[03:42] <sbalneav> Evening all
[03:44] <Ahmuck-Sr> .
[16:16] <aidave> kabikaboo 1.7 now out!  https://launchpad.net/kabikaboo
[16:22] <sbalneav> I think we might need this:
[16:22] <sbalneav> http://git.gnome.org/browse/nanny/tree/
[16:22] <sbalneav> I'll see about packaging it.
=== alkisg1 is now known as alkisg
[16:23] <alkisg> sbalneav: at some point you were thinking about packaging an easy to setup ldap template, for schools... care to pick it up? I'm willing to help as much as I can... :)
[20:08] <alkisg> I'm trying to setup LDAP for the first time. I can succesfully do `sudo ldapaddgroup test` but I cannot get `sudo ldapadduser test test` to work, it says "ldap_add: no such object (32)". Help?!
[20:09] <sbalneav> Which package are you using?
[20:09] <alkisg> I did: sudo apt-get -y install slapd ldap-utils ldapscripts
[20:10] <sbalneav> Ahhhh, ldapscripts :)
[20:10] <alkisg> Ah got it! The ubuntu guide was using "People" while ldapscripts is using "Users"...
[20:10] <sbalneav> yeah
[20:11] <sbalneav> the whole problem with ldap is everything ONLY works if you've got your database laid out the exact way the scripts want.
[20:11] <sbalneav> and there's NO standard for your ou's
[20:11] <sbalneav> so some use "users"
[20:11] <alkisg> I wonder why http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html doesn't mention this problem, though :(
[20:11] <sbalneav> some "Users"
[20:11] <sbalneav> some "People"
[20:12] <sbalneav> some just use uid= with no ou at all
[20:12] <alkisg> Uhm... I think I'll just use whatever the ldapscripts use, to minimize configuration file editing :D
[20:12] <sbalneav> alkisg: silly boy! You're just supposed to KNOW this!!!
[20:12] <sbalneav> I've been using ldap for 10+ years.
[20:13] <sbalneav> next to RS232, it's the most non-standard standard I've ever seen.
[20:13] <alkisg> Heh... I was trying to avoid using it for too long now :D
[20:13] <alkisg> ...but maybe I need to see it to better decide what's better...
[20:14] <sbalneav> You talk to any good enterprise sysadm, you'll find they all have their own highly customized shell scripts for dealing with their specific LDAP instance.
[20:14] <sbalneav> Well, the problem with LDAP is, it's well supported.
[20:15] <sbalneav> Everything can talk to ldap, problem is, you have to CUSTOMIZE everything to get it to talk to the way YOU layed out your ldap.
[20:15] <alkisg> Bah... we should make a package for easy ldap installation for schools!
[20:15] <alkisg> I think I saw some packages in synaptic for caching credentials, do they work OK when the server's down?
[20:15] <sbalneav> Well, it's not hard.
[20:16] <sbalneav> skolelinux does it.
[20:16] <sbalneav> you just pick a database layout
[20:16] <sbalneav> create a package that creates that layouyt
[20:16] <alkisg> Really?! Ah, I need to look at it for better compatibility then... they've probably thought about samba, too...
[20:16] <sbalneav> and patch ldaptools + any other ldap things to support that layout "out of the box:
[20:17] <sbalneav> it's not HARD
[20:17] <sbalneav> it's just... tedious
[20:17] <sbalneav> there's a lot of ldap tools.
[20:17] <sbalneav> or things that can talk to ldap.
[20:18] <alkisg> It's hard to get started with ldap... it'd be much easier if there was some easy-ldap package. ogra had started a spec about this I think 3 years ago, but it was never implemented...
[20:18] <sbalneav> Then you get told "Well, you shouldn't design an ldap database layout without talking to the server team"
[20:18] <sbalneav> and you talk to the server team, and 5 guys have 8 different ways they want to do the layout.
[20:18] <alkisg> Heh
[20:18] <sbalneav> And... here we are.
[20:18] <sbalneav> I was going to implement it.
[20:18] <sbalneav> I'm STILL willing to implement it.
[20:19] <alkisg> Well, there are many schools out there *without sysadmins or server teams* looking for an easy way to install ldap + nfs
[20:19] <alkisg> I'm willling to help however I can
[20:19] <sbalneav> it's EASY to implemnt.  Consensus is hard.
[20:19] <Ahmuck-Sr> alkisg>	Well, there are many schools out there *without sysadmins or server teams* looking for an easy way to install ldap + nfs
[20:19] <sbalneav> Lets talk about it at tomorrow's meeting.
[20:19] <Ahmuck-Sr> this is a correct statement
[20:19] <alkisg> sbalneav: nice :)
[20:19]  * Ahmuck-Sr has been on this soapbox for a while
[20:20] <alkisg> Ahmuck-Sr: did you get to install it?
[20:20] <sbalneav> LaserJock told me about bikeshedding.  You guys know what that is?
[20:20] <Ahmuck-Sr> isn't LDAP standard?
[20:20] <sbalneav> Ahmuck-Sr: Yes and no
[20:20] <sbalneav> LDAP itself is standard.
[20:20] <sbalneav> just like SQL is standard.
[20:20] <sbalneav> how you design your DATABASE for access, isn't
[20:20] <alkisg> Heh... http://en.wiktionary.org/wiki/bikeshedding
[20:20] <sbalneav> it's up to you
[20:21] <sbalneav> right, and ldap becomes the ultimate bikeshed.
[20:22] <sbalneav> EVERYbody has an opinion as to why a databse should use ou=People instead of ou=Users
[20:23] <alkisg> sbalneav: what tools are you using to manage users? ldapscripts?
[20:23] <sbalneav> Why you should use o=Greek Schools Division instead of dc=greek,dc=edu,dc=gk
[20:23] <sbalneav> alkisg: I have all my own custom scripts I've written, modified, and dragged with me for the last 10 years.
[20:24] <alkisg> Heh, at least that tells me that ldap is stable :D
[20:24] <sbalneav> Oh, it's a fine system
[20:24] <sbalneav> it works well.
[20:24] <alkisg> Is dc=school,dc=local acceptable to be used by all greek schools? :D
[20:25] <alkisg> If so, I'm good to go...
[20:28] <sbalneav> it's just the barrier to entry is SO FRIGGING HIGH
[20:28] <stgraber> sbalneav: are you using kerberos for password storage/policy or not yet ?
[20:28] <sbalneav> No, I don't use kerberos yet.
[20:29] <sbalneav> so I'm using pamldap for my auth
[20:29] <alkisg> Can ldap work without nfs?
[20:29] <sbalneav> Sure
[20:29] <alkisg> I.e. some package to create the local home dirs etc?
[20:30] <sbalneav> Sure, that's no problem.
[20:30] <sbalneav> *ALL* you need to solve this problem is to simply VOTE on a layout.  And then say, "screw everybody else, this is the layout we support"
[20:30] <stgraber> sbalneav: I deployed it on my LAN (80 or so VMs ;)) and it's freaking cool to be able to ssh to a server, then to another, then to another and never have to re-auth. Then when the ticket expires (once a day), I have to login again and that's it.
[20:31] <sbalneav> You want something other tthan this, you're on your own.
[20:31] <sbalneav> which is EXACTLY what skolellinux does
[20:31] <stgraber> sbalneav: also I have my IMAP server, web server and proxy using kerberos, so no need to login there too :)
[20:31] <sbalneav> yeah, I just need to sit down with it for a day and actually play with it.
[20:32] <alkisg> stgraber: do put something in the wiki about how to do all this... :)
[20:32] <sbalneav> That's why, curretnly , skolellinux is the ONLY one that actually SUPPORTS ldap
[20:32]  * alkisg should better copy skolelinux's layout, then...
[20:33] <sbalneav> I've actually looked at skolelinux's ldap packages
[20:33] <sbalneav> it's just a presees.
[20:33] <sbalneav> it's just a preseed
[20:33] <sbalneav> My thought was: just steal their stuff :)
[20:33] <sbalneav> do what they do
[20:34] <sbalneav> then edubuntu can auth against skolelinux auth servers, or vice versa
[20:36] <alkisg> Right. That's what I'd like to have in edubuntu, prepackaged solutions...
[20:56] <stgraber> alkisg: I'm not yet finished with looking at kerberos, I have the basics working but I need to connect it better with my LDAP
[20:57] <alkisg> It'd be nice to have such solutions in edubuntu, working out of the box...