
Re: cipux in NEW queue



Kurt Gramlich wrote:
> * Steffen Jöris <Steffen.Joeris@skolelinux.de> [070403 13:23]:
> 
>> The current point which needs to be discussed is the use of the 
>> cipux-rpc.postinst script. This script calls various cipux commands (or a 
>> cipux command which calls another cipux command ...) which in the end fills 
>> in LDAP data. Note that I did not completely examine the script, so somebody 
>> else might want to give an explanation here. My personal understanding is, to 
>> put it into a nutshell, that cipux needs to fill in the LDAP data with own 
>> attributes in order to function. I would consider this as a violation of the 
>> debian policy, because it adds (without noticing) ldap data which no admin 
>> would expect while installing it and it gets not removed during a purge.
> 
> Not ldap data but it builds up a ldap tree. Regard CipUX with its
> functions more as a replace for webmin as a replace for wlus.
> 
> AFAIK DebianEdu configures his own LDAP tree since we are using
> Openldap.

If this could then be done in debian-edu-config instead, and cipux just
provided the sample scripts, then I guess cipux could be closer to being
included into debian(-edu).

Cipux also messes with the configuration file of slapd, giving cipuxadm
complete control over the ldap-tree, then saves the password in
cleartext on the main-server.

> Did you test that it gets not removed during a purge?
> 
>> The question here would be, if this is really a violation, if so how can it be 
>> avoided or in a drastic case, do we want to ignore it and consider it a 
>> special case, which is possible through our policy[1], but strongly not 
>> recommended and should only be a temporary solution.
> 
> To build up a ldap tree has to be, anyway which one. Without you
> are not able to use ldap.

Yes, it's possible to make a package that is both debian-compliant, and
that lets you administer users in ldap. But you need a setup tool to make
it possible, then you need to run that script afterwards. lwat will
manage that for you, and I guess it could be possible for cipux as well.

On the other hand, you need to edit both nsswitch.conf, pam_ldap.conf
and libnss-ldap.conf and the files under /etc/pam.d/ to make the
accounts work.

>> My question now is concerning debian-edu, is it really necessary to change the 
>> LDAP data and if so why? 
> 
> Yes, because our users need it. We will fulfill the needs of our
> users.
> 
>> Is there any backwards compatibility with the old LDAP data, e.g. will the old 
>> users show up or can an admin just insert an old ldap backup and everything 
>> works? 
> 
> Would be nice to have.
> 
>> Do we care about backwards compatibility or how do we want to offer 
>> Debian-Edu/Skolelinux 3.0 and keep the admin effort to a minimum while 
>> upgrading to the new version?
> 
> Yes we care, if the manpower is enough to do it.

Well, no-one managed to get a working solution into debian-etch before
the window closed. So we don't have the manpower. Why is it then best to
use a solution that requires some customized setup, and without an
upgrade-path for existing installations?

-- 
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642



