=== fernando_ [n=fernando@200.96.251.210] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== wasabi_ [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== Burgundavia [n=corey@S0106000fb085cc63.gv.shawcable.net] has joined #ubuntu-directory
=== Fujitsu [n=Fujitsu@ubuntu/member/fujitsu] has joined #ubuntu-directory
=== fernando [n=fernando@unaffiliated/musb] has joined #ubuntu-directory
=== zch [n=zach@213-229-48-187.sdsl-line.inode.at] has joined #ubuntu-directory
=== zch [n=zach@213-229-48-187.sdsl-line.inode.at] has joined #ubuntu-directory
zch | hi | 02:09 |
zch | hi ajmitch, I want try your authtool app, but I have a dependency problem | 02:11 |
zch | "ImportError: No module named Version" | 02:11 |
=== SimonAnibal [n=sruiz@66.244.123.100] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
zch | hi | 03:25 |
zch | does someone know the dependencies from ajmitch's authtool? | 03:26 |
=== cliebow_ [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory
=== nkinder [i=nkinder@nat/redhat/x-ef51a32ed9bdf8f4] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== zch [n=manuel@85-124-232-237.work.xdsl-line.inode.at] has joined #ubuntu-directory
=== Burgwork [n=corey@ubuntu/member/burgundavia] has joined #ubuntu-directory
=== oconfig [i=forgue@2001:5c0:8fff:ffff:8000:0:8dd2:914] has joined #Ubuntu-Directory
=== oconfig is now known as ajforgue
ajforgue | So I want to use LDAP to maintain lists of users that have access to servers. Right now we do |(uid=...)(uid=...) which is a pain in the ass. Would it make sense to do |(eduPersonAccess=unix)(eduPersonHostAccess=FQDN) and add those attributes to users or is there a better way? | 07:12 |
fernando | (&(eduPersonAccess=unix)(eduPersonHostAccess=FQDN)) this? | 07:13 |
ajforgue | well, it has to be or, because eduPersonAccess=unix would get access to ALL unix/linux hosts. | 07:14 |
ajforgue | forgot to explain that... heh | 07:14 |
ajforgue | we have 100 something servers, so potentially someone could have an attribute with that many entries | 07:19 |
ajforgue | Ideally I want pam_ldap to do something better ;_; | 07:23 |
wasabi | morning | 07:40 |
ajforgue | hey jerry | 07:42 |
wasabi | hi | 07:45 |
=== nkassi [n=nkassi@yoda.tcc.fl.edu] has joined #ubuntu-directory
zch | hi | 08:10 |
zch | ajforgue: I do not really understand you | 08:16 |
zch | ajforgue: what is your current solution? | 08:16 |
zch | "|(uid=...)(uid=...)" means what? is this your "pam_filter" string? | 08:18 |
ajforgue | yeah | 08:21 |
ajforgue | I guess I suck at explaining things | 08:21 |
zch | ajforgue: are you looking for a better pam-filter? | 08:22 |
ajforgue | something more centrally maintainable than what I have now | 08:23 |
ajforgue | not really ubuntu-directory specific, just general ldap/linux question | 08:24 |
ajforgue | I'd rather use groups, but pam_filter doesn't really make that easy | 08:25 |
zch | I do not know the eduPerson* attributes, but what about: (&(uid=*)(eduPersonAccess=unix)(eduPersonHostAccess=FQDN)) ? | 08:26 |
zch | from which schema is eduPerson* | 08:27 |
ajforgue | educause.. http://www.educause.edu/content.asp?PAGE_ID=949&bhcp=1 | 08:28 |
ajforgue | almost every university uses it | 08:28 |
zch | oh thanks, for the info | 08:28 |
zch | do I understand it right: you have a lot of users, but not every user should have access to every server, is that right? | 08:31 |
ajforgue | yup | 08:35 |
ajforgue | so I'm creating an attribute that's set if they should have access to all Servers. and one for specific hosts | 08:36 |
ajforgue | since we have 35000 users, only some of them will have access to some servers | 08:36 |
ajforgue | and only a few people with access to all of them | 08:36 |
ajforgue | ldapsearch -Y GSSAPI -h rhds1.sys.oakland.edu '(|(ouEduPersonHostAccess=anthracite.sys.oakland.edu)(ouEduPersonGlobalAccess=unix))' | 08:37 |
ajforgue | so that says allow people with specific access to this host OR users with access to all unix hosts | 08:37 |
ajforgue | which I think will work | 08:37 |
zch | what is wrong with this filter? | 08:41 |
ajforgue | nothing -- just asking if this seems like a good idea | 08:42 |
zch | are these attributes indexed? | 08:43 |
ajforgue | yup | 08:43 |
zch | I think this filter is ok | 08:46 |
zch | but I am not an LDAP-guru | 08:46 |
fernando | ajforgue: | is right? OR | 08:47 |
zch | pam-ldap has an extra option for host access control, it uses the "host" attribute, perhaps it uses a more intelligent mechanism | 08:48 |
ajforgue | yeah, "|" is right | 08:51 |
zch | ajforgue: why are you not so happy with this filter? | 08:52 |
ajforgue | It feels like a hack | 08:52 |
ajforgue | but it's linux, so I guess I should get used to it | 08:52 |
ajforgue | pam_check_host_attr? | 08:53 |
zch | yes, but you can't use it | 08:53 |
zch | I only think it does something special because a (&($filter)(host=FQDN)) would not be so hard | 08:55 |
ajforgue | I want to use ouEduPersonGlobalAccess for other stuff like web applications and such, so I'll not use pam's thing | 08:58 |
zch | btw, for pam_check_host_attr: http://www.nabble.com/Regarding-%22pam_check_host_attr%22-t1127306.html | 09:00 |
zch | ajforgue: why do you use (|(uid=...)(uid=...)) and not '(|(ouEduPersonHostAccess=anthracite.sys.oakland.edu)(ouEduPersonGlobalAccess=unix)) ? | 09:05 |
ajforgue | that's what we're moving to | 09:17 |
zch | ajforgue: I think I get it | 09:18 |
zch | ajforgue: which LDAP server do you have? | 09:20 |
ajforgue | RHDS | 09:20 |
ajforgue | aka FDS | 09:20 |
zch | for how long? | 09:21 |
ajforgue | it's not in production yet | 09:22 |
ajforgue | it will be by the end of the year | 09:22 |
=== cliebow_ [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory
zch | ajforgue: and how do you manage 35000 users? | 09:24 |
ajforgue | lots of perl and php | 09:26 |
ajforgue | that thankfully I don't have to maintain | 09:26 |
zch | :) | 09:26 |
ajforgue | we have an ERP that the data comes out of, so we just sync from there | 09:27 |
zch | ajforgue: own perl and php apps? | 09:27 |
ajforgue | yeah | 09:29 |
ajforgue | with a web interface | 09:30 |
ajforgue | @_@ | 09:30 |
=== robertj [n=robertj@68-117-213-120.dhcp.athn.ga.charter.com] has joined #ubuntu-directory
ajforgue | ajmitch: can you send me the pictures you took? | 10:41 |
ajmitch | yeah, I probably can | 10:43 |
zch | hi ajmitch | 10:46 |
zch | ajmitch: can I help with authtool? | 11:05 |
zch | hmm, no? :( | 11:12 |
Burgwork | it is currently very early in ajmitch's morning | 11:14 |
zch | hm, ok | 11:16 |
zch | good night | 11:46 |