Differences between revisions 1 and 2
Revision 1 as of 2008-10-17 21:15:41
Size: 6052
Comment: draft
Revision 2 as of 2008-10-20 16:26:21
Size: 7046
Comment: update and translate to english
Line 16: Line 16:
|| ||'''Task''' ||'''Status'''||
|| 0) || We use the hole Skolelinux LDAP tree || ||
|| 0.a) || Install Skolelinux, create image (t0)|| Link to image t0 ||
|| 0.b) || Funktionstest von Windows Clients: Koennen die an die Domaene angeschlossen werden? Image (t1) Wenn das funktioniert, restore von Image (t0) || Link to Image t1 ||
|| 0.c) || Wenn wir wissen dass t0 OK ist, dann Installation von CipUX aus Paketen oder SVN. Davon unbedingt Image (t2) || Link to image t0 ||
|| 0.d) || Pam Konfiguration sollte weitestgehend entfallen. || ||
|| 0) || We use the hole Skolelinux LDAP tree || ||
|| 1) || Wenn keine cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no vorhanden ist: anlegen mit LDIF.|| ||
|| ||=> Die Gruppe ist auf Skolelinux 3.0r1 vorhanden, braucht nicht angelegt zu werden.|| ||
|| ||=> Egal ob Gruppe da war oder neu ist. Eine LDIF Datei im CipUX SVN speichern.|| ||
This task are for Skolelinux/Debian-Edu:

|| ||'''Task''' ||'''Status''' ||
||<#7fa0cf>0||<#7fa0cf>Basic infrastructure ||<#cf7fa0>accomplished||
||0.1 || We use the hole Skolelinux LDAP tree ||<#a0cf7f>OK ||
||0.2 || Install Skolelinux ||<#a0cf7f> installed ||
||0.3 || create image (t0) from Skolelinux ||<#cf7fa0>link to t0 ||
||0.4 || Functional test of Skolelinux: Can Clients join domain? ||<#cf7fa0> yes ||
||0.5 || If yes: create image (t1) ||<#cf7fa0> restored ||
||0.6 || If yes: restore to image (t0) ||<#cf7fa0> yes ||
||0.7 || Is t0 OK? ||<#cf7fa0> yes ||
||0.8 || yes t0 is OK: install SVN CipUX ||<#cf7fa0> installed ||
||0.9 || if t0 OK: create image (t2) from Skolelinux SVN CipUX ||<#cf7fa0> link to t2 ||
||0.10 || Pam should already be configured ||<#a0cf7f> OK ||
||<#7fa0cf>1||<#7fa0cf>Admin Group ||<#a0cf7f>accomplished||
||1.1 || Exists cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no? ||<#a0cf7f> yes ||
||1.2 || If no, create it with LDIF ||<#a0cf7f> created ||
||1.3 || save the LDIF of that account in SVN ||<#a0cf7f> link ||
||<#7fa0cf>2||<#7fa0cf> CAT administrator "cipadmin" ||<#cf7fa0>accomplished||
||2.1 || create that account via LDIF with relevant samba attr. || created ||
||2.2 || The account has all samba entries || yes ||
||2.3 || The account has all CipUX entries || yes ||
||2.4 || save LDIF in SVN || link ||
||2.5 || add "cipadmin" to "admins" via LDIF || added ||
||2.6 || save the LDIF in SVN || link ||
||2.7 || "cipadmin" can be used to add win clients to domains || yes ||
||<#7fa0cf>3||<#7fa0cf>Adoption of CipUX installation on Debian-Edu ||<#cf7fa0>accomplished||
||3.1 || The trust account for CipUX under DebianEdu is cn=admin || OK ||
||3.2 || Can cn=admin access all needed attributes: check ACL. || yes ||
||3.3 || Create a different cipux-storage-structure.conf || created ||
||3.4 || Change releven RDN in this file ou=User -> ou=People || OK ||
||3.5 || save this in SVN as an example for Debian-Edu || link ||
||3.6 || create a seperate cipux-storage-access.conf || created ||
||3.7 || change the Tree in this file: || OK ||
||3.8 || change or check the URL in this file || OK ||
||3.9 || save this in SVN as an example for Debian-Edu || link ||
||<#7fa0cf>4 ||<#7fa0cf>Some PAM tests: check ... ||<#cf7fa0>accomplished||
||4.1 || ... if "id admins" works || OK ||
||4.2 || ... if "id cipaadmin" works || OK ||
||4.3 || ... if "cipadmin" is in "admins" group || OK ||
||4.4 || ... if cipadmin can login from console (not terminal) || OK ||
||4.5 || ... if cipadmin can add a windows machines to a domain || OK ||
||4.6 || ... if he can make image (t3) || OK ||
||4.7 || save valid machine account as LDIF in SVN || link ||
||<#7fa0cf>5 ||<#7fa0cf> Samba Users ||<#cf7fa0>accomplished||
||5.1 || add samba LDAP configuration cipux-samba.conf ||<#cf7fa0>OK||
||5.2 || add 3 auto calc subs to CipUX::Object::Action::Create ||<#cf7fa0>OK||
||5.10|| Check if ... ||<#cf7fa0>OK||
||5.11|| ... samba user is created, if cipux-samba is installed ||<#cf7fa0>OK||
||5.12|| ... users are indentical to Skole execpt additional CipUX attr.||<#cf7fa0>OK||
||5.13|| ... no samba user is creaed, if cipux-samba is not installed ||<#cf7fa0>OK||
||5.14|| ... id <LOGIN> works ||<#cf7fa0>OK||
||5.15||... login with such a user on a windows (within a domain) works ||<#cf7fa0>OK||
||<#7fa0cf>6||<#7fa0cf> Samba Groups ||<#cf7fa0>accomplished||
||6.1 || add samba LDAP configuration cipux-samba.conf (if any) ||<#cf7fa0>OK||
||6.2 || find a solution for exporting created groups with samba ||<#cf7fa0>OK||
||6.3 || TODO? ||<#cf7fa0>OK||
||6.4 || TODO? ||<#cf7fa0>OK||
||6.5 || TODO? ||<#cf7fa0>OK||
||6.10||Check if ... ||<#cf7fa0>OK||
||6.11||... samba group is created if cipux-samba is installed ||<#cf7fa0>OK||
||6.12||... groups are indentical to Skole execpt additional CipUX attr. ||<#cf7fa0>OK||
||6.13||... no samba group is creaed, if cipux-samba is not installed ||<#cf7fa0>OK||
||6.14||... group shows up in PAM ||<#cf7fa0>OK||
||6.15||... if samba group exists, it should be exported to users who are member of this group||<#cf7fa0>OK||





== Todo for Future: ==
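Review bot: Row 4.2 checks "id cipaadmin", but the account created in 2.1 and tested in 4.3 to 4.5 is "cipadmin", so the check as written names a different login; change it to "cipadmin". Rows 6.3 to 6.5 list only "TODO?" as the task yet carry status OK, and 0.5 ("create image (t1)") has status "restored" while 0.6 ("restore to image (t0)") has "yes", which looks swapped. The numbering also jumps from 5.2 to 5.10 and from 6.5 to 6.10 without explanation.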
Line 27: Line 89:
||2) ||Wir nehmen einen neuen Benutzer ("cipadmin"), den wir|| ||
||a) ||per LDIF anlegen und ihn|| ||
||= ||> LDIF ins CipUܵX SVN|| ||
||b) ||per LDIF der cn=admins Gruppe zuordnen.|| ||
|| ||=> LDIF ins CipUܵX SVN|| ||
||c) || Diese Benutzer sollte alle relevanten Skolelinux und CipUX Schema beinhalten. Dieser Benutzer kann dann zum hinzufuegen von Windows Clients zur Domaenen benutzt werden. || ||
||d) || Dieser Nutzer sollte auch alle CipUX relevanten Eintraege haben, der ihn zu einem CipUX Admin macht. (Bitte unbedingt original CipUX cipadmin LDIF ansehen!)|| ||
|| ||=> In Zukunft oder sogar in dieser Woche sollte man die cipux admin object Konfiguration so erweitern dass "admin.cgi" solche Admins anlegt. (D.h. erstellen von admins, bzw. Samba Admins sollte dann per GUI gehen!)|| ||
|| 3) || Anpassung der CipUX Installation auf Skolelinux.|| ||
||a) ||In slapd.conf werden dem user "cn=cipuxadm" die Rechte, die er vorher auf dem CipUX Tree hatte jetzt fuer den Skolelinux Tree eingeraeumt.|| ||
||b) ||in cipux-storage-structure.conf werden die RDN auf Skole angepasst: ou=User -> ou=People|| ||
||c) ||In der cipux-storage-access.conf wird der Tree von ou=CipUX,dc=skole,dc=skolelinux,dc=no auf dc=skole,dc=skolelinux,dc=no geaendert.|| ||
||4) ||Es wird getestet ob:|| ||
||a) ||die cn=admins Gruppe per PAM existiert|| ||
||b) ||der user uid=cipadmin per PAM existiert|| ||
||c) ||Ob der user cipadmin in der Gruppe admins ist.|| ||
||d) ||Ob der user cipadmin sich auf der Konsole anmelden kann (nicht Terminal)|| ||
||e) ||Ob der user cipadmin einen Windows client der Domaene hinzufuegen kann.|| ||
||f) ||Wenn das geht image (t3) machen.|| ||
||g) ||LDIF an mich senden.|| ||
||5) ||Erweiterung der Konfiguration des object layers, so dass normale Samba user erzeugt werden, wenn CipUX::Samba installiert ist, sonst nicht.|| ||
|| ||Diese User sollen bis auf das zusaetzliche cipux Schema identisch sein mit einem Skolelinux Samba user.|| ||
||a) ||Testen ob solche user angelegt werden|| ||
||b) ||Testen ob sie in PAM auftauchen|| ||
||c) ||Testen ob man sich mit einem solchen User an einem Windowsrechner innerhalb der Domaene anmelden kann.|| ||
||6) ||Auch die Gruppen muessen das samba schema haben. Sonst koennen wir die Gruppen nicht als Shares zur Verfuegung gestellt werden. Dieses Schema muss in die Konfiguration von CipUX eingetragen werden. CipUX::Samba ist da die richtige Addresse.|| ||
||a) ||Testen ob das Samba schema in den Gruppen vorhanden ist, die mit CipUX angelegt wurden.|| ||
||b) ||Gruppen die mit CipUX angelegt wurden, sollten zu den Gruppen von Skolelinux identisch modulo cipux.schema sein.|| ||
||c) ||Testen ob die Gruppen in PAM existieren || ||
||d) ||Testen ob man user diesen Gruppen per GUI hinzufuegen kann || ||
||e) ||Wenn man sich als User an einer Windowsmaschine anmeldet sollte man seine Gruppe als Laufwerk mappen koennen. Manuelles mappen sollte also funktionieren, bzw. muss funktionieren, wenn wir es ausrollen.|| ||
||f) ||Das Automatische mappen wird i.d.R. per Net-Logon Bat Skript erledigt. Ich kenne die Loesung hierfuer fuer Skolelinux nicht. Das muss recherchiert werden.|| ||
|| ||Loesungen fuer CipUX 1.0 - 2.x diesbezueglich sahen immer so aus, dass ein crondjob userbezogen logon.bat Skripte erzeugte. Aber nach 3.x gab es auch andere Loesungen:|| ||
||a)|| Man ueberlaesst es der smb.conf (wie weiss ich nicht)|| ||
||b)|| Man macht ein grosses logon.bat skript fuer alle user. (unflexibel)|| ||
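Review bot: The removed row 3 a) granted a dedicated user "cn=cipuxadm" its former rights on the Skolelinux tree in slapd.conf, while the English replacement (3.1, 3.2) uses cn=admin as the trust account without saying why; state the reason in the table or keep the dedicated account so the CipUX bind identity holds only the rights it needs. The removed rows 6 d) to f) (adding users to groups via the GUI, manual drive mapping, and the still unresearched automatic mapping via a net-logon script) are reduced to 6.2 and 6.15 with status OK, so the open question about automatic mapping should be carried over to "Todo for Future".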

CipUX Samba

Status of the project:

||Name: ||cipux-samba ||
||Concept: ||ChristianKuelker ||
||Programmers: ||AlexejPastuchow ||
||Status: ||implementation ||
||Start: ||2008-05-22 ||
||End: ||2008-10-27 ||
||Planned-release: ||3.4.0 ||
||Alpha-release: ||- ||
||Beta-release: ||- ||
||Stable-release: ||- ||

These tasks are for Skolelinux/Debian-Edu:

|| ||'''Task''' ||'''Status''' ||
||0 ||Basic infrastructure ||accomplished ||
||0.1 ||We use the whole Skolelinux LDAP tree ||OK ||
||0.2 ||Install Skolelinux ||installed ||
||0.3 ||create image (t0) from Skolelinux ||link to t0 ||
||0.4 ||Functional test of Skolelinux: Can clients join domain? ||yes ||
||0.5 ||If yes: create image (t1) ||restored ||
||0.6 ||If yes: restore to image (t0) ||yes ||
||0.7 ||Is t0 OK? ||yes ||
||0.8 ||yes t0 is OK: install SVN CipUX ||installed ||
||0.9 ||if t0 OK: create image (t2) from Skolelinux SVN CipUX ||link to t2 ||
||0.10 ||PAM should already be configured ||OK ||
||1 ||Admin Group ||accomplished ||
||1.1 ||Exists cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no? ||yes ||
||1.2 ||If no, create it with LDIF ||created ||
||1.3 ||save the LDIF of that account in SVN ||link ||
||2 ||CAT administrator "cipadmin" ||accomplished ||
||2.1 ||create that account via LDIF with relevant samba attr. ||created ||
||2.2 ||The account has all samba entries ||yes ||
||2.3 ||The account has all CipUX entries ||yes ||
||2.4 ||save LDIF in SVN ||link ||
||2.5 ||add "cipadmin" to "admins" via LDIF ||added ||
||2.6 ||save the LDIF in SVN ||link ||
||2.7 ||"cipadmin" can be used to add win clients to domains ||yes ||
||3 ||Adaptation of CipUX installation on Debian-Edu ||accomplished ||
||3.1 ||The trust account for CipUX under DebianEdu is cn=admin ||OK ||
||3.2 ||Can cn=admin access all needed attributes: check ACL. ||yes ||
||3.3 ||Create a different cipux-storage-structure.conf ||created ||
||3.4 ||Change relevant RDN in this file: ou=User -> ou=People ||OK ||
||3.5 ||save this in SVN as an example for Debian-Edu ||link ||
||3.6 ||create a separate cipux-storage-access.conf ||created ||
||3.7 ||change the Tree in this file: ||OK ||
||3.8 ||change or check the URL in this file ||OK ||
||3.9 ||save this in SVN as an example for Debian-Edu ||link ||
||4 ||Some PAM tests: check ... ||accomplished ||
||4.1 ||... if "id admins" works ||OK ||
||4.2 ||... if "id cipadmin" works ||OK ||
||4.3 ||... if "cipadmin" is in "admins" group ||OK ||
||4.4 ||... if cipadmin can login from console (not terminal) ||OK ||
||4.5 ||... if cipadmin can add a Windows machine to a domain ||OK ||
||4.6 ||... if he can make image (t3) ||OK ||
||4.7 ||save valid machine account as LDIF in SVN ||link ||
||5 ||Samba Users ||accomplished ||
||5.1 ||add samba LDAP configuration cipux-samba.conf ||OK ||
||5.2 ||add 3 auto calc subs to CipUX::Object::Action::Create ||OK ||
||5.10 ||Check if ... ||OK ||
||5.11 ||... samba user is created, if cipux-samba is installed ||OK ||
||5.12 ||... users are identical to Skole except additional CipUX attr. ||OK ||
||5.13 ||... no samba user is created, if cipux-samba is not installed ||OK ||
||5.14 ||... id <LOGIN> works ||OK ||
||5.15 ||... login with such a user on Windows (within a domain) works ||OK ||
||6 ||Samba Groups ||accomplished ||
||6.1 ||add samba LDAP configuration cipux-samba.conf (if any) ||OK ||
||6.2 ||find a solution for exporting created groups with samba ||OK ||
||6.3 ||TODO? ||OK ||
||6.4 ||TODO? ||OK ||
||6.5 ||TODO? ||OK ||
||6.10 ||Check if ... ||OK ||
||6.11 ||... samba group is created if cipux-samba is installed ||OK ||
||6.12 ||... groups are identical to Skole except additional CipUX attr. ||OK ||
||6.13 ||... no samba group is created, if cipux-samba is not installed ||OK ||
||6.14 ||... group shows up in PAM ||OK ||
||6.15 ||... if samba group exists, it should be exported to users who are members of this group ||OK ||

Todo for Future:

=> In the future, a new CipUX object or a CipUX object extension must be created in the configuration files, with which these admin groups can be created. For the moment we can leave this hard-coded.