Hi all,

the last days I've spent on testing how gosa might be used as ldap frontend for debian-edu. Currently, there is no working version in Squeeze, but hopefully this changes before the freeze ( http://bugs.debian.org/573220 ).

After some minor configuration fixes (see below), gosa can be configured and started. Many plugins never needed for skolelinux can be removed/commented in the config file, and finally the basics remain: Users, Groups and system/machines. I tested a bit adding users and groups and found that with templates (which we could provide in ldap), things do not get too complicated. Adding machines to allow dhcp-offers works as well; of course there are no predefined names or IP-ranges.

What's missing are netgroups ( https://oss.gonicus.de/pipermail/gosa/2010-April/004497.html ) and some other lwat features especially targeted for skolelinux. To add machines to netgroups as well, I hacked the system-plugin, see patch below. With this (draft) patch applied, it is possible to check the netgroups a machine is associated with (see attached screenshot). (The patch is probably really ugly, it's the first time I used php. For example, it does not remove the netgroup entries if a machine is deleted completely...)

Concerning security, things seem to have improved. There is now a command which encrypts the password and I guess only the hash is left in the configuration file, see gosa's README.Debian for details.

To sum up: I guess, if someone is familiar with php programming and able to invest a couple of days, it would probably be possible to adopt gosa to our needs and perhaps even prepare our own plugins. ( https://oss.gonicus.de/labs/gosa/wiki/DocumentationInstallingGOsaWritingPlugins ) Maybe, lwat can be kind of plugged in :). So if anyone is interested, feel free to move on! I probably forgot some details, just ask if you want to give it a try yourself and things do not work as explained below.
Regards,
Andi

Details for the brave:

Download the packages at gonicus or add this line to sources.list:

deb http://oss.gonicus.de/pub/gosa/debian-lenny/ ./

I used these packages (perhaps some more):

ii gosa 2.6.9-1lenny1
ii gosa-plugin-dhcp 2.6.9-1lenny1
ii gosa-plugin-dhcp-schema 2.6.9-1lenny1
ii gosa-plugin-ldapmanager 2.6.9-1lenny1
ii gosa-plugin-systems 2.6.9-1lenny1
ii gosa-schema 2.6.9-1lenny1

Now some (gosa-) schema-files have to be included in slapd-lenny_debian-edu.conf, mine looks like:

----------8<-------------------------------------------8<--------
# $Id: slapd-skolelinux.conf,v 1.7 2003/06/27 14:47:20 pere Exp $
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/courier.schema
include /etc/ldap/schema/automount.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/gosa/samba.schema
include /etc/ldap/schema/dhcp.schema
include /etc/ldap/schema/dnsdomain2.schema
include /etc/ldap/schema/gosa/samba3.schema
include /etc/ldap/schema/gosa/trust.schema
include /etc/ldap/schema/gosa/gosystem.schema
include /etc/ldap/schema/gosa/gofon.schema
include /etc/ldap/schema/gosa/goto.schema
include /etc/ldap/schema/gosa/gosa-samba3.schema
include /etc/ldap/schema/gosa/gofax.schema
include /etc/ldap/schema/gosa/goserver.schema
include /etc/ldap/schema/gosa/goto-mime.schema
include /etc/ldap/schema/gosa/hdb.schema
include /etc/ldap/schema/lis_new.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
----------8<--------------------------8<--------------------

Remove dateOfBirth from lis.schema; it's already defined somewhere in the gosa stuff:

--- schema/lis.schema 2009-08-30 14:16:59.000000000 +0200
+++ schema/lis_new.schema 2010-04-16 19:35:37.000000000 +0200
@@ -22,14 +22,6 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseIgnoreIA5Match ) -# LiS.1.2 dateOfBirth -# -attributetype ( 1.3.6.1.4.1.8990.42.1.2 NAME 'dateOfBirth' - DESC 'Date of birth, accurate to the day' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 - EQUALITY generalizedTimeMatch - SINGLE-VALUE ) - # LiS.1.3 kinship # -----------------------------8<------------------------ Now start the configuration tool. There are many options I do not know (and did not care) much about, but you must finish the dialogs/checks without errors. We could provide an adopted ldap tree and an out-of-the-box configuration for skolelinux. Apply the attached patch at /usr/share/gosa/plugins/admin. Remember: Probably I forgot something. Happy hacking!
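Review bot: the removed attribute type carried OID 1.3.6.1.4.1.8990.42.1.2 with SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 (generalizedTime), EQUALITY generalizedTimeMatch and SINGLE-VALUE; before dropping it in favour of the copy the gosa schema set provides, confirm that copy uses the same syntax and matching rule, because existing dateOfBirth values are validated against whichever definition survives once slapd loads both schema files. Producing lis_new.schema as a separate file rather than editing lis.schema in place also leaves two diverging copies on disk; a one-line comment where the block was removed (for example `# LiS.1.2 dateOfBirth: defined by the gosa schemas`) would tell the next maintainer why it is gone.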
diff -ru systems_orig//class_termDNS.inc systems/class_termDNS.inc --- systems_orig//class_termDNS.inc 2010-04-22 20:26:50.000000000 +0200 +++ systems/class_termDNS.inc 2010-04-22 20:37:02.000000000 +0200 @@ -461,10 +461,28 @@ $smarty->assign("staticAddress","<font class=\"must\">*</font>"); $smarty->assign("autonetACL",$this->acl_is_writeable("macAddress") && $this->acl_is_writeable("ipHostNumber")?"rw":""); - - $display.= $smarty->fetch(get_template_path('network.tpl', TRUE)); } - +///////////////////////////////////////////////////////////////////// + $ldap = $this->config->get_ldap_link(); + $ldap->cd($this->config->current['BASE']); + $filter="(&(objectClass=nisNetGroup)(!(memberNisNetGroup=*)))"; + $ldap->search($filter,array("cn","nisNetgroupTriple")); + $selected= array(); + $netgroups= array(); + while($attrs = $ldap->fetch()){ + if (isset($attrs['nisNetgroupTriple']) && (in_array('('.$this->cn.',-,-)', $attrs['nisNetgroupTriple']))){ + $netgroups[] = $attrs['cn'][0]; + $selected[] = $attrs['cn'][0]; + }else{ + $netgroups[] = $attrs['cn'][0]; + } + } +// print_a($netgroups); +// @DEBUG (DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $memberOf, "Hallo"); + $smarty->assign('netgroups', $netgroups); + $smarty->assign('selected', $selected); + $display.= $smarty->fetch(get_template_path('network.tpl', TRUE)); +/////////////////////////////////////////////////////////////////////// return($display); } 
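Review bot: the `$display.= $smarty->fetch(get_template_path('network.tpl', TRUE));` call is moved from inside the preceding `if` block to after its closing brace, so the network template is now rendered on every path through this function, including the branch that previously skipped it; if that is intended it deserves a comment, otherwise keep the fetch inside the block and only assign `netgroups` and `selected` before it. The two commented-out debug lines (`// print_a($netgroups);` and `// @DEBUG (...)`) should be dropped before this is proposed upstream. Also, the netgroup list is built and offered without any ACL check, while the surrounding code gates `macAddress`/`ipHostNumber` through `acl_is_writeable` into `autonetACL`; the template should at least be told whether the current user may change membership so the checkboxes can be disabled accordingly.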
@@ -859,6 +877,48 @@ } } } +////////////////////// +// print_a($_POST); + print_a($_POST['checkbox']); + $ldap->cd($this->config->current['BASE']); +// $ldap->modify($this->attrs); + $filter="(&(objectClass=nisNetGroup)(!(memberNisNetGroup=*)))"; + $ldap->search($filter,array('dn','cn','nisNetgroupTriple')); + // loop over netgroups: + while($attrs = $ldap->fetch()){ + unset($attrs['nisNetgroupTriple']['count']); + $ldap->cd($attrs['dn']); + $new = array(); + // machine is a member but should not be one: + if (isset($attrs['nisNetgroupTriple']) && + in_array('('.$this->cn.',-,-)', $attrs['nisNetgroupTriple']) && + !in_array($attrs['cn'][0], $_POST['checkbox'])){ + @DEBUG (DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $attrs['cn'][0], "remove ".$this->cn." from"); + $new= array(); + $tmp = array('('.$this->cn.',-,-)'); + $new['nisNetgroupTriple'] = array_values(array_diff($attrs['nisNetgroupTriple'], $tmp)); + } + // machine is not a member but should be one: + elseif ((!isset($attrs['nisNetgroupTriple']) || + !in_array('('.$this->cn.',-,-)', $attrs['nisNetgroupTriple'])) && + in_array($attrs['cn'][0], $_POST['checkbox'])){ + @DEBUG (DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $attrs['cn'][0], "add ".$this->cn." to"); + if (isset($attrs['nisNetgroupTriple'])){ + $tmp = $attrs['nisNetgroupTriple']; + $tmp[] = '('.$this->cn.',-,-)'; + $new['nisNetgroupTriple'] = array_values(array_unique(array_merge($tmp))); + $ldap->modify($new); + }else{ + $new = array('nisNetgroupTriple'=>'('.$this->cn.',-,-)', 'objectClass'=>'nisNetgroup'); + } + } + $ldap->modify($new); + print_a($new); + if(!$ldap->success()){ + msg_dialog::display(_("LDAP error"), msgPool::ldaperror($ldap->get_error(), $attrs['dn'], LDAP_MOD, get_class())); + } + } +//////////////////// $this->dialog = FALSE; /****************/ diff -ru systems_orig//network.tpl systems/network.tpl --- systems_orig//network.tpl 2010-04-22 20:26:50.000000000 +0200 +++ systems/network.tpl 2010-04-22 20:27:36.000000000 +0200 
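Review bot: `$ldap->modify($new)` is executed after the if/elseif for every netgroup the search returns, so when neither branch applies `$new` is an empty array and an empty modify is sent for an unchanged entry, and in the add branch with existing triples it is called twice (once inside the branch, once after). Move the single modify and the `success()` check into the two branches that actually change something. Further points in the same hunk: `$_POST['checkbox']` is used without an `isset` check, so unticking every box (no checkbox posted at all) makes `in_array(..., $_POST['checkbox'])` operate on null instead of removing the host from all netgroups, and it should default to `array()`; `print_a($_POST['checkbox'])` and `print_a($new)` are debug output that must not stay in the save path; the else branch puts `'objectClass'=>'nisNetgroup'` into `$new`, which replaces the entry's whole objectClass list even though the search filter already guarantees the class is present, so drop that key and send only `nisNetgroupTriple`; `array_unique(array_merge($tmp))` merges a single array with itself, `array_unique($tmp)` is enough; and nothing here verifies that the current user is allowed to modify netgroup entries, so the ACLs the display code consults are not enforced on this write.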
@@ -182,6 +182,10 @@ </tr> </table> +<p class="seperator"> </p> +<h2>Netgroups:</h2> +{html_checkboxes name='checkbox' selected=$selected values=$netgroups output=$netgroups separator="<br />" style="vertical-align:middle"} + <input type="hidden" name="network_tpl_posted" value="1"> <!-- Only in systems: services Only in systems: systemSelect
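Review bot: the checkbox group is named the generic `checkbox`, which the PHP side reads back as `$_POST['checkbox']`; a specific name such as `netgroups` avoids collisions with other form elements posted from the same page and makes the save code self-explanatory. The `<h2>Netgroups:</h2>` heading is a hard-coded string, unlike the rest of the dialog's labels. And since `values=$netgroups output=$netgroups` renders LDAP-sourced cn values directly as labels, check that this Smarty version's `html_checkboxes` escapes the `output` strings; if it does not, pass them through `|escape` before handing them to the plugin.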
Attachment: Preview1.png (PNG image)
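The membership logic the mail describes (a machine is in a netgroup when its `(cn,-,-)` triple appears in that group's `nisNetgroupTriple` values) is easy to get subtly wrong in a web handler, as the review points above show. The following is an added example, not part of Andi's patch or of GOsa: it parses a constructed LDIF dump of netgroups, reports which groups a host belongs to, and computes the minimal set of `nisNetgroupTriple` replacements needed to reach a desired membership, handling the "no checkbox posted" case and refusing host names that cannot be represented in the triple syntax. The netgroup names and base DN are constructed sample data, not taken from a real tree.

```python
"""Netgroup membership for a host, computed offline from LDAP data.

Added example (not GOsa code): mirrors the system-plugin hack's use of
'(cn,-,-)' host triples in nisNetgroupTriple, as pure functions that can
be unit-tested without an LDAP server.
"""
import re

# Constructed sample: roughly what ldapsearch returns for objectClass=nisNetgroup.
# Names and base DN are assumptions for the example only.
SAMPLE_LDIF = """\
dn: cn=workstation-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
cn: workstation-hosts
nisNetgroupTriple: (ws01,-,-)
nisNetgroupTriple: (ws02,-,-)

dn: cn=ltsp-server-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
cn: ltsp-server-hosts
nisNetgroupTriple: (ltspserver00,-,-)
nisNetgroupTriple: (ws02,-,-)

dn: cn=printer-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
cn: printer-hosts
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.

    Handles multi-valued attributes, '#' comments and folded continuation
    lines (a line starting with one space continues the previous value).
    Base64 ('::') and URL (':<') values are not needed for netgroup data.
    """
    lines = []
    for raw in text.splitlines() + ['']:
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]          # unfold continuation line
            continue
        lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith('#'):
            continue
        if not line.strip():             # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(':')
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def host_triple(cn):
    """Build the '(host,-,-)' triple stored for a machine.

    The triple syntax is delimited by parentheses and commas, so a cn that
    contains them (or whitespace) cannot be represented; reject it rather
    than write a value that would be read back as a different triple.
    """
    if not cn or re.search(r'[(),\s]', cn):
        raise ValueError('host name not representable in a netgroup triple: %r' % cn)
    return '(%s,-,-)' % cn


def netgroups_of_host(entries, cn):
    """Names of the netgroups whose triples list this host, sorted."""
    triple = host_triple(cn)
    return sorted(e['cn'][0] for e in entries
                  if triple in e.get('nisNetgroupTriple', []))


def plan_changes(entries, cn, wanted):
    """Per netgroup that must change, the full replacement nisNetgroupTriple list.

    `wanted` is the set of netgroup names the host should end up in; None or
    empty (no checkbox posted) means "member of none". Groups that already
    match are omitted, so a caller issues an LDAP modify only where needed.
    """
    wanted = set(wanted or ())
    triple = host_triple(cn)
    changes = {}
    for entry in entries:
        name = entry['cn'][0]
        current = entry.get('nisNetgroupTriple', [])
        is_member = triple in current
        if is_member and name not in wanted:
            changes[name] = [t for t in current if t != triple]
        elif name in wanted and not is_member:
            changes[name] = current + [triple]   # keep other members, no duplicate
    return changes


if __name__ == '__main__':
    groups = parse_ldif(SAMPLE_LDIF)
    print(netgroups_of_host(groups, 'ws02'))
    print(plan_changes(groups, 'ws02', {'workstation-hosts', 'printer-hosts'}))
```

`plan_changes` returns complete replacement lists rather than add/delete deltas because that is what a replace-style modify (as the patch's `$ldap->modify()` performs) needs; a netgroup whose membership is already correct produces no entry, so no empty or redundant modify is ever sent.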