[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 6 commits: Rewrite testsuite/filesystems, add exception for /boot
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Thu Sep 21 07:18:00 BST 2023
Mike Gabriel pushed to branch master at Debian Edu / debian-edu-config
Commits:
47cc42ed by Guido Berhoerster at 2023-09-20T08:23:42+02:00
Rewrite testsuite/filesystems, add exception for /boot
Rewrite for clarity and robustness.
Add exception for /boot which may use ext2.
- - - - -
7584d0c4 by Guido Berhoerster at 2023-09-20T08:23:42+02:00
testsuite/ldap-client: fix invocation of ldapsearch
The -h command line option has been removed; ldapsearch now only accepts an LDAP
URI via the -H option. Use dig and awk instead of host and interpret the SRV
record properly.
- - - - -
92cba3da by Guido Berhoerster at 2023-09-20T08:23:42+02:00
testsuite/ldap-client: improve error message on PAM modules
Also do not use the deprecated egrep and get rid of unnecessary wc.
- - - - -
7b4304a4 by Guido Berhoerster at 2023-09-20T08:23:42+02:00
testsuite/ldap-server: fix invocation of ldapsearch
The -h command line option has been removed; ldapsearch now only accepts an LDAP
URI via the -H option.
- - - - -
3504627e by Guido Berhoerster at 2023-09-20T08:23:42+02:00
Fix remaining invocations of ldapsearch
- - - - -
6d803b3a by Guido Berhoerster at 2023-09-20T08:26:17+02:00
Disable the LDAP PAM module
- - - - -
6 changed files:
- README
- cf3/cf.ldapclient
- etc/ldap/rootDSE-debian-edu.ldif
- testsuite/filesystems
- testsuite/ldap-client
- testsuite/ldap-server
Changes:
=====================================
README
=====================================
@@ -277,7 +277,7 @@ by MS AD, by adding the _ldap._tcp SRV records, or just using our
- use _ldap._tcp SRV record to find LDAP server
- use ldap "root" object to find LDAP tree info (like AD
defaultNamingContext attribute)
- "ldapsearch -x -s base -h $server -b '' -x '*'"
+ "ldapsearch -x -s base -H ldap://$server -b '' -x '*'"
- subnet three with relevant information? AD have subtree
"CN=Subnets,CN=Sites,CN=Configuration,$base" with objectClass=subnet
objects.
=====================================
cf3/cf.ldapclient
=====================================
@@ -8,6 +8,12 @@ commands:
"/usr/share/debian-edu-config/tools/setup-roaming"
contain => in_shell;
+
+# remove PAM LDAP module
+ debian.!roaming.installation::
+
+ "/usr/sbin/pam-auth-update --disable ldap"
+ contain => in_shell;
}
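Review bot: The new `pam-auth-update --disable ldap` command carries no why-comment and the commit message ("Disable the LDAP PAM module") gives no rationale either, so a future maintainer cannot tell whether re-enabling it is harmless. Suggest replacing the bare `# remove PAM LDAP module` with something like `# Authentication goes through Kerberos; pam_ldap is not needed and the ldap-client testsuite requires exactly one of pam_krb5/pam_ldap/pam_sss to be enabled` — adjusted to the real reason, since this is inferred from the testsuite change in the same push rather than stated anywhere. The command is gated on the `installation` class, so hosts installed before this change will presumably keep pam_ldap enabled unless something else removes it; confirm that is intended. `contain => in_shell` is unnecessary for a plain command with no shell metacharacters and can be dropped.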
bundle agent editline_ldapclient
=====================================
etc/ldap/rootDSE-debian-edu.ldif
=====================================
@@ -1,5 +1,5 @@
# This entry is available using
-# ldapsearch -LLL -h ldap -s base -b '' -x '*' +
+# ldapsearch -LLL -H ldap://ldap -s base -b '' -x '*' +
dn:
objectClass: labeledURIObject
labeledURI: http://www.skolelinux.org/ LDAP for Debian Edu/Skolelinux
=====================================
testsuite/filesystems
=====================================
@@ -1,58 +1,65 @@
#!/bin/sh
#
-# Check that we are using ext3, not ext2
+# Check that we are using ext3/4 filesystems with expected options
if test -r /etc/debian-edu/config ; then
. /etc/debian-edu/config
fi
-LANG=C
-export LANG
-
-awk "/ext2/ { print \"error: $0: Using ext2 on\",\$2 }" /proc/mounts
-awk "/ext3|ext4/ { print \"success: $0: Using ext3 on\",\$2 }" /proc/mounts
-
-# Check if the filesystems on the mountpoints support acls
-for f in `grep 'ext' /proc/mounts|awk '{print $1}'`; do
- if [ `chacl -l $f | grep 'cannot get'` ]; then
- echo "error: $0: $f doesn't support acls"
- else
- echo "success: $0: $f supports acls"
- fi
-done
-
-# Make sure all ext3/ext4 mount points are online resizable
-for p in `(df -Pt ext3 2>/dev/null;df -Pt ext4 2>/dev/null) | grep -v ^Filesystem |awk '{print $1}'`; do
- if tune2fs -l $p| grep features | grep -q resize_inode ; then
- :
- else
- echo "error: $0: Missing resize_inode in ext3/ext4 fs $p"
- fi
-done
+LC_ALL=C
+export LC_ALL
+
+scriptname="$0"
+
+while read -r line; do
+ set -- $line
+ case $3 in
+ ext2)
+ if [ $2 != '/boot' ]; then
+ printf 'error: %s: Using ext2 on %s\n' "${scriptname}" "$1"
+ fi
+ ;;
+ ext3|ext4)
+ printf 'success: %s: Using ext3/4 on %s\n' "${scriptname}" "$1"
-if echo "$PROFILE" | grep -q Main-Server ; then
+ # Check if the filesystems on the mountpoints support acls
+ if chacl -l "$1" >/dev/null 2>&1; then
+ printf "success: %s: %s supports acls\n" "${scriptname}" "$1"
+ else
+ printf "error: %s: %s doesn't support acls\n" "${scriptname}" "$1"
+ fi
+
+ # Make sure all ext3/ext4 mount points are online resizable
+ if ! tune2fs -l "$1" | grep -q '^Filesystem features:.* resize_inode'; then
+ printf 'error: %s: Missing resize_inode in ext3/ext4 fs %s\n' "${scriptname}" "$2"
+ fi
+ ;;
+ esac
+done </proc/mounts
+
+case $PROFILE in
+*Main-Server*)
# Make sure autofs do not hide the real file systems
if [ -d /skole/tjener/home0/lost+found ] ; then
- echo "success: $0: Found lost+found in /skole/tjener/home0/"
+ printf 'success: %s: Found lost+found in /skole/tjener/home0/\n' "${scriptname}"
else
- echo "error: $0: No lost+found in /skole/tjener/home0/. Blocked by autofs?"
+ printf 'error: %s: No lost+found in /skole/tjener/home0/. Blocked by autofs?\n' "${scriptname}"
fi
# Make sure home0 and backup have acl and user_xattr enabled. See
# if bug #638822 is present or not.
for dir in /skole/tjener/home0 /skole/backup; do
- dev="$(LC_ALL=C df -P /var/log|awk '/%/ {print $1}')"
- for opt in acl user_xattr ; do
- if LC_ALL=C tune2fs -l "$dev" | \
- grep 'Default mount' | \
- grep -qw $opt ; then
- echo "success: $0: Found option $opt in $dir."
- else
- echo "error: $0: Did not find option $opt in $dir."
- fi
- done
+ dev="$(findmnt -T "${dir}" -n -o SOURCE)"
+ for opt in acl user_xattr; do
+ if tune2fs -l "${dev}" | grep -q "^Default mount options:.* ${opt}"; then
+ printf "success: %s: Found option %s in %s.\n" "${scriptname}" "${opt}" "${dir}"
+ else
+ printf "error: %s: Did not find option %s in %s.\n" "${scriptname}" "${opt}" "${dir}"
+ fi
+ done
done
-fi
+ ;;
+esac
# Report too full file systems. Should have at least 20% free to
# avoid warning from Nagios, preferably between 20% and 25%.
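Review bot: The ACL probe `chacl -l "$1"` runs against field 1 of /proc/mounts, i.e. the block device node such as /dev/sda1, which presumably lives on devtmpfs, so it reports whether devtmpfs supports ACLs rather than the mounted ext filesystem; the old loop had the same flaw, but the rewrite is the moment to fix it by probing the mount point: `if chacl -l "$2" >/dev/null 2>&1; then`. The "Using ext2 on %s" and "Using ext3/4 on %s" messages now print `$1` (the device) where the old awk printed the mount point and where the resize_inode message still prints `$2`; use `"$2"` in all three so the output is consistent. Also quote the comparison, `if [ "$2" != '/boot' ]; then`, and note in a comment that `set -- $line` is safe only because /proc/mounts octal-escapes whitespace in mount points (`\040`), which the script does not unescape. Since `/boot` is exempted by mount point, a separate ext2 `/boot/efi`-style layout would still be flagged — fine if that is the intent, but worth a word in the comment.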
=====================================
testsuite/ldap-client
=====================================
@@ -24,13 +24,20 @@ fi
RESULT=0
-# Locate LDAP server dynamically, by looking up SRV records. The -N 2
+# Locate LDAP server dynamically, by looking up SRV records. The +ndots=2
# argument is tested and found to work with the debian package
# bind9-host, and not with the host package.
-ldap_servers=$(host -N 2 -t srv _ldap._tcp | rev | awk '/VRS/ {print $1}' | cut -d. -f2- | rev)
-# Cut the list to one server as we do not handle redundant servers at
-# the moment.
-ldap_server=$(echo $ldap_servers | awk '{print $1}')
+ldap_server_port="$(dig +search +ndots=2 +short _ldap._tcp srv | awk '
+(t == "") || ($1 < prio) {
+ prio = $1
+ t = $4
+ sub(/\.$/,"",t)
+ p = $3
+}
+END { if (t != "") printf("%s:%d", t, p) }
+')"
+ldap_server="${ldap_server_port%:*}"
+ldap_server_uri="ldap://${ldap_server_port}"
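Review bot: The comment kept above the lookup still says +ndots=2 "is tested and found to work with the debian package bind9-host, and not with the host package", which described the old `host -N 2` call; the code now uses dig (bind9-dnsutils), so the sentence should be rewritten, e.g. `# Locate the LDAP server via the _ldap._tcp SRV record; +search +ndots=2 lets dig resolve the short name through the search domain. Weight is ignored: the first record of the lowest priority wins.` The awk filter also accepts every stdout line from dig; as far as I know dig writes `;; connection timed out; no servers could be reached` to stdout even with +short, which the first rule would take as a record (t becomes the fourth word, p a non-number). Guard the rule with a numeric test: `$1 ~ /^[0-9]+$/ && ((t == "") || ($1 < prio)) {`. The dropped "Cut the list to one server" comment is the only place the single-server limitation was documented; the proposed comment above restores that.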
# Test if LDAP server is reachable
if ping -c1 $ldap_server > /dev/null 2>&1 ; then
@@ -39,6 +46,7 @@ else
error "Dynamically located LDAP server '$ldap_server' is not pingable, continuing tests using DNS alias ldap."
# Autodetection failed, use hardcoded DNS name for the rest of the tests
ldap_server=ldap.intern
+ ldap_server_uri="ldap://${ldap_server}"
fi
for file in nslcd.conf ; do
@@ -68,8 +76,10 @@ else
SERVICES="$SERVICES nscd"
fi
-host -a -t srv _ldap._tcp | sed "s/^/info: SRV record from DNS: /"
-host -a "$ldap_server" | sed "s/^/info: LDAP server from DNS: /"
+printf 'info: SRV record from DNS: '
+dig +search +ndots=2 +noall +answer +nocomments _ldap._tcp srv
+printf 'info: LDAP server from DNS: '
+dig +noall +answer +nocomments "$ldap_server"
if [ -f /etc/nslcd.conf ] ; then
if grep -Eq "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then
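Review bot: `printf 'info: SRV record from DNS: '` emits no newline, so the prefix attaches only to dig's first answer line, and when dig returns no answer the following `printf 'info: LDAP server from DNS: '` is glued onto the same output line. The sed form that was removed prefixed every line and handled the empty case; keep it: `dig +search +ndots=2 +noall +answer +nocomments _ldap._tcp srv | sed 's/^/info: SRV record from DNS: /'` and likewise `dig +noall +answer +nocomments "$ldap_server" | sed 's/^/info: LDAP server from DNS: /'`. The context line `grep -Eq "^uri (ldap|$ldap_server)"` interpolates the DNS-derived target into an extended regex; a metacharacter in an SRV target is unlikely but a `grep -F` check per alternative would be safer — pre-existing, not introduced here.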
@@ -116,13 +126,13 @@ done
if [ -x /usr/bin/ldapsearch ] ; then
namingContexts="$(
- ldapsearch -s base -h $ldap_server -b '' -x '*' '+' | \
+ ldapsearch -s base -H "${ldap_server_uri}" -b '' -x '*' '+' | \
awk '/^namingContexts:/ {print $2}' | head -1
)"
echo info: $0: LDAP rootDSE namingContext: $namingContexts
LDAP_MOUNTS="$(
- ldapsearch -LLL -h $ldap_server -b $namingContexts \
+ ldapsearch -LLL -H "${ldap_server_uri}" -b $namingContexts \
-x '(objectClass=automount)' |\
grep "^cn:" | while read attr val; do
echo "$val"
@@ -137,10 +147,10 @@ if [ -x /usr/bin/ldapsearch ] ; then
# Try a search using TLS too
group=admins
- if ldapsearch -ZZ -LLL -h $ldap_server -b $namingContexts \
+ if ldapsearch -ZZ -LLL -H "${ldap_server_uri}" -b $namingContexts \
-x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then
success "TLS search on $ldap_server for cn=$group returned OK exit code."
- elif ldapsearch -ZZ -LLL -h ldap.intern -b $namingContexts \
+ elif ldapsearch -ZZ -LLL -H ldap://ldap.intern -b $namingContexts \
-x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then
success "TLS search on ldap.intern for cn=$group returned OK exit code."
else
@@ -162,10 +172,10 @@ else
error "Missing LDAP certificate $pubcert"
fi
-if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | egrep 'pam_krb5.so|pam_ldap.so|pam_sss.so' | wc -l) ] ; then
+if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | grep -Ec 'pam_krb5.so|pam_ldap.so|pam_sss.so') ] ; then
success "Only one PAM module of krb5, ldap and sss is enabled"
else
- error "Not only one PAM module of krb5, ldap and sss is enabled"
+ error "More than one PAM module of krb5, ldap and sss is enabled"
fi
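Review bot: The new wording `More than one PAM module of krb5, ldap and sss is enabled` is wrong for the other failing case: the `1 -eq` test also fails when none of the three modules is enabled (count 0), which the old "Not only one" text covered, and with cf.ldapclient now disabling pam_ldap in the same push a zero count is a realistic misconfiguration. Capture the count and report it: `count=$(grep -v '^#' /etc/pam.d/common-auth | grep -Ec 'pam_krb5.so|pam_ldap.so|pam_sss.so')`, `if [ "$count" -eq 1 ]; then`, and `error "Expected exactly one PAM module of krb5, ldap and sss in common-auth, found $count"`. Note that `grep -v '^#'` does not drop indented comment lines and the pattern matches the module name anywhere on a line, so an indented commented-out module would still be counted — worth a comment if that is accepted.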
# Make sure winbind PAM module isn't active
=====================================
testsuite/ldap-server
=====================================
@@ -73,11 +73,11 @@ netstat -a --numeric-hosts | grep :ldap |
# limit (32768) file descriptors were tried but required incresing
# file-max, took very long and caused very high load on the server
# during testing.
-ldap_server=ldap
+ldap_server_uri=ldap
limit=1200
ulimit -n 2048
-if ldapsearch -s base -h $ldap_server -b '' -x '*' '+' > /dev/null 2>&1 ; then
+if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
echo "success: $0: search work before flodding the LDAP server with $limit connections."
else
echo "error: $0: search fail before flodding the LDAP server with $limit connections"
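Review bot: `ldap_server_uri=ldap` renames the variable, but every consumer still expands `$ldap_server` — both `ldapsearch -s base -H "ldap://$ldap_server"` calls and the perl `Net::LDAP->new('ldap://$ldap_server', ...)` in the next hunk — so unless `ldap_server` is assigned earlier in the file (not visible here) they now get `ldap://`, which ldapsearch treats as localhost:389 and may therefore still "pass" when run on the server itself, while Net::LDAP gets an empty host and the flood test no longer exercises anything. Either restore `ldap_server=ldap`, or set `ldap_server_uri=ldap://ldap` and use `-H "$ldap_server_uri"` in both ldapsearch calls and `Net::LDAP->new('$ldap_server_uri', ...)` in the perl. The flood test continues past this hunk.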
@@ -86,7 +86,7 @@ fi
perl -MNet::LDAP -e "sleep(5); my @c; for my \$n (0 .. $limit) { \$c[\$n] = Net::LDAP->new('ldap://$ldap_server', onerror => undef); my \$root = \$c[\$n]->root_dse() if \$c[\$n]; } sleep(5);"
-if ldapsearch -s base -h $ldap_server -b '' -x '*' '+' > /dev/null 2>&1 ; then
+if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
echo "success: $0: search work after flodding the LDAP server with $limit connections."
else
echo "error: $0: search fail after flodding the LDAP server with $limit connections"