[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [GOsa] Netgroups and ACL's


(cc debian-edu to allow for comments/discussion/additions)

On Fri, May 07, 2010 at 12:41:26PM +0200, Benoit Mortier wrote:
> Le Friday 07 May 2010 12:03:00 Andreas B. Mundt, vous avez écrit :
> > On Wed, May 05, 2010 at 02:08:00PM +0200, Cajus Pollmeier wrote:
> > > Am Mittwoch 05 Mai 2010 13:55:35 schrieb Gerrard Geldenhuis:
> > > >  An email thread in April stated that Netgroups were not supported.
> > > > Is that a "not yet" or is the view that you can achieve the same
> > > > result by using ACL's.
> > >
> > > They are not supported means: if someone has time or wants to start a
> > > payed project, netgroups are "not yet" supported ;-)
> > you can find an experimental hack (probably horrible for someone who
> > knows php) to add "some" support here:
> >
> >     http://lists.debian.org/debian-edu/2010/04/msg00124.html
> - First there will be a GOsa² in squeeze, currently working on it, it will 
> be 2.6.10 i think
> - Second i'am interested in making GOsa² work with skolelinux could you 
> enter a whislist in the gosa tracker with a you findings and explaning 
> what should be done
> - Third  of course you are welcome on the #gosa on freenode to discuss 
> it ;-)

Hello Benoit,

first, I am really happy about you offering support! (I've seen you are
involved in the debian ldap package aswell: #512360, so that's exactly the
competence we need here :)).

Perhaps I start with describing the current situation from my point of
view (others please add/correct what's missing or I got wrong):

In debian-edu lenny we use lwat for administration of the System. Lwat
has been written especially for skolelinux/debian-edu, this means it's
targeted at the basics you need to add/remove users (students and
teachers) (posix-) groups and machines. The machines have to be added
to LDAP to use their (static) IP addresses for access control. 

The major advantage of LWAT is it's simplicity: At many schools there
is a teacher who rarely knows about ldap at all and is easily
overwhelmed by hundreds of attributes and features. (The "job" has to
be done often by maths-, or physics- teacher because their colleagues
from history or languages expect them to understand technology best).
So there is no professional sysadmin, and the teacher's standard
workload is reduced by one or two hours per week if reduced at all,
i.e. he cannot spend much time learning how to get the system
started. (And school starts already just after the vacations... ;-) ).

Unfortunately LWAT seems to retire upstream as well as in debian:
For sure this can be fixed (again), but I already spent some
amount of time and energy on LWAT and by now prefer to put this time
into something that promises more returned value in the long run.   

At this point GOsa² comes into play. So far, I tried to kind of "strip it
down" to the basics needed at school. I did this by simply not
installing plugins or commenting them in gosa.config. I guess user and
group management should work out of box, what's missing compared to
LWAT is the machine management: We can assign netgroups to machines:
For example when a machine is member of the "shutdown-at-nigth"
netgroup, a script halts that machine in the evening. More important
netgroups allow mounting the home directory etc. Currently this is
essential, therefore the hack mentioned above.

The good news is, as pointed out by Petter (
http://lists.debian.org/debian-edu/2010/05/msg00025.html ) that this
might not be needed in the future where we plan to use kerberos. 
Of course grouping of machines would be nice, to define
"shutdown-at-nigth" and "fsautoresize"-hosts. (I would expect that 
something like that is already somewhere in gosa, but perhaps in
combination with a hundred other features :( ....).    

Many features GOsa² offers are probably not needed, ACLs, References,
Environment, I guess that gets too complicated and confusing. (Can
these tabs be "switched off"?). Our (little) users usually just change
their password :). (I think there is a junior-admin group currently with
limited admin rights, but that's all). As Holger pointed out on IRC a
some days ago: fai might be interesting: install a package on all

There are probably some more ideas and thoughts around- please add
them (I am involved with the project for not too long and there are
many with much more experience and knowledge).

Ok, so far; I hope I could draw a picture what's currently needed and
planed. Do you think GOsa² makes sense for us and can be adopted for
our needs?

To finish, a concrete question concerning the various passwords in ldap
(posix, samba, kerberos): How is the synchronization usually done,
with scripts, ldab overlay (smbk5pwd), or can gosa help here too?

Best regards,


Reply to: