Package: debian-edu-config Version: 2.10.66 Severity: important The fetch-ldap-cert script should make sure that the LDAP server certificate is only downloaded once for both host and chroot.
It used to have independent conditions for these two cases in pre Buster releases. Now a global condition is used. If an LTSP chroot is re-generated or an additional one is created, these chroots would never contain the LDAP server certificate, i.e. the LDAP certificate will be fetched each time an LTSP client is booted. So to really fix #931413 independent conditions are needed. Also, to be useful for the fixes for #332828 (Include the LDAP server certificate in initial LTSP chroot image) and #933183 (Provide Debian Edu RootCA certificate for download), some more changes are needed. This change would fix all mentioned issues: diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert index dfec40da..cc83a2e1 100755 --- a/debian/debian-edu-config.fetch-ldap-cert +++ b/debian/debian-edu-config.fetch-ldap-cert @@ -23,14 +23,15 @@ set -e CERTFILE=/etc/ssl/certs/debian-edu-server.crt BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt +ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt do_start() { # Locate LDAP server LDAPSERVER=$(debian-edu-ldapserver) - + LDAPPORT=636 # ldaps ERROR=false - if [ -f /etc/nslcd.conf ] && - grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then + if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && + grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then if [ -z "$LDAPSERVER" ] ; then msg="Failed to locate LDAP server" log_action_begin_msg "$msg" 
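Review bot: The new host guard `[ ! -f $CERTFILE ]` treats an empty debian-edu-server.crt as present, while every later check in the same function uses `test -s`, so a zero-byte file left by an interrupted earlier run is never refetched; `if [ ! -s $CERTFILE ] && [ -f /etc/nslcd.conf ] &&` keeps the two in step. `LDAPPORT=636` is introduced here but, judging by the following hunk, only the openssl probe uses it, whereas the gnutls-cli calls that actually save the certificate are given a bare `$LDAPSERVER` and therefore talk to gnutls-cli's own default port; if that port presents a different certificate than ldaps, the saved one is not the LDAP server's, so consider passing `-p "$LDAPPORT"` there as well. do_start continues past the end of this hunk.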
@@ -39,18 +40,43 @@ do_start() { return 1 fi [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." - if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then + if curl -sfk --head -o /dev/null https://www.intern ; then + if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \ + grep -q CERTIFICATE $ROOTCACRT ; then + gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null + logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern." + else + rm -f $ROOTCACRT + if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \ + grep -q CERTIFICATE $BUNDLECRT ; then + gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null + logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern." + else + rm -f $BUNDLECRT + logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern." + fi + fi + else + log_action_end_msg 1 + logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down." + ERROR=true + fi else /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new chmod 644 $CERTFILE.new + logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate." fi if test -s $CERTFILE.new ; then mv $CERTFILE.new $CERTFILE [ "$VERBOSE" != no ] && log_action_end_msg 0 - logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + if [ -f $BUNDLECRT ] ; then + logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + else + logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER." 
+ fi else - rm $CERTFILE.new + rm -f $CERTFILE.new log_action_end_msg 1 logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER." ERROR=true @@ -64,10 +90,24 @@ do_start() { log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot " if test -s $CERTFILE; then cp $CERTFILE $ltsp_chroot$CERTFILE + [ "$VERBOSE" != no ] && log_action_end_msg 0 + else + log_action_end_msg 1 + ERROR=true + fi + log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot " + if test -s $ROOTCACRT; then + cp $ROOTCACRT $ltsp_chroot$ROOTCACRT [ "$VERBOSE" != no ] && log_action_end_msg 0 else + log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot " + if test -s $BUNDLECRT; then + cp $BUNDLECRT $ltsp_chroot$BUNDLECRT + [ "$VERBOSE" != no ] && log_action_end_msg 0 + else log_action_end_msg 1 ERROR=true + fi fi fi done @@ -79,13 +119,7 @@ do_start() { case "$1" in start) - # do absolutely nothing, if this host is already "attached" to - # a Debian Edu network - if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then - : - else - do_start - fi + do_start ;; stop) ;; Please test. (script is attached) Wolfgang
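Review bot: Both CA downloads drop the `-f` the replaced line had (`curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT`), so an HTTP error body is written into the CA file and the only thing between a 404 page and `--x509cafile` is `grep -q CERTIFICATE`; restore `-f` and check that the file parses, e.g. `curl -sfk -o $ROOTCACRT https://www.intern/Debian-Edu_rootCA.crt && openssl x509 -noout -in $ROOTCACRT 2>/dev/null`, before handing it to gnutls-cli. The gnutls-cli exit status is also unchecked: under the script's `set -e` a chain-verification failure aborts the whole script before the `test -s $CERTFILE.new` cleanup runs, and anything --save-cert may already have written stays on disk; `gnutls-cli ... < /dev/null || rm -f $CERTFILE.new` lets the existing failure branch report it. The final `if [ -f $BUNDLECRT ]` decides whether to log "verified" from a file the rootCA branch never creates, so the root-CA path is logged as unverified and a stale bundle makes the pre-Buster path claim verification; a flag set next to the gnutls-cli calls would be accurate. do_start continues outside this hunk.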
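Review bot: `log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "` is not gated on `$VERBOSE` like the begin messages around it, and when the root CA is missing a second begin message for the bundle is printed before the first has been ended, so a chroot with neither CA shows two open actions and one failure; printing the begin message only for the CA file actually found (`if test -s $ROOTCACRT; then ... elif test -s $BUNDLECRT; then ... else log_action_end_msg 1; ERROR=true; fi`) keeps the console output paired. Separately, the enclosing `if [ ! -f $ltsp_chroot$CERTFILE ]` lies outside this hunk and, as the attached script shows, also gates the new CA copies, so a chroot that already holds the server certificate never receives a root CA or bundle fetched later; if that is not intended, the CA copy needs its own `[ ! -s $ltsp_chroot$ROOTCACRT ]` check. The for loop and do_start continue outside this hunk.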
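#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#  Start before krb5-kdc to give slapd time to become operational
#  before krb5-kdc try to connect to the LDAP server as a workaround
#  for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <p...@hungry.com>
# Date:   2007-06-09
#
# Fetch the LDAP server certificate for this host and copy it, together
# with the CA file it was checked against, into every LTSP chroot below
# /opt/ltsp whose nslcd.conf refers to it.  The host and each chroot are
# tested independently, so a chroot created or rebuilt later still gets
# its copy although the host already has one.

set -e

. /lib/lsb/init-functions

CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
WEBSERVER=https://www.intern

# Write one message to syslog under the fetch-ldap-cert tag.
log_msg() {
    logger -t fetch-ldap-cert "$1"
}

# log_action_begin_msg / log_action_end_msg, skipped when VERBOSE=no.
verbose_begin() {
    if [ "$VERBOSE" != no ] ; then
        log_action_begin_msg "$1"
    fi
}

verbose_end() {
    if [ "$VERBOSE" != no ] ; then
        log_action_end_msg "$1"
    fi
}

# Succeed when file $1 is non-empty and holds at least one PEM certificate
# that openssl can parse.  grep alone would also accept an HTML error page
# that merely mentions the word CERTIFICATE.
is_pem_cert() {
    [ -s "$1" ] && grep -q CERTIFICATE "$1" &&
        openssl x509 -noout -in "$1" > /dev/null 2>&1
}

# Download URL $1 into file $2 and keep it only if it is a certificate.
#   -f  HTTP errors fail the command instead of landing in the CA file.
#   -k  no trust anchor exists yet on a fresh host, so this download is
#       trust-on-first-use and only as trustworthy as the path to $1.
# Returns 0 on success.  On failure the file is removed so that the next
# run retries, and 1 is returned.
download_cert() {
    if curl -sfk -o "$2" "$1" && is_pem_cert "$2" ; then
        return 0
    fi
    rm -f "$2"
    return 1
}

# Connect to $LDAPSERVER with gnutls-cli, verify its chain against the CA
# file $1 and save the server certificate as $CERTFILE.new.  A failed
# verification removes whatever was saved and returns 1, instead of letting
# set -e abort the script with an unverified file left behind.
# NOTE(review): no -p is given, so gnutls-cli uses its own default port,
# not $LDAPPORT -- confirm the service there presents the LDAP certificate.
save_verified_cert() {
    if gnutls-cli --x509cafile "$1" --save-cert="$CERTFILE.new" \
            "$LDAPSERVER" < /dev/null ; then
        return 0
    fi
    rm -f "$CERTFILE.new"
    return 1
}

# Obtain the host certificate into $CERTFILE.new.
# Globals: LDAPSERVER, LDAPPORT (read); VERIFIED set to true when the
# certificate was checked against a CA downloaded from www.intern; ERROR
# set to true when www.intern could not be reached at all.
# The caller decides success from the presence of $CERTFILE.new.
fetch_host_cert() {
    # A server issued from the Debian Edu RootCA (Buster and later) shows
    # "RootCA" in the chain s_client prints; older servers use the
    # self-signed certificate that ldap-server-getcert retrieves.
    if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2> /dev/null |
            grep -q RootCA ; then
        if ! curl -sfk --head -o /dev/null "$WEBSERVER" ; then
            log_action_end_msg 1
            log_msg "Failed to connect to www.intern, maybe the web server down."
            ERROR=true
            return 0
        fi
        # Root CA first, the older bundle file as fallback.
        if download_cert "$WEBSERVER/Debian-Edu_rootCA.crt" "$ROOTCACRT" ; then
            log_msg "Fetched rootCA certificate from www.intern."
            if save_verified_cert "$ROOTCACRT" ; then
                VERIFIED=true
            fi
        elif download_cert "$WEBSERVER/debian-edu-bundle.crt" "$BUNDLECRT" ; then
            log_msg "Fetched bundle certificate from www.intern."
            if save_verified_cert "$BUNDLECRT" ; then
                VERIFIED=true
            fi
        else
            log_msg "Failed to fetch certificates from www.intern."
        fi
    else
        # A failed retrieval is reported by the caller's failure branch
        # instead of aborting here through set -e.
        if /usr/share/debian-edu-config/tools/ldap-server-getcert "$LDAPSERVER" \
                > "$CERTFILE.new" ; then
            chmod 644 "$CERTFILE.new"
            log_msg "Fetched pre Buster LDAP server certificate."
        else
            rm -f "$CERTFILE.new"
        fi
    fi
    return 0
}

# Provision the LTSP chroot $1: copy $CERTFILE plus the CA file the host
# has (root CA preferred, bundle otherwise).  Only chroots whose nslcd.conf
# refers to the certificate and that do not yet hold a non-empty copy are
# touched, which is the per-chroot "fetch once" condition.  Sets ERROR=true
# when a file to copy is missing on the host.
copy_to_chroot() {
    target=$1
    if [ -s "$target$CERTFILE" ] || [ ! -f "$target/etc/nslcd.conf" ] ||
            ! grep -q /etc/ssl/certs/debian-edu-server.crt "$target/etc/nslcd.conf" ; then
        return 0
    fi
    verbose_begin "Copying LDAP SSL certificate to ltsp-chroot $target "
    if [ -s "$CERTFILE" ] ; then
        cp "$CERTFILE" "$target$CERTFILE"
        verbose_end 0
    else
        log_action_end_msg 1
        ERROR=true
    fi
    # Only the begin message of the CA file actually present is printed, so
    # every begin is paired with exactly one end.
    if [ -s "$ROOTCACRT" ] ; then
        verbose_begin "Copying Debian Edu rootCA certificate to ltsp-chroot $target "
        cp "$ROOTCACRT" "$target$ROOTCACRT"
        verbose_end 0
    elif [ -s "$BUNDLECRT" ] ; then
        verbose_begin "Copying TLS certificate bundle to ltsp-chroot $target "
        cp "$BUNDLECRT" "$target$BUNDLECRT"
        verbose_end 0
    else
        log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $target "
        log_action_end_msg 1
        ERROR=true
    fi
    return 0
}

# Fetch the host certificate when needed, then provision every LTSP chroot.
# Returns 1 when the LDAP server could not be located or any step failed.
do_start() {
    # Locate LDAP server.  A non-zero exit is treated like empty output so
    # the failure is reported below rather than aborting silently via set -e
    # (the tool's exit status on failure is not documented here).
    LDAPSERVER=$(debian-edu-ldapserver) || LDAPSERVER=
    LDAPPORT=636 # ldaps
    ERROR=false
    VERIFIED=false

    # Host: fetch only when no non-empty certificate exists yet and nslcd is
    # configured to use it.  -s rather than -f, so an empty file left by an
    # interrupted run does not block the fetch forever.
    if [ ! -s "$CERTFILE" ] && [ -f /etc/nslcd.conf ] &&
            grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
            log_action_begin_msg "$msg"
            log_action_end_msg 1
            log_msg "$msg."
            return 1
        fi
        verbose_begin "Fetching LDAP SSL certificate."
        fetch_host_cert
        if [ -s "$CERTFILE.new" ] ; then
            # World-readable like the rest of /etc/ssl/certs; the gnutls-cli
            # path in fetch_host_cert sets no mode of its own.
            chmod 644 "$CERTFILE.new"
            mv "$CERTFILE.new" "$CERTFILE"
            verbose_end 0
            # "verified" only when a chain check against a downloaded CA
            # actually happened, not merely when a bundle file exists.
            if $VERIFIED ; then
                log_msg "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
            else
                log_msg "Fetched LDAP SSL certificate from $LDAPSERVER."
            fi
        else
            rm -f "$CERTFILE.new"
            log_action_end_msg 1
            log_msg "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
            ERROR=true
        fi
    fi

    # Chroots: each one is tested on its own inside copy_to_chroot.
    # Chroot names are admin-chosen directory names below /opt/ltsp, so the
    # word-splitting of $(find ...) is acceptable here.
    if [ -d /opt/ltsp ] ; then
        for ltsp_chroot in $(find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d) ; do
            copy_to_chroot "$ltsp_chroot"
        done
    fi

    if $ERROR ; then
        return 1
    fi
}

case "$1" in
    start)
        do_start
        ;;
    stop)
        ;;
    restart|force-reload)
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload}"
        exit 2
esac
exit 0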