Package: debian-edu-config
Version: 2.10.66
Severity: important

The fetch-ldap-cert script should make sure that the LDAP server certificate is only downloaded once, for the host as well as for each chroot.
It used to have independent conditions for these two cases in pre-Buster
releases.
Now a single global condition is used. If an LTSP chroot is re-generated or an
additional one is created, such chroots never receive the LDAP
server certificate, i.e. the LDAP certificate is fetched each time
an LTSP client boots. So to really fix #931413, independent
conditions are needed.
Also, to be useful for the fixes for #332828 (Include the LDAP server
certificate in initial LTSP chroot image) and #933183 (Provide Debian
Edu RootCA certificate for download), some more changes are needed.
This change would fix all mentioned issues:
diff --git a/debian/debian-edu-config.fetch-ldap-cert
b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..cc83a2e1 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -23,14 +23,15 @@ set -e
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
do_start() {
# Locate LDAP server
LDAPSERVER=$(debian-edu-ldapserver)
-
+ LDAPPORT=636 # ldaps
ERROR=false
- if [ -f /etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+ if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
+ grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
if [ -z "$LDAPSERVER" ] ; then
msg="Failed to locate LDAP server"
log_action_begin_msg "$msg"
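Review bot: The guard added at L30 keys on `-f`, so a zero-length $CERTFILE, however it got there, blocks the fetch forever, while the rest of the script decides with `test -s` on the same file; `if [ ! -s $CERTFILE ] && [ -f /etc/nslcd.conf ] &&` keeps the two consistent. The grep on L31 repeats the literal path that $CERTFILE (L19) already holds, and `grep -qF "$CERTFILE" /etc/nslcd.conf` keeps them from drifting apart. do_start continues past the end of the hunk.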
@@ -39,18 +40,43 @@ do_start() {
return 1
fi
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL
certificate."
- if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ;
then
- gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new
ldap.intern < /dev/null
+ if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null
| grep RootCA ; then
+ if curl -sfk --head -o /dev/null https://www.intern ; then
+ if curl -k https://www.intern/Debian-Edu_rootCA.crt >
$ROOTCACRT && \
+ grep -q CERTIFICATE $ROOTCACRT ; then
+ gnutls-cli --x509cafile $ROOTCACRT
--save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched rootCA certificate
from www.intern."
+ else
+ rm -f $ROOTCACRT
+ if curl -k https://www.intern/debian-edu-bundle.crt >
$BUNDLECRT && \
+ grep -q CERTIFICATE $BUNDLECRT ; then
+ gnutls-cli --x509cafile $BUNDLECRT
--save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched bundle
certificate from www.intern."
+ else
+ rm -f $BUNDLECRT
+ logger -t fetch-ldap-cert "Failed to fetch certificates
from www.intern."
+ fi
+ fi
+ else
+ log_action_end_msg 1
+ logger -t fetch-ldap-cert "Failed to connect to www.intern,
maybe the web server down."
+ ERROR=true
+ fi
else
/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER
> $CERTFILE.new
chmod 644 $CERTFILE.new
+ logger -t fetch-ldap-cert "Fetched pre Buster LDAP server
certificate."
fi
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
- logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
certificate from $LDAPSERVER."
+ if [ -f $BUNDLECRT ] ; then
+ logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
certificate from $LDAPSERVER."
+ else
+ logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from
$LDAPSERVER."
+ fi
else
- rm $CERTFILE.new
+ rm -f $CERTFILE.new
log_action_end_msg 1
logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate
from $LDAPSERVER."
ERROR=true
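Review bot: The downloads at L47 and L56 use `curl -k` without `-f`, unlike the probe at L46, so an HTTP error page is written into $ROOTCACRT or $BUNDLECRT and only the `grep -q CERTIFICATE` test stands between it and use as a CA file; `curl -sfk https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT` (and the same for the bundle) closes that. Because the CA file itself is fetched with certificate checking disabled, the gnutls-cli chain check establishes trust-on-first-use in www.intern rather than independent verification, which deserves a comment at L47 such as `# -k: a freshly attached host has nothing yet that could verify www.intern (trust on first use)`. The gnutls-cli calls at L50 and L59 run as plain commands under the script's `set -e`, so a chain that does not validate aborts the script before the failure branch at L94 can log or remove $CERTFILE.new; wrapping each in `if ! gnutls-cli …; then rm -f $CERTFILE.new; fi` keeps the failure on the reported path. The "verified" wording at L88 is only chosen when $BUNDLECRT exists, so the rootCA path logs the unverified message; the condition should read `if [ -f $ROOTCACRT ] || [ -f $BUNDLECRT ] ; then`. `grep RootCA` at L45 should be `grep -q RootCA` so the s_client chain dump stays off stdout.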
@@ -64,10 +90,24 @@ do_start() {
log_action_begin_msg "Copying LDAP SSL certificate to
ltsp-chroot $ltsp_chroot "
if test -s $CERTFILE; then
cp $CERTFILE $ltsp_chroot$CERTFILE
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
+ log_action_end_msg 1
+ ERROR=true
+ fi
+ log_action_begin_msg "Copying Debian Edu rootCA certificate to
ltsp-chroot $ltsp_chroot "
+ if test -s $ROOTCACRT; then
+ cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
[ "$VERBOSE" != no ] && log_action_end_msg 0
else
+ log_action_begin_msg "Copying TLS certificate bundle to
ltsp-chroot $ltsp_chroot "
+ if test -s $BUNDLECRT; then
+ cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
log_action_end_msg 1
ERROR=true
+ fi
fi
fi
done
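Review bot: On a host whose certificate came through ldap-server-getcert (the pre Buster branch of the previous hunk creates neither $ROOTCACRT nor $BUNDLECRT), the innermost fallback at L122–L124 sets ERROR=true for every chroot, so do_start returns 1 although the LDAP certificate copy at L105 succeeded. A missing CA file on the host is not something the chroot copy can fix, so L123–L124 would better become `logger -t fetch-ldap-cert "No CA certificate on host to copy to ltsp-chroot $ltsp_chroot."` and leave ERROR alone. The begin messages at L111 and L117 are not gated on $VERBOSE while the matching end messages at L115 and L121 are, so with VERBOSE=no the begin text is printed without its end. The enclosing for loop over the chroots starts outside the hunk.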
@@ -79,13 +119,7 @@ do_start() {
case "$1" in
start)
- # do absolutely nothing, if this host is already "attached" to
- # a Debian Edu network
- if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
- :
- else
- do_start
- fi
+ do_start
;;
stop)
;;
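Review bot: With the early exit removed, `LDAPSERVER=$(debian-edu-ldapserver)` at the top of do_start (L24) now runs on every start, including on hosts that already hold the certificate and skip the fetch because of the guard at L30; under the script's `set -e` a non-zero exit from that helper — if it can fail that way, which the page does not show — would end the script before any chroot is handled. `LDAPSERVER=$(debian-edu-ldapserver) || LDAPSERVER=` routes such a failure into the existing "Failed to locate LDAP server" branch instead. Since the lookup is only needed when $CERTFILE is missing, it could also move inside that branch.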
Please test. (script is attached)
Wolfgang
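#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#   Start before krb5-kdc to give slapd time to become operational
#   before krb5-kdc try to connect to the LDAP server as a workaround
#   for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <[email protected]>
# Date:   2007-06-09
#
# Fetches the LDAP server certificate for this host (once: when nslcd is
# configured to use it and the file is missing) and copies it, together
# with the CA file it was checked against, into every LTSP chroot under
# /opt/ltsp that is configured the same way and still lacks it.
#
# Globals written: LDAPSERVER, LDAPPORT, ERROR.
# Reads: VERBOSE from the init environment; "no" silences progress output.

set -e

. /lib/lsb/init-functions

CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt

# Progress messages, suppressed when VERBOSE=no.  Written as "|| ..." so the
# list's status is 0 either way and never trips set -e.
say_begin() { [ "$VERBOSE" = no ] || log_action_begin_msg "$1"; }
say_end_ok() { [ "$VERBOSE" = no ] || log_action_end_msg 0; }

#######################################
# Download a CA file from www.intern.
# Arguments: $1 - URL
#            $2 - destination path
# Returns:   0 and leaves $2 in place when the download succeeded and the
#            content looks like PEM; 1 (and no file) otherwise.
#######################################
fetch_ca_file() {
  ca_url=$1
  ca_dest=$2
  # -k: a host being attached for the first time has nothing yet that could
  # verify www.intern, so this download is trust-on-first-use of the local
  # web server.  -f keeps an HTTP error page from being stored as a CA file;
  # the grep rejects anything that is not PEM at all.
  if curl -sfk "$ca_url" > "$ca_dest.new" && grep -q CERTIFICATE "$ca_dest.new" ; then
    chmod 644 "$ca_dest.new"
    mv "$ca_dest.new" "$ca_dest"
    return 0
  fi
  rm -f "$ca_dest.new"
  return 1
}

#######################################
# Save the LDAP server's certificate to $CERTFILE.new, chain-checked by
# gnutls-cli against a CA file.
# Arguments: $1 - CA file for --x509cafile
# Globals:   LDAPSERVER, CERTFILE (read)
# Returns:   0 when gnutls-cli succeeded; 1 otherwise, with no .new file
#            left behind so the caller cannot install an unverified
#            certificate.  Run inside "if" so a failure does not end the
#            script through set -e.
#######################################
save_verified_cert() {
  if gnutls-cli --x509cafile "$1" --save-cert="$CERTFILE.new" "$LDAPSERVER" < /dev/null ; then
    return 0
  fi
  rm -f "$CERTFILE.new"
  return 1
}

#######################################
# Fetch this host's LDAP server certificate if nslcd wants it and it is missing.
# Globals:   LDAPSERVER, LDAPPORT, CERTFILE, ROOTCACRT, BUNDLECRT (read),
#            ERROR (set to true on failure), msg (written)
# Returns:   1 when no LDAP server could be located, 0 otherwise
#######################################
fetch_host_certificate() {
  # -s rather than -f: a zero-length certificate is retried, not kept forever.
  if [ -s "$CERTFILE" ] || [ ! -f /etc/nslcd.conf ] \
     || ! grep -qF "$CERTFILE" /etc/nslcd.conf ; then
    return 0
  fi
  if [ -z "$LDAPSERVER" ] ; then
    msg="Failed to locate LDAP server"
    log_action_begin_msg "$msg"
    log_action_end_msg 1
    logger -t fetch-ldap-cert "$msg."
    return 1
  fi
  say_begin "Fetching LDAP SSL certificate."
  # The script takes a RootCA entry in the s_client chain dump as the mark of
  # a server that can be verified against a CA from www.intern; anything else
  # goes through ldap-server-getcert below.  stdin from /dev/null instead of
  # an echoed newline, which s_client would otherwise send to the server.
  if openssl s_client -connect "$LDAPSERVER:$LDAPPORT" < /dev/null 2>/dev/null \
       | grep -q RootCA ; then
    if curl -sfk --head -o /dev/null https://www.intern ; then
      if fetch_ca_file https://www.intern/Debian-Edu_rootCA.crt "$ROOTCACRT" ; then
        if save_verified_cert "$ROOTCACRT" ; then
          logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
        else
          logger -t fetch-ldap-cert "LDAP server certificate did not verify against $ROOTCACRT."
        fi
      elif fetch_ca_file https://www.intern/debian-edu-bundle.crt "$BUNDLECRT" ; then
        if save_verified_cert "$BUNDLECRT" ; then
          logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
        else
          logger -t fetch-ldap-cert "LDAP server certificate did not verify against $BUNDLECRT."
        fi
      else
        logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
      fi
    else
      # The common failure branch below emits log_action_end_msg 1 and sets
      # ERROR, so only the syslog line is written here.
      logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
    fi
  else
    if /usr/share/debian-edu-config/tools/ldap-server-getcert "$LDAPSERVER" > "$CERTFILE.new" ; then
      logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
    else
      rm -f "$CERTFILE.new"
    fi
  fi
  if [ -s "$CERTFILE.new" ] ; then
    # World-readable on every path, not only the pre Buster one: nslcd and
    # the LTSP copies need to read it.
    chmod 644 "$CERTFILE.new"
    mv "$CERTFILE.new" "$CERTFILE"
    say_end_ok
    # "verified" means chain-checked against the CA file obtained from
    # www.intern, whichever of the two was used.
    if [ -f "$ROOTCACRT" ] || [ -f "$BUNDLECRT" ] ; then
      logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
    else
      logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
    fi
  else
    rm -f "$CERTFILE.new"
    log_action_end_msg 1
    logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
    ERROR=true
  fi
  return 0
}

#######################################
# Copy one file into an LTSP chroot, reporting the step.
# Arguments: $1 - source path on the host (same path is used inside the chroot)
#            $2 - chroot root directory, no trailing slash
#            $3 - description for the progress message
# Globals:   ERROR (set to true when the source is missing or cp fails)
#######################################
copy_into_chroot() {
  copy_src=$1
  copy_root=$2
  copy_what=$3
  say_begin "Copying $copy_what to ltsp-chroot $copy_root "
  # cp inside the condition: a failure is reported here instead of ending
  # the script through set -e.
  if [ -s "$copy_src" ] && cp "$copy_src" "$copy_root$copy_src" ; then
    say_end_ok
  else
    log_action_end_msg 1
    ERROR=true
  fi
}

#######################################
# Give one LTSP chroot the certificates it lacks.
# Arguments: $1 - chroot root directory, no trailing slash
# Globals:   CERTFILE, ROOTCACRT, BUNDLECRT (read), ERROR (via copy_into_chroot)
#######################################
populate_chroot() {
  chroot_dir=$1
  if [ -s "$chroot_dir$CERTFILE" ] || [ ! -f "$chroot_dir/etc/nslcd.conf" ] \
     || ! grep -qF "$CERTFILE" "$chroot_dir/etc/nslcd.conf" ; then
    return 0
  fi
  copy_into_chroot "$CERTFILE" "$chroot_dir" "LDAP SSL certificate"
  if [ -s "$ROOTCACRT" ] ; then
    copy_into_chroot "$ROOTCACRT" "$chroot_dir" "Debian Edu rootCA certificate"
  elif [ -s "$BUNDLECRT" ] ; then
    copy_into_chroot "$BUNDLECRT" "$chroot_dir" "TLS certificate bundle"
  else
    # A host attached the pre Buster way has no CA file to hand on; the
    # server certificate above is all the chroot can get, so this is not
    # counted as an error.
    logger -t fetch-ldap-cert "No CA certificate on the host to copy to ltsp-chroot $chroot_dir."
  fi
}

#######################################
# Entry point for "start": host certificate first, then every LTSP chroot.
# Globals:   LDAPSERVER, LDAPPORT, ERROR (written)
# Returns:   1 when no LDAP server was found or any step failed, 0 otherwise
#######################################
do_start() {
  # Locate LDAP server.  Under set -e a non-zero exit from the helper would
  # end the script silently; treating it as "not found" lets
  # fetch_host_certificate report it instead.
  LDAPSERVER=$(debian-edu-ldapserver) || LDAPSERVER=
  LDAPPORT=636 # ldaps
  ERROR=false

  fetch_host_certificate || return 1

  if [ -d /opt/ltsp ] ; then
    # Glob instead of parsing find output; an unmatched pattern fails the
    # -d test and is skipped.  Like find -type d, symlinks are not chroots.
    for ltsp_chroot in /opt/ltsp/*/ ; do
      ltsp_chroot=${ltsp_chroot%/}
      if [ ! -d "$ltsp_chroot" ] || [ -L "$ltsp_chroot" ] ; then
        continue
      fi
      populate_chroot "$ltsp_chroot"
    done
  fi

  if [ "$ERROR" = true ] ; then
    return 1
  fi
  return 0
}

case "$1" in
  start)
    do_start
    ;;
  stop)
    ;;
  restart|force-reload)
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload}"
    exit 2
    ;;
esac

exit 0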
signature.asc
Description: PGP signature

