Hi Wolfgang,

On Wed 24 Jul 2019 16:05:13 CEST, Wolfgang Schweer wrote:

On Mon, Jul 22, 2019 at 07:38:53PM +0000, Holger Levsen wrote:
On Mon, Jul 22, 2019 at 06:32:47PM +0000, Mike Gabriel wrote:
> The school I can test this on is currently powered down due to maintenance
> work on the electric wiring in the building that hosts the server chamber.
> It's on the list...

do you have an ETA for this?

I am waiting for the system to come online again fully. The admin teacher at that school has been pinged/pong.

currently the next point release is planned for August 31 or September
7...

We should really get this into 10.1; as the real world test date appears

Yes!

to be uncertain, I've now tested the fetch-ldap-script in two virtual Edu
networks with buster and stretch workstations against both buster and
pre-buster main servers. Everything works as expected; see logs from
various scenarios further below to get the picture.

Nice!

(Compared to my previous version there are a few cosmetic changes, also
logging has been improved a bit.)

Ok.

This is the diff against the current version in Git:

diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..4a4f5585 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert

[...]

[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-       if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; 
then
- gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
+           if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && 
\

+               grep -v -q 404 $BUNDLECRT ; then
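Review bot: the new outer condition `if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then` depends on $LDAPSERVER and $LDAPPORT, neither of which is assigned anywhere in the visible hunk (the removed gnutls-cli line hard-coded ldap.intern); if either is empty the -connect argument degrades to ":" or "host:" and the test fails silently because stderr is discarded, so please make sure both are set before this point and use `grep -q` so the matched certificate line is not written to stdout. Matching on the literal string RootCA also ties the branch to the naming of the current server certificate chain; a CA with a different name would send every client down the else path.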

WARNING: you dropped the "-f" parameter from curl. Without "-f" curl always exits with exit code 0, we should rather have curl fail properly on connection problems, DNS problems, etc. Further above, in the removed curl call, I had added the "-f" option especially for better exit result handling.

Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn off Apache2 and you won't get the 404, and curl | grep ends in some untested realm.)

+ gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+               logger -t fetch-ldap-cert "Fetched bundle certificate from 
www.intern."
+           else
+               rm $BUNDLECRT
+ logger -t fetch-ldap-cert "Failed to fetch bundle certificate from www.intern."
+           fi
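Review bot: the exit status of `gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null` is never checked, so the following `logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."` reports success even when gnutls-cli could not connect or could not verify the server against the bundle, leaving $CERTFILE.new missing or incomplete while the log says everything went fine. Suggest wrapping it as `if gnutls-cli ... ; then logger ... ; else rm -f "$CERTFILE.new"; logger ... "Failed ..."; fi`, and quoting $BUNDLECRT and $CERTFILE.new while at it; the else branch should also `rm -f` rather than `rm`, since curl may not have created the file at all when it fails.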

[...]

Furthermore, you operate on the bundle certificate file still for buster<->buster setups.

Have you tested with distributing just the rootCA file to the clients?

Greets,
Mike

--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpAJpEUzimv2.pgp
Description: Digital PGP signature
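As an added illustration of the two points raised above (letting curl report failures through its exit status, and validating what was downloaded instead of grepping the body for a 404), here is a small POSIX sh fragment. It is not code from debian-edu-config or from either version of the patch; the function names fetch_bundle and check_pem_bundle, the log helper and the sample file contents in the comments are assumptions made for this example. It keeps curl's -k, as the script does, because the fetched bundle is what later establishes trust, so there is no CA to verify the download against at this point; -f and -sS make HTTP errors and connection or DNS failures surface as a non-zero exit status, and the content check rejects an HTML error page, an empty file or a truncated bundle regardless of which status the web server returned.

```shell
#!/bin/sh
# Added example, not part of debian-edu-config: fetch a CA bundle so that
# curl failures and bad content are both detected and logged.

# Log via syslog when logger is available, otherwise to stderr.
log() {
    logger -t fetch-ldap-cert "$*" 2>/dev/null || printf '%s\n' "$*" >&2
}

# Return 0 only if the file is non-empty and contains at least one
# complete PEM certificate (matching BEGIN/END markers). An HTML 404 page,
# an empty file or a truncated download all fail this check.
check_pem_bundle() {
    f="$1"
    [ -s "$f" ] || return 1
    begins=$(grep -c -F -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -F -e '-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# Download $1 to $2. -f turns HTTP 4xx/5xx into a non-zero exit status,
# -sS silences the progress meter but keeps error messages. -k is kept
# as in the script under review: the bundle being fetched is what will
# establish trust, so there is nothing to verify the download against yet.
fetch_bundle() {
    url="$1"
    out="$2"
    tmp="$out.tmp"
    rc=0
    curl -f -sS -k -o "$tmp" "$url" || rc=$?
    if [ "$rc" -ne 0 ]; then
        log "curl exited with status $rc while fetching $url"
        rm -f "$tmp"
        return 1
    fi
    if ! check_pem_bundle "$tmp"; then
        log "Fetched $url but the content is not a PEM certificate bundle"
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
    log "Fetched bundle certificate from $url"
}

# Stand-alone use: fetch_bundle.sh URL [OUTPUT_FILE]
if [ "$#" -ge 1 ]; then
    fetch_bundle "$1" "${2:-debian-edu-bundle.crt}"
fi
```

Writing to a temporary file and renaming only after the check means a client never ends up with an HTML error page or a half-written file under the bundle name, which is what the earlier `rm $BUNDLECRT` in the else branch was trying to clean up after the fact.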
