Moin Mike, On Thu, Jul 11, 2019 at 08:14:20PM +0200, Wolfgang Schweer wrote: > On Thu, Jul 11, 2019 at 10:14:01AM +0000, Mike Gabriel wrote: > > I don't see a reason for updating the LDAP cert in the chroot on every boot > > of the ltspserver, either. > > Correct, it should only be fetched once. Thanks to Petter for explaining > how the LDAP server certificate prevents potential credential exposure and > that the 'fetch only once' is important for both host and chroot location. Please test the attached version of the fetch-ldap-cert init script against both buster and older main servers. (I've dropped the '-f' option to curl that you added in commit 0b71277 because we want to detect if the bundle certificate is provided.) Wolfgang
#!/bin/sh ### BEGIN INIT INFO # Provides: fetch-ldap-cert # Required-Start: $local_fs $remote_fs # Required-Stop: $local_fs $remote_fs # Should-Start: $network $syslog $named slapd # Default-Start: 2 3 4 5 # Default-Stop: # Short-Description: Fetch LDAP SSL public key from the server # Description: # Start before krb5-kdc to give slapd time to become operational # before krb5-kdc try to connect to the LDAP server as a workaround # for #589915. # X-Start-Before: isc-dhcp-server krb5-kdc nslcd ### END INIT INFO # # Author: Petter Reinholdtsen <pere@hungry.com> # Date: 2007-06-09 set -e . /lib/lsb/init-functions CERTFILE=/etc/ssl/certs/debian-edu-server.crt BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt do_start() { # Locate LDAP server LDAPSERVER=$(debian-edu-ldapserver) LDAPPORT=636 # ldaps ERROR=false if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then if [ -z "$LDAPSERVER" ] ; then msg="Failed to locate LDAP server" log_action_begin_msg "$msg" log_action_end_msg 1 logger -t fetch-ldap-cert "$msg." return 1 fi [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \ grep -v -q 404 $BUNDLECRT ; then gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern." else rm $BUNDLECRT fi else /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new chmod 644 $CERTFILE.new logger -t fetch-ldap-cert "Fetched old style LDAP certificate." fi if test -s $CERTFILE.new ; then mv $CERTFILE.new $CERTFILE [ "$VERBOSE" != no ] && log_action_end_msg 0 logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." else rm -f $CERTFILE.new log_action_end_msg 1 logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER." ERROR=true fi fi if [ -d /opt/ltsp ] ; then for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] && grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then [ "$VERBOSE" != no ] && log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot " if test -s $CERTFILE; then cp $CERTFILE $ltsp_chroot$CERTFILE [ "$VERBOSE" != no ] && log_action_end_msg 0 else log_action_end_msg 1 ERROR=true fi log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot " if test -s $BUNDLECRT; then cp $BUNDLECRT $ltsp_chroot$BUNDLECRT [ "$VERBOSE" != no ] && log_action_end_msg 0 else log_action_end_msg 1 ERROR=true fi fi done fi if $ERROR; then return 1 fi } case "$1" in start) do_start ;; stop) ;; restart|force-reload) ;; *) echo "Usage: $0 {start|stop|restart|force-reload}" exit 2 esac exit 0
Attachment:
signature.asc
Description: PGP signature