
Re: Is LWAT completely broken in Squeeze?



On 24. aug. 2010 02:26, Andreas B. Mundt wrote:
>> 2. The addition of kerberos calls for some hooks. gosa tries to solve
>> this by setting passwords using sudo, which thankfully fails, or else
>> everyone with access to the auth-file could read all the passwords given
>> to each user. not that much of a problem if the user changes the
>> password using pam, but if the user changes to h*s favourite password
>> using gosa, the admin can look this up. I'll try to write some php code
>> to store the kerberos password from within lwat, but I can see some
>> conflicts if something fails during password changes. (not sure why
>> things changes)
> 
> I am not sure what you mean with the "auth-file". If you mean /var/log/auth.log,
> there should be no logging of passwords etc. by gosa sudo calls. Logging is switched off in
> <URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/ldap-bootstrap/sudo.ldif>. 
> Doesn't this work anymore?

Well, I had a lot of lines in the log with usernames/passwords when
creating users. Maybe it was because I had added a user in /etc/sudoers?

>> 4. is the mail setup of debian-edu changed? Looks like everything is
>> sent to /var/mail/<uid>. Also courier is replaced by dovecot. Is the
>> dovecot setup working?
> 
> <URL:http://lists.debian.org/debian-edu/2010/05/msg00180.html>
> The mail setup with dovecot worked fine the last time I tested
> it. Users can authenticate to the imap server using their kerberos
> ticket. When sending mails, it is checked that sender's address
> corresponds to the principal. 

Fine, I'll check later, but I take your word for it.

> Finn-Arne, I guess it would be quite helpful for the project if you
> could outline what your short- and long-term plans regarding LWAT are.

The goal for lwat was to create a usable Ldap Web Administration tool,
and that's still the goal. And if you install lwat on a (non-debian-edu)
server that uses ldap for authentication, it's still a helpful tool.

...

> Have you ever thought about adding a plugin to GOsa which adds the
> features special to schools' use cases? With that approach, the code
> that needs your maintenance might be smaller, and by sharing it with
> others, everybody might profit in the end?

I looked at several tools years ago, including gosa, and found that it
didn't fill the need for debian-edu, at least not my customers. Given
the audience of debian-edu in Norway, I'm still not sure that gosa will
fit.

To answer the original question:
 Is LWAT completely broken in Squeeze?
The answer is no.
There have been changes in the setup in debian-edu, which call for
a (slightly) different config-file for lwat, and for new templates.

I think these changes were introduced in May, after that we've had a rather
busy period. But I hope we are not the only people in the project that
understand ldap?

// faj

