[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 5 commits: Provide Xfce screensaver for LTSP clients (workaround for #922718 in Buster)

WolfgangSchweer gitlab at salsa.debian.org
Sat Feb 23 16:09:00 GMT 2019


WolfgangSchweer pushed to branch master at Debian Edu / debian-edu-config


Commits:
35b9f447 by Wolfgang Schweer at 2019-02-23T15:38:10Z
Provide Xfce screensaver for LTSP clients (workaround for #922718 in Buster)

- - - - -
0b05df45 by Wolfgang Schweer at 2019-02-23T15:43:46Z
Make /etc/debian-edu/www/debian-edu-bundle.{crt,pem} world readable.

This is needed to be able to download the bundled certificates.

- - - - -
e4317060 by Wolfgang Schweer at 2019-02-23T15:45:28Z
Verify the LDAP server certificate using the downloaded Debian-Edu_rootCA one.

- - - - -
52f908df by Wolfgang Schweer at 2019-02-23T15:48:18Z
Fix various testsuite scripts to match the last configuration changes.

These are testsuite/{ldap-client,ldap-server,sudo,webcache,webserver}

- - - - -
735bb126 by Wolfgang Schweer at 2019-02-23T16:08:06Z
Add changelog entries for last commits.

- - - - -


9 changed files:

- cf3/cf.workarounds
- debian/changelog
- debian/debian-edu-config.fetch-ldap-cert
- share/debian-edu-config/tools/create-debian-edu-certs
- testsuite/ldap-client
- testsuite/ldap-server
- testsuite/sudo
- testsuite/webcache
- testsuite/webserver


Changes:

=====================================
cf3/cf.workarounds
=====================================
@@ -22,5 +22,13 @@ files:
     "/etc/resolvconf/update-libc.d/squid"
       link_from => ln_s("/usr/share/debian-edu-config/squid.resolvconf"),
       move_obstructions => "true";
+
+commands:
+
+  debian.xfce.(ltspclient|ltspserver).installation::
+  # Provide a screensaver as a workaround for #922718 (fixed in experimental
+  # but not in Buster). FIXME: Check if this is still needed for Bullseye.
+    "/usr/bin/apt-get install -y xscreensaver"
+      contain => in_shell;
 }
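Review bot: The new `commands:` promise runs `/usr/bin/apt-get install -y xscreensaver` on every agent pass for the `debian.xfce.(ltspclient|ltspserver).installation` class, with nothing making it conditional on the package being absent, so apt is invoked each run even once xscreensaver is installed. Consider guarding it with a class derived from `dpkg-query -W -f='${Status}' xscreensaver` (or a `packages:` promise, if the policy already uses one elsewhere), and prefixing the command with `DEBIAN_FRONTEND=noninteractive` so a debconf prompt can never block the agent under `in_shell`. The FIXME about Bullseye is useful; I would also name the bug in the changelog-style form `# workaround for #922718 (xfce4-screensaver not in Buster)` only if that is indeed what the bug is about, which the hunk does not show.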
 


=====================================
debian/changelog
=====================================
@@ -1,8 +1,21 @@
 debian-edu-config (2.10.61) UNRELEASED; urgency=medium
 
+  [ Holger Levsen ]
   * www/index* and www/*.po: replace http://popcon.skolelinux.org with
     https://popcon.debian.org as the former is unmaintained.
 
+  [ Wolfgang Schweer ]
+  * cf3/cf.workarounds:
+    - Provide Xfce screensaver for LTSP clients (workaround for bug #922718,
+      fixed in experimental but unlikely to be fixed in Buster).
+  * Improve LDAP server certificate check:
+    - tools/create-debian-edu-certs:
+      Make /etc/debian-edu/www/debian-edu-bundle.{crt,pem} downloadable.
+    - debian-edu-config.fetch-ldap-cert:
+      Verify the LDAP server cert using the downloaded Debian-Edu_rootCa one.
+  * testsuite/{ldap-client,ldap-server,sudo,webcache,webserver}:
+    - Fix scripts to match the recent configuration changes.
+
  -- Holger Levsen <holger at debian.org>  Fri, 15 Feb 2019 11:58:26 +0100
 
 debian-edu-config (2.10.60) unstable; urgency=medium


=====================================
debian/debian-edu-config.fetch-ldap-cert
=====================================
@@ -22,6 +22,7 @@ set -e
 . /lib/lsb/init-functions
 
 CERTFILE=/etc/ssl/certs/debian-edu-server.crt
+BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
 
 do_start() {
     # Locate LDAP server
@@ -38,11 +39,13 @@ do_start() {
 	    return 1
 	fi
 	[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-	/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
+	if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
+	gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+	fi
 	if test -s $CERTFILE.new ; then
 	    mv $CERTFILE.new $CERTFILE
 	    [ "$VERBOSE" != no ] && log_action_end_msg 0
-	    logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
+	    logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
 	else
 	    rm $CERTFILE.new
 	    log_action_end_msg 1
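Review bot: The trust anchor is fetched with TLS verification disabled (`curl -k https://www.intern/debian-edu-bundle.crt`) and then used as `--x509cafile` for gnutls-cli, so the "Fetched and verified" log line overstates what happened: whoever controls the network on first boot can hand the client both a CA bundle and a matching LDAP certificate and both checks pass. This is a bootstrap problem (the www.intern certificate is presumably issued by the same Debian-Edu rootCA, so it cannot be verified before the bundle exists), so it should at least be documented as trust-on-first-use and the bundle shipped out-of-band (installer/LTSP image) where possible. Two smaller issues in the same lines: without `-f`, curl exits 0 on an HTTP 404 and writes the error page into `$BUNDLECRT`, and the ldap host is now hardcoded as `ldap.intern` while the log message still reports `$LDAPSERVER` (assuming that variable holds the host name previously passed to ldap-server-getcert). If gnutls-cli fails under `set -e` the script may exit before the `test -s` cleanup below, depending on how do_start is invoked, which is outside the hunk; do_start starts above the hunk and continues below it.
```shell
	[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
	# Bootstrap caveat: the CA bundle is fetched with TLS verification
	# disabled (-k), so the check below trusts whatever CA the network
	# handed us on first use. Ship the bundle out-of-band where possible.
	# -f makes curl fail on HTTP errors instead of saving an error page.
	if curl -fsS -k https://www.intern/debian-edu-bundle.crt > "$BUNDLECRT.new" \
	    && grep -q 'BEGIN CERTIFICATE' "$BUNDLECRT.new" ; then
	    mv "$BUNDLECRT.new" "$BUNDLECRT"
	    # Use the server we located above; drop a partial file if the
	    # handshake or chain verification fails instead of aborting.
	    gnutls-cli --x509cafile "$BUNDLECRT" --save-cert="$CERTFILE.new" "$LDAPSERVER" < /dev/null \
	        || rm -f "$CERTFILE.new"
	else
	    rm -f "$BUNDLECRT.new"
	fi
	# … unchanged: test -s $CERTFILE.new / mv / logger / log_action_end_msg …
```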


=====================================
share/debian-edu-config/tools/create-debian-edu-certs
=====================================
@@ -72,6 +72,7 @@ generate() {
     # available via web-server.
     cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www
     cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www
+    chmod 644 /etc/debian-edu/www/debian-edu-bundle.*
     logger -t create-debian-edu-certs "Certs with both .crt and .pem extension made available in /etc/debian-edu/www."
 }
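Review bot: The added `chmod 644 /etc/debian-edu/www/debian-edu-bundle.*` publishes these files through the web server, which is fine only because a CA bundle holds public certificates; nothing in the hunk states that, and a future edit that bundles a key into a `.pem` next to it would be exposed the same way. I would make the invariant explicit with a comment above the `cp` lines, `# Public CA certificates only: these files are served by www.intern, never place key material here.` The `generate()` function starts above the hunk, so I cannot see where the bundle is produced to confirm its contents.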
 


=====================================
testsuite/ldap-client
=====================================
@@ -51,7 +51,7 @@ for file in nslcd.conf ; do
 done
 
 # Verify that NSS is properly configured for netgroups in LDAP.
-if egrep -q '^netgroup: +files *.* +(ldap|sss)$' /etc/nsswitch.conf ; then
+if egrep -q '^netgroup: +nis *.* +(ldap|sss)$' /etc/nsswitch.conf ; then
     success "NSS netgroup setting is correct in /etc/nsswitch.conf"
 else
     error "NSS netgroup setting is wrong in /etc/nsswitch.conf"
@@ -71,14 +71,14 @@ fi
 host -a -t srv _ldap._tcp | sed "s/^/info: SRV record from DNS: /"
 host -a "$ldap_server" | sed "s/^/info: LDAP server from DNS: /"
 
-if [ -f /etc/ldap/ldap.conf ] ; then
-    if egrep -q "^HOST (ldap|$ldap_server)" /etc/ldap/ldap.conf ; then
+if [ -f /etc/nslcd.conf ] ; then
+    if egrep -q "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then
         :
     else
         error "ldap/ldap.conf misses definition of HOST ldap"
     fi
 else
-    error "/etc/ldap/ldap.conf is missing."
+    error "/etc/nslcd.conf is missing."
 fi
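Review bot: The check now reads `/etc/nslcd.conf` for a `uri` line, but the unchanged error on the line after the `else` still says `error "ldap/ldap.conf misses definition of HOST ldap"`, which will send whoever hits it to the wrong file and keyword. Change it to `error "/etc/nslcd.conf misses definition of uri ldap"` so it matches the new test. Also quote `"$ldap_server"` inside the egrep pattern argument and the `-f` test as elsewhere in the script, though that is cosmetic here.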
 
 # test netgroups
@@ -150,25 +150,13 @@ else
     error "Missing /usr/bin/ldapsearch "
 fi
 
-pubcert=/etc/ldap/ssl/ldap-server-pubkey.pem
-privcert=/etc/ldap/ssl/slapd.pem
-sedextract='/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
+pubcert=/etc/ssl/certs/debian-edu-server.crt
+cacert=/etc/ssl/certs/Debian-Edu_rootCA.crt
 if [ -s $pubcert ] ; then
-    if [ -f $privcert ] ; then
-	# Only compare the public part
-	if sed -n "$sedextract" < $privcert | \
-	    diff - $pubcert ; then
-	    success "Saved LDAP certificate matches slapd certificate"
+    if openssl verify -CAfile $cacert $pubcert; then
+	    success "LDAP certificate matches rootCA certificate"
 	else
-	    error "Saved LDAP certificate do not matches slapd certificate"
-	fi
-    else
-	if echo | openssl s_client -connect $ldap_server:ldaps 2>/dev/null | \
-	    sed -n "$sedextract" | diff - $pubcert ; then
-	    success "Fetched LDAP certificate matches slapd certificate"
-	else
-	    error "Fetched LDAP certificate do not matches slapd certificate"
-	fi
+	    error "LDAP certificate doesn't match rootCA certificate"
     fi
 else
     error "Missing LDAP certificate $pubcert"
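Review bot: `openssl verify -CAfile $cacert $pubcert` also fails when `$cacert` (`/etc/ssl/certs/Debian-Edu_rootCA.crt`) does not exist or is empty, and the script then reports `LDAP certificate doesn't match rootCA certificate`, which points at the wrong cause. Add a separate branch before the mismatch error, `elif [ ! -s "$cacert" ] ; then` / `error "Missing CA certificate $cacert"`, or test `[ -s "$cacert" ]` first the way `$pubcert` is tested. Note that `openssl verify` checks only the chain, not the host name, so the success message is accurate as written; quoting `"$cacert"` and `"$pubcert"` would match the rest of the testsuite's style.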
@@ -220,7 +208,7 @@ fi
 
 if echo "$PROFILE" | egrep -q 'LTSP-Server' ; then
     check_file_perm \
-	/opt/ltsp/*/etc/ldap/ssl/ldap-server-pubkey.pem 644
+	/opt/ltsp/*/etc/ssl/certs/debian-edu-server.crt 644
 fi
 
 exit $RESULT


=====================================
testsuite/ldap-server
=====================================
@@ -36,7 +36,7 @@ fi
 
 RESULT=0
 
-for port in ldap ldaps ; do
+for port in ldap; do
     netstat_check $port tcp slapd || RESULT=1
 done
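Review bot: Dropping `ldaps` from the `netstat_check` loop leaves this test with no assertion that slapd still offers TLS at all; if the configuration moved to STARTTLS on the `ldap` port, that is presumably intended, but nothing in the hunk or the commit message says so. Consider adding a positive check in its place, e.g. `ldapsearch -ZZ -x -H ldap://localhost -b '' -s base >/dev/null 2>&1 || RESULT=1`, so a server that silently stopped requiring TLS is caught. I cannot see `netstat_check` or the rest of the file, so the exact helper to reuse may differ.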
 
@@ -47,30 +47,17 @@ else
     RESULT=1
 fi
 
-if [ -f /etc/ldap/ssl/slapd.pem ] ; then
-    openssl verify  /etc/ldap/ssl/slapd.pem | 
-	  sed "s%^%info: $0: slapd.pem: %"
-else
-    echo "error: Missing /etc/ldap/ssl/slapd.pem"
-    RESULT=1
-fi
-
-# If the client certificate exist, verify that it is identical to the
-# server certificate.  If not, it was probably downloaded from the
-# wrong LDAP server.
-if [ -f /etc/ldap/ssl/ldap-server-pubkey.pem ] ; then
-    if awk '/^-----BEGIN CERTIFICATE-----$/ { yes=1 }
-            yes { print }
-           /^-----END CERTIFICATE-----$/ { yes=0 }' /etc/ldap/ssl/slapd.pem |
-	cmp -s /etc/ldap/ssl/ldap-server-pubkey.pem -
-    then
-	echo "success: Client certificate for LDAP server matches slapd cert."
+if [ -f /etc/ssl/certs/debian-edu-server.crt ] ; then
+    if [ -f /etc/ssl/certs/Debian-Edu_rootCA.crt ] ; then
+        openssl verify -CAfile /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/ssl/certs/debian-edu-server.crt |
+        sed "s%^%info: $0: debian-edu-server.crt: %"
+        echo "success: Certificate debian-edu-server.crt has been verified by Debian-Edu_rootCA.crt."
     else
-	echo "error: Certificate in /etc/ldap/ssl/slapd.pem and /etc/ldap/ssl/ldap-server-pubkey.pem differ."
-	RESULT=1
+        echo "error: Certificate /etc/ssl/certs/Debian-Edu_rootCA.crt is missing."
     fi
 else
-    echo "warning: Missing /etc/ldap/ssl/ldap-server-pubkey.pem"
+    echo "error: Certificate /etc/ssl/certs/debian-edu-server.crt is missing."
+    RESULT=1
 fi
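Review bot: The new `openssl verify ... | sed "s%^%info: ...%"` line discards openssl's exit status (the pipeline's status is sed's, and it is not tested anyway), so the `success: Certificate debian-edu-server.crt has been verified ...` echo is printed even when verification fails, and `RESULT` stays 0. The missing-rootCA branch also prints an `error:` without setting `RESULT=1`, unlike the sibling branch for the missing server certificate. Capture the output and branch on openssl's status:
```shell
if [ -f /etc/ssl/certs/debian-edu-server.crt ] ; then
    if [ -f /etc/ssl/certs/Debian-Edu_rootCA.crt ] ; then
        # Capture output so openssl's exit status, not sed's, decides.
        if verify_out=$(openssl verify -CAfile /etc/ssl/certs/Debian-Edu_rootCA.crt \
                /etc/ssl/certs/debian-edu-server.crt 2>&1) ; then
            echo "$verify_out" | sed "s%^%info: $0: debian-edu-server.crt: %"
            echo "success: Certificate debian-edu-server.crt has been verified by Debian-Edu_rootCA.crt."
        else
            echo "$verify_out" | sed "s%^%error: $0: debian-edu-server.crt: %"
            echo "error: Certificate debian-edu-server.crt failed verification against Debian-Edu_rootCA.crt."
            RESULT=1
        fi
    else
        echo "error: Certificate /etc/ssl/certs/Debian-Edu_rootCA.crt is missing."
        RESULT=1
    fi
# … unchanged: else branch for the missing server certificate …
```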
 
 echo "info: connection per ldap-client"


=====================================
testsuite/sudo
=====================================
@@ -18,10 +18,10 @@ else
     echo "error: $0: sudoRole object for root missing in ldap"
 fi
 
-if grep -q '^sudoers_base' /etc/ldap/ldap.conf ; then
-    echo "success: $0: suduers_base is set in ldap.conf"
+if grep -q '^sudoers_base' /etc/sudo-ldap.conf ; then
+    echo "success: $0: suduers_base is set in sudo-ldap.conf"
 else
-    echo "error: $0: suduers_base is missing ldap.conf"
+    echo "error: $0: suduers_base is missing sudo-ldap.conf"
 fi
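Review bot: The two rewritten messages keep the typo `suduers_base` while the grep on the line above looks for `^sudoers_base`, so a user grepping the testsuite output for the option name will not find these lines. Change them to `echo "success: $0: sudoers_base is set in sudo-ldap.conf"` and `echo "error: $0: sudoers_base is missing in sudo-ldap.conf"`. The `RESULT=1` that the other testsuite scripts set on error is absent here too, though that may be intentional for this file.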
 
 if grep -q '^sudoers:.* ldap' /etc/nsswitch.conf ; then


=====================================
testsuite/webcache
=====================================
@@ -87,7 +87,7 @@ export http_proxy ftp_proxy
 
 url=https://www.intern/
 
-if HEAD $HEADOPTS $url 2>&1 | grep -q 'certificate verify' ; then
+if HEAD $HEADOPTS $url 2>&1 | grep -q '200 OK' ; then
     echo "success: $0: Valid response from '$url' using proxy '$http_proxy'."
 else
     echo "error: $0: Unable to connect to '$url' using proxy '$http_proxy'."
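Review bot: Matching `'200 OK'` in `HEAD $HEADOPTS $url` output only works if the status chain is printed, which for lwp-request's HEAD requires `-S`; the companion webserver script adds `-S` to its `HEADOPTS` in this same push, but `HEADOPTS` for this script is defined above the hunk and is not changed here. If it lacks `-S`, this check can never succeed and the test will report `Unable to connect` for a working proxy; please confirm and, if so, add `-S` to `HEADOPTS` in this file as well. The previous pattern accepted a `certificate verify` failure as success, so the new check is the right direction once the status line is actually emitted.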


=====================================
testsuite/webserver
=====================================
@@ -25,7 +25,7 @@ fi
 server=www
 
 # Wait for 10 seconds
-HEADOPTS="-t 10"
+HEADOPTS="-t 10 -S"
 
 unset http_proxy || true
 unset https_proxy || true
@@ -47,7 +47,7 @@ if [ ! -x /usr/bin/HEAD ] ; then
 	exit 1
 else
     url=https://$server/
-    if HEAD $HEADOPTS $url 2>&1 | grep -q 'certificate verify' ; then
+    if HEAD $HEADOPTS $url 2>&1 | grep -q '200 OK' ; then
 	echo "success: $0: Apache is listening on '$url'."
     else
 	echo "error: $0: Apache is not listening on '$url'."
@@ -55,7 +55,7 @@ else
 
     for url in "https://$server/munin/" "https://$server/sitesummary/" \
 	"https://$server/debian-edu-doc/" ; do
-	if HEAD $HEADOPTS $url 2>&1 | grep -q 'certificate verify' ; then
+	if HEAD $HEADOPTS $url 2>&1 | grep -q '200 OK' ; then
 	    echo "success: $0: URL '$url' is working."
 	else
 	    echo "error: $0: URL '$url' is not working."


