Moin Mike,

On Mon, Feb 10, 2020 at 03:46:02PM +0000, Mike Gabriel wrote:
> Package: debian-edu-config
> Version: 2.11.12
> Severity: wishlist
>
> Driving the fetch-ldap-cert logic another step forward. We should, on
> retrieval of Debian-Edu_rootCA.crt, move that file to
> /usr/local/share/ca-certificates/debian-edu/ and run update-ca-certificates
> afterwards.
>
> This assures that Debian-Edu_rootCA is available in the system-wide CA
> bundle in /etc/ssl/certs/ca-certificates.crt.
>
> This issue relates to #926388 (let Firefox trust
> /etc/ssl/certs/ca-certificates.crt)
The attached fetch-ldap-cert script is stripped down quite a lot, but has been tested to work, also with both LTSP thin clients and diskless workstations. Please note that the LTSP NBD image needs to be updated.

The LTSP clients will configure ca-certificates.crt in the overlay file system at runtime. No need to fiddle around as was done until now.

Also, the LDAP server certificate doesn't need to be downloaded and verified. The /etc/nslcd.conf file in Debian Edu 10 contains this setting:

    tls_reqcert demand

This way the LDAP server is forced to send its certificate upon client connect. The connection is established only in case the certificate is valid, i.e. if the related rootCA certificate is contained in /etc/ssl/certs/ca-certificates.

Please test.

Wolfgang
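As an added example (not the fetch-ldap-cert script attached to this mail, nor debian-edu-config code), a shell sketch of the install step Mike describes, together with a check of the nslcd setting Wolfgang's reply relies on. The function names and the optional destination-directory argument (used so the functions can be exercised outside /usr/local) are assumptions; paths and file names are the ones from the thread.

```shell
#!/bin/sh
# Install a fetched Debian-Edu_rootCA.crt into the system CA store and
# verify that nslcd is configured to demand a valid server certificate.
set -eu

CA_NAME="Debian-Edu_rootCA.crt"
DEFAULT_DEST_DIR="/usr/local/share/ca-certificates/debian-edu"

# Return 0 only if FILE looks like exactly one PEM certificate. With openssl
# available the certificate is actually parsed; without it only the PEM
# markers are checked. A fetched file is never trusted before this passes.
is_pem_cert() {
    f="$1"
    [ -s "$f" ] || return 1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
    grep -q -- '-----END CERTIFICATE-----' "$f" || return 1
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Install SRC as $CA_NAME below DEST_DIR (default: the debian-edu directory
# named in the bug) and regenerate /etc/ssl/certs/ca-certificates.crt.
# update-ca-certificates only picks up files ending in .crt, hence the fixed
# target name. When DEST_DIR is overridden (e.g. in a test) the system bundle
# is left untouched.
install_edu_root_ca() {
    src="$1"
    dest_dir="${2:-$DEFAULT_DEST_DIR}"
    if ! is_pem_cert "$src"; then
        echo "refusing to trust $src: not a single PEM certificate" >&2
        return 1
    fi
    mkdir -p "$dest_dir"
    # install(1) sets the mode in one step: world-readable, root-writable only.
    install -m 0644 "$src" "$dest_dir/$CA_NAME"
    if [ "$dest_dir" = "$DEFAULT_DEST_DIR" ]; then
        update-ca-certificates
    fi
}

# Return 0 if CONF (default /etc/nslcd.conf) contains an uncommented
# "tls_reqcert demand" line, i.e. nslcd refuses LDAP servers whose
# certificate does not chain to the installed CA bundle.
nslcd_demands_cert() {
    conf="${1:-/etc/nslcd.conf}"
    grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+demand[[:space:]]*$' "$conf"
}
```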