Bug#935080: slapcat used in gosa hook script gosa-modify-host

2019-08-19 Thread Mike Gabriel

Package: debian-edu-config
Severity: important
Version: 2.10.67

Hi all,

the gosa-modify-host script utilizes slapcat to check LDAP for removed hosts:

```
www-data@tjener:~$ /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-modify-host && echo TRUE

+ slapcat
+ grep dell007.intern.
+ grep -q dhcp
+ kadmin.local delprinc host/dell007.intern..intern@INTERN
delete_principal: Principal does not exist while deleting principal "host/dell007.intern..intern@INTERN"
```

1. The slapcat tool is an offline administration tool for LDAP and should not be used for day-to-day online tasks.

The part where it is used is about cleaning up the /etc/debian-edu/host-keytabs/ directory.

The better approach here is going over all files in that folder and doing an ldapsearch query for each host.

2. Furthermore, this should not be done in gosa-modify-host, but in a separate CRON job that does not inflict on the execution time of the script.

3. Last but not least, the loop over all slapcat'ed hosts aborts if some error occurs and thus ends in the middle of the run.

This needs some more love, I guess.

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Bug#935080: slapcat used in gosa hook script gosa-modify-host

2019-08-19 Thread Petter Reinholdtsen
[Mike Gabriel]
> The slapcat tool is an offline administration tool for LDAP and should
> not be used for day-to-day online tasks.

Care to explain this argument a bit more?  I fail to see why slapcat
should have a different status from any other tools available, for use
in day-to-day tasks as the developer sees fit.

Is there some other reason not to use slapcat, in addition to it 'should
not be used for day-to-day online tasks'?

Note, I have no idea why slapcat is used in the script to locate hosts:

```
# cleanup from leftover host principals and keytab file:
for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
    if slapcat | grep $i | grep -q dhcp ; then
        :
    else
        kadmin.local delprinc host/$i.intern@INTERN
        kadmin.local delprinc nfs/$i.intern@INTERN
        rm /etc/debian-edu/host-keytabs/$i.intern.keytab
    fi
done
```

I have no idea why Wolfgang decided to use slapcat instead of ldapsearch
here.  Perhaps to make sure he is operating on the local LDAP database,
or because he did not have the LDAP connection details available in the
script?

-- 
Vennlig hilsen
Petter Reinholdtsen



Bug#935080: slapcat used in gosa hook script gosa-modify-host

2019-08-19 Thread Mike Gabriel

Hi Petter,

On Mo 19 Aug 2019 12:56:11 CEST, Petter Reinholdtsen wrote:

> [Mike Gabriel]
> > The slapcat tool is an offline administration tool for LDAP and should
> > not be used for day-to-day online tasks.
>
> Care to explain this argument a bit more?  I fail to see why slapcat
> should have a different status from any other tools available, for use
> in day-to-day tasks as the developer sees fit.

When using slapcat, you always dump the full local DB rather than searching for what you are looking for and leaving the search to the DB.

The loop quoted below dumps the full LDAP DB for each host listed in /etc/debian-edu/host-keytabs. This is something between 80-100 hosts here. And this happens whenever the admin clicks "OK" on a GOsa system (for modifications). So, this scales badly.

> Is there some other reason not to use slapcat, in addition to it 'should
> not be used for day-to-day online tasks'?

The script runs as "root" and everything in LDAP gets shown to the script with slapcat (and is grepped out, but still). Furthermore, the full DB gets dumped several times repetitively and the script runs (after clicking "OK" on a GOsa system) whenever a host gets modified, which causes a long delay on a populated school LDAP DB.

> Note, I have no idea why slapcat is used in the script to locate hosts:
>
>     # cleanup from leftover host principals and keytab file:
>     for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
>         if slapcat | grep $i | grep -q dhcp ; then
>             :
>         else
>             kadmin.local delprinc host/$i.intern@INTERN
>             kadmin.local delprinc nfs/$i.intern@INTERN
>             rm /etc/debian-edu/host-keytabs/$i.intern.keytab
>         fi
>     done

Using slapcat here is wrong; it should be proper LDAP DB queries with a specific search pattern.

> I have no idea why Wolfgang decided to use slapcat instead of ldapsearch
> here.  Perhaps to make sure he is operating on the local LDAP database,
> or because he did not have the LDAP connection details available in the
> script?

IMHO, the LDAP DB will answer anonymous queries just right when it comes to DHCP hosts.

@Wolfgang: feedback?

Mike
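The points raised in both of Mike's mails (one targeted ldapsearch per keytab instead of dumping the whole DB with slapcat, and a loop that does not die on the first kadmin error) can be seen together in the following sketch. It is an added example, not code from debian-edu-config or from anyone in this thread. Everything below that the bug report does not state is an assumption: the LDAP URI ldap://ldap.intern and base DN dc=skole,dc=skolelinux,dc=no, DHCP hosts being objectClass=dhcpHost entries whose cn is the short host name, the keytab naming <host>.intern.keytab, and the LDAPSEARCH/KADMIN variables, which exist only so the two external commands can be stubbed when the script is run offline.

```shell
#!/bin/sh
# Added example, not code from debian-edu-config: the host-keytab cleanup
# rewritten around one targeted ldapsearch per host (no slapcat), with the
# loop surviving per-host errors.  Assumptions that are not in the bug
# report: the LDAP URI and base DN, that DHCP hosts are objectClass=dhcpHost
# entries whose cn is the short host name, and the keytab naming scheme
# <host>.intern.keytab.  LDAPSEARCH and KADMIN exist so the two external
# commands can be replaced by stubs when testing offline.
LDAP_URI=${LDAP_URI:-ldap://ldap.intern}
LDAP_BASE=${LDAP_BASE:-dc=skole,dc=skolelinux,dc=no}
REALM=${REALM:-INTERN}
KEYTAB_DIR=${KEYTAB_DIR:-/etc/debian-edu/host-keytabs}
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}
KADMIN=${KADMIN:-kadmin.local}

# A keytab file name ends up inside an LDAP filter and a Kerberos
# principal, so accept only a plain DNS label (letters, digits, '-').
valid_host() {
    case $1 in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Succeeds when LDAP still has a DHCP host object for $1.  Anonymous simple
# bind (-x), plain LDIF (-LLL), only the dn attribute requested: a "dn:"
# line in the answer means the host exists; the server does the searching.
host_in_ldap() {
    "$LDAPSEARCH" -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=dhcpHost)(cn=$1))" dn 2>/dev/null | grep -q '^dn:'
}

# Delete principals and keytab of every host in $1 that is gone from LDAP.
# Prints the cleaned-up host names to stdout; problems go to stderr and are
# reported through the exit status, but never stop the loop.
cleanup_stale_hosts() {
    dir=$1
    rc=0
    for f in "$dir"/*.intern.keytab; do
        [ -e "$f" ] || continue            # empty directory: glob unexpanded
        h=${f##*/}
        h=${h%.intern.keytab}
        if ! valid_host "$h"; then
            printf 'skipping keytab with unexpected name: %s\n' "$f" >&2
            rc=1
            continue
        fi
        host_in_ldap "$h" && continue      # still a known DHCP host: keep it
        for p in "host/$h.intern@$REALM" "nfs/$h.intern@$REALM"; do
            # A missing principal is not fatal here: warn and carry on.
            "$KADMIN" delprinc -force "$p" >/dev/null 2>&1 \
                || printf 'warning: could not delete principal %s\n' "$p" >&2
        done
        rm -f "$f" || rc=1
        printf '%s\n' "$h"
    done
    return "$rc"
}

# Meant to run as root from cron or a systemd timer rather than from the
# GOsa hook; stand-alone invocation:
if [ "${1:-}" = "--run" ]; then
    cleanup_stale_hosts "$KEYTAB_DIR"
fi
```

The name check is the part worth keeping even if the rest is rewritten: a keytab file name that the script does not control is spliced into an LDAP filter and into a principal name, so restricting it to a DNS label keeps a stray file from turning into an arbitrary search filter. `delprinc -force` skips kadmin's confirmation prompt, and a failing delete only produces a warning, so a host whose principal is already gone (the case in the trace at the top of the thread) no longer aborts the run.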


Re: debian-edu-doc 2.10.19: Please update debconf PO translation for the package debian-edu-doc

2019-08-19 Thread Holger Levsen
Hi Claudio,

On Mon, Aug 19, 2019 at 06:48:01PM +0200, Claudio Carboncini wrote:
> Here it is.

thank you, committed to git.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-19 Thread Mike Gabriel

Hi Holger, hi Wolfgang,

On Fr 16 Aug 2019 21:43:05 CEST, Holger Levsen wrote:

> Hi Mike,
>
> On Fri, Aug 16, 2019 at 05:43:42PM +, mike.gabr...@das-netzwerkteam.de wrote:
> > I can do that after the weekend. I have put it in my calendar for
> > Monday morning.
>
> great, thank you!

I have put together a buster branch for debian-edu-config. At the end of this mail find a .diff between buster..master.

I wasn't sure about the D-I / entropy related changes between 2.10.65 and 2.10.67 and if they were actually being targeted for the buster-pu or just for stable.

Please let me know if "those" entropy commits need to get included or not.

Once we have agreed on a package version to upload to buster, I will compose the buster srm bug report for it.

Please give feedback. Thanks!

Mike

```
[mike@minobo d-e-c (buster)]$ git diff buster..master | cat
diff --git a/debian/changelog b/debian/changelog
index b78cc1b7..c4c58cf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,59 +1,14 @@
-debian-edu-config (2.10.65+deb10u1) UNRELEASED; urgency=medium
+debian-edu-config (2.10.67) unstable; urgency=medium

   [ Wolfgang Schweer ]
-  * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes:  
#928756)
-- Use PXE option 'ipappend 2' for LTSP client boot. This option  
makes sure

-  that all DHCP server information is getting through to LTSP clients.
-  (LTSP used this option before, but switched to 'ipappend 3' during the
-  Buster development cycle to ease setups with ProxyDHCP.)
-  * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
-- Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
-  * Set environment variable to deal with Firefox profile. (Closes: #930122)
-This is a workaround for bug #930125, preventing firefox-esr  
startup issues

-if the mozilla profile is on an NFS share).
-- Ship share/debian-edu-config/edu-firefox-nfs with  
NSS_SDB_USE_CACHE="yes"

-  as content. Thanks to Mike Gabriel for spotting the issue and providing
-  this information.
-- Add instructions to cf3/cf.workarounds to link the  
'edu-firefox-nfs' file

-  to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.
-  * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
-- While the reported arch is i686, LTSP uses i386. Set arch accordingly.
-  * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
-- Remove outdated (and now wrong) logging section.
-  * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
-- Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
-  to changed behaviour of the ifupdown/dhclient/systemd  
combination and now
-  also causes the loss of a dynamically allocated ipv4 IP address  
after 20

-  to 30 minutes after booting.
-- Add code to d/debian-edu-config.postinstall to implement the intended
-  hostname update just after rebooting the system after a change.
-- Adjust Makefile.
-  * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
-- Adjust share/debian-edu-config/tools/create-debian-edu-certs to  
copy the

-  rootCA file to the web server directory at certificate generation time.
-- Adjust cf3/cf.finalize to care for the rootCA file as well.
-- Adjust cf3/cf.workarounds to copy the rootCA file to the web server
-  directory upon main server upgrade.
-  * Add LDAP server certificate to the initial LTSP NBD image.  
(Closes: #932828)

-- etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
-- cf3/edu.cf: Define new class 'ltspimages'.
-- cf3/cf.finalize: Add code to include the LDAP server  
certificate for all

-  possible use cases, to generate the image and to adjust various rights.
-  * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67).
+  * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
 - Use independent conditions to make sure that the LDAP server  
certificate
-  is only downloaded once for both host and LTSP chroot. (Closes:  
#934380)

+  is only downloaded once for both host and LTSP chroot.
 - Add code to validate the LDAP server certificate in case the Debian Edu
   RootCA certificate is available for download.

   [ Mike Gabriel ]
-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66):
-- Make the script (and with it Debian Edu buster workstations) work in a
-  Debian Edu environment where the main server (TJENER) is still  
on Debian

-  Edu 8 or 9. (Closes: #926933)
-- Retrieve TJENER's PKI server certificate only once per host to improve
-  security. This re-introduces the behaviour of fetch-ldap-cert  
in stretch

-  and earlier. (Closes: #931413).
-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67):
+  * Code review debian-edu-config.fetch-ldap-cert:
 - White-space-only change: Fix broken and
```
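Review bot: the buster-side changelog line `-  * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67).` has a stray closing parenthesis with no opening one; the sibling entry `-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66):` shows the intended form, so the buster entry should read `(from 2.10.67):` before it is uploaded. Keep in mind when reading the hunk that the diff was taken as `buster..master`, so every `-` line is buster content and every `+` line is master content, and that the buster entry is still marked `UNRELEASED` with the `2.10.65+deb10u1` version Holger later confirms. The hunk header announces 59 removed lines, but the quoted diff stops mid-sentence at `Fix broken and`, so the tail of the changelog comparison and any files after debian/changelog cannot be reviewed from this mail.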
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-19 Thread Holger Levsen
Hi Mike,

On Mon, Aug 19, 2019 at 08:00:05PM +, Mike Gabriel wrote:
> I have put together a buster branch for debian-edu-config. At the end of
> this mail find a .diff between buster..master.

cool, thanks for this! (I won't have time for review now though, cccamp
is being too noisy atm.)

> I wasn't sure about the D-I / entropy related changes between 2.10.65 and
> 2.10.67 and if they were actually being targetted for the buster-pu or just
> for stable.
> 
> Please let me know, if "those" entropy commits need to get included or not.

I believe either is fine.

> Once we have agreed on a package version to upload to buster, I will compose
> the buster srm bug report for it.

2.10.65+deb10u1 is good.


-- 
cheers,
Holger
