Kurt Gramlich wrote:
> * Steffen Jöris <[EMAIL PROTECTED]> [070403 13:23]:
>
>> The current point which needs to be discussed is the use of the
>> cipux-rpc.postinst script. This script calls various cipux commands (or a
>> cipux command which calls another cipux command ...) which in the end fills
>> in LDAP data. Note that I did not completely examine the script, so somebody
>> else might want to give an explanation here. My personal understanding is,
>> to put it into a nutshell, that cipux needs to fill in the LDAP data with own
>> attributes in order to function. I would consider this as a violation of the
>> debian policy, because it adds (without noticing) ldap data which no admin
>> would expect while installing it and it gets not removed during a purge.
>
> Not ldap data but it builds up a ldap tree. Regard CipUX with its
> functions more as a replace for webmin as a replace for wlus.
>
> AFAIK DebianEdu configures his own LDAP tree since we are using
> Openldap.

If this could then be done in debian-edu-config instead, and cipux just
provided the sample scripts, then I guess cipux could be closer to be
included into debian(-edu). Cipux also messes with the configuration file
of slapd, giving cipuxadm complete control over the ldap-tree, then saves
the password in cleartext on the main-server.

> Did you test that it gets not removed during a purge?
>
>> The question here would be, if this is really a violation, if so how can it
>> be avoided or in a drastical case, do we want to ignore it and consider it a
>> special case, which is possible through our policy[1], but strongly not
>> recommended and should only be a temporary solution.
>
> To build up a ldap tree has to be, anyway which one. Without you
> are not able to use ldap.

Yes, it's possible to make a package that is both debian-compliant, and
that let you administer users in ldap. But you need a setup tool to make
it possible, then you need to run that script afterwards. lwat will manage
that for you, and I guess it could be possible for cipux as well.
On the other hand, you need to edit both nsswitch.conf, pam_ldap.conf and
libnss-ldap.conf and the files under /etc/pam.d/ to make the accounts work.

>> My question now is concerning debian-edu, is it really necessary to change
>> the LDAP data and if so why?
>
> Yes, because our users need it. We will fulfill the needs of our
> users.

>> Is there any backwards compatibility with the old LDAP data, e.g. will the
>> old users show up or can an admin just insert an old ldap backup and
>> everything works?
>
> Would be nice to have.
>
>> Do we care about backwards compatibility or how do we want to offer
>> Debian-Edu/Skolelinux 3.0 and keep the admin effort to a minimum while
>> upgrading to the new version?
>
> Yes we care, if the manpower is enough to do it.

Well, no-one managed to get a working solution into debian-etch before the
window closed. So we don't have the manpower.
Why is it then best to use a solution that requires some customized setup,
and without an upgrade-path for existing installations?

-- 
Finn-Arne Johansen
[EMAIL PROTECTED] http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642

