[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/systemd] 11 commits: etc/dhcp/dhcp-debian-edu.conf: ldap-server. 'ldap' -> 'ldap.intern'. (Closes: #1039966)

Guido Berhörster (@gber) gitlab at salsa.debian.org
Wed Jul 19 08:05:29 BST 2023



Guido Berhörster pushed to branch personal/gber/systemd at Debian Edu / debian-edu-config


Commits:
c54b6cc4 by Daniel Teichmann at 2023-06-30T10:40:16+00:00
etc/dhcp/dhcp-debian-edu.conf: ldap-server. 'ldap' -> 'ldap.intern'. (Closes: #1039966) 
- - - - -
66d00155 by Guido Berhoerster at 2023-07-01T03:38:39+00:00
Fix samba usershares permissions

Setting the group ownership of /var/lib/samba/usershares/ to "students" fails
during the installation because this group is defined in LDAP and the slapd is
not running at the time the samba promise bundle is evaluated.  Thus use the
numeric GID instead.  The group is defined in
ldap-bootstrap/{samba.ldif,gosa.ldif}.  Closes: #1039461.

- - - - -
02972022 by Mike Gabriel at 2023-07-01T05:59:53+02:00
Revert "etc/dhcp/dhcp-debian-edu.conf: ldap-server. 'ldap' -> 'ldap.intern'. (Closes: #1039966) "

This reverts commit c54b6cc4d712b48a62e4c7103fe6edf96180526b.

- - - - -
62f81eb6 by Mike Gabriel at 2023-07-01T05:59:53+02:00
release as 2.12.33

- - - - -
50fabfaf by Mike Gabriel at 2023-07-01T06:06:50+02:00
Start 2.12.34 development.

 d/changelog entries will be written on release using the git commit
 messages.

 Use 'gbp dch --since 2.12.33' to write d/changelog entries since that
 last release.

- - - - -
04a9db68 by Daniel Teichmann at 2023-07-03T16:36:29+02:00
etc/dhcp/dhcp-debian-edu.conf: ldap-server. 'ldap' -> 'ldap.intern'. (Closes: #1039966) 
- - - - -
d86dd57c by Guido Berhoerster at 2023-07-17T16:14:29+02:00
Add systemd services for configuring Chromium/Firefox from LDAP

Factor out logic from init script into separate scripts which are then called
from both the init script and systemd services.

- - - - -
ae8bd77c by Guido Berhoerster at 2023-07-19T09:03:40+02:00
Add systemd service enabling NAT for thin clients

- - - - -
49c8c262 by Guido Berhoerster at 2023-07-19T09:03:40+02:00
Add systemd service for fetching the RootCA file from the main server

- - - - -
174176bc by Guido Berhoerster at 2023-07-19T09:03:40+02:00
Drop init script for fetching LDAP SSL public key from legacy main servers

This drops support for clients running behind a main server based on DebianEdu
stretch.

- - - - -
a1ef48e0 by Guido Berhoerster at 2023-07-19T09:03:40+02:00
Update debian/rules for init scripts and systemd services

- - - - -


17 changed files:

- Makefile
- cf3/cf.samba
- debian/changelog
- debian/debian-edu-config.chromium-ldapconf
- + debian/debian-edu-config.chromium-ldapconf.service
- + debian/debian-edu-config.enable-nat.service
- − debian/debian-edu-config.fetch-ldap-cert
- debian/debian-edu-config.fetch-rootca-cert
- + debian/debian-edu-config.fetch-rootca-cert.service
- debian/debian-edu-config.firefox-ldapconf
- + debian/debian-edu-config.firefox-ldapconf.service
- debian/rules
- etc/dhcp/dhcpd-debian-edu.conf
- + share/debian-edu-config/tools/chromium-ldapconf
- + share/debian-edu-config/tools/fetch-rootca-cert
- + share/debian-edu-config/tools/firefox-ldapconf
- + share/debian-edu-config/tools/nat


Changes:

=====================================
Makefile
=====================================
@@ -321,6 +321,10 @@ install: install-testsuite
 		share/debian-edu-config/tools/copy-host-keytab \
 		share/debian-edu-config/tools/improve-desktop-l10n \
 		share/debian-edu-config/tools/install-task-pkgs \
+		share/debian-edu-config/tools/chromium-ldapconf \
+		share/debian-edu-config/tools/firefox-ldapconf \
+		share/debian-edu-config/tools/nat \
+		share/debian-edu-config/tools/fetch-rootca-cert \
 	; do \
 		$(INSTALL) $$f $(DESTDIR)/usr/$$f ; \
 	done


=====================================
cf3/cf.samba
=====================================
@@ -9,9 +9,13 @@ files:
 
   debian.server.installation::
 
+    # GID 10004 is the "students" group, the group name cannot be used here
+    # since slapd is not running when this bundle is evaluated during
+    # installation, the GID must be to be kept in sync with
+    # ldap-bootstrap/{samba.ldif,gosa.ldif}
     "$(usershares_file)"
       create => "true",
-      perms => mog("1770","root","students");
+      perms => mog("1770","root","10004");
 
     "/etc/samba/smb.conf"
       link_from => ln_s("/etc/samba/smb-debian-edu.conf"),
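
Review bot: The new comment above "$(usershares_file)" has a typo: "the GID must be to be kept in sync" should read "must be kept in sync". The value 10004 now lives both here and in ldap-bootstrap/{samba.ldif,gosa.ldif} with nothing enforcing agreement, so consider a matching comment next to the students entry in those LDIF files pointing back to this promise, or a testsuite check comparing the two. Otherwise a later change there leaves the mode 1770 usershares directory writable by whichever group ends up holding GID 10004.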


=====================================
debian/changelog
=====================================
@@ -1,9 +1,33 @@
-debian-edu-config (2.12.33) UNRELEASED; urgency=medium
+debian-edu-config (2.12.34) UNRELEASED; urgency=medium
 
-  * Start 2.12.33 development. d/changelog entries will be written on
-    release using the git commit messages.
+  * Start 2.12.34 development.
 
- -- Holger Levsen <holger at debian.org>  Thu, 08 Jun 2023 11:21:21 +0200
+    d/changelog entries will be written on release
+    using the git commit messages.
+
+    Use 'gbp dch --since 2.12.33'
+    to write d/changelog entries since that last release.
+
+ -- Mike Gabriel <sunweaver at debian.org>  Sat, 01 Jul 2023 06:05:45 +0200
+
+debian-edu-config (2.12.33) unstable; urgency=medium
+
+  [ Guido Berhoerster ]
+  * Adapt ntp configuration for ntpsec. Closes: #1038881.
+    ntpsec has replaced ntp in bookworm, adapt configuration and add a
+    drop-in file instead of editing the configuration file. Drop insserv
+    overrides for ntp, the ntpsec systemd unit has an ordering dependency
+    on nss-lookup.target equivalent to the "$named" facility.
+  * Set up database for icingaweb2
+    Starting with version 2.11 user preferences must be stored in the DB.
+  * Fix permissions issue preventing icingaweb2 from reading the backend config
+    The /etc/icingaweb2/modules directory ends up with "drwxrwSrwx" permissions,
+    missing the "x" bit preventing icingaweb2 from reading the monitoring backend
+    configuration in /etc/icingaweb2/modules/monitoring/. Instead of adjusting
+    single files and directories, enforce sensible permissions on all directories
+    and configuration files. Closes: #1039475.
+
+ -- Mike Gabriel <sunweaver at debian.org>  Sat, 01 Jul 2023 05:41:56 +0200
 
 debian-edu-config (2.12.32) unstable; urgency=medium
 


=====================================
debian/debian-edu-config.chromium-ldapconf
=====================================
@@ -20,31 +20,9 @@ set -e
 
 . /lib/lsb/init-functions
 
-if [ -e /etc/debian-edu/config ] ; then
-    . /etc/debian-edu/config
-fi
-
-do_start() {
-    # Skip this on LTSP chroots
-    if [ -e /etc/ltsp_chroot ] ; then
-        return
-    fi
-
-    # Only networked profiles use LDAP
-    if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
-	/usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
-    fi
-
-    if echo "$PROFILE" | grep -q LTSP-Server  && [ -d /opt/ltsp ] ; then
-	for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-	    chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
-	done
-    fi
-}
-
 case "$1" in
     start)
-	do_start
+	/usr/share/debian-edu-config/tools/chromium-ldapconf
 	;;
     stop)
 	;;


=====================================
debian/debian-edu-config.chromium-ldapconf.service
=====================================
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
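
Review bot: Description= and ExecStart= in this Chromium unit both point at Firefox: "Description=Update firefox configuration from LDAP" and "ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf" look copied from the firefox-ldapconf unit. As written, enabling this service runs the Firefox script a second time and never touches the Chromium configuration. ExecStart= should be /usr/share/debian-edu-config/tools/chromium-ldapconf, which this push adds, and the description should name Chromium.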


=====================================
debian/debian-edu-config.enable-nat.service
=====================================
@@ -0,0 +1,14 @@
+[Unit]
+Description=Enables NAT for clients in the thin clients network
+After=remote-fs.target network-online.target
+Wants=remote-fs.target
+ConditionFileIsExecutable=/usr/sbin/iptables
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/nat enable
+ExecStop=/usr/share/debian-edu-config/tools/nat disable
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
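
Review bot: After= orders this unit behind network-online.target, but Wants= only names remote-fs.target, so nothing in this unit pulls network-online.target into the boot transaction and the ordering only takes effect if some other unit wants it. The two ldapconf units in this push pair After=network-online.target with Wants=network-online.target; do the same here if the rule really needs the outside interface to be up, or drop network-online.target from After= if it does not.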


=====================================
debian/debian-edu-config.fetch-ldap-cert deleted
=====================================
@@ -1,135 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides:          fetch-ldap-cert
-# Required-Start:    $local_fs $remote_fs
-# Required-Stop:     $local_fs $remote_fs
-# Should-Start:      $network $syslog $named slapd
-# Default-Start:     2 3 4 5
-# Default-Stop:
-# Short-Description: Fetch LDAP SSL public key from the server
-# Description:
-#   Start before krb5-kdc to give slapd time to become operational
-#   before krb5-kdc try to connect to the LDAP server as a workaround
-#   for #589915.
-# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
-### END INIT INFO
-#
-# Author: Petter Reinholdtsen <pere at hungry.com>
-# Date:   2007-06-09
-#
-# Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
-# Date:   2022-01-06
-
-###
-### FIXME: Legacy init script for Debian Edu clients.
-###
-###        --- Remove for Debian Edu bookworm+1 ---
-###
-###        Warning: Removing this script will drop support for clients running
-###        against Debian Edu main servers based on Debian Edu stretch and
-###        earlier.
-###
-
-set -e
-
-. /lib/lsb/init-functions
-
-CERTFILE=/etc/ssl/certs/debian-edu-server.crt
-
-do_start() {
-
-	# Locate LDAP server
-	LDAPSERVER=$(debian-edu-ldapserver)
-	LDAPPORT=636 # ldaps
-	ERROR=false
-
-	###
-	### PHASE 1: LDAP server cert retrieval
-	###
-
-	if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
-	    grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
-
-		# LDAP server host not known/found, bailing out...
-		if [ -z "$LDAPSERVER" ] ; then
-			msg="Failed to locate LDAP server"
-			log_action_begin_msg "$msg"
-			log_action_end_msg 1
-			logger -t fetch-ldap-cert "$msg."
-			return 1
-		fi
-
-		[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-
-		# Fetch LDAP certificate from the Debian Edu main server (i.e. from the LDAP server)
-		/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
-		chmod 644 $CERTFILE.new
-
-		if test -s $CERTFILE.new ; then
-			mv $CERTFILE.new $CERTFILE
-			[ "$VERBOSE" != no ] && log_action_end_msg 0
-			logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
-		else
-			# We obviously have failed in some way if the CERTFILE.new is empty (zero size).
-			# Something went wrong, if we end up here...
-			rm -f $CERTFILE.new
-			log_action_end_msg 1
-			logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
-			ERROR=true
-		fi
-
-	fi
-
-	###
-	### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present.
-	###
-
-	if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then
-
-		# Loop over all to be found LTSP chroots...
-		for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-
-			if [ ! -d $ltsp_chroot/etc/ssl/certs/ ]; then
-				# likely not a chroot dir, skipping...
-				continue
-			fi
-
-			# Only install the CERTFILE into this chroot, if not already present...
-			if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
-			    grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
-
-				# Copy the obtained CERTFILE into the LTSP chroot (containing the LDAP server's
-				# certificate.
-				log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
-				[ "$VERBOSE" != no ] &&
-				if test -s $CERTFILE; then
-					cp $CERTFILE $ltsp_chroot$CERTFILE
-					[ "$VERBOSE" != no ] && log_action_end_msg 0
-				else
-					log_action_end_msg 1
-					ERROR=true
-				fi
-			fi
-
-		done
-	fi
-
-	if [ "$ERROR" = "true" ]; then
-		return 1
-	fi
-}
-
-case "$1" in
-	start)
-		do_start
-		;;
-	stop)
-		;;
-	restart|force-reload)
-		;;
-	*)
-		echo "Usage: $0 {start|stop|restart|force-reload}"
-		exit 2
-esac
-
-exit 0
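
Review bot: Deleting this file from the source package does not by itself remove the installed copy on upgrade: scripts shipped under /etc/init.d are conffiles, and the list of changed files shows no maintscript or maintainer-script change. Consider an rm_conffile entry (dpkg-maintscript-helper) for /etc/init.d/fetch-ldap-cert so that upgraded systems do not keep the legacy script around, and decide whether a previously fetched /etc/ssl/certs/debian-edu-server.crt should be cleaned up too. The After=fetch-ldap-cert.service entries in the new ldapconf units and the "95fetch-ldap-cert" comment in debian/rules still refer to this script.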


=====================================
debian/debian-edu-config.fetch-rootca-cert
=====================================
@@ -19,68 +19,10 @@ set -e
 
 . /lib/lsb/init-functions
 
-if [ -r /etc/debian-edu/config ] ; then
-	. /etc/debian-edu/config
-fi
-
-BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
-ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
-LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
-
-do_start() {
-
-	ERROR=false
-
-	# Remove no longer used certificate file
-	rm -f $BUNDLECRT
-
-	# RootCA cert retrieval (avoid execution on the main server, things are in place)
-	if echo "$PROFILE" | egrep -q 'Main-Server' ; then
-		logger -t fetch-rootca-cert "Running on the main server, exiting."
-		exit 0
-	fi
-	if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
-		# Since Debian Edu 10, the RootCA file is distributed
-		# over http (always via the host serving www.intern, by default: TJENER)
-		#
-		# We do an availability check for the webserver first, to provide proper
-		# error reporting (see below). So, the following check merely discovers,
-		# if the webserver is online at all.
-		if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
-			# Now let's see if the webserver has the "Debian Edu RootCA" file.
-			# This has been the case for Debian Edu main servers (TJENER) since
-			# Debian Edu 10.1.
-			if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
-				grep -q CERTIFICATE $LOCALCACRT ; then
-				# Make rootCA certificate available in /etc/ssl/certs/
-				ln -nsf $LOCALCACRT $ROOTCACRT
-				# Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
-				update-ca-certificates
-				logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
-			else
-				# Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
-				# 404 http error message in html.
-				rm -f $LOCALCACRT
-				rm -f $ROOTCACRT
-				logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
-			fi
-		else
-			# Report an error, if www.intern is down http-wise. This can happen and is probably
-			# a temporary problem that needs an admin to fix it.
-			log_action_end_msg 1
-			logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
-			ERROR=true
-		fi
-	fi
-
-	if $ERROR; then
-		return 1
-	fi
-}
-
 case "$1" in
 	start)
-		do_start
+		/usr/share/debian-edu-config/tools/fetch-rootca-cert
+		exit $?
 		;;
 	stop)
 		;;


=====================================
debian/debian-edu-config.fetch-rootca-cert.service
=====================================
@@ -0,0 +1,13 @@
+[Unit]
+Description=Fetch Debian Edu rootCA certificate from the main server
+After=remote-fs.target network-online.target
+Before=nslcd.service
+Wants=remote-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/fetch-rootca-cert
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
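
Review bot: Wants= is missing network-online.target, although ExecStart= runs a script whose only job is a curl request to https://www.intern. After=network-online.target alone does not pull that target in, so on a system where nothing else wants it the fetch can run before the network is up, exit 1, and leave the unit failed with nothing to retry it. Add network-online.target to Wants=, and consider After=nss-lookup.target as in the ldapconf units, since www.intern has to resolve first.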


=====================================
debian/debian-edu-config.firefox-ldapconf
=====================================
@@ -20,31 +20,9 @@ set -e
 
 . /lib/lsb/init-functions
 
-if [ -e /etc/debian-edu/config ] ; then
-    . /etc/debian-edu/config
-fi
-
-do_start() {
-    # Skip this on LTSP chroots
-    if [ -e /etc/ltsp_chroot ] ; then
-        return
-    fi
-
-    # Only networked profiles use LDAP
-    if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
-	/usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
-    fi
-
-    if echo "$PROFILE" | grep -q LTSP-Server  && [ -d /opt/ltsp ] ; then
-	for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-	    chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
-	done
-    fi
-}
-
 case "$1" in
     start)
-	do_start
+	/usr/share/debian-edu-config/tools/firefox-ldapconf
 	;;
     stop)
 	;;


=====================================
debian/debian-edu-config.firefox-ldapconf.service
=====================================
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
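
Review bot: After= lists fetch-ldap-cert.service, but this same push deletes the fetch-ldap-cert init script and its dh_installinit line, so no unit of that name will exist. An ordering dependency on a unit that is not loaded has no effect, which means the ordering against the certificate fetch is silently lost. If the intent is to run once the CA certificate is in place, the unit added in this push is fetch-rootca-cert.service. The same After= line appears in the chromium-ldapconf unit.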


=====================================
debian/rules
=====================================
@@ -10,13 +10,18 @@ override_dh_auto_install:
 
 override_dh_installinit:
 	# Start it after 15bind9 and 19slapd
-	dh_installinit --init-script fetch-ldap-cert -r --no-start
 	dh_installinit --init-script fetch-rootca-cert -r --no-start
 	# Start it after 15bind9, 19slapd and 95fetch-ldap-cert, and add some to be sure
 	dh_installinit --init-script firefox-ldapconf -r --no-start
 	dh_installinit --init-script chromium-ldapconf -r --no-start
 	dh_installinit --init-script enable-nat --no-start
 
+override_dh_installsystemd:
+	dh_installsystemd --no-start --name chromium-ldapconf
+	dh_installsystemd --no-start --name enable-nat
+	dh_installsystemd --no-start --name fetch-rootca-cert
+	dh_installsystemd --no-start --name firefox-ldapconf
+
 override_dh_installman:
 	dh_installman
 	help2man -N -n "ldap-add-host-to-netgroup - Adds a host as a member in the given netgroup" \
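
Review bot: The context comment "# Start it after 15bind9, 19slapd and 95fetch-ldap-cert, and add some to be sure" still names fetch-ldap-cert after this hunk removes its dh_installinit line. Update or drop the comment so it matches what is actually installed; the first comment, "# Start it after 15bind9 and 19slapd", now sits directly above fetch-rootca-cert and should be checked against that script as well.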


=====================================
etc/dhcp/dhcpd-debian-edu.conf
=====================================
@@ -1,5 +1,5 @@
 lease-file-name "/var/lib/dhcp/dhcpd.leases";
-ldap-server "ldap";
+ldap-server "ldap.intern";
 ldap-port 389;
 ldap-base-dn  "dc=skole,dc=skolelinux,dc=no";
 ldap-dhcp-server-cn "tjener";


=====================================
share/debian-edu-config/tools/chromium-ldapconf
=====================================
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Chromium configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+    . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+    *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+        /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
+        ;;
+esac
+
+case $PROFILE in
+    *LTSP-Server*)
+        if [ -d /opt/ltsp ]; then
+            find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage \;
+        fi
+        ;;
+esac
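
Review bot: The "Skip this on LTSP chroots" guard from the old do_start ("if [ -e /etc/ltsp_chroot ] ; then return") was not carried over into this script, so it now calls update-chromium-homepage even when it is started inside an LTSP chroot. Restore the check near the top (exit 0 when /etc/ltsp_chroot exists) or state in the commit message why it is no longer needed. firefox-ldapconf has the same omission. "Roaming-Workstation" also vanished from the profile list; it is still matched by *Workstation*, but a short comment saying so would spare the next reader the double take.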


=====================================
share/debian-edu-config/tools/fetch-rootca-cert
=====================================
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# Fetches Debian Edu rootCA certificate from the main server
+#
+# Author: Wolfgang Schweer, <wschweer at arcor.de>
+# Date:   2020-02-14
+#
+
+if [ -r /etc/debian-edu/config ] ; then
+    . /etc/debian-edu/config
+fi
+
+BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
+LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
+
+# Remove no longer used certificate file
+rm -f $BUNDLECRT
+
+# RootCA cert retrieval (avoid execution on the main server, things are in place)
+case $PROFILE in
+*Main-Server*)
+    logger -t fetch-rootca-cert "Running on the main server, exiting."
+    exit 0
+    ;;
+esac
+
+if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
+    # Since Debian Edu 10, the RootCA file is distributed
+    # over http (always via the host serving www.intern, by default: TJENER)
+    #
+    # We do an availability check for the webserver first, to provide proper
+    # error reporting (see below). So, the following check merely discovers,
+    # if the webserver is online at all.
+    if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
+        # Now let's see if the webserver has the "Debian Edu RootCA" file.
+        # This has been the case for Debian Edu main servers (TJENER) since
+        # Debian Edu 10.1.
+        if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
+            grep -q CERTIFICATE $LOCALCACRT ; then
+            # Make rootCA certificate available in /etc/ssl/certs/
+            ln -nsf $LOCALCACRT $ROOTCACRT
+            # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
+            update-ca-certificates
+            logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
+        else
+            # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
+            # 404 http error message in html.
+            rm -f $LOCALCACRT
+            rm -f $ROOTCACRT
+            logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
+        fi
+    else
+        # Report an error, if www.intern is down http-wise. This can happen and is probably
+        # a temporary problem that needs an admin to fix it.
+        log_action_end_msg 1
+        logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
+        exit 1
+    fi
+fi
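
Review bot: log_action_end_msg is called in the "www.intern is down" branch, but this standalone script never sources /lib/lsb/init-functions (only the init wrapper does, and functions are not inherited by a separately executed script), so that line fails with "not found" under both the init script and the systemd unit. Drop it or write the message to stderr next to the logger call. The failed-download branch ("rm -f $LOCALCACRT", "rm -f $ROOTCACRT", logger) falls through to exit status 0, so the service reports success with no CA installed; exit non-zero there as well. Since the certificate is fetched with "curl -fk" and accepted on "grep -q CERTIFICATE" alone, whatever answers as www.intern on first run becomes a system-wide trust anchor; a comment stating that this is intentional trust-on-first-use, and downloading to a temporary file before moving it into /usr/local/share/ca-certificates, would make that explicit.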


=====================================
share/debian-edu-config/tools/firefox-ldapconf
=====================================
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Firefox configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+    . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+    *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+        /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
+        ;;
+esac
+
+case $PROFILE in
+    *LTSP-Server*)
+        if [ -d /opt/ltsp ]; then
+            find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage \;
+        fi
+        ;;
+esac
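
Review bot: The exit status of update-firefox-homepage in the first case block is never propagated. The old init script ran under "set -e"; this script has neither "set -e" nor an explicit exit, so its status is that of the last case statement, which is 0 on every profile that does not match *LTSP-Server*. Under the new systemd unit a failed LDAP lookup therefore still shows the service as successful. Add "set -e" at the top or record the status of each call and exit with it. The same applies to chromium-ldapconf.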


=====================================
share/debian-edu-config/tools/nat
=====================================
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+IPTABLES=/usr/sbin/iptables
+
+NETWORK_TO_NAT=
+OUTSIDE_IF=eth0
+
+[ -x $IPTABLES ] || exit 1
+
+# Only enable by default if LTSP is installed
+if [ -e /srv/ltsp ] ; then
+    NETWORK_TO_NAT="192.168.0.0/24"
+fi
+
+if [ -f /etc/default/enable-nat ] ; then
+    . /etc/default/enable-nat
+fi
+
+# Bail out if no network is configured
+[ -n "$NETWORK_TO_NAT" ] || exit 0
+
+case $1 in
+enable)
+    # Exit if already enabled
+    $IPTABLES -t nat -n -L POSTROUTING | \
+        awk -v net="$NETWORK_TO_NAT" '
+        NR > 2 && $1 == "MASQUERADE" && $4 == net {
+            found=1
+            exit
+        }
+        END {
+            exit(!found)
+        }' && exit 0
+
+    $IPTABLES -t nat -A POSTROUTING -s "$NETWORK_TO_NAT" -o "$OUTSIDE_IF" -j MASQUERADE
+
+    # Enable IP-forwarding if it isn't enabled already.
+    sysctl -wq net.ipv4.ip_forward=1
+    ;;
+disable)
+    $IPTABLES -F -t nat
+    ;;
+*)
+    printf 'usage: %s [enable|disable]\n' "$(basename "$0")" >&2
+    exit 1
+    ;;
+esac
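
Review bot: The disable branch runs "$IPTABLES -F -t nat", which flushes every chain in the nat table, not just the rule that enable added. Because the unit wires this to ExecStop=, stopping or restarting enable-nat also removes NAT rules installed by the administrator or by other software on the same host. Delete only the matching rule instead, for example with -D POSTROUTING and the same -s "$NETWORK_TO_NAT" -o "$OUTSIDE_IF" -j MASQUERADE arguments used for -A. Note also that enable sets net.ipv4.ip_forward=1 and disable leaves it set; if that is intended, say so in a comment.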



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/4d1a73132df0b213ac40afcc0d7b0ade60ab6ee4...a1ef48e01db551bd5e0971c6d08184e4e074f3b6
