UDS Maverick: Call for Blueprints for Ubuntu Server

Adam Sommer asommer70 at gmail.com
Wed Apr 28 18:14:25 UTC 2010


On Wed, Apr 28, 2010 at 1:55 PM, Andreas Hasenack <andreas at canonical.com> wrote:

>
> I think the goal should be to get a starting point that helps newbies to
> at least *see* something when they point an ldap client to the server,
> and also allow more seasoned admins to build upon that tree.
>
> For me, that means:
> - we need a database configured (indexes, checkpoints, caches,
> DB_CONFIG, etc)
> - we need a tree root
> - seems like ou=People and ou=Group are pretty common and we should also
> have them at least
> - basic ACLs to protect content that is not even there yet (like
> userPassword, krb5key, samba hashes, etc)
> - basic ACLs to allow for group-delegated based administration
> - an admin group, with a member for whom we have a password. This member
> is what the user should use. This concept of administration group
> resonates quite nicely with the default ubuntu sudo setup.
>
> It's because of this group based administration that I chose RFC2307bis,
> because it allows me to use the refint overlay and automatically update
> the group memberships if the user is removed from the tree, or has
> his/her name changed, etc.
>
> We can build upon that. A sudo-ldap package, for example, could detect
> that this tree is in place and offer to:
> - add the sudo schema (assuming it was not added by the openldap-dit
> base package)
> - create ou=sudoers and add the group based administration acls (if not
> part of the default dit)
> - perhaps even migrate an existing /etc/sudoers to ldap if so desired
> (there are scripts for that)
>
> The above can all be done dynamically at postinst, because we have
> cn=config, if the package is installed on the same machine as the ldap
> server. If not, then it would need ldap credentials to make these
> changes over the network, but even so it could work.
>


I totally agree. I think doing all that for Lucid would be a great thing for
new users to OpenLDAP and Ubuntu.



>
> In karmic, openldap-dit triggers a bug in slapd which starts consuming
> 100% cpu and hangs. I filed a LP bug with a patch, and it was applied to
> lucid, but not to the karmic package yet (#485026). It's one of the
> problems (or risks, should I say) of using these many overlays.
> Sometimes a specific combination of them triggers a bug, like that case.
>

Ya, it gets complicated pretty quick once you start adding multiple schemas
and ACLs :-). I guess when that happens the tool should fail gracefully and
maybe point to documentation on how to manually add the required objects to
your tree.

I would really like to see OpenLDAP be a great selling point for Ubuntu
Server, and should have time this cycle to help out developing, testing, or
whatever needs to be done.

-- 
Party On,
Adam
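As an added example, not taken from the thread, from openldap-dit or from any Ubuntu package, here is an LDIF sketch of the pieces Andreas lists: the refint overlay enabled on the database, ACLs that lock down password-class attributes before any such data exists, a group-delegated admin ACL, and the ou=People / ou=Group skeleton with an admin group whose one member has a password. The suffix dc=example,dc=com, the database DN olcDatabase={1}hdb,cn=config, the admin account uid=ldapadmin and the group cn=admins are all assumptions chosen for the example.

```ldif
# Added example, not from the thread or any package. Assumed values:
# suffix dc=example,dc=com, database olcDatabase={1}hdb,cn=config
# (this is what a Lucid-era slapd creates; newer releases use {1}mdb),
# admin user uid=ldapadmin and admin group cn=admins.
#
# ---- Part 1: cn=config changes, applied as root over ldapi:// with
#      ldapmodify -Y EXTERNAL -H ldapi:/// -f part1.ldif

# Load the refint overlay module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint

# Enable refint on the database so that "member" values are rewritten
# when a user entry is renamed and removed when it is deleted; this is
# the reason the thread gives for choosing RFC2307bis-style groups.
# olcRefintNothing is the DN substituted when a group would otherwise
# be left with no member at all.
dn: olcOverlay=refint,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: member
olcRefintNothing: cn=admin,dc=example,dc=com

# ACLs. Rule {0} protects credential attributes even though no entry
# carries them yet: the admin group may manage them, the owner may
# change their own, anonymous may only use them to bind, nobody else
# sees them. Rule {1} is the group-delegated administration rule.
# Every attribute named in attrs= must be defined in a loaded schema
# (krb5Key, sambaNTPassword, etc. need their schemas loaded first, or
# slapd rejects the ACL); add them to the list once those schemas are in.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by group.exact="cn=admins,ou=Group,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by group.exact="cn=admins,ou=Group,dc=example,dc=com" write
  by * read

# ---- Part 2: the tree itself, applied with the rootdn credentials:
#      ldapadd -x -D cn=admin,dc=example,dc=com -W -f part2.ldif

dn: dc=example,dc=com
changetype: add
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

dn: ou=People,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Group

# The one member of the admin group for whom a password is set.
# Replace the placeholder with real slappasswd output before loading.
dn: uid=ldapadmin,ou=People,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
uid: ldapadmin
cn: LDAP Admin
sn: Admin
userPassword: {SSHA}PLACEHOLDER-replace-with-slappasswd-output

# groupOfNames with a "member" attribute (RFC2307bis style) rather than
# posixGroup with memberUid, so refint can keep it consistent.
dn: cn=admins,ou=Group,dc=example,dc=com
changetype: add
objectClass: groupOfNames
cn: admins
member: uid=ldapadmin,ou=People,dc=example,dc=com
```

Two points worth checking after loading this. First, `replace: olcAccess` discards whatever ACLs the database already had, so read the existing `olcAccess` values back with `ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess` before applying Part 1 and merge rather than overwrite if anything there matters. Second, the ordering matters: the credential rule must carry index {0}, because `to *` in {1} would otherwise grant anonymous read of userPassword hashes; a quick `ldapsearch -x -b dc=example,dc=com userPassword` as an anonymous client should return entries with no userPassword attribute at all.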