Re: Ping: Re: Cooperation between DebianEdu/Skolelinux and EdUbuntu ?
On Thu, Aug 12, 2010 at 08:07:27AM +0200, Martin Oehler wrote: > > I warmly welcome an Ubuntu developer helping package Skolelinux-RLP > > stuff to be usable for all Debian derivatives and Debian itself. > > Correct, but why should we care where her or he does his main open source > work? Because fixing a problem at the root is more clever than doing it over and over again after an upgrade Ubuntu to recent Debian sid status? Anybody is free to spend his time and if he likes repeating the work to always apply the same patch or whatever change which is needed it is fine for me. But for those few people who are to lazy to do this there is the option to fix the problem in Debian and be done with it for the next Ubuntu for from sid. Ahh, and by the way: *I* care to some extend how other people spend their time on a common project. It's called education if I try to propagate some experiences I have made. Kind regards Andreas. -- http://fam-tille.de -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100812080049.gb28...@an3as.eu
Re: Idea for enabling LDAP SSL certificate checking
Den 12. aug. 2010 00:38, skrev Petter Reinholdtsen: > > Todays squeeze-test version of Debian Edu fail to make sure LDAP > clients verify that they are talking to the correct LDAP server. This > is a security risk and should be fixed before the release. > > I do not really know all the hairy details of SSL certificate > checking, but thanks the very useful TLS error messages from ldapvi, I > have been able to get an idea for how to be able to enable SSL > certificate checking for the LDAP connections in Debian Edu/Squeeze. > > ldapvi claim the certificate do not match the name of the server being > contacted. The name in the certificate is specified in > /etc/ldap/ssl/slapd-cert.cnf to "ldap", and the warning made me > suspect that perhaps the LDAP clients require the certificate to use > the FQDN now instead of the short name. > > This would force those trying to use a different DNS domain name for > their Debian Edu installation to create a new certificate for the LDAP > server, but I suspect that is unavoidable. > > This patch in debian-edu-config would change the certificate name: > > Index: etc/ldap/ssl/slapd-cert.cnf > === > --- etc/ldap/ssl/slapd-cert.cnf (revision 68196) > +++ etc/ldap/ssl/slapd-cert.cnf (working copy) > @@ -13,7 +13,7 @@ > L=Skolen > O=Ldap server > OU=Automatically-generated Ldap SSL key > -CN=ldap > +CN=ldap.intern > emailaddress=postmas...@ldap.intern > > > I tested this, and with I got 'ldapsearch -ZZ -x' working with > tls_certreq demand in /etc/ldap/ldap.conf and ldap://ldap.intern as > the URI in ldap.conf. 'ldapvi -ZZD '(cn=admin)' worked too, but nslcd > did not. To get nslcd working, I had to add 'tls_cacertfie > /etc/ldap/ssl/ldap-server-pubkey.pem' to /etc/nslcd.conf. Not quite > sure how to do that with preseeding, so perhaps we have to add a new > cfengine rule for this. > > Anyone know if I am on the right path with this, or that the LDAP > certificate problems should be solved in a different way? > > If I am on the right path, I believe all clients using LDAP need to > connect to ldap.intern and not just ldap, and it will also require > adjustments to the client autoconfiguration and preseeding to make > sure FQDN names is always used. > > Happy hacking, I don't remember if I've tested with Squeeze specifically, but my experience is that it works as long as the certificate Common Name exactly matches the hostname you're connecting to. In other words, if the certificate Common Name is "ldap", one has to connect to the server using the hostname "ldap". I know that that worked in lenny at least, I'll be very surprised if it doesn't in squeeze (but at least in lenny ldapvi had a bug making it the only program not to accept the certificate). This said, one can make it possible to use both "ldap" and "ldap.intern". Use e.g. "ldap.intern" as the Common Name, and put "DNS:ldap" in the subjectAltName (google openssl subjectAltName for more information). Hope this helps, John. -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4c63add6.3010...@bzz.no
Re: Idea for enabling LDAP SSL certificate checking
[John S. Skogtvedt] > In other words, if the certificate Common Name is "ldap", one has to > connect to the server using the hostname "ldap". I know that that > worked in lenny at least, I'll be very surprised if it doesn't in > squeeze (but at least in lenny ldapvi had a bug making it the only > program not to accept the certificate). I suspect something changed between Lenny and Squeeze, as certificate checking seem to have become stricter. > This said, one can make it possible to use both "ldap" and > "ldap.intern". Use e.g. "ldap.intern" as the Common Name, and put > "DNS:ldap" in the subjectAltName (google openssl subjectAltName for > more information). Sound like a better idea, as it do not force us to change all instances of ldap to ldap.intern. Testing it now. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100812082701.ga6...@login2.uio.no
Bug#570767: images should be available in squeeze
Hi Otavio, On Donnerstag, 12. August 2010, Otavio Salvador wrote: > This is debian-installer-netboot-images that is at SVN. Take a look on it. > I am waiting for FTP Masters to give an ack on this to me to upload i t. Normally ftpmasters "ack" by letting it go through NEW :) - IOW, I dont really understand what you are waiting for - can you explain? I'd really like to see this in squeeze, but this needs to happen really fast. cheers, Holger signature.asc Description: This is a digitally signed message part.
Re: Ping: Re: Cooperation between DebianEdu/Skolelinux and EdUbuntu ?
On Thu, Aug 12, 2010 at 08:07:27AM +0200, Martin Oehler wrote: Hello Jonas, On Wed, Aug 11, 2010 at 05:30:19PM +0200, Jonas Smedegaard wrote: It seems to me that none of [some software developed for Skolelinux-RLP not yet part of Debian as required by RLP contracts] is easier solved by moving away from Debian and closer to Ubuntu. I didn't suggest moving away from Debian or Skolelinux. Fine. Then we (apparently) perfectly agree. >Ubuntu (+flavor) is a good, solid distribution, why not work with >these people if there is a packager ready for the job? Sure. We all agree that collaboration is good. I warmly welcome an Ubuntu developer helping package Skolelinux-RLP stuff to be usable for all Debian derivatives and Debian itself. Correct, but why should we care where her or he does his main open source work? I do not care where individuals do individual work. I care here because topic of the thread is *collaborative* work. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature
Re: Current errors detected for Main-server+Thin-Client-Server in Debian Edu/Squeeze
On Thu, Aug 12, 2010 at 12:49:09AM +0200, Petter Reinholdtsen wrote: Here are the current errors detected by the self testing then installing Main-server + Thin-Client-Server via PXE: error: ./cups: URL 'https://www:631/' is not working. error: ./cups: URL 'https://localhost:631/' is not working. I suspect above is #588234 or #591509, both fixed in unstable today. error: ./taskpkgs: Package jackd in task education-workstation is not installed! error: ./taskpkgs: Package jackd in task education-thin-client-server is not installed! Most likely due to still not fully completed jackd -> jack1/jack2 transition. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature
Re: Idea for enabling LDAP SSL certificate checking
On Thu, Aug 12, 2010 at 10:27:01AM +0200, Petter Reinholdtsen wrote: [John S. Skogtvedt] In other words, if the certificate Common Name is "ldap", one has to connect to the server using the hostname "ldap". I know that that worked in lenny at least, I'll be very surprised if it doesn't in squeeze (but at least in lenny ldapvi had a bug making it the only program not to accept the certificate). I suspect something changed between Lenny and Squeeze, as certificate checking seem to have become stricter. Perhaps what changed was simply host resolving - to more aggressively resolve FQDN instead of only hostname. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature
debian-edu-config_1.443~svn68251_i386.changes ACCEPTED
Accepted: debian-edu-config_1.443~svn68251.dsc to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68251.dsc debian-edu-config_1.443~svn68251.tar.gz to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68251.tar.gz debian-edu-config_1.443~svn68251_all.deb to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68251_all.deb Override entries for your package: debian-edu-config_1.443~svn68251.dsc - extra local/misc debian-edu-config_1.443~svn68251_all.deb - extra local/misc Announcing to comm...@skolelinux.org Thank you for your contribution to Debian-Edu/Skolelinux archive. -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1ojxrb-00031e...@administrator.skolelinux.no
debian-edu-config_1.443~svn68274_i386.changes ACCEPTED
Accepted: debian-edu-config_1.443~svn68274.dsc to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68274.dsc debian-edu-config_1.443~svn68274.tar.gz to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68274.tar.gz debian-edu-config_1.443~svn68274_all.deb to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68274_all.deb Override entries for your package: debian-edu-config_1.443~svn68274.dsc - extra local/misc debian-edu-config_1.443~svn68274_all.deb - extra local/misc Announcing to comm...@skolelinux.org Thank you for your contribution to Debian-Edu/Skolelinux archive. -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1ojdtz-0003uf...@administrator.skolelinux.no
debian-edu-config_1.443~svn68283_i386.changes ACCEPTED
Accepted: debian-edu-config_1.443~svn68283.dsc to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68283.dsc debian-edu-config_1.443~svn68283.tar.gz to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68283.tar.gz debian-edu-config_1.443~svn68283_all.deb to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68283_all.deb Override entries for your package: debian-edu-config_1.443~svn68283.dsc - extra local/misc debian-edu-config_1.443~svn68283_all.deb - extra local/misc Announcing to comm...@skolelinux.org Thank you for your contribution to Debian-Edu/Skolelinux archive. -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1ojee9-0007ul...@administrator.skolelinux.no
Processing of debian-edu-install_1.516_i386.changes
debian-edu-install_1.516_i386.changes uploaded successfully to localhost along with the files: debian-edu-install_1.516.dsc debian-edu-install_1.516.tar.gz debian-edu-install_1.516_all.deb debian-edu-install-udeb_1.516_all.udeb debian-edu-profile-udeb_1.516_all.udeb Greetings, Your Debian queue daemon (running on host franck.debian.org) -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1ojfgi-00073g...@franck.debian.org
debian-edu-install_1.516_i386.changes ACCEPTED
Accepted: debian-edu-install-udeb_1.516_all.udeb to main/d/debian-edu-install/debian-edu-install-udeb_1.516_all.udeb debian-edu-install_1.516.dsc to main/d/debian-edu-install/debian-edu-install_1.516.dsc debian-edu-install_1.516.tar.gz to main/d/debian-edu-install/debian-edu-install_1.516.tar.gz debian-edu-install_1.516_all.deb to main/d/debian-edu-install/debian-edu-install_1.516_all.deb debian-edu-profile-udeb_1.516_all.udeb to main/d/debian-edu-install/debian-edu-profile-udeb_1.516_all.udeb Override entries for your package: debian-edu-install-udeb_1.516_all.udeb - optional debian-installer debian-edu-install_1.516.dsc - source misc debian-edu-install_1.516_all.deb - extra misc debian-edu-profile-udeb_1.516_all.udeb - optional debian-installer Announcing to debian-devel-chan...@lists.debian.org Thank you for your contribution to Debian. -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1ojfqq-hw...@franck.debian.org
debian-edu-install_1.516_i386.changes ACCEPTED
Accepted: debian-edu-install-udeb_1.516_all.udeb to pool/local/d/debian-edu-install/debian-edu-install-udeb_1.516_all.udeb debian-edu-install_1.516.dsc to pool/local/d/debian-edu-install/debian-edu-install_1.516.dsc debian-edu-install_1.516.tar.gz to pool/local/d/debian-edu-install/debian-edu-install_1.516.tar.gz debian-edu-install_1.516_all.deb to pool/local/d/debian-edu-install/debian-edu-install_1.516_all.deb debian-edu-profile-udeb_1.516_all.udeb to pool/local/d/debian-edu-install/debian-edu-profile-udeb_1.516_all.udeb Override entries for your package: debian-edu-install-udeb_1.516_all.udeb - optional local/debian-installer debian-edu-install_1.516.dsc - extra local/misc debian-edu-install_1.516_all.deb - extra local/misc debian-edu-profile-udeb_1.516_all.udeb - optional local/debian-installer Announcing to comm...@skolelinux.org Thank you for your contribution to Debian-Edu/Skolelinux archive. -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1ojfoj-0003bl...@administrator.skolelinux.no
debian-edu-config_1.443~svn68312_i386.changes ACCEPTED
Accepted: debian-edu-config_1.443~svn68312.dsc to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68312.dsc debian-edu-config_1.443~svn68312.tar.gz to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68312.tar.gz debian-edu-config_1.443~svn68312_all.deb to pool/local/d/debian-edu-config/debian-edu-config_1.443~svn68312_all.deb Override entries for your package: debian-edu-config_1.443~svn68312.dsc - extra local/misc debian-edu-config_1.443~svn68312_all.deb - extra local/misc Announcing to comm...@skolelinux.org Thank you for your contribution to Debian-Edu/Skolelinux archive. -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1ojn4k-0002hj...@administrator.skolelinux.no
