Wolfgang Schweer · Wolfgang Schweer · Wolfgang Schweer · Wolfgang Schweer · Wolfgang Schweer · 735bb126
--- a/cf3/cf.workarounds
+++ b/cf3/cf.workarounds
@@ -22,5 +22,13 @@ files:
    "/etc/resolvconf/update-libc.d/squid"
      link_from => ln_s("/usr/share/debian-edu-config/squid.resolvconf"),
      move_obstructions => "true";
+
+commands:
+
+  debian.xfce.(ltspclient|ltspserver).installation::
+  # Provide a screensaver as a workaround for #922718 (fixed in experimental
+  # but not in Buster). FIXME: Check if this is still needed for Bullseye.
+    "/usr/bin/apt-get install -y xscreensaver"
+      contain => in_shell;
 }

--- a/debian/changelog
+++ b/debian/changelog
 debian-edu-config (2.10.61) UNRELEASED; urgency=medium

+  [ Holger Levsen ]
  * www/index* and www/*.po: replace http://popcon.skolelinux.org with
    https://popcon.debian.org as the former is unmaintained.

+  [ Wolfgang Schweer ]
+  * cf3/cf.workarounds:
+    - Provide Xfce screensaver for LTSP clients (workaround for bug #922718,
+      fixed in experimental but unlikely to be fixed in Buster).
+  * Improve LDAP server certificate check:
+    - tools/create-debian-edu-certs:
+      Make /etc/debian-edu/www/debian-edu-bundle.{crt,pem} downloadable.
+    - debian-edu-config.fetch-ldap-cert:
+      Verify the LDAP server cert using the downloaded Debian-Edu_rootCa one.
+  * testsuite/{ldap-client,ldap-server,sudo,webcache,webserver}:
+    - Fix scripts to match the recent configuration changes.
+
 -- Holger Levsen <holger@debian.org>  Fri, 15 Feb 2019 11:58:26 +0100

 debian-edu-config (2.10.60) unstable; urgency=medium

--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -22,6 +22,7 @@ set -e
 . /lib/lsb/init-functions

 CERTFILE=/etc/ssl/certs/debian-edu-server.crt
+BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt

 do_start() {
    # Locate LDAP server
@@ -38,11 +39,13 @@ do_start() {
 	    return 1
 	fi
 	[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-	/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
+	if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
+	gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+	fi
 	if test -s $CERTFILE.new ; then
 	    mv $CERTFILE.new $CERTFILE
 	    [ "$VERBOSE" != no ] && log_action_end_msg 0
-	    logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
+	    logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
 	else
 	    rm $CERTFILE.new
 	    log_action_end_msg 1

--- a/share/debian-edu-config/tools/create-debian-edu-certs
+++ b/share/debian-edu-config/tools/create-debian-edu-certs
@@ -72,6 +72,7 @@ generate() {
    # available via web-server.
    cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www
    cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www
+    chmod 644 /etc/debian-edu/www/debian-edu-bundle.*
    logger -t create-debian-edu-certs "Certs with both .crt and .pem extension made available in /etc/debian-edu/www."
 }


--- a/testsuite/ldap-client
+++ b/testsuite/ldap-client
@@ -51,7 +51,7 @@ for file in nslcd.conf ; do
 done

 # Verify that NSS is properly configured for netgroups in LDAP.
-if egrep -q '^netgroup: +files *.* +(ldap|sss)$' /etc/nsswitch.conf ; then
+if egrep -q '^netgroup: +nis *.* +(ldap|sss)$' /etc/nsswitch.conf ; then
    success "NSS netgroup setting is correct in /etc/nsswitch.conf"
 else
    error "NSS netgroup setting is wrong in /etc/nsswitch.conf"
@@ -71,14 +71,14 @@ fi
 host -a -t srv _ldap._tcp | sed "s/^/info: SRV record from DNS: /"
 host -a "$ldap_server" | sed "s/^/info: LDAP server from DNS: /"

-if [ -f /etc/ldap/ldap.conf ] ; then
-    if egrep -q "^HOST (ldap|$ldap_server)" /etc/ldap/ldap.conf ; then
+if [ -f /etc/nslcd.conf ] ; then
+    if egrep -q "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then
        :
    else
        error "ldap/ldap.conf misses definition of HOST ldap"
    fi
 else
-    error "/etc/ldap/ldap.conf is missing."
+    error "/etc/nslcd.conf is missing."
 fi

 # test netgroups
@@ -150,25 +150,13 @@ else
    error "Missing /usr/bin/ldapsearch "
 fi

-pubcert=/etc/ldap/ssl/ldap-server-pubkey.pem
-privcert=/etc/ldap/ssl/slapd.pem
-sedextract='/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
+pubcert=/etc/ssl/certs/debian-edu-server.crt
+cacert=/etc/ssl/certs/Debian-Edu_rootCA.crt
 if [ -s $pubcert ] ; then
-    if [ -f $privcert ] ; then
-	# Only compare the public part
-	if sed -n "$sedextract" < $privcert | \
-	    diff - $pubcert ; then
-	    success "Saved LDAP certificate matches slapd certificate"
+    if openssl verify -CAfile $cacert $pubcert; then
+	    success "LDAP certificate matches rootCA certificate"
 	else
-	    error "Saved LDAP certificate do not matches slapd certificate"
-	fi
-    else
-	if echo | openssl s_client -connect $ldap_server:ldaps 2>/dev/null | \
-	    sed -n "$sedextract" | diff - $pubcert ; then
-	    success "Fetched LDAP certificate matches slapd certificate"
-	else
-	    error "Fetched LDAP certificate do not matches slapd certificate"
-	fi
+	    error "LDAP certificate doesn't match rootCA certificate"
    fi
 else
    error "Missing LDAP certificate $pubcert"
@@ -220,7 +208,7 @@ fi

 if echo "$PROFILE" | egrep -q 'LTSP-Server' ; then
    check_file_perm \
-	/opt/ltsp/*/etc/ldap/ssl/ldap-server-pubkey.pem 644
+	/opt/ltsp/*/etc/ssl/certs/debian-edu-server.crt 644
 fi

 exit $RESULT
--- a/testsuite/ldap-server
+++ b/testsuite/ldap-server
@@ -36,7 +36,7 @@ fi

 RESULT=0

-for port in ldap ldaps ; do
+for port in ldap; do
    netstat_check $port tcp slapd || RESULT=1
 done

@@ -47,31 +47,18 @@ else
    RESULT=1
 fi

-if [ -f /etc/ldap/ssl/slapd.pem ] ; then
-    openssl verify  /etc/ldap/ssl/slapd.pem | 
-	  sed "s%^%info: $0: slapd.pem: %"
+if [ -f /etc/ssl/certs/debian-edu-server.crt ] ; then
+    if [ -f /etc/ssl/certs/Debian-Edu_rootCA.crt ] ; then
+        openssl verify -CAfile /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/ssl/certs/debian-edu-server.crt |
+        sed "s%^%info: $0: debian-edu-server.crt: %"
+        echo "success: Certificate debian-edu-server.crt has been verified by Debian-Edu_rootCA.crt."
    else
-    echo "error: Missing /etc/ldap/ssl/slapd.pem"
-    RESULT=1
+        echo "error: Certificate /etc/ssl/certs/Debian-Edu_rootCA.crt is missing."
    fi
-
-# If the client certificate exist, verify that it is identical to the
-# server certificate.  If not, it was probably downloaded from the
-# wrong LDAP server.
-if [ -f /etc/ldap/ssl/ldap-server-pubkey.pem ] ; then
-    if awk '/^-----BEGIN CERTIFICATE-----$/ { yes=1 }
-            yes { print }
-           /^-----END CERTIFICATE-----$/ { yes=0 }' /etc/ldap/ssl/slapd.pem |
-	cmp -s /etc/ldap/ssl/ldap-server-pubkey.pem -
-    then
-	echo "success: Client certificate for LDAP server matches slapd cert."
 else
-	echo "error: Certificate in /etc/ldap/ssl/slapd.pem and /etc/ldap/ssl/ldap-server-pubkey.pem differ."
+    echo "error: Certificate /etc/ssl/certs/debian-edu-server.crt is missing."
    RESULT=1
 fi
-else
-    echo "warning: Missing /etc/ldap/ssl/ldap-server-pubkey.pem"
-fi

 echo "info: connection per ldap-client"
 netstat -a --numeric-hosts | grep :ldap |

--- a/testsuite/sudo
+++ b/testsuite/sudo
@@ -18,10 +18,10 @@ else
    echo "error: $0: sudoRole object for root missing in ldap"
 fi

-if grep -q '^sudoers_base' /etc/ldap/ldap.conf ; then
-    echo "success: $0: suduers_base is set in ldap.conf"
+if grep -q '^sudoers_base' /etc/sudo-ldap.conf ; then
+    echo "success: $0: suduers_base is set in sudo-ldap.conf"
 else
-    echo "error: $0: suduers_base is missing ldap.conf"
+    echo "error: $0: suduers_base is missing sudo-ldap.conf"
 fi

 if grep -q '^sudoers:.* ldap' /etc/nsswitch.conf ; then

--- a/testsuite/webcache
+++ b/testsuite/webcache
@@ -87,7 +87,7 @@ export http_proxy ftp_proxy

 url=https://www.intern/

-if HEAD $HEADOPTS $url 2>&1 | grep -q 'certificate verify' ; then
+if HEAD $HEADOPTS $url 2>&1 | grep -q '200 OK' ; then
    echo "success: $0: Valid response from '$url' using proxy '$http_proxy'."
 else
    echo "error: $0: Unable to connect to '$url' using proxy '$http_proxy'."

--- a/testsuite/webserver
+++ b/testsuite/webserver
@@ -25,7 +25,7 @@ fi
 server=www

 # Wait for 10 seconds
-HEADOPTS="-t 10"
+HEADOPTS="-t 10 -S"

 unset http_proxy || true
 unset https_proxy || true
@@ -47,7 +47,7 @@ if [ ! -x /usr/bin/HEAD ] ; then
 	exit 1
 else
    url=https://$server/
-    if HEAD $HEADOPTS $url 2>&1 | grep -q 'certificate verify' ; then
+    if HEAD $HEADOPTS $url 2>&1 | grep -q '200 OK' ; then
 	echo "success: $0: Apache is listening on '$url'."
    else
 	echo "error: $0: Apache is not listening on '$url'."
@@ -55,7 +55,7 @@ else

    for url in "https://$server/munin/" "https://$server/sitesummary/" \
 	"https://$server/debian-edu-doc/" ; do
-	if HEAD $HEADOPTS $url 2>&1 | grep -q 'certificate verify' ; then
+	if HEAD $HEADOPTS $url 2>&1 | grep -q '200 OK' ; then
 	    echo "success: $0: URL '$url' is working."
 	else
 	    echo "error: $0: URL '$url' is not working."