Package: debian-edu-config
Severity: serious
Version: 2.10.65
The former version of fetch-ldap-cert (stretch and before) retrieved the LDAP server's public cert only once, that is, on first boot on the Debian Edu network. A machine booted in one network would not have been reusable in some other Debian Edu network.
The reasoning behind this was:

```
11:54 < sunweaver> pere: the original approach of fetch-ldap-cert was: retrieve the cert from TJENER on first usage on the network and then remember it, right?
11:54 < sunweaver> So that a prepped notebook would belong to the first TJENER where it was first booted with. Right?
11:55 < sunweaver> The new fetch-ldap-cert always overwrites the LDAP cert and Debian Edu machines can migrate from one school to another.
11:55 < sunweaver> at least from what I read from the code...
11:55 < sunweaver> I found the previous approach more charming and "secure".
11:56 < sunweaver> in a world where GRUB is md5 protected, you would not be able to retrieve local data from the notebook.
11:57 < pere> sunweaver: yes.
11:58 < pere> sunweaver: the idea was that a stolen machine would not pass out and validate password from whoever happened to be able to provide a certificate, but stick to the one it was using during installation.
```

For migrating a Debian Edu workstation from one D-E network to another, one would have had to remove /etc/ldap/ssl/ldap-server-pubkey.pem and reboot the machine at the new location.
With the latest (Debian Edu buster) implementation, the debian-edu-bundle.crt file is retrieved on every reboot and replaces the previously fetched cert file. IMHO, we should consider this a severe regression that needs to be fixed.
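To make the difference between the two behaviours concrete, here is an added illustration (not the debian-edu-config code, and not how fetch-ldap-cert is actually written) of the stretch-style trust-on-first-use rule: remember the certificate seen on first boot, and never let a later fetch silently replace it. The function name `pin_ldap_cert`, the candidate-file argument, the exit codes and the "certificate" contents in the demo are all made up for the example; only the pinned path /etc/ldap/ssl/ldap-server-pubkey.pem and the TJENER name come from the report.

```shell
#!/bin/sh
# Hypothetical trust-on-first-use (TOFU) installer for the LDAP server cert.
# Added example, NOT the debian-edu-config implementation.
# Stretch-style rule: pin the cert on first use, refuse to overwrite it later.
# Migrating the machine means an admin removes the pinned file by hand
# (as the bug report describes) and reboots on the new network.

# pin_ldap_cert CANDIDATE PINNED
#   CANDIDATE: cert just fetched from the server called TJENER (hypothetical path)
#   PINNED:    the locally remembered cert, e.g. /etc/ldap/ssl/ldap-server-pubkey.pem
# Exit status (made up for this example):
#   0 = pinned on first use, or unchanged since first use
#   2 = a different cert was offered; it was rejected and PINNED kept
#   3 = no usable candidate file
pin_ldap_cert() {
    candidate=$1
    pinned=$2
    if [ ! -s "$candidate" ]; then
        echo "pin_ldap_cert: no candidate certificate at $candidate" >&2
        return 3
    fi
    if [ ! -f "$pinned" ]; then
        # First boot on this network: remember the certificate.
        mkdir -p "$(dirname "$pinned")"
        cp "$candidate" "$pinned"
        chmod 0644 "$pinned"
        echo "pin_ldap_cert: pinned $pinned on first use"
        return 0
    fi
    if cmp -s "$candidate" "$pinned"; then
        return 0   # same server as on first use, nothing to do
    fi
    # A different cert is being offered. Do not overwrite: a moved or stolen
    # machine must not start trusting whoever answers on the new network.
    echo "pin_ldap_cert: certificate mismatch, keeping $pinned" >&2
    return 2
}

# Demo with constructed files (these are not real certificates).
demo_dir=$(mktemp -d)
printf 'CONSTRUCTED-CERT-OF-TJENER-A\n' > "$demo_dir/fetched.crt"
pin_ldap_cert "$demo_dir/fetched.crt" "$demo_dir/ssl/ldap-server-pubkey.pem"   # first use: pinned
pin_ldap_cert "$demo_dir/fetched.crt" "$demo_dir/ssl/ldap-server-pubkey.pem"   # same cert: ok
printf 'CONSTRUCTED-CERT-OF-TJENER-B\n' > "$demo_dir/fetched.crt"
pin_ldap_cert "$demo_dir/fetched.crt" "$demo_dir/ssl/ldap-server-pubkey.pem" \
    || echo "second network rejected, status $?"
rm -rf "$demo_dir"
```

The buster behaviour described above corresponds to dropping the mismatch branch and always copying the fetched debian-edu-bundle.crt into place; the TOFU variant turns that silent replacement into an explicit, logged refusal that an administrator has to override on purpose.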
Feedback? Opinions?

@Wolfgang: don't get me wrong, I am so happy about the new Debian Edu PKI stuff. That was really well done. I am just nitpicking on bits and pieces I stumble over while migrating a customer's network and report things here. Please don't take my "complaints" personally, only technically. Thank you!
Thanks+Greets,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de