Hi all,
the last few days I've spent on testing how gosa might be used as ldap
frontend for debian-edu. Currently, there is no working version in
Squeeze, but hopefully this changes before the freeze (
http://bugs.debian.org/573220 ).
After some minor configuration fixes (see below), gosa can be
configured and started. Many plugins never needed for skolelinux can
be removed/commented in the config file and finally the basics remain:
Users, Groups and system/machines. I tested a bit adding users and
groups and found that with templates (which we could provide in ldap),
things don't get too complicated. Adding machines to allow dhcp-offers
works as well; of course there are no predefined names or IP-ranges.
What's missing are netgroups (
https://oss.gonicus.de/pipermail/gosa/2010-April/004497.html )
and some other lwat features especially targeted for skolelinux. To
add machines to netgroups as well, I hacked the system-plugin, see
patch below. With this (draft) patch applied, it is possible to check
the netgroups a machine is associated with (see attached screenshot).
(The patch is probably really ugly, it's the first time I used php.
For example, it does not remove the netgroup entries if a machine is
deleted completely...).
Concerning security, things seem to have improved. There is now a
command which encrypts the password and I guess only the hash is left
in the configuration file, see gosa's README.Debian for details.
To sum up: I guess, if someone is familiar with php programming and
able to invest a couple of days, it would probably be possible to adapt
gosa to our needs and perhaps even prepare our own plugins. (
https://oss.gonicus.de/labs/gosa/wiki/DocumentationInstallingGOsaWritingPlugins )
Maybe, lwat can be kind of plugged in :).
So if anyone is interested, feel free to move on! I probably forgot some
details, just ask if you want to give it a try yourself and things do
not work as explained below.
Regards,
Andi
Details for the brave:
Download the packages at gonicus or add this line to sources.list:
deb http://oss.gonicus.de/pub/gosa/debian-lenny/ ./
I used these packages (perhaps some more):
ii gosa 2.6.9-1lenny1
ii gosa-plugin-dhcp 2.6.9-1lenny1
ii gosa-plugin-dhcp-schema 2.6.9-1lenny1
ii gosa-plugin-ldapmanager 2.6.9-1lenny1
ii gosa-plugin-systems 2.6.9-1lenny1
ii gosa-schema 2.6.9-1lenny1
Now some (gosa-) schema-files have to be included in
slapd-lenny_debian-edu.conf, mine looks like:
----------8<-------------------------------------------8<--------
# $Id: slapd-skolelinux.conf,v 1.7 2003/06/27 14:47:20 pere Exp $
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/courier.schema
include /etc/ldap/schema/automount.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/gosa/samba.schema
include /etc/ldap/schema/dhcp.schema
include /etc/ldap/schema/dnsdomain2.schema
include /etc/ldap/schema/gosa/samba3.schema
include /etc/ldap/schema/gosa/trust.schema
include /etc/ldap/schema/gosa/gosystem.schema
include /etc/ldap/schema/gosa/gofon.schema
include /etc/ldap/schema/gosa/goto.schema
include /etc/ldap/schema/gosa/gosa-samba3.schema
include /etc/ldap/schema/gosa/gofax.schema
include /etc/ldap/schema/gosa/goserver.schema
include /etc/ldap/schema/gosa/goto-mime.schema
include /etc/ldap/schema/gosa/hdb.schema
include /etc/ldap/schema/lis_new.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
----------8<--------------------------8<--------------------
Remove dateOfBirth from lis.schema; it's already defined somewhere in
the gosa stuff:
--- schema/lis.schema 2009-08-30 14:16:59.000000000 +0200
+++ schema/lis_new.schema 2010-04-16 19:35:37.000000000 +0200
@@ -22,14 +22,6 @@
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
EQUALITY caseIgnoreIA5Match )
-# LiS.1.2 dateOfBirth
-#
-attributetype ( 1.3.6.1.4.1.8990.42.1.2 NAME 'dateOfBirth'
- DESC 'Date of birth, accurate to the day'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
- EQUALITY generalizedTimeMatch
- SINGLE-VALUE )
-
# LiS.1.3 kinship
#
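Review bot: deleting the attributetype for 'dateOfBirth' (OID 1.3.6.1.4.1.8990.42.1.2) changes which definition wins without saying so: the gosa schema that now supplies 'dateOfBirth' carries its own OID and possibly a different SYNTAX or EQUALITY, and any objectclass further down in lis.schema that lists dateOfBirth under MAY or MUST now depends on that gosa schema being included first (the slapd.conf excerpt above loads lis_new.schema last, which is why it works there). Replace the removed block with a comment stating where dateOfBirth now comes from, and run slaptest against the combined configuration to confirm it loads and that existing dateOfBirth values are still valid under the gosa definition.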
-----------------------------8<------------------------
Now start the configuration tool. There are many options I do not know
(and did not care) much about, but you must finish the dialogs/checks
without errors. We could provide an adapted ldap tree and an
out-of-the-box configuration for skolelinux.
Apply the attached patch at /usr/share/gosa/plugins/admin. Remember:
Probably I forgot something.
Happy hacking!
diff -ru systems_orig//class_termDNS.inc systems/class_termDNS.inc
--- systems_orig//class_termDNS.inc 2010-04-22 20:26:50.000000000 +0200
+++ systems/class_termDNS.inc 2010-04-22 20:37:02.000000000 +0200
@@ -461,10 +461,28 @@
$smarty->assign("staticAddress","<font class=\"must\">*</font>");
$smarty->assign("autonetACL",$this->acl_is_writeable("macAddress") && $this->acl_is_writeable("ipHostNumber")?"rw":"");
-
- $display.= $smarty->fetch(get_template_path('network.tpl', TRUE));
}
-
+/////////////////////////////////////////////////////////////////////
+ $ldap = $this->config->get_ldap_link();
+ $ldap->cd($this->config->current['BASE']);
+ $filter="(&(objectClass=nisNetGroup)(!(memberNisNetGroup=*)))";
+ $ldap->search($filter,array("cn","nisNetgroupTriple"));
+ $selected= array();
+ $netgroups= array();
+ while($attrs = $ldap->fetch()){
+ if (isset($attrs['nisNetgroupTriple']) && (in_array('('.$this->cn.',-,-)', $attrs['nisNetgroupTriple']))){
+ $netgroups[] = $attrs['cn'][0];
+ $selected[] = $attrs['cn'][0];
+ }else{
+ $netgroups[] = $attrs['cn'][0];
+ }
+ }
+// print_a($netgroups);
+// @DEBUG (DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $memberOf, "Hallo");
+ $smarty->assign('netgroups', $netgroups);
+ $smarty->assign('selected', $selected);
+ $display.= $smarty->fetch(get_template_path('network.tpl', TRUE));
+///////////////////////////////////////////////////////////////////////
return($display);
}
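Review bot: moving `$display.= $smarty->fetch(get_template_path('network.tpl', TRUE));` out of the block that closes at the `}` above changes behaviour: network.tpl is now fetched and appended unconditionally, whatever condition guarded the removed line. Keep the fetch inside that block and put the netgroup lookup there as well (or guard it with the same condition). The `if`/`else` both append `$attrs['cn'][0]` to `$netgroups`; only `$selected` differs, so the `else` branch is redundant. The filter clause `(!(memberNisNetGroup=*))` hides every netgroup that nests other netgroups, so membership in such groups is neither displayed nor editable; document that or drop the clause. The `in_array('('.$this->cn.',-,-)', ...)` test only recognises the exact `(cn,-,-)` form, so triples written by another tool with a user or domain field, or with the FQDN, are shown as "not a member". The commented `print_a`/`@DEBUG` lines should not be committed.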
@@ -859,6 +877,48 @@
}
}
}
+//////////////////////
+// print_a($_POST);
+ print_a($_POST['checkbox']);
+ $ldap->cd($this->config->current['BASE']);
+// $ldap->modify($this->attrs);
+ $filter="(&(objectClass=nisNetGroup)(!(memberNisNetGroup=*)))";
+ $ldap->search($filter,array('dn','cn','nisNetgroupTriple'));
+ // loop over netgroups:
+ while($attrs = $ldap->fetch()){
+ unset($attrs['nisNetgroupTriple']['count']);
+ $ldap->cd($attrs['dn']);
+ $new = array();
+ // machine is a member but should not be one:
+ if (isset($attrs['nisNetgroupTriple']) &&
+ in_array('('.$this->cn.',-,-)', $attrs['nisNetgroupTriple']) &&
+ !in_array($attrs['cn'][0], $_POST['checkbox'])){
+ @DEBUG (DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $attrs['cn'][0], "remove ".$this->cn." from");
+ $new= array();
+ $tmp = array('('.$this->cn.',-,-)');
+ $new['nisNetgroupTriple'] = array_values(array_diff($attrs['nisNetgroupTriple'], $tmp));
+ }
+ // machine is not a member but should be one:
+ elseif ((!isset($attrs['nisNetgroupTriple']) ||
+ !in_array('('.$this->cn.',-,-)', $attrs['nisNetgroupTriple'])) &&
+ in_array($attrs['cn'][0], $_POST['checkbox'])){
+ @DEBUG (DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $attrs['cn'][0], "add ".$this->cn." to");
+ if (isset($attrs['nisNetgroupTriple'])){
+ $tmp = $attrs['nisNetgroupTriple'];
+ $tmp[] = '('.$this->cn.',-,-)';
+ $new['nisNetgroupTriple'] = array_values(array_unique(array_merge($tmp)));
+ $ldap->modify($new);
+ }else{
+ $new = array('nisNetgroupTriple'=>'('.$this->cn.',-,-)', 'objectClass'=>'nisNetgroup');
+ }
+ }
+ $ldap->modify($new);
+ print_a($new);
+ if(!$ldap->success()){
+ msg_dialog::display(_("LDAP error"), msgPool::ldaperror($ldap->get_error(), $attrs['dn'], LDAP_MOD, get_class()));
+ }
+ }
+////////////////////
$this->dialog = FALSE;
/****************/
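Review bot: the save path modifies netgroup entries without any ACL check, while the display code above gates even the address fields with `$this->acl_is_writeable(...)`; anyone allowed to edit a machine can therefore add it to or remove it from every netgroup in the tree. Check write permission on the netgroup objects before calling `$ldap->modify`. Further problems in this hunk: `$_POST['checkbox']` is read without `isset`, so submitting the form with no box ticked makes every `in_array` call warn on a null haystack; `print_a($_POST['checkbox'])` and `print_a($new)` dump request and modification data into the page; in the "add to existing" branch `$ldap->modify($new)` runs twice (inside the `elseif` and again after it); when nothing changed, `$ldap->modify(array())` is still issued for every netgroup; and the `else` branch sets `'objectClass'=>'nisNetgroup'` as a single value, which replaces the entry's whole objectClass list (dropping `top` and anything else) although the entry already matched `objectClass=nisNetGroup` in the filter. Build `$new` only when membership actually changes, modify once, and touch only `nisNetgroupTriple`. Also confirm `$ldap` is initialised in this scope, since the hunk calls `$ldap->cd` without a `get_ldap_link()`.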
diff -ru systems_orig//network.tpl systems/network.tpl
--- systems_orig//network.tpl 2010-04-22 20:26:50.000000000 +0200
+++ systems/network.tpl 2010-04-22 20:27:36.000000000 +0200
@@ -182,6 +182,10 @@
</tr>
</table>
+<p class="seperator"> </p>
+<h2>Netgroups:</h2>
+{html_checkboxes name='checkbox' selected=$selected values=$netgroups output=$netgroups separator="<br />" style="vertical-align:middle"}
+
<input type="hidden" name="network_tpl_posted" value="1">
<!--
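Review bot: the checkbox labels are the raw netgroup `cn` values (`output=$netgroups`), so check that `html_checkboxes` in the Smarty version GOsa ships escapes the labels as well as the `value` attributes; if it does not, a netgroup name containing markup lands in the page unescaped. The list is also always editable: the other inputs in network.tpl honour the `autonetACL` value assigned in class_termDNS.inc, so the checkboxes should be disabled in the same way when the user may not write netgroups. The generic name `checkbox` can collide with other checkbox groups in the same form; a specific name such as `netgroup` is safer.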
Only in systems: services
Only in systems: systemSelect
Attachment: Preview1.png (PNG image)
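For readers who want the netgroup bookkeeping from the mail in a form that can be tested on its own, here is an added reference implementation in Python; it is not part of the mail or of GOsa. It assumes the netgroup entries have already been read from LDAP into a dict (the entries below are constructed), recognises any triple naming the host rather than only the exact `(cn,-,-)` string, and yields one modification per netgroup whose membership really changes, never touching objectClass.

```python
import re

# NIS netgroup triple syntax: (host,user,domain); "-" or empty means "any".
TRIPLE_RE = re.compile(r"^\((?P<host>[^,()]*),(?P<user>[^,()]*),(?P<domain>[^,()]*)\)$")

def host_triple(cn):
    """Triple the mail's patch writes for a machine: (cn,-,-). Rejects odd
    input so a stray '(' or ',' cannot yield a malformed or ambiguous triple."""
    if not re.match(r"^[A-Za-z0-9][A-Za-z0-9.-]*$", cn):
        raise ValueError("unexpected machine cn: %r" % cn)
    return "(%s,-,-)" % cn

def triples_for_host(cn, triples):
    """All triples naming this host, whatever their user/domain fields
    (an in_array('(cn,-,-)') check would miss e.g. (cn,root,-))."""
    out = []
    for t in triples:
        m = TRIPLE_RE.match(t)
        if m and m.group("host") == cn:
            out.append(t)
    return out

def netgroup_changes(cn, netgroups, selected):
    """netgroups: {dn: {"cn": name, "nisNetgroupTriple": [...]}} as read from
    LDAP (nisNetgroupTriple may be absent). selected: names of the netgroups
    whose checkbox was ticked; may be empty. Returns {dn: (op, attr, values)}
    with op "add" or "delete" only for entries whose membership changes."""
    selected = set(selected)
    changes = {}
    for dn, entry in netgroups.items():
        present = triples_for_host(cn, entry.get("nisNetgroupTriple", []))
        wanted = entry["cn"] in selected
        if present and not wanted:
            changes[dn] = ("delete", "nisNetgroupTriple", present)
        elif wanted and not present:
            changes[dn] = ("add", "nisNetgroupTriple", [host_triple(cn)])
    return changes

# Constructed sample entries (hypothetical names, not from any real site).
SAMPLE = {
    "cn=printer-hosts,ou=netgroup,dc=example": {
        "cn": "printer-hosts", "nisNetgroupTriple": ["(pc01,-,-)", "(pc02,-,-)"]},
    "cn=workstation-hosts,ou=netgroup,dc=example": {
        "cn": "workstation-hosts", "nisNetgroupTriple": ["(pc01,root,-)"]},
    "cn=ltsp-server-hosts,ou=netgroup,dc=example": {
        "cn": "ltsp-server-hosts"},
}
```

Calling `netgroup_changes("pc01", SAMPLE, ["ltsp-server-hosts"])` yields one delete for each of the two groups pc01 is currently in and one add for ltsp-server-hosts; an empty selection removes the host from every group it is in.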