[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 3 commits: Move LDAP database backend from deprecated BDB to default MDB one

Wolfgang Schweer (@schweer-guest) gitlab at salsa.debian.org
Wed Aug 18 12:09:44 BST 2021



Wolfgang Schweer pushed to branch master at Debian Edu / debian-edu-config


Commits:
9573d80e by Wolfgang Schweer at 2021-08-18T13:06:29+02:00
Move LDAP database backend from deprecated BDB to default MDB one

 Add share/debian-edu-config/slapd-debian-edu-mdb.conf (configuration)
 Adjust cf3/cf.ldapserver to copy/link configuration file conditionally
 Adjust debian/debian-edu-config.postinst to handle the migration upon upgrades

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
53fdc37b by Wolfgang Schweer at 2021-08-18T13:08:03+02:00
Adjust debian/debian-edu-config.lintian-overrides, thanks Lintian

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
58aeeb0f by Wolfgang Schweer at 2021-08-18T13:08:43+02:00
Add changelog entries for last commits

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -


7 changed files:

- Makefile
- cf3/cf.ldapserver
- debian/changelog
- debian/debian-edu-config.lintian-overrides
- debian/debian-edu-config.postinst
- + share/debian-edu-config/slapd-debian-edu-mdb.conf
- + share/debian-edu-config/tools/move-ldap-bdb-to-mdb


Changes:

=====================================
Makefile
=====================================
@@ -102,7 +102,6 @@ SYSCONFFILES = \
 	php/apache2/php-debian-edu.ini \
 	insserv/overrides/ntp \
 	ldap/rootDSE-debian-edu.ldif \
-	ldap/slapd-debian-edu.conf \
 	samba/smb-debian-edu.conf \
 	slbackup-php/config.php \
 	smbldap-tools/smbldap_bind.conf \
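Review bot: Dropping `ldap/slapd-debian-edu.conf` from SYSCONFFILES leaves the old `/etc/ldap/slapd-debian-edu.conf` behind as an obsolete conffile on upgraded systems, since the postinst hunk only deletes it on a main server and only after a successful migration. If SYSCONFFILES does map to dpkg conffiles in this package (I cannot confirm that from the hunk), the usual handling is a `debian/debian-edu-config.maintscript` entry such as `rm_conffile /etc/ldap/slapd-debian-edu.conf 2.12.1~`, so the stale BDB config can never be re-linked into `slapd.conf` by hand. If the file is not a conffile, disregard.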
@@ -342,6 +341,7 @@ install: install-testsuite
 		share/debian-edu-config/isc-dhcp-server.service \
 		share/debian-edu-config/isc-dhcp-server.service.eth1_only \
 		share/debian-edu-config/killer.cron \
+		share/debian-edu-config/slapd-debian-edu-mdb.conf \
 		share/pam-configs/edu-group \
 		share/pam-configs/edu-umask \
 		share/perl5/Debian/Edu.pm \


=====================================
cf3/cf.ldapserver
=====================================
@@ -8,8 +8,10 @@ files:
 
   debian.server.installation::
 
+    "etc/ldap/slapd-debian-edu-mdb.conf"
+      copy_from => local_cp("/usr/share/debian-edu-config/slapd-debian-edu-mdb.conf");
     "/etc/ldap/slapd.conf"
-    link_from => ln_s("/etc/ldap/slapd-debian-edu.conf"),
+    link_from => ln_s("/etc/ldap/slapd-debian-edu-mdb.conf"),
     move_obstructions => "true";
 
 commands:


=====================================
debian/changelog
=====================================
@@ -5,6 +5,15 @@ debian-edu-config (2.12.1) UNRELEASED; urgency=medium
     - ldap-bootstrap/gosa.ldif: Add group icinga-admins.
     - tools/edu-icinga-setup: Adjust configuration files (HERE documents) to use
       icinga-admins group for administrator role.
+  * Move LDAP database backend from deprecated BDB to default MDB one:
+    - Add share/debian-edu-config/slapd-debian-edu-mdb.conf (configuration).
+    - Adjust cf3/cf.ldapserver to copy/link configuration file conditionally.
+    - Adjust debian/debian-edu-config.postinst to handle the migration upon
+      upgrades.
+    - Add separate tool share/debian-edu-config/tools/move-ldap-bdb-to-mdb (just
+      in case the migration should be done earlier).
+  * Adjust Makefile.
+  * Adjust debian/debian-edu-config.lintian-overrides, thanks Lintian.
 
  -- Wolfgang Schweer <wschweer at arcor.de>  Mon, 16 Aug 2021 17:56:10 +0200
 


=====================================
debian/debian-edu-config.lintian-overrides
=====================================
@@ -10,3 +10,11 @@ debian-edu-config binary: debconf-is-not-a-registry usr/share/debian-edu-config/
 debian-edu-config binary: debconf-is-not-a-registry usr/share/debian-edu-config/tools/edu-icinga-setup
 debian-edu-config binary: remove-of-unknown-diversion usr/bin/gtick postrm:18
 debian-edu-config binary: uses-dpkg-database-directly usr/sbin/debian-edu-ltsp-install
+debian-edu-config binary: debconf-is-not-a-registry usr/share/debian-edu-config/tools/run-at-firstboot
+debian-edu-config binary: missing-systemd-service-for-init.d-script chromium-ldapconf
+debian-edu-config binary: missing-systemd-service-for-init.d-script enable-nat
+debian-edu-config binary: missing-systemd-service-for-init.d-script fetch-ldap-cert
+debian-edu-config binary: missing-systemd-service-for-init.d-script fetch-rootca-cert
+debian-edu-config binary: missing-systemd-service-for-init.d-script firefox-ldapconf
+debian-edu-config binary: script-not-executable usr/share/debian-edu-config/killer.cron
+debian-edu-config binary: possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:260
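Review bot: The new `possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:260` override silences the warning rather than addressing it, and the temporary file in question is a full `slapcat` dump carrying `userPassword` hashes and `krbPrincipalKey` material. `mktemp -d` does yield a private directory, but the postinst never quotes `$TMPDIR` and leaves the dump in place when the import fails, so the warning points at something real. Prefer fixing the postinst (quote the path, remove the directory on every exit path) over carrying the override; if it has to stay, put a `# mktemp -d creates a private directory; the dump is removed after import` comment line above it so the next reader knows it was reviewed.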


=====================================
debian/debian-edu-config.postinst
=====================================
@@ -253,6 +253,22 @@ configure)
 			sed -i '/post-up/d' /etc/network/interfaces
 		fi
 	fi
+	# Move LDAP BDB data base to default MDB one.
+	if dpkg --compare-versions "$2" le "2.12.1" && grep -q Main-Server /etc/debian-edu/config && \
+		[ ! -f /var/lib/ldap/data.mdb ] ; then
+		TMPDIR=$(mktemp -d)
+		slapcat > $TMPDIR/all.ldif
+		service slapd stop
+		rm /var/lib/ldap/*
+		cp /usr/share/debian-edu-config/slapd-debian-edu-mdb.conf /etc/ldap
+		ln -sf /etc/ldap/slapd-debian-edu-mdb.conf /etc/ldap/slapd.conf
+		service slapd start
+		slapadd -l $TMPDIR/all.ldif
+		if [ -f /var/lib/ldap/data.mdb ] ; then
+			rm $TMPDIR/all.ldif
+			rm -f /etc/ldap/slapd-debian-edu.conf
+		fi
+	fi
     ;;
 esac
 


=====================================
share/debian-edu-config/slapd-debian-edu-mdb.conf
=====================================
@@ -0,0 +1,165 @@
+# The Debian Edu specific slapd configuration file
+# Last edit: 2021-08-15
+
+# Schema and objectClass definitions
+include	/etc/ldap/schema/core.schema
+include	/etc/ldap/schema/cosine.schema
+include	/etc/ldap/schema/nis.schema
+include	/etc/ldap/schema/autofs-debian-edu.schema
+include	/etc/ldap/schema/inetorgperson.schema
+include	/etc/ldap/schema/gosa/dhcp.schema
+include	/etc/ldap/schema/gosa/dnszone.schema
+include	/etc/ldap/schema/kerberos.schema
+include	/etc/ldap/schema/ltspclientaux.schema
+
+## gosa:
+include	/etc/ldap/schema/gosa/samba3.schema
+include	/etc/ldap/schema/gosa/trust.schema
+include	/etc/ldap/schema/gosa/gosystem.schema
+include	/etc/ldap/schema/gosa/gofon.schema
+include	/etc/ldap/schema/gosa/goto.schema
+include	/etc/ldap/schema/gosa/gosa-samba3.schema
+include	/etc/ldap/schema/gosa/gofax.schema
+include	/etc/ldap/schema/gosa/goserver.schema
+include	/etc/ldap/schema/gosa/goto-mime.schema
+include	/etc/ldap/schema/gosa/sudo.schema
+
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+pidfile	/run/slapd/slapd.pid
+
+# Read slapd.conf(5) for possible values
+#loglevel	65535
+loglevel	none
+
+rootDSE	/etc/ldap/rootDSE-debian-edu.ldif
+
+# TLS/SSL
+TLSCACertificateFile	/etc/ssl/certs/Debian-Edu_rootCA.crt
+TLSCertificateKeyFile	/etc/ssl/private/debian-edu-server.key
+TLSCertificateFile		/etc/ssl/certs/debian-edu-server.crt
+
+modulepath	/usr/lib/ldap
+moduleload	back_mdb
+moduleload	back_monitor
+
+defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
+security update_ssf=128  simple_bind=128
+
+# Access via ldapi/unix socket is assumed to have 128 bit encryption.
+# This is required to allow the kerberos and powerdns daemon to
+# connect.
+localssf 128
+
+backend		mdb
+backend		monitor
+
+#######################################################################
+# MDB database definitions
+#######################################################################
+
+# The backend type, ldbm, is the default standard
+
+database	mdb
+# Set the database in memory cache size.
+#
+#cachesize   4000
+#dbnosync
+#sizelimit 4000
+
+# First database
+suffix		"dc=skole,dc=skolelinux,dc=no"
+rootdn		"cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no"
+# Where the database file are physically stored
+directory	"/var/lib/ldap"
+
+# Indices to maintain
+index           objectClass     pres,eq
+index           cn,sn,ou        pres,eq,sub
+index           uid             pres,eq,sub
+index           krbPrincipalName pres,eq,sub
+index           uidNumber       eq
+index           gidNumber       eq
+index           memberUid       eq
+index           default         eq
+#for some clients, even if not used
+index		givenname	eq
+index		displayName	eq
+#index		telephoneNumber	eq
+
+# ldap2zone index
+index zoneName                          eq
+index relativeDomainName                eq
+
+# Sudo
+index sudoUser                      eq,sub
+
+# LTSP configuration index (dhcpHWAddress also used by dhcpd)
+index macAddress                        eq
+index dhcpHWAddress                     eq
+
+# libnss-ldapd look for this one.  Make sure it is indexed to avoid
+# lots of log messages.
+index uniqueMember                      eq
+
+# lwat cron job uses this
+index createTimestamp                   eq
+
+# Save the time that the entry gets modified
+lastmod on
+
+## map authentication via gssapi on user dn:
+authz-regexp "uid=([^,]*),cn=gssapi,cn=auth"
+        "ldap:///dc=skole,dc=skolelinux,dc=no??sub?(uid=$1)"
+
+## default: no access, but allow members of the ldap-admins group full
+## access.
+access to *
+        by group.exact="cn=ldap-admins,ou=ldap-access,dc=skole,dc=skolelinux,dc=no" manage
+        by * none break
+
+access to attrs=userPassword
+	by self      =wx
+	by anonymous auth
+	by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+	by * none
+
+access to attrs=shadowLastChange
+	by self      ssf=128 =w
+	by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+	by * none
+
+access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
+	attrs=children,entry
+	by * none break
+
+# Control access to kerberos attributes
+access to attrs=krbPrincipalKey,krbExtraData
+       by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no"  read
+       by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no"  write
+       by self read
+       by * auth
+
+access to attrs=krbPrincipalName,krbLastPwdChange
+       by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no"  read
+       by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no"  write
+       by * auth
+       by * read
+
+# Limit access to kerberos data in cn=kerberos.  Allow everyone to
+# see the objects, as long as the attributes
+# krbPrincipalKey,krbLastPwdChange and krbExtraData are hidden.
+access to dn.subtree="cn=kerberos,dc=skole,dc=skolelinux,dc=no"
+       by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
+       by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
+       by * read
+
+# Default access; kadmin needs full access:
+access to *
+       by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
+       by * read
+
+# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
+database monitor
+
+# End of ldapd configuration file
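Review bot: The `database mdb` section sets no `maxsize`, and slapd-mdb(5) defaults the memory map to 10485760 bytes (10 MiB), which a main-server directory carrying GOsa, Samba, DNS and DHCP entries can exhaust, after which every write fails with MDB_MAP_FULL; add `maxsize 1073741824` (or a ceiling that fits the deployment) next to the `directory` line. The comment `# The backend type, ldbm, is the default standard` and the commented-out `#cachesize 4000` are LDBM/BDB leftovers — back-mdb has no cachesize directive — so replace them with `# mdb backend: maxsize bounds the memory-mapped file, there is no in-memory cache to size`. In the `krbPrincipalName,krbLastPwdChange` ACL the `by * auth` clause matches every requester, so the `by * read` after it is unreachable even though `krbPrincipalName` is indexed `sub` as if it were searchable; if this was carried over from the BDB config, confirm that hiding the attribute is intended and drop the dead clause either way. `loglevel none` also means the migration and any later ACL misfires leave nothing in syslog; `loglevel stats` is the usual production setting.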


=====================================
share/debian-edu-config/tools/move-ldap-bdb-to-mdb
=====================================
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+TMPDIR=$(mktemp -d)
+# Move LDAP data base from Berkeley bdb to default LDAP mdb.
+if [ ! -f /var/lib/ldap/data.mdb ] ; then
+	slapcat > $TMPDIR/all.ldif
+	service slapd stop
+	rm /var/lib/ldap/*
+	cp /usr/share/debian-edu-config/slapd-debian-edu-mdb.conf /etc/ldap
+	ln -sf /etc/ldap/slapd-debian-edu-mdb.conf /etc/ldap/slapd.conf
+	service slapd start
+	slapadd -l $TMPDIR/all.ldif
+	if [ -f /var/lib/ldap/data.mdb ] ; then
+		rm $TMPDIR/all.ldif
+		rm -f /etc/ldap/slapd-debian-edu.conf
+	fi
+fi
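Review bot: `slapadd -l` is run after `service slapd start`, but slapadd(8) must run with slapd stopped, and because slapd creates `data.mdb` when it opens an empty mdb directory the `[ -f /var/lib/ldap/data.mdb ]` check passes even when the import failed; move the start after the import and fix ownership of the root-created files: `slapadd -l "$TMPDIR/all.ldif"`, `chown -R openldap:openldap /var/lib/ldap`, `service slapd start` (Debian's slapd presumably runs as `openldap` — confirm). With `set -e` a failing `slapadd` aborts the script before the `if`, so the dump with password hashes and Kerberos keys stays in the unquoted `$TMPDIR` with no message saying where; a `trap` on EXIT or an explicit error branch should report and clean up. `mktemp -d` also runs before the `data.mdb` check, so every no-op invocation leaves an empty directory in /tmp. Unlike the postinst, the script verifies neither that it runs as root nor that the host is a main server via `/etc/debian-edu/config`.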


