[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 6 commits: Rewrite testsuite/filesystems, add exception for /boot

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Thu Sep 21 07:18:00 BST 2023



Mike Gabriel pushed to branch master at Debian Edu / debian-edu-config


Commits:
47cc42ed by Guido Berhoerster at 2023-09-20T08:23:42+02:00
Rewrite testsuite/filesystems, add exception for /boot

Rewrite for clarity and robustness.
Add exception for /boot which may use ext2.

- - - - -
7584d0c4 by Guido Berhoerster at 2023-09-20T08:23:42+02:00
testsuite/ldap-client: fix invocation of ldapsearch

The -h command line option has been removed, ldapsearch now only accepts an LDAP
URI via the -H option. Use dig and awk instead of host and interpret the SRV
record properly.

- - - - -
92cba3da by Guido Berhoerster at 2023-09-20T08:23:42+02:00
testsuite/ldap-client: improve error message on PAM modules

Also do not use the deprecated egrep and get rid of unnecessary wc.

- - - - -
7b4304a4 by Guido Berhoerster at 2023-09-20T08:23:42+02:00
testsuite/ldap-server: fix invocation of ldapsearch

The -h command line option has been removed, ldapsearch now only accepts an LDAP
URI via the -H option.

- - - - -
3504627e by Guido Berhoerster at 2023-09-20T08:23:42+02:00
Fix remaining invocations of ldapsearch

- - - - -
6d803b3a by Guido Berhoerster at 2023-09-20T08:26:17+02:00
Disable the LDAP PAM module

- - - - -


6 changed files:

- README
- cf3/cf.ldapclient
- etc/ldap/rootDSE-debian-edu.ldif
- testsuite/filesystems
- testsuite/ldap-client
- testsuite/ldap-server


Changes:

=====================================
README
=====================================
@@ -277,7 +277,7 @@ by MS AD, by adding the _ldap._tcp SRV records, or just using our
  - use _ldap._tcp SRV record to find LDAP server
  - use ldap "root" object to find LDAP tree info (like AD
    defaultNamingContext attribute)
-    "ldapsearch -x -s base -h $server -b '' -x '*'"
+    "ldapsearch -x -s base -H ldap://$server -b '' -x '*'"
  - subnet three with relevant information?  AD have subtree
      "CN=Subnets,CN=Sites,CN=Configuration,$base" with objectClass=subnet
      objects.


=====================================
cf3/cf.ldapclient
=====================================
@@ -8,6 +8,12 @@ commands:
 
     "/usr/share/debian-edu-config/tools/setup-roaming"
       contain => in_shell;
+
+# remove PAM LDAP module
+  debian.!roaming.installation::
+
+    "/usr/sbin/pam-auth-update --disable ldap"
+      contain => in_shell;
 }
 
 bundle agent editline_ldapclient
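Review bot: The new `# remove PAM LDAP module` comment says what the promise does but not why, and the commit message "Disable the LDAP PAM module" adds nothing; the testsuite/ldap-client change in this same push insists that exactly one of the krb5, ldap and sss PAM modules is enabled, which looks like the motivation, but a reader of cf.ldapclient cannot see that. Suggest `# disable pam_ldap so that only one of the krb5/ldap/sss PAM modules is active (checked by testsuite/ldap-client)`. The class guard `debian.!roaming.installation::` presumably restricts the `pam-auth-update --disable ldap` run to non-roaming installs; if roaming workstations are meant to keep pam_ldap, a half-sentence in the comment saying so would make the exclusion look deliberate rather than accidental.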


=====================================
etc/ldap/rootDSE-debian-edu.ldif
=====================================
@@ -1,5 +1,5 @@
 # This entry is available using
-#   ldapsearch -LLL -h ldap  -s base -b '' -x '*' +
+#   ldapsearch -LLL -H ldap://ldap  -s base -b '' -x '*' +
 dn:
 objectClass: labeledURIObject
 labeledURI: http://www.skolelinux.org/ LDAP for Debian Edu/Skolelinux


=====================================
testsuite/filesystems
=====================================
@@ -1,58 +1,65 @@
 #!/bin/sh
 #
-# Check that we are using ext3, not ext2
+# Check that we are using ext3/4 filesystems with expected options
 
 if test -r /etc/debian-edu/config ; then
     . /etc/debian-edu/config
 fi
 
-LANG=C
-export LANG
-
-awk "/ext2/ { print \"error: $0: Using ext2 on\",\$2 }" /proc/mounts
-awk "/ext3|ext4/ { print \"success: $0: Using ext3 on\",\$2 }" /proc/mounts
-
-# Check if the filesystems on the mountpoints support acls
-for f in `grep 'ext' /proc/mounts|awk '{print $1}'`; do
-     if [ `chacl -l $f | grep 'cannot get'` ]; then
-        echo "error: $0: $f doesn't support acls" 
-     else
-        echo "success: $0: $f supports acls"
-     fi
-done
-
-# Make sure all ext3/ext4 mount points are online resizable
-for p in `(df -Pt ext3 2>/dev/null;df -Pt ext4 2>/dev/null) | grep -v ^Filesystem |awk '{print $1}'`; do 
-    if tune2fs -l $p| grep features | grep -q resize_inode ; then
-	:
-    else
-	echo "error: $0: Missing resize_inode in ext3/ext4 fs $p"
-    fi
-done
+LC_ALL=C
+export LC_ALL
+
+scriptname="$0"
+
+while read -r line; do
+    set -- $line
+    case $3 in
+        ext2)
+            if [ $2 != '/boot' ]; then
+                printf 'error: %s: Using ext2 on %s\n' "${scriptname}" "$1"
+            fi
+            ;;
+        ext3|ext4)
+            printf 'success: %s: Using ext3/4 on %s\n' "${scriptname}" "$1"
 
-if echo "$PROFILE" | grep -q Main-Server ; then
+            # Check if the filesystems on the mountpoints support acls
+            if chacl -l "$1" >/dev/null 2>&1; then
+                printf "success: %s: %s supports acls\n" "${scriptname}" "$1"
+            else
+                printf "error: %s: %s doesn't support acls\n" "${scriptname}" "$1"
+            fi
+
+            # Make sure all ext3/ext4 mount points are online resizable
+            if ! tune2fs -l "$1" | grep -q '^Filesystem features:.* resize_inode'; then
+                printf 'error: %s: Missing resize_inode in ext3/ext4 fs %s\n' "${scriptname}" "$2"
+            fi
+            ;;
+    esac
+done </proc/mounts
+
+case $PROFILE in
+*Main-Server*)
     # Make sure autofs do not hide the real file systems
     if [ -d /skole/tjener/home0/lost+found ] ; then
-	echo "success: $0: Found lost+found in /skole/tjener/home0/"
+        printf 'success: %s: Found lost+found in /skole/tjener/home0/\n' "${scriptname}"
     else
-	echo "error: $0: No lost+found in /skole/tjener/home0/.  Blocked by autofs?"
+        printf 'error: %s: No lost+found in /skole/tjener/home0/.  Blocked by autofs?\n' "${scriptname}"
     fi
 
     # Make sure home0 and backup have acl and user_xattr enabled.  See
     # if bug #638822 is present or not.
     for dir in /skole/tjener/home0 /skole/backup; do
-	dev="$(LC_ALL=C df -P /var/log|awk '/%/ {print $1}')"
-	for opt in acl user_xattr ; do
-	    if LC_ALL=C tune2fs -l "$dev" | \
-		grep 'Default mount' | \
-		grep -qw $opt ; then
-		echo "success: $0: Found option $opt in $dir."
-	    else
-		echo "error: $0: Did not find option $opt in $dir."
-	    fi
-	done
+        dev="$(findmnt -T "${dir}" -n -o SOURCE)"
+        for opt in acl user_xattr; do
+            if tune2fs -l "${dev}" | grep -q "^Default mount options:.* ${opt}"; then
+                printf "success: %s: Found option %s in %s.\n" "${scriptname}" "${opt}" "${dir}"
+            else
+                printf "error: %s: Did not find option %s in %s.\n" "${scriptname}" "${opt}" "${dir}"
+            fi
+        done
     done
-fi
+    ;;
+esac
 
 # Report too full file systems.  Should have at least 20% free to
 # avoid warning from Nagios, preferably between 20% and 25%.
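Review bot: The ACL probe `chacl -l "$1" >/dev/null 2>&1` runs on field 1 of /proc/mounts, i.e. the device node (a path under /dev), so it reports whether the filesystem that holds /dev supports ACLs, not whether the mounted ext3/4 filesystem does; the old `chacl -l $f` had the same flaw, and the rewrite keeps it. Use the mount point instead, `if chacl -l "$2" >/dev/null 2>&1; then`, and print `"$2"` in the two acl messages, which also makes them consistent with the resize_inode message that already names `$2`. The `[ $2 != '/boot' ]` test leaves `$2` unquoted; `[ "$2" != '/boot' ]` is the safe form even though /proc/mounts never yields an empty field there. Note also that /proc/mounts escapes spaces in paths as `\040`, so after `set -- $line` such a path reaches chacl and tune2fs in escaped form; probably acceptable for this testsuite, but worth a one-line comment at the `set -- $line` line.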


=====================================
testsuite/ldap-client
=====================================
@@ -24,13 +24,20 @@ fi
 
 RESULT=0
 
-# Locate LDAP server dynamically, by looking up SRV records.  The -N 2
+# Locate LDAP server dynamically, by looking up SRV records.  The +ndots=2
 # argument is tested and found to work with the debian package
 # bind9-host, and not with the host package.
-ldap_servers=$(host -N 2 -t srv _ldap._tcp | rev | awk '/VRS/ {print $1}' | cut -d. -f2- | rev)
-# Cut the list to one server as we do not handle redundant servers at
-# the moment.
-ldap_server=$(echo $ldap_servers | awk '{print $1}')
+ldap_server_port="$(dig +search +ndots=2 +short _ldap._tcp srv | awk '
+(t == "") || ($1 < prio) {
+    prio = $1
+    t = $4
+    sub(/\.$/,"",t)
+    p = $3
+}
+END { if (t != "") printf("%s:%d", t, p) }
+')"
+ldap_server="${ldap_server_port%:*}"
+ldap_server_uri="ldap://${ldap_server_port}"
 
 # Test if LDAP server is reachable
 if ping -c1 $ldap_server > /dev/null 2>&1 ; then
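Review bot: The comment above the `dig` call is now stale: it still says the option "is tested and found to work with the debian package bind9-host, and not with the host package", but the code no longer runs host at all, so that distinction no longer applies; reword it to describe what `+search +ndots=2` does for dig or drop the sentence. The awk program keeps only the lowest-priority SRV record and ignores the weight field (`$2`), so among equal-priority servers the first printed record always wins; a comment such as `# pick the lowest-priority SRV target; weight is ignored` would save the next reader from rediscovering that. When the lookup yields nothing, `ldap_server` ends up empty and the `ping -c1 $ldap_server` check falls through to the ldap.intern fallback below, which appears intended but is worth stating next to the assignment.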
@@ -39,6 +46,7 @@ else
     error "Dynamically located LDAP server '$ldap_server' is not pingable, continuing tests using DNS alias ldap."
     # Autodetection failed, use hardcoded DNS name for the rest of the tests
     ldap_server=ldap.intern
+    ldap_server_uri="ldap://${ldap_server}"
 fi
 
 for file in nslcd.conf ; do
@@ -68,8 +76,10 @@ else
     SERVICES="$SERVICES nscd"
 fi
 
-host -a -t srv _ldap._tcp | sed "s/^/info: SRV record from DNS: /"
-host -a "$ldap_server" | sed "s/^/info: LDAP server from DNS: /"
+printf 'info: SRV record from DNS: '
+dig +search +ndots=2 +noall +answer +nocomments _ldap._tcp srv
+printf 'info: LDAP server from DNS: '
+dig +noall +answer +nocomments "$ldap_server"
 
 if [ -f /etc/nslcd.conf ] ; then
     if grep -Eq "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then
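Review bot: The removed `sed "s/^/info: …/"` prefixed every output line, whereas the new `printf 'info: SRV record from DNS: '` followed by `dig` labels only the first line: a multi-record SRV answer prints its second and later lines unprefixed, and when dig returns no answer the unterminated `info:` prefix is glued onto whatever is printed next. Keep the pipe form, `dig +search +ndots=2 +noall +answer +nocomments _ldap._tcp srv | sed 's/^/info: SRV record from DNS: /'`, and likewise `dig +noall +answer +nocomments "$ldap_server" | sed 's/^/info: LDAP server from DNS: /'` for the second printf/dig pair in this hunk.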
@@ -116,13 +126,13 @@ done
 
 if [ -x /usr/bin/ldapsearch ] ; then
     namingContexts="$(
-        ldapsearch -s base -h $ldap_server -b '' -x '*' '+' | \
+        ldapsearch -s base -H "${ldap_server_uri}" -b '' -x '*' '+' | \
             awk '/^namingContexts:/ {print $2}' | head -1
         )"
     echo info: $0: LDAP rootDSE namingContext: $namingContexts
 
     LDAP_MOUNTS="$(
-        ldapsearch -LLL -h $ldap_server -b $namingContexts \
+        ldapsearch -LLL -H "${ldap_server_uri}" -b $namingContexts \
                    -x '(objectClass=automount)' |\
             grep "^cn:" | while read attr val; do
                 echo "$val"
@@ -137,10 +147,10 @@ if [ -x /usr/bin/ldapsearch ] ; then
 
     # Try a search using TLS too
     group=admins
-    if ldapsearch -ZZ -LLL -h $ldap_server -b $namingContexts \
+    if ldapsearch -ZZ -LLL -H "${ldap_server_uri}" -b $namingContexts \
                   -x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then
         success "TLS search on $ldap_server for cn=$group returned OK exit code."
-    elif ldapsearch -ZZ -LLL -h ldap.intern -b $namingContexts \
+    elif ldapsearch -ZZ -LLL -H ldap://ldap.intern -b $namingContexts \
                   -x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then
         success "TLS search on ldap.intern for cn=$group returned OK exit code."
     else 
@@ -162,10 +172,10 @@ else
     error "Missing LDAP certificate $pubcert"
 fi
 
-if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | egrep 'pam_krb5.so|pam_ldap.so|pam_sss.so' | wc -l) ] ; then
+if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | grep -Ec 'pam_krb5.so|pam_ldap.so|pam_sss.so') ] ; then
     success "Only one PAM module of krb5, ldap and sss is enabled"
 else
-    error "Not only one PAM module of krb5, ldap and sss is enabled"
+    error "More than one PAM module of krb5, ldap and sss is enabled"
 fi
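Review bot: The new message `More than one PAM module of krb5, ldap and sss is enabled` is wrong for the other way this test fails: `grep -Ec` prints 0 when none of the three modules is enabled, and the else branch then still reports "more than one", whereas the old "Not only one" wording covered both cases. Capture the count and report it: `n=$(grep -v '^#' /etc/pam.d/common-auth | grep -Ec 'pam_krb5\.so|pam_ldap\.so|pam_sss\.so')`, `if [ 1 -eq "$n" ] ; then`, and `error "Expected exactly one PAM module of krb5, ldap and sss to be enabled, found $n"`. Escaping the dots is incidental but makes the patterns match the literal module names.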
 
 # Make sure winbind PAM module isn't active


=====================================
testsuite/ldap-server
=====================================
@@ -73,11 +73,11 @@ netstat -a --numeric-hosts | grep :ldap |
 # limit (32768) file descriptors were tried but required incresing
 # file-max, took very long and caused very high load on the server
 # during testing.
-ldap_server=ldap
+ldap_server_uri=ldap
 limit=1200
 ulimit -n 2048
 
-if ldapsearch -s base -h $ldap_server -b '' -x '*' '+' > /dev/null 2>&1 ; then
+if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
     echo "success: $0: search work before flodding the LDAP server with $limit connections."
 else 
     echo "error: $0: search fail before flodding the LDAP server with $limit connections"
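Review bot: `ldap_server=ldap` was renamed to `ldap_server_uri=ldap`, yet every use in this hunk and the next (`ldap://$ldap_server` in both ldapsearch calls and `Net::LDAP->new('ldap://$ldap_server', …)` in the perl line at the second hunk) still reads `$ldap_server`, so unless that variable is assigned earlier in the file, outside the hunk, it is now empty and the searches go to `ldap://`; `$ldap_server_uri` is never read. Restore `ldap_server=ldap`, or, if a URI variable is wanted, set `ldap_server_uri="ldap://$ldap_server"` and pass `-H "$ldap_server_uri"` to ldapsearch as testsuite/ldap-client does in this same push.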
@@ -86,7 +86,7 @@ fi
 
 perl -MNet::LDAP -e "sleep(5); my @c; for my \$n (0 .. $limit) { \$c[\$n] = Net::LDAP->new('ldap://$ldap_server', onerror => undef); my \$root = \$c[\$n]->root_dse() if \$c[\$n]; } sleep(5);"
 
-if ldapsearch -s base -h $ldap_server -b '' -x '*' '+' > /dev/null 2>&1 ; then
+if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
     echo "success: $0: search work after flodding the LDAP server with $limit connections."
 else 
     echo "error: $0: search fail after flodding the LDAP server with $limit connections"


