[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
WolfgangSchweer
gitlab at salsa.debian.org
Sat Aug 10 13:27:21 BST 2019
WolfgangSchweer pushed to branch master at Debian Edu / debian-edu-config
Commits:
c47eabe5 by Wolfgang Schweer at 2019-08-10T12:23:59Z
Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
Use independent conditions to make sure that the LDAP server certificate
is only downloaded once for both host and LTSP chroot.
Add code to validate the LDAP server certificate in case the Debian Edu
RootCA certificate is available for download.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
2 changed files:
- debian/changelog
- debian/debian-edu-config.fetch-ldap-cert
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,13 @@
+debian-edu-config (2.10.67) UNRELEASED; urgency=medium
+
+ * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
+ - Use independent conditions to make sure that the LDAP server certificate
+ is only downloaded once for both host and LTSP chroot.
+ - Add code to validate the LDAP server certificate in case the Debian Edu
+ RootCA certificate is available for download.
+
+ -- Wolfgang Schweer <wschweer at arcor.de> Sat, 10 Aug 2019 14:14:26 +0200
+
debian-edu-config (2.10.66) unstable; urgency=medium
[ Wolfgang Schweer ]
=====================================
debian/debian-edu-config.fetch-ldap-cert
=====================================
@@ -23,14 +23,15 @@ set -e
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
do_start() {
# Locate LDAP server
LDAPSERVER=$(debian-edu-ldapserver)
-
+ LDAPPORT=636 # ldaps
ERROR=false
- if [ -f /etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+ if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
+ grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
if [ -z "$LDAPSERVER" ] ; then
msg="Failed to locate LDAP server"
log_action_begin_msg "$msg"
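Review bot: The new guard `[ ! -f $CERTFILE ]` skips the whole fetch as soon as a file exists at that path, even a zero-length one, while the rest of the script only treats a non-empty file as a usable certificate (`test -s $CERTFILE.new`, `test -s $CERTFILE` in the chroot copy); an empty or truncated file left at `$CERTFILE` would therefore block re-fetching until someone removes it by hand. Suggest aligning the guard with those checks: `if [ ! -s "$CERTFILE" ] && [ -f /etc/nslcd.conf ] &&`. A short comment above it, `# host side: fetch only when no usable certificate is installed yet`, would also record why the old start) short-circuit moved here. The body of do_start continues past the end of this hunk.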
@@ -39,18 +40,43 @@ do_start() {
return 1
fi
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
- if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
- gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+ if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
+ if curl -sfk --head -o /dev/null https://www.intern ; then
+ if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \
+ grep -q CERTIFICATE $ROOTCACRT ; then
+ gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
+ else
+ rm -f $ROOTCACRT
+ if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
+ grep -q CERTIFICATE $BUNDLECRT ; then
+ gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
+ else
+ rm -f $BUNDLECRT
+ logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
+ fi
+ fi
+ else
+ log_action_end_msg 1
+ logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
+ ERROR=true
+ fi
else
/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
chmod 644 $CERTFILE.new
+ logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
fi
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
- logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+ if [ -f $BUNDLECRT ] ; then
+ logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+ else
+ logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
+ fi
else
- rm $CERTFILE.new
+ rm -f $CERTFILE.new
log_action_end_msg 1
logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
ERROR=true
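Review bot: The trust anchor is fetched with `curl -k https://www.intern/Debian-Edu_rootCA.crt`, i.e. with TLS verification disabled, so the following `gnutls-cli --x509cafile $ROOTCACRT` only proves that the LDAP certificate chains to whatever www.intern served at that moment; this is a trust-on-first-use bootstrap rather than the validation the commit message and the "Fetched and verified" log line suggest (the bundle path had the same property before this change, and `grep -q CERTIFICATE` only confirms PEM-looking content, not which CA it is). This deserves a comment above the curl, e.g. `# First-contact fetch: www.intern is not yet trusted (-k), so the CA obtained here is a TOFU anchor, not an independently verified one`, and a log message that says "verified against the fetched rootCA" rather than an unqualified "verified". Separately, the new success branch reports "verified" only when `[ -f $BUNDLECRT ]`, so the rootCA path this commit adds logs the plain "Fetched LDAP SSL certificate" unless a stale bundle file happens to exist; `if [ -f $ROOTCACRT ] || [ -f $BUNDLECRT ] ; then` matches the intent. Minor: `grep RootCA` in the s_client probe lacks `-q` and prints the matched line into the init-script output. do_start begins before this hunk and continues after it.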
@@ -64,10 +90,24 @@ do_start() {
log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
if test -s $CERTFILE; then
cp $CERTFILE $ltsp_chroot$CERTFILE
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
+ log_action_end_msg 1
+ ERROR=true
+ fi
+ log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
+ if test -s $ROOTCACRT; then
+ cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
[ "$VERBOSE" != no ] && log_action_end_msg 0
else
+ log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
+ if test -s $BUNDLECRT; then
+ cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
log_action_end_msg 1
ERROR=true
+ fi
fi
fi
done
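Review bot: In the new nested else branch, a host that has neither `$ROOTCACRT` nor `$BUNDLECRT` ends in `log_action_end_msg 1` and `ERROR=true` for every chroot, although the LDAP certificate itself was just copied successfully; reading the previous hunk, this is exactly the state the pre-Buster `ldap-server-getcert` path leaves behind, so those installations would now always report a failure here. The rootCA `log_action_begin_msg` is also never ended when control falls into the bundle branch, which starts a second begin message. Treating "no CA file present" as nothing-to-copy and keeping each begin/end pair together avoids both; the enclosing loop starts before this hunk.
```shell
      # … unchanged: copy of $CERTFILE into the chroot …
      if test -s $ROOTCACRT; then
        log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
        cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
        [ "$VERBOSE" != no ] && log_action_end_msg 0
      elif test -s $BUNDLECRT; then
        log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
        cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
        [ "$VERBOSE" != no ] && log_action_end_msg 0
      fi
      # no CA file on the host (pre-Buster server cert path): nothing to copy, not an error
```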
@@ -79,13 +119,7 @@ do_start() {
case "$1" in
start)
- # do absolutely nothing, if this host is already "attached" to
- # a Debian Edu network
- if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
- :
- else
- do_start
- fi
+ do_start
;;
stop)
;;