Index: univention-thin-client-basesystem.info =================================================================== --- univention-thin-client-basesystem.info (Revision 26113) +++ univention-thin-client-basesystem.info (Revision 26115) @@ -6,6 +6,8 @@ Type: file File: etc/libnss-ldap.conf +Variables: ldap/server/addition +Variables: ldap/server/name Type: file File: etc/nsswitch.conf @@ -24,6 +26,8 @@ Type: file File: etc/ldap/ldap.conf +Variables: ldap/server/name +Variables: ldap/server/addition Type: file File: etc/resolv.conf Index: debian/changelog =================================================================== --- debian/changelog (Revision 26113) +++ debian/changelog (Revision 26115) 
@@ -1,3 +1,37 @@ +univention-thin-client-basesystem (9.1.3-1) unstable; urgency=low + + * merged changed from customer scope Ticket: #2011041210005499 + + -- Felix Botner Mon, 15 Aug 2011 16:32:20 +0200 + +univention-thin-client-basesystem (9.1.2-2) unstable; urgency=low + + * run univention-find-ldapserver at the end of thin-client-network + Ticket #2011030710000906 + + -- Felix Botner Wed, 13 Apr 2011 16:08:00 +0200 + +univention-thin-client-basesystem (9.1.2-1) unstable; urgency=low + + * ignore ldap server policy univentionLDAPServer Ticket #2011030710000906 + + -- Felix Botner Mon, 11 Apr 2011 14:51:39 +0200 + +univention-thin-client-basesystem (9.1.1-1) unstable; urgency=low + + * added univention-find-ldapserver into tc' chroot + Ticket #2011030710000906 + + -- Felix Botner Mon, 11 Apr 2011 11:25:48 +0200 + +univention-thin-client-basesystem (9.1.0-1) unstable; urgency=low + + * support multiple ldap server in /proc/cmdline + * support ldap/server/addition in thin client config + and init scripts Ticket #2011030710000906 + + -- Felix Botner Thu, 07 Apr 2011 11:28:38 +0200 + univention-thin-client-basesystem (9.0.19-1) unstable; urgency=low * Only run join script in postinst on dc master and dc backup (Bug Index: conffiles/etc/ldap/ldap.conf =================================================================== --- conffiles/etc/ldap/ldap.conf (Revision 26113) +++ conffiles/etc/ldap/ldap.conf (Revision 26115) 
@@ -1,5 +1,11 @@ -HOST @%@ldap/server/name@%@ -BASE @%@ldap/base@%@ -#SASL_MECH GSSAPI -#SASL_REALM @%@kerberos/realm@%@ +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem + +@!@ +print "HOST %s" % baseConfig.get('ldap/server/name', "") + " " + baseConfig.get('ldap/server/addition', "") +print "BASE %s" % baseConfig.get('ldap/base', "") +print "#SASL_MECH GSSAPI" +print "#SASL_REALM @%@kerberos/realm@%@" +@!@ Index: conffiles/etc/libnss-ldap.conf =================================================================== --- conffiles/etc/libnss-ldap.conf (Revision 26113) +++ conffiles/etc/libnss-ldap.conf (Revision 26115) @@ -1,4 +1,6 @@ -host @%@ldap/server/name@%@ -base @%@ldap/base@%@ -ldap_version 3 -#ssl start_tls +@!@ +print "host %s" % baseConfig.get('ldap/server/name', "") + " " + baseConfig.get('ldap/server/addition', "") +print "base %s" % baseConfig.get('ldap/base', "") +print "ldap_version 3" +print "#ssl start_tls" +@!@ Index: usr/sbin/univention-find-ldapserver =================================================================== --- usr/sbin/univention-find-ldapserver (Revision 0) +++ usr/sbin/univention-find-ldapserver (Revision 26115) 
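Review bot: `print "HOST %s" % baseConfig.get('ldap/server/name', "") + " " + baseConfig.get('ldap/server/addition', "")` always inserts the separator, so with `ldap/server/addition` unset the HOST line ends in a trailing blank and with `ldap/server/name` unset it degrades to `HOST ` followed by the additions only. Joining only the non-empty values is more robust: `print "HOST %s" % " ".join([h for h in (baseConfig.get('ldap/server/name', ""), baseConfig.get('ldap/server/addition', "")) if h])`. The `#SASL_REALM @%@kerberos/realm@%@` line is now emitted from inside the `@!@` python section; whether the `@%@` placeholder is still expanded there depends on the order in which UCR applies its two template filters, so verify the rendered /etc/ldap/ldap.conf once rather than assuming it. The new header comment says the file "should be world readable but not world writable" but nothing in this hunk enforces a mode; if the package relies on the default umask, a short comment stating that would make the intent checkable.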
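Review bot: The `host` line has the same separator issue as the ldap.conf template, `"host %s" % name + " " + addition` producing a trailing blank or a bare `host ` when one of the two UCR values is empty; `print "host %s" % " ".join([h for h in (baseConfig.get('ldap/server/name', ""), baseConfig.get('ldap/server/addition', "")) if h])` avoids both. With this commit the host list for NSS lookups is populated from the kernel cmdline (via `ldap/server/addition`), while the template still emits `#ssl start_tls`, so user and group resolution runs as anonymous plaintext LDAP against whichever of those hosts answers; that behaviour is inherited from the previous version, not introduced here, but a one-line comment above the `ssl` line stating that transport security is intentionally left to the network would stop the next reader from treating it as an oversight, given a CA certificate is already configured in ldap.conf.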
@@ -0,0 +1,120 @@ +#!/usr/bin/python2.4 +# +# Univention Client Basesystem +# helper script finding the ldap server for a thin client +# +# Copyright 2011 Univention GmbH +# +# http://www.univention.de/ +# +# All rights reserved. +# +# The source code of this program is made available +# under the terms of the GNU Affero General Public License version 3 +# (GNU AGPL V3) as published by the Free Software Foundation. +# +# Binary versions of this program provided by Univention to you as +# well as other copyrighted, protected or trademarked materials like +# Logos, graphics, fonts, specific documentations and configurations, +# cryptographic keys etc. are subject to a license agreement between +# you and Univention and not subject to the GNU AGPL V3. +# +# In the case you use this program under the terms of the GNU AGPL V3, +# the program is provided in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public +# License with the Debian GNU/Linux or Univention distribution in file +# /usr/share/common-licenses/AGPL-3; if not, see +# . 
+ +import ldap +import socket +import os +import re +import sys +import univention.config_registry + +LDAP_OLD_CMDLINE = re.compile('.*ldapServer=([^ "]+).*') +LDAP_NEW_CMDLINE = re.compile('.*ldapServer="([^"]+)".*') +LDAP_PORT = re.compile('.*ldapPort=([^ ]+).*') +SOURCE = "/proc/cmdline" + +def setTemporaryVarsAndExit (server, port, addition): + + if server: univention.config_registry.handler_set(['temporary/ldap/server=%s' % server]) + if addition: univention.config_registry.handler_set(['temporary/ldap/addition=%s' % " ".join(addition)]) + if port: univention.config_registry.handler_set(['temporary/ldap/port=%s' % port]) + + sys.exit(0) + +def ldapAvailable (ip, port): + + # test ldap port + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(1) + s.connect((ip, int(port))) + except Exception, e: + return False + + # try simple bind + try: + lo = ldap.open(ip, port=int(port)) + lo.simple_bind_s() + except Exception, e: + return False + + return True + +server = "" +servers = [] +port = "389" + +fh = open(SOURCE, "r") +for line in fh.readlines(): + + line = line.rstrip('\n') + + # old cmdline style + match = LDAP_OLD_CMDLINE.match(line) + if match: + server = match.group(1) + + # new style + match = LDAP_NEW_CMDLINE.match(line) + if match: + servers = match.group(1).split(" ") + + # port + match = LDAP_PORT.match(line) + if match: + port = match.group(1) +fh.close() + +if server: + setTemporaryVarsAndExit(server, port, []) + +if servers: + + servers.reverse() + addServer = [] + + # test ldap servers + while servers: + server = servers.pop() + if ldapAvailable(server, port): + untested = servers + untested.reverse() + addServer = untested + addServer + setTemporaryVarsAndExit(server, port, addServer) + else: + addServer.append(server) + + # multiple servers found but none available, + # use first one + server = addServer[0] + del addServer[0] + setTemporaryVarsAndExit(server, port, addServer) Eigenschaftsänderungen: 
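Review bot: The availability probe in `ldapAvailable` bounds only the raw TCP connect (`s.settimeout(1)`); the following `ldap.open(...)`/`simple_bind_s()` has no timeout, so a host that accepts the connection but never answers the bind stalls the boot right here, and the probe socket is never closed. The bare `except Exception, e` also masks a non-numeric `ldapPort=` from `/proc/cmdline` (`int(port)` raises `ValueError`), after which the script falls through to the "none available, use first one" branch and still writes the unvalidated value to `temporary/ldap/port`, which the init scripts later pass unquoted as `-p $temporary_ldap_port`. I would validate the port before probing, narrow the handlers to `socket.error`/`ldap.LDAPError`, close the probe socket, and bound the bind with `ldap.OPT_NETWORK_TIMEOUT` (present in python-ldap 2.3+, so check the version shipped in the thin-client chroot) as sketched below. Note also that selection is by reachability alone: the first cmdline host that accepts an anonymous bind becomes the LDAP server for the rest of the boot, with no authentication of that server; that is presumably the intended trust model for PXE-booted thin clients, but it deserves a comment in the header of this script.
```python
def ldapAvailable (ip, port):
	# reject anything that is not a plain TCP port before it can reach int()
	if not port.isdigit() or not 0 < int(port) < 65536:
		return False

	# test ldap port
	try:
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.settimeout(1)
		s.connect((ip, int(port)))
		s.close()
	except socket.error:
		return False

	# try anonymous simple bind; bound the wait, the socket probe above does not cover this call
	try:
		lo = ldap.initialize('ldap://%s:%d' % (ip, int(port)))
		lo.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
		lo.simple_bind_s()
		lo.unbind_s()
	except ldap.LDAPError:
		return False

	return True
```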
usr/sbin/univention-find-ldapserver ___________________________________________________________________ Hinzugefügt: svn:executable + * Index: etc/init.d/thin-client-policies =================================================================== --- etc/init.d/thin-client-policies (Revision 26113) +++ etc/init.d/thin-client-policies (Revision 26115) @@ -51,6 +51,11 @@ var="${line%%=*}" val="${line#*=}" + # ignore ldap server policy + if [ "$var" == "univentionLDAPServer" ]; then + continue + fi + if [ -n "$var" ] && [ -n "$val" ]; then new_value=$(grep "$var=" /etc/univention/templates/mapping/* | head -n 1 | sed -e 's|.*=||;s|"||g') fi Index: etc/init.d/thin-client-network =================================================================== --- etc/init.d/thin-client-network (Revision 26113) +++ etc/init.d/thin-client-network (Revision 26115) @@ -86,7 +86,6 @@ read halt fi - else # NFS BOOT echo "(NFS) ... " >>/dev/tty3 2>&1 
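Review bot: `[ "$var" == "univentionLDAPServer" ]` uses the bash-only `==` operator; the script's interpreter line is outside this hunk, and under a POSIX `sh` such as dash `test` rejects `==` with an error, so the policy line would be processed instead of skipped. The portable form is `if [ "$var" = "univentionLDAPServer" ]; then`. The comment `# ignore ldap server policy` says what but not why; something like `# the LDAP server was chosen from /proc/cmdline by univention-find-ldapserver, a univentionLDAPServer policy must not override it` states the reason — that is my reading of the changelog entry, confirm it. The enclosing loop starts before this hunk.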
@@ -105,31 +104,43 @@ mymac=$(cat /sys/class/net/eth0/address) eval $(univention-config-registry shell thinclient/rollout/domainname \ thinclient/rollout/nameserver thinclient/rollout/ldap/base) - ldapServer=$(cat /proc/cmdline | grep ldapServer | sed -e 's|.*ldapServer=||;s| .*||') if [ -n "$thinclient_rollout_nameserver" ]; then nameserver="$thinclient_rollout_nameserver" fi + # dns-lookup failed - if [ -z "$fqn" -a -n "$ldapServer" ]; then - # get ldap basedn (1) from $thinclient_rollout_ldap_base - # (2) from ldapsearch namingContexts - if [ -n "$thinclient_rollout_ldap_base" ]; then - basedn="$thinclient_rollout_ldap_base" - else - basedn=$(ldapsearch -xLLL -h "$ldapServer" -s base -b '' + | ldapsearch-wrapper | \ - grep ^namingContexts: | awk -F ": " {'print $2'}) + if [ -z "$fqn" ]; then + + # save available ldap server from /proc/cmdline in temporary ucr var for later use + /usr/sbin/univention-find-ldapserver + searchedForLdap="true" + + eval "$(univention-config-registry shell temporary/ldap/server temporary/ldap/port)" + + if [ -n "$temporary_ldap_server" ]; then + # get ldap basedn (1) from $thinclient_rollout_ldap_base + # (2) from ldapsearch namingContexts + if [ -n "$thinclient_rollout_ldap_base" ]; then + basedn="$thinclient_rollout_ldap_base" + else + basedn=$(ldapsearch -xLLL -h "$temporary_ldap_server" -p $temporary_ldap_port \ + -s base -b '' + | ldapsearch-wrapper | \ + grep ^namingContexts: | awk -F ": " {'print $2'}) + fi + if [ -n "$basedn" ]; then + hostname=$(ldapsearch -xLLL -h "$temporary_ldap_server" -p $temporary_ldap_port \ + -b "$basedn" macAddress="$mymac" cn | \ + ldapsearch-wrapper | grep ^cn: | awk -F ": " {'print $2'}) + domainname=$(ldapsearch -xLLL -h "$temporary_ldap_server" -p $temporary_ldap_port \ + -b "$basedn" aRecord="$nameserver" \ + associatedDomain | ldapsearch-wrapper | grep ^associatedDomain: | \ + awk -F ": " {'print $2'}) + fi + if [ -n "$thinclient_rollout_domainname" ]; then + 
domainname="$thinclient_rollout_domainname" + fi + fqn="$hostname.$domainname" fi - if [ -n "$basedn" ]; then - hostname=$(ldapsearch -xLLL -h "$ldapServer" -b "$basedn" macAddress="$mymac" cn | \ - ldapsearch-wrapper | grep ^cn: | awk -F ": " {'print $2'}) - domainname=$(ldapsearch -xLLL -h "$ldapServer" -b "$basedn" aRecord="$nameserver" \ - associatedDomain | ldapsearch-wrapper | grep ^associatedDomain: | \ - awk -F ": " {'print $2'}) - fi - if [ -n "$thinclient_rollout_domainname" ]; then - domainname="$thinclient_rollout_domainname" - fi - fqn="$hostname.$domainname" fi fi @@ -163,5 +174,11 @@ # bring up the loopback device ifup lo +if [ -z "$searchedForLdap" ]; then + # save available ldap server from /proc/cmdline in temporary ucr var for later use + /usr/sbin/univention-find-ldapserver +fi + + log_action_end_msg 0 Index: etc/init.d/thin-client-ldap =================================================================== --- etc/init.d/thin-client-ldap (Revision 26113) +++ etc/init.d/thin-client-ldap (Revision 26115) 
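Review bot: The three new `ldapsearch` invocations quote `-h "$temporary_ldap_server"` but pass `-p $temporary_ldap_port` bare, and both values now originate from `/proc/cmdline` via univention-find-ldapserver rather than from local configuration; a port value containing whitespace or glob characters is split or expanded before it reaches ldapsearch. Quote it consistently, `-p "$temporary_ldap_port"`, on all three lines. More broadly, these queries decide this client's `hostname` and `domainname` through anonymous (`-x`) plaintext searches against whichever cmdline host answered first, and the hunk neither requests StartTLS (`-ZZ`) nor checks that `temporary_ldap_port` is non-empty before using it; if that trust model is deliberate for PXE-booted thin clients, a comment above the `if [ -n "$temporary_ldap_server" ]` line saying so would save the next reader the question. The enclosing NFS-boot `else` branch begins outside this hunk.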
@@ -31,13 +31,15 @@ log_action_msg "Setting up Thin Client LDAP configuration" -eval $(univention-baseconfig shell hostname domainname nameserver1 interfaces/eth0/address interfaces/eth0/netmask interfaces/eth0/network) -ldapServer=$(cat /proc/cmdline | grep ldapServer | sed -e 's|.*ldapServer=||;s| .*||') -if [ -n "$ldapServer" ]; then - ldapPort=$(cat /proc/cmdline | grep ldapPort | sed -e 's|.*ldapPort=||;s| .*||') - if [ -z "$ldapPort" ]; then - ldapPort=389 - fi + +eval $(univention-baseconfig shell hostname domainname nameserver1 interfaces/eth0/address interfaces/eth0/netmask interfaces/eth0/network temporary/ldap/server temporary/ldap/port temporary/ldap/addition) + +# available ldap server in /proc/cmdline was already searched in thin-client-network +# and saved in temporary ucr var temporary/ldap/server and temporary/ldap/port +if [ -n "$temporary_ldap_server" ]; then + ldapServer="$temporary_ldap_server" + ldapPort="$temporary_ldap_port" + ldapServerAddition="$temporary_ldap_addition" else # searching ldap server for this subnet res=$(/usr/bin/dns-lookup _ldap._tcp.$domainname srv | \ @@ -114,6 +116,14 @@ mac_address=$(ip link show eth0 | grep link/ether | sed 's/.*link\/ether \([0-9a-f:]*\) .*/\1/') hostdn=$(ldapsearch -x -h $ldapServer -p $ldapPort -b $ldapBase "(&(macAddress=${mac_address})(objectClass=univentionThinClient))" -LLL dn | ldapsearch-wrapper | sed -ne 's/dn: //p') -univention-config-registry set ldap/server/name=$ldapServer ldap/port=$ldapPort ldap/base=$ldapBase ldap/hostdn="$hostdn" ldap/mydn="$hostdn" nsswitch/ldap=yes >>/dev/tty3 2>&1 +univention-config-registry set \ + ldap/server/name=$ldapServer \ + ldap/port=$ldapPort \ + ldap/base=$ldapBase \ + ldap/hostdn="$hostdn" \ + ldap/mydn="$hostdn" \ + ldap/server/addition="$ldapServerAddition" \ + nsswitch/ldap=yes \ + >>/dev/tty3 2>&1 log_action_end_msg 0 Eigenschaftsänderungen: . ___________________________________________________________________ Gelöscht: svn:mergeinfo
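Review bot: In the reflowed `univention-config-registry set`, only `ldap/hostdn`, `ldap/mydn` and the new `ldap/server/addition="$ldapServerAddition"` are quoted; `ldap/server/name=$ldapServer`, `ldap/port=$ldapPort` and `ldap/base=$ldapBase` remain subject to word splitting and globbing, and `ldapServer`/`ldapPort` now come from `temporary/ldap/*` (the kernel cmdline) instead of the DNS SRV fallback. Since the command was rewritten anyway, quote every assignment: `ldap/server/name="$ldapServer" \`, `ldap/port="$ldapPort" \`, `ldap/base="$ldapBase" \`. The context line `hostdn=$(ldapsearch -x -h $ldapServer -p $ldapPort -b $ldapBase ...)` just above has the same quoting gap and feeds both `ldap/hostdn` and `ldap/mydn`, so a garbled or empty result silently sets both to an empty dn with no check in this hunk.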