Weekly report week 34, plans for week 35
* Andreas Schuldei (andreas@schuldei.org) [040816 17:58]:
> in week 34 i plan to
> - improve the cerebrum package some more.
this did not happen. for some reason the cerebrum developers did
not reply to petter's mail, either... :-(
> - supply a patch for upstream's fix_ldif (in the debian openldap
> package), as requested by the openldap maintainers.
done. some discussion followed, but nothing specific has happened
yet. merging the patches was smooth with kdiff3. i can recommend
it for merging and generating patches.
> - install afs and kerberos on my home server and get some feeling
> for it.
this was very interesting and educating. i was/am doing this
together with Roland Bauerschmidt (rb@debian.org) who knows
kerberos pretty well and is visiting right now. This is what we
learned:
- the afs module in the kernel sources is manure.
- afs is quite powerful: it can replicate (to a limited extent),
and seems to handle even funny filetypes (in contrast to what i
heard earlier), is designed for security, ... etc
- debian-edu relevant problems could be that every one of the
three systems (ldap, kerberos and afs) needs/wants its own user
(machine, group) database. (this is what cerebrum was designed
for and could solve elegantly, once interfaces to these
systems were implemented.)
- the configuration is not trivial. in fact we only managed to
install it partly on roland's notebook until now, not on my
workstation or server. We are in contact with the high powers
of AFS to isolate the problem and rectify it.
- afs could perhaps replace samba, since there is a windows
driver and an afs login dll (which is still incomplete and not
bugfree). samba would not work with afs, since it can not hold
afs authentication tokens and thus could not read files and
serve them. (this could be worked around by using samba with
pam and transmitting the password in the clear over the network
but that would be laughable after using high-grade security
apps like kerberos and afs.)
- posix groups do not work as filesystem ACLs on afs. this is
important since we designed the whole filesharing system around
posix groups. one would need to use AFS's own, more advanced
and flexible ACLs. One could emulate the posix ACLs, though.
This could be a job for cerebrum, again. This would partly(?)
nullify the need for so many posix groups (and require ACL
groups instead).
In conclusion: we would have a highly secure, easy to use system
if we managed to combine afs, kerberos, ldap and cerebrum (as the
glue between them). this would put us in a unique position since
many people (of big/important/secretive companies/organisations)
are looking for such a solution. Are we too ambitious?
besides the above
- the social security and tax stuff was sorted out, finally
- i hacked on wlus and released a new version -17
- i continued to sort out oldenburg-devcamp stuff (with joeyh)
- sorted out the trip to oslo
- uploaded some packages to the debian archive
- sorted out the trip to oldenburg