
Re: [GOsa] configuring gosa during system installation



On Saturday 08 May 2010, 14:42:48, Andreas B. Mundt wrote:
> Hi,
> 
> many thanks for all the answers and hints so far! I will reply to them
> soon, but first a technical question that just came up when I
> excitedly started to make a first draft implementation:
> 
> To avoid having the user click through the gosa builtin
> "configurator" after installing the system, it would be nice to
> prepare gosa already during system installation of our main-server.
> 
> The idea is to prepare a gosa.ldif which contains all needed to start
> (dropped into ldap) in combination with the corresponding configuration
> gosa.config.
> 
> In gosa.config, timezone and language have to be modified during
> install, as well as ldap and gosa-admin password(-hashes).
> 
> For the ldap tree, I guess most parts are straightforward, but how
> can I create the gosaAclEntry? I suspect it has to correspond to the
> gosa-admin (called ldapadmin below). Below you find a draft
> ldif. $ROOTPW is replaced by the password hash during installation.

The ACL entry below keeps a comma-separated list of base64-encoded DNs and 
the final access rights that this one gets. If the DN never changes (i.e. it is 
always a fixed user inside of your skolelinux tree), you never have to change 
that.

We do it the same way with FAI based "initial" installs. All you need is a 
working gosa.conf, slapd.conf, schema in the right place and a slapadd for the 
minimalistic base ldif. You can go further and make the base configurable, too. 
But this is a bit more complicated in case of unicode bases.

It would be a good idea to add some acl roles to this base ldif, so that users 
don't have to bother with creating ACLs directly. They can just choose from a 
predefined ACL set. This is shown in the ACL screencast of 
https://oss.gonicus.de/labs/gosa.

I mean: students should be able to change their passwords, teachers may not be 
able to do "too much" and superadmins are the most skilled teachers ;-)

Cheers,
Cajus
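
Added example, not part of the original message and not GOsa's own code: a sketch of the member list described in the reply (comma-separated, base64-encoded DNs), with a check an installer could run to confirm the list names only the intended admin DN. The function names and sample DNs are constructed for illustration; the rest of the gosaAclEntry value (the access rights) is not modelled here.

```python
import base64
import binascii

def encode_members(dns):
    """Comma-separated base64 of each DN, encoded as UTF-8 so that
    non-ASCII bases survive inside an ASCII-only field."""
    return ",".join(
        base64.b64encode(dn.encode("utf-8")).decode("ascii") for dn in dns
    )

def decode_members(field):
    """Recover the DNs; reject tokens that are empty, not strict base64,
    or not valid UTF-8 instead of silently skipping them."""
    dns = []
    for token in field.split(","):
        try:
            dn = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"bad member token {token!r}") from exc
        if not dn:
            raise ValueError("empty member token")
        dns.append(dn)
    return dns

def _norm(dn):
    # Simplified comparison form: lower-case, trimmed RDNs.
    # Does not handle escaped commas inside attribute values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def grants_only(field, expected_dns):
    """True only if the member list names exactly the expected DNs."""
    found = sorted(_norm(dn) for dn in decode_members(field))
    return found == sorted(_norm(dn) for dn in expected_dns)

# Constructed sample DNs ("ldapadmin" is the admin name used in the thread;
# the bases, including the non-ASCII one, are made up for this example).
ADMIN_DN = "cn=ldapadmin,ou=people,dc=example,dc=org"
UNICODE_DN = "cn=ldapadmin,ou=people,o=Grundschule Köln,dc=example,dc=org"

if __name__ == "__main__":
    field = encode_members([ADMIN_DN, UNICODE_DN])
    print(field)
    print(decode_members(field))
    print(grants_only(field, [ADMIN_DN]))  # False: a second DN is present
```
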

