[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 5 commits: Add systemd services for configuring Chromium/Firefox from LDAP

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Mon Aug 7 15:11:18 BST 2023



Mike Gabriel pushed to branch master at Debian Edu / debian-edu-config


Commits:
39890c47 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Add systemd services for configuring Chromium/Firefox from LDAP

Factor out logic from init scripts into separate scripts which are then called
from both the init scripts and systemd services.

- - - - -
085be419 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Add systemd service enabling NAT for thin clients

- - - - -
d8d40e3d by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Add systemd service for fetching the RootCA file from the main server

- - - - -
a06fb0d8 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Drop init script for fetching LDAP SSL public key from legacy main servers

This drops support for clients running behind a main server based on DebianEdu
stretch (closes: #1030116).

- - - - -
90dec108 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Update debian/rules for init scripts and systemd services

Closes: #1039166

- - - - -


14 changed files:

- Makefile
- debian/debian-edu-config.chromium-ldapconf
- + debian/debian-edu-config.chromium-ldapconf.service
- + debian/debian-edu-config.enable-nat.service
- − debian/debian-edu-config.fetch-ldap-cert
- debian/debian-edu-config.fetch-rootca-cert
- + debian/debian-edu-config.fetch-rootca-cert.service
- debian/debian-edu-config.firefox-ldapconf
- + debian/debian-edu-config.firefox-ldapconf.service
- debian/rules
- + share/debian-edu-config/tools/chromium-ldapconf
- + share/debian-edu-config/tools/fetch-rootca-cert
- + share/debian-edu-config/tools/firefox-ldapconf
- + share/debian-edu-config/tools/nat


Changes:

=====================================
Makefile
=====================================
@@ -321,6 +321,10 @@ install: install-testsuite
 		share/debian-edu-config/tools/copy-host-keytab \
 		share/debian-edu-config/tools/improve-desktop-l10n \
 		share/debian-edu-config/tools/install-task-pkgs \
+		share/debian-edu-config/tools/chromium-ldapconf \
+		share/debian-edu-config/tools/firefox-ldapconf \
+		share/debian-edu-config/tools/nat \
+		share/debian-edu-config/tools/fetch-rootca-cert \
 	; do \
 		$(INSTALL) $$f $(DESTDIR)/usr/$$f ; \
 	done


=====================================
debian/debian-edu-config.chromium-ldapconf
=====================================
@@ -20,31 +20,9 @@ set -e
 
 . /lib/lsb/init-functions
 
-if [ -e /etc/debian-edu/config ] ; then
-    . /etc/debian-edu/config
-fi
-
-do_start() {
-    # Skip this on LTSP chroots
-    if [ -e /etc/ltsp_chroot ] ; then
-        return
-    fi
-
-    # Only networked profiles use LDAP
-    if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
-	/usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
-    fi
-
-    if echo "$PROFILE" | grep -q LTSP-Server  && [ -d /opt/ltsp ] ; then
-	for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-	    chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
-	done
-    fi
-}
-
 case "$1" in
     start)
-	do_start
+	/usr/share/debian-edu-config/tools/chromium-ldapconf
 	;;
     stop)
 	;;


=====================================
debian/debian-edu-config.chromium-ldapconf.service
=====================================
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
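Review bot: `Description=` and `ExecStart=` in this Chromium unit still point at Firefox, so starting chromium-ldapconf.service runs the Firefox tool and never calls the Chromium one. They should read `Description=Update Chromium configuration from LDAP` and `ExecStart=/usr/share/debian-edu-config/tools/chromium-ldapconf`. The `After=` list also orders against `fetch-ldap-cert.service`, whose init script this push deletes; `fetch-rootca-cert.service` looks like the intended unit. The same stale `After=` entry is in debian/debian-edu-config.firefox-ldapconf.service.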


=====================================
debian/debian-edu-config.enable-nat.service
=====================================
@@ -0,0 +1,14 @@
+[Unit]
+Description=Enables NAT for clients in the thin clients network
+After=remote-fs.target network-online.target
+Wants=remote-fs.target
+ConditionFileIsExecutable=/usr/sbin/iptables
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/nat enable
+ExecStop=/usr/share/debian-edu-config/tools/nat disable
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
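Review bot: `After=network-online.target` only orders this unit and does not pull the target in, so without `Wants=network-online.target` the ordering has no effect unless something else requests that target. debian/debian-edu-config.fetch-rootca-cert.service has the same `After=` line with only `Wants=remote-fs.target`, and it matters more there because its ExecStart runs curl against www.intern. Adding `Wants=network-online.target` to both, as the two *-ldapconf units already do, makes the dependency explicit.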


=====================================
debian/debian-edu-config.fetch-ldap-cert deleted
=====================================
@@ -1,135 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides:          fetch-ldap-cert
-# Required-Start:    $local_fs $remote_fs
-# Required-Stop:     $local_fs $remote_fs
-# Should-Start:      $network $syslog $named slapd
-# Default-Start:     2 3 4 5
-# Default-Stop:
-# Short-Description: Fetch LDAP SSL public key from the server
-# Description:
-#   Start before krb5-kdc to give slapd time to become operational
-#   before krb5-kdc try to connect to the LDAP server as a workaround
-#   for #589915.
-# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
-### END INIT INFO
-#
-# Author: Petter Reinholdtsen <pere at hungry.com>
-# Date:   2007-06-09
-#
-# Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
-# Date:   2022-01-06
-
-###
-### FIXME: Legacy init script for Debian Edu clients.
-###
-###        --- Remove for Debian Edu bookworm+1 ---
-###
-###        Warning: Removing this script will drop support for clients running
-###        against Debian Edu main servers based on Debian Edu stretch and
-###        earlier.
-###
-
-set -e
-
-. /lib/lsb/init-functions
-
-CERTFILE=/etc/ssl/certs/debian-edu-server.crt
-
-do_start() {
-
-	# Locate LDAP server
-	LDAPSERVER=$(debian-edu-ldapserver)
-	LDAPPORT=636 # ldaps
-	ERROR=false
-
-	###
-	### PHASE 1: LDAP server cert retrieval
-	###
-
-	if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
-	    grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
-
-		# LDAP server host not known/found, bailing out...
-		if [ -z "$LDAPSERVER" ] ; then
-			msg="Failed to locate LDAP server"
-			log_action_begin_msg "$msg"
-			log_action_end_msg 1
-			logger -t fetch-ldap-cert "$msg."
-			return 1
-		fi
-
-		[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-
-		# Fetch LDAP certificate from the Debian Edu main server (i.e. from the LDAP server)
-		/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
-		chmod 644 $CERTFILE.new
-
-		if test -s $CERTFILE.new ; then
-			mv $CERTFILE.new $CERTFILE
-			[ "$VERBOSE" != no ] && log_action_end_msg 0
-			logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
-		else
-			# We obviously have failed in some way if the CERTFILE.new is empty (zero size).
-			# Something went wrong, if we end up here...
-			rm -f $CERTFILE.new
-			log_action_end_msg 1
-			logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
-			ERROR=true
-		fi
-
-	fi
-
-	###
-	### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present.
-	###
-
-	if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then
-
-		# Loop over all to be found LTSP chroots...
-		for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-
-			if [ ! -d $ltsp_chroot/etc/ssl/certs/ ]; then
-				# likely not a chroot dir, skipping...
-				continue
-			fi
-
-			# Only install the CERTFILE into this chroot, if not already present...
-			if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
-			    grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
-
-				# Copy the obtained CERTFILE into the LTSP chroot (containing the LDAP server's
-				# certificate.
-				log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
-				[ "$VERBOSE" != no ] &&
-				if test -s $CERTFILE; then
-					cp $CERTFILE $ltsp_chroot$CERTFILE
-					[ "$VERBOSE" != no ] && log_action_end_msg 0
-				else
-					log_action_end_msg 1
-					ERROR=true
-				fi
-			fi
-
-		done
-	fi
-
-	if [ "$ERROR" = "true" ]; then
-		return 1
-	fi
-}
-
-case "$1" in
-	start)
-		do_start
-		;;
-	stop)
-		;;
-	restart|force-reload)
-		;;
-	*)
-		echo "Usage: $0 {start|stop|restart|force-reload}"
-		exit 2
-esac
-
-exit 0


=====================================
debian/debian-edu-config.fetch-rootca-cert
=====================================
@@ -19,68 +19,10 @@ set -e
 
 . /lib/lsb/init-functions
 
-if [ -r /etc/debian-edu/config ] ; then
-	. /etc/debian-edu/config
-fi
-
-BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
-ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
-LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
-
-do_start() {
-
-	ERROR=false
-
-	# Remove no longer used certificate file
-	rm -f $BUNDLECRT
-
-	# RootCA cert retrieval (avoid execution on the main server, things are in place)
-	if echo "$PROFILE" | egrep -q 'Main-Server' ; then
-		logger -t fetch-rootca-cert "Running on the main server, exiting."
-		exit 0
-	fi
-	if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
-		# Since Debian Edu 10, the RootCA file is distributed
-		# over http (always via the host serving www.intern, by default: TJENER)
-		#
-		# We do an availability check for the webserver first, to provide proper
-		# error reporting (see below). So, the following check merely discovers,
-		# if the webserver is online at all.
-		if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
-			# Now let's see if the webserver has the "Debian Edu RootCA" file.
-			# This has been the case for Debian Edu main servers (TJENER) since
-			# Debian Edu 10.1.
-			if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
-				grep -q CERTIFICATE $LOCALCACRT ; then
-				# Make rootCA certificate available in /etc/ssl/certs/
-				ln -nsf $LOCALCACRT $ROOTCACRT
-				# Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
-				update-ca-certificates
-				logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
-			else
-				# Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
-				# 404 http error message in html.
-				rm -f $LOCALCACRT
-				rm -f $ROOTCACRT
-				logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
-			fi
-		else
-			# Report an error, if www.intern is down http-wise. This can happen and is probably
-			# a temporary problem that needs an admin to fix it.
-			log_action_end_msg 1
-			logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
-			ERROR=true
-		fi
-	fi
-
-	if $ERROR; then
-		return 1
-	fi
-}
-
 case "$1" in
 	start)
-		do_start
+		/usr/share/debian-edu-config/tools/fetch-rootca-cert
+		exit $?
 		;;
 	stop)
 		;;


=====================================
debian/debian-edu-config.fetch-rootca-cert.service
=====================================
@@ -0,0 +1,13 @@
+[Unit]
+Description=Fetch Debian Edu rootCA certificate from the main server
+After=remote-fs.target network-online.target
+Before=nslcd.service
+Wants=remote-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/fetch-rootca-cert
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target


=====================================
debian/debian-edu-config.firefox-ldapconf
=====================================
@@ -20,31 +20,9 @@ set -e
 
 . /lib/lsb/init-functions
 
-if [ -e /etc/debian-edu/config ] ; then
-    . /etc/debian-edu/config
-fi
-
-do_start() {
-    # Skip this on LTSP chroots
-    if [ -e /etc/ltsp_chroot ] ; then
-        return
-    fi
-
-    # Only networked profiles use LDAP
-    if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
-	/usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
-    fi
-
-    if echo "$PROFILE" | grep -q LTSP-Server  && [ -d /opt/ltsp ] ; then
-	for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-	    chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
-	done
-    fi
-}
-
 case "$1" in
     start)
-	do_start
+	/usr/share/debian-edu-config/tools/firefox-ldapconf
 	;;
     stop)
 	;;


=====================================
debian/debian-edu-config.firefox-ldapconf.service
=====================================
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target


=====================================
debian/rules
=====================================
@@ -10,13 +10,18 @@ override_dh_auto_install:
 
 override_dh_installinit:
 	# Start it after 15bind9 and 19slapd
-	dh_installinit --init-script fetch-ldap-cert -r --no-start
 	dh_installinit --init-script fetch-rootca-cert -r --no-start
 	# Start it after 15bind9, 19slapd and 95fetch-ldap-cert, and add some to be sure
 	dh_installinit --init-script firefox-ldapconf -r --no-start
 	dh_installinit --init-script chromium-ldapconf -r --no-start
 	dh_installinit --init-script enable-nat --no-start
 
+override_dh_installsystemd:
+	dh_installsystemd --no-start --name chromium-ldapconf
+	dh_installsystemd --no-start --name enable-nat
+	dh_installsystemd --no-start --name fetch-rootca-cert
+	dh_installsystemd --no-start --name firefox-ldapconf
+
 override_dh_installman:
 	dh_installman
 	help2man -N -n "ldap-add-host-to-netgroup - Adds a host as a member in the given netgroup" \
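Review bot: The context comment `# Start it after 15bind9, 19slapd and 95fetch-ldap-cert, and add some to be sure` still names the init script whose `dh_installinit` line this hunk deletes. It should be reworded to refer to fetch-rootca-cert, or dropped, so the ordering rationale matches what is actually installed. The new `override_dh_installsystemd` target has no comment at all; a one-line note that the four units are installed with `--no-start`, mirroring the init scripts above, would keep the two targets readable side by side.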


=====================================
share/debian-edu-config/tools/chromium-ldapconf
=====================================
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Chromium configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+    . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+    *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+        /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
+        ;;
+esac
+
+case $PROFILE in
+    *LTSP-Server*)
+        if [ -d /opt/ltsp ]; then
+            find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage \;
+        fi
+        ;;
+esac
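Review bot: The `/etc/ltsp_chroot` guard from the old `do_start` was not carried into this script, so when it is executed inside an LTSP chroot it now goes on to call `update-chromium-homepage` instead of returning early. If dropping the guard was not intended, `[ -e /etc/ltsp_chroot ] && exit 0` after sourcing the config restores it. The script also runs without `set -e`, so a failing `update-chromium-homepage` in the first `case` is masked by the exit status of the second `case` and the oneshot unit reports success. Both points apply equally to share/debian-edu-config/tools/firefox-ldapconf.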


=====================================
share/debian-edu-config/tools/fetch-rootca-cert
=====================================
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# Fetches Debian Edu rootCA certificate from the main server
+#
+# Author: Wolfgang Schweer, <wschweer at arcor.de>
+# Date:   2020-02-14
+#
+
+if [ -r /etc/debian-edu/config ] ; then
+    . /etc/debian-edu/config
+fi
+
+BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
+LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
+
+# Remove no longer used certificate file
+rm -f $BUNDLECRT
+
+# RootCA cert retrieval (avoid execution on the main server, things are in place)
+case $PROFILE in
+*Main-Server*)
+    logger -t fetch-rootca-cert "Running on the main server, exiting."
+    exit 0
+    ;;
+esac
+
+if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
+    # Since Debian Edu 10, the RootCA file is distributed
+    # over http (always via the host serving www.intern, by default: TJENER)
+    #
+    # We do an availability check for the webserver first, to provide proper
+    # error reporting (see below). So, the following check merely discovers,
+    # if the webserver is online at all.
+    if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
+        # Now let's see if the webserver has the "Debian Edu RootCA" file.
+        # This has been the case for Debian Edu main servers (TJENER) since
+        # Debian Edu 10.1.
+        if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
+            grep -q CERTIFICATE $LOCALCACRT ; then
+            # Make rootCA certificate available in /etc/ssl/certs/
+            ln -nsf $LOCALCACRT $ROOTCACRT
+            # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
+            update-ca-certificates
+            logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
+        else
+            # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
+            # 404 http error message in html.
+            rm -f $LOCALCACRT
+            rm -f $ROOTCACRT
+            logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
+        fi
+    else
+        # Report an error, if www.intern is down http-wise. This can happen and is probably
+        # a temporary problem that needs an admin to fix it.
+        log_action_end_msg 1
+        logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
+        exit 1
+    fi
+fi
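Review bot: The rootCA download (`curl -fk … > $LOCALCACRT`) writes an unauthenticated response straight into /usr/local/share/ca-certificates and accepts it if it merely contains the string CERTIFICATE, after which `update-ca-certificates` makes it a system-wide trust anchor. As far as this script shows, nothing exists yet to verify www.intern against, so the `-k` fetch is trust-on-first-use and should be documented as such. The file should at least be fetched to a temporary name and parsed as X.509 before it is moved into place, as sketched below. Separately, `log_action_end_msg 1` in the last `else` branch is undefined here, because this script never sources /lib/lsb/init-functions and shell functions are not inherited when the init script executes it; drop the call or source the library.

```shell
        # … unchanged: availability check against https://www.intern …
        # -k: no trust anchor exists yet, so this fetch is trust-on-first-use.
        # Only accept a response that actually parses as an X.509 certificate.
        TMPCRT=$(mktemp "$LOCALCACRT.XXXXXX") || exit 1
        if curl -fk https://www.intern/Debian-Edu_rootCA.crt > "$TMPCRT" 2>/dev/null && \
            openssl x509 -in "$TMPCRT" -noout 2>/dev/null ; then
            chmod 644 "$TMPCRT"
            mv "$TMPCRT" "$LOCALCACRT"
            # … unchanged: ln -nsf, update-ca-certificates, logger success message …
        else
            rm -f "$TMPCRT" "$LOCALCACRT" "$ROOTCACRT"
            # … unchanged: logger failure message …
        fi
```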


=====================================
share/debian-edu-config/tools/firefox-ldapconf
=====================================
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Firefox configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+    . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+    *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+        /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
+        ;;
+esac
+
+case $PROFILE in
+    *LTSP-Server*)
+        if [ -d /opt/ltsp ]; then
+            find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage \;
+        fi
+        ;;
+esac


=====================================
share/debian-edu-config/tools/nat
=====================================
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+IPTABLES=/usr/sbin/iptables
+
+NETWORK_TO_NAT=
+OUTSIDE_IF=eth0
+
+[ -x $IPTABLES ] || exit 1
+
+# Only enable by default if LTSP is installed
+if [ -e /srv/ltsp ] ; then
+    NETWORK_TO_NAT="192.168.0.0/24"
+fi
+
+if [ -f /etc/default/enable-nat ] ; then
+    . /etc/default/enable-nat
+fi
+
+# Bail out if no network is configured
+[ -n "$NETWORK_TO_NAT" ] || exit 0
+
+case $1 in
+enable)
+    # Exit if already enabled
+    $IPTABLES -t nat -n -L POSTROUTING | \
+        awk -v net="$NETWORK_TO_NAT" '
+        NR > 2 && $1 == "MASQUERADE" && $4 == net {
+            found=1
+            exit
+        }
+        END {
+            exit(!found)
+        }' && exit 0
+
+    $IPTABLES -t nat -A POSTROUTING -s "$NETWORK_TO_NAT" -o "$OUTSIDE_IF" -j MASQUERADE
+
+    # Enable IP-forwarding if it isn't enabled already.
+    sysctl -wq net.ipv4.ip_forward=1
+    ;;
+disable)
+    $IPTABLES -F -t nat
+    ;;
+*)
+    printf 'usage: %s [enable|disable]\n' "$(basename "$0")" >&2
+    exit 1
+    ;;
+esac
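Review bot: `disable` runs `$IPTABLES -F -t nat`, which flushes every chain of the nat table rather than only the MASQUERADE rule that `enable` appended, so stopping enable-nat.service also removes NAT rules installed by anything else on the host. Deleting the single rule mirrors `enable`: `$IPTABLES -t nat -D POSTROUTING -s "$NETWORK_TO_NAT" -o "$OUTSIDE_IF" -j MASQUERADE`. `enable` also leaves `net.ipv4.ip_forward=1` set after `disable`. If that is deliberate, a comment saying so would help, since forwarding then stays on for all interfaces.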



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/a037063a41e55e7d5222795e07e3c5f47da2b1ea...90dec1088e8cdb0dc10417abb6fb7f901cac10fa
