<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-sysadm] progress of the night
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20progress%20of%20the%20night&In-Reply-To=%3C1290485697.2796.87.camel%40akroma.ephaone.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000829.html">
   <LINK REL="Next"  HREF="000816.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-sysadm] progress of the night</H1>
    <B>Michael Scherer</B> 
    <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20progress%20of%20the%20night&In-Reply-To=%3C1290485697.2796.87.camel%40akroma.ephaone.org%3E"
       TITLE="[Mageia-sysadm] progress of the night">misc at zarb.org
       </A><BR>
    <I>Tue Nov 23 05:14:57 CET 2010</I>
    <P><UL>
        <LI>Previous message: <A HREF="000829.html">[Mageia-sysadm] something to not forget in case of svn import
</A></li>
        <LI>Next message: <A HREF="000816.html">[Mageia-sysadm] progress of the night
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#815">[ date ]</a>
              <a href="thread.html#815">[ thread ]</a>
              <a href="subject.html#815">[ subject ]</a>
              <a href="author.html#815">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Hi,

So, following yesterday's meeting, here is a new summary :
- svn ldap access is ready to roll, the module pam::access_commiters
should work fine. 

I have finally found the issue after a long journey in the code of
openssh and pam_ldap. Just for the record, if someone one day sees that a
pam module does not work because openssh gives &quot; #010#012#015#177INCORRECT
&quot; as password to your pam module, this is because there is an error
before ( in my case, the shell was not installed and this caused openssh
to overwrite the password to protect from timing attacks, see
pam_auth.c ).

example :
node svn-server {
  include pam::commiters_access 
}

this should give access to people from the mga-commiters group, by
forcing the restricted shell on the server that includes the class.

- I have also rewritten the restricted shell module.

Following the previous example, you cannot connect to the server.
Someone also needs to authorise the access, by adding :

node svn-server {
  include pam::commiters_access 
  include restrictshell::allow_svn 
}

We can for now use git, svn, repsys ( pkgsubmit ), scp, sftp and rsync.
The last 3 are not tested, and the default configuration requires
tweaking for filtering the path. There is also support for cvs, but I do
not think we will use it.

So basically, we could deploy pam::commiters_access , add the proper
class for svn access, and let people use the svn. We just need to
migrate the local account to ldap, and set up the ssh keys ourselves.

The next steps are :
1) add support for ssh keys handling to catdap
2) deploy a cronjob to checkout keys from ldap to the fs
this part is half done, but if people have suggestions, do not hesitate
( I am not much in favor of using patches on openssh like openssh-lpk
since they are not upstream )

I would also like that we start to use the class subversion::repository,
as there are lots of goodies included ( and I need to add more ).


Regarding the mailing lists deployment, I have started to work on
spamassassin integration, using amavis ( as this is the safest way I
know ). Unfortunately, my knowledge is either out of date ( ie, no more
rules_du_jour ) or already set up ( ie all plugins that I usually used
are loaded by default ). So the only customization I have added is rules
compiling from perl to C. I guess I will also look at enabling pyzor,
and maybe other tweaks on postgrey as suggested by Luca. 

I didn't test anything, so if someone deploys it while I sleep, please
test before :). But as I think the default setup should just work fine,
it should not cause real trouble. ( on the other hand, we may need to do
more tests on postfix ).

Next steps will then be :
1) to test and validate the setup 
2) to create 1 mailing list for testing and to see how and what we can
tweak ( ie, a guinea pig ml ) 
3) to migrate one by one the current mailing lists :
  - subscribers
  - web archives, if possible by preserving url ( I guess we can do some
magic on zarb side for this )
  - gmane 
Mailman can give us archives with mbox, there are ( iirc ) static html
pages for web archives, and we have some basic tools to fetch the
configuration.

There are currently 12 mailing lists.

( blino also did some work, but I will let him talk of this, like :
- explaining the cauldron idea
- the vhost &quot;repository&quot; ( and that he needs to add it to dns /o\ ) )

-- 
Michael Scherer

</PRE>
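<P>Added example, not part of the original message and not code from the Mageia or OpenSSH projects: a log-triage helper that recognises the placeholder password quoted in the post, so a PAM failure can be traced to an earlier sshd-side rejection rather than to the module itself. The log line format and the sample lines are constructed for illustration; accepting the pattern repeated to the length of the submitted password goes beyond the single fixed string the post shows.</P>

```python
import re

# Bytes quoted in the post: \b \n \r DEL followed by "INCORRECT".
SSHD_JUNK = b"\x08\n\r\x7fINCORRECT"

# The post shows control bytes rendered as '#' plus three octal digits.
_ESCAPE = re.compile(rb"#([0-3][0-7]{2})")

# Hypothetical debug-log layout (assumption, not a real pam_ldap format).
_FIELD = re.compile(r'user=(\S+) password="([^"]*)"')

# Constructed sample lines.
SAMPLE_LOG = [
    'pam_debug: user=alice password="#010#012#015#177INCORRECT"',
    'pam_debug: user=bob password="correct-horse"',
    'pam_debug: user=carol password="#010#012#015#177INCORRECT#010#012#015#177IN"',
    'pam_debug: user=dave password="INCORRECT"',
]


def decode_octal_escapes(text):
    """Turn '#010#012...' log notation back into the raw bytes."""
    raw = text.encode("utf-8")
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 8)]), raw)


def is_sshd_placeholder(password):
    """True if the bytes are the junk pattern, alone or repeated and cut to length."""
    if not password:
        return False
    reps = len(password) // len(SSHD_JUNK) + 1
    return (SSHD_JUNK * reps)[:len(password)] == password


def flag_placeholder_attempts(lines):
    """Return users whose logged password was replaced by sshd before PAM saw it."""
    flagged = []
    for line in lines:
        m = _FIELD.search(line)
        if m and is_sshd_placeholder(decode_octal_escapes(m.group(2))):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for user in flag_placeholder_attempts(SAMPLE_LOG):
        print(user, "- rejected by sshd before PAM; check sshd's own log for the cause")
```

For each flagged user the cause lies in sshd's earlier checks (in the post's case, the account's shell was not installed), so the PAM module's configuration is not the place to look.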



















<!--endarticle-->
    <HR>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>