* Andreas Schuldei ([EMAIL PROTECTED]) [040816 17:58]:
> in week 34 i plan to
> - improve the cerebrum package some more.

this did not happen. for some reason the cerebrum developers did not reply to petter's mail, either... :-(

> - supply a patch for upstream's fix_ldif (in the debian openldap
>   package), as requested by the openldap maintainers.

done. some discussion followed, but nothing specific has happened yet. merging the patches was smooth with kdiff3. i can recommend it for merging and generating patches.

> - install afs and kerberos on my home server and get some feeling
>   for it.

this was very interesting and educating. i was/am doing this together with Roland Bauerschmidt ([EMAIL PROTECTED]) who knows kerberos pretty well and is visiting right now.

This is what we learned:

- the afs module in the kernel sources is manure.
- afs is quite powerful: it can replicate (to a limited extent), and seems to handle even funny filetypes (in contrast to what i heard earlier), is designed for security, ... etc
- debian-edu relevant problems could be that every one of the three systems (ldap, kerberos and afs) needs/wants its own user (machine, group) database. (this is what cerebrum was designed for and could solve elegantly, once interfaces to these systems were implemented.)
- the configuration is not trivial. in fact we only managed to install it partly on roland's notebook until now, not on my workstation or server. We are in contact with the high powers of AFS to isolate the problem and rectify it.
- afs could perhaps replace samba, since there is a windows driver and an afs login dll (which is still incomplete and not bugfree). samba would not work with afs, since it can not hold afs authentication tokens and thus could not read files and serve them. (this could be worked around by using samba with pam and transmitting the password in the clear over the network but that would be laughable after using high-grade security apps like kerberos and afs.)
- posix groups do not work as filesystem ACLs on afs. this is important since we designed the whole filesharing system around posix groups. one would need to use AFS's own, more advanced and flexible ACLs. One could emulate the posix ACLs, though. This could be a job for cerebrum, again. This would partly(?) nullify the need for so many posix groups (and require ACL groups instead).

In conclusion: we would have a highly secure, easy to use system if we managed to combine afs, kerberos, ldap and cerebrum (as the glue between them). this would put us in a unique position since many people (of big/important/secretive companies/organisations) are looking for such a solution. Are we too ambitious?

besides the above

- the social security and tax stuff was sorted out, finally
- i hacked on wlus and released a new version -17
- i continued to sort out oldenburg-devcamp stuff (with joeyh)
- sorted out the trip to oslo
- uploaded some packages to the debian archive
- sorted out the trip to oldenburg

