#ubuntu-directory 2006-11-13
<zch> hi
<zch> hi ajmitch, I want try your authtool app, but I have a dependency problem
<zch> "ImportError: No module named Version"
<zch> hi
<zch> does someone know the dependencies of ajmitch's authtool?
<ajforgue> So I want to use LDAP to maintain lists of users that have access to servers.  Right now we do |(uid=...)(uid=...) which is a pain in the ass.  Would it make sense to do |(eduPersonAccess=unix)(eduPersonHostAccess=FQDN) and add those attributes to users or is there a better way?
<fernando> (&(eduPersonAccess=unix)(eduPersonHostAccess=FQDN)) this?
<ajforgue> well, it has to be or, because eduPersonAccess=unix would get access to ALL unix/linux hosts.
<ajforgue> forgot to explain that... heh
<ajforgue> we have 100 something servers, so potentially someone could have an attribute with that many entries
<ajforgue> Ideally I want pam_ldap to do something better ;_;
<wasabi> morning
<ajforgue> hey jerry
<wasabi> hi
<zch> hi
<zch> ajforgue: I do not really understand you
<zch> ajforgue: what is your current solution?
<zch> "|(uid=...)(uid=...)" means what? is this your "pam_filter" string?
<ajforgue> yeah
<ajforgue> I guess I suck at explaining things
<zch> ajforgue: are you looking for a better pam-filter?
<ajforgue> something more centrally maintainable than what I have now
<ajforgue> not really ubuntu-directory specific, just general ldap/linux question
<ajforgue> I'd rather use groups, but pam_filter doesn't really make that easy
<zch> I do not know the eduPerson* attributes, but what about: (&(uid=*)(eduPersonAccess=unix)(eduPersonHostAccess=FQDN)) ?
<zch> from which schema is eduPerson*
<ajforgue> educause.. http://www.educause.edu/content.asp?PAGE_ID=949&bhcp=1
<ajforgue> almost every university uses it
<zch> oh thanks, for the info
<zch> do I understand it right: you have a lot of users, but not every user should have access to every server, is that right?
<ajforgue> yup
<ajforgue> so I'm creating an attribute that's set if they should have access to all servers, and one for specific hosts
<ajforgue> since we have 35000 users, only some of them will have access to some servers
<ajforgue> and only a few people with access to all of them
<ajforgue> ldapsearch -Y GSSAPI -h rhds1.sys.oakland.edu '(|(ouEduPersonHostAccess=anthracite.sys.oakland.edu)(ouEduPersonGlobalAccess=unix))'
<ajforgue> so that says allow people with specific access to this host OR users with access to all unix hosts
<ajforgue> which I think will work
<zch> what is wrong with this filter?
<ajforgue> nothing -- just asking if this seems like a good idea
<zch> are these attributes indexed?
<ajforgue> yup
<zch> I think this filter is ok
<zch> but I am not an LDAP-guru
<fernando> ajforgue: | is right? OR
<zch> pam-ldap has an extra option for host access control, it uses the "host" attribute, perhaps it uses a more intelligent mechanism
<ajforgue> yeah, "|" is right
<zch> ajforgue: why are you not so happy with this filter?
<ajforgue> It feels like a hack
<ajforgue> but it's linux, so I guess I should get used to it
<ajforgue> pam_check_host_attr?
<zch> yes, but you can't use it
<zch> I only think it does something special because a (&($filter)(host=FQDN)) would not be so hard
<ajforgue> I want to use ouEduPersonGlobalAccess for other stuff like web applications and such, so I'll not use pam's thing
<zch> btw, for pam_check_host_attr: http://www.nabble.com/Regarding-%22pam_check_host_attr%22-t1127306.html
<zch> ajforgue: why do you use (|(uid=...)(uid=...)) and not '(|(ouEduPersonHostAccess=anthracite.sys.oakland.edu)(ouEduPersonGlobalAccess=unix))' ?
<ajforgue> that's what we're moving to
<zch> ajforgue: I think I get it
<zch> ajforgue: which LDAP server do you have?
<ajforgue> RHDS
<ajforgue> aka FDS
<zch> for how long?
<ajforgue> it's not in production yet
<ajforgue> it will be by the end of the year
<zch> ajforgue: and how do you manage 35000 users?
<ajforgue> lots of perl and php
<ajforgue> that thankfully I don't have to maintain
<zch> :)
<ajforgue> we have an ERP that the data comes out of, so we just sync from there
<zch> ajforgue: own perl and php apps?
<ajforgue> yeah
<ajforgue> with a web interface
<ajforgue> @_@
<ajforgue> ajmitch: can you send me the pictures you took?
<ajmitch> yeah, I probably can
<zch> hi ajmitch
<zch> ajmitch: can I help with authtool?
<zch> hmm, no? :(
<Burgwork> it is currently very early in ajmitch's morning
<zch> hm, ok
<zch> good night
#ubuntu-directory 2006-11-14
<Burgundavia> ajmitch: zch is looking to help you with authtool, but you keep missing each other
<ajmitch> ok
<zch> hi
<fernando> zch: hi
#ubuntu-directory 2006-11-16
<zch> hi
<robertj> is there a list of stuff that needs to be added to EDSAdmin?
<robertj> <crickets />
<Burgwork> robertj: I have not looked at it, so I cannot comment
<Burgwork> rather than figure that out, why not compile a needs list and match it up
<robertj> Burgwork: is there such a list?
<robertj> Burgwork: I looked at EDSAdmin ~9 months back
<robertj> and have since learned something of python
<zch> robertj: I miss a "browse view" like lat has
<zch> robertj: do you know lat?
<robertj> zch: no, sorry
<robertj> zch: I've heard of it
<robertj> zch: browse view == tree view?
<zch> robertj: perhaps you should look at it, it's not bad, with a nice UI
<zch> robertj: yes tree view, with all attributes
<zch> I don't know what the scope of edsadmin is
<zch> perhaps it shouldn't become yet another LDAP Browser
<robertj> zch: probably not, but I doubt it could be a significant amount of work
<robertj> well relative to the rest of the task at hand
<robertj> EDS had its last commit 23 months ago
<zch> robertj: make edsadmin look like lat :)
<zch> but much more stable
<robertj> edsadmin still depends on howl
<Burgwork> yes, lat has stability issues
<robertj> it seems like it would be a good idea to ask nicely if we should fork EDSAdmin
<Burgwork> is upstream dead?
<robertj> like I said, 23 months
<Burgwork> in that case, email the creator asking for you to take it over
<robertj> oh no, i'm not falling for that one :)
<Burgwork> somebody's got to
<robertj> so who's getting paid :)
<robertj> but seriously, I don't have the time
<robertj> brb
* robertj checks out edsadmin
<zch> robertj: have a look at this:  https://lists.ubuntu.com/archives/ubuntu-devel/2004-December/002391.html
<zch> mark roach (author of edsadmin) wrote:
<zch> Hi, Manuel. I want to mention a program I have been working on: EDS
<zch> Admin (http://edsadmin.sourceforge.net). It is a gtk + python app for
<zch> managing LDAP user directories. Unlike other LDAP programs, it doesn't
<zch> try to be a swiss army knife; it tries to manage users and groups well.
<zch> The current version auto-detects LDAP servers using either DNS SRV
<zch> records or rendezvous. As soon as I can get some strange bugs squashed
<zch> in the openldap/kerberos/sasl combo, it will also support auto-login to
<zch> the directory server for the domain(realm). It also supports samba
<zch> accounts and groups, and I plan to support Lorikeet (Samba + Heimdal +
<zch> LDAP SSO solution) as soon as possible.
<robertj> that's checked into sf as EDSRealmsAssistant
<robertj> the linked url there seems kaput though
<zch> is EDSRealmsAssistant, edsadmin + more? or an own tool?
<robertj> I think it's a separate tool, never looked into that though
<zch> hmm, is mark at the moment active in the ubuntu community?
<robertj> dunno
<robertj> I wonder where it is getting its images module from
<robertj> it's not in cvs
<robertj> and there is nothing like it in google's code search
#ubuntu-directory 2006-11-19
<SimonAnibal> Anyone familiar with SystemImager?
<SimonAnibal> Good stuff
<SimonAnibal> Helping me get away from reliance on Norton Ghost
