[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/system-trusted-certs] 15 commits: ldap-createuser-krb5: fix password prompt

Guido Berhörster (@gber) gitlab at salsa.debian.org
Mon Oct 9 13:59:43 BST 2023



Guido Berhörster pushed to branch personal/gber/system-trusted-certs at Debian Edu / debian-edu-config


Commits:
21457dc8 by Guido Berhoerster at 2023-09-19T11:46:53+02:00
ldap-createuser-krb5: fix password prompt

- - - - -
fddcfc17 by Guido Berhoerster at 2023-09-19T15:15:46+02:00
Disable cfengine3 systemd service

Disabling only cf-execd in 75b4e3f7 (see #1041323) did not work as it gets
pulled in as a dependency of cfengine3. Thus disable the cfengine3 service
instead.

- - - - -
47cc42ed by Guido Berhoerster at 2023-09-20T08:23:42+02:00
Rewrite testsuite/filesystems, add exception for /boot

Rewrite for clarity and robustness.
Add exception for /boot which may use ext2.

- - - - -
7584d0c4 by Guido Berhoerster at 2023-09-20T08:23:42+02:00
testsuite/ldap-client: fix invocation of ldapsearch

The -h command line option has been removed, ldapsearch now only accepts an LDAP
URI via the -H option. Use dig and awk instead of host and interpret the SRV
record properly.

- - - - -
92cba3da by Guido Berhoerster at 2023-09-20T08:23:42+02:00
testsuite/ldap-client: improve error message on PAM modules

Also do not use the deprecated egrep and get rid of unnecessary wc.

- - - - -
7b4304a4 by Guido Berhoerster at 2023-09-20T08:23:42+02:00
testsuite/ldap-server: fix invocation of ldapsearch

The -h command line option has been removed, ldapsearch now only accepts an LDAP
URI via the -H option.

- - - - -
3504627e by Guido Berhoerster at 2023-09-20T08:23:42+02:00
Fix remaining invocations of ldapsearch

- - - - -
6d803b3a by Guido Berhoerster at 2023-09-20T08:26:17+02:00
Disable the LDAP PAM module

- - - - -
ed1d0ca1 by Guido Berhoerster at 2023-09-25T17:59:16+02:00
setup-freeradius-server: Set commonName and subjectAltNames on the server cert

Closes: #1010159.

- - - - -
e29c074f by Guido Berhoerster at 2023-09-25T17:59:35+02:00
setup-freeradius-server: Improve robustness

Use update-ini-file for OpenSSL config files.
Use more precise sed substitutions which do not rely on example values.
Increase password length from 8 to 16 characters.

- - - - -
02c4c4c1 by Guido Berhoerster at 2023-09-26T10:32:16+00:00
Change minimum UID/GID for LDAP user to 2000

With this change local user accounts now use the UID/GID range 1000-1999
instead of 500-999 whereas LDAP user accounts use 2000-59999 instead of
1000-59999.  This is to reserve UID/GID 0-999 for system users which is the
default in Debian and not conforming to it is increasingly problematic as
packages are beginning to use systemd-sysusers for creating system user
accounts which does not obey /etc/addusers.conf or /etc/login.defs by default.

The first user account created during installation now has UID/GID 2000 instead
of 1000.

Configure gosa and adjust ldap-createuser-krb5 accordingly.

Closes: #1003192.

- - - - -
41a4f5c6 by Mike Gabriel at 2023-09-27T22:31:46+02:00
release as 2.12.37

- - - - -
01e201ca by Mike Gabriel at 2023-09-27T22:32:59+02:00
Start 2.12.38 development.

d/changelog entries will be written on release using the git commit
messages.

Use 'gbp dch --since 2.12.37' to write d/changelog entries since that
last release.

Gbp-Dch: ignore

- - - - -
dda7b262 by Guido Berhoerster at 2023-10-09T14:54:31+02:00
Make libnssckbi.so consumers trust system root certificate store

Add debian-edu-config-p11-kit-nssckbi subpackage which contains a diversion for
libnssckbi.so and replaces it with a symlink to p11-kit-trust.so in order to work
around #704180. Note that it is important to keep the renamed file outside of
/usr/lib/<arch>/ in order to prevent ldconfig from overwriting the symlink.

- - - - -
4b63838a by Guido Berhoerster at 2023-10-09T14:58:56+02:00
Stop adding the DebianEdu root CA to NSS shared database

NSS consumers like Firefox, Thunderbird, Chromium should use the system trusted
root CA store via p11-kit (Closes: #926388).

- - - - -


30 changed files:

- Makefile
- README
- − bin/debian-edu-copy-pki
- cf3/cf.adduser
- cf3/cf.cf-execd → cf3/cf.cfengine3
- cf3/cf.ldapclient
- cf3/promises.cf
- debian/changelog
- debian/control
- + debian/debian-edu-config-p11-kit-nssckbi.links
- + debian/debian-edu-config-p11-kit-nssckbi.postrm.in
- + debian/debian-edu-config-p11-kit-nssckbi.preinst.in
- debian/debian-edu-config.lintian-overrides
- debian/rules
- etc/ldap/rootDSE-debian-edu.ldif
- ldap-bootstrap/firstuser.ldif
- ldap-tools/ldap-createuser-krb5
- ldap-tools/ldap-debian-edu-install
- − lib/thunderbird/distribution/policies.json
- sbin/debian-edu-ltsp-install
- share/debian-edu-config/d-i/pre-pkgsel
- share/debian-edu-config/gosa.conf.template
- share/debian-edu-config/pam-nopwdchange.py
- share/debian-edu-config/tools/create-debian-edu-certs
- − share/debian-edu-config/tools/create-user-nssdb
- share/debian-edu-config/tools/goodbye-user-session
- share/debian-edu-config/tools/gosa-create
- share/debian-edu-config/tools/kerberos-kdc-init
- share/debian-edu-config/tools/setup-freeradius-server
- − share/debian-edu-config/tools/update-cert-dbs


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/124070c677508d1b2021e6f2e1bfb556990d48cc...4b63838ab777314d4611195f0be58c29203b8f1a
