On Saturday, 08 May 2010, 14:42:48, Andreas B. Mundt wrote:
> Hi,
>
> many thanks for all the answers and hints so far! I will reply to them
> soon, but first a technical question that just came up when I
> excitedly started to make a first draft implementation:
>
> To avoid having the user to click through the gosa builtin
> "configurator" after installing the system, it would be nice to
> prepare gosa already during system installation of our main-server.
>
> The idea is to prepare a gosa.ldif which contains all needed to start
> (dropped into ldap) in combination with the corresponding configuration
> gosa.config.
>
> In gosa.config, timezone and language have to be modified during
> install, as well as ldap and gosa-admin password(-hashes).
>
> For the ldap tree, I guess most parts are straightforward, but how
> can I create the gosaAclEntry? I suspect it has to correspond to the
> gosa-admin (called ldapadmin below). Below you find a draft
> ldif. $ROOTPW is replaced by the password hash during installation.

The ACL entry below keeps a comma separated list of base64 encoded DNs and the final access rights that this one gets. If the dn never changes (i.e. it is always a fixed user inside of your skolelinux tree), you never have to change that.

We do it the same way with FAI based "initial" installs. All you need is a working gosa.conf, slapd.conf, schema in the right place and a slapadd for the minimalistic base ldif. You can go further and make the base configurable, too. But this is a bit more complicated in case of unicode bases.

It would be a good idea to add some acl roles to this base ldif, so that users don't have to bother with creating ACLs directly. They can just choose from a predefined ACL set. This is shown in the ACL screencast of https://oss.gonicus.de/labs/gosa. I mean: students should be able to change their passwords, teachers may not be able to do "too much" and superadmins are the most skilled teachers ;-)

Cheers,
Cajus

