to be different from [EMAIL PROTECTED]

Well, I was figuring all look ups would have to search for uid=user and
domain=company.com.  But two searches would probably be slower anyway.

Thanks again for the help/info.

-- 
 Kevin
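
Two messages in this thread describe the naming scheme in detail: the
Re[8] reply gives the DN layout uid=USER@COMPANY,ou=COMPANY,o=ISP that
lets the server bind directly without a search, and the Re[6] reply above
settles on a composite uid value and raises the question of searching on
uid plus a domain attribute.  The block below is an added example that
serves both, not code from the thread or from ProFTPd: it derives the bind
DN and the search filters from an email-style login, with RFC 4514 (DN)
and RFC 4515 (filter) escaping so a crafted login such as
"kev,in@example.org" or "k*@example.org" cannot rewrite the DN or widen
the filter.  ORG, ALLOWED_DOMAINS and the "domain" attribute used by the
two-attribute filter are assumptions.

```python
"""Added example (not from the thread): bind DN and search filter
derivation for user@domain logins under uid=USER@DOMAIN,ou=DOMAIN,o=ORG,
with RFC 4514 / RFC 4515 escaping.  ORG and ALLOWED_DOMAINS are assumed.
"""
import re

ORG = "isp"                                        # assumed o= value
ALLOWED_DOMAINS = {"example.org", "example.net"}   # assumed hosted domains

_DN_SPECIAL = ',+"\\<>;='
_LOGIN_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+$")


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) \
                or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def split_login(login):
    """Return (user, domain) for a valid 'user@domain' login, else None.

    The domain must be one we host; rejecting unknown domains keeps a
    login from steering the bind into an arbitrary ou= branch.
    """
    if not _LOGIN_RE.match(login):
        return None
    user, domain = login.rsplit("@", 1)
    domain = domain.lower()
    if domain not in ALLOWED_DOMAINS:
        return None
    return user, domain


def bind_dn(login, org=ORG):
    """DN to bind as, computed from the login with no directory search
    (the Re[8] scheme).  Returns None for an invalid login."""
    parts = split_login(login)
    if parts is None:
        return None
    user, domain = parts
    return "uid=%s,ou=%s,o=%s" % (escape_dn_value("%s@%s" % (user, domain)),
                                  escape_dn_value(domain),
                                  escape_dn_value(org))


def search_filter(login):
    """Single-attribute search on the composite uid (the Re[6] scheme)."""
    parts = split_login(login)
    if parts is None:
        return None
    user, domain = parts
    return "(uid=%s)" % escape_filter_value("%s@%s" % (user, domain))


def search_filter_two_attributes(login):
    """Kevin's uid-plus-domain lookup as one AND filter, i.e. a single
    search rather than two; 'domain' is an assumed attribute name."""
    parts = split_login(login)
    if parts is None:
        return None
    user, domain = parts
    return "(&(uid=%s)(domain=%s))" % (escape_filter_value(user),
                                      escape_filter_value(domain))


if __name__ == "__main__":
    for login in ("kevin@example.org", "kev,in@example.org",
                  "k*@example.org", "kevin@evil.com"):
        print(login, "->", bind_dn(login), search_filter(login))
```

With bind_dn() the FTP daemon needs no search privilege at all; with the
filters it needs read access to uid (and domain) only, never to
userPassword.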




Re[8]: Virtual Domains LDAP

2001-06-13 Thread Kevin J. Menard, Jr.
Hey Russell,


Wednesday, June 13, 2001, 4:05:22 PM, you wrote:

 Well, even if you have the user himself bind, you would need an entry
 with sufficient enough permissions to access any other entry. Are you
 proposing adding another entry, like a lesser LDAP Admin, that simply
 doesn't have access to the userPassword attribute of other entries?

RC I am not sure what you are saying here.

Well, if I understood you correctly, you said that having the LDAP manager
retrieve the userPassword attribute, rather than having the user bind himself,
was a security issue because if someone were to recover the proftpd.conf file,
they would have the password of the LDAP manager.  But even if the user binds
himself, won't the LDAP manager need to be specified in LDAPDNInfo?

RC I believe that the usual procedure is to allow a user to have write 
RC access to their own userPassword attribute and to have anonymous have 
RC auth access.  auth means that anyone who has the password can bind as 
RC any entry.  If the user supplies a password that allows binding to the 
RC entry indicated by their user-name then they are authenticated.

RC The server MAY need privs to search the directory to find the DN, but 
RC even that may not be necessary depending on the application.

Ok.  Maybe I'm incorrect in my previous assertion of needing LDAPDNInfo.

RC Consider the case of users having the DN
RC [EMAIL PROTECTED],ou=COMPANY,o=ISP where ISP is the name of the ISP,
RC COMPANY is wpi.edu, coker.com.au, debian.org or whatever the 
RC domain name is, and USER is the user name.  If I logged on as 
RC [EMAIL PROTECTED] then the server could know that it should try 
RC binding as [EMAIL PROTECTED],ou=coker.com.au,o=isp and therefore 
RC the server wouldn't even need search access!

How would it know the ou=coker.com, o=isp?  Is that info filled in after the
uid is found and the dn retrieved?

 RC If the ProFTPd server binds to the directory then it needs no special
 RC LDAP access, however it has to send the password to the server and this
 RC may be intercepted (I believe that the way it's set up in the standard
 RC Debian packages has it all in clear-text always).  This can also be
 RC considered a security problem.  :(

 Well, wouldn't the password have to be sent over in clear text anyway? 
 That's the nature of FTP without an SSL tunnel.  The FTP - LDAP
 connection is on a localhost anyway.  I wonder if you could configure
 it to use SSL LDAP.  Probably

RC Proftpd has code to allow SSL LDAP, but it is not enabled in the Debian 
RC package because of license issues.  You should be able to change a single 
RC line in a header file and recompile to get it.

What sort of license issues?  The whole strong encryption exportation thing?

RC As for FTP SSL, this can be done, there are already ftpd-ssl and ftp-ssl 
RC packages in Debian.  I don't think that proftpd supports that (yet).

I don't think so either, but couldn't proftpd be sent over stunnel or something?

 RC It should not make any noticeable difference where you put your search
 RC base.  However I have not done any performance testing.  It may make a
 RC small difference but certainly won't make a large difference.

 I would imagine this would make a difference with a search scope of one
 level or something though :-P

RC Last time I looked at the OpenLDAP setup in detail regarding this issue 
RC (which was some time ago) it seemed to have a database of objects to 
RC sub-objects which would make one-level searches quite fast.  I have 
RC checked now on my 2.0.11 OpenLDAP installation and it's not there.  I had 
RC not intentionally turned that off so I'm not sure what's happened.

Hmm . . .

 RC The work is supposed to have gone into Debian and be shared to save having
 RC the work of independently maintaining it.  It appears not to have gone into
 RC Debian yet though.

RC Incidentally I recommend writing a policy document specifying the above 
RC whenever you do a Linux installation at a corporate site.  It's easy to 
RC get staff or consultants to produce custom versions of Debian packages, 
RC but having the skills to keep updating them with every version is beyond 
RC most corporate sites.  Things such as minor security enhancements to a 
RC FTP server offer no significant competitive advantage and are best 
RC published so that new versions can just be installed by APT.

Agreed.  But would the more proper avenue be to submit security enhancements to
the proper software maintainer (in this case, the proftpd team), and see if
they'll implement it?

 RC But just specifying the user name and having the domain inferred is a bad
 RC idea as you can't have two users with the same account name in different
 RC domains.  [EMAIL PROTECTED] has to be different from [EMAIL PROTECTED]

 Well, I was figuring all lookups would have to search for uid=user and
 domain=company.com.  But two searches would probably be slower anyway.

RC Two searches would probably be slower and would 

Re[2]: CGI Errors

2001-06-12 Thread Kevin J. Menard, Jr.
Hey Marcel,

print "Content-Type: text/html\n\n";

is the one you want.

-- 
 Kevin




Virtual Domains LDAP

2001-06-08 Thread Kevin J. Menard, Jr.
Hey guys,

I'm fairly new to the LDAP game. I've read the list archives a bit, and
found a lot of good info. One thing that is still eluding me is the
directory structure itself.

I am trying to set up LDAP as my backend for several services: SMTP
(Postfix), IMAP/POP (Cyrus + pw_check patch), FTP (ProFTPd + mod_ldap), and
HTTP (Apache + PHP + LDAP + mod_auth_ldap).  I obviously would like to host
more than one domain <g>.  (I know this could be accomplished with ISPMan,
but I'm trying to learn how to use the technology itself).

What would be the best structure for this?

I was thinking something like:

o = my_organization -- domain1
                    -- domain2
                    -- domainN
                    -- Admins -- LDAP Admin
                    -- Users

I figured lumping all the users together would make it easier for searches,
since there would only be one base.

However, I was also thinking of something like this:

o = my_organization -- domain1 -- Users
                    -- domain2 -- Users
                    -- domainN -- Users
                    -- Admins -- LDAP Admin

With this system, I figured each domain could be within its own namespace,
and I like this approach better, due to the more natural organization of
things.  However, being split up like that, I would think searches would be
agonizingly slow.

Anyone out there do something similar?  Please share any insight
(structures, sample LDIF, config files, etc.)  Thanks a lot.

-- 
 Kevin
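An added example, not code from this thread, that models the two layouts asked about here and the per-domain DN scheme Russell proposed in the Re[8] reply (uid=USER@COMPANY,ou=COMPANY,o=ISP): with that scheme a service can build the bind DN straight from the login and bind as the user, so no manager password or search privilege is needed, whereas a flat uid-only tree cannot hold the same account name in two domains. The entries, the user "bob", and the flat base ou=Users,o=my_org are constructed sample data.

```python
# Added example (not from the thread). Two in-memory directory layouts,
# constructed as sample data, illustrate the structural question above.
from typing import Dict, List, Optional

# Flat layout (first diagram): all users under one base, uid only.
FLAT: Dict[str, dict] = {
    "uid=bob,ou=Users,o=my_org": {"uid": "bob", "mail": "bob@wpi.edu"},
    # a second "bob" from another domain would need the same RDN: collision
}

# Per-domain layout, as RC proposed: uid=USER@COMPANY,ou=COMPANY,o=ISP
PER_DOMAIN: Dict[str, dict] = {
    "uid=bob@wpi.edu,ou=wpi.edu,o=isp": {"uid": "bob@wpi.edu"},
    "uid=bob@coker.com.au,ou=coker.com.au,o=isp": {"uid": "bob@coker.com.au"},
}


def flat_dn(login: str) -> str:
    """Flat tree: the DN is built from the account name alone."""
    user = login.split("@", 1)[0]
    return f"uid={user},ou=Users,o=my_org"


def per_domain_dn(login: str) -> Optional[str]:
    """RC's scheme: derive the bind DN from user@domain, no search needed."""
    if "@" not in login:
        return None  # without a domain the user cannot be placed in the tree
    user, domain = login.split("@", 1)
    return f"uid={user}@{domain},ou={domain},o=isp"


def collides_in_flat(login_a: str, login_b: str) -> bool:
    """True when two different logins map to the same flat-tree DN."""
    return flat_dn(login_a) == flat_dn(login_b)


def one_level_search(tree: Dict[str, dict], base: str,
                     attr: str, value: str) -> List[str]:
    """Scope 'one': only entries exactly one RDN below base are visible.
    Sample DNs contain no escaped commas, so RDN depth is a comma count."""
    depth = base.count(",") + 1
    return [dn for dn, entry in tree.items()
            if dn.endswith("," + base) and dn.count(",") == depth
            and entry.get(attr) == value]


def can_bind_directly(tree: Dict[str, dict], login: str) -> bool:
    """The service needs no directory search if the derived DN exists."""
    dn = per_domain_dn(login)
    return dn is not None and dn in tree
```

Run stand-alone, can_bind_directly(PER_DOMAIN, "bob@coker.com.au") resolves without any search, while collides_in_flat shows why the uid-only tree cannot tell bob@wpi.edu from bob@coker.com.au.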