Hi Wolfgang, On Mi 12 Feb 2020 19:47:04 CET, Wolfgang Schweer wrote:
Moin Mike, On Mon, Feb 10, 2020 at 03:46:02PM +0000, Mike Gabriel wrote:

Package: debian-edu-config
Version: 2.11.12
Severity: wishlist

Driving the fetch-ldap-cert logic another step forward. We should, on retrieval of Debian-Edu_rootCA.crt, move that file to /usr/local/share/ca-certificates/debian-edu/ and run update-ca-certificates afterwards. This assures that Debian-Edu_rootCA is available in the system-wide CA bundle in /etc/ssl/certs/ca-certificates.crt.

This issue relates to #926388 (let Firefox trust /etc/ssl/certs/ca-certificates.crt)

The attached fetch-ldap-cert script is stripped down quite a lot, but has been tested to work - also with both LTSP thin clients and diskless workstations. Please note that the LTSP NBD image needs to be updated. The LTSP clients will configure ca-certificates.crt in the overlay file system at runtime. No need to fiddle around like done until now.

Also, the LDAP server certificate doesn't need to be downloaded and verified. The /etc/nslcd.conf file in Debian Edu 10 contains this setting:

tls_reqcert demand

This way the LDAP server is forced to send its certificate upon client connect. The connection is established only in case the certificate is valid, i.e. if the related rootCA certificate is contained in /etc/ssl/certs/ca-certificates.

Please test.

Wolfgang
The simpleness of the fetch-ldap-cert version you propose is tempting. But this version will only work against TJENERs that have a Debian-Edu_rootCA.crt exported via www.intern.
That is, we IMHO need to make sure that a Debian 11 client still works well with a Debian 9 server. Don't you think?
Greets,
Mike

--
DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
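The install step discussed in the thread (put the fetched root CA under /usr/local/share/ca-certificates/debian-edu/, run update-ca-certificates, and rely on nslcd's "tls_reqcert demand") as an added shell example; this is not the fetch-ldap-cert script attached to the bug, and the function names, the optional third argument and the sanity checks are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the fetch-ldap-cert script from the bug report.
# Paths are parameters so the functions can be exercised against a temp dir.
set -eu

# Sanity check: the download should be exactly one PEM certificate before
# anything is dropped into the trust store.
is_pem_cert() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$f" || return 1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ]
}

# Install the fetched root CA (default dir is the one from the report) and
# refresh the bundle. Third argument (assumed, not from the page) lets a test
# skip update-ca-certificates, which needs root.
install_edu_ca() {
    src="$1"
    dir="${2:-/usr/local/share/ca-certificates/debian-edu}"
    refresh="${3:-1}"
    is_pem_cert "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
    mkdir -p "$dir"
    # update-ca-certificates only picks up files with a .crt suffix
    install -m 0644 "$src" "$dir/Debian-Edu_rootCA.crt"
    if [ "$refresh" = 1 ]; then
        update-ca-certificates
    fi
}

# Post-install check: the bundle must contain the CA. Compare on the first
# base64 line of the body, which is unique per certificate.
ca_in_bundle() {
    ca="$1"
    bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
    [ -r "$bundle" ] || return 1
    line=$(sed -n '/-----BEGIN CERTIFICATE-----/{n;p;q;}' "$ca")
    [ -n "$line" ] && grep -qF -- "$line" "$bundle"
}

# nslcd must demand the server certificate for the trust store to matter.
nslcd_demands_cert() {
    grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+demand[[:space:]]*$' "${1:-/etc/nslcd.conf}"
}
```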