puavo-org / puavo-web Goto Github PK

sssd (https://fedorahosted.org/sssd/) provides NSS and PAM modules to integrate with LDAP and kerberos servers. Instructions on how to best configure sssd to work with puavo-users should be provided.

sssd installation instructions for Ubuntu and more information are available here: http://www.opinsys.fi/en/user-management-with-sssd-on-shared-laptops

Currently kerberos principals are created automatically by smbkrb5pwd when user's password is set for the first time. Puavo-users supports changing uids, but the old principals are not deleted at this point. Old principal entries should be removed from ldap when uid is changed.

User needs simple notice if new or old object is not valid when try to create or update it (School, Role, Group, User). It would be good thing if also highlight error fields.

"We're sorry but something went wrong..." is very typical error-message when using Puavo. It doesn't give enough information to the user and even though it says that administration has been informed, it is not the case. Error-message should tell what the actual problem was and give real instructions what to do.

To reproduce:

1. Edit some user
2. Deselect all roles
3. Save
4. Redirects to user page
5. Edit again and last selected role is still there

What should happen:

1. Edit some user
2. Deselect all roles
3. Save
4. Should show an error to user about no selected role

The following procedure seems to be possible in the current version of Puavo

1. User XXX.ZZZ is a school admin with "yllpitäjä" status
2. XXX.ZZZ isn't responsible anymore for administrating Puavo inside the school and his user type is changed to normal teacher
3. XXX.ZZZ moves a way from the city and his user name should be removed. Trying to do so the username cannot be deteted.
4. XXX.ZZZ usertype needs to be changed back to "ylläpitä" and after that is can be removed

#13

As described at the title. Some users look for the Change school tool under the Edit user information function but it is not available there. At the moment it is only available hidden under the arrow at the user information page.

There should be a way to set or clean attributes to multiple users at once (e.g. affiliation, roles, tags). The admin should be able to specify multiple targets by filtering and/or selecting before setting the attributes.

Administrator should be able to search and filter users in user list by different attributes.

School admins should belong automatically to a posixGroup that can be used in applications for authorization.

Samba3 doesn't support natively the attributes and constraints used by puavo-users, so there needs to be a set of scripts similar to smbldap-tools that contact puavo-users to manage hosts and users.

There should be an administrator level between organisation owners and school admins. Organisation admins should be able to add and modify schools, groups, roles, printers and external services. Main difference to school admins would be the ability to configure external services that have access to all schools' information in Puavo.

Add support for Promethean license to Puavo external files.

/etc/xdg/Promethean/ActivInspire/.inspire_license.xml

Puavo should do an LDAP exop password change request to change user's password. Currently it calls the ldappasswd binary with the new password as an argument. libldap-ruby doesn't currently support exop operations so either it needs to be extended or an alternative solution needs to be found.

Basic user should find the needed RSA-key file from someplace he/she can access. Key file is needed for the NX remote desktop.

#13

/opt/primus/primuskurre.exe
/opt/primus/prclient.ini

Make last changes to the Puavo interface based on usability tests.

Admins should be able to manage users using command line tools. Puavo-users provides a REST API that can be contacted by the tools.

In case a user who is a school admin and whose usertype is "ylläpitäjä" is changed to user type opettaja/teacher he still persists as a school admin. He/she is also still capable of logging in to the Puavo administration interface.

This means that if a user is degraded from admin to normal teacher he/she still might accidentally have the right to log in to Puavo. Degrading the user type doesn't affect the ability be a school admin and a normal teacher can act as one.

#13

Organisation owner must be able to set user to School Admin. School Admin can login to Puavo Users and manage school's information, roles, groups and users.

School Admin set on ldap by school's puavoSchoolAdmin attribute. Value must be a array of user's dn.

One should be able to sync Puavo's user database with Google Apps for Edu.

Searching in Puavo does not work on Internet Explorer (8.0.6001.18702)

Admins should not be able to create groups with names that have special meanings (e.g. anon, root) in the system to prevent problems on LTSP servers.

Some users (especially teachers) are affiliated with multiple schools. There should be a way to link users to multiple schools (and roles in them) to give them access to schools' services and resources.

When adding or editing a user, Firefox password manager steps in and automatically fills person id and the first password field with logged in user credentials which are saved in password manager.

Reproduce:

• Open Firefox
• Login to Puavo with an account with proper rights (e.g. admin)
• Save your credentials to Firefox password manager
• Add a new user
• Check person id and the first password field in user edit form.

eduPerson schema defined attribute eduPersonPrincipalName that holds authentication id in form of user@scope. This can be used to store the name of user's kerberos principal.

One should not be able to create users that begin with adm- or anon- as they have special functionality in LTSP systems.

Users should be able to change their profile picture, password and preferred language. In the future the same portal can be used for other self-service functions and preferences. The portal could also show other user information with instructions on how to get them changed (contact school admins). This could be also used to distribute required remote desktop keys for users who have remote access enabled.

There are constant problems while changing user passwords. By executing following commands on ldap-server resolves the problem for a while:

/etc/init.d/slapd restart
/etc/init.d/krb5-kdc restart
/etc/init.d/puavo_kadmind restart
/etc/init.d/slapd restart

For easy installation deb-packages for Ubuntu 12.04 should be created.

Puavo should be able to act as a SAML identity provider to external services like Google Apps.

If user information is separated with both tab and a comma in the original data, Puavo keeps the comma in the user attributes. When both are found, they should be used as a separator together.

It should be possible to get notifications to external web applications when data is changed in Puavo. It should be possible for admins to define webhooks that are called when data is changed. External applications can then act automatically without polling when something happens.

#13

#13

External files needs a support fot Mimio license file. The files are:

• /var/opt/mimio/global/global.reg
• /var/opt/mimio/global/shared.reg

Current documentation does not describe setup of preferred development environment. Following details should be specified:

• preferred environment (ubuntu 10.04, ruby vs. jruby, rake, etc ??)
• steps to rebuild the development environment on some OS (e.g. ubuntu 10.04 after fresh install?)
• preferred method for pushing patches upstream (github vs. something else?)
• steps to build and install the production environment (depends on #issue/11)

If you use mass addition fuction to create new users names with letter ó, the letter will also end up to the username, which is unwanted. Letter ó should be filtered and replaced with standard o.

Currently users have user type (affiliation), one or more roles and groups. These all convey partly the same information and this should be simplified.

School's admin users must be able to lock user accounts