[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/testsuite-fixes] 8 commits: ldap-createuser-krb5: fix password prompt

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Tue Sep 19 19:35:26 BST 2023



Mike Gabriel pushed to branch personal/gber/testsuite-fixes at Debian Edu / debian-edu-config


Commits:
21457dc8 by Guido Berhoerster at 2023-09-19T11:46:53+02:00
ldap-createuser-krb5: fix password prompt

- - - - -
fddcfc17 by Guido Berhoerster at 2023-09-19T15:15:46+02:00
Disable cfengine3 systemd service

Disabling only cf-execd in 75b4e3f7 (see #1041323) did not work as it gets
pulled in as a dependency of cfengine3. Thus disable the cfengine3 service
instead.

- - - - -
edb281b6 by Guido Berhoerster at 2023-09-19T18:35:17+00:00
Rewrite testsuite/filesystems, add exception for /boot

Rewrite for clarity and robustness.
Add exception for /boot which may use ext2.

- - - - -
86fc201b by Guido Berhoerster at 2023-09-19T18:35:17+00:00
testsuite/ldap-client: fix invocation of ldapsearch

The -h command line option has been removed, ldapsearch now only accepts an LDAP
URI via the -H option. Use dig and awk instead of host and interpret the SRV
record properly.

- - - - -
38f913b8 by Guido Berhoerster at 2023-09-19T18:35:17+00:00
testsuite/ldap-client: improve error message on PAM modules

Also do not use the deprecated egrep and get rid of unnecessary wc.

- - - - -
975a7e30 by Guido Berhoerster at 2023-09-19T18:35:17+00:00
testsuite/ldap-server: fix invocation of ldapsearch

The -h command line option has been removed, ldapsearch now only accepts a LDAP
URI via the -H option.

- - - - -
ee9e13fc by Guido Berhoerster at 2023-09-19T18:35:17+00:00
Fix remaining invocations of ldapsearch

- - - - -
3640fa41 by Guido Berhoerster at 2023-09-19T18:35:17+00:00
Disable the LDAP PAM module

This contains a workaround for #1039873 which can be removed once the fix is
available on bookworm (Closes #1051841).

- - - - -


11 changed files:

- Makefile
- README
- cf3/cf.cf-execd → cf3/cf.cfengine3
- cf3/cf.ldapclient
- cf3/promises.cf
- etc/ldap/rootDSE-debian-edu.ldif
- ldap-tools/ldap-createuser-krb5
- + libexec/debian-edu-edit-pam
- testsuite/filesystems
- testsuite/ldap-client
- testsuite/ldap-server


Changes:

=====================================
Makefile
=====================================
@@ -22,6 +22,7 @@ SPROGS = \
 	$(NULL)
 
 LIBEXECPROGS = \
+	debian-edu-edit-pam \
 	debian-edu-cups-queue-autoflush-for-netgroup-hosts \
 	debian-edu-cups-queue-autoreenable-for-netgroup-hosts \
 	debian-edu-fsautoresize-for-netgroup-hosts \
@@ -52,7 +53,7 @@ wwwdir         = /etc/debian-edu/www
 CF3FILES = \
 	cf.adduser \
 	cf.apache2 \
-	cf.cf-execd \
+	cf.cfengine3 \
 	cf.cups \
 	cf.desktop-networked \
 	cf.dhcpserver \


=====================================
README
=====================================
@@ -277,7 +277,7 @@ by MS AD, by adding the _ldap._tcp SRV records, or just using our
  - use _ldap._tcp SRV record to find LDAP server
  - use ldap "root" object to find LDAP tree info (like AD
    defaultNamingContext attribute)
-    "ldapsearch -x -s base -h $server -b '' -x '*'"
+    "ldapsearch -x -s base -H ldap://$server -b '' -x '*'"
  - subnet three with relevant information?  AD have subtree
      "CN=Subnets,CN=Sites,CN=Configuration,$base" with objectClass=subnet
      objects.
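Review bot: the changed example command still passes `-x` twice (`ldapsearch -x -s base -H ldap://$server -b '' -x '*'`); the second `-x` is harmless to ldapsearch but reads as if it were an option to the `'*'` attribute list, so drop it while this line is being touched.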


=====================================
cf3/cf.cf-execd → cf3/cf.cfengine3
=====================================
@@ -1,15 +1,15 @@
-bundle agent cf_execd
+bundle agent cfengine3
 {
-# Disable cf-execd which is enabled by default when systemd is used (#1043353)
+# Disable cfengine3 services which are enabled by default when systemd is used (#1043353)
 
 services:
 
   debian.systemd.(server|ltspserver).installation::
 
-    "cf-execd.service"
+    "cfengine3.service"
       service_policy => "stop";
 
-    "cf-execd.service"
+    "cfengine3.service"
       service_policy => "disable";
 
 }


=====================================
cf3/cf.ldapclient
=====================================
@@ -8,6 +8,14 @@ commands:
 
     "/usr/share/debian-edu-config/tools/setup-roaming"
       contain => in_shell;
+
+# remove PAM LDAP module
+  debian.!roaming.installation::
+
+# this can be replaced with /usr/sbin/pam-auth-update --disable ldap on the fix
+# for #1039873 is available on bookworm
+    "/usr/bin/env EDITOR=/usr/libexec/debian-edu-config/debian-edu-edit-pam DEBIAN_FRONTEND=editor /usr/sbin/pam-auth-update"
+      contain => in_shell;
 }
 
 bundle agent editline_ldapclient
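Review bot: the new comment should read "once the fix for #1039873 is available on bookworm" rather than "on the fix"; beyond wording, the added command promise has no guard, so `pam-auth-update` with the editor frontend is re-executed on every agent run for `debian.!roaming.installation`. Consider making the promise conditional on the LDAP profile still being active (for example a class derived from `grep -q pam_ldap.so /etc/pam.d/common-auth`) so the workaround runs only when there is something to remove.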


=====================================
cf3/promises.cf
=====================================
@@ -28,7 +28,7 @@ body common control
 
       bundlesequence => {
                           edu,
-                          cf_execd,
+                          cfengine3,
                           permission_homes,
                           editline_homes,
                           editline_bind,
@@ -76,7 +76,7 @@ body common control
                   "debian-edu/cf.adduser",
                   "debian-edu/cf.apache2",
                   "debian-edu/cf.bind",
-                  "debian-edu/cf.cf-execd",
+                  "debian-edu/cf.cfengine3",
                   "debian-edu/cf.chromium",
                   "debian-edu/cf.cups",
                   "debian-edu/cf.samba",


=====================================
etc/ldap/rootDSE-debian-edu.ldif
=====================================
@@ -1,5 +1,5 @@
 # This entry is available using
-#   ldapsearch -LLL -h ldap  -s base -b '' -x '*' +
+#   ldapsearch -LLL -H ldap://ldap  -s base -b '' -x '*' +
 dn:
 objectClass: labeledURIObject
 labeledURI: http://www.skolelinux.org/ LDAP for Debian Edu/Skolelinux


=====================================
ldap-tools/ldap-createuser-krb5
=====================================
@@ -60,7 +60,8 @@ if [[ $# -ne 2 || -z "$USERNAME" || -z "$GECOS" ]]; then
     exit 1
 fi
 
-read -rs -p "new password: " PASSWORD
+read -rs -p "new user password: " PASSWORD
+echo
 read -rs -p "confirm password: " CONFIRM
 if [[ "${CONFIRM}" != "${PASSWORD}" ]]; then
     echo "passwords do not match" >&2
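Review bot: the added `echo` after the first `read -rs` fixes the newline for the new-user prompt, but the following `read -rs -p "confirm password: " CONFIRM` has the same problem: with `-s` the terminal does not echo the Enter key, so "passwords do not match" (and whatever follows on success) is printed on the same line as the confirm prompt. Add a second `echo` directly after the confirm `read` as well.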


=====================================
libexec/debian-edu-edit-pam
=====================================
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# This is a workaround for #1039873 and intended to be used with the debconf
+# editor frontend which is invoked by pam-auth-update. A temporary file with
+# the settings is passed as the first argument.
+#
+
+tmpfile="$(mktemp)"
+trap 'rm "${tmpfile}"' EXIT
+awk '
+/^libpam-runtime\/profiles=/ {
+    sep = ""
+    gsub(/^libpam-runtime\/profiles="|"$/, "")
+    len = split($0, names, /,/)
+    printf("libpam-runtime/profiles=\"")
+    for (i = 1; i <= len; i++) {
+        gsub(/^[ \t]*|[ \t]*$/, "", names[i])
+        if (names[i] != "LDAP Authentication") {
+            printf("%s%s", sep, names[i])
+            sep = ", "
+        }
+    }
+    printf("\"\n")
+    next
+}
+{ print }' "$1" > "${tmpfile}" && \
+    cat "${tmpfile}" > "$1"
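Review bot: the script does not validate its input before rewriting it: if `$1` is missing, awk reads stdin and `cat "${tmpfile}" > "$1"` fails on an empty path, and if `mktemp` fails `tmpfile` is empty so the redirect fails and the `trap 'rm "${tmpfile}"' EXIT` then errors on `rm ""`. Suggest `set -e` plus an explicit `[ $# -eq 1 ] && [ -w "$1" ] || exit 1` check at the top, and `tmpfile="$(mktemp)" || exit 1` so a failed mktemp is reported instead of silently producing an empty or unchanged profiles file.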


=====================================
testsuite/filesystems
=====================================
@@ -1,58 +1,65 @@
 #!/bin/sh
 #
-# Check that we are using ext3, not ext2
+# Check that we are using ext3/4 filesystems with expected options
 
 if test -r /etc/debian-edu/config ; then
     . /etc/debian-edu/config
 fi
 
-LANG=C
-export LANG
-
-awk "/ext2/ { print \"error: $0: Using ext2 on\",\$2 }" /proc/mounts
-awk "/ext3|ext4/ { print \"success: $0: Using ext3 on\",\$2 }" /proc/mounts
-
-# Check if the filesystems on the mountpoints support acls
-for f in `grep 'ext' /proc/mounts|awk '{print $1}'`; do
-     if [ `chacl -l $f | grep 'cannot get'` ]; then
-        echo "error: $0: $f doesn't support acls" 
-     else
-        echo "success: $0: $f supports acls"
-     fi
-done
-
-# Make sure all ext3/ext4 mount points are online resizable
-for p in `(df -Pt ext3 2>/dev/null;df -Pt ext4 2>/dev/null) | grep -v ^Filesystem |awk '{print $1}'`; do 
-    if tune2fs -l $p| grep features | grep -q resize_inode ; then
-	:
-    else
-	echo "error: $0: Missing resize_inode in ext3/ext4 fs $p"
-    fi
-done
+LC_ALL=C
+export LC_ALL
+
+scriptname="$0"
+
+while read -r line; do
+    set -- $line
+    case $3 in
+        ext2)
+            if [ $2 != '/boot' ]; then
+                printf 'error: %s: Using ext2 on %s\n' "${scriptname}" "$1"
+            fi
+            ;;
+        ext3|ext4)
+            printf 'success: %s: Using ext3/4 on %s\n' "${scriptname}" "$1"
 
-if echo "$PROFILE" | grep -q Main-Server ; then
+            # Check if the filesystems on the mountpoints support acls
+            if chacl -l "$1" >/dev/null 2>&1; then
+                printf "success: %s: %s supports acls\n" "${scriptname}" "$1"
+            else
+                printf "error: %s: %s doesn't support acls\n" "${scriptname}" "$1"
+            fi
+
+            # Make sure all ext3/ext4 mount points are online resizable
+            if ! tune2fs -l "$1" | grep -q '^Filesystem features:.* resize_inode'; then
+                printf 'error: %s: Missing resize_inode in ext3/ext4 fs %s\n' "${scriptname}" "$2"
+            fi
+            ;;
+    esac
+done </proc/mounts
+
+case $PROFILE in
+*Main-Server*)
     # Make sure autofs do not hide the real file systems
     if [ -d /skole/tjener/home0/lost+found ] ; then
-	echo "success: $0: Found lost+found in /skole/tjener/home0/"
+        printf 'success: %s: Found lost+found in /skole/tjener/home0/\n' "${scriptname}"
     else
-	echo "error: $0: No lost+found in /skole/tjener/home0/.  Blocked by autofs?"
+        printf 'error: %s: No lost+found in /skole/tjener/home0/.  Blocked by autofs?\n' "${scriptname}"
     fi
 
     # Make sure home0 and backup have acl and user_xattr enabled.  See
     # if bug #638822 is present or not.
     for dir in /skole/tjener/home0 /skole/backup; do
-	dev="$(LC_ALL=C df -P /var/log|awk '/%/ {print $1}')"
-	for opt in acl user_xattr ; do
-	    if LC_ALL=C tune2fs -l "$dev" | \
-		grep 'Default mount' | \
-		grep -qw $opt ; then
-		echo "success: $0: Found option $opt in $dir."
-	    else
-		echo "error: $0: Did not find option $opt in $dir."
-	    fi
-	done
+        dev="$(findmnt -T "${dir}" -n -o SOURCE)"
+        for opt in acl user_xattr; do
+            if tune2fs -l "${dev}" | grep -q "^Default mount options:.* ${opt}"; then
+                printf "success: %s: Found option %s in %s.\n" "${scriptname}" "${opt}" "${dir}"
+            else
+                printf "error: %s: Did not find option %s in %s.\n" "${scriptname}" "${opt}" "${dir}"
+            fi
+        done
     done
-fi
+    ;;
+esac
 
 # Report too full file systems.  Should have at least 20% free to
 # avoid warning from Nagios, preferably between 20% and 25%.
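Review bot: the new mount loop is inconsistent about which field it reports and tests. "Using ext2 on %s" and "Using ext3/4 on %s" print `$1` (the device) where the replaced awk printed `$2` (the mount point), while the resize_inode message prints `$2`; pick the mount point for all three. More importantly, `chacl -l "$1"` is run on the device node (e.g. /dev/sda1, which lives on devtmpfs) rather than on the mounted filesystem, so it does not exercise ACL support of the filesystem being checked; it should be `chacl -l "$2"`. Also quote `"$2"` in `[ $2 != '/boot' ]` for consistency with the rest of the rewrite.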


=====================================
testsuite/ldap-client
=====================================
@@ -24,13 +24,20 @@ fi
 
 RESULT=0
 
-# Locate LDAP server dynamically, by looking up SRV records.  The -N 2
+# Locate LDAP server dynamically, by looking up SRV records.  The +ndots=2
 # argument is tested and found to work with the debian package
 # bind9-host, and not with the host package.
-ldap_servers=$(host -N 2 -t srv _ldap._tcp | rev | awk '/VRS/ {print $1}' | cut -d. -f2- | rev)
-# Cut the list to one server as we do not handle redundant servers at
-# the moment.
-ldap_server=$(echo $ldap_servers | awk '{print $1}')
+ldap_server_port="$(dig +search +ndots=2 +short _ldap._tcp srv | awk '
+(t == "") || ($1 < prio) {
+    prio = $1
+    t = $4
+    sub(/\.$/,"",t)
+    p = $3
+}
+END { if (t != "") printf("%s:%d", t, p) }
+')"
+ldap_server="${ldap_server_port%:*}"
+ldap_server_uri="ldap://${ldap_server_port}"
 
 # Test if LDAP server is reachable
 if ping -c1 $ldap_server > /dev/null 2>&1 ; then
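Review bot: the comment above the new lookup still says the argument "is tested and found to work with the debian package bind9-host, and not with the host package", which described the old `host -N 2` call; with `dig +search +ndots=2` it is stale and should be rewritten to describe the dig options. The awk selection (`(t == "") || ($1 < prio)`) picks the lowest-priority SRV record but ignores the weight field for equal priorities, which is acceptable for a test that only needs one server, and an empty result correctly falls through to the ping failure and the `ldap.intern` fallback below.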
@@ -39,6 +46,7 @@ else
     error "Dynamically located LDAP server '$ldap_server' is not pingable, continuing tests using DNS alias ldap."
     # Autodetection failed, use hardcoded DNS name for the rest of the tests
     ldap_server=ldap.intern
+    ldap_server_uri="ldap://${ldap_server}"
 fi
 
 for file in nslcd.conf ; do
@@ -68,8 +76,10 @@ else
     SERVICES="$SERVICES nscd"
 fi
 
-host -a -t srv _ldap._tcp | sed "s/^/info: SRV record from DNS: /"
-host -a "$ldap_server" | sed "s/^/info: LDAP server from DNS: /"
+printf 'info: SRV record from DNS: '
+dig +search +ndots=2 +noall +answer +nocomments _ldap._tcp srv
+printf 'info: LDAP server from DNS: '
+dig +noall +answer +nocomments "$ldap_server"
 
 if [ -f /etc/nslcd.conf ] ; then
     if grep -Eq "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then
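Review bot: replacing `sed "s/^/info: ... /"` with a bare `printf 'info: ...: '` in front of `dig +noall +answer` only prefixes the first answer line; any additional SRV or A/AAAA answers are printed without the `info:` tag, and when dig returns no answer the prefix has no trailing newline so the next test line is appended to it. Keep the per-line prefix, e.g. `dig +search +ndots=2 +noall +answer +nocomments _ldap._tcp srv | sed "s/^/info: SRV record from DNS: /"`.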
@@ -116,13 +126,13 @@ done
 
 if [ -x /usr/bin/ldapsearch ] ; then
     namingContexts="$(
-        ldapsearch -s base -h $ldap_server -b '' -x '*' '+' | \
+        ldapsearch -s base -H "${ldap_server_uri}" -b '' -x '*' '+' | \
             awk '/^namingContexts:/ {print $2}' | head -1
         )"
     echo info: $0: LDAP rootDSE namingContext: $namingContexts
 
     LDAP_MOUNTS="$(
-        ldapsearch -LLL -h $ldap_server -b $namingContexts \
+        ldapsearch -LLL -H "${ldap_server_uri}" -b $namingContexts \
                    -x '(objectClass=automount)' |\
             grep "^cn:" | while read attr val; do
                 echo "$val"
@@ -137,10 +147,10 @@ if [ -x /usr/bin/ldapsearch ] ; then
 
     # Try a search using TLS too
     group=admins
-    if ldapsearch -ZZ -LLL -h $ldap_server -b $namingContexts \
+    if ldapsearch -ZZ -LLL -H "${ldap_server_uri}" -b $namingContexts \
                   -x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then
         success "TLS search on $ldap_server for cn=$group returned OK exit code."
-    elif ldapsearch -ZZ -LLL -h ldap.intern -b $namingContexts \
+    elif ldapsearch -ZZ -LLL -H ldap://ldap.intern -b $namingContexts \
                   -x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then
         success "TLS search on ldap.intern for cn=$group returned OK exit code."
     else 
@@ -162,10 +172,10 @@ else
     error "Missing LDAP certificate $pubcert"
 fi
 
-if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | egrep 'pam_krb5.so|pam_ldap.so|pam_sss.so' | wc -l) ] ; then
+if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | grep -Ec 'pam_krb5.so|pam_ldap.so|pam_sss.so') ] ; then
     success "Only one PAM module of krb5, ldap and sss is enabled"
 else
-    error "Not only one PAM module of krb5, ldap and sss is enabled"
+    error "More than one PAM module of krb5, ldap and sss is enabled"
 fi
 
 # Make sure winbind PAM module isn't active
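Review bot: the `grep -Ec` change is fine, but the new error text "More than one PAM module of krb5, ldap and sss is enabled" is wrong for the other case the `1 -eq` test rejects, namely zero matching modules in common-auth (for example after the LDAP module has been removed but before krb5 or sss is configured). Use wording such as "Not exactly one PAM module of krb5, ldap and sss is enabled", or branch on the count and report zero and more than one separately.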


=====================================
testsuite/ldap-server
=====================================
@@ -73,11 +73,11 @@ netstat -a --numeric-hosts | grep :ldap |
 # limit (32768) file descriptors were tried but required incresing
 # file-max, took very long and caused very high load on the server
 # during testing.
-ldap_server=ldap
+ldap_server_uri=ldap
 limit=1200
 ulimit -n 2048
 
-if ldapsearch -s base -h $ldap_server -b '' -x '*' '+' > /dev/null 2>&1 ; then
+if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
     echo "success: $0: search work before flodding the LDAP server with $limit connections."
 else 
     echo "error: $0: search fail before flodding the LDAP server with $limit connections"
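Review bot: renaming `ldap_server=ldap` to `ldap_server_uri=ldap` leaves `ldap_server` unset, yet the changed ldapsearch line still expands `ldap://$ldap_server` (giving `ldap://`), and the unchanged Net::LDAP line in the next hunk still uses `'ldap://$ldap_server'` as well, so both the before and after searches and the connection flood now target an empty host. Either keep `ldap_server=ldap` (the `-H "ldap://$ldap_server"` form then works as intended) or set `ldap_server_uri=ldap://ldap` and use `"$ldap_server_uri"` in every call.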
@@ -86,7 +86,7 @@ fi
 
 perl -MNet::LDAP -e "sleep(5); my @c; for my \$n (0 .. $limit) { \$c[\$n] = Net::LDAP->new('ldap://$ldap_server', onerror => undef); my \$root = \$c[\$n]->root_dse() if \$c[\$n]; } sleep(5);"
 
-if ldapsearch -s base -h $ldap_server -b '' -x '*' '+' > /dev/null 2>&1 ; then
+if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
     echo "success: $0: search work after flodding the LDAP server with $limit connections."
 else 
     echo "error: $0: search fail after flodding the LDAP server with $limit connections"



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/78f056f9dc14493aec8f583c9d64c1ed01dec4d2...3640fa41ee1f02fb53dab5263b9026a89a3bbb3e
