
Bug#934380: fetch-ldap-cert should have independent conditions for both host and LTSP chroot



Package: debian-edu-config
Version: 2.10.66
Severity: important

The fetch-ldap-cert script should make sure that the LDAP server 
certificate is only downloaded once for both host and chroot.

The script used to have independent conditions for these two cases in
pre-Buster releases.

Now a global condition is used. If an LTSP chroot is re-generated or an 
additional one is created, these chroots would never contain the LDAP 
server certificate, i.e. the LDAP certificate will be fetched each time 
an LTSP client is booted. So to really fix #931413 independent 
conditions are needed.

Also, to be useful for the fixes for #332828 (Include the LDAP server 
certificate in initial LTSP chroot image) and #933183 (Provide Debian 
Edu RootCA certificate for download), some more changes are needed.

This change would fix all mentioned issues:

diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..cc83a2e1 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -23,14 +23,15 @@ set -e
 
 CERTFILE=/etc/ssl/certs/debian-edu-server.crt
 BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
 
 do_start() {
     # Locate LDAP server
     LDAPSERVER=$(debian-edu-ldapserver)
-
+    LDAPPORT=636 # ldaps
     ERROR=false
-    if [ -f /etc/nslcd.conf ] &&
-       grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+    if [ ! -f $CERTFILE ] &&  [ -f /etc/nslcd.conf ] &&
+        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
 	if [ -z "$LDAPSERVER" ] ; then
 	    msg="Failed to locate LDAP server"
 	    log_action_begin_msg "$msg"
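Review bot: The grep on line 48 spells out `/etc/ssl/certs/debian-edu-server.crt` although `$CERTFILE` holds exactly that path one line above, so the two can drift apart; `grep -qF -- "$CERTFILE" /etc/nslcd.conf` keeps them tied and matches the dots literally. `$CERTFILE` on line 47 is unquoted, which is harmless for this constant but `[ ! -f "$CERTFILE" ]` is the habit ShellCheck expects. The matching per-chroot guard is outside this hunk (in the attached script it is the `[ ! -f $ltsp_chroot$CERTFILE ]` test of the `/opt/ltsp` loop).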
@@ -39,18 +40,43 @@ do_start() {
 	    return 1
 	fi
 	[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-	if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
-	    gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+	if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
+	    if curl -sfk --head -o /dev/null https://www.intern ; then
+		if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \
+		    grep -q CERTIFICATE $ROOTCACRT ; then
+			gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+			logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
+		    else
+			rm -f $ROOTCACRT
+			if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
+			    grep -q CERTIFICATE $BUNDLECRT ; then
+				gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+				logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
+		else
+		    rm -f $BUNDLECRT
+		    logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
+		fi
+	    fi
+	    else
+		log_action_end_msg 1
+		logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
+	        ERROR=true
+	    fi
 	else
 	    /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
 	    chmod 644 $CERTFILE.new
+	    logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
 	fi
 	if test -s $CERTFILE.new ; then
 	    mv $CERTFILE.new $CERTFILE
 	    [ "$VERBOSE" != no ] && log_action_end_msg 0
-	    logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+	    if [ -f $BUNDLECRT ] ; then
+	        logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+	    else
+	        logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
+	    fi
 	else
-	    rm $CERTFILE.new
+	    rm -f $CERTFILE.new
 	    log_action_end_msg 1
 	    logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
 	    ERROR=true
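Review bot: The rootCA download on lines 60-61 drops curl's `-f` and accepts any body containing the word CERTIFICATE, so an HTTP error page can land in `$ROOTCACRT` and then be handed to gnutls-cli as the trust anchor; the bundle fetch on lines 66-67 has the same gap. Since the download is unverified (`-k`) by design, require at least that it parses, writing to a temporary name first: `curl -sfk -o $ROOTCACRT.new https://www.intern/Debian-Edu_rootCA.crt && openssl x509 -noout -in $ROOTCACRT.new && mv $ROOTCACRT.new $ROOTCACRT`. The `grep RootCA` on line 58 wants `-q`, otherwise matching lines of the not-yet-trusted chain are printed to the console. The `[ -f $BUNDLECRT ]` test on line 89 is false on the rootCA path, so the "verified" message is logged only for the fallback; recording the CA file actually used would fix that. The gnutls-cli calls on lines 62 and 68 pass no `-p "$LDAPPORT"`, so if I recall its default port (443) correctly they save the certificate served on the web port rather than the ldaps one, and the `else`/`fi` on lines 70-74 are indented one level shallower than the `if` they close (lines 66 and 60), which hides that structure.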
@@ -64,10 +90,24 @@ do_start() {
 		log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
 		if test -s $CERTFILE; then
 		    cp $CERTFILE $ltsp_chroot$CERTFILE
+		[ "$VERBOSE" != no ] && log_action_end_msg 0
+		else
+		    log_action_end_msg 1
+		    ERROR=true
+		fi
+		log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
+		if test -s $ROOTCACRT; then
+		    cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
 		    [ "$VERBOSE" != no ] && log_action_end_msg 0
 		else
+		    log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
+		    if test -s $BUNDLECRT; then
+			cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
+			[ "$VERBOSE" != no ] && log_action_end_msg 0
+		    else
 		    log_action_end_msg 1
 		    ERROR=true
+		    fi
 		fi
 	    fi
 	done
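Review bot: The `log_action_begin_msg` for the rootCA copy on line 109 is never closed when the file is absent: line 114 opens a second begin message inside its else branch, so the rootCA line is left dangling in the boot output, and unlike the other begin messages it is not gated on `$VERBOSE`. An if/elif over the two candidate files keeps one begin/end pair per copy. Note that when neither `$ROOTCACRT` nor `$BUNDLECRT` exists — which, if I read the host branch right, is the normal state on the pre-Buster path — every new chroot reports a failure and sets `ERROR`; if that is intended it deserves a comment. The enclosing `for` loop and `if` start outside this hunk.
```sh
# … unchanged: copy of $CERTFILE into the chroot …
if test -s $ROOTCACRT; then
    [ "$VERBOSE" != no ] && log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
    cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
    [ "$VERBOSE" != no ] && log_action_end_msg 0
elif test -s $BUNDLECRT; then
    [ "$VERBOSE" != no ] && log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
    cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
    [ "$VERBOSE" != no ] && log_action_end_msg 0
else
    log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
    log_action_end_msg 1
    ERROR=true
fi
```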
@@ -79,13 +119,7 @@ do_start() {
 
 case "$1" in
     start)
-	# do absolutely nothing, if this host is already "attached" to
-	# a Debian Edu network
-	if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
-	    :
-	else
-	    do_start
-	fi
+	do_start
 	;;
     stop)
 	;;
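Review bot: The once-only intent that the removed comment on lines 129-130 explained now lives in the `[ ! -f $CERTFILE ]` guard inside do_start (and, in the attached script, the `[ ! -f $ltsp_chroot$CERTFILE ]` guard of the chroot loop), but neither guard carries a comment; I would move it there, e.g. `# Independent guards: the host and every LTSP chroot fetch/copy the certificate only once (#934380).` With the wrapper gone, do_start runs on every `start`, and because it is called outside any condition under `set -e` its `return 1` aborts the script, so a chroot whose copy fails will, if I read the loop right, make the service exit non-zero on every boot until that chroot has its certificate file. That may be acceptable, but it is a visible change from the old behaviour and worth a line in the changelog.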


Please test. (script is attached)

Wolfgang
#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#   Start before krb5-kdc to give slapd time to become operational
#   before krb5-kdc try to connect to the LDAP server as a workaround
#   for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <pere@hungry.com>
# Date:   2007-06-09

# Abort on the first unhandled failing command; the steps below that may
# legitimately fail are wrapped in conditions and log their own outcome.
set -o errexit

# LSB helpers used below: log_action_begin_msg / log_action_end_msg.
. /lib/lsb/init-functions

# Where the fetched material is installed; the same paths are used inside
# each LTSP chroot.
CERTFILE=/etc/ssl/certs/debian-edu-server.crt    # LDAP server certificate
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt   # fallback CA bundle
ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt   # Debian Edu root CA

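#######################################
# Download a PEM certificate from www.intern into $2, going through "$2.new"
# so that a failed or truncated download never replaces an existing file.
# The fetch is deliberately unverified (-k): it is the trust bootstrap that
# runs before any CA is installed, so the only integrity check available is
# that the body parses as an X.509 certificate.  -f makes curl fail on HTTP
# errors instead of saving the error page under a certificate name.
# Arguments: $1 - URL, $2 - destination path
# Returns:   0 with $2 installed (mode 644); 1 otherwise, $2.new removed
#######################################
fetch_pem_cert() {
    if curl -sfk -o "$2.new" "$1" && openssl x509 -noout -in "$2.new" 2>/dev/null ; then
        chmod 644 "$2.new"
        mv "$2.new" "$2"
        return 0
    fi
    rm -f "$2.new"
    return 1
}

#######################################
# Copy one certificate file from the host into an LTSP chroot, at the same
# path, with one LSB begin/end message pair around it.
# Arguments: $1 - host file, $2 - chroot root, $3 - description for the log
# Returns:   0 on success; 1 if $1 is missing/empty or the copy failed
#######################################
copy_cert_to_chroot() {
    [ "$VERBOSE" != no ] && log_action_begin_msg "Copying $3 to ltsp-chroot $2 "
    if test -s "$1" && cp "$1" "$2$1" ; then
        [ "$VERBOSE" != no ] && log_action_end_msg 0
        return 0
    fi
    log_action_end_msg 1
    return 1
}

#######################################
# Fetch the LDAP server certificate for the host and copy it (plus the CA it
# was verified against) into every LTSP chroot.  The host and each chroot are
# guarded independently, so a re-generated or newly created chroot is still
# populated when the host already has its certificate (#934380).
# Globals:   CERTFILE, BUNDLECRT, ROOTCACRT, VERBOSE (read);
#            LDAPSERVER, LDAPPORT, ERROR, msg, cafile (written)
# Returns:   0 on success, 1 if the LDAP server could not be located or any
#            fetch/copy step failed
#######################################
do_start() {
    # Locate LDAP server
    LDAPSERVER=$(debian-edu-ldapserver)
    LDAPPORT=636 # ldaps
    ERROR=false
    # Host: only when nslcd is configured to use the certificate and it is
    # not installed yet.  -F keeps the dots in the path literal.
    if [ ! -f "$CERTFILE" ] && [ -f /etc/nslcd.conf ] &&
        grep -qF -- "$CERTFILE" /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
            log_action_begin_msg "$msg"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "$msg."
            return 1
        fi
        [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
        # Never install a leftover from an earlier aborted run.
        rm -f "$CERTFILE.new"
        # CA file the server certificate is verified against; stays empty on
        # the pre-Buster path, where the certificate is taken as-is.
        cafile=""
        # The server is not trusted yet, so this probe only selects the path:
        # a chain mentioning the Debian Edu RootCA can be verified against a
        # CA fetched from www.intern.
        if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q RootCA ; then
            if curl -sfk --head -o /dev/null https://www.intern ; then
                if fetch_pem_cert https://www.intern/Debian-Edu_rootCA.crt "$ROOTCACRT" ; then
                    cafile=$ROOTCACRT
                    logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
                elif fetch_pem_cert https://www.intern/debian-edu-bundle.crt "$BUNDLECRT" ; then
                    cafile=$BUNDLECRT
                    logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
                else
                    logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
                fi
                if [ -n "$cafile" ] ; then
                    # Talk to the ldaps port explicitly (gnutls-cli would
                    # otherwise use its own default) and keep the certificate
                    # only if it verifies against the CA; on failure nothing
                    # is left for the install step below to pick up.
                    gnutls-cli --x509cafile "$cafile" -p "$LDAPPORT" \
                        --save-cert="$CERTFILE.new" "$LDAPSERVER" < /dev/null \
                        || rm -f "$CERTFILE.new"
                fi
            else
                # No CERTFILE.new is produced, so the failure branch below
                # ends the LSB message and sets ERROR.
                logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
            fi
        else
            /usr/share/debian-edu-config/tools/ldap-server-getcert "$LDAPSERVER" > "$CERTFILE.new" \
                || rm -f "$CERTFILE.new"
            logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
        fi
        if test -s "$CERTFILE.new" ; then
            # World-readable on every path: nslcd and friends read it unprivileged.
            chmod 644 "$CERTFILE.new"
            mv "$CERTFILE.new" "$CERTFILE"
            [ "$VERBOSE" != no ] && log_action_end_msg 0
            if [ -n "$cafile" ] ; then
                logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
            else
                logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
            fi
        else
            rm -f "$CERTFILE.new"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
            ERROR=true
        fi
    fi
    # LTSP chroots: each one is checked on its own, independent of the host.
    if [ -d /opt/ltsp ] ; then
        # Chroot directory names are assumed to contain no whitespace, as in
        # the original find loop.
        for ltsp_chroot in $(find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d) ; do
            if [ ! -f "$ltsp_chroot$CERTFILE" ] && [ -f "$ltsp_chroot/etc/nslcd.conf" ] &&
                grep -qF -- "$CERTFILE" "$ltsp_chroot/etc/nslcd.conf" ; then
                copy_cert_to_chroot "$CERTFILE" "$ltsp_chroot" "LDAP SSL certificate" || ERROR=true
                # Prefer the rootCA, fall back to the bundle.  NOTE(review): on
                # the pre-Buster path neither file exists on the host, so this
                # reports an error for every new chroot -- confirm intended.
                if test -s "$ROOTCACRT" ; then
                    copy_cert_to_chroot "$ROOTCACRT" "$ltsp_chroot" "Debian Edu rootCA certificate" || ERROR=true
                else
                    copy_cert_to_chroot "$BUNDLECRT" "$ltsp_chroot" "TLS certificate bundle" || ERROR=true
                fi
            fi
        done
    fi
    if $ERROR; then
        return 1
    fi
}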

# Entry point: only "start" does work; the other LSB actions are no-ops
# because the fetched certificate needs no teardown.
case "$1" in
    start)
        do_start
        ;;
    stop|restart|force-reload)
        ;;
    *)
        printf 'Usage: %s {start|stop|restart|force-reload}\n' "$0"
        exit 2
        ;;
esac
exit 0
