[debian-edu-commits] [Git][debian-edu/debian-edu-config][mr/fix-dovecot-2.4-passdb-syntax] 6 commits: Add new file 'debian-edu-router.ldif'. Empty proxy groups should be installed on all new Tjeners.

Fri May 22 23:29:30 BST 2026


Mike Gabriel pushed to branch mr/fix-dovecot-2.4-passdb-syntax at Debian Edu / debian-edu-config


Commits:
e7f8fe8b by Daniel Teichmann at 2026-03-13T16:54:07+01:00
Add new file 'debian-edu-router.ldif'. Empty proxy groups should be installed on all new Tjeners.

These are preconfigured empty proxy groups for the use in Debian Edu Router.
See Debian Edu Router Plugin: Content filter at https://salsa.debian.org/debian-edu/debian-edu-router/-/tree/master/docs.

- - - - -
1342f54b by Daniel Teichmann at 2026-03-13T16:54:10+01:00
ldap-bootstrap/debian-edu-router.ldif: Add 'server-hosts' nisNetgroup to 'proxy-trusted' nisNetgroup, via 'memberNisNetgroup' attribute.

- - - - -
ae91d71a by Daniel Teichmann at 2026-03-13T16:54:10+01:00
share/debian-edu-config/gosa.conf.template: Activate nisNetgroup tab for user accounts.

This makes it possible to add a user into a nisNetgroup while editing a user.
This is a fine addition to the already present 'NIS Netgroup' tab on the left.

- - - - -
c53528cf by Mike Gabriel at 2026-05-07T22:28:30+02:00
share/debian-edu-config/tools/copy-host-keytab: Support SSH publickey login to tjener, if this is possible (e.g. if admin is using SSH agent forwarding).

- - - - -
b892e2fa by Daniel Teichmann at 2026-05-22T22:28:45+00:00
apache2 debian-edu-default.conf: Do not force HTTPS on *.crt (including Debian-Edu_rootCA.crt).

Closes: #1068388

- - - - -
a624dc1c by Daniel Teichmann at 2026-05-22T22:29:28+00:00
etc/dovecot/local.conf: Fix passdb block syntax for Dovecot 2.4.x compatibility.

Dovecot 2.4.x introduced a breaking change to the passdb/userdb
configuration block syntax. A prior commit 63523d4c partially adapted
etc/dovecot/local.conf to Dovecot 2.4.x by splitting mail_location
into mail_driver, mail_path, and mail_inbox_path, but did not update
the passdb block, leaving the configuration broken.

This causes Dovecot to fail immediately at startup with:
  - doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line 10: passdb { }
  - dovecot.service: Main process exited, code=exited, status=89/n/a

- - - - -


7 changed files:

- Makefile
- etc/apache2/sites-available/debian-edu-default.conf
- etc/dovecot/local.conf
- + ldap-bootstrap/debian-edu-router.ldif
- ldap-tools/ldap-debian-edu-install
- share/debian-edu-config/gosa.conf.template
- share/debian-edu-config/tools/copy-host-keytab


Changes:

=====================================
Makefile
=====================================
@@ -195,6 +195,7 @@ LDIFS = \
 	ltsp.ldif \
 	gosa.ldif \
 	gosa-server.ldif \
+	debian-edu-router.ldif \
 	$(NULL)
 
 LDAPPROGRAMS = \


=====================================
etc/apache2/sites-available/debian-edu-default.conf
=====================================
@@ -7,7 +7,9 @@
 	<Directory /etc/debian-edu/www/ >
 		RewriteEngine On
 		RewriteCond %{SERVER_PORT} 80
+		# HTTP only: wpad.dat + Debian-Edu_rootCA.crt
 		RewriteCond %{REQUEST_URI} !\.dat$
+		RewriteCond %{REQUEST_URI} !\.crt$
 		RewriteRule ^(.*)$ https://%{SERVER_ADDRESS}/$1 [R=301,L]
 		Options Indexes FollowSymLinks MultiViews
 		AllowOverride None


=====================================
etc/dovecot/local.conf
=====================================
@@ -7,8 +7,12 @@ auth_gssapi_hostname = postoffice.intern
 mail_driver = maildir
 mail_path = ~/Maildir
 mail_inbox_path = /var/mail/%u
-passdb {
-  args = uid=uid home=homeDirectory
-  driver = static
+
+passdb static {
+  fields {
+    uid = uid
+    home = homeDirectory
+  }
 }
+
 protocols = "imap"


=====================================
ldap-bootstrap/debian-edu-router.ldif
=====================================
@@ -0,0 +1,37 @@
+dn: cn=proxy-trusted,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-trusted
+description: Completely unfiltered internet access (+ bypasses NAT/T-P-M) - ProxyTrusted{User,Client} - Debian Edu Router Plugin: Content filter
+# This should enable direct unNAT'ted (bypasses transparent-proxy-mode) internet access to all internal servers in the Debian Edu network.
+memberNisNetgroup: server-hosts
+
+dn: cn=proxy-allow,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-allow
+description: Generally unfiltered internet access - ProxyAllow{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-deny,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-deny
+description: Disables internet access completely - ProxyDeny{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-blacklist,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-blacklist
+description: Allows all but specific blacklisted websites - ProxyBlacklist{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-whitelist,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-whitelist
+description: Allows nothing but specific whitelisted websites - ProxyWhitelist{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-noauth-client,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-noauth-client
+description: Fully disable auth. for these clients (BYOD Clients) - ProxyNoauthClient - Debian Edu Router Plugin: Content filter


=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -282,7 +282,8 @@ EOF
     /etc/ldap/gosa-server.ldif \
     /etc/ldap/ltsp.ldif \
     /etc/ldap/firstuser.ldif \
-    /etc/ldap/krb5.ldif
+    /etc/ldap/krb5.ldif \
+    /etc/ldap/debian-edu-router.ldif
   do
       if cat $ldif | sed -e "s:\$ROOTPWDHASH:$ROOTPWDHASH:" \
 	-e "s/\$MAC/$MAC/" \


=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -117,6 +117,7 @@
      <tab class="gofaxAccount" name="Fax" />
      <tab class="phoneAccount" name="Phone" />
      <tab class="nagiosAccount" name="Nagios" />
+     <tab class="netgroupAccount" name="NIS Netgroup" />
    </usertabs>
 
   <!-- User dialog -->


=====================================
share/debian-edu-config/tools/copy-host-keytab
=====================================
@@ -1,6 +1,21 @@
 #!/bin/sh
 set -e
-kinit
+
+if [ $(id -u) -gt 0 ]; then
+	echo "ERROR: This script has to run as super-user root."
+	exit 1
+fi
+
+# Attempt passwordless SSH login root at tjener (could be publickey, gssapi-keyex, or gssapi-with-mic)
+set +e
+ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no tjener "echo -n" 2>/dev/null
+ret=$?
+set -e
+if [ "${ret}" != "0" ]; then
+	# Try to get a Kerberos ticket for root instead to use GSSAPI login.
+	kinit root
+fi
+
 scp tjener:/var/lib/debian-edu/host-keytabs/$(hostname -s).intern.keytab /etc/krb5.keytab
 
 # Special case separate LTSP server.



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/3c53bb0ef1ba86ae3dbfe5bbae2ac77b417b95b9...a624dc1c581a3ff6e36bd3018ecb6f81b5de01c2

-- 
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/3c53bb0ef1ba86ae3dbfe5bbae2ac77b417b95b9...a624dc1c581a3ff6e36bd3018ecb6f81b5de01c2
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-edu-commits/attachments/20260522/fcad1ead/attachment-0001.htm>
