Re: cipux in NEW queue
Kurt Gramlich wrote:
> * Steffen Jöris <Steffen.Joeris@skolelinux.de> [070403 13:23]:
>
>> The current point which needs to be discussed is the use of the
>> cipux-rpc.postinst script. This script calls various cipux commands (or a
>> cipux command which calls another cipux command ...) which in the end fills
>> in LDAP data. Note that I did not completely examine the script, so somebody
>> else might want to give an explanation here. My personal understanding is, to
>> put it into a nutshell, that cipux needs to fill in the LDAP data with own
>> attributes in order to function. I would consider this as a violation of the
>> debian policy, because it adds (without noticing) ldap data which no admin
>> would expect while installing it and it gets not removed during a purge.
>
> Not ldap data but it builds up a ldap tree. Regard CipUX with its
> functions more as a replace for webmin as a replace for wlus.
>
> AFAIK DebianEdu configures his own LDAP tree since we are using
> Openldap.
If this could then be done in debian-edu-config instead, and cipux just
provided the sample scripts, then I guess cipux could be closer to being
included into debian(-edu).
Cipux also messes with the configuration file of slapd, giving cipuxadm
complete control over the ldap-tree, then saves the password in
cleartext on the main-server.
> Did you test that it gets not removed during a purge?
>
>> The question here would be, if this is really a violation, if so how can it be
>> avoided or in a drastic case, do we want to ignore it and consider it a
>> special case, which is possible through our policy[1], but strongly not
>> recommended and should only be a temporary solution.
>
> To build up a ldap tree has to be, anyway which one. Without you
> are not able to use ldap.
Yes, it's possible to make a package that is both debian-compliant, and
that lets you administer users in ldap. But you need a setup tool to make
it possible, then you need to run that script afterwards. lwat will
manage that for you, and I guess it could be possible for cipux as well.
On the other hand, you need to edit both nsswitch.conf, pam_ldap.conf
and libnss-ldap.conf and the files under /etc/pam.d/ to make the
accounts work.
>> My question now is concerning debian-edu, is it really necessary to change the
>> LDAP data and if so why?
>
> Yes, because our users need it. We will fulfill the needs of our
> users.
>> Is there any backwards compatibility with the old LDAP data, e.g. will the old
>> users show up or can an admin just insert an old ldap backup and everything
>> works?
>
> Would be nice to have.
>
>> Do we care about backwards compatibility or how do we want to offer
>> Debian-Edu/Skolelinux 3.0 and keep the admin effort to a minimum while
>> upgrading to the new version?
>
> Yes we care, if the manpower is enough to do it.
Well, no-one managed to get a working solution into debian-etch before
the window closed. So we don't have the manpower. Why is it then best to
use a solution that requires some customized setup, and without an
upgrade-path for existing installations?
--
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642