[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 5 commits: Provide Xfce screensaver for LTSP clients (workaround for #922718 in Buster)
WolfgangSchweer
gitlab at salsa.debian.org
Sat Feb 23 16:09:00 GMT 2019
WolfgangSchweer pushed to branch master at Debian Edu / debian-edu-config
Commits:
35b9f447 by Wolfgang Schweer at 2019-02-23T15:38:10Z
Provide Xfce screensaver for LTSP clients (workaround for #922718 in Buster)
- - - - -
0b05df45 by Wolfgang Schweer at 2019-02-23T15:43:46Z
Make /etc/debian-edu/www/debian-edu-bundle.{crt,pem} world readable.
This is needed to be able to download the bundled certificates.
- - - - -
e4317060 by Wolfgang Schweer at 2019-02-23T15:45:28Z
Verify the LDAP server certificate using the downloaded Debian-Edu_rootCA one.
- - - - -
52f908df by Wolfgang Schweer at 2019-02-23T15:48:18Z
Fix various testsuite scripts to match the last configuration changes.
These are testsuite/{ldap-client,ldap-server,sudo,webcache,webserver}
- - - - -
735bb126 by Wolfgang Schweer at 2019-02-23T16:08:06Z
Add changelog entries for last commits.
- - - - -
9 changed files:
- cf3/cf.workarounds
- debian/changelog
- debian/debian-edu-config.fetch-ldap-cert
- share/debian-edu-config/tools/create-debian-edu-certs
- testsuite/ldap-client
- testsuite/ldap-server
- testsuite/sudo
- testsuite/webcache
- testsuite/webserver
Changes:
=====================================
cf3/cf.workarounds
=====================================
@@ -22,5 +22,13 @@ files:
"/etc/resolvconf/update-libc.d/squid"
link_from => ln_s("/usr/share/debian-edu-config/squid.resolvconf"),
move_obstructions => "true";
+
+commands:
+
+ debian.xfce.(ltspclient|ltspserver).installation::
+ # Provide a screensaver as a workaround for #922718 (fixed in experimental
+ # but not in Buster). FIXME: Check if this is still needed for Bullseye.
+ "/usr/bin/apt-get install -y xscreensaver"
+ contain => in_shell;
}
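Review bot: The command on the `"/usr/bin/apt-get install -y xscreensaver"` line runs apt-get without `DEBIAN_FRONTEND=noninteractive`, so a debconf prompt from any package pulled in would block the agent run; because the promise uses `contain => in_shell`, the assignment can simply go into the command string: `"DEBIAN_FRONTEND=noninteractive /usr/bin/apt-get install -y xscreensaver"`. I cannot tell from the hunk how often the `debian.xfce.(ltspclient|ltspserver).installation` class is raised; if it fires on more than the first run, an is-installed guard (or a packages promise) would keep apt-get from being invoked every time. The bundle this `commands:` section belongs to begins above the hunk.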
=====================================
debian/changelog
=====================================
@@ -1,8 +1,21 @@
debian-edu-config (2.10.61) UNRELEASED; urgency=medium
+ [ Holger Levsen ]
* www/index* and www/*.po: replace http://popcon.skolelinux.org with
https://popcon.debian.org as the former is unmaintained.
+ [ Wolfgang Schweer ]
+ * cf3/cf.workarounds:
+ - Provide Xfce screensaver for LTSP clients (workaround for bug #922718,
+ fixed in experimental but unlikely to be fixed in Buster).
+ * Improve LDAP server certificate check:
+ - tools/create-debian-edu-certs:
+ Make /etc/debian-edu/www/debian-edu-bundle.{crt,pem} downloadable.
+ - debian-edu-config.fetch-ldap-cert:
+ Verify the LDAP server cert using the downloaded Debian-Edu_rootCa one.
+ * testsuite/{ldap-client,ldap-server,sudo,webcache,webserver}:
+ - Fix scripts to match the recent configuration changes.
+
-- Holger Levsen <holger at debian.org> Fri, 15 Feb 2019 11:58:26 +0100
debian-edu-config (2.10.60) unstable; urgency=medium
=====================================
debian/debian-edu-config.fetch-ldap-cert
=====================================
@@ -22,6 +22,7 @@ set -e
. /lib/lsb/init-functions
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
+BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
do_start() {
# Locate LDAP server
@@ -38,11 +39,13 @@ do_start() {
return 1
fi
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
- /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
+ if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
+ gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+ fi
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
- logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
+ logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
else
rm $CERTFILE.new
log_action_end_msg 1
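Review bot: `curl -k` on the first added line of the second hunk fetches the CA bundle without verifying the server, so the `--x509cafile` verification that follows is only as trustworthy as that unauthenticated download (trust on first use); that deserves a comment, and at minimum the download should use `-f` so an HTTP error page is not written into `$BUNDLECRT` and then accepted as a trust store, and should land in a temporary file so a previously good bundle survives a failed fetch. The `gnutls-cli` line sits in the body of the `if`, not its condition, and the script runs under `set -e` (the first hunk's header context), so a failed handshake or verification aborts `do_start` before the `test -s`/`rm` cleanup below runs; conversely, if `--save-cert` writes the chain before the verification verdict is known, a chain that failed verification could be left in `$CERTFILE.new` and moved into place by that same branch, so the `.new` file should be removed whenever gnutls-cli fails. The host queried is the literal `ldap.intern` while the log line reports `$LDAPSERVER`; unless both always name the same host, one variable should serve both. No `--port` is given, so gnutls-cli uses its default port 443, which is fine only if that port serves the certificate the LDAP client will later validate — worth stating in a comment.
```sh
# … unchanged: log_action_begin_msg …
# -k is unavoidable before the CA is known (trust on first use); -f keeps an
# HTTP error body out of the trust store, the temp file keeps the old bundle.
if curl -k -fsS -o "$BUNDLECRT.new" https://www.intern/debian-edu-bundle.crt ; then
    mv "$BUNDLECRT.new" "$BUNDLECRT"
    # Under set -e a failed handshake must not abort do_start; and a chain that
    # failed verification must never survive into the test -s branch below.
    if ! gnutls-cli --x509cafile "$BUNDLECRT" --save-cert="$CERTFILE.new" \
            "$LDAPSERVER" < /dev/null ; then
        rm -f "$CERTFILE.new"
    fi
else
    rm -f "$BUNDLECRT.new"
fi
# … unchanged: test -s $CERTFILE.new / mv / logger …
```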
=====================================
share/debian-edu-config/tools/create-debian-edu-certs
=====================================
@@ -72,6 +72,7 @@ generate() {
# available via web-server.
cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www
cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www
+ chmod 644 /etc/debian-edu/www/debian-edu-bundle.*
logger -t create-debian-edu-certs "Certs with both .crt and .pem extension made available in /etc/debian-edu/www."
}
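Review bot: The `chmod 644 /etc/debian-edu/www/debian-edu-bundle.*` line is appropriate only because both files presumably hold public certificates (they are copied from /etc/ssl/certs), and nothing in the hunk says so; a comment such as `# public CA bundle only: world-readable so clients can download it` would keep a later edit from dropping a private key into the same glob. The two `cp` lines plus the chmod can also become `install -m 644 /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www/` (and likewise for .pem), which sets the mode in one step rather than after the copy. generate() begins above the hunk.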
=====================================
testsuite/ldap-client
=====================================
@@ -51,7 +51,7 @@ for file in nslcd.conf ; do
done
# Verify that NSS is properly configured for netgroups in LDAP.
-if egrep -q '^netgroup: +files *.* +(ldap|sss)$' /etc/nsswitch.conf ; then
+if egrep -q '^netgroup: +nis *.* +(ldap|sss)$' /etc/nsswitch.conf ; then
success "NSS netgroup setting is correct in /etc/nsswitch.conf"
else
error "NSS netgroup setting is wrong in /etc/nsswitch.conf"
@@ -71,14 +71,14 @@ fi
host -a -t srv _ldap._tcp | sed "s/^/info: SRV record from DNS: /"
host -a "$ldap_server" | sed "s/^/info: LDAP server from DNS: /"
-if [ -f /etc/ldap/ldap.conf ] ; then
- if egrep -q "^HOST (ldap|$ldap_server)" /etc/ldap/ldap.conf ; then
+if [ -f /etc/nslcd.conf ] ; then
+ if egrep -q "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then
:
else
error "ldap/ldap.conf misses definition of HOST ldap"
fi
else
- error "/etc/ldap/ldap.conf is missing."
+ error "/etc/nslcd.conf is missing."
fi
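Review bot: The message `error "ldap/ldap.conf misses definition of HOST ldap"` on the unchanged line between the two edits still names the old file and keyword, while the test now greps `^uri` in /etc/nslcd.conf; it should read `error "/etc/nslcd.conf misses definition of uri ldap"`. The `$ldap_server` alternative in `"^uri (ldap|$ldap_server)"` can only match if the bare hostname follows `uri`, whereas nslcd.conf expects a URI (`ldap://host/`), so `"^uri +ldaps?://(ldap|$ldap_server)"` would match what the file actually contains; I cannot see how `$ldap_server` is derived, so check that it is a hostname rather than a URI. `egrep` is deprecated in favour of `grep -E`, if the file is being modernised anyway.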
# test netgroups
@@ -150,25 +150,13 @@ else
error "Missing /usr/bin/ldapsearch "
fi
-pubcert=/etc/ldap/ssl/ldap-server-pubkey.pem
-privcert=/etc/ldap/ssl/slapd.pem
-sedextract='/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
+pubcert=/etc/ssl/certs/debian-edu-server.crt
+cacert=/etc/ssl/certs/Debian-Edu_rootCA.crt
if [ -s $pubcert ] ; then
- if [ -f $privcert ] ; then
- # Only compare the public part
- if sed -n "$sedextract" < $privcert | \
- diff - $pubcert ; then
- success "Saved LDAP certificate matches slapd certificate"
+ if openssl verify -CAfile $cacert $pubcert; then
+ success "LDAP certificate matches rootCA certificate"
else
- error "Saved LDAP certificate do not matches slapd certificate"
- fi
- else
- if echo | openssl s_client -connect $ldap_server:ldaps 2>/dev/null | \
- sed -n "$sedextract" | diff - $pubcert ; then
- success "Fetched LDAP certificate matches slapd certificate"
- else
- error "Fetched LDAP certificate do not matches slapd certificate"
- fi
+ error "LDAP certificate doesn't match rootCA certificate"
fi
else
error "Missing LDAP certificate $pubcert"
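Review bot: `openssl verify -CAfile $cacert $pubcert` fails both when the certificate does not chain to the root CA and when `$cacert` is simply absent, so the `error "LDAP certificate doesn't match rootCA certificate"` branch is misleading in the second case; add `[ -s $cacert ] || error "Missing root CA certificate $cacert"` before the verify, mirroring the `-s $pubcert` guard. The removed `openssl s_client` comparison was the only check that the saved certificate is the one slapd actually presents; after this change a certificate that is valid under the root CA but issued for a different host passes, so if that coverage is still wanted, `openssl verify -CAfile $cacert -verify_hostname $ldap_server $pubcert` would at least tie the saved certificate to the expected name (assuming `$ldap_server` is the name in the certificate, which I cannot confirm from here).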
@@ -220,7 +208,7 @@ fi
if echo "$PROFILE" | egrep -q 'LTSP-Server' ; then
check_file_perm \
- /opt/ltsp/*/etc/ldap/ssl/ldap-server-pubkey.pem 644
+ /opt/ltsp/*/etc/ssl/certs/debian-edu-server.crt 644
fi
exit $RESULT
=====================================
testsuite/ldap-server
=====================================
@@ -36,7 +36,7 @@ fi
RESULT=0
-for port in ldap ldaps ; do
+for port in ldap; do
netstat_check $port tcp slapd || RESULT=1
done
@@ -47,30 +47,17 @@ else
RESULT=1
fi
-if [ -f /etc/ldap/ssl/slapd.pem ] ; then
- openssl verify /etc/ldap/ssl/slapd.pem |
- sed "s%^%info: $0: slapd.pem: %"
-else
- echo "error: Missing /etc/ldap/ssl/slapd.pem"
- RESULT=1
-fi
-
-# If the client certificate exist, verify that it is identical to the
-# server certificate. If not, it was probably downloaded from the
-# wrong LDAP server.
-if [ -f /etc/ldap/ssl/ldap-server-pubkey.pem ] ; then
- if awk '/^-----BEGIN CERTIFICATE-----$/ { yes=1 }
- yes { print }
- /^-----END CERTIFICATE-----$/ { yes=0 }' /etc/ldap/ssl/slapd.pem |
- cmp -s /etc/ldap/ssl/ldap-server-pubkey.pem -
- then
- echo "success: Client certificate for LDAP server matches slapd cert."
+if [ -f /etc/ssl/certs/debian-edu-server.crt ] ; then
+ if [ -f /etc/ssl/certs/Debian-Edu_rootCA.crt ] ; then
+ openssl verify -CAfile /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/ssl/certs/debian-edu-server.crt |
+ sed "s%^%info: $0: debian-edu-server.crt: %"
+ echo "success: Certificate debian-edu-server.crt has been verified by Debian-Edu_rootCA.crt."
else
- echo "error: Certificate in /etc/ldap/ssl/slapd.pem and /etc/ldap/ssl/ldap-server-pubkey.pem differ."
- RESULT=1
+ echo "error: Certificate /etc/ssl/certs/Debian-Edu_rootCA.crt is missing."
fi
else
- echo "warning: Missing /etc/ldap/ssl/ldap-server-pubkey.pem"
+ echo "error: Certificate /etc/ssl/certs/debian-edu-server.crt is missing."
+ RESULT=1
fi
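Review bot: The `openssl verify ... | sed "s%^%info: ..."` pipeline discards openssl's exit status (only sed's is visible, and it is not checked), so the `echo "success: Certificate debian-edu-server.crt has been verified ..."` line runs even when verification fails and `RESULT` stays 0; the verdict must be captured before it is prefixed. The `echo "error: Certificate /etc/ssl/certs/Debian-Edu_rootCA.crt is missing."` branch also does not set `RESULT=1`, unlike the sibling branch for the missing server certificate. The rewrite below captures the verify output, branches on its status, and marks both failure paths.
```sh
if [ -f /etc/ssl/certs/debian-edu-server.crt ] ; then
    if [ -f /etc/ssl/certs/Debian-Edu_rootCA.crt ] ; then
        # Capture the verdict first: piping into sed would hide openssl's status.
        if out=$(openssl verify -CAfile /etc/ssl/certs/Debian-Edu_rootCA.crt \
                 /etc/ssl/certs/debian-edu-server.crt 2>&1) ; then
            echo "$out" | sed "s%^%info: $0: debian-edu-server.crt: %"
            echo "success: Certificate debian-edu-server.crt has been verified by Debian-Edu_rootCA.crt."
        else
            echo "$out" | sed "s%^%info: $0: debian-edu-server.crt: %"
            echo "error: Certificate debian-edu-server.crt is not verified by Debian-Edu_rootCA.crt."
            RESULT=1
        fi
    else
        echo "error: Certificate /etc/ssl/certs/Debian-Edu_rootCA.crt is missing."
        RESULT=1
    fi
# … unchanged: outer else branch for a missing debian-edu-server.crt …
```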
echo "info: connection per ldap-client"
=====================================
testsuite/sudo
=====================================
@@ -18,10 +18,10 @@ else
echo "error: $0: sudoRole object for root missing in ldap"
fi
-if grep -q '^sudoers_base' /etc/ldap/ldap.conf ; then
- echo "success: $0: suduers_base is set in ldap.conf"
+if grep -q '^sudoers_base' /etc/sudo-ldap.conf ; then
+ echo "success: $0: suduers_base is set in sudo-ldap.conf"
else
- echo "error: $0: suduers_base is missing ldap.conf"
+ echo "error: $0: suduers_base is missing sudo-ldap.conf"
fi
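Review bot: Both rewritten message lines carry the typo `suduers_base` even though the grep pattern is `^sudoers_base`, and the error text lacks a preposition; since these lines are being touched anyway, `echo "success: $0: sudoers_base is set in sudo-ldap.conf"` and `echo "error: $0: sudoers_base is missing in sudo-ldap.conf"` would make the output greppable for the real keyword. Whether the error branch also flags a failing exit status is handled outside the hunk, so I cannot tell from here.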
if grep -q '^sudoers:.* ldap' /etc/nsswitch.conf ; then
=====================================
testsuite/webcache
=====================================
@@ -87,7 +87,7 @@ export http_proxy ftp_proxy
url=https://www.intern/
-if HEAD $HEADOPTS $url 2>&1 | grep -q 'certificate verify' ; then
+if HEAD $HEADOPTS $url 2>&1 | grep -q '200 OK' ; then
echo "success: $0: Valid response from '$url' using proxy '$http_proxy'."
else
echo "error: $0: Unable to connect to '$url' using proxy '$http_proxy'."
=====================================
testsuite/webserver
=====================================
@@ -25,7 +25,7 @@ fi
server=www
# Wait for 10 seconds
-HEADOPTS="-t 10"
+HEADOPTS="-t 10 -S"
unset http_proxy || true
unset https_proxy || true
@@ -47,7 +47,7 @@ if [ ! -x /usr/bin/HEAD ] ; then
exit 1
else
url=https://$server/
- if HEAD $HEADOPTS $url 2>&1 | grep -q 'certificate verify' ; then
+ if HEAD $HEADOPTS $url 2>&1 | grep -q '200 OK' ; then
echo "success: $0: Apache is listening on '$url'."
else
echo "error: $0: Apache is not listening on '$url'."
@@ -55,7 +55,7 @@ else
for url in "https://$server/munin/" "https://$server/sitesummary/" \
"https://$server/debian-edu-doc/" ; do
- if HEAD $HEADOPTS $url 2>&1 | grep -q 'certificate verify' ; then
+ if HEAD $HEADOPTS $url 2>&1 | grep -q '200 OK' ; then
echo "success: $0: URL '$url' is working."
else
echo "error: $0: URL '$url' is not working."