=== tuxub [n=maufeiti@87-196-24-71.net.novis.pt] has joined #ubuntu-directory
[12:17] ..
[12:35] who declined it?
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
[01:07] Hey y'all
[01:07] hiya
[01:07] I'm reposting a question from ubuntu-server 'cause the channel seems dead
[01:08] I can't find the answer to why the slapd package in ubuntu and debian doesn't include SSL. Anyone know?
[01:08] It should.
[01:08] You of course have to enable and configure it with a certificate.
[01:08] It's not enabled by default
[01:08] Of course not. Ubuntu doesn't distribute a cert for you.
[01:08] From what I gather, it's not enabled in the build
[01:09] It is.
[01:09] checking though.
[01:09] hum, weird, after setting the TLS* config params and all and starting the ldap server, 636 is unused.
[01:09] TLS != SSL.
[01:09] port 636 I mean
[01:09] Oh yeah sorry.
[01:10] TLS is Transport Layer Security.
[01:10] ie a socket is transformed to SSL on the fly.
[01:10] Isn't TLS the SSL replacement?
[01:10] After an unsecured handshake.
[01:10] oh ok.
[01:10] Yes, but it doesn't require a new port.
[01:10] Me stupid.
[01:10] ;-)
[01:10] The handshake happens in plain text, over the normal port.
[01:11] thanks for the info.
[01:11] I'm going to guess since libssl-dev is a build-dep, that it's enabled.
[01:11] And also, that I use it.
[01:12] hehe
[01:12] that would be a giveaway ;-)
[01:12] I was wondering because I saw a lot of issues documents about enabling this in debian
[01:13] Well, plain ol' SSL isn't really needed or desired anymore.
[01:13] And TLS requires you to create a cert.
[01:13] So it's not really something that can work out of the box.
[01:13] That makes sense.
[01:14] And I'm all for using Kerberos anyways.
[01:14] How hard would it be to create one automagically when the openldap server is installed?
[01:14] Which provides transport encryption on its own.
[01:14] I guess that would be another option.
[01:14] nkassi: Could create a self-signed one, but that is completely unoptimal.
[01:14] I'd rather have the creation of a proper CA be part of our LDAP server plans.
[01:14] Except I would like to use it to allow thunderbird to look up contacts
[01:15] sound decent.
[01:15] sounds decent. I mean
[01:15] All of this is pretty far off imo
[01:15] Unless mark gets a hankering and pays for it
[01:17] Well that was something I was hoping to work on. ;-) I'm tired of hearing my friends complain about how AD is so much easier ;0)
[01:19] I was really happy when I saw the ubuntu movement towards this.
[01:19] We need C coders. =)
[01:20] Hehe, I thought the project would mostly be in python seeing the Ubuntu commitment to python.
=== Fujitsu [n=Fujitsu@ubuntu/member/fujitsu] has joined #ubuntu-directory
[01:22] The project consists of pam/nss modules and stuff. =)
[01:22] Dusting off my C programming language book right now :0)
[01:22] All the really big stuff imo, from the client side, is fixing up the pam/nss infrastructure.
[01:22] and nscd
[01:22] and then, yeah, a nice python wizard to configure it all.
[01:22] But still, all the heavy actual work is in C.
[01:23] What needs to be done in C?
[01:23] Yeah, is there going to be a sort of todo list somewhere?
[01:23] I'm working on a plan.
[01:23] http://wiki.ubuntu.com/NetworkAuthentication/Client.
[01:23] Client comes first, unless somebody else starts working on the server independently.
[01:25] Hmm, not subscribed to that one, which is odd, seeing as how I need this spec implemented for the LTSP side of things.
[01:25] Was there any discussion about adapting the already existing tools on fedora?
[01:25] I may be of use here, as I was the fellow who originally added openldap support for shadow components into pam_ldap :)
[01:27] There was, but we don't really like their tools I don't think.
[01:27] And have some good ideas of our own.
[01:27] And ajmitch already has a codebase that works.
[01:28] sbalneav: Sounds super insecure. ;)
[01:28] Check out that wiki page then, change what you think.
[01:29] I'm going to add a new table to NSS.
[01:29] "realm"
[01:29] And do it right.
[01:29] So, it'll be a lot of work to do it right. =)
[01:30] Also I've been thinking about new async getpwent and such APIs
[01:38] wasabi: a lot of the work can be done in python
[01:39] Sure, the wizard, which spits out a pam and nss file.
[01:39] And creates the remote objects and all that cool stuff.
[01:39] But that's not the hard part. That's scripting.
[01:40] The hard part is reducing blocking in nss, or coming up with a good cache strategy, or putting cross realm support into libnss-ldap, or fallback, recover, walking the SRV records.
[01:40] I've been using LDAP+Kerberos for a while now, and the PAM and NSS code needs some updating
[01:40] Yup.
[01:41] there is essentially no viable caching as far as I'm concerned
[01:41] Right now there isn't.
[01:41] Right now I use nss-updatedb =)
[01:41] nscd doesn't seem to work at all, and I can't figure out why it doesn't cache any of my users or groups from the LDAP server
[01:41] I didn't know the whole spec was so extensive. So you really want to make this similar to the windows way.
[01:41] nkassi: I want it to work right, anyways.
[01:41] hehe
[01:42] Yeah nscd is broken.
[01:42] nkassi: that is how I read it....
[01:42] i.e. LDAP+Kerberos
[01:42] Well, obviously, the most important goal from a marketing point is joining AD.
[01:42] Since they are so prevalent.
[01:42] true.
[01:43] But luckily it's a super-set of Kerberos+LDAP.
[01:43] wasabi: can't you already join an AD with samba?
[01:43] I think using NTLM
[01:43] Yeah, but it's not really integrated.
[01:43] We really want pam_krb5.
[01:43] I've had my share of headache trying to do this exact thing ;-) We had to buy a commercial set of pam modules
[01:43] I agree
[01:43] And server-based UIDs
[01:44] has anyone thought about which kerberos server Ubuntu is going to use? Heimdal or MIT?
[01:44] Not really.
[01:45] I suspect when the dust clears we'll be using Heimdal.
[01:45] Simply because the Samba guys are pushing so much new stuff into it.
[01:45] supposedly the MIT server will be able to use LDAP for its user database in the near future
[01:45] Yeah, and Heimdal can now.
[01:45] I am totally convinced that server work is far off.
[01:45] A server without a good client is useless.
[01:45] does the existing pam-krb5 work with heimdal?
[01:45] bmonty: There's a heimdal compile of it.
[01:46] wasabi: don't you think that the server should be worked out before you get the client side going?
[01:46] Not really.
[01:46] We know what we're targeting.
[01:46] wasabi: the main goal is to get an AD-compliant client, right?
[01:46] The first goal, yes.
[01:46] I figured
[01:46] An AD compliant client that relies as much as possible on Krb5/LDAP
[01:47] So the client works with whatever we choose for our own server.
[01:47] I thought the goal was to have the server architecture for AD-like authentication and authorization as well as an update server
[01:47] That's massive long term.
[01:47] obviously you need a client side for that as well
[01:47] If you've used AD you know the issues involved with that.
[01:48] I use LDAP+Kerberos and I know there are plenty of issues there
[01:48] The scope of work with AD is huge.
[01:48] I wish the SSO howto on the wiki wasn't half done
[01:48] I mean, what, it took MS 4 years and a 100 person team?
[01:49] working full time, no less
[01:49] Kerb5 at every level, LDAP schema definition, third party integration.
[01:49] Long term support, upgradability.
[01:49] Replication of schema.
[01:49] A custom CA.
[01:49] Domains, forests.
[01:49] indeed
[01:49] ..figuring out how to lock customers into their solution
[01:49] Pssh. That took them 2 minutes.
[01:50] haha
[01:50] "oh let's add 1 field to krb5"
[01:50] hehe.
[01:50] Other than that, it's plain LDAP/Kerberos.
[01:50] lophyte: which sso howto?
[01:50] http://help.ubuntu.com/community/SingleSignOn
[01:51] I started writing that SSO howto, but I ran out of time to document all of the issues I was running into
[01:51] lophyte: didn't even know that existed
[01:51] https://help.ubuntu.com/community/LDAPClientAuthentication
[01:51] I used that one
[01:51] need to update it
[01:51] I wanna set up a server, though
[01:51] ldap+krb5
[01:51] Go for it.
[01:52] I don't know how.. that's the problem :P
[01:52] I do it for all my client machines.
[01:52] lophyte: the server part is mostly complete
[01:52] I have two KDCs, two LDAP servers.
[01:52] except for how to add users
[01:52] Replicating over the inet. ;)
[01:53] ergh..
[01:53] Heh. If you're telling me slapd can replicate between 500 peers, you've surprised me.
[01:53] Until it can do that, it can't compare to AD. ;)
[01:53] my computer sucks with 2 Xen guests..
=== lophyte thinks he needs more RAM
[01:53] lophyte: vmware.
[01:53] oh just ram?
[01:53] You get xen working?
[01:53] it sucks just as bad with vmware, lol
[01:53] yeah, works fine now
[01:53] my biggest issue was networking.. using NAT, it works fine
[01:54] I haven't seen it documented anywhere, but there is a big issue with udev and having group info on the LDAP server
[01:54] especially with edgy
[01:54] Should be fine... you just need to know how to configure nss right.
[01:54] ie NSS *must never block ever*
[01:55] Since all apps make an assumption that it never will.
[01:55] wasabi: that is one issue
[01:55] The only way to accomplish that is to drive NSS from a pure cache.
[01:55] the second is that the network isn't available when udev assigns groups to the devices it creates
[01:55] You shouldn't need the network for local groups.
[01:55] try this:
[01:55] passwd: compat db
[01:55] group: compat db
[01:56] And use nss_updatedb (package nss-updatedb) to update the DB files from the ldap module.
[01:56] bmonty: there are no instructions for configuring OpenLDAP.. I think that's the biggest issue
[01:56] wasabi: I want to have those groups stored in LDAP directly
[01:56] They are.
[01:57] cronjob, runs once an hour, that refreshes the cache.
[01:57] lophyte: good point, I have an OpenLDAP config file if you are interested
[01:57] lophyte: I am going to write some openLDAP stuff coming up next week or so
[01:57] wasabi: then you have a consistency issue
[01:57] bmonty: where do you configure the sasl binds, in the slapd config?
[01:57] bmonty: Yup. Until nss gets an async API, there is no solution.
[01:57] bmonty: But this one makes the box work. ;)
[01:58] lophyte: yes, you have to configure SASL in slapd.conf
[01:58] You cannot have a network query go out for every group lookup. NSS is always used single threaded.
[01:58] bmonty: ah, alright..
[01:58] The best option I have is a daemon which keeps the local cache up to date, by subscribing to LDAP notifications.
[01:59] And that daemon's name might be nscd in the future. heh
[01:59] lophyte: the two directives are sasl-secprops and sasl-regexp
[02:00] wasabi: can I get a copy of your nss config file?
[02:00] I need to get more RAM, so I can create a virtual network of computers to tinker with this stuff
[02:00] I've never been able to solve the issues with nss, or find good info on the net
[02:00] lophyte: www.newegg.com
[02:00] american site.. costs for shipping :P
[02:01] it's probably cheaper to shop locally
[02:01] it isn't here :)
[02:02] hehe
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
[02:02] lophyte: you can use a pretty much stock LDAP config, but you have to add a couple of things for SASL to work correctly
[02:02] yeah, there's nothing local around here that is cheaper than newegg + shipping ;-)
[02:02] oi..
[02:03] I've also found that SASL binds do not work on 64-bit machines
[02:03] $60 for 512mb
[02:03] not bad
[02:04] I still have to check and see if that is true with edgy though
[02:04] I have a 64 bit machine which binds using SASL just fine.
[02:04] It's not a server though.
[02:04] alright, i gotta go..
[02:05] perhaps later tonight I'll have some time to set this up
[02:05] wasabi: what is the architecture of your server machine?
[02:05] bbl
[02:05] em64t
[02:05] But it's windows. =)
[02:05] ok, I'm running OpenLDAP on i386, and SASL binds cause a segfault on the 64-bit machines
[02:06] 64bit clients?
[02:06] wasabi: yes
[02:07] Hmm.
[02:07] dapper?
[02:07] yeah with dapper
[02:07] oh well. core dump, post a bug.
[02:07] I haven't tested with edgy yet
[02:07] dist upgrading to edgy completely hosed my machine due to the LDAP/Kerberos setup I had
[02:08] heh
[02:08] it wouldn't boot even in "safe mode"
[02:08] Just set up NSS differently.
[02:09] wasabi: yeah, I wish I had known that
[02:09] once I did the dist upgrade though it was too late
[02:09] livecd + fix
[02:09] or init=/bin/bash
[02:09] where can I find info about setting up nss?
[02:09] Not really anywhere.
[02:09] me =)
[02:09] wasabi: too late, I already rebuilt the box :)
[02:10] ahh. you never have to rebuild a linux box.
[02:10] You can always just boot with init=/bin/bash, get a shell, fix the problem, and reboot.
[02:10] do you have a working nss config file I can copy?
[02:10] soon, I am going to rewrite the LDAPclient stuff
[02:10] bmonty: Use libnss-db + nss-updatedb
[02:10] which will fix all the issues
[02:10] It's the only reasonable way to remove the issue.
[02:10] BTW, other stuff I have been working on is a python binding for libkrb5
[02:10] Oh that's you?
[02:10] I saw somebody post about that someplace.
[02:11] and I also started a python-based LDAP user config utility
[02:11] both are still very experimental
[02:11] isn't the latter just n-a?
[02:11] my python-krb5 is based on MIT's code, so it will require some modification if the decision is to use heimdal
[02:12] bmonty: What's your goal with that?
[02:12] What are you binding?
[02:12] GSSAPI or?
[02:12] wasabi: so you can use the krb5 library directly from python
[02:12] To do what?
[02:12] kadmin?
[02:12] whatever you want
[02:13] Just wondering what sort of program you would build that uses that.
[02:13] kadmin uses the krb5 lib to do its functions
[02:13] I have a rewrite of klist in python using my bindings
[02:13] I don't have enough of the API to do kadmin...yet
[02:14] for a lot of client side stuff you probably want to use GSSAPI
[02:14] but I think if you want to have a tool that can manage a LDAP+Kerberos server you need to use the krb5 lib
[02:15] ...and if you want to write in C there is no problem with that
[02:15] if you want to use python to develop your solution you are stuck since there is currently no binding to the krb5 libs that python can use
[02:16] Well, doesn't help much with AD.
[02:16] That I can see.
[02:16] interesting: http://lists.debian.org/debian-devel/2006/10/msg01177.html
[02:16] why do you say that?
[02:16] Since you don't use anything resembling kadmin to manage principals.
[02:17] krb5 tools can talk to AD
[02:17] And there's no need for client management of kerberos at all.
[02:17] It should work silently and transparently.
[02:17] wasabi: you are assuming that I'm running AD on a windows box, correct?
[02:17] No.
[02:17] I'm just comparing MS's solution to our potential one.
[02:18] Which is that I don't want our users dealing with krb5 principals. ;)
[02:18] New User, type the name, done.
[02:18] The only interface component we should need on the desktop is a notification tray that says "Your authentication has expired. Please click here to renew. *button*"
[02:19] wasabi: ajforgue has a little ticket applet thing he wrote.
[02:19] Yeah. I hope we don't have to show it to users ever. ;0
=== bmonty [n=bmonty@ubuntu/member/bmonty] has joined #ubuntu-directory
[02:20] wasabi: do we have pieces of software in universe that need to migrate to main?
[02:20] wasabi: what are you using to manage users and groups in your setup?
[02:20] GQ mostly.
[02:21] Burgundavia: Probably will.
[02:21] which is a decent tool, but can't manage kerberos principals
[02:21] Yeah. I don't want to expose kerberos princs to users.
[02:22] I sort of want them to be stored in LDAP.
[02:22] I was thinking that eventually we need a tool that can manage users in the LDAP directory and the krb5 database
[02:22] Also I'd be worried about the security/policy issues of separating the two.
[02:22] wasabi: I want that as well
[02:22] ie an admin user could potentially compromise the integrity of the relation between the two.
[02:22] Once again, pulling another example from windows. They have discrete APIs to create a user... which handles the kerberos part and ldap part together.
[02:22] And makes sure all succeeds.
[02:23] is there an open source solution that can do that?
[02:23] Not yet.
[02:23] hence the need for tools to manage those
[02:23] Yes, new tools... which don't use kadmin.
[02:23] Consider this. In my company, HR creates users.
[02:23] Because HR hires and fires them.
[02:24] yup, which requires that you can link in the krb5 lib...
[02:24] Nope.
[02:24] So, the HR users have permissions to create users. Not permissions to create principals.
[02:24] Does this tool require a separate spec? 'Cause work on that could be started pretty much now. It would be extremely useful currently.
[02:24] Not permissions to create LDAP objects.
[02:24] but discrete permissions to issue a CreateUser RPC call to the server.
[02:24] The logic of that lives on the server, where it can't be subverted.
[02:24] If the user himself could create a principal, he could create one, and link it to any object.
[02:25] Or rename it independently.
[02:25] Or assign permissions to it he didn't otherwise have the permission to assign.
[02:25] HR can create users, but they cannot touch anything critical. They are not systems admins.
[02:25] that all makes sense to me
[02:25] It's something we're missing.
[02:25] Completely.
[02:26] we are missing it in that there are currently no tools that implement that process
[02:26] I think the software that is available has features that could be used to make that work
[02:26] without rewriting a whole ton of stuff
[02:27] Sure, but I don't think allowing kadmin access from a client machine solves it.
[02:28] wasabi: I agree, I never proposed that
[02:29] BTW, can I take a look at your nss config file?
[02:29] and what were the other nss packages you said I needed to install?
[02:31] nss-updatedb
[02:31] my config file is "passwd: compat db"
[02:32] group: compat db
[02:32] nothing else
[02:32] and this basically copies the users and groups from the LDAP server to the local machine?
[02:36] hey bmonty
[02:37] hi ajmitch
[02:39] whiprush: you around?
[02:39] bmonty: coming to MV?
[02:39] ajmitch: no
[02:39] unfortunate
[02:40] yeah...I'm way too busy at work
[02:42] ajmitch: is this going to get discussed at MV?
[02:43] definitely
[02:44] write up anything else you think we need
[02:44] ok
[02:48] bmonty: I have been using lat instead of gq
[02:48] a little crashy, but a much nicer UI
[02:48] ajmitch: yeah
[02:48] whiprush: got the hotel details?
[02:48] dang, not on me, I did it old school. (pen and paper)
=== ajmitch will need to give these details to the friendly people in customs :)
[02:48] ok
[02:48] oh
[02:49] let me find it on the map
[02:49] I just lie
[02:49] mainly just the address
[02:49] Burgundavia: I also want to know where it is
=== bmonty [n=bmonty@ubuntu/member/bmonty] has left #ubuntu-directory []
[02:49] http://www.choicehotels.com/ires/en-us/html/HotelInfo?hotel=CA679&promo=gglocal
[02:49] booya
[02:49] nice, I wonder how dodgy it is
[02:50] one of my friends works at google and said that it was nice.
=== bmonty [n=bmonty@ubuntu/member/bmonty] has joined #ubuntu-directory
[02:50] not like, omg nice. but a nice normal hotel for a decent price
[02:50] that's excellent
[02:51] aha, found it on google maps
[02:51] nice & close to google HQ
[02:51] yep
[02:52] learned my lesson after staying all far at the boston summit
[02:52] right by the freeway though
[02:52] like *right* beside it, by the look of the map
[02:53] are you concerned about the noise?
[02:54] it shouldn't be too bad, I guess
[02:54] ajmitch: whiprush's melodious snoring will drown out all
[02:54] bmonty: "nss-updatedb ldap" will retrieve the entire passwd/group tables from the libnss-ldap module, and store them in a bdb database.
[02:54] bmonty: the "db" nss module will read from those.
[02:54] whiprush: that's what I expect
[02:54] You schedule nss-updatedb to be run, using GSSAPI/SASL binding, every hour or something reasonable.
[02:54] As root.
[02:54] whiprush: looks like we get free google wifi
[02:55] ajmitch: don't worry, it's california, the cars don't actually move on the freeway
[02:55] it's more of a parking lot.
[02:55] I wish I could drive.
[02:55] wasabi: ok, thanks
[02:56] haha
[02:56] whiprush: what are the arrangements for the airport? shall I try & get a shuttle in?
[02:57] ajmitch: I recommend the train
[02:57] the BART
[02:58] but the BART doesn't go down that way, does it?
[02:58] but we should probably ask someone from mountain view
[02:58] it goes to mountain view
[02:58] then you can cab from there
=== ajmitch really hopes he gets paid before saturday :)
[02:01] either that or if I catch a shuttle in, mpt & infinity are on the same flight as I am
[02:02] from sfo there is a train
[02:02] whiprush: we caught that
[02:02] caltrain
[02:02] however, google runs buses from downtown
[02:02] and I presume the airport
[02:02] they may be running buses for us
[02:02] canonical sponsored people have been told that there's a shuttle
[02:02] not google-provided
[02:03] ah
[02:03] Supershuttle http://www.supershuttle.com/. From San Francisco, it would
[02:03] be about $40-45.00 one way.
[02:03] expensive
[02:05] you are landing at sfo?
[02:05] yeah
[02:06] sfo is on the caltrain run
[02:06] so I saw
[02:06] I would take that to mtv, and then take a taxi from there
[02:06] I'd have to check where it stops in MV
[02:06] downtown
[02:06] about 20 minutes from google
[02:06] ok
[02:06] this is the train we took for ubucon
=== Burgundavia whips whiprush for being useless about this sort of stuff
[02:07] how much does it cost?
[02:07] caltrain? $10?
[02:07] k
[02:08] whiprush: when do you get to the hotel?
[02:08] damn, all these questions!
[02:08] sec
[02:08] heh
[02:09] we like to plan ahead :)
[02:11] probably 8-ish on Saturday the 4th.
[02:11] 8pm
[02:12] I'll have your name on the room if you get there before we do.
[02:12] much earlier
[02:12] flight lands at 11:15AM
[02:12] ok
[02:12] when I finalize the reservation I'll let them know you'll be coming in first
[02:13] I can probably fill in the time :)
[02:13] thanks
[02:13] I am sure there will be people around to hang out with
[02:13] google is open on the weekends, I wonder if people will be hanging out there.
[02:13] I wonder how long it'll take to walk to google
[02:14] ajmitch: hopefully my friend will be our ride in every day, heh.
[02:14] yeah, but I may go for a walk anyway
[02:15] oh
[02:17] besides, I need to wander into MV about 5pm or so
[02:20] I wouldn't mind walking every day if it's like, less than 45 minutes or something
[02:20] looks like it may be, but the tricky part is where to cross the freeway
[02:21] I am trying to remember if it's an elevated freeway
[02:21] let me ask my google friend
[02:22] got a linky to the map?
[02:22] I might be able to remember
[02:22] http://maps.google.com/maps?f=q&hl=en&q=hotel+Mountain+View,+CA&ie=UTF8&z=14&ll=37.40746,-122.082739&spn=0.04568,0.114326&om=1&iwloc=H
[02:22] just looking at google maps
[02:23] I remember driving by that airbase multiple times
[02:23] we're at H on that map
=== lophyte has never been to Cali
=== ajmitch has only been in airports there
[02:24] actually I've never been out of Canada...
[02:24] or Ontario at that
=== lophyte is sheltered :(
[02:25] took me a while to get out of NZ
[02:26] just clicked on the map link...I've actually been there before :)
[02:26] alrighty.. I'm gonna go through the SSO howto
[02:26] bmonty: the hotel, or the area?
[02:26] the area
[02:27] I think the hotel I stayed at was right down the street
[02:27] I remember thinking that the place was set up to get around really easy without a car
=== lophyte looks at his bank account and sighs
[02:28] lophyte: I know how it is
[02:28] bread & water for me for the week :)
[02:29] lol
[02:29] I really need to find a job..
[02:30] ajmitch: my friend says it's 10-20 minute walk!
[02:30] oh if I get paid this week I'd have about $2K USD by the weekend, and I'd be fine
[02:30] I don't get paid.. so..
[02:30] this is all I have
[02:30] whiprush: wonderful :)
[02:30] whiprush: I could probably walk from the train station too :)
[02:31] that was like a 15 minute drive
[02:31] but the area down there is nice
[02:31] ok
[02:31] you could probably walk around the shopping areas and whatnot if you're bored
[02:32] the train station looks closer than google does
[02:32] it's a walk straight down moffett blvd
[02:33] yeah, since I can't get to mass on the sunday, I'll be going on saturday, so that'll take some time
[02:33] conveniently that's right beside the train station
=== cliebow [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory
[03:49] Burgundavia: where can I find channel logs?
[03:49] is it still on people.something?
[03:49] whiprush: for this channel?
[03:49] ya
[03:49] people.ubuntu.com/~fabbione/irclogs
[03:49] ta
=== Shish [n=shish@raptor.ukc.ac.uk] has joined #ubuntu-directory
=== sbalneav [n=sbalneav@S0106000b6a5631f9.wp.shawcable.net] has left #ubuntu-directory []
[06:21] So I've been thinking about the caching problem.
[06:21] Number of different solutions.
[06:22] either fix nscd, or use/write something else.
[06:22] The db idea is pretty appealing.
[06:27] Guess I'd be worried about db corruption though.
[06:27] hmmmmmmmmmmm
[06:34] I guess it would be reasonable for remote users to simply not exist until nscd starts.
[06:34] wasabi: also I thought about something while driving around today
[06:34] that RH cert server isn't oss.
[06:36] They have a cert server?
[06:36] yep
[06:36] I've heard some good things about OpenCA.
[06:36] I was driving around and was like "oh shit, we're going to need one of those."
[06:36] Yeah.
[06:36] Thought about it earlier.
[06:36] Again, this is why server-side is a huge project. ;)
[06:37] So many pieces that all tie in together.
[06:37] And are huge on their own.
[06:38] I've sort of got a game plan for where I will start work at. I've already got a broken patch to add a realm table to nss.
[06:38] I'll get that done, then start digging into libnss.
[06:38] -ldap that is
[06:40] Or whatever. To be honest, I don't have enough time for this.
[06:41] me->bed
=== alp [n=alp@host-87-74-40-238.bulldogdsl.com] has joined #ubuntu-directory
=== robertj [n=robertj@68-114-40-215.dhcp.athn.ga.charter.com] has joined #ubuntu-directory
=== MagnusR [n=magru@c83-250-59-127.bredband.comhem.se] has joined #ubuntu-directory
[03:47] morning all
[04:03] moni
[04:15] Does anybody want to be responsible for separating server stuff out of NetworkAuthentication?
[04:16] you mean in the specification?
[04:16] just the wiki.
[04:16] it needs cleanup
[04:17] I can give it a try. Shall I create a new page NetworkAuthenticationServer to put things that are cleaned out until we know where to put it?
[04:18] https://wiki.ubuntu.com/NetworkAuthentication/Client is client stuff
[04:18] So, I'd imagine /Server would be server stuff.
[04:20] Hmm seems that we have three different pages today: https://wiki.ubuntu.com/NetworkAuthentication https://wiki.ubuntu.com/NetworkAuthentication/Client https://wiki.ubuntu.com/NetworkAuthentication/ScratchPad
[04:20] ScratchPad was some stuff I was just braindumping too
[04:20] It can be ignored. =)
=== bmonty [n=bmontgom@ubuntu/member/bmonty] has joined #ubuntu-directory
[04:23] wasabi: was it you that had some ideas about an offline "cache" (using bzr) for a networked filesystem?
[04:24] yeah
[04:24] do you know about FS-Cache? it only provides the basic support for caching stuff but the offline-use is left to the fs itself
[04:24] Not a networked file system.
[04:25] What about using ifolders?
[04:26] anyone familiar with the novell ldap stuff?
[04:26] Not really. Never had a chance to touch it.
[04:26] i think we have a good c# ldap stack
[04:27] that should be "they"
[04:28] don't know if their directory services are based on that, think it's all new
[04:30] ald: do you mean eDirectory?
[04:30] alp: ^^
[04:30] I think the c#-bindings are used to connect new things to the old NDS stuff.
[04:33] http://developer.novell.com/wiki/index.php/Ldapcsharp <- looks standards based and pretty active
[04:43] wtf :\
[04:43] kadmin: Improper format of Kerberos configuration file while initializing krb5 library
[04:45] Novell's LDAP C# libraries are fine.
[04:45] But I suspect nobody here is going to use them.
[04:45] lophyte: check your krb5.conf file, especially the part that tells the lib how to contact the kadmin server
[04:46] why do I get the feeling these locale errors are wreaking havoc
[04:48] wasabi: oh, what's the game plan?
[04:49] when i put together the mono debian packages and policy all those years ago this is exactly the kind of neat project i had in mind :-)
[04:50] i am unfamiliar with the python libraries though, it's quite possible they're more suitable
[04:52] I think Apple have released Python Bindings for parts of kerberos.
[04:53] MagnusR: do you have a link?
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
[04:54] i have done some work with managed pam plugins and nss
[04:55] Yeah, but whatever we do, I want to have uptake on every distro.
[04:55] And there's a political situation that matters.
[04:55] Managed NSS sounds sorta wonky too. A CLR in every process instance?
[04:56] Unless it's a shim to an out of process CLR or something.
[04:57] the nss stuff was just for configuration
[04:59] I think we've got a pretty good plan on where to go from here for client side stuff. I think now I'll just do some little work before UMV to make sure it's reasonable, then have the full conversation at UMV.
[04:59] Unless mark pays some people, it's not going to happen... I suspect. =)
[05:00] i think it would be doable in a few months if it didn't aim to interoperate with AD, use ldap properly and so on
[05:00] All that's needed to interoperate with AD is LDAP.
[05:00] And Kerberos.
[05:00] AD isn't very special.
[05:01] bmonty: It is called python-kerberos in debian unstable. It's under Apache License
[05:01] MagnusR: thanks
[05:02] apparently integrating the c# ldap libraries with kerberos is on the novell todo list, though that means it's not around now (http://forge.novell.com/modules/xfmod/newsportal/article.php?group_id=1318&msg_id=981&group=novell.devsup.ldapcsharp)
[05:04] ergh.. why won't the kdc run..
[05:04] Error?
[05:04] nothing at all
[05:04] Well, it has logs. =)
[05:05] yeah, but there's no logs either
[05:05] /var/log/krb5kdc i think
[05:05] yeah nothing there
[05:05] well, try to start it without the init script.
[05:06] then strace it.
[05:10] krb5kdc: cannot initialize realm BLINDUTOPIA.COM - see log file for details
[05:10] but there's no log file
[05:10] Heh.
[05:11] that's helpful
[05:11] stupid kdc
[05:12] Interesting. Looks like Heimdal and MIT both have PKINIT support, and so does pam_krb5.
[05:12] I think our pam-krb5 is diverged.
[05:15] Yeah. Completely.
[05:18] pam_krb5 from redhat?
[05:18] Yeah. Looks like the two bases diverged years ago.
[05:19] Ours seems to be maintained still, theirs is only maintained internally.
[05:19] yep
[05:19] oi.
[05:19] http://www.stacken.kth.se/lists/heimdal-discuss/2006-10/msg00034.html
[05:19] oh, there are tools in fedora/rhel that notify about expired tickets
[05:20] We got PKINIT patches just a few days ago.
[05:20] Looks like Nalin from RH is participating in the conversation (I talked to him a few years ago, he maintained libpam-krb5 internally)
[05:20] so I bet they'll merge again
[05:21] this is silly
[05:22] I have started to move server things from https://wiki.ubuntu.com/NetworkAuthentication to https://wiki.ubuntu.com/NetworkAuthentication/Server. Please add and comment.
[05:22] Nice. Thanks.
[05:23] slapd is from openldap? how about fedora directory server?
[05:24] oh, it was mentioned
[05:24] =)
[05:24] (on the wiki)
[05:25] Fedora DS has a lot of nice web interfaces. So I think it should be evaluated. Unfortunately it takes more resources.
[05:25] I remember seeing an ITP of it
[05:25] Anyone know if there are any debs for it?
[05:25] There aren't.
[05:25] Few people here were working on it
[05:26] The interfaces require Sun's JRE.
[05:26] That's bad
[05:26] hrm
[05:26] but we have that now :)
[05:26] so I got the kdc to start..
[05:26] but now kadmin fails
[05:30] Think I'm going to try to migrate my kerberos to LDAP
[05:30] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315297
[05:30] that's the ITP
[05:31] wasabi: But with only ldap you do not get the SSO possibility.
[05:31] Huh?
[05:31] magnusR: does fds have a kdc as well?
[05:32] Didn't say replace Kerberos.
[05:32] Store keys in LDAP
[05:32] wasabi: ok, misunderstood you
[05:32] tepsipakki: no
=== lophyte [n=dsulliva@ubuntu/member/lophyte] has joined #ubuntu-directory
[05:34] ugh.. okay, I give up
=== bmonty is now known as bmonty_away
[06:01] Anybody aware how to enable simple bind in slapd only over ldapi?
[06:11] Interesting. When creating a new principal, it doesn't search for existing objects.
[06:11] That's not so good.
=== lophyte [n=dsulliva@ubuntu/member/lophyte] has left #ubuntu-directory []
=== lophyte [n=dsulliva@ubuntu/member/lophyte] has joined #ubuntu-directory
=== lophyt1 [n=dsulliva@bas5-toronto63-1096730685.dsl.bell.ca] has joined #ubuntu-directory
=== lophyt1 is now known as lophyte
[06:41] hrm..
[06:45] yay, more errors
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
[06:56] how do I add a host principal in krb5?
[07:01] kadmin
[07:01] host/fqdn
[07:01] how do you use kadmin without already having a principal set up, though?
[07:01] kadmin -l
[07:01] ah.
[07:02] ..eh, there is no l option
[07:02] kadmin.local then with MIT
[07:02] hehe, no kadmin.local either :P
[07:02] Beats me then. ;)
[07:03] one of the two should be present.
[07:03] or do I need krb5-admin-server installed
[07:04] meh.. i have to go
[07:05] I'll look for a complete howto later
=== SimonAnibal [n=sruiz@adsl-68-251-147-250.dsl.bltnin.ameritech.net] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== SimonAnibal [n=sruiz@adsl-68-251-147-250.dsl.bltnin.ameritech.net] has joined #ubuntu-directory
=== chuckyp [n=chuckyp@adsl-75-36-112-138.dsl.bcvloh.sbcglobal.net] has joined #ubuntu-directory
=== darkpixel [n=darkpixe@longview-cuda1-g2-70-36-101-183.losaca.adelphia.net] has joined #ubuntu-directory
=== SimonAnibal [n=sruiz@adsl-68-251-147-250.dsl.bltnin.ameritech.net] has joined #ubuntu-directory
=== SimonAnibal [n=sruiz@adsl-68-251-147-250.dsl.bltnin.ameritech.net] has joined #ubuntu-directory
[10:21] can you guys recommend a tutorial and/or good documentation for MIT Kerberos in edgy?
=== ajmitch would have to dig through his bookmarks at home
[10:23] Nope.
[10:39] ajmitch, wasabi: would one of you mind responding to that -directory announce post on -devel and answer those people's questions?
[10:40] looking
[10:40] oh. missed all that
[10:41] I tried tp3 a week ago
[10:42] shared libraries are broken, so I couldn't run the provisioning script
[10:42] or program, actually
[10:43] that's samba-4.0.0tp3 I was talking about :)
[10:44] yep
[10:44] I saw your post on the samba list :)
=== ajmitch was trying it out as well
[10:45] oh :)
[10:46] the packaging needed some tweaks to get through
[10:46] yes
=== ajmitch was looking at that also
[10:47] anyway, I'm looking forward to the beta
[10:48] whenever that is released..
[10:48] yep
[10:58] What do I want to respond to? heh
[11:07] What do I want to respond to? heh
[11:14] Burgundavia: I don't think I have time now to finish up the -ca approval..
I've got some things that need to be taken care of offline at the moment === lophyte [n=dsulliva@ubuntu/member/lophyte] has joined #ubuntu-directory === netjoined: irc.freenode.net -> brown.freenode.net === bmonty_away [n=bmontgom@ubuntu/member/bmonty] has joined #ubuntu-directory === MagnusR_away [n=magru@c83-250-59-127.bredband.comhem.se] has joined #ubuntu-directory === robertj [n=robertj@68-114-40-215.dhcp.athn.ga.charter.com] has joined #ubuntu-directory === alp [n=alp@host-87-74-40-238.bulldogdsl.com] has joined #ubuntu-directory === Shish [n=shish@raptor.ukc.ac.uk] has joined #ubuntu-directory === cliebow [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory === siretart [i=siretart@ubuntu/member/siretart] has joined #ubuntu-directory === lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr] has joined #ubuntu-directory === whiprush [n=jorge@2001:5c0:8fff:fffe:0:0:0:2fad] has joined #ubuntu-directory === Toadstool [n=jcorbier@ubuntu/member/toadstool] has joined #ubuntu-directory === ajmitch [n=ajmitch@ubuntu/member/ajmitch] has joined #ubuntu-directory === wasabi_ [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory