[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 3 commits: Move LDAP database backend from deprecated BDB to default MDB one
Wolfgang Schweer (@schweer-guest)
gitlab at salsa.debian.org
Wed Aug 18 12:09:44 BST 2021
Wolfgang Schweer pushed to branch master at Debian Edu / debian-edu-config
Commits:
9573d80e by Wolfgang Schweer at 2021-08-18T13:06:29+02:00
Move LDAP database backend from deprecated BDB to default MDB one
Add share/debian-edu-config/slapd-debian-edu-mdb.conf (configuration)
Adjust cf3/cf.ldapserver to copy/link configuration file conditionally
Adjust debian/debian-edu-config.postinst to handle the migration upon upgrades
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
53fdc37b by Wolfgang Schweer at 2021-08-18T13:08:03+02:00
Adjust debian/debian-edu-config.lintian-overrides, thanks Lintian
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
58aeeb0f by Wolfgang Schweer at 2021-08-18T13:08:43+02:00
Add changelog entries for last commits
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
7 changed files:
- Makefile
- cf3/cf.ldapserver
- debian/changelog
- debian/debian-edu-config.lintian-overrides
- debian/debian-edu-config.postinst
- + share/debian-edu-config/slapd-debian-edu-mdb.conf
- + share/debian-edu-config/tools/move-ldap-bdb-to-mdb
Changes:
=====================================
Makefile
=====================================
@@ -102,7 +102,6 @@ SYSCONFFILES = \
php/apache2/php-debian-edu.ini \
insserv/overrides/ntp \
ldap/rootDSE-debian-edu.ldif \
- ldap/slapd-debian-edu.conf \
samba/smb-debian-edu.conf \
slbackup-php/config.php \
smbldap-tools/smbldap_bind.conf \
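Review bot: dropping `ldap/slapd-debian-edu.conf` from SYSCONFFILES leaves the copy already installed on upgraded systems behind as an obsolete conffile; the only removal in this series is the `rm -f /etc/ldap/slapd-debian-edu.conf` in the postinst migration branch, which runs only when the MDB migration reaches its success test. Retire the file on every upgrade path with `dpkg-maintscript-helper rm_conffile` (or a `debian/debian-edu-config.maintscript` entry) rather than relying on that branch.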
@@ -342,6 +341,7 @@ install: install-testsuite
share/debian-edu-config/isc-dhcp-server.service \
share/debian-edu-config/isc-dhcp-server.service.eth1_only \
share/debian-edu-config/killer.cron \
+ share/debian-edu-config/slapd-debian-edu-mdb.conf \
share/pam-configs/edu-group \
share/pam-configs/edu-umask \
share/perl5/Debian/Edu.pm \
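Review bot: the new tool `share/debian-edu-config/tools/move-ldap-bdb-to-mdb` listed among the changed files does not appear in this install list, while the new `slapd-debian-edu-mdb.conf` does; confirm that `tools/` is picked up by another install rule, otherwise the "separate tool" the changelog advertises will not be in the binary package.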
=====================================
cf3/cf.ldapserver
=====================================
@@ -8,8 +8,10 @@ files:
debian.server.installation::
+ "etc/ldap/slapd-debian-edu-mdb.conf"
+ copy_from => local_cp("/usr/share/debian-edu-config/slapd-debian-edu-mdb.conf");
"/etc/ldap/slapd.conf"
- link_from => ln_s("/etc/ldap/slapd-debian-edu.conf"),
+ link_from => ln_s("/etc/ldap/slapd-debian-edu-mdb.conf"),
move_obstructions => "true";
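Review bot: the new promise's path `"etc/ldap/slapd-debian-edu-mdb.conf"` is missing its leading slash, unlike `"/etc/ldap/slapd.conf"` two lines below, so CFEngine treats it as a relative path and the copy from `/usr/share/debian-edu-config/slapd-debian-edu-mdb.conf` will not land where the `ln_s("/etc/ldap/slapd-debian-edu-mdb.conf")` link expects it; change it to `"/etc/ldap/slapd-debian-edu-mdb.conf"`. The commit message describes the copy/link as conditional, but the only condition visible in the hunk is the pre-existing `debian.server.installation::` class.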
commands:
=====================================
debian/changelog
=====================================
@@ -5,6 +5,15 @@ debian-edu-config (2.12.1) UNRELEASED; urgency=medium
- ldap-bootstrap/gosa.ldif: Add group icinga-admins.
- tools/edu-icinga-setup: Adjust configuration files (HERE documents) to use
icinga-admins group for administrator role.
+ * Move LDAP database backend from deprecated BDB to default MDB one:
+ - Add share/debian-edu-config/slapd-debian-edu-mdb.conf (configuration).
+ - Adjust cf3/cf.ldapserver to copy/link configuration file conditionally.
+ - Adjust debian/debian-edu-config.postinst to handle the migration upon
+ upgrades.
+ - Add separate tool share/debian-edu-config/tools/move-ldap-bdb-to-mdb (just
+ in case the migration should be done earlier).
+ * Adjust Makefile.
+ * Adjust debian/debian-edu-config.lintian-overrides, thanks Lintian.
-- Wolfgang Schweer <wschweer at arcor.de> Mon, 16 Aug 2021 17:56:10 +0200
=====================================
debian/debian-edu-config.lintian-overrides
=====================================
@@ -10,3 +10,11 @@ debian-edu-config binary: debconf-is-not-a-registry usr/share/debian-edu-config/
debian-edu-config binary: debconf-is-not-a-registry usr/share/debian-edu-config/tools/edu-icinga-setup
debian-edu-config binary: remove-of-unknown-diversion usr/bin/gtick postrm:18
debian-edu-config binary: uses-dpkg-database-directly usr/sbin/debian-edu-ltsp-install
+debian-edu-config binary: debconf-is-not-a-registry usr/share/debian-edu-config/tools/run-at-firstboot
+debian-edu-config binary: missing-systemd-service-for-init.d-script chromium-ldapconf
+debian-edu-config binary: missing-systemd-service-for-init.d-script enable-nat
+debian-edu-config binary: missing-systemd-service-for-init.d-script fetch-ldap-cert
+debian-edu-config binary: missing-systemd-service-for-init.d-script fetch-rootca-cert
+debian-edu-config binary: missing-systemd-service-for-init.d-script firefox-ldapconf
+debian-edu-config binary: script-not-executable usr/share/debian-edu-config/killer.cron
+debian-edu-config binary: possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:260
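Review bot: the `possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:260` override silences Lintian instead of fixing what it points at. In the postinst hunk the directory from `mktemp -d` is private, but `$TMPDIR` is used unquoted throughout and the directory itself is never removed, so a complete `slapcat` dump of the directory (userPassword and Kerberos key attributes included) stays under /tmp whenever the migration does not reach `rm $TMPDIR/all.ldif`, and an empty directory is left behind even when it does. Quote the variable, remove the directory on exit with a `trap`, and drop this override. The `missing-systemd-service-for-init.d-script` and `run-at-firstboot` overrides are unrelated to the MDB move and belong in their own commit.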
=====================================
debian/debian-edu-config.postinst
=====================================
@@ -253,6 +253,22 @@ configure)
sed -i '/post-up/d' /etc/network/interfaces
fi
fi
+ # Move LDAP BDB data base to default MDB one.
+ if dpkg --compare-versions "$2" le "2.12.1" && grep -q Main-Server /etc/debian-edu/config && \
+ [ ! -f /var/lib/ldap/data.mdb ] ; then
+ TMPDIR=$(mktemp -d)
+ slapcat > $TMPDIR/all.ldif
+ service slapd stop
+ rm /var/lib/ldap/*
+ cp /usr/share/debian-edu-config/slapd-debian-edu-mdb.conf /etc/ldap
+ ln -sf /etc/ldap/slapd-debian-edu-mdb.conf /etc/ldap/slapd.conf
+ service slapd start
+ slapadd -l $TMPDIR/all.ldif
+ if [ -f /var/lib/ldap/data.mdb ] ; then
+ rm $TMPDIR/all.ldif
+ rm -f /etc/ldap/slapd-debian-edu.conf
+ fi
+ fi
;;
esac
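Review bot: `rm /var/lib/ldap/*` runs before anything confirms that the `slapcat > $TMPDIR/all.ldif` dump succeeded, so a failing or empty dump destroys the only copy of the BDB data; check slapcat's exit status and that the LDIF is non-empty before removing anything. Two ordering problems follow: `slapadd -l` is executed after `service slapd start`, although slapadd(8) expects the server to be stopped while it loads (reorder to stop, slapadd, start), and because starting slapd on an empty MDB directory already creates `/var/lib/ldap/data.mdb`, the `[ -f /var/lib/ldap/data.mdb ]` success test passes even when slapadd failed; test slapadd's exit status instead. slapadd runs as root here, so the database files it writes will also need their ownership reset to the account slapd runs as before slapd is started on them.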
=====================================
share/debian-edu-config/slapd-debian-edu-mdb.conf
=====================================
@@ -0,0 +1,165 @@
+# The Debian Edu specific slapd configuration file
+# Last edit: 2021-08-15
+
+# Schema and objectClass definitions
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/nis.schema
+include /etc/ldap/schema/autofs-debian-edu.schema
+include /etc/ldap/schema/inetorgperson.schema
+include /etc/ldap/schema/gosa/dhcp.schema
+include /etc/ldap/schema/gosa/dnszone.schema
+include /etc/ldap/schema/kerberos.schema
+include /etc/ldap/schema/ltspclientaux.schema
+
+## gosa:
+include /etc/ldap/schema/gosa/samba3.schema
+include /etc/ldap/schema/gosa/trust.schema
+include /etc/ldap/schema/gosa/gosystem.schema
+include /etc/ldap/schema/gosa/gofon.schema
+include /etc/ldap/schema/gosa/goto.schema
+include /etc/ldap/schema/gosa/gosa-samba3.schema
+include /etc/ldap/schema/gosa/gofax.schema
+include /etc/ldap/schema/gosa/goserver.schema
+include /etc/ldap/schema/gosa/goto-mime.schema
+include /etc/ldap/schema/gosa/sudo.schema
+
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+pidfile /run/slapd/slapd.pid
+
+# Read slapd.conf(5) for possible values
+#loglevel 65535
+loglevel none
+
+rootDSE /etc/ldap/rootDSE-debian-edu.ldif
+
+# TLS/SSL
+TLSCACertificateFile /etc/ssl/certs/Debian-Edu_rootCA.crt
+TLSCertificateKeyFile /etc/ssl/private/debian-edu-server.key
+TLSCertificateFile /etc/ssl/certs/debian-edu-server.crt
+
+modulepath /usr/lib/ldap
+moduleload back_mdb
+moduleload back_monitor
+
+defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
+security update_ssf=128 simple_bind=128
+
+# Access via ldapi/unix socket is assumed to have 128 bit encryption.
+# This is required to allow the kerberos and powerdns daemon to
+# connect.
+localssf 128
+
+backend mdb
+backend monitor
+
+#######################################################################
+# MDB database definitions
+#######################################################################
+
+# The backend type, ldbm, is the default standard
+
+database mdb
+# Set the database in memory cache size.
+#
+#cachesize 4000
+#dbnosync
+#sizelimit 4000
+
+# First database
+suffix "dc=skole,dc=skolelinux,dc=no"
+rootdn "cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no"
+# Where the database file are physically stored
+directory "/var/lib/ldap"
+
+# Indices to maintain
+index objectClass pres,eq
+index cn,sn,ou pres,eq,sub
+index uid pres,eq,sub
+index krbPrincipalName pres,eq,sub
+index uidNumber eq
+index gidNumber eq
+index memberUid eq
+index default eq
+#for some clients, even if not used
+index givenname eq
+index displayName eq
+#index telephoneNumber eq
+
+# ldap2zone index
+index zoneName eq
+index relativeDomainName eq
+
+# Sudo
+index sudoUser eq,sub
+
+# LTSP configuration index (dhcpHWAddress also used by dhcpd)
+index macAddress eq
+index dhcpHWAddress eq
+
+# libnss-ldapd look for this one. Make sure it is indexed to avoid
+# lots of log messages.
+index uniqueMember eq
+
+# lwat cron job uses this
+index createTimestamp eq
+
+# Save the time that the entry gets modified
+lastmod on
+
+## map authentication via gssapi on user dn:
+authz-regexp "uid=([^,]*),cn=gssapi,cn=auth"
+ "ldap:///dc=skole,dc=skolelinux,dc=no??sub?(uid=$1)"
+
+## default: no access, but allow members of the ldap-admins group full
+## access.
+access to *
+ by group.exact="cn=ldap-admins,ou=ldap-access,dc=skole,dc=skolelinux,dc=no" manage
+ by * none break
+
+access to attrs=userPassword
+ by self =wx
+ by anonymous auth
+ by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+ by * none
+
+access to attrs=shadowLastChange
+ by self ssf=128 =w
+ by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+ by * none
+
+access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
+ attrs=children,entry
+ by * none break
+
+# Control access to kerberos attributes
+access to attrs=krbPrincipalKey,krbExtraData
+ by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
+ by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
+ by self read
+ by * auth
+
+access to attrs=krbPrincipalName,krbLastPwdChange
+ by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
+ by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
+ by * auth
+ by * read
+
+# Limit access to kerberos data in cn=kerberos. Allow everyone to
+# see the objects, as long as the attributes
+# krbPrincipalKey,krbLastPwdChange and krbExtraData are hidden.
+access to dn.subtree="cn=kerberos,dc=skole,dc=skolelinux,dc=no"
+ by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
+ by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
+ by * read
+
+# Default access; kadmin needs full access:
+access to *
+ by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
+ by * read
+
+# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
+database monitor
+
+# End of ldapd configuration file
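Review bot: the `database mdb` section still carries BDB-era remnants: the comment `# The backend type, ldbm, is the default standard` and the commented `#cachesize 4000` / `#dbnosync` lines are ldbm/back-bdb directives that back-mdb does not use, while the one sizing directive back-mdb does need, `maxsize`, is absent. slapd-mdb(5) documents `maxsize <bytes>` with a default of 10485760 bytes, which a site directory with the indexes listed here can outgrow, at which point writes fail with MDB_MAP_FULL; set `maxsize` explicitly and drop the stale comments. Separately, in `access to attrs=krbPrincipalName,krbLastPwdChange` the `by * auth` clause precedes `by * read`, and slapd applies the first matching `by` clause, so the `read` line is unreachable; if read access for everyone is intended, the order must be swapped, and if not, the line should go.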
=====================================
share/debian-edu-config/tools/move-ldap-bdb-to-mdb
=====================================
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+TMPDIR=$(mktemp -d)
+# Move LDAP data base from Berkeley bdb to default LDAP mdb.
+if [ ! -f /var/lib/ldap/data.mdb ] ; then
+ slapcat > $TMPDIR/all.ldif
+ service slapd stop
+ rm /var/lib/ldap/*
+ cp /usr/share/debian-edu-config/slapd-debian-edu-mdb.conf /etc/ldap
+ ln -sf /etc/ldap/slapd-debian-edu-mdb.conf /etc/ldap/slapd.conf
+ service slapd start
+ slapadd -l $TMPDIR/all.ldif
+ if [ -f /var/lib/ldap/data.mdb ] ; then
+ rm $TMPDIR/all.ldif
+ rm -f /etc/ldap/slapd-debian-edu.conf
+ fi
+fi
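Review bot: this script duplicates the migration block of the postinst hunk line for line and inherits the same defects (BDB files removed before the slapcat dump is verified, slapadd run against a started slapd, a success test that only checks for a file slapd itself creates, a mktemp directory that is never removed). `set -e` at least aborts the run if the dump fails, but `rm /var/lib/ldap/*` still follows an unchecked `service slapd stop`. Rather than keeping two copies, have the postinst call this tool so fixes land in one place, and make the file executable since it is meant to be run directly.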
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/fff38a54f0d5f61c6f3e4c94fbce53c56de8dc19...58aeeb0f9799bf30ee8bda9262a510f62bb186fd