[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. 0.7-26-g963f92d

Andreas B. Mundt andi at debian.org
Wed Feb 13 09:40:17 UTC 2013


The following commit has been merged in the master branch:
commit 28f80e0c559db254c208f27ea1a071a27cf9a1c2
Author: Andreas B. Mundt <andi at debian.org>
Date:   Mon Feb 11 23:18:41 2013 +0100

    Kerberize web server access to icinga and munin.
    
    By default, all known users are allowed to access the monitoring
    sites.

diff --git a/fai/config/files/var/www/index.htm/GOSA b/fai/config/files/var/www/index.htm/GOSA
deleted file mode 100644
index bd892f6..0000000
--- a/fai/config/files/var/www/index.htm/GOSA
+++ /dev/null
@@ -1,14 +0,0 @@
-<html><body>
-<h1>Debian-LAN</h1>
-<p>This is the starting web page for the Debian-LAN mainserver.</p>
-<p>Available services:</p>
-<ul>
-<li><a href="https://mainserver/gosa">GOsa System Administration</a></li>
-<li><a href="http://mainserver/munin">Munin System Monitoring</a></li>
-<li><a href="http://mainserver/icinga">ICINGA System Monitoring</a></li>
-</ul>
-Login as 'admin' with the password provided during installation.  For
-more informations take a look at the <a
-href="http://wiki.debian.org/DebianLAN">Debian-LAN Wiki</a> and
-the resources listed there.
-</body></html>
diff --git a/fai/config/files/var/www/index.html/GOSA b/fai/config/files/var/www/index.html/GOSA
new file mode 100644
index 0000000..60e2f28
--- /dev/null
+++ b/fai/config/files/var/www/index.html/GOSA
@@ -0,0 +1,12 @@
+<html><body>
+<h1>Debian-LAN</h1>
+<p>This is the starting web page for the Debian-LAN mainserver.</p>
+<p>Available services:</p>
+<ul>
+<li><a href="https://www.intern/gosa">GOsa System Administration</a></li>
+<li><a href="https://syslog.intern/munin">Munin System Monitoring</a></li>
+<li><a href="https://syslog.intern/icinga">ICINGA System Monitoring</a></li>
+</ul>
+For more information, take a look at the
+<a href="http://wiki.debian.org/DebianLAN">Debian-LAN Wiki</a>.
+x</body></html>
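Review bot: The last line of the new page, `x</body></html>`, carries a stray `x` before the closing tag that renders as a visible character at the bottom of the landing page; it should read `</body></html>`. Everything else in the file looks as intended, with the monitoring links now pointing at the TLS hosts.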
diff --git a/fai/config/package_config/LOG_SERVER b/fai/config/package_config/LOG_SERVER
index 8d6a995..170a712 100644
--- a/fai/config/package_config/LOG_SERVER
+++ b/fai/config/package_config/LOG_SERVER
@@ -2,6 +2,7 @@
 ## Put all setup-dependent packages in the SETUP_* class.
 PACKAGES aptitude
 apache2
+libapache2-mod-auth-kerb
 munin
 munin-node
 icinga
diff --git a/fai/config/scripts/CLIENT_A/20-misc b/fai/config/scripts/CLIENT_A/20-misc
index 0f817e3..d529265 100755
--- a/fai/config/scripts/CLIENT_A/20-misc
+++ b/fai/config/scripts/CLIENT_A/20-misc
@@ -21,3 +21,7 @@ else
     ## default configuration to wpad.dat proxy:
     ainsl /etc/iceweasel/pref/iceweasel.js 'pref("network.proxy.type", 4);'
 fi
+
+## Allow SSO in iceweasel:
+ainsl /etc/iceweasel/pref/iceweasel.js 'pref("network.negotiate-auth.delegation-uris", "intern");'
+ainsl /etc/iceweasel/pref/iceweasel.js 'pref("network.negotiate-auth.trusted-uris", "intern");'
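Review bot: The added `network.negotiate-auth.delegation-uris` pref is a broader grant than `trusted-uris`: it lets the browser forward the user's Kerberos credentials to any matching server, whereas `trusted-uris` alone is what SSO authentication to icinga and munin needs. Unless a service under `intern` must act on behalf of the user, drop the delegation line, or say in the comment why it is required, e.g. `## Allow SSO in iceweasel (delegation-uris only needed if a web app must use the user's ticket):`. The enclosing script starts outside this hunk.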
diff --git a/fai/config/scripts/KDC_LDAP/10-slapd-KDC b/fai/config/scripts/KDC_LDAP/10-slapd-KDC
index 79de82b..e74b3b6 100755
--- a/fai/config/scripts/KDC_LDAP/10-slapd-KDC
+++ b/fai/config/scripts/KDC_LDAP/10-slapd-KDC
@@ -145,7 +145,6 @@ init_KDC() {
     ## Add -minlength and -minclasses later (cf. below).
     $ROOTCMD kadmin.local -q "add_policy default"
 
-    ## needs root or kdc passwd:
     $ROOTCMD kadmin.local -q "addprinc -pw $LDAP_ADMIN_PW root/admin"
     $ROOTCMD kadmin.local -q "addprinc -pw $LDAP_ADMIN_PW root"
 
@@ -153,7 +152,6 @@ init_KDC() {
     $ROOTCMD kadmin.local -q "addprinc -randkey host/mainserver.intern"
     $ROOTCMD kadmin.local -q "ktadd host/mainserver.intern"
 
-    ## Create service principals and add them to the keytab:
     $ROOTCMD kadmin.local -q "addprinc -randkey nfs/mainserver.intern"
     $ROOTCMD kadmin.local -q "ktadd nfs/mainserver.intern"
 
@@ -168,11 +166,14 @@ init_KDC() {
 	done
     done
 
-    ## does ldap.intern also work?
     $ROOTCMD kadmin.local -q "addprinc -randkey ldap/mainserver.intern"
     $ROOTCMD kadmin.local -q "ktadd -k /etc/krb5.keytab.ldap ldap/mainserver.intern"
     $ROOTCMD chown -v openldap:openldap /etc/krb5.keytab.ldap
 
+    $ROOTCMD kadmin.local -q "addprinc -randkey HTTP/mainserver.intern"
+    $ROOTCMD kadmin.local -q "ktadd -k /etc/krb5.keytab.http HTTP/mainserver.intern"
+    $ROOTCMD chown -v www-data:www-data /etc/krb5.keytab.http
+
     if ifclass MAIL_SERVER ; then
 	$ROOTCMD kadmin.local -q "addprinc -randkey smtp/mainserver.intern"
 	$ROOTCMD kadmin.local -q "ktadd -k /etc/krb5.keytab.smtp smtp/mainserver.intern"
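Review bot: The new keytab `/etc/krb5.keytab.http` is made owned by www-data, which lets any process running as the web server user rewrite, replace or re-chmod the HTTP service key, while read access is all Apache needs. A least-privilege layout would be `$ROOTCMD chown -v root:www-data /etc/krb5.keytab.http` followed by `$ROOTCMD chmod -v 0640 /etc/krb5.keytab.http`, and a short comment such as `## HTTP service principal for mod_auth_kerb (icinga, munin):` would match the surrounding blocks. The same consideration presumably applies to the existing ldap and smtp keytabs, but that is outside this change. `init_KDC()` starts and ends outside the hunk.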
diff --git a/fai/config/scripts/LOG_SERVER/10-rsyslog_icinga.conf b/fai/config/scripts/LOG_SERVER/10-rsyslog_icinga.conf
index 7c21348..16f416a 100755
--- a/fai/config/scripts/LOG_SERVER/10-rsyslog_icinga.conf
+++ b/fai/config/scripts/LOG_SERVER/10-rsyslog_icinga.conf
@@ -14,5 +14,4 @@ if [ "$FAI_ACTION" == "install" ] || [ "$CONVERT" == "true" ] ; then
     ## Machines are added here, so do not overwrite them on softupdate:
     fcopy /etc/icinga/objects/hosts.cfg
     mv $target/etc/icinga/objects/localhost_icinga.cfg $target/etc/icinga/objects/localhost_icinga.cfg_orig
-    $ROOTCMD htpasswd -bc /etc/icinga/htpasswd.users admin "$ADMINPW"
 fi
diff --git a/fai/config/scripts/LOG_SERVER/30-kerberize b/fai/config/scripts/LOG_SERVER/30-kerberize
new file mode 100755
index 0000000..e55a18c
--- /dev/null
+++ b/fai/config/scripts/LOG_SERVER/30-kerberize
@@ -0,0 +1,34 @@
+#!/usr/sbin/cfagent -f
+#
+#  Kerberize access to icinga.
+#
+
+control:
+   any::
+   actionsequence = ( editfiles )
+   EditFileSize = ( 30000 )
+
+editfiles:
+   any::
+      { ${target}/etc/icinga/apache2.conf
+          ReplaceAll "AuthType Basic" With "AuthType Kerberos"
+          ReplaceAll "AuthUserFile .*" With "Krb5Keytab /etc/krb5.keytab.http"
+          # ReplaceAll "Require valid-user" With "Require user admin at INTERN"
+      }
+      { ${target}/etc/icinga/cgi.cfg
+          ReplaceAll "authorized_for_system_information=icingaadmin"
+                With "authorized_for_system_information=*"
+          ReplaceAll "authorized_for_configuration_information=icingaadmin"
+                With "authorized_for_configuration_information=*"
+          ReplaceAll "authorized_for_all_services=icingaadmin"
+                With "authorized_for_all_services=*"
+          ReplaceAll "authorized_for_all_hosts=icingaadmin"
+                With "authorized_for_all_hosts=*"
+      }
+      { ${target}/etc/munin/apache.conf
+          ReplaceAll "^[[:space:]]*Allow from localhost .*" With "	Allow from All"
+          ReplaceAll "# AuthUserFile .*" With "Krb5Keytab /etc/krb5.keytab.http"
+          ReplaceAll '# AuthName "Munin"' With 'AuthName "Munin Access"'
+          ReplaceAll "# AuthType Basic" With "AuthType Kerberos"
+          ReplaceAll "# require valid-user" With "Require valid-user"
+      }
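Review bot: The four `authorized_for_*=*` replacements in cgi.cfg grant every authenticated principal read access to Icinga's system and configuration information, which matches the commit message but deserves an explicit comment in the file, e.g. `# Every Kerberos user may view all hosts/services; command rights stay restricted.`. The command-type `authorized_for_*` entries are not touched here; if they still name `icingaadmin` (not visible in this hunk), they will match nobody once REMOTE_USER takes the `user@REALM` form mod_auth_kerb sets by default, so it should be stated whether locking out commands is intended. The commented-out `ReplaceAll "Require valid-user"` edit is dead configuration and should be removed or turned into a plain comment explaining why valid-user is kept. Since mod_auth_kerb falls back to Basic authentication with the Kerberos password unless `KrbMethodK5Passwd` is turned off, it is worth confirming that both locations are only served over TLS now that munin is opened with `Allow from All`.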
