=== fernando_ [n=fernando@200.96.251.210] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== wasabi_ [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== Burgundavia [n=corey@S0106000fb085cc63.gv.shawcable.net] has joined #ubuntu-directory
=== Fujitsu [n=Fujitsu@ubuntu/member/fujitsu] has joined #ubuntu-directory
=== fernando [n=fernando@unaffiliated/musb] has joined #ubuntu-directory
=== zch [n=zach@213-229-48-187.sdsl-line.inode.at] has joined #ubuntu-directory
=== zch [n=zach@213-229-48-187.sdsl-line.inode.at] has joined #ubuntu-directory
[02:09] hi
[02:11] hi ajmitch, I want to try your authtool app, but I have a dependency problem
[02:11] "ImportError: No module named Version"
=== SimonAnibal [n=sruiz@66.244.123.100] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
[03:25] hi
[03:26] does someone know the dependencies for ajmitch's authtool?
=== cliebow_ [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory
=== nkinder [i=nkinder@nat/redhat/x-ef51a32ed9bdf8f4] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== zch [n=manuel@85-124-232-237.work.xdsl-line.inode.at] has joined #ubuntu-directory
=== Burgwork [n=corey@ubuntu/member/burgundavia] has joined #ubuntu-directory
=== oconfig [i=forgue@2001:5c0:8fff:ffff:8000:0:8dd2:914] has joined #Ubuntu-Directory
=== oconfig is now known as ajforgue
[07:12] So I want to use LDAP to maintain lists of users that have access to servers. Right now we do |(uid=...)(uid=...) which is a pain in the ass. Would it make sense to do |(eduPersonAccess=unix)(eduPersonHostAccess=FQDN) and add those attributes to users, or is there a better way?
[07:13] (&(eduPersonAccess=unix)(eduPersonHostAccess=FQDN)) this?
[07:14] well, it has to be OR, because eduPersonAccess=unix would get access to ALL unix/linux hosts.
[07:14] forgot to explain that... heh
[07:19] we have 100 something servers, so potentially someone could have an attribute with that many entries
[07:23] Ideally I want pam_ldap to do something better ;_;
[07:40] morning
[07:42] hey jerry
[07:45] hi
=== nkassi [n=nkassi@yoda.tcc.fl.edu] has joined #ubuntu-directory
[08:10] hi
[08:16] ajforgue: I do not really understand you
[08:16] ajforgue: what is your current solution?
[08:18] "|(uid=...)(uid=...)" means what? is this your "pam_filter" string?
[08:21] yeah
[08:21] I guess I suck at explaining things
[08:22] ajforgue: are you looking for a better pam_filter?
[08:23] something more centrally maintainable than what I have now
[08:24] not really ubuntu-directory specific, just a general ldap/linux question
[08:25] I'd rather use groups, but pam_filter doesn't really make that easy
[08:26] I do not know the eduPerson* attributes, but what about: (&(uid=*)(eduPersonAccess=unix)(eduPersonHostAccess=FQDN)) ?
[08:27] from which schema is eduPerson*?
[08:28] educause.. http://www.educause.edu/content.asp?PAGE_ID=949&bhcp=1
[08:28] almost every university uses it
[08:28] oh thanks, for the info
[08:31] do I understand it right: you have a lot of users, but not every user should have access to every server, is that right?
[08:35] yup
[08:36] so I'm creating an attribute that's set if they should have access to all servers, and one for specific hosts
[08:36] since we have 35000 users, only some of them will have access to some servers
[08:36] and only a few people with access to all of them
[08:37] ldapsearch -Y GSSAPI -h rhds1.sys.oakland.edu '(|(ouEduPersonHostAccess=anthracite.sys.oakland.edu)(ouEduPersonGlobalAccess=unix))'
[08:37] so that says allow people with specific access to this host OR users with access to all unix hosts
[08:37] which I think will work
[08:41] what is wrong with this filter?
[08:42] nothing -- just asking if this seems like a good idea
[08:43] are these attributes indexed?
[08:43] yup
[08:46] I think this filter is ok
[08:46] but I am not an LDAP guru
[08:47] ajforgue: | is right? OR
[08:48] pam_ldap has an extra option for host access control, it uses the "host" attribute, perhaps it uses a more intelligent mechanism
[08:51] yeah, "|" is right
[08:52] ajforgue: why are you not so happy with this filter?
[08:52] It feels like a hack
[08:52] but it's linux, so I guess I should get used to it
[08:53] pam_check_host_attr?
[08:53] yes, but you can't use it
[08:55] I only think it does something special because a (&($filter)(host=FQDN)) would not be so hard
[08:58] I want to use ouEduPersonGlobalAccess for other stuff like web applications and such, so I'll not use pam's thing
[09:00] btw, for pam_check_host_attr: http://www.nabble.com/Regarding-%22pam_check_host_attr%22-t1127306.html
[09:05] ajforgue: why do you use (|(uid=...)(uid=...)) and not '(|(ouEduPersonHostAccess=anthracite.sys.oakland.edu)(ouEduPersonGlobalAccess=unix))' ?
[09:17] that's what we're moving to
[09:18] ajforgue: I think I get it
[09:20] ajforgue: which LDAP server do you have?
[09:20] RHDS
[09:20] aka FDS
[09:21] for how long?
[09:22] it's not in production yet
[09:22] it will be by the end of the year
=== cliebow_ [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory
[09:24] ajforgue: and how do you manage 35000 users?
[09:26] lots of perl and php
[09:26] that thankfully I don't have to maintain
[09:26] :)
[09:27] we have an ERP that the data comes out of, so we just sync from there
[09:27] ajforgue: your own perl and php apps?
[09:29] yeah
[09:30] with a web interface
[09:30] @_@
=== robertj [n=robertj@68-117-213-120.dhcp.athn.ga.charter.com] has joined #ubuntu-directory
[10:41] ajmitch: can you send me the pictures you took?
[10:43] yeah, I probably can
[10:46] hi ajmitch
[11:05] ajmitch: can I help with authtool?
[11:12] hmm, no?
:(
[11:14] it is currently very early in ajmitch's morning
[11:16] hm, ok
[11:46] good night