[02:09] <zch> hi
[02:11] <zch> hi ajmitch, I want try your authtool app, but I have a dependency problem
[02:11] <zch> "ImportError: No module named Version"
[03:25] <zch> hi
[03:26] <zch> does someone know the dependencies of ajmitch's authtool?
[07:12] <ajforgue> So I want to use LDAP to maintain lists of users that have access to servers.  Right now we do |(uid=...)(uid=...) which is a pain in the ass.  Would it make sense to do |(eduPersonAccess=unix)(eduPersonHostAccess=FQDN) and add those attributes to users or is there a better way?
[07:13] <fernando> (&(eduPersonAccess=unix)(eduPersonHostAccess=FQDN)) this?
[07:14] <ajforgue> well, it has to be or, because eduPersonAccess=unix would get access to ALL unix/linux hosts.
[07:14] <ajforgue> forgot to explain that... heh
[07:19] <ajforgue> we have 100 something servers, so potentially someone could have an attribute with that many entries
[07:23] <ajforgue> Ideally I want pam_ldap to do something better ;_;
[07:40] <wasabi> morning
[07:42] <ajforgue> hey jerry
[07:45] <wasabi> hi
[08:10] <zch> hi
[08:16] <zch> ajforgue: I do not really understand you
[08:16] <zch> ajforgue: what is your current solution?
[08:18] <zch> "|(uid=...)(uid=...)" means what? is this your "pam_filter" string?
[08:21] <ajforgue> yeah
[08:21] <ajforgue> I guess I suck at explaining things
[08:22] <zch> ajforgue: are you looking for a better pam-filter?
[08:23] <ajforgue> something more centrally maintainable than what I have now
[08:24] <ajforgue> not really ubuntu-directory specific, just general ldap/linux question
[08:25] <ajforgue> I'd rather use groups, but pam_filter doesn't really make that easy
[08:26] <zch> I do not know the eduPerson* attributes, but what about: (&(uid=*)(eduPersonAccess=unix)(eduPersonHostAccess=FQDN)) ?
[08:27] <zch> from which schema is eduPerson*
[08:28] <ajforgue> educause.. http://www.educause.edu/content.asp?PAGE_ID=949&bhcp=1
[08:28] <ajforgue> almost every university uses it
[08:28] <zch> oh, thanks for the info
[08:31] <zch> do I understand it right: you have a lot of users, but not every user should have access to every server, is that right?
[08:35] <ajforgue> yup
[08:36] <ajforgue> so I'm creating an attribute that's set if they should have access to all Servers. and one for specific hosts
[08:36] <ajforgue> since we have 35000 users, only some of them will have access to some servers
[08:36] <ajforgue> and only a few people with access to all of them
[08:37] <ajforgue> ldapsearch -Y GSSAPI -h rhds1.sys.oakland.edu '(|(ouEduPersonHostAccess=anthracite.sys.oakland.edu)(ouEduPersonGlobalAccess=unix))'
[08:37] <ajforgue> so that says allow people with specific access to this host OR users with access to all unix hosts
[08:37] <ajforgue> which I think will work
[08:41] <zch> what is wrong with this filter?
[08:42] <ajforgue> nothing -- just asking if this seems like a good idea
[08:43] <zch> are these attributes indexed?
[08:43] <ajforgue> yup
[08:46] <zch> I think this filter is ok
[08:46] <zch> but I am not an LDAP-guru
[08:47] <fernando> ajforgue: | is right? OR
[08:48] <zch> pam-ldap has an extra option for host access control, it uses the "host" attribute, perhaps it uses a more intelligent mechanism
[08:51] <ajforgue> yeah, "|" is right
[08:52] <zch> ajforgue: why are you not so happy with this filter?
[08:52] <ajforgue> It feels like a hack
[08:52] <ajforgue> but it's linux, so I guess I should get used to it
[08:53] <ajforgue> pam_check_host_attr?
[08:53] <zch> yes, but you can't use it
[08:55] <zch> I only think it does something special because a (&($filter)(host=FQDN)) would not be so hard
[08:58] <ajforgue> I want to use ouEduPersonGlobalAccess for other stuff like web applications and such, so I'll not use pam's thing
[09:00] <zch> btw, for pam_check_host_attr: http://www.nabble.com/Regarding-%22pam_check_host_attr%22-t1127306.html
[09:05] <zch> ajforgue: why do you use (|(uid=...)(uid=...)) and not '(|(ouEduPersonHostAccess=anthracite.sys.oakland.edu)(ouEduPersonGlobalAccess=unix))' ?
[09:17] <ajforgue> that's what we're moving to
[09:18] <zch> ajforgue: I think I get it
[09:20] <zch> ajforgue: which LDAP server do you have?
[09:20] <ajforgue> RHDS
[09:20] <ajforgue> aka FDS
[09:21] <zch> for how long?
[09:22] <ajforgue> it's not in production yet
[09:22] <ajforgue> it will be by the end of the year
[09:24] <zch> ajforgue: and how do you manage 35000 users?
[09:26] <ajforgue> lots of perl and php
[09:26] <ajforgue> that thankfully I don't have to maintain
[09:26] <zch> :)
[09:27] <ajforgue> we have an ERP that the data comes out of, so we just sync from there
[09:27] <zch> ajforgue: own perl and php apps?
[09:29] <ajforgue> yeah
[09:30] <ajforgue> with a web interface
[09:30] <ajforgue> @_@
[10:41] <ajforgue> ajmitch: can you send me the pictures you took?
[10:43] <ajmitch> yeah, I probably can
[10:46] <zch> hi ajmitch
[11:05] <zch> ajmitch: can I help with authtool?
[11:12] <zch> hmm, no? :(
[11:14] <Burgwork> it is currently very early in ajmitch's morning
[11:16] <zch> hm, ok
[11:46] <zch> good night