Hello folks,

Let me be non-spam message #2 this month :-)

Recently we[1] had a need to add ldap/krb/afs support to adduser. In going about it, I've seen the existing todo/wishlist for the package, and combined the effort.

I wanted to check a little in advance with you all, to see if you had any notes or special requirements before you'd officially accept it.

(I decided to stick with Perl if you wondered; it's good for the job, and not too much of a problem imho, since it's not even intended to be the lowest-level interface - you still have useradd & friends for that).

Here's the situation displayed as a combination of my current status and your existing todo/wishlist:

- strict and taint mode
- global config options & config code in one place
- modular design in terms of Perl modules
- modular design in terms of frontends/backends that do the job
- cleaned-up, simplified and improved code (imho)

I am mostly done duplicating the existing functionality of adduser under the new "infrastructure". I paid special attention to not mess with existing gettext messages too much, and to re-use the "logic" embedded in the programs (all the pre- and post-checks and system execution etc.), so that there would be as few changes in behavior or existing code paths.

SVN repository should be available within a week or so. So please follow up with any relevant thoughts.

See ya,
-doc

On Thu, Jan 04, 2007 at 11:59:54PM +0100, Davor Ocelic wrote:
> Recently we[1] had a need to add ldap/krb/afs support to adduser.

I am not sure whether it makes sense to have adduser write to other user database backends. If you, for example, install a mysql server on one system, is it desirable to have the mysql user created in ldap where it starts to exist on all systems?

I suspect that it will be exceptionally hard to write an adduser ldap backend that will cover the needs of all installations using it.

When doing your code, please think modular and define an interface between main adduser and the "storage backend". Along this interface, code responsibilities can be shared, and it would be possible to plug in other backends.

The first step would probably be defining that interface and modifying existing adduser (including the "shadow/passwd" backend) to use it before even thinking about ldap or other backends.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

This one time, at band camp, Marc Haber said:
> On Thu, Jan 04, 2007 at 11:59:54PM +0100, Davor Ocelic wrote:
> > Recently we[1] had a need to add ldap/krb/afs support to adduser.
>
> I am not sure whether it makes sense to have adduser write to other
> user database backends. If you, for example, install a mysql server on
> one system, is it desirable to have the mysql user created in ldap
> where it starts to exist on all systems?

Making --system users only use the password/shadow backend unless specifically forced in a config file is probably the simplest way to handle that. Otherwise, I agree.

> When doing your code, please think modular and define an interface
> between main adduser and the "storage backend". Along this interface,
> code responsibilities can be shared, and it would be possible to plug
> in other backends.
>
> The first step would probably be defining that interface and modifying
> existing adduser (including the "shadow/passwd" backend) to use it
> before even thinking about ldap or other backends.

This is how I have started, but admittedly, I haven't gone any further since shortly after Debconf.

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

On Fri, 5 Jan 2007 10:40:30 +0100
Marc Haber <mh+adduser-devel@zugschlus.de> wrote:
> On Thu, Jan 04, 2007 at 11:59:54PM +0100, Davor Ocelic wrote:
> > Recently we[1] had a need to add ldap/krb/afs support to adduser.
>
> I am not sure whether it makes sense to have adduser write to other
> user database backends. If you, for example, install a mysql server on
> one system, is it desirable to have the mysql user created in ldap
> where it starts to exist on all systems?

This is a matter of configurable policy.

> I suspect that it will be exceptionally hard to write an adduser ldap
> backend that will cover the needs of all installations using it.

Not really. The way I've thought about it, there would be something like /etc/adduser/add-user.ldif, which would be a template that can expand variables from adduser, and it would be configured to work with default debian ldap installation out of the box. If you modify ldap setup, then you would have to modify those ldif files too, of course.

> When doing your code, please think modular and define an interface
> between main adduser and the "storage backend". Along this interface,
> code responsibilities can be shared, and it would be possible to plug
> in other backends.

Sure. As far as functions go, there's a set of common functions in the Common module. And as far as data is concerned, I've preserved the existing model where all needed data is somewhere in the config hash (not *that* simple, but you get the idea). Then anyone can retrieve values from the config directly.

> The first step would probably be defining that interface and modifying
> existing adduser (including the "shadow/passwd" backend) to use it
> before even thinking about ldap or other backends.

Yes, that's what I did and wrote in the previous e-mail. I currently more or less have all the features of the existing adduser working.

Cya,
-doc
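
[Added example, not part of the thread and not code from adduser or the rewrite: a sketch of expanding adduser variables into an LDIF template like the one proposed above. It goes beyond the message by covering the case where a free-text value (gecos) contains a newline or other characters that are unsafe in LDIF, which RFC 2849 requires to be sent in the base64 `attr::` form. The `%{name}` placeholder syntax, the variable names, the DN and the sample input are assumptions.]

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);
use MIME::Base64 qw(encode_base64);

# Constructed template; the %{name} placeholder syntax and the DN are assumptions.
my $TEMPLATE = <<'LDIF';
dn: uid=%{user},ou=People,dc=example,dc=org
objectClass: account
objectClass: posixAccount
uid: %{user}
cn: %{user}
uidNumber: %{uid}
gidNumber: %{gid}
homeDirectory: %{home}
gecos: %{gecos}
LDIF

# RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, no leading space, ':' or '<'.
# Values ending in a space are also sent base64-encoded.
sub ldif_is_safe {
    my ($v) = @_;
    return 0 if $v =~ / \z/;
    return $v =~ /\A(?:[\x01-\x09\x0B\x0C\x0E-\x1F\x21-\x39\x3B\x3D-\x7F]
                       [\x01-\x09\x0B\x0C\x0E-\x7F]*)?\z/x ? 1 : 0;
}

sub expand_ldif {
    my ($template, %var) = @_;
    # Whitelist anything that lands in the DN; \z (not $) rejects a trailing newline.
    ($var{user} // '') =~ /\A[a-z][a-z0-9-]{0,31}\z/ or die "bad user name\n";
    ($var{$_} // '') =~ /\A[0-9]{1,10}\z/ or die "bad $_\n" for qw(uid gid);
    ($var{home} // '') =~ m{\A(?:/[A-Za-z0-9_][A-Za-z0-9._-]*)+\z} or die "bad home\n";

    my $out = '';
    for my $line (split /\n/, $template) {
        my ($attr, $value) = $line =~ /\A([A-Za-z][A-Za-z0-9;-]*):[ ]*(.*)\z/
            or die "malformed template line: $line\n";
        # Single pass: text inside a substituted value is never expanded again.
        $value =~ s!%\{(\w+)\}!$var{$1} // die "unknown variable $1\n"!ge;
        $out .= ldif_is_safe($value)
            ? "$attr: $value\n"
            : "$attr:: " . encode_base64(encode('UTF-8', $value), '') . "\n";
    }
    return $out;
}

# Constructed input: the newline in gecos would otherwise start a new attribute line.
print expand_ldif($TEMPLATE, user => 'alice', uid => 1001, gid => 1001,
    home => '/home/alice', gecos => "Alice\nuidNumber: 0");
```

[With this input the gecos attribute is emitted as a single `gecos::` base64 line, so the record still contains exactly one uidNumber.]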

On Fri, Jan 05, 2007 at 08:12:59PM +0100, Davor Ocelic wrote:
> On Fri, 5 Jan 2007 10:40:30 +0100
> Marc Haber <mh+adduser-devel@zugschlus.de> wrote:
> > On Thu, Jan 04, 2007 at 11:59:54PM +0100, Davor Ocelic wrote:
> > > Recently we[1] had a need to add ldap/krb/afs support to adduser.
> >
> > I am not sure whether it makes sense to have adduser write to other
> > user database backends. If you, for example, install a mysql server on
> > one system, is it desirable to have the mysql user created in ldap
> > where it starts to exist on all systems?
>
> This is a matter of configurable policy.

Good.

> > I suspect that it will be exceptionally hard to write an adduser ldap
> > backend that will cover the needs of all installations using it.
>
> Not really. The way I've thought about it, there would be something
> like /etc/adduser/add-user.ldif, which would be a template that
> can expand variables from adduser, and it would be configured to
> work with default debian ldap installation out of the box. If you modify
> ldap setup, then you would have to modify those ldif files too, of course.

I cannot comment about that since I do not have any remote clue about ldap.

> > When doing your code, please think modular and define an interface
> > between main adduser and the "storage backend". Along this interface,
> > code responsibilities can be shared, and it would be possible to plug
> > in other backends.
>
> Sure. As far as functions go, there's a set of common functions in the
> Common module.

Great. We seem to be on the same line then.

> > The first step would probably be defining that interface and modifying
> > existing adduser (including the "shadow/passwd" backend) to use it
> > before even thinking about ldap or other backends.
>
> Yes, that's what I did and wrote in the previous e-mail. I currently more
> or less have all the features of the existing adduser working.

Would it be helpful for you to work in a branch in the adduser svn repository? If so, I can grant your alioth account commit access.

Greetings
Marc

> > Let's say no for now. I'll come up with something I can show you
> > in a week ...

Hy folks,

here's a preview of the rewritten adduser:

http://hcoop.net/~docelic/adduser/

If you want to see it online, read the NOTES file and then the other files.

If you want to download it and see locally, there's tarball available too:

http://hcoop.net/~docelic/adduser/adduser.tar.gz

Cya,
-doc