[wpkg-users] Extended hosts matches

Daniel Dehennin daniel.dehennin at ac-caen.fr
Fri May 28 12:18:15 CEST 2010


Rainer Meier <r.meier at wpkg.org> writes:

> Hi Daniel,

Hello,

I've been using my patched WPKG in test labs for some time now and give
advice on your comments.

[...]

> Feel free to prepare a patch for a current version of WPKG. Personally I've
> expressed many times on the list already why I think the way it's done is not
> the right one. A summary:
>
> - LDAP/AD link introduces a new communication channel to wpkg.js which is prone
> to errors.

My patch does not use LDAP queries; it uses WMI (already used by WPKG) to
get the domain name and the WinNT provider[1] to query groups.

No LDAP, so no 'ou' match; this can be overcome by computer group
membership.

> - A lot of non-portable code with quite high potential to break
> something needs to be introduced.

My patches are tested on WinXP and Win7. I have no win2k to test,
nor win9x if it should be supported.

> - Most users are using WPKG without AD, so a few users will have to
> suffer from bugs introduced for a couple of AD users.

The previous patch seems quite AD specific (no samba/LDAP support), the
use of WinNT provider works on both.

Non member computers work fine in two ways:

- no domain name and no group membership matches
- specify a domainname in config.xml; with the WPKG client connected to your
  server (because no netlogon can be used) WinNT group membership can
  work, you only need a minimal computer account (in samba/LDAP
  smbldap-useradd -w machine$ && smbldap-groupmod -m machine$ group1)


> - Export scripts written in Perl are already available to export AD
> structures to WPKG XML structures.

I'm using samba/LDAP and need to manage hundred separate servers and a
total of thousand of client computers. I prefer to use native LDAP
replication and group management than modifying hundreds of hosts.xml
and profiles.xml.

> - /applymultiple switch introduces complexity and breaks quite a lot
> of existing installations if used without caution. Moreover there is
> no scenario known to me which cannot be done without this
> functionality using existing functionality.

/applymultiple is disabled by default and WPKG works as expected.

When enabling /applymultiple I can, with group management, dissociate
the computer name and the profile, for our use, name match is very
restrictive.

Group management permits: 1 group == 1 profile, then we can have generic
profiles across all the servers, whatever the name policy is; if a
computer belongs to the OfficeScan group, the OfficeScan profile is applied.

If another site uses another antivirus, no problem, we can deploy both
profiles on all sites, group match does the job.

> - Code posted in Bugzilla is not portable for different AD structures
> or generic LDAP servers.

No LDAP support in my patches.

> So feel free to create a patch for the current version of WPKG which might be
> applied for these users who need it. I am personally OK with the delivery of
> this patch even as part of the official shipment but I don't plan yet to
> introduce this code in the stable release of WPKG.

I tried to make my code acceptable in mainline, it needs work to permit
OS match for example:
- 1 new function getHostOS
- 1 new attribute in the host array
- 1 call to getHostOS in gatherHostInfos
- modify hosts.xsd to add the new attribute

The getHostsApplying is generic, this is the place which receives the
most changes and where the WPKG behaviour may have changed.

getHostsApplying uses exclusively regex matches and is generic about
attribute matching, it loops over all hosts.xml attributes and tests them
against the host array (which could be renamed computer to avoid any
ambiguity). The only specific stuff in it is the compatibility code to
test IP addresses against the name attribute.

I'm really enthusiastic about this feature. I do not implement all that the
previous attempt did, but group matching is the most useful to me.

A computer/user mode is interesting too, especially for a non GPO capable
server like samba:

- run at system level for computer management
- run at user level for user management

But I'm concerned about maintaining a looks-like forked wpkg.js, my free
software experience tells me "go mainline!" ;-)

Regards.

Footnotes: 
[1]  http://msdn.microsoft.com/en-us/library/aa772237%28v=VS.85%29.aspx

-- 
Daniel Dehennin
RAIP de l'Orne
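
The generic attribute matching described in the message, as an added example that is not code from wpkg.js or from the patch. It is written for a current JavaScript runtime rather than Windows Script Host; the attribute names (name, group), the entry shape, the first-match behaviour without applyMultiple and all sample data are assumptions made for illustration.

```javascript
// Added illustration; not code from wpkg.js or from the patch discussed above.
// Attribute names, the entry shape and the sample data are constructed.

// Anchor each hosts.xml attribute value at both ends, so the pattern
// "Office" cannot match the group "OfficeScan" by substring.
function anchored(pattern) {
  return new RegExp("^(?:" + pattern + ")$", "i");
}

// An entry applies only if every attribute it carries matches the computer.
// An attribute the computer lacks yields no values, so the entry is rejected.
function entryMatches(entry, computer) {
  return Object.keys(entry).every(function (attr) {
    if (attr === "profile-id") return true;
    const re = anchored(entry[attr]);
    let values = [].concat(computer[attr] === undefined ? [] : computer[attr]);
    // Compatibility case (simplified here): name is also tested against IPs.
    if (attr === "name") values = values.concat(computer.ipaddresses || []);
    return values.some(function (v) { return re.test(v); });
  });
}

// Without applyMultiple only the first matching entry is used (assumption).
function getHostsApplying(entries, computer, applyMultiple) {
  const hits = entries.filter(function (e) { return entryMatches(e, computer); });
  return applyMultiple ? hits : hits.slice(0, 1);
}

function profileIds(entries, computer, applyMultiple) {
  return getHostsApplying(entries, computer, applyMultiple)
    .map(function (e) { return e["profile-id"]; });
}

const entries = [
  { group: "Office", "profile-id": "office" },
  { name: ".+", group: "OfficeScan", "profile-id": "officescan" },
  { name: "pc-lab-.*", "profile-id": "lab" },
  { name: "192\\.0\\.2\\.\\d+", "profile-id": "subnet" }
];
const member = { name: "PC-LAB-01", domainname: "EXAMPLE",
  group: ["OfficeScan", "Domain Computers"], ipaddresses: ["192.0.2.10"] };
const standalone = { name: "PC-LAB-02", ipaddresses: ["198.51.100.7"] };

console.log(profileIds(entries, member, true));
console.log(profileIds(entries, standalone, true));
```

The standalone computer has no group attribute, so group-based entries never apply to it; only its name match does.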