Re: a webmin replacement for etch...
Hi,
as a upstream author I will try to help to answer the questions as good as
I can. But forgive me answering late (and may be a little bit short) but
I am moving to Berlin right now.
Holger Levsen schrieb:
> as we know since a long time, etch will not be released with webmin and we
> need an alternative.
ACK
> One application, which seems to suit this need, is cipux. See
> http://wiki.debian.org/DebianEdu/CipUX/
ok
> An installation manual to install cipux on sarge can be found at
> http://wiki.debian.org/DebianEdu/CipUX/Installation/3.2.12 - but I havent
> found instructions to install it on etch, so I am writing this email to
> understand, what cipux is and if we can get it included in Debian/etch or
> into our repository, because it is (most probably) too late to get it into
> etch.
The Version 3.2.12 is not release yet. It is tested now by the French team.
But it is planned to release it soon.
> So I looked for the cipux sources, and as far as I can see, the latest sources
> (as debian source packages) are at
> http://debiantest.cipworx.org/dists/sid/main/binary-all/
Well yes a subset is there but only for testing. You should use
debian.cipworx.org
> But there are two tar.gz there:
>
> cipux_3.2.11-1.tar.gz 10-Oct-2006 06:48 16.7M
> cipux_3.2.11.orig.tar.gz 25-Aug-2006 23:08 26.4M
>
> And I'm a bit confused by the 10 megabyte size difference...
Because it is a subset. Some of the functionallity is not tested for Debian-Edu.
I also would suggest not to import the hole into Debian.
> Anyway, it seems cipux also needs two more packages, which are not in debian
> yet: libauthen-simple-pam-perl and.libauthen-simple-perl. The latest source
> versions (as debian packages) I found are located at
> http://backports.cipworx.org/dists/sid/main/source/perl/
Xavier has made also baclports for that as far as I know.
> To have easier access, I copied those sources to
> http://developer.skolelinux.no/~holger/
> Based on these packages (or newer versions of them) I want to install cipux on
> a debian-edu/etch-system. But the instructions on
> http://wiki.debian.org/DebianEdu/CipUX/Installation/3.2.12 are targeted too
> much at sarge and manual installation. For debian-edu/etch we need automatic
> installation and configuration. So as a first step, I would be happy if
> someone could tell, which packages (the cipux source package builds many
> packages) we need to use CipUX as a webmin-replacement for etch.
> And then, what additional scripts (if any) need to be executed, to configure
> CipUX.
The reason for having a manual installation manual and not a script can be found in
the debian policy. So you should apply the nessesary changes directly to the files
in you SVN, as debian-edu also deploys a patches version of slapd.conf for example.
...
>From the bas CipUX packages this are.
cipux-common
cipux-cibot
Then you have base support.
If you want a GUI or other sofware connected to CipUX you must install:
cipux-rpc
On top of that you can have for example
cipux-cat-webmin (which is not a good choice, because of dependecies)
cipux-cat-apache (which is not released, replacement for cipux-cat-webmin)
cipux-cat-moodle (alias cipuxPHP, developed by the French team)
cipux-cat-moodle is used in production in France. But there is a security
revision undergoing right now, so it seems that it can be improved.
The CLI is working out of the box
If you want to have SAMBA support you can configure this or wait for cipux-samba
which might release with 3.2.12
You should skip the following
cipux-deploy
cipux-client
cipux-notifier
> As a second step, these three (if that is correct) source packages should be
> uploaded to debian-edu and debian.
>
> Also, I have to admit, I have not fully understood the CipUX architecture:
> quoting from the wiki-page: "CipUX is made up of several parts: on bottom is
> the LDAP server. On top of that, the LDAP abstraction layer CipUX::?CiBot can
> be found. Then the CipUX::Task module delivers daily administration task
> functions to different institutions: (1) The graphical CAT user interface.
> (2) The CipUX shell command line, and (3) the RPC daemon."
>
> So what we really want/need for Debian-Edu is CipUX/CAT. Correct? And
> CipUX/CAT is the php frontend to CipUX?
cipux-cat-webmin is the full blown up Admin Tool normally CAT
cipuxPHP (alias cipux-cat-moodle) is a subset
cipux_task is the commandline interface
> This php frontend (if I understand the architecture correctly) has received a,
> IMO, quite scary security review, which conclusion was, to better rewrite it
> from scratch. And this needs a documentation of the CipUX-PRC API, as
> documented in http://wiki.debian.org/DebianEdu/CipUX/Requests
Well the task command line API is the CipUX RPC API minus one parameter. So
it can be calculates automatically. See cipux_task_* at http://man.cipux.org
> Also Cipux itself probably needs a security review... but at the moment I want
> to understand the automatic installation on etch first. And maybe someone
> else can do the review while I can help making the automatic installation
> (and configuration) in Debian-Edu/etch possible :-)
A security review is alway a good thing. Klaus Knopper had made a review of
cipux-rpc. Morten Werner Olsen has also made some comments which are alls
corred. More are welcome.
> The requiered features to have a replacement for webmin are (just discussed at
> the debian-edu devel meeting in Oslo):
> - administrate the user-data which is kept in LDAP
> - easy to use (for teachers, not kernel hackers)
> - usable from remote from any desktop
>
> It seems this requirements are also met by GOSA (used by the LiMuX-project
> (linux in the city of munich) and phpldapadmin (and maybe others, any hints?).
This is an LDAP browser and not customized for teachers.
> These tools have the advantage, that they are allready included in Debian,
> but need to be tweaked to work with our LDAP schema and probably made a bit
> easier to use (by disabling some unused features) - but this is only package
> configuration.
>
> Screenshots are available at https://gosa.gonicus.de/ and
> http://phpldapadmin.sourceforge.net/screenshots.php
>
> (I cannot really say something about the moodle integration, which is
> done/possible with CipUX. But, IMHO, this is a new feature. What we really
> need (first), is a replacement for webmin. A better webmin is nice to have,
> but not a must. And I would also appreciate help to answer the question, what
> "moodle integration" really means.)
cipux-cat-apache can be a solution, because it uses most of the functionallity
an 90% of the code of cipux-cat-webmin but without root privileges.
> Also I noted the #cpiux meeting is scheduled tomorrow at 18 UTC, which is one
> hour after the debian-edu meeting has started (where we will discuss the
> webmin replacement issue). Hopefully these schedules fit together...
>
> And I'm sorry not to have investigated this issue earlier... because I see
> a scenario I completly dislike:
>
> 1. packaging CipUX takes very long (read: too long for our release plan to
> release shortly after debian/etch has been released) and (maybe) the
> resulting packages will not be accepted into debian-edu because of security
> issues.
Then make a review. This offer is on the table since January.
> 2. the debian-edu developers invest time and work to make gosa or phpldapadmin
> usuable as a replacement for webmin.
>
> 3. the french and german team are annoyed (because they worked for nothing and
> the gosa/phpldapadmin solution doesnt satisfies their needs) and release a
> add-on cd for debian-edu which includes CipUX.
This could happen. Because there are schools in Germany which looked at other
Admin tools (Gosa, gq, ...), but want some role based customized tools. It is
not just a different view to a LDAP server. You should look at the feature list
of CipUX.
> I don't want this too happen! And I will definitly be happy with CipUX, if the
> result of the security review(s) are put into practice. As I will be happy
> with any other software, which meets our requirements, the DFSG, is ready in
> time and is supportable security-wise.
I also would like to support you in every way I can do.
Yours
Christian
Reply to: