
Re: Bug#768509: debian-edu-config: After upgrading a Wheezy main-server to Debian 7.7 the Gosa gui fails to connect to LDAP



On Sat, Nov 08, 2014 at 01:17:27AM +0100, Wolfgang Schweer wrote:
> Package: debian-edu-config
> Version: 1.718
> Severity: important
> User: debian-edu@lists.debian.org
> Usertags: debian-edu
> 
> After upgrading a Debian Edu Wheezy main server to the 7.7 point release 
> and to d-e-config 1.718 the GOsa² gui fails to connect to LDAP (as 
> reported by Giorgio Pioda on the debian-edu mailing list).
> 
> The point release included ssl and php5 related changes which might 
> cause the issue.
> 
> Setting up a new gosa.conf file from scratch on a test server and 
> replacing ldap with ldaps in the referral URI (in gosa.conf) seems to 
> re-enable the LDAP connection.
> 
> It should be figured out how d-e-config can cope with this problem.

After investigating further it seems that the mechanism using 
encrypted passwords in gosa.conf is failing now.

(As far as I know the random cleartext password generated during setup 
is encrypted using gosa-encrypt-passwords and a file gosa.secrets is 
generated to let apache2 cope with the encrypted passwords.)

This seems to work for getting an upgraded Wheezy main-server working 
again (no need to generate a new gosa.conf):

(1) cat /dev/null > /etc/gosa/gosa.secrets
(2) take the random cleartext password from gosa.conf.orig and put it
    instead of the encrypted long one into gosa.conf (actually twice: 
    adminPassword and snapshotAdminPassword)
(3) restart apache2

From a security point of view it's probably more than dubious...
Maybe gosa-encrypt-passwords has to be adjusted. 

Wolfgang
