Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-29 Thread Andreas Hasenack
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/29/2010 10:59 AM, Javier Palacios wrote:
> Yes, the ACLs, because I'm not thinking on a single user with full
> privileges and many users without any privileges.
> 
> Let's say I would like the DNS admins to modify their entries, and the
> "user" administrator to create or modify user entries. That means
> giving any of them only partial privileges. If you use any kind of
> 'proxy' (as phpldapadmin) it must be aware of existing ACL and the
> most sensible way to accomplish that is to let the ldap server evaluate
> them, using direct identification against the ldap server.
> The phpldapadmin I remember (it might have evolved) has a single user
> and wasn't capable to do this.

True. So it's not that phpldapadmin "doesn't work" or "breaks" with
these ACLs, it's just that it bypasses them entirely. So we can say it
doesn't take advantage of them. It's a choice.

Maybe at some point it could work in such a way that it would use the
user's credentials to access the directory instead of the rootdn or some
other proxy user.

I wonder if sasl authorization could be more widely used and how it
could help. It was meant to be used by such proxy agents I believe.

- -- 
Andreas Hasenack
andr...@canonical.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvZlJUACgkQeEJZs/PdwpDa5wCfWcacFrHYeq4QScJDGaXUJtIa
kTUAn3rKr9blZnBIYUk6IK5ax1EfFN5u
=2ZWz
-END PGP SIGNATURE-

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam


Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-29 Thread Javier Palacios
On Thu, Apr 29, 2010 at 2:17 PM, Andreas Hasenack  wrote:
>>> - - basic ACLs to protect content that is not even there yet (like
>>> userPassword, krb5key, samba hashes, etc)
>>> - - basic ACLs to allow for group-delegated based administration
>>
>> The two points above probably discard using phpldapadmin (and most web
>
> The ACLs?
>
>> tools). I haven't looked for long, but it used a special user with
>> global privileges, so once you log in the web, you can do (nearly)
>> anything.
>
> They probably ask for the rootdn. In that case, just give them the DN of
> a user that is a member of the ldap admin group, it has the exact same
> effect.

Yes, the ACLs, because I'm not thinking on a single user with full
privileges and many users without any privileges.

Let's say I would like the DNS admins to modify their entries, and the
"user" administrator to create or modify user entries. That means
giving any of them only partial privileges. If you use any kind of
'proxy' (as phpldapadmin) it must be aware of existing ACL and the
most sensible way to accomplish that is to let the ldap server evaluate
them, using direct identification against the ldap server.
The phpldapadmin I remember (it might have evolved) has a single user
and wasn't capable to do this.

Javier Palacios



Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-29 Thread Nikolai K. Bochev

While we're at it, why not use/adopt the 389 Directory Server?
Isn't it better to get something that's been built to work as a complete
solution than to tie different independent projects to work together to
achieve the same thing? This, and that FreeIPA is getting better and better
(and it requires 389).
Just my thoughts.

- Original Message -
> > Lately I've been involved in creating OpenLDAP DIT for schools
> > running on Lucid and one thing that I've been wondering is whether
> > it would be
> > possible to define one standard structure for Ubuntu that all tools
> > would be configured to use by default. That wouldn't take away the
> > possibility of configuring everything differently, but all tools and
> > tutorials would follow this one model.
> >
> > Out of curiosity I checked what the defaults are in different
> > systems. If I got things written down correctly, the different
> > default structures
> > I could find were:
> >
> > Hardy slapd package init script and OpenDS:
> > * ou=People
> > * ou=Groups
> >
> > smbldap-tools: * ou=Users
> > * ou=Groups
> > * ou=Computers
> > * ou=Idmap
> >
> > openldap-dit and openldap-mandriva-dit are based on RFC2307bis:
> > * ou=People
> > * ou=Group
> > * ou=Hosts
> > * ou=System Accounts
> > * ou=System Groups
> > * ou=Kerberos Realms
> > * ou=Idmap
> > * ou=Address Book
> >
> > Fedora / FreeIPA uses something completely different:
> > * cn=users,cn=accounts
> > * cn=groups,cn=accounts
> > * cn=computers,cn=accounts
> > * cn=services,cn=accounts
> > * cn=account inactivation,cn=accounts
> > * cn=Kerberos
> >
> > Now different tools have different defaults and tutorials use
> > randomly some names that probably confuse many people.
> >
> > Having one standard DIT that is installed by default would help a
> > lot with external applications that are not packaged for Ubuntu. For
> > example Moodle that is used in schools can use LDAP, but it needs to
> > be configured properly. Writing a guide for that gets a lot easier
> > if standard structure is available.
> 
> 
> > As I wasn't aware of openldap-dit until recently, I've been working
> > on a script to initialise slapd w/ssl and mit kerberos. The idea is
> > that the script first checks which schemas and modules are installed
> > and then adds the missing schemas and modules and configures them.
> > It makes also
> > possible to dump current configuration and check for common problems
> > with ssl certificates and such. I try to get it uploaded somewhere
> > soon so that others can see if it'd be helpful.
> >
> > Automatically loading the schemas sounds good, but how to configure
> > overlays and ACLs for everything is something that would probably
> > need some other solution. E.g. we have some needs for ACLs that
> > probably don't make sense outside schools, but are needed for us as
> > we have
> > school districts, schools, superusers, school admins, teachers,
> > pupils, etc.
> >
> > Veli-Matti



Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-29 Thread Andreas Hasenack
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/29/2010 06:21 AM, Javier Palacios wrote:
>> I think the goal should be to get a starting point that helps newbies to
>> at least *see* something when they point an ldap client to the server,
>> and also allow more seasoned admins to build upon that tree.
>>
>> For me, that means:
>> - - we need a database configured (indexes, checkpoints, caches,
>> DB_CONFIG, etc)
>> - - we need a tree root
>> - - seems like ou=People and ou=Group are pretty common and we should also
>> have them at least
>> - - basic ACLs to protect content that is not even there yet (like
>> userPassword, krb5key, samba hashes, etc)
>> - - basic ACLs to allow for group-delegated based administration
> 
> The two points above probably discard using phpldapadmin (and most web

The ACLs?

> tools). I haven't looked for long, but it used a special user with
> global privileges, so once you log in the web, you can do (nearly)
> anything.

They probably ask for the rootdn. In that case, just give them the DN of
a user that is a member of the ldap admin group, it has the exact same
effect.

> I might add jxplorer as a possible client (hopefully it's still alive)

I think Apache Directory Studio is eating jxplorer's user base ;)

> To this list I would add policies and associated ACL about what can be
> changed by users (for example, select a different login shell).
> 
> Maybe you can have a look at
> http://kad.sourceforge.net/?action=slapd
> where many of those points are covered. In the source repository of
> the project, there are also some patches to be applied after
> installing the slapd package and before configuring it (patches built
> against debian etch, as far as I remember).
> Although the project is quite a bit abandoned, I'm more than glad to
> contribute, or even revive it if useful.

Thanks for the pointer, I'll take a look

- -- 
Andreas Hasenack
andr...@canonical.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvZePUACgkQeEJZs/PdwpCruQCeJ4fFuIp/RgyWfBVC3cUo9gNa
+hkAn36+n7MBSAgnnR7nEMNHtaCcBV0p
=DPlL
-END PGP SIGNATURE-



Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-29 Thread Javier Palacios
> I think the goal should be to get a starting point that helps newbies to
> at least *see* something when they point an ldap client to the server,
> and also allow more seasoned admins to build upon that tree.
>
> For me, that means:
> - - we need a database configured (indexes, checkpoints, caches,
> DB_CONFIG, etc)
> - - we need a tree root
> - - seems like ou=People and ou=Group are pretty common and we should also
> have them at least
> - - basic ACLs to protect content that is not even there yet (like
> userPassword, krb5key, samba hashes, etc)
> - - basic ACLs to allow for group-delegated based administration

The two points above probably discard using phpldapadmin (and most web
tools). I haven't looked for long, but it used a special user with
global privileges, so once you log in the web, you can do (nearly)
anything.
I might add jxplorer as a possible client (hopefully it's still alive)

> - - an admin group, with a member for whom we have a password. This member
> is what the user should use. This concept of administration group
> resonates quite nicely with the default ubuntu sudo setup.
>

To this list I would add policies and associated ACL about what can be
changed by users (for example, select a different login shell).

Maybe you can have a look at
http://kad.sourceforge.net/?action=slapd
where many of those points are covered. In the source repository of
the project, there are also some patches to be applied after
installing the slapd package and before configuring it (patches built
against debian etch, as far as I remember).
Although the project is quite a bit abandoned, I'm more than glad to
contribute, or even revive it if useful.

Javier Palacios



Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-29 Thread Javier Palacios
On Mon, Apr 26, 2010 at 4:08 PM, Adam Sommer  wrote:
>
> On Sat, Apr 24, 2010 at 9:24 AM, Veli-Matti Lintu
>  wrote:
>>
>> Are there plans regarding ldap/kerberos user management and
>> authentication? Launchpad has quite a few old blueprints around these, but I
>> haven't been able to find information about long term plans.
>>
>
> I would like to propose a blueprint for a base directory setup tool based on
> the OpenLDAP-DIT project: https://launchpad.net/openldap-dit.  The current
> branch adds schemas and objects for DNS, DHCP, etc and these may be more
> work than I have time for.

Although related, these are two different targets with two different
scopes and probably two different audiences and possible contributors.
One is services configuration, which need tight collaboration with
packagers and even upstream developers.

The other one is user management, which many will consider useless
within datacenters, but a must when there are many (users & nodes)
around.

To these 1/2 topics, I would add provisioning to the wishlist, which
is not a new item. Either cobbler based or not, in my opinion it
should address both iron and virtual deployments.

Javier Palacios



Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Jean-Michel Dault
On Wed, 2010-04-28 at 16:24 -0300, Andreas Hasenack wrote:
> On 04/28/2010 03:58 PM, Jean-Michel Dault wrote:
> > The only downside is that it uses extended schemas to store the
> > information. To work with Andréas's DIT structure, we would need to
> > convert everything to cn=config format. That's on my medium-term TODO
> > list, but if anyone is interested in helping, that could be ready for
> > Maverick...
> If you already have GOSA in place, I don't see why you would need
> openldap-dit.

Both DITs have features that are missing in the other. And I like the
way cn=config works ;-)


-- 
Jean-Michel Dault
Technology Architect
j...@rlnx.com
Révolution Linux inc
http://www.revolutionlinux.com




Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Veli-Matti Lintu
ke, 2010-04-28 kello 14:32 -0300, Andreas Hasenack kirjoitti:

> Having said that, I would certainly be interested in problems with my
> DIT and phpldapadmin or any other tool out there. I can think of one
> already which might break stuff out there, and that is the choosing of
> groups I made which follows RFC2307bis, and not RFC2307. Not all tools
> can cope with that (like smbldaptools, although it's trivial to fix it).

Lately I've been involved in creating OpenLDAP DIT for schools running
on Lucid and one thing that I've been wondering is whether it would be
possible to define one standard structure for Ubuntu that all tools
would be configured to use by default. That wouldn't take away the
possibility of configuring everything differently, but all tools and
tutorials would follow this one model.

Out of curiosity I checked what the defaults are in different systems.
If I got things written down correctly, the different default structures
I could find were:

Hardy slapd package init script and OpenDS:
* ou=People
* ou=Groups

smbldap-tools:
* ou=Users
* ou=Groups
* ou=Computers
* ou=Idmap

openldap-dit and openldap-mandriva-dit are based on RFC2307bis:
* ou=People
* ou=Group
* ou=Hosts
* ou=System Accounts
* ou=System Groups
* ou=Kerberos Realms
* ou=Idmap
* ou=Address Book

Fedora / FreeIPA uses something completely different:
* cn=users,cn=accounts
* cn=groups,cn=accounts
* cn=computers,cn=accounts
* cn=services,cn=accounts
* cn=account inactivation,cn=accounts
* cn=Kerberos

Now different tools have different defaults and tutorials use randomly
some names that probably confuse many people.

Having one standard DIT that is installed by default would help a lot
with external applications that are not packaged for Ubuntu. For example
Moodle that is used in schools can use LDAP, but it needs to be
configured properly. Writing a guide for that gets a lot easier if
standard structure is available.

> In fact, one of the things we talked about in the past UDSs, and which
> was done on the slapd package, is to make it so that other packages
> could hook into slapd and fill it with their schema and trees. This is
> possible because of the LDAPI authentication we have in place, which
> maps root (unix id 0) to the ldap admin, so any client that runs as root
> and connects to the LDAPI socket will be the ldap admin. Thus a package
> would be able to, say, inspect the existing schema, upload its own, etc.
> Think about that pdns-backend-ldap package asking in its postinst
> permission to configure the locally running ldap server for its needs,
> for example (with the default answer being "no, don't do that").

> While some (most?) seasoned ldap admins would run away crying just by
> the thought of that, surely LDAP newbies would appreciate it.

As I wasn't aware of openldap-dit until recently, I've been working on a
script to initialise slapd w/ssl and mit kerberos. The idea is that the
script first checks which schemas and modules are installed and then
adds the missing schemas and modules and configures them. It makes also
possible to dump current configuration and check for common problems
with ssl certificates and such. I try to get it uploaded somewhere soon
so that others can see if it'd be helpful.

Automatically loading the schemas sounds good, but how to configure
overlays and ACLs for everything is something that would probably need
some other solution. E.g. we have some needs for ACLs that probably
don't make sense outside schools, but are needed for us as we have
school districts, schools, superusers, school admins, teachers, pupils,
etc.

Veli-Matti




Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Andreas Hasenack
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/28/2010 03:58 PM, Jean-Michel Dault wrote:
> The only downside is that it uses extended schemas to store the
> information. To work with Andréas's DIT structure, we would need to
> convert everything to cn=config format. That's on my medium-term TODO
> list, but if anyone is interested in helping, that could be ready for
> Maverick...

If you already have GOSA in place, I don't see why you would need
openldap-dit.

- -- 
Andreas Hasenack
andr...@canonical.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvYi3QACgkQeEJZs/PdwpBOoQCfb3EJ/gNMLUfhFF4KXwGnPuNs
ijwAnivD80WdOXptdMtsR5apmSwJfyim
=OiHV
-END PGP SIGNATURE-



Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Jean-Michel Dault
On Wed, 2010-04-28 at 13:31 -0500, Jorge Armando Medina wrote:
> > That's quite a good idea, at the moment I prefer Apache Directory Studio.
> > When you have got a client system to manage the server, it's imo the
> > better solution to administer your DIT.
> > It's available for lnx, win and mac. Therefore it covers the most
> > platforms. :)
> Me and some customers prefer Apache Directory Studio over gq,
> ldapbrowser and other GUI ldap clients and editors. It requires java,
> but who doesn't have java already installed?

We use GOsa for all of our customers and are really happy with the
results.

It's a web interface built in PHP with smarty templates and
internationalization, that lets you manage users, groups, departments,
sudo roles, and can even do dhcp/dns, and other nice stuff.

I'm currently migrating a Chinese manufacturing company with over 800
accounts. They're getting rid of their Active Directory and moving to
Linux thin clients with LTSP and some Windows Terminal Servers for
legacy apps. GOsa handles all the SID generation for Samba so that
everything is seamless.

The only downside is that it uses extended schemas to store the
information. To work with Andréas's DIT structure, we would need to
convert everything to cn=config format. That's on my medium-term TODO
list, but if anyone is interested in helping, that could be ready for
Maverick...

-- 
Jean-Michel Dault
Technology Architect
j...@rlnx.com
Révolution Linux inc
http://www.revolutionlinux.com




Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Mathias Gug
Hi Andreas,

On Wed, Apr 28, 2010 at 02:32:27PM -0300, Andreas Hasenack wrote:
> 
> In fact, one of the things we talked about in the past UDSs, and which
> was done on the slapd package, is to make it so that other packages
> could hook into slapd and fill it with their schema and trees. This is
> possible because of the LDAPI authentication we have in place, which
> maps root (unix id 0) to the ldap admin, so any client that runs as root
> and connects to the LDAPI socket will be the ldap admin. Thus a package
> would be able to, say, inspect the existing schema, upload its own, etc.

I've slightly changed the behavior in Lucid: there isn't a mapping anymore (and
thus cn=localroot,cn=config has gone away). 

The actual sasl dn is used in the olcAccess for cn=config and the frontend 
database:

 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

> Think about that pdns-backend-ldap package asking in its postinst
> permission to configure the locally running ldap server for its needs,
> for example (with the default answer being "no, don't do that").
> 

Exactly. That's the main goal of moving to cn=config and adding an olcAccess
for the local root user:

  any package will be able to stick schemas and configure things in the local
  slapd instance.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com



Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Jorge Armando Medina
Benjamin Griese wrote:
> Hi Mark,
>
> That's quite a good idea, at the moment I prefer Apache Directory Studio.
> When you have got a client system to manage the server, it's imo the
> better solution to administer your DIT.
> It's available for lnx, win and mac. Therefore it covers the most
> platforms. :)
Me and some customers prefer Apache Directory Studio over gq,
ldapbrowser and other GUI ldap clients and editors. It requires java,
but who doesn't have java already installed?


>
> Bye.
>
> On Wed, Apr 28, 2010 at 19:16, Mark Foster  wrote:
>
> On 04/28/2010 09:45 AM, Andreas Hasenack wrote:
> > with reasonable default ACLs, on which new LDAP
> > administrators could build on and have a starting place for whatever
> > setup they wanted
> Do you or will you consider having phpldapadmin as part of this
> "starting place"
> Because, administering LDAP from the command line can have quite steep
> learning curve vs. using the (web) gui once the dir servers is
> ready for
> that.
>
> Also, if LDAP is to be integrated for the DNS, powerdns
> (pdns-backend-ldap) does pretty well.
>
> --
> I hate racists.  Mark D. Foster
> http://mark.foster.cc/ |  http://www.freegeekseattle.org/
>
>
>
> --
> ubuntu-server mailing list
> ubuntu-server@lists.ubuntu.com 
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam
>
>
>
>
> -- 
> To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To
> be is to do -- Sartre | Do be do be do -- Sinatra
>


-- 
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmed...@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632





Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Adam Sommer
On Wed, Apr 28, 2010 at 1:55 PM, Andreas Hasenack wrote:

>
> I think the goal should be to get a starting point that helps newbies to
> at least *see* something when they point an ldap client to the server,
> and also allow more seasoned admins to build upon that tree.
>
> For me, that means:
> - - we need a database configured (indexes, checkpoints, caches,
> DB_CONFIG, etc)
> - - we need a tree root
> - - seems like ou=People and ou=Group are pretty common and we should also
> have them at least
> - - basic ACLs to protect content that is not even there yet (like
> userPassword, krb5key, samba hashes, etc)
> - - basic ACLs to allow for group-delegated based administration
> - - an admin group, with a member for whom we have a password. This member
> is what the user should use. This concept of administration group
> resonates quite nicely with the default ubuntu sudo setup.
>
> It's because of this group based administration that I chose RFC2307bis,
> because it allows me to use the refint overlay and automatically update
> the group memberships if the user is removed from the tree, or has
> his/her name changed, etc.
>
> We can build upon that. A sudo-ldap package, for example, could detect
> that this tree is in place and offer to:
> - - add the sudo schema (assuming it was not added by the openldap-dit
> base package)
> - - create ou=sudoers and add the group based administration acls (if not
> part of the default dit)
> - - perhaps even migrate an existing /etc/sudoers to ldap if so desired
> (there are scripts for that)
>
> The above can all be done dynamically at postinst, because we have
> cn=config, if the package is installed on the same machine as the ldap
> server. If not, then it would need ldap credentials to make these
> changes over the network, but even so it could work.
>


I totally agree. I think doing all that for Lucid would be a great thing for
new users to OpenLDAP and Ubuntu.



>
> In karmic, openldap-dit triggers a bug in slapd which starts consuming
> 100% cpu and hangs. I filed a LP bug with a patch, and it was applied to
> lucid, but not to the karmic package yet (#485026). It's one of the
> problems (or risks, should I say) of using these many overlays.
> Sometimes a specific combination of them triggers a bug, like that case.
>
>
>

Ya, it gets complicated pretty quick once you start adding multiple schemas
and acls :-).  I guess when that happens the tool should fail gracefully and
maybe point to documentation on how to manually add the required objects to
your tree.

I would really like to see OpenLDAP be a great selling point for Ubuntu
Server, and should have time this cycle to help out developing, testing, or
whatever needs to be done.

-- 
Party On,
Adam

Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Andreas Hasenack
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/28/2010 02:25 PM, Adam Sommer wrote:
> Thanks Andreas for creating openldap-dit.  For the last couple of days
> I've been testing it, and after a few updates was able to get it to work
> on Lucid.  As you mentioned there are a lot of ways to create a

Cool!

I think the goal should be to get a starting point that helps newbies to
at least *see* something when they point an ldap client to the server,
and also allow more seasoned admins to build upon that tree.

For me, that means:
- - we need a database configured (indexes, checkpoints, caches,
DB_CONFIG, etc)
- - we need a tree root
- - seems like ou=People and ou=Group are pretty common and we should also
have them at least
- - basic ACLs to protect content that is not even there yet (like
userPassword, krb5key, samba hashes, etc)
- - basic ACLs to allow for group-delegated based administration
- - an admin group, with a member for whom we have a password. This member
is what the user should use. This concept of administration group
resonates quite nicely with the default ubuntu sudo setup.

It's because of this group based administration that I chose RFC2307bis,
because it allows me to use the refint overlay and automatically update
the group memberships if the user is removed from the tree, or has
his/her name changed, etc.

We can build upon that. A sudo-ldap package, for example, could detect
that this tree is in place and offer to:
- - add the sudo schema (assuming it was not added by the openldap-dit
base package)
- - create ou=sudoers and add the group based administration acls (if not
part of the default dit)
- - perhaps even migrate an existing /etc/sudoers to ldap if so desired
(there are scripts for that)

The above can all be done dynamically at postinst, because we have
cn=config, if the package is installed on the same machine as the ldap
server. If not, then it would need ldap credentials to make these
changes over the network, but even so it could work.

In karmic, openldap-dit triggers a bug in slapd which starts consuming
100% cpu and hangs. I filed a LP bug with a patch, and it was applied to
lucid, but not to the karmic package yet (#485026). It's one of the
problems (or risks, should I say) of using these many overlays.
Sometimes a specific combination of them triggers a bug, like that case.

- -- 
Andreas Hasenack
andr...@canonical.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvYdpsACgkQeEJZs/PdwpBZNQCgo637Pw4z/0GHAPIqQnP8T/DH
C34AoKAL3ptQ/QxQxHHSR9MYxbA+JifZ
=+keB
-END PGP SIGNATURE-

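Andreas's reason for choosing RFC2307bis above is that the refint overlay can keep group membership consistent when a user entry is deleted or renamed. The following is an added example written for this thread, not code from openldap-dit or from OpenLDAP: it models that overlay behaviour on a small in-memory directory with a constructed base DN and constructed sample entries, and sets an RFC2307bis groupOfNames (member DNs, which refint can follow) beside an RFC2307 posixGroup (memberUid strings, which it cannot), so the stale-membership problem Andreas avoids is visible in the output.

```python
"""Toy model of the OpenLDAP refint overlay acting on RFC2307bis groups.

Added example for this thread, not code from openldap-dit or OpenLDAP. It
keeps a tiny directory in memory: users under ou=People, groups under
ou=Group. The groupOfNames entry stores member DNs (RFC2307bis), which is
what lets refint follow a delete or rename; the posixGroup entry stores
memberUid strings (RFC2307), which refint cannot follow, so it goes stale.
The base DN, entry names and attribute lists are constructed.
"""

BASE = "dc=example,dc=com"  # constructed base DN

# Attributes the overlay rewrites; mirrors a typical olcRefintAttribute value.
REFINT_ATTRS = ("member", "uniqueMember", "owner", "seeAlso")

# DN substituted when the last value of a MUST attribute (member in
# groupOfNames) would otherwise disappear; olcRefintNothing in cn=config.
REFINT_NOTHING = f"cn=nobody,{BASE}"


def sample_directory():
    """Constructed sample: two users, one RFC2307bis group, one RFC2307 group."""
    alice = f"uid=alice,ou=People,{BASE}"
    bob = f"uid=bob,ou=People,{BASE}"
    return {
        alice: {"objectClass": ["posixAccount"], "uid": ["alice"]},
        bob: {"objectClass": ["posixAccount"], "uid": ["bob"]},
        f"cn=admins,ou=Group,{BASE}": {
            "objectClass": ["groupOfNames", "posixGroup"],
            "member": [alice, bob],
        },
        f"cn=legacy,ou=Group,{BASE}": {
            "objectClass": ["posixGroup"],
            "memberUid": ["alice", "bob"],
        },
    }


def _norm(dn):
    """DNs compare case-insensitively; this toy lowercases instead of
    doing full RFC 4514 normalisation."""
    return dn.lower()


def _fix_references(directory, old_dn, new_dn):
    """Rewrite every watched attribute that points at old_dn.

    new_dn is the replacement after a rename, or None after a delete.
    """
    for entry in directory.values():
        for attr in REFINT_ATTRS:
            values = entry.get(attr)
            if not values:
                continue
            if not any(_norm(v) == _norm(old_dn) for v in values):
                continue
            kept = [v for v in values if _norm(v) != _norm(old_dn)]
            if new_dn is not None:
                kept.append(new_dn)
            if not kept and attr == "member":
                kept = [REFINT_NOTHING]  # keep the MUST attribute populated
            entry[attr] = kept


def delete_entry(directory, dn):
    """Delete dn and clean up the DN-valued references to it."""
    del directory[dn]
    _fix_references(directory, dn, None)
    return directory


def rename_entry(directory, old_dn, new_dn):
    """Rename (modrdn) old_dn to new_dn and repoint references to it."""
    directory[new_dn] = directory.pop(old_dn)
    _fix_references(directory, old_dn, new_dn)
    return directory


if __name__ == "__main__":
    d = sample_directory()
    rename_entry(d, f"uid=bob,ou=People,{BASE}", f"uid=robert,ou=People,{BASE}")
    delete_entry(d, f"uid=alice,ou=People,{BASE}")
    print("admins member:", d[f"cn=admins,ou=Group,{BASE}"]["member"])
    print("legacy memberUid (stale):", d[f"cn=legacy,ou=Group,{BASE}"]["memberUid"])
```

Running it shows the groupOfNames tracking both the rename and the delete, while the posixGroup still lists "alice" and "bob" by uid; that stale list is exactly what an RFC2307-only tool such as the smbldap-tools Andreas mentions would keep seeing.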


Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Andreas Hasenack
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/28/2010 02:16 PM, Mark Foster wrote:
> On 04/28/2010 09:45 AM, Andreas Hasenack wrote:
>> with reasonable default ACLs, on which new LDAP
>> administrators could build on and have a starting place for whatever
>> setup they wanted
> Do you or will you consider having phpldapadmin as part of this 
> "starting place"

I don't know, I kind of think that phpldapadmin could have its own
bootstrapping/dit if it were pointed to a clean directory. I would like
to stay as frontend-agnostic as possible.

> Because, administering LDAP from the command line can have quite steep 
> learning curve vs. using the (web) gui once the dir servers is ready for 
> that.

Having said that, I would certainly be interested in problems with my
DIT and phpldapadmin or any other tool out there. I can think of one
already which might break stuff out there, and that is the choosing of
groups I made which follows RFC2307bis, and not RFC2307. Not all tools
can cope with that (like smbldaptools, although it's trivial to fix it).

> Also, if LDAP is to be integrated for the DNS, powerdns 
> (pdns-backend-ldap) does pretty well.

Could be. I guess I could have a different ldif for each dns
implementation, with its own schema.

In fact, one of the things we talked about in the past UDSs, and which
was done on the slapd package, is to make it so that other packages
could hook into slapd and fill it with their schema and trees. This is
possible because of the LDAPI authentication we have in place, which
maps root (unix id 0) to the ldap admin, so any client that runs as root
and connects to the LDAPI socket will be the ldap admin. Thus a package
would be able to, say, inspect the existing schema, upload its own, etc.
Think about that pdns-backend-ldap package asking in its postinst
permission to configure the locally running ldap server for its needs,
for example (with the default answer being "no, don't do that").

While some (most?) seasoned ldap admins would run away crying just by
the thought of that, surely LDAP newbies would appreciate it.

- -- 
Andreas Hasenack
andr...@canonical.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvYcSkACgkQeEJZs/PdwpBroACfbQbqBPtax4HhAyuZJ5wM2dAI
6jUAnRpmlB+C3d22VMOjFuSwzWKrQQrm
=McG6
-END PGP SIGNATURE-

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
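The LDAPI hook described in the message above, as an added example that is not code from the thread, from openldap-dit or from any Ubuntu package: a postinst-style shell sketch that asks through debconf (default "no") and, only if allowed, checks cn=config over the LDAPI socket for an already loaded schema before adding its own. The schema name pdns, the file /etc/ldap/schema/pdns.ldif and the debconf template pdns-backend-ldap/configure-slapd are invented for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread, openldap-dit or any Ubuntu package).
# A package postinst that uses the slapd package's LDAPI setup: a process
# running as unix root (uid 0) connecting to the ldapi socket is mapped by
# slapd's cn=config ACL (peercred identity
# gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) to the config
# admin, so no password is needed.
# Assumed/invented: schema name "pdns", its LDIF path, the debconf
# template name, and /var/run/slapd/ldapi as the socket path.

LDAPI_URI="ldapi:///"
SCHEMA_NAME="pdns"
SCHEMA_LDIF="/etc/ldap/schema/pdns.ldif"

# schema_present NAME LDIF: succeed (0) when LDIF, as returned by a search
# of cn=schema,cn=config, already lists a schema entry named NAME.
# cn=config prefixes each loaded schema with an ordering index, for
# example "cn: {4}pdns", so match that form rather than a bare name.
schema_present() {
    name="$1"
    printf '%s\n' "$2" | grep -Eq "^cn: [{][0-9]+[}]${name}\$"
}

# loaded_schemas: live query over the LDAPI socket as the config admin.
# -Y EXTERNAL selects SASL EXTERNAL (peer credentials), -Q keeps it quiet.
loaded_schemas() {
    ldapsearch -LLL -Q -Y EXTERNAL -H "$LDAPI_URI" \
        -b cn=schema,cn=config '(objectClass=olcSchemaConfig)' cn
}

# add_schema NAME LDIF_FILE: load the schema only when it is not there yet.
# Returns 0 if loaded or already present, non-zero if ldapadd failed.
add_schema() {
    name="$1"; file="$2"
    if schema_present "$name" "$(loaded_schemas)"; then
        echo "schema $name already loaded, nothing to do"
        return 0
    fi
    ldapadd -Q -Y EXTERNAL -H "$LDAPI_URI" -f "$file"
}

# configure_slapd: the postinst entry point. Only an explicit "true"
# (the template's default is false) lets the package touch the directory.
configure_slapd() {
    . /usr/share/debconf/confmodule
    db_input high pdns-backend-ldap/configure-slapd || true
    db_go || true
    db_get pdns-backend-ldap/configure-slapd
    if [ "$RET" != "true" ]; then
        echo "not touching the local slapd (answered no)"
        return 0
    fi
    add_schema "$SCHEMA_NAME" "$SCHEMA_LDIF"
}

# Act only when invoked as a postinst ("configure") on a host that has
# the LDAPI socket; sourcing this file for its functions does nothing.
if [ "${1:-}" = "configure" ] && [ -S /var/run/slapd/ldapi ]; then
    configure_slapd
fi
```

Only schema_present runs without a live slapd; the rest needs root on a host whose cn=config ACL grants the peercred identity manage rights, which is what the unix-root-to-ldap-admin mapping amounts to. A real postinst sources confmodule at the top of the script rather than inside a function. The caveat the seasoned admins in the thread would raise is that anything running as root on the box gets the same access, so the debconf default of "no" is the only thing between a package install and schema changes in the directory.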
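The RFC2307 versus RFC2307bis group point in the message above, as an added shell example that is not from the thread, from openldap-dit or from smbldap-tools. Two constructed LDIF records for the same group show why a tool that only reads memberUid sees the bis-style group as empty, and members_any is the kind of trivial fix mentioned: accept both conventions. The suffix dc=example,dc=com and the entries are invented.

```shell
#!/bin/sh
# Added example (not from the thread, openldap-dit or smbldap-tools).
# RFC2307 groups list members as bare login names in memberUid. In the
# RFC2307bis draft posixGroup becomes auxiliary and a group is typically
# also a groupOfNames whose "member" values are DNs, with no memberUid.
# Both records below are constructed sample data under an assumed suffix.

# RFC2307 style: members by login name
RFC2307_GROUP='dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 10000
memberUid: alice
memberUid: bob'

# RFC2307bis style: members by DN; memberUid is absent
RFC2307BIS_GROUP='dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: admins
gidNumber: 10000
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com'

# members_rfc2307 LDIF: what a memberUid-only tool extracts, one per line.
# Prints nothing for a bis-style group, which is the breakage in question.
members_rfc2307() {
    printf '%s\n' "$1" | sed -n 's/^memberUid: //p'
}

# members_any LDIF: the fix. memberUid values are taken as-is and member
# DNs are reduced to the value of their uid= RDN; the result is sorted and
# de-duplicated so a group carrying both attributes yields one name each.
members_any() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^memberUid: //p' \
        -e 's/^member: uid=\([^,]*\),.*/\1/p' | sort -u
}
```

Whichever way a tool is patched, every consumer of the directory has to agree on which convention is authoritative: a posixGroup carrying both memberUid and member keeps old tools working but leaves two member lists to keep in sync.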


Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Adam Sommer
Hello,

On Wed, Apr 28, 2010 at 12:58 PM, Mathias Gug  wrote:

>
> I think this is a great idea. Basing the work on the openldap-dit project
> is a
> good start.
>
> I would focus on:
>
>  1. Identifying which use cases should be covered:
>* user and group management.
>  2. Creating a DIT that can be used to cover the use cases:
>* openldap-dit is a good starting point.
>  3. Creating a package that asks basic questions and sets up the DIT.
>  4. Looking into administration tools:
>* CLI to cover the basic use cases - ldapscripts is useful.
>
> I'd suggest filing a blueprint and discussing it at UDS if you wanna hash out
> the
> plan for Maverick.
>
> --
>


Thanks Andreas for creating openldap-dit.  For the last couple of days I've
been testing it, and after a few updates was able to get it to work on
Lucid.  As you mentioned there are a lot of ways to create a directory tree,
and everyone does it differently.  I created a branch to attempt to
modularize the openldap-dit-setup.sh script based on which services an
admin would like.  It's probably pretty crude, but I was able to apply all
the different schemas, and tested the sudo items.

Mathias, I created a blueprint here:
https://blueprints.launchpad.net/openldap-dit/+spec/server-maverick-openldap-dit
and I agree that another UDS discussion would be great :-).

Thanks again.

-- 
Party On,
Adam
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Benjamin Griese
Hi Mark,

that's quite a good idea; at the moment I prefer Apache Directory Studio.
When you have a client system to manage the server, it's IMO the better
solution to administer your DIT.
It's available for Linux, Windows and Mac, so it covers most platforms.
:)

Bye.

On Wed, Apr 28, 2010 at 19:16, Mark Foster  wrote:

> On 04/28/2010 09:45 AM, Andreas Hasenack wrote:
> > with reasonable default ACLs, on which new LDAP
> > administrators could build on and have a starting place for whatever
> > setup they wanted
> Do you or will you consider having phpldapadmin as part of this
> "starting place"?
> Because, administering LDAP from the command line can have quite a steep
> learning curve vs. using the (web) GUI once the dir server is ready for
> that.
>
> Also, if LDAP is to be integrated for the DNS, powerdns
> (pdns-backend-ldap) does pretty well.
>
> --
> I hate racists.  Mark D. Foster
> http://mark.foster.cc/ |  http://www.freegeekseattle.org/
>
>
>
> --
> ubuntu-server mailing list
> ubuntu-server@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam
>



-- 
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is
to do -- Sartre | Do be do be do -- Sinatra
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Mark Foster
On 04/28/2010 09:45 AM, Andreas Hasenack wrote:
> with reasonable default ACLs, on which new LDAP
> administrators could build on and have a starting place for whatever
> setup they wanted
Do you or will you consider having phpldapadmin as part of this
"starting place"?
Because, administering LDAP from the command line can have quite a steep
learning curve vs. using the (web) GUI once the dir server is ready for
that.

Also, if LDAP is to be integrated for the DNS, powerdns 
(pdns-backend-ldap) does pretty well.

-- 
I hate racists.  Mark D. Foster
http://mark.foster.cc/ |  http://www.freegeekseattle.org/



-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam


Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Benjamin Griese
Hi Andreas,

I just took a look at your work and I agree with Mathia[sz] that it's a good
start.
I think of a debconf menu similar to the nss_ldap and openldap-client ones,
that asks you about your needs to build some LDIFs from a base.
I haven't tested your script; maybe it's already doing this in your scripting
way. That should be as system-compliant as possible, in the way it uses the
given tools.

Just my small opinion.

Anyway, you did good work by collecting the information and building the
different LDIFs for the different purposes.
Sometimes when I search for some information about OpenLDAP, it's a major pain
in the ass to find anything useful on the net or on the mailing list that
fits your needs.

Hopefully, this is getting integrated to make the really interesting stuff
of LDAP really useful, even in small networks where the admin hasn't
heard about central user/whatever management.

Glad that you made such a step on your own. :)

Bye, Benjamin.

On Wed, Apr 28, 2010 at 18:45, Andreas Hasenack wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 04/27/2010 04:47 PM, Roderick B. Greening wrote:
> > I second this.
> >
> > I am attempting (unsuccessfully) to get an OpenLDAP setup so that I can
> > perform authentication across systems and services.
> >
> > It would be ideal if there were an easy way to set up LDAP and, via some
> > basic questions, get you up and running.
> >
> > I'm all for helping out on such an endeavour (from the "what I need it to
> > do" department and not the technical side of LDAP, which I am weak on).
>
> Hi, I created openldap-dit.
>
> The goal of the openldap-dit project was never to create a set of tools
> to create users and other objects in the directory, but rather setup a
> basic tree, with reasonable default ACLs, on which new LDAP
> administrators could build on and have a starting place for whatever
> setup they wanted. I know trees can take many shapes and forms.
>
> It can surely be simplified by removing dns and dhcp, which are the most
> complex branches in there I think, especially since bind in ubuntu
> doesn't work with ldap so well.
>
> I also think that the move to cn=config made it more difficult, if not
> impossible, for people not familiar with ldap to get to a starting
> point, at least without something like a default dit with an admin and
> some basic ACLs. The DIT I created I think helps, and I would love to
> hear some feedback about people who tried to use it. I know some of its
> pain points, but without people complaining or using it I don't have
> much motivation to fix it. And I'm at fault with that, because I never
> exactly made it very public.
>
> - --
> Andreas Hasenack
> andr...@canonical.com
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkvYZjMACgkQeEJZs/PdwpCkpgCfeK46PCXwtBcax3bSJEIbsbO/
> tjIAoMim4vfjAuiIu97eOCKGChTktTZh
> =aJi9
> -END PGP SIGNATURE-
>
> --
> ubuntu-server mailing list
> ubuntu-server@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam
>



-- 
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is
to do -- Sartre | Do be do be do -- Sinatra
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Benjamin Griese
Hi Andreas,

I just took a look at your work and I agree with Mathia[sz] that it's a good
start.
I think of a debconf menu similar to the nss_ldap and openldap-client ones,
that asks you about your needs to build some LDIFs from a base.
I haven't tested your script; maybe it's already doing this in your scripting
way. That should be as system-compliant as possible, in the way it uses the
given tools.

Just my small opinion.

Anyway, you did good work by collecting the information and building the
different LDIFs for the different purposes.
Sometimes when I search for some information about OpenLDAP, it's a major pain
in the ass to find anything useful on the net or on the mailing list that
fits your needs.

Hopefully, this is getting integrated to make the really interesting stuff
of LDAP really useful, even in small networks where the admin hasn't
ever heard about central user/whatever management.

Glad to see you active here.

Bye, Benjamin.

On Wed, Apr 28, 2010 at 18:45, Andreas Hasenack wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 04/27/2010 04:47 PM, Roderick B. Greening wrote:
> > I second this.
> >
> > I am attempting (unsuccessfully) to get an OpenLDAP setup so that I can
> > perform authentication across systems and services.
> >
> > It would be ideal if there were an easy way to set up LDAP and, via some
> > basic questions, get you up and running.
> >
> > I'm all for helping out on such an endeavour (from the "what I need it to
> > do" department and not the technical side of LDAP, which I am weak on).
>
> Hi, I created openldap-dit.
>
> The goal of the openldap-dit project was never to create a set of tools
> to create users and other objects in the directory, but rather setup a
> basic tree, with reasonable default ACLs, on which new LDAP
> administrators could build on and have a starting place for whatever
> setup they wanted. I know trees can take many shapes and forms.
>
> It can surely be simplified by removing dns and dhcp, which are the most
> complex branches in there I think, especially since bind in ubuntu
> doesn't work with ldap so well.
>
> I also think that the move to cn=config made it more difficult, if not
> impossible, for people not familiar with ldap to get to a starting
> point, at least without something like a default dit with an admin and
> some basic ACLs. The DIT I created I think helps, and I would love to
> hear some feedback about people who tried to use it. I know some of its
> pain points, but without people complaining or using it I don't have
> much motivation to fix it. And I'm at fault with that, because I never
> exactly made it very public.
>
> - --
> Andreas Hasenack
> andr...@canonical.com
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkvYZjMACgkQeEJZs/PdwpCkpgCfeK46PCXwtBcax3bSJEIbsbO/
> tjIAoMim4vfjAuiIu97eOCKGChTktTZh
> =aJi9
> -END PGP SIGNATURE-
>
> --
> ubuntu-server mailing list
> ubuntu-server@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam
>



-- 
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is
to do -- Sartre | Do be do be do -- Sinatra
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Mathias Gug
Hi,

On Tue, Apr 27, 2010 at 05:17:00PM -0230, Roderick B. Greening wrote:
> > > 
> > > Are there plans regarding ldap/kerberos user management and
> > > authentication? Launchpad has quite a few old blueprints around these,
> > > but I haven't been able to find information about long term plans.
> > 
> > I would like to propose a blueprint for a base directory setup tool based
> > on the OpenLDAP-DIT project: https://launchpad.net/openldap-dit.  The
> > current branch adds schemas and objects for DNS, DHCP, etc and these may
> > be more work than I have time for.
> > 
> > As many have noted there is a need for a tool/process to get a base
> > directory created for those users who don't know a lot about LDAP.  As a
> > starting place using a simpler version of the openldap-dit-setup.sh script
> > that just creates the base DC, OUs, admin user, etc is a reasonable goal
> > for Maverick.
> > 
>
> It would be ideal if there were an easy way to set up LDAP and, via some basic
> questions, get you up and running.
> 
> I'm all for helping out on such an endeavour (from the "what I need it to do"
> department and not the technical side of LDAP, which I am weak on).
> 

I think this is a great idea. Basing the work on the openldap-dit project is a
good start.

I would focus on:

 1. Identifying which use cases should be covered:
* user and group management.
 2. Creating a DIT that can be used to cover the use cases:
* openldap-dit is a good starting point.
 3. Creating a package that asks basic questions and sets up the DIT.
 4. Looking into administration tools:
* CLI to cover the basic use cases - ldapscripts is useful.

I'd suggest filing a blueprint and discussing it at UDS if you wanna hash out the
plan for Maverick.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com


signature.asc
Description: Digital signature
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Andreas Hasenack
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/27/2010 04:47 PM, Roderick B. Greening wrote:
> I second this.
> 
> I am attempting (unsuccessfully) to get an OpenLDAP setup so that I can
> perform authentication across systems and services.
> 
> It would be ideal if there were an easy way to set up LDAP and, via some basic
> questions, get you up and running.
> 
> I'm all for helping out on such an endeavour (from the "what I need it to do"
> department and not the technical side of LDAP, which I am weak on).

Hi, I created openldap-dit.

The goal of the openldap-dit project was never to create a set of tools
to create users and other objects in the directory, but rather setup a
basic tree, with reasonable default ACLs, on which new LDAP
administrators could build on and have a starting place for whatever
setup they wanted. I know trees can take many shapes and forms.

It can surely be simplified by removing dns and dhcp, which are the most
complex branches in there I think, especially since bind in ubuntu
doesn't work with ldap so well.

I also think that the move to cn=config made it more difficult, if not
impossible, for people not familiar with ldap to get to a starting
point, at least without something like a default dit with an admin and
some basic ACLs. The DIT I created I think helps, and I would love to
hear some feedback about people who tried to use it. I know some of its
pain points, but without people complaining or using it I don't have
much motivation to fix it. And I'm at fault with that, because I never
exactly made it very public.

- -- 
Andreas Hasenack
andr...@canonical.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvYZjMACgkQeEJZs/PdwpCkpgCfeK46PCXwtBcax3bSJEIbsbO/
tjIAoMim4vfjAuiIu97eOCKGChTktTZh
=aJi9
-END PGP SIGNATURE-

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
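The "default dit with an admin and some basic ACLs" that the message above argues for, as an added configuration example that is not the openldap-dit project's own ACL set: a minimal olcAccess list for the user database in cn=config, close to what the slapd package ships by default but with anonymous read of the tree tightened to authenticated users. Assumed names: the database entry olcDatabase={1}hdb, the suffix dc=example,dc=com and the admin cn=admin,dc=example,dc=com.

```ldif
# Added example, not openldap-dit's ACL set. Assumed: olcDatabase={1}hdb,
# suffix dc=example,dc=com, admin cn=admin,dc=example,dc=com.
# Apply as root over the LDAPI socket, which the slapd package maps to the
# config admin:  ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Secrets: the owner may change them, anyone may bind with them,
# nobody (not even authenticated users) may read them.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=admin,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
# The root DSE stays readable so clients can discover the server.
olcAccess: {1}to dn.base="" by * read
# Everything else: the admin writes, authenticated users read,
# anonymous binds get nothing.
olcAccess: {2}to *
  by dn.exact="cn=admin,dc=example,dc=com" write
  by users read
  by * none
```

Two checks before adopting this: the rootdn configured in olcRootDN is never subject to ACLs at all, so if cn=admin is also the rootdn the explicit clauses for it are redundant and any tool binding as the rootdn bypasses the whole list; and "by users read" on the last rule breaks nss_ldap-style lookups that bind anonymously unless those clients are given a bind DN of their own.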


Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-28 Thread Roderick B. Greening
I second this.

I am attempting (unsuccessfully) to get an OpenLDAP setup so that I can
perform authentication across systems and services.

It would be ideal if there were an easy way to set up LDAP and, via some basic
questions, get you up and running.

I'm all for helping out on such an endeavour (from the "what I need it to do"
department and not the technical side of LDAP, which I am weak on).

> On Sat, Apr 24, 2010 at 9:24 AM, Veli-Matti Lintu <veli-matti.li...@opinsys.fi> wrote:
> > > From: "Jos Boumans" 
> > > 
> > > with the Lucid release cycle nearing its completion, it's
> > > time to start looking forward to our next release: Maverick
> > > Meerkat.
> > 
> > Hello,
> > 
> > Are there plans regarding ldap/kerberos user management and
> > authentication? Launchpad has quite a few old blueprints around these,
> > but I haven't been able to find information about long term plans.
> 
> I would like to propose a blueprint for a base directory setup tool based
> on the OpenLDAP-DIT project: https://launchpad.net/openldap-dit.  The
> current branch adds schemas and objects for DNS, DHCP, etc and these may
> be more work than I have time for.
> 
> As many have noted there is a need for a tool/process to get a base
> directory created for those users who don't know a lot about LDAP.  As a
> starting place using a simpler version of the openldap-dit-setup.sh script
> that just creates the base DC, OUs, admin user, etc is a reasonable goal
> for Maverick.
> 
> I know directory services are not a hugely high priority for the full time
> members of the Server Team, but are of great interest to many of the same
> members.  I should have time this cycle to work on such a blueprint to
> hopefully have an easier way to get started using OpenLDAP on Ubuntu
> Server.
> 
> Please let me know your ideas and if this is a worthwhile project for a
> community member.
___
Roderick B. Greening, B.Sc.
Paradise, NL Canada
E-mail/MSN: roderick.green...@gmail.com 
LP: launchpad.net/~roderick-greening 
Wiki: wiki.ubuntu.com/rgreening 
Blog: roderick-greening.blogspot.com 
Twitter: twitter.com/rgreening
Identica: identi.ca/rgreening



signature.asc
Description: This is a digitally signed message part.
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-26 Thread Adam Sommer
On Sat, Apr 24, 2010 at 9:24 AM, Veli-Matti Lintu <veli-matti.li...@opinsys.fi> wrote:

> > From: "Jos Boumans" 
>
> > with the Lucid release cycle nearing its completion, it's
> > time to start looking forward to our next release: Maverick
> > Meerkat.
>
> Hello,
>
> Are there plans regarding ldap/kerberos user management and authentication?
> Launchpad has quite a few old blueprints around these, but I haven't been
> able to find information about long term plans.
>
>

I would like to propose a blueprint for a base directory setup tool based on
the OpenLDAP-DIT project: https://launchpad.net/openldap-dit.  The current
branch adds schemas and objects for DNS, DHCP, etc and these may be more
work than I have time for.

As many have noted there is a need for a tool/process to get a base
directory created for those users who don't know a lot about LDAP.  As a
starting place using a simpler version of the openldap-dit-setup.sh script
that just creates the base DC, OUs, admin user, etc is a reasonable goal for
Maverick.

I know directory services are not a hugely high priority for the full time
members of the Server Team, but are of great interest to many of the same
members.  I should have time this cycle to work on such a blueprint to
hopefully have an easier way to get started using OpenLDAP on Ubuntu
Server.

Please let me know your ideas and if this is a worthwhile project for a
community member.

-- 
Party On,
Adam
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: UDS Maverick: Call for Blueprints for Ubuntu Server

2010-04-24 Thread Veli-Matti Lintu
> From: "Jos Boumans" 

> with the Lucid release cycle nearing its completion, it's
> time to start looking forward to our next release: Maverick
> Meerkat.

Hello,

Are there plans regarding ldap/kerberos user management and authentication? 
Launchpad has quite a few old blueprints around these, but I haven't been able 
to find information about long term plans.

I've been using ldap/kerberos to run school networks and it certainly is 
possible to get these working for production, but it's not always easy. 
Especially now that schools are integrating more and more web based 
applications that integrate with ldap, it is becoming a critical piece in the 
setup. There are often quite a few parties involved running the setups and 
usually there are also non-Ubuntu systems involved.

I wrote more about the issues on the edubuntu-devel mailing list:
https://lists.ubuntu.com/archives/edubuntu-devel/2010-April/003431.html

As I really haven't been involved in Ubuntu development, I do not know what the 
plans are and how to get involved. Schools have several domain specific needs 
that are probably not useful elsewhere, but having a solid common ground could 
help building the tools for schools. I hope I can help with something if there 
are plans on this front. Lucid is looking really good and I can only imagine 
what could be built on it.

Veli-Matti

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam