Moin Mike, On Thu, Jul 11, 2019 at 08:14:20PM +0200, Wolfgang Schweer wrote: > On Thu, Jul 11, 2019 at 10:14:01AM +0000, Mike Gabriel wrote: > > I don't see a reason for updating the LDAP cert in the chroot on every boot > > of the ltspserver, either. > > Correct, it should only be fetched once. Thanks to Petter for explaining > how the LDAP server certificate prevents potential credential exposure and > that the 'fetch only once' is important for both host and chroot location. Please test the attached version of the fetch-ldap-cert init script against both buster and older main servers. (I've dropped the '-f' option to curl that you added in commit 0b71277 because we want to detect if the bundle certificate is provided.) Wolfgang
#!/bin/sh
### BEGIN INIT INFO
# Provides: fetch-ldap-cert
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $network $syslog $named slapd
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
# Start before krb5-kdc to give slapd time to become operational
# before krb5-kdc try to connect to the LDAP server as a workaround
# for #589915.
# X-Start-Before: isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <pere@hungry.com>
# Date: 2007-06-09
set -e
. /lib/lsb/init-functions
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
do_start() {
# Locate LDAP server
LDAPSERVER=$(debian-edu-ldapserver)
LDAPPORT=636 # ldaps
ERROR=false
if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
if [ -z "$LDAPSERVER" ] ; then
msg="Failed to locate LDAP server"
log_action_begin_msg "$msg"
log_action_end_msg 1
logger -t fetch-ldap-cert "$msg."
return 1
fi
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
grep -v -q 404 $BUNDLECRT ; then
gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
else
rm $BUNDLECRT
fi
else
/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
chmod 644 $CERTFILE.new
logger -t fetch-ldap-cert "Fetched old style LDAP certificate."
fi
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
else
rm -f $CERTFILE.new
log_action_end_msg 1
logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
ERROR=true
fi
fi
if [ -d /opt/ltsp ] ; then
for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
[ "$VERBOSE" != no ] &&
log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
if test -s $CERTFILE; then
cp $CERTFILE $ltsp_chroot$CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
else
log_action_end_msg 1
ERROR=true
fi
log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
if test -s $BUNDLECRT; then
cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
[ "$VERBOSE" != no ] && log_action_end_msg 0
else
log_action_end_msg 1
ERROR=true
fi
fi
done
fi
if $ERROR; then
return 1
fi
}
case "$1" in
start)
do_start
;;
stop)
;;
restart|force-reload)
;;
*)
echo "Usage: $0 {start|stop|restart|force-reload}"
exit 2
esac
exit 0
Attachment:
signature.asc
Description: PGP signature