[debian-edu-commits] [Git][debian-edu/debian-edu-config][bullseye] 9 commits: debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of Debian-Edu_rootCA...
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Fri Feb 11 16:12:19 GMT 2022
Mike Gabriel pushed to branch bullseye at Debian Edu / debian-edu-config
Commits:
4f863e0c by Mike Gabriel at 2022-02-11T17:05:40+01:00
debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of Debian-Edu_rootCA from this script. This now is the task of the fetch-rootca-cert script. (Closes: #971780).
- - - - -
1447dab1 by Mike Gabriel at 2022-02-11T17:09:42+01:00
debian/debian-edu-config.fetch-rootca-cert: Ensure proper symlinking of Debian-Edu_rootCA.crt in /usr/local/share/ca-certificates/ to Debian-Edu_rootCA.crt in /etc/ssl/ca-certificates. Forced symlinking is required, because earlier versions of the fetch-ldap-cert init script put Debian-Edu_rootCA.crt into /etc/ssl/ca-certificates/ as a file. Forced symlinking replaces files by the wanted symlink. The -n option (no-dereference) is required to make sure we don't follow any already existing symlink. (This relates to #971780).
- - - - -
ca374ffa by Mike Gabriel at 2022-02-11T17:09:42+01:00
share/debian-edu-config/tools/update-proxy-from-wpad: Fix typo (wrong protocol) in APT proxy config creation.
- - - - -
ec51aeda by Mike Gabriel at 2022-02-11T17:09:42+01:00
share/debian-edu-config/tools/update-proxy-from-wpad: Create a Debian Edu specific proxy configuration in /etc/apt/apt.conf.d/ named 03debian-edu-config rather than meddling with /etc/apt/apt.conf directly. Clean up any earlier meddling from apt.conf, as well. (Closes: #1003560).
- - - - -
c11b1b3d by Mike Gabriel at 2022-02-11T17:09:42+01:00
d/changelog: typo fix
- - - - -
2308b5a7 by Mike Gabriel at 2022-02-11T17:09:53+01:00
share/debian-edu-config/tools/setup-roaming: Assure libsss-sudo is installed on Roaming Workstation. (Closes: #1004605).
- - - - -
8374f118 by Mike Gabriel at 2022-02-11T17:10:06+01:00
share/debian-edu-config/tools/gosa-remove: Capture removals of GOsa² user templates and ignore them. (Closes: #815042).
- - - - -
e9be2a4a by Mike Gabriel at 2022-02-11T17:10:15+01:00
ldap-schemas/: Update GOsa²-specific schema files from Debian's latest version of GOsa² (2.7.4+reloaded3-16).
- - - - -
c9a9791c by Mike Gabriel at 2022-02-11T17:11:50+01:00
share/debian-edu-config/tools/clean-up-host-keytabs: Don't fail on Kerberos principal removal.
- - - - -
13 changed files:
- debian/changelog
- debian/debian-edu-config.fetch-ldap-cert
- debian/debian-edu-config.fetch-rootca-cert
- ldap-schemas/gofon.schema
- ldap-schemas/gosa-samba3.schema
- ldap-schemas/goserver.schema
- ldap-schemas/gosystem.schema
- ldap-schemas/goto-mime.schema
- ldap-schemas/goto.schema
- share/debian-edu-config/tools/clean-up-host-keytabs
- share/debian-edu-config/tools/gosa-remove
- share/debian-edu-config/tools/setup-roaming
- share/debian-edu-config/tools/update-proxy-from-wpad
Changes:
=====================================
debian/changelog
=====================================
@@ -11,6 +11,31 @@ debian-edu-config (2.11.56+deb11u4) UNRELEASED; urgency=medium
* share/debian-edu-config/tools/setup-freeradius-server: Fix integer
comparison in run-by-root check. Script was not executable fully (not even
as root).
+ * debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of
+ Debian-Edu_rootCA from this script. This now is the task of the
+ fetch-rootca-cert script. (Closes: #971780).
+ * debian/debian-edu-config.fetch-rootca-cert: Ensure proper symlinking of
+ Debian-Edu_rootCA.crt in /usr/local/share/ca-certificates/ to
+ Debian-Edu_rootCA.crt in /etc/ssl/ca-certificates. Forced symlinking is
+ required, because earlier versions of the fetch-ldap-cert init script put
+ Debian-Edu_rootCA.crt into /etc/ssl/ca-certificates/ as a file. Forced
+ symlinking replaces files by the wanted symlink. The -n option (no-
+ dereference) is required to make sure we don't follow any already existing
+ symlink. (This relates to #971780).
+ * share/debian-edu-config/tools/update-proxy-from-wpad:
+ - Fix typo (wrong protocol) in APT proxy config creation.
+ - Create a Debian Edu specific proxy configuration in /etc/apt/apt.conf.d/
+ named 03debian-edu-config rather than meddling with /etc/apt/apt.conf
+ directly. Clean up any earlier meddling from apt.conf, as well. (Closes:
+ #1003560).
+ * share/debian-edu-config/tools/setup-roaming: Assure libsss-sudo is installed
+ on Roaming Workstation. (Closes: #1004605).
+ * share/debian-edu-config/tools/gosa-remove: Capture removals of GOsa² user
+ templates and ignore them. (Closes: #815042).
+ * ldap-schemas/: Update schema files from Debian's latest GOsa² list of
+ schemas.
+ * share/debian-edu-config/tools/clean-up-host-keytabs: Don't fail
+ on Kerberos principal removal.
-- Mike Gabriel <sunweaver at debian.org> Fri, 14 Dec 2021 22:21:50 +0100
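Review bot: the ldap-schemas entry ("Update schema files from Debian's latest GOsa² list of schemas") leaves out the upstream package version that the commit message names (2.7.4+reloaded3-16); putting that version into the changelog line lets anyone later reproduce the schema diff against the exact GOsa² package, which matters because these schema files are loaded into the site's slapd.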
=====================================
debian/debian-edu-config.fetch-ldap-cert
=====================================
@@ -16,14 +16,25 @@
#
# Author: Petter Reinholdtsen <pere at hungry.com>
# Date: 2007-06-09
+#
+# Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
+# Date: 2022-01-06
+
+###
+### FIXME: Legacy init script for Debian Edu clients.
+###
+### --- Remove for Debian Edu bookworm+1 ---
+###
+### Warning: Removing this script will drop support for clients running
+### against Debian Edu main servers based on Debian Edu stretch and
+### earlier.
+###
set -e
. /lib/lsb/init-functions
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
-BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
-ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
do_start() {
@@ -33,7 +44,7 @@ do_start() {
ERROR=false
###
- ### PHASE 1: RootCA / bundle-cert / LDAP server cert retrieval
+ ### PHASE 1: LDAP server cert retrieval
###
if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
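Review bot: the unchanged condition on the last context line still tests $ROOTCACRT, but the previous hunk removes the ROOTCACRT= assignment, so the variable is now empty and `[ ! -f $ROOTCACRT ]` expands to `[ ! -f ]`, which test evaluates as "negate non-empty string -f", i.e. always false. The guard therefore silently collapses to `[ ! -f $CERTFILE ]`. Drop the `|| [ ! -f $ROOTCACRT ]` part together with the surrounding parentheses so the intent is explicit, and quote "$CERTFILE" while touching the line.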
@@ -50,116 +61,21 @@ do_start() {
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
- # do an openssl connect to the LDAP server, and check whether its certificate
- # has been issued by the "Debian Edu RootCA", if not we are likely dealing with a
- # pre-Debian Edu 10 (aka buster) TJENER or with some other non-Debian-Edu LDAP
- # server.
- if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q "Debian Edu RootCA" ; then
-
- # Since Debian Edu 10, the LDAP certificate (or the RootCA file) is distributed
- # over http (always via the host serving www.intern, by default: TJENER)
- #
- # We do an availability check for the webserver first, to provide proper
- # error reporting (see below). So, the following check merely discovers,
- # if the webserver is online at all.
- if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
-
- # Now let's see if the webserver has the "Debian Edu RootCA" file.
- # This has been the case for Debian Edu main servers (TJENER) since
- # Debian Edu 10.1.
- if curl -fk https://www.intern/Debian-Edu_rootCA.crt 1> $ROOTCACRT 2>/dev/null && \
-
- grep -q CERTIFICATE $ROOTCACRT ; then
-
- # Obtained a RootCA-verified version of the LDAP server's server certificate.
- gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
- logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
-
- # If the host previously had got the BUNDLECERT file installed,
- # we make sure here to have it removed. From now on, the LTSP chroot
- # can operate on the ROOTCACRT file and the BUNDLECERT will never get
- # update anymore once the ROOTCACRT is available on www.intern.
- rm -f $BUNDLECRT
- else
-
- # If there is no Debian Edu RootCA available on www.intern, fallback to
- # debian-edu-bundle.crt download (an approach done by a Debian Edu 10.0
- # main server (aka TJENER) only and changed to RootCA provisioning in
- # in Debian Edu 10.1.
-
- # Drop the ROOTCACRT file, as it probably only contains some 404 http
- # error message in html.
- rm -f $ROOTCACRT
-
- # So, now let's see if the webserver has the "debian-edu-bundle.crt"
- # file. If so (and no Debian Edu RootCA file), then we are likely dealing
- # with a Debian Edu 10.0 main server.
- if curl -fk https://www.intern/debian-edu-bundle.crt 1> $BUNDLECRT 2>/dev/null && \
- grep -q CERTIFICATE $BUNDLECRT ; then
-
- # Obtained a self-verified version of the LDAP server's server certificate.
- # (The BUNDLECERT file should already contain the LDAP server's certificate,
- # so having this cert file should allow us to successfully and "verified'ly"
- # connect to the LDAP server and let us retrieve that very same certificate).
- gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
- logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
- else
-
- # We should never get here... If we do anyway, then something went
- # terribly wrong or the www.intern servicing server is misconfigured.
-
- # Drop the ROOTCACRT file, as it probably only contains some 404 http
- # error message in html.
- rm -f $BUNDLECRT
-
- logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
- fi
-
- fi
-
- else
-
- # Report an error, if www.intern is down http-wise. This can happen and is probably
- # a temporary problem that needs an admin to fix it.
- log_action_end_msg 1
- logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
- ERROR=true
-
- fi
-
- else
-
- # Fallback: Fetch LDAP certificate from a pre-Debian-Edu-10 (aka buster) LDAP server
- # (or some non-Debian-Edu LDAP server)
- /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
- chmod 644 $CERTFILE.new
- logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
+ # Fetch LDAP certificate from the Debian Edu main server (i.e. from the LDAP server)
+ /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
+ chmod 644 $CERTFILE.new
- # FIXME: Add some error handling here:
- # - LDAP server down
- # - what-not-else...
-
- fi
-
- # By now, we should have obtained the LDAP server's CERTFILE (verified in two cases (10.0 or 10.1 TJENER),
- # simply downloaded from the LDAP server itself in the third case (pre-10.0 TJENER)
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
- if [ -f $BUNDLECRT ] || [ -f $ROOTCACRT ] ; then
- logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
- else
- logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
- fi
+ logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
else
-
- # We obviously have failed in some other way, if the CERTFILE.new is empty (zero size)
- # Again, something went awfully wrong, if we end up here...
+ # We obviously have failed in some way if the CERTFILE.new is empty (zero size).
+ # Something went wrong, if we end up here...
rm -f $CERTFILE.new
log_action_end_msg 1
logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
ERROR=true
-
fi
fi
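Review bot: the new fetch line runs `ldap-server-getcert $LDAPSERVER > $CERTFILE.new` directly under `set -e`; if the LDAP server is unreachable and the helper exits non-zero, the script aborts at that line and never reaches the `else` branch of `test -s $CERTFILE.new`, so the `log_action_end_msg 1` and "Failed to fetch LDAP SSL certificate" logger call are dead for the most likely failure. Wrap the call, for example `if ! /usr/share/debian-edu-config/tools/ldap-server-getcert "$LDAPSERVER" > "$CERTFILE.new"; then ERROR=true; fi`, or append `|| true` and let the size test decide, and keep the removed "FIXME: LDAP server down" note until that is handled. Also worth a one-line comment at the fetch: this path retrieves the server certificate without any CA verification (the removed branch verified it with `gnutls-cli --x509cafile`), which is fine now that RootCA provisioning lives in fetch-rootca-cert, but a future reader should not mistake it for a verified download.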
@@ -168,7 +84,7 @@ do_start() {
### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present.
###
- if [ -d /opt/ltsp ] ; then
+ if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then
# Loop over all to be found LTSP chroots...
for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
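Review bot: the added `[ "$ERROR" = "false" ]` guard changes behaviour beyond what the commit message says: previously a transient fetch failure still ran the chroot deployment with the already installed $CERTFILE (the `mv` above only happens when the new file is non-empty), now all LTSP chroots are skipped after any failure. That is defensible, but please state it in the changelog entry for this script.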
@@ -195,58 +111,10 @@ do_start() {
fi
fi
- if [ ! -f $ltsp_chroot$ROOTCACRT ]; then
-
- if test -e $ROOTCACRT; then
-
- # If we retrieved it, we also copy the obtained ROOTCACRT into the LTSP chroot
- # (containing the self-built rootCA of the Debian Edu site).
- log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
- if test -s $ROOTCACRT; then
-
- # If the chroot previously had got the BUNDLECERT file installed,
- # we should make sure here to have it removed. From now on, the LTSP chroot
- # can operate on the ROOTCACRT file and the BUNDLECERT will never get
- # update anymore once the ROOTCACRT is available on www.intern.
- rm -f $ltsp_chroot$BUNDLECRT
- cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
- [ "$VERBOSE" != no ] && log_action_end_msg 0
-
- else
- log_action_end_msg 1
- ERROR=true
- fi
-
- fi
-
- fi
-
- if [ ! -f $ltsp_chroot$BUNDLECRT ] && [ ! -f $ltsp_chroot$ROOTCACRT ]; then
-
- if test -e $BUNDLECRT; then
- # If we talked to a Debian Edu 10.0 main server (aka TJENER) above, then we
- # don't have the ROOTCACRT. We copy the BUNDLECRT file into the LTSP chroot
- # instead (containing all certificates ever issued for the Debian Edu site).
- # This is just a fallback, in fact, we need the Debian Edu RootCA.
-
- # If you end up here, then please upgrade your Debian Edu 10.0 server to a
- # a newer version (Debian Edu 10.1 and beyond).
- log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
- if test -s $BUNDLECRT; then
- cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
- [ "$VERBOSE" != no ] && log_action_end_msg 0
- else
- log_action_end_msg 1
- ERROR=true
- fi
- fi
-
- fi
-
done
fi
- if $ERROR; then
+ if [ "$ERROR" = "true" ]; then
return 1
fi
}
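Review bot: this hunk drops both the copying of ROOTCACRT and BUNDLECRT into /opt/ltsp chroots and the `rm -f $ltsp_chroot$BUNDLECRT` clean-up. The commit message delegates RootCA handling to fetch-rootca-cert, but the fetch-rootca-cert hunk below only acts on the host (`ln -nsf $LOCALCACRT $ROOTCACRT` plus `update-ca-certificates`); if that script does not also walk /opt/ltsp, chroots that used to receive Debian-Edu_rootCA.crt here keep a stale copy or none at all, and stale debian-edu-bundle.crt files in chroots are never removed. Please confirm the chroot case is covered elsewhere, or keep a one-time `rm -f $ltsp_chroot$BUNDLECRT` in the loop. The `if [ "$ERROR" = "true" ]` change itself is good: `if $ERROR` executed whatever the variable contained as a command.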
@@ -263,4 +131,5 @@ case "$1" in
echo "Usage: $0 {start|stop|restart|force-reload}"
exit 2
esac
+
exit 0
=====================================
debian/debian-edu-config.fetch-rootca-cert
=====================================
@@ -53,7 +53,7 @@ do_start() {
if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
grep -q CERTIFICATE $LOCALCACRT ; then
# Make rootCA certificate available in /etc/ssl/certs/
- ln -s $LOCALCACRT $ROOTCACRT
+ ln -nsf $LOCALCACRT $ROOTCACRT
# Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
update-ca-certificates
logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
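Review bot: direction and path mismatch between the hunk and the commit message: `ln -nsf $LOCALCACRT $ROOTCACRT` creates $ROOTCACRT (per the comment, under /etc/ssl/certs/) pointing at $LOCALCACRT, whereas the commit message and changelog describe a symlink "in /usr/local/share/ca-certificates/ to ... /etc/ssl/ca-certificates", i.e. the reverse direction and a different directory; align the wording with the code. `-nsf` is the right fix for the regular file left behind by older fetch-ldap-cert runs, but it also replaces anything an admin placed there without a trace; consider logging that case, e.g. `[ -f "$ROOTCACRT" ] && [ ! -L "$ROOTCACRT" ] && logger -t fetch-rootca-cert "Replacing regular file $ROOTCACRT by symlink"`, and quote both variables. Since the file then becomes a system-wide trust anchor via update-ca-certificates, the `grep -q CERTIFICATE` check on the context line is a weak gate (any text mentioning the word passes); `openssl x509 -noout -in "$LOCALCACRT"` before the `ln` would at least ensure a parseable certificate is being trusted.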
=====================================
ldap-schemas/gofon.schema
=====================================
@@ -285,29 +285,29 @@ attributetype ( 1.3.6.1.4.1.10098.1.1.13.47 NAME 'goFonHomeServer'
# objectclass
objectclass (1.3.6.1.4.1.10098.1.2.3.11 NAME 'goFonAccount' SUP top AUXILIARY
- DESC 'GOFon Account objectclass (v1.0)'
+ DESC 'GOFon Account objectclass (v2.7)'
MUST ( goFonDeliveryMode $ telephoneNumber $ uid )
MAY ( goFonFormat $ goFonForwarding $ goFonHardware $ goFonPIN $ goFonVoicemailPIN $ goFonMacro $ goFonHomeServer ))
objectclass (1.3.6.1.4.1.10098.1.2.3.12 NAME 'goFonHardware' SUP top STRUCTURAL
- DESC 'defines a telephone (v1.0)'
+ DESC 'defines a telephone (v2.7)'
MUST ( cn $ macAddress $ ipHostNumber )
MAY (description $ goFonType $ goFonDmtfMode $ goFonHost $ goFonDefaultIP $
goFonQualify $ goFonAuth $ goFonSecret $ goFonInkeys $ goFonOutkey $
goFonTrunk $ goFonAccountCode $ goFonMSN $ goFonPermit $ goFonDeny ) )
objectclass (1.3.6.1.4.1.10098.1.2.3.13 NAME 'goFonPickupGroup' SUP top AUXILIARY
- DESC 'Additive for posixGroups (v1.0)'
+ DESC 'Additive for posixGroups (v2.7)'
MUST ( cn $ gidNumber ) )
objectclass (1.3.6.1.4.1.10098.1.2.3.14 NAME 'goFonMacro' SUP top STRUCTURAL
- DESC 'Macro definitions for asterisk machines (v1.0)'
+ DESC 'Macro definitions for asterisk machines (v2.7)'
MUST ( cn )
MAY ( goFonMacroVisible $ displayName $ goFonMacroContent $ description $
goFonMacroParameter ))
objectclass (1.3.6.1.4.1.10098.1.2.3.15 NAME 'goFonQueue' SUP top AUXILIARY
- DESC 'Queue definitions for asterisk machines (v1.0)'
+ DESC 'Queue definitions for asterisk machines (v2.7)'
MUST ( cn )
MAY ( goFonTimeOut $ goFonMaxLen $ goFonAnnounceFrequency $ goFonDialOption $
goFonMusiconHold $ goFonWelcomeMusic $ goFonQueueReportHold $
@@ -317,7 +317,7 @@ objectclass (1.3.6.1.4.1.10098.1.2.3.15 NAME 'goFonQueue' SUP top AUXILIARY
goFonQueueRetry $ goFonQueueLessThan $ goFonHomeServer ))
objectclass (1.3.6.1.4.1.10098.1.2.3.16 NAME 'goFonConference' SUP top STRUCTURAL
- DESC 'Conference definitions for asterisk machines (v1.0)'
+ DESC 'Conference definitions for asterisk machines (v2.7)'
MUST ( cn )
MAY ( description $ goFonConferenceOption $ goFonConferenceTimeout $ goFonPIN $
goFonConferenceOwner $ telephoneNumber $ goFonHomeServer))
=====================================
ldap-schemas/gosa-samba3.schema
=====================================
@@ -272,6 +272,10 @@ attributetype ( 1.3.6.1.4.1.10098.1.1.12.47 NAME 'gosaUserDefinedFilter'
DESC 'A user defined filter'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+attributetype ( 1.3.6.1.4.1.10098.1.1.12.48 NAME 'gosaWebDAVQuota'
+ DESC 'Webdav share quota in KB'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
attributetype ( 1.3.6.1.4.1.10098.1.1.6.2 NAME 'academicTitle'
DESC 'Field to represent the academic title'
EQUALITY caseIgnoreMatch
@@ -298,34 +302,42 @@ attributetype ( 1.3.6.1.4.1.19414.2.1.651
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+# alias used to provide alternative rfc822 email addresses for kolab users
+attributetype ( 1.3.6.1.4.1.19414.2.1.3
+ NAME 'alias'
+ DESC 'RFC1274: RFC822 Mailbox'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
# Classes
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.1 NAME 'gosaObject' SUP top AUXILIARY
- DESC 'Class for GOsa settings (v2.6.1)'
+ DESC 'Class for GOsa settings (v2.7)'
MUST ( gosaSubtreeACL ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.2 NAME 'gosaLockEntry' SUP top STRUCTURAL
- DESC 'Class for GOsa locking (v2.6.1)'
+ DESC 'Class for GOsa locking (v2.7)'
MUST ( gosaUser $ gosaObject $ cn ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.3 NAME 'gosaCacheEntry' SUP top STRUCTURAL
- DESC 'Class for GOsa caching (v2.6.1)'
+ DESC 'Class for GOsa caching (v2.7)'
MAY ( gosaUser )
MUST ( cn ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.4 NAME 'gosaDepartment' SUP top AUXILIARY
- DESC 'Class to mark Departments for GOsa (v2.6.1)'
+ DESC 'Class to mark Departments for GOsa (v2.7)'
MUST ( ou $ description )
MAY ( manager ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.5 NAME 'gosaMailAccount' SUP top AUXILIARY
- DESC 'Class to mark MailAccounts for GOsa (v2.6.1)'
+ DESC 'Class to mark MailAccounts for GOsa (v2.7)'
MUST ( mail $ gosaMailServer $ gosaMailDeliveryMode)
- MAY ( gosaMailQuota $ gosaMailAlternateAddress $ gosaMailForwardingAddress $
+ MAY ( alias $ gosaMailQuota $ gosaMailAlternateAddress $ gosaMailForwardingAddress $
gosaMailMaxSize $ gosaSpamSortLevel $ gosaSpamMailbox $
gosaVacationMessage $ gosaVacationStart $ gosaVacationStop $ gosaSharedFolderTarget $ acl))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.6 NAME 'gosaAccount' SUP top AUXILIARY
- DESC 'Class for GOsa Accounts (v2.6.6)'
+ DESC 'Class for GOsa Accounts (v2.7)'
MUST ( uid )
MAY ( sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ gosaDefaultPrinter $
gosaDefaultLanguage $ academicTitle $ personalTitle $ gosaHostACL $ dateOfBirth $
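Review bot: the new `alias` attributetype (OID 1.3.6.1.4.1.19414.2.1.3, the Kolab arc, as the comment says) uses a very generic name; if any other schema loaded into the Debian Edu slapd already defines `alias` (the Kolab schema this definition is taken from does), slapd refuses to start with a duplicate attribute definition. Please check the full schema set shipped for the main server with `slaptest -F /etc/ldap/slapd.d -u` before merging, and keep upstream's origin comment. The `gosaWebdavAccount` to `gosaWebDAVAccount` rename keeps the OID and differs only in case, so existing `objectClass: gosaWebdavAccount` values still match and no data migration is needed.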
@@ -333,88 +345,89 @@ objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.6 NAME 'gosaAccount' SUP top AUXILIARY
gotoLastSystemLogin $ gotoLastSystem $ gosaLoginRestriction ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.7 NAME 'gosaHost' SUP top AUXILIARY
- DESC 'Class for GOsa Hosts (v2.6.1)'
+ DESC 'Class for GOsa Hosts (v2.7)'
MUST ( cn )
MAY ( description $ gosaService ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.8 NAME 'gosaProxyAccount' SUP top AUXILIARY
- DESC 'Class for GOsa Proxy settings (v2.6.1)'
+ DESC 'Class for GOsa Proxy settings (v2.7)'
MUST ( gosaProxyAcctFlags )
MAY ( gosaProxyID $ gosaProxyWorkingStart $ gosaProxyWorkingStop $ gosaProxyQuota $
gosaProxyQuotaPeriod ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.9 NAME 'gosaApplication' SUP top STRUCTURAL
- DESC 'Class for GOsa applications (v2.6.1)'
+ DESC 'Class for GOsa applications (v2.7)'
MUST ( cn $ gosaApplicationExecute )
MAY ( gosaApplicationName $ gosaApplicationIcon $ gosaApplicationFlags $ gosaApplicationMimeType $
gosaApplicationParameter $ gotoLogonScript $ description $ gosaApplicationCategory ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.10 NAME 'gosaApplicationGroup' SUP top AUXILIARY
- DESC 'Class for GOsa application groups (v2.6.1)'
+ DESC 'Class for GOsa application groups (v2.7)'
MUST ( cn )
MAY ( gosaMemberApplication $ gosaApplicationParameter ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.11 NAME 'gosaUserTemplate' SUP top AUXILIARY
- DESC 'Class for GOsa User Templates (v2.6.1)'
+ DESC 'Class for GOsa User Templates (v2.7)'
MUST ( cn ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.12 NAME 'gosaGroupOfNames'
- DESC 'GOsa object grouping (v2.6.1)'
+ DESC 'GOsa object grouping (v2.7)'
SUP top STRUCTURAL
MUST ( cn $ gosaGroupObjects ) MAY ( member $ description ) )
-objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.13 NAME 'gosaWebdavAccount'
- DESC 'GOsa webdav enabling account (v2.6.1)'
+objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.13 NAME 'gosaWebDAVAccount'
+ DESC 'GOsa webdav enabling account (v2.7)'
SUP top AUXILIARY
- MUST ( cn $ uid ))
+ MUST ( cn $ uid )
+ MAY ( gosaWebDAVQuota ) )
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.14 NAME 'gosaIntranetAccount'
- DESC 'GOsa Inatrent enabling account (v2.6.1)'
+ DESC 'GOsa Inatrent enabling account (v2.7)'
SUP top AUXILIARY
MUST ( cn $ uid )
MAY ( gosaDefaultLanguage ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.15 NAME 'gosaAdministrativeUnit'
- DESC 'Marker for administrational units (v2.6.1)'
+ DESC 'Marker for administrational units (v2.7)'
SUP top AUXILIARY
MUST ( gosaUnitTag ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.16 NAME 'gosaAdministrativeUnitTag'
- DESC 'Marker for objects below administrational units (v2.6.1)'
+ DESC 'Marker for objects below administrational units (v2.7)'
SUP top AUXILIARY
MUST ( gosaUnitTag ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.17 NAME 'gosaRole'
- DESC 'ACL container to define roles (v2.6.1)' SUP top STRUCTURAL
+ DESC 'ACL container to define roles (v2.7)' SUP top STRUCTURAL
MUST ( gosaAclTemplate $ cn )
MAY ( description ) )
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.18 NAME 'gosaAcl'
- DESC 'ACL container to define single ACLs (v2.6.1)' SUP top AUXILIARY
+ DESC 'ACL container to define single ACLs (v2.7)' SUP top AUXILIARY
MUST ( gosaAclEntry ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.19 NAME 'gosaSnapshotObject'
- DESC 'Container object for undo and snapshot data (v2.6.1)' SUP top STRUCTURAL
+ DESC 'Container object for undo and snapshot data (v2.7)' SUP top STRUCTURAL
MUST ( gosaSnapshotType $ gosaSnapshotTimestamp $ gosaSnapshotDN $ gosaSnapshotData )
MAY ( description ) )
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.20 NAME 'gosaConfig'
- DESC 'Settings for gosa. Replaces parts of the gosa.conf. (v2.6)' SUP top STRUCTURAL
+ DESC 'Settings for gosa. Replaces parts of the gosa.conf. (v2.7)' SUP top STRUCTURAL
MUST ( cn )
MAY ( gosaSetting ) )
-# GOto submenu entries
+# GOto submenu entry
objectclass (1.3.6.1.4.1.10098.1.2.1.43 NAME 'gotoSubmenuEntry'
- DESC 'GOto - contains environment settings (v2.6)' SUP top STRUCTURAL
+ DESC 'GOto - contains environment settings (v2.7)' SUP top STRUCTURAL
MUST ( cn )
MAY ( gosaApplicationIcon $ gosaApplicationPriority ) )
-# GOto menu entries
+# GOto menu entry
objectclass (1.3.6.1.4.1.10098.1.2.1.44 NAME 'gotoMenuEntry'
- DESC 'GOto - defines a menu entry (v2.6)' SUP top STRUCTURAL
+ DESC 'GOto - defines a menu entry (v2.7)' SUP top STRUCTURAL
MUST ( cn )
MAY ( gosaApplicationParameter $ gosaApplicationPriority ) )
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.21 NAME 'gosaProperties' SUP top AUXILIARY
- DESC 'Class for GOsa Properties, stores for example user filters (v2.6.8)'
- MAY ( gosaUserDefinedFilter ) )
+ DESC 'Store GOsa properties (v2.7)'
+ MAY ( gosaUserDefinedFilter ) )
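Review bot: style: the description 'GOsa Inatrent enabling account (v2.7)' carries the upstream typo (Intranet). Since these files are synced from the Debian GOsa² package, fix it upstream rather than here so the next schema refresh does not reintroduce it.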
=====================================
ldap-schemas/goserver.schema
=====================================
@@ -473,86 +473,86 @@ attributetype ( 1.3.6.1.4.1.10098.1.1.9.82 NAME 'gotoSessionType'
# Terminal Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.16 NAME 'goTerminalServer' SUP top AUXILIARY
- DESC 'Terminal server description (v2.6.1)'
+ DESC 'Terminal server description (v2.7)'
MUST ( cn $ goXdmcpIsEnabled )
- MAY ( description $ goTerminalServerStatus $ gotoSessionType ))
+ MAY ( description $ goTerminalServerStatus $ gotoSessionType $ goFontPath ))
# NFS Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.19 NAME 'goNfsServer' SUP top AUXILIARY
- DESC 'NFS server description (v2.6.1)'
+ DESC 'NFS server description (v2.7)'
MUST ( cn )
MAY ( goExportEntry $ description $ goNfsServerStatus ))
# Time Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.20 NAME 'goNtpServer' SUP top AUXILIARY
- DESC 'Time server description (v2.6.1)'
+ DESC 'Time server description (v2.7)'
MUST ( cn )
MAY ( goTimeSource $ description $ goNtpServerStatus ))
# Syslog Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.21 NAME 'goSyslogServer' SUP top AUXILIARY
- DESC 'Syslog server description (v2.6.1)'
+ DESC 'Syslog server description (v2.7)'
MUST ( cn )
MAY ( goSyslogSection $ description $ goSyslogServerStatus ))
# LDAP Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.22 NAME 'goLdapServer' SUP top AUXILIARY
- DESC 'LDAP server description (v2.6.1)'
+ DESC 'LDAP server description (v2.7)'
MUST ( cn )
MAY ( goLdapBase $ description $ goLdapServerStatus ))
# CUPS Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.23 NAME 'goCupsServer' SUP top AUXILIARY
- DESC 'CUPS server description (v2.6.1)'
+ DESC 'CUPS server description (v2.7)'
MUST ( cn )
MAY ( description $ goCupsServerStatus ))
# IMAP Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.24 NAME 'goImapServer' SUP top AUXILIARY
- DESC 'IMAP server description (v2.6.1)'
+ DESC 'IMAP server description (v2.7)'
MUST ( cn $ goImapName $ goImapConnect $ goImapAdmin $ goImapPassword )
MAY ( goImapSieveServer $ goImapSievePort $ description $ goImapServerStatus $
cyrusImap $ cyrusImapSSL $ cyrusPop3 $ cyrusPop3SSL ))
# Kerberos Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.25 NAME 'goKrbServer' SUP top AUXILIARY
- DESC 'Kerberos server description (v2.6.1)'
+ DESC 'Kerberos server description (v2.7)'
MUST ( cn $ goKrbRealm )
MAY ( description $ goKrbServerStatus ))
# Fax Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.26 NAME 'goFaxServer' SUP top AUXILIARY
- DESC 'Fax server description (v2.6.1)'
+ DESC 'Fax server description (v2.7)'
MUST ( cn $ goFaxAdmin $ goFaxPassword )
MAY ( description $ goFaxServerStatus ))
# Common server class
objectclass (1.3.6.1.4.1.10098.1.2.1.27 NAME 'goServer' SUP top AUXILIARY
- DESC 'Server description (v2.6.1)'
+ DESC 'Server description (v2.7)'
MUST ( cn )
MAY ( description $ macAddress $ ipHostNumber ))
# LogDB Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.28 NAME 'goLogDBServer' SUP top AUXILIARY
- DESC 'Log DB server description (v2.6.1)'
+ DESC 'Log DB server description (v2.7)'
MUST ( cn $ gosaLogDB $ goLogAdmin $ goLogPassword )
MAY ( goLogDBServerStatus ))
# Fon Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.29 NAME 'goFonServer' SUP top AUXILIARY
- DESC 'Fon server description (v2.6.1)'
+ DESC 'Fon server description (v2.7)'
MUST ( cn $ goFonAdmin $ goFonPassword $ goFonAreaCode $ goFonCountryCode )
MAY ( description $ goFonServerStatus ))
# Share Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.33 NAME 'goShareServer' SUP top AUXILIARY
- DESC 'Share server description (v2.6.1)'
+ DESC 'Share server description (v2.7)'
MUST ( cn )
MAY ( description $ goExportEntry $ goShareServerStatus ))
# Mail Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.36 NAME 'goMailServer' SUP top AUXILIARY
- DESC 'Mail server definition (v2.6.1)'
+ DESC 'Mail server definition (v2.7)'
MUST ( cn )
MAY ( description $ goMailServerStatus $ postfixHeaderSizeLimit $
postfixMailboxSizeLimit $ postfixMessageSizeLimit $
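Review bot: `goFontPath` is added to the MAY list of goTerminalServer, but no attributetype for it appears anywhere in this diff; slapd rejects a schema file that references an undefined attribute at load time. Confirm that goserver.schema (or a schema loaded before it) defines `goFontPath`, e.g. by running `slaptest -F /etc/ldap/slapd.d -u` against the updated schema set.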
@@ -562,20 +562,20 @@ objectclass (1.3.6.1.4.1.10098.1.2.1.36 NAME 'goMailServer' SUP top AUXILIARY
# Glpi Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.37 NAME 'goGlpiServer' SUP top AUXILIARY
- DESC 'Glpi server definition (v2.6.1)'
+ DESC 'Glpi server definition (v2.7)'
MUST ( cn $ goGlpiAdmin $ goGlpiDatabase)
MAY ( description $ goGlpiPassword $ goGlpiServerStatus ) )
# Spamassassin definitions
objectclass (1.3.6.1.4.1.10098.1.2.1.38 NAME 'goSpamServer' SUP top AUXILIARY
- DESC 'Spam server definition (v2.6.1)'
+ DESC 'Spam server definition (v2.7)'
MUST ( cn )
MAY ( saRewriteHeader $ saTrustedNetworks $ saRequiredScore $ saFlags $
saRule $ saStatus ) )
# Clamav definitions
objectclass (1.3.6.1.4.1.10098.1.2.1.39 NAME 'goVirusServer' SUP top AUXILIARY
- DESC 'Virus server definition (v2.6.1)'
+ DESC 'Virus server definition (v2.7)'
MUST ( cn )
MAY ( avMaxThreads $ avMaxDirectoryRecursions $ avUser $ avFlags $
avArchiveMaxFileSize $ avArchiveMaxRecursion $ avArchiveMaxCompressionRatio $
@@ -583,12 +583,12 @@ objectclass (1.3.6.1.4.1.10098.1.2.1.39 NAME 'goVirusServer' SUP top AUXILIARY
# LogDB Server description
objectclass (1.3.6.1.4.1.10098.1.2.1.40 NAME 'gosaLogServer' SUP top AUXILIARY
- DESC 'GOsa log server (v2.6)'
+ DESC 'GOsa log server (v2.7)'
MUST ( cn $ goLogDB $ goLogDBUser $ goLogDBPassword ))
# Environment Server
objectclass (1.3.6.1.4.1.10098.1.2.1.41 NAME 'goEnvironmentServer' SUP top AUXILIARY
- DESC 'Environment server definition (v2.6)'
+ DESC 'Environment server definition (v2.7)'
MUST ( cn )
MAY ( gotoKioskProfile ) )
=====================================
ldap-schemas/gosystem.schema
=====================================
@@ -333,7 +333,7 @@ attributetype ( 1.3.6.1.4.1.10098.1.1.2.12 NAME 'gotoHardwareChecksum'
# objectclass for Hardware definitions
objectclass (1.3.6.1.4.1.10098.1.2.1.3 NAME 'GOhard'
- DESC 'Gonicus Hardware definitions, objectclass (v2.6.1)' SUP top STRUCTURAL
+ DESC 'Gonicus Hardware definitions, objectclass (v2.7)' SUP top STRUCTURAL
MUST ( cn )
MAY ( ghGfxAdapter $ ghNetNic $ ghSoundAdapter $ ghIdeDev $ ghScsiDev $
macAddress $ ghUsbSupport $ ghMemSize $ ghCpuType $ ghInventoryNumber $
=====================================
ldap-schemas/goto-mime.schema
=====================================
@@ -40,7 +40,7 @@ attributetype ( 1.3.6.1.4.1.10098.1.1.14.4 NAME 'gotoMimeEmbeddedApplication'
# E: show in external viewer
# O: take settings from global mime group
# These fields are taken as OR. Additionally you can add a
-# Q: to ask wether a question should pop up - to save it to
+# Q: to ask whether a question should pop up - to save it to
# the local disc or not.
attributetype ( 1.3.6.1.4.1.10098.1.1.14.5 NAME 'gotoMimeLeftClickAction'
DESC 'GOto - Gonicus Terminal Concept, PPD data'
@@ -54,7 +54,7 @@ attributetype ( 1.3.6.1.4.1.10098.1.1.14.6 NAME 'gotoMimeIcon'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 SINGLE-VALUE)
objectclass (1.3.6.1.4.1.10098.1.2.4.1 NAME 'gotoMimeType'
- DESC 'Class to represent global mime types (v2.6.1)' SUP top STRUCTURAL
+ DESC 'Class to represent global mime types (v2.7)' SUP top STRUCTURAL
MUST ( cn $ gotoMimeFilePattern $ gotoMimeGroup )
MAY ( description $ gotoMimeIcon $ gotoMimeApplication $
gotoMimeEmbeddedApplication $ gotoMimeLeftClickAction ))
=====================================
ldap-schemas/goto.schema
=====================================
@@ -89,32 +89,32 @@ attributetype ( 1.3.6.1.4.1.10098.1.1.11.18 NAME 'gotoHotplugDeviceDN'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
objectclass (1.3.6.1.4.1.10098.1.2.1.1 NAME 'gotoTerminal'
- DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top AUXILIARY
+ DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top AUXILIARY
MUST ( cn )
MAY ( description $ macAddress $ ipHostNumber $ gotoShare $ goFonHardware ))
# objectclass for the Terminal Conecept
objectclass (1.3.6.1.4.1.10098.1.2.1.30 NAME 'gotoWorkstation'
- DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top AUXILIARY
+ DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top AUXILIARY
MUST ( cn )
MAY ( description $ macAddress $ ipHostNumber $ gotoShare $ goFonHardware ))
# objectclass for the Terminal Conecept
objectclass (1.3.6.1.4.1.10098.1.2.1.31 NAME 'gotoPrinter'
- DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.2)' SUP top STRUCTURAL
+ DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top STRUCTURAL
MUST ( cn )
MAY ( labeledURI $ description $ l $ gotoPrinterPPD $ macAddress $ ipHostNumber $ gotoUserPrinter $
gotoUserAdminPrinter $ gotoGroupPrinter $ gotoGroupAdminPrinter ) )
# objectclass for the Terminal Conecept
objectclass (1.3.6.1.4.1.10098.1.2.1.32 NAME 'gotoEnvironment'
- DESC 'GOto - contains environment settings (v2.2)' SUP top AUXILIARY
+ DESC 'GOto - contains environment settings (v2.7)' SUP top AUXILIARY
MAY ( gotoProfileServer $ gotoProfileFlags $ gotoXResolution $ gotoShare $ gotoLogonScript $
gotoKioskProfile $ gotoHotplugDevice $ gotoProfileQuota $ gotoHotplugDeviceDN ) )
# objectclass for the Terminal Conecept
objectclass (1.3.6.1.4.1.10098.1.2.1.34 NAME 'gotoWorkstationTemplate'
- DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top AUXILIARY
+ DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top AUXILIARY
MUST ( cn )
MAY ( description $ gotoShare $ goFonHardware $
ghGfxAdapter $ ghNetNic $ ghSoundAdapter $ ghIdeDev $ ghScsiDev $
@@ -131,7 +131,7 @@ objectclass (1.3.6.1.4.1.10098.1.2.1.34 NAME 'gotoWorkstationTemplate'
# objectclass for the Terminal Conecept
objectclass (1.3.6.1.4.1.10098.1.2.1.35 NAME 'gotoTerminalTemplate'
- DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top AUXILIARY
+ DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top AUXILIARY
MUST ( cn )
MAY ( description $ gotoShare $ goFonHardware $
ghGfxAdapter $ ghNetNic $ ghSoundAdapter $ ghIdeDev $ ghScsiDev $
@@ -148,7 +148,7 @@ objectclass (1.3.6.1.4.1.10098.1.2.1.35 NAME 'gotoTerminalTemplate'
# objectclass for the Terminal Conecept
objectclass (1.3.6.1.4.1.10098.1.2.1.42 NAME 'gotoDevice'
- DESC 'GOto - contains environment settings (v2.6)' SUP top STRUCTURAL
+ DESC 'GOto - contains environment settings (v2.7)' SUP top STRUCTURAL
MUST ( cn )
MAY ( gotoHotplugDevice $ description ) )
=====================================
share/debian-edu-config/tools/clean-up-host-keytabs
=====================================
@@ -50,8 +50,8 @@ hosts_str=$(echo $hosts_str | tr 'A-Z' 'a-z')
for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
match_value=$(echo $i | tr 'A-Z' 'a-z')
if [[ ! "${hosts_str},," =~ ",,$match_value,," ]]; then
- kadmin.local delprinc host/$i.intern at INTERN
- kadmin.local delprinc nfs/$i.intern at INTERN
+ kadmin.local delprinc host/$i.intern at INTERN || true
+ kadmin.local delprinc nfs/$i.intern at INTERN || true
rm /etc/debian-edu/host-keytabs/$i.intern.keytab
fi
done
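Review bot: `|| true` on the two `kadmin.local delprinc` lines swallows every failure, not only the "principal does not exist" case, so a transient kadmin error (locked KDC database, unreadable stash file) still lets the loop fall through to `rm /etc/debian-edu/host-keytabs/$i.intern.keytab`, leaving an orphaned principal in the KDC with its keytab already gone. Consider checking existence first, e.g. `kadmin.local getprinc ... >/dev/null 2>&1 && kadmin.local delprinc ...`, or only removing the keytab file when both `delprinc` calls succeeded or reported the principal as absent. The unquoted `$i` on the same lines is pre-existing but cheap to quote while touching them.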
=====================================
share/debian-edu-config/tools/gosa-remove
=====================================
@@ -29,6 +29,12 @@ MAXAGE_SEC=$(( $MAXAGE_DAYS*24*60*60 ))
PREFIX=/skole
HOSTNAME=$(hostname -s)
+
+# Obviously a user template was removed. Ignoring.
+echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*/%uid" && exit 0
+
+# An LDAP user that did not have their home at a place we manage with this script
+# has been removed. This should not happen. Exiting with error.
echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1
## move mail directory to home directory
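Review bot: the new template check is unanchored at the end (`^$PREFIX/$HOSTNAME.*/%uid`), so any home path that merely contains `/%uid` somewhere after the hostname prefix is silently treated as a template and the script exits 0 before the rest of the clean-up runs; anchor it as `/%uid$` (or match `%uid` as the final path component) so a real user directory cannot be mistaken for a template. Because this `exit 0` now precedes the existing sanity check on the next line, a template removal is never validated against `$USERID`; if that is intended, say so in the comment. Style: "Obviously a user template was removed" reads better as "Evidently ..." or "A user template was removed; ignoring.", and `grep -E` is the non-deprecated spelling of `egrep` for new lines.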
=====================================
share/debian-edu-config/tools/setup-roaming
=====================================
@@ -13,7 +13,7 @@ export DEBIAN_FRONTEND
apt-get install -y host ldap-utils
apt-get install -y libpam-mklocaluser
-apt-get install -y libpam-sss libnss-sss
+apt-get install -y libpam-sss libnss-sss libsss-sudo
# Make sure the NSS module refered below always is installed
apt-get install -y libnss-myhostname libnss-mdns libnss-ldapd
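Review bot: installing `libsss-sudo` only ships the NSS `sudoers` module; for LDAP sudo rules to actually apply on the roaming workstation, `/etc/nsswitch.conf` must end up with a `sudoers: files sss` line (verify whether the package postinst adds it on bullseye rather than assuming it) and `sssd.conf` must have the `sudo` responder enabled. If a later part of this script already configures that, a short comment here pointing to it would help reviewers; if not, this hunk alone does not resolve #1004605.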
=====================================
share/debian-edu-config/tools/update-proxy-from-wpad
=====================================
@@ -27,6 +27,18 @@ append_if_missing() {
fi
}
+remove_if_matches() {
+ file="$1"
+ shift
+ regexp="$@"
+ if [ -e "$file" ] ; then
+ if grep -qE "$regexp" "$file" ; then
+ log "Removing line matching '$regexp' from $file."
+ sed -i $file -e "/$regexp/d"
+ fi
+ fi
+}
+
# Update /etc/environment with the current proxy settings extracted
# from the WPAD file
update_etc_environment() {
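Review bot: `remove_if_matches` tests with `grep -qE` (ERE) but deletes with plain `sed` (BRE), so a pattern using ERE-only syntax (`+`, `?`, `|`, unescaped groups) can match in grep yet never be deleted; use `sed -E` to keep both in step. The sed address uses `/` as delimiter around an unescaped `$regexp`, so any pattern containing a slash breaks the command, and `$file` is unquoted in the sed call while it is quoted in the `-e` and `grep` tests just above. Suggest `sed -E -i -e "\#$regexp#d" "$file"`. Minor: `regexp="$@"` should be `regexp="$*"` to make the join explicit; the current callers pass one argument so it works either way.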
@@ -54,7 +66,7 @@ update_etc_environment() {
# /etc/apt/apt.conf is created by debian-installer if a proxy was used
# during installation, so we update this file.
update_apt_conf() {
- file=/etc/apt/apt.conf
+ file=/etc/apt/apt.conf.d/03debian-edu-config
touch $file
chmod a+r $file
sed -e "s%^Acquire::http::Proxy .*%Acquire::http::Proxy \"$http_proxy\";%" \
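Review bot: the comment directly above `update_apt_conf()` ("/etc/apt/apt.conf is created by debian-installer ... so we update this file") is now stale, since the function writes the drop-in `/etc/apt/apt.conf.d/03debian-edu-config`, which the installer never creates. Update it to state that the drop-in is owned by this script and that later-sorting files in `apt.conf.d` override its `Acquire::*::Proxy` settings, so a local admin can still win. `touch $file` and `chmod a+r $file` are unquoted; harmless with this fixed path, but worth quoting for consistency with the rest of the script.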
@@ -71,7 +83,17 @@ update_apt_conf() {
fi
append_if_missing $file "Acquire::http::Proxy \"$http_proxy\";"
append_if_missing $file "Acquire::ftp::Proxy \"$ftp_proxy\";"
- append_if_missing $file "Acquire::ftp::Proxy \"$https_proxy\";"
+ append_if_missing $file "Acquire::https::Proxy \"$https_proxy\";"
+
+ # Fix main /etc/apt/apt.conf file (which we used until Debian Edu bullseye).
+ #
+ # FIXME: This code portion can be removed in the bookworm+1 release cycle
+ previously_used_file=/etc/apt/apt.conf
+ if [ -e $previously_used_file ]; then
+ remove_if_matches $previously_used_file ".*Acquire::http::Proxy\ .*;"
+ remove_if_matches $previously_used_file ".*Acquire::ftp::Proxy\ .*;"
+ remove_if_matches $previously_used_file ".*Acquire::https::Proxy\ .*;"
+ fi
}
if [ -r /etc/debian-edu/config ] ; then
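Review bot: the clean-up of `/etc/apt/apt.conf` deletes every `Acquire::http|ftp|https::Proxy` line unconditionally, including entries an admin wrote by hand rather than ones this script appended earlier, and the leading `.*` in each pattern also strips commented-out lines. Consider deleting only lines in the exact `Acquire::...::Proxy "...";` form that `append_if_missing` produces (or whose value equals the proxy this script previously derived), and log each removed line, since silently dropping a proxy breaks apt on hosts behind a mandatory proxy. The `https` fix on the `+` line is correct; the buggy `Acquire::ftp::Proxy "$https_proxy";` entries written by earlier runs remain in existing `apt.conf` files and are caught by the ftp pattern, so the migration does cover them.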
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/a9e805a67f0d740022c4914aba9f135f380ddef5...c9a9791cc30e3fdc53c92a8ecc2dd3d5a5a8801d