/srv/irclogs.ubuntu.com/2006/11/13/#ubuntu-directory.txt

=== fernando_ [n=fernando@200.96.251.210] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== wasabi_ [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== Burgundavia [n=corey@S0106000fb085cc63.gv.shawcable.net] has joined #ubuntu-directory
=== Fujitsu [n=Fujitsu@ubuntu/member/fujitsu] has joined #ubuntu-directory
=== fernando [n=fernando@unaffiliated/musb] has joined #ubuntu-directory
=== zch [n=zach@213-229-48-187.sdsl-line.inode.at] has joined #ubuntu-directory
02:09 <zch> hi
02:11 <zch> hi ajmitch, I want to try your authtool app, but I have a dependency problem
02:11 <zch> "ImportError: No module named Version"
=== SimonAnibal [n=sruiz@66.244.123.100] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
03:25 <zch> hi
03:26 <zch> does someone know the dependencies of ajmitch's authtool?
=== cliebow_ [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory
=== nkinder [i=nkinder@nat/redhat/x-ef51a32ed9bdf8f4] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== zch [n=manuel@85-124-232-237.work.xdsl-line.inode.at] has joined #ubuntu-directory
=== Burgwork [n=corey@ubuntu/member/burgundavia] has joined #ubuntu-directory
=== oconfig [i=forgue@2001:5c0:8fff:ffff:8000:0:8dd2:914] has joined #Ubuntu-Directory
=== oconfig is now known as ajforgue
07:12 <ajforgue> So I want to use LDAP to maintain lists of users that have access to servers. Right now we do |(uid=...)(uid=...) which is a pain in the ass. Would it make sense to do |(eduPersonAccess=unix)(eduPersonHostAccess=FQDN) and add those attributes to users, or is there a better way?
07:13 <fernando> (&(eduPersonAccess=unix)(eduPersonHostAccess=FQDN)) this?
07:14 <ajforgue> well, it has to be or, because eduPersonAccess=unix would get access to ALL unix/linux hosts.
07:14 <ajforgue> forgot to explain that... heh
07:19 <ajforgue> we have 100 something servers, so potentially someone could have an attribute with that many entries
07:23 <ajforgue> Ideally I want pam_ldap to do something better ;_;
07:40 <wasabi> morning
07:42 <ajforgue> hey jerry
07:45 <wasabi> hi
=== nkassi [n=nkassi@yoda.tcc.fl.edu] has joined #ubuntu-directory
08:10 <zch> hi
08:16 <zch> ajforgue: I do not really understand you
08:16 <zch> ajforgue: what is your current solution?
08:18 <zch> "|(uid=...)(uid=...)" means what? is this your "pam_filter" string?
08:21 <ajforgue> yeah
08:21 <ajforgue> I guess I suck at explaining things
08:22 <zch> ajforgue: are you looking for a better pam_filter?
08:23 <ajforgue> something more centrally maintainable than what I have now
08:24 <ajforgue> not really ubuntu-directory specific, just a general ldap/linux question
08:25 <ajforgue> I'd rather use groups, but pam_filter doesn't really make that easy
08:26 <zch> I do not know the eduPerson* attributes, but what about: (&(uid=*)(eduPersonAccess=unix)(eduPersonHostAccess=FQDN)) ?
08:27 <zch> from which schema is eduPerson*?
08:28 <ajforgue> educause.. http://www.educause.edu/content.asp?PAGE_ID=949&bhcp=1
08:28 <ajforgue> almost every university uses it
08:28 <zch> oh, thanks for the info
08:31 <zch> do I understand it right: you have a lot of users, but not every user should have access to every server, is that right?
08:35 <ajforgue> yup
08:36 <ajforgue> so I'm creating an attribute that's set if they should have access to all servers, and one for specific hosts
08:36 <ajforgue> since we have 35000 users, only some of them will have access to some servers
08:36 <ajforgue> and only a few people with access to all of them
08:37 <ajforgue> ldapsearch -Y GSSAPI -h rhds1.sys.oakland.edu '(|(ouEduPersonHostAccess=anthracite.sys.oakland.edu)(ouEduPersonGlobalAccess=unix))'
08:37 <ajforgue> so that says allow people with specific access to this host OR users with access to all unix hosts
08:37 <ajforgue> which I think will work
08:41 <zch> what is wrong with this filter?
08:42 <ajforgue> nothing -- just asking if this seems like a good idea
08:43 <zch> are these attributes indexed?
08:43 <ajforgue> yup
08:46 <zch> I think this filter is ok
08:46 <zch> but I am not an LDAP guru
08:47 <fernando> ajforgue: | is right? OR
08:48 <zch> pam_ldap has an extra option for host access control; it uses the "host" attribute, perhaps it uses a more intelligent mechanism
08:51 <ajforgue> yeah, "|" is right
08:52 <zch> ajforgue: why are you not so happy with this filter?
08:52 <ajforgue> It feels like a hack
08:52 <ajforgue> but it's linux, so I guess I should get used to it
08:53 <ajforgue> pam_check_host_attr?
08:53 <zch> yes, but you can't use it
08:55 <zch> I only think it does something special because a (&($filter)(host=FQDN)) would not be so hard
08:58 <ajforgue> I want to use ouEduPersonGlobalAccess for other stuff like web applications and such, so I'll not use pam's thing
09:00 <zch> btw, for pam_check_host_attr: http://www.nabble.com/Regarding-%22pam_check_host_attr%22-t1127306.html
09:05 <zch> ajforgue: why do you use (|(uid=...)(uid=...)) and not '(|(ouEduPersonHostAccess=anthracite.sys.oakland.edu)(ouEduPersonGlobalAccess=unix))' ?
09:17 <ajforgue> that's what we're moving to
09:18 <zch> ajforgue: I think I get it
09:20 <zch> ajforgue: which LDAP server do you have?
09:20 <ajforgue> RHDS
09:20 <ajforgue> aka FDS
09:21 <zch> for how long?
09:22 <ajforgue> it's not in production yet
09:22 <ajforgue> it will be by the end of the year
=== cliebow_ [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory
09:24 <zch> ajforgue: and how do you manage 35000 users?
09:26 <ajforgue> lots of perl and php
09:26 <ajforgue> that thankfully I don't have to maintain
09:26 <zch> :)
09:27 <ajforgue> we have an ERP that the data comes out of, so we just sync from there
09:27 <zch> ajforgue: own perl and php apps?
09:29 <ajforgue> yeah
09:30 <ajforgue> with a web interface
09:30 <ajforgue> @_@
=== robertj [n=robertj@68-117-213-120.dhcp.athn.ga.charter.com] has joined #ubuntu-directory
10:41 <ajforgue> ajmitch: can you send me the pictures you took?
10:43 <ajmitch> yeah, I probably can
10:46 <zch> hi ajmitch
11:05 <zch> ajmitch: can I help with authtool?
11:12 <zch> hmm, no? :(
11:14 <Burgwork> it is currently very early in ajmitch's morning
11:16 <zch> hm, ok
11:46 <zch> good night

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!