Attachment #4060 for bug #22190

(-)univention-thin-client-basesystem.info (+4 lines)

Lines 6-11	Link Here

Type: file

Type: file

File: etc/libnss-ldap.conf

File: etc/libnss-ldap.conf

Variables: ldap/server/addition

Variables: ldap/server/name

Type: file

Type: file

File: etc/nsswitch.conf

File: etc/nsswitch.conf

Lines 24-29	Link Here

Type: file

Type: file

File: etc/ldap/ldap.conf

File: etc/ldap/ldap.conf

Variables: ldap/server/name

Variables: ldap/server/addition

Type: file

Type: file

File: etc/resolv.conf

File: etc/resolv.conf




univention-thin-client-basesystem (9.1.3-1) unstable; urgency=low

  * merged changed from customer scope Ticket: #2011041210005499

 -- Felix Botner <botner@univention.de>  Mon, 15 Aug 2011 16:32:20 +0200

univention-thin-client-basesystem (9.1.2-2) unstable; urgency=low

  * run univention-find-ldapserver at the end of thin-client-network
    Ticket #2011030710000906 

 -- Felix Botner <botner@univention.de>  Wed, 13 Apr 2011 16:08:00 +0200

univention-thin-client-basesystem (9.1.2-1) unstable; urgency=low

  * ignore ldap server policy univentionLDAPServer Ticket #2011030710000906 

 -- Felix Botner <botner@univention.de>  Mon, 11 Apr 2011 14:51:39 +0200

univention-thin-client-basesystem (9.1.1-1) unstable; urgency=low

  * added univention-find-ldapserver into tc' chroot 
    Ticket #2011030710000906

 -- Felix Botner <botner@univention.de>  Mon, 11 Apr 2011 11:25:48 +0200

univention-thin-client-basesystem (9.1.0-1) unstable; urgency=low

  * support multiple ldap server in /proc/cmdline
  * support ldap/server/addition in thin client config
    and init scripts Ticket #2011030710000906

 -- Felix Botner <botner@univention.de>  Thu, 07 Apr 2011 11:28:38 +0200

univention-thin-client-basesystem (9.0.19-1) unstable; urgency=low

  * Only run join script in postinst on dc master and dc backup (Bug




# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#SASL_REALM @%@kerberos/realm@%@
TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem

@!@
print "HOST %s" % baseConfig.get('ldap/server/name', "") + " " + baseConfig.get('ldap/server/addition', "")
print "BASE %s" % baseConfig.get('ldap/base', "")
print "#SASL_MECH GSSAPI"
print "#SASL_REALM @%@kerberos/realm@%@"
@!@

(-)conffiles/etc/libnss-ldap.conf (-4 / +6 lines)

Lines 1-4	Link Here

host @%@ldap/server/name@%@

@!@

base @%@ldap/base@%@

print "host %s" % baseConfig.get('ldap/server/name', "") + " " + baseConfig.get('ldap/server/addition', "")

ldap_version 3

print "base %s" % baseConfig.get('ldap/base', "")

#ssl start_tls

print "ldap_version 3"

print "#ssl start_tls"

@!@




#!/usr/bin/python2.4
#
# Univention Client Basesystem
#  helper script finding the ldap server for a thin client
#
# Copyright 2011 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

import ldap
import socket
import os
import re
import sys
import univention.config_registry

LDAP_OLD_CMDLINE = re.compile('.*ldapServer=([^ "]+).*')
LDAP_NEW_CMDLINE = re.compile('.*ldapServer="([^"]+)".*')
LDAP_PORT = re.compile('.*ldapPort=([^ ]+).*')
SOURCE = "/proc/cmdline"

def setTemporaryVarsAndExit (server, port, addition):

	if server: univention.config_registry.handler_set(['temporary/ldap/server=%s' % server])
	if addition: univention.config_registry.handler_set(['temporary/ldap/addition=%s' % " ".join(addition)])
	if port: univention.config_registry.handler_set(['temporary/ldap/port=%s' % port])

	sys.exit(0)

def ldapAvailable (ip, port):

	# test ldap port
	try:
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.settimeout(1)
		s.connect((ip, int(port)))
	except Exception, e:
		return False

	# try simple bind
	try:
		lo = ldap.open(ip, port=int(port))
		lo.simple_bind_s()
	except Exception, e:
		return False

	return True

server = ""
servers = []
port = "389"

fh = open(SOURCE, "r")
for line in fh.readlines():

	line = line.rstrip('\n')

	# old cmdline style
	match = LDAP_OLD_CMDLINE.match(line)
	if match:
		server = match.group(1)

	# new style
	match = LDAP_NEW_CMDLINE.match(line)
	if match:
		servers = match.group(1).split(" ")

	# port
	match = LDAP_PORT.match(line)
	if match:
		port = match.group(1)
fh.close()

if server:
	setTemporaryVarsAndExit(server, port, [])

if servers:
	
	servers.reverse()
	addServer = []

	# test ldap servers
	while servers:
		server = servers.pop()
		if ldapAvailable(server, port):
			untested = servers
			untested.reverse()
			addServer = untested + addServer
			setTemporaryVarsAndExit(server, port, addServer)
		else:
			addServer.append(server)

	# multiple servers found but none available,
	# use first one
	server = addServer[0]
	del addServer[0]
	setTemporaryVarsAndExit(server, port, addServer)
  + *

(-)etc/init.d/thin-client-policies (+5 lines)

Lines 51-56	Link Here

	var="${line%%=*}"

	var="${line%%=*}"

	val="${line#*=}"

	val="${line#*=}"

	# ignore ldap server policy

	if [ "$var" == "univentionLDAPServer" ]; then

		continue

fi

	if [ -n "$var" ] && [ -n "$val" ]; then

	if [ -n "$var" ] && [ -n "$val" ]; then

		new_value=$(grep "$var=" /etc/univention/templates/mapping/* | head -n 1 | sed -e 's|.*=||;s|"||g')

		new_value=$(grep "$var=" /etc/univention/templates/mapping/* | head -n 1 | sed -e 's|.*=||;s|"||g')

fi

fi




		read
		halt
	fi

else
	# NFS BOOT
	echo "(NFS) ... " >>/dev/tty3 2>&1

	mymac=$(cat /sys/class/net/eth0/address)
	eval $(univention-config-registry shell thinclient/rollout/domainname \
		thinclient/rollout/nameserver thinclient/rollout/ldap/base)
	ldapServer=$(cat /proc/cmdline | grep ldapServer | sed -e 's|.*ldapServer=||;s| .*||')
	if [ -n "$thinclient_rollout_nameserver" ]; then
		nameserver="$thinclient_rollout_nameserver"
	fi

	# dns-lookup failed
	if [ -z "$fqn" ]; then

		# save available ldap server from /proc/cmdline in temporary ucr var for later use
		/usr/sbin/univention-find-ldapserver
		searchedForLdap="true"
		
		eval "$(univention-config-registry shell temporary/ldap/server temporary/ldap/port)"

		if [ -n "$temporary_ldap_server" ]; then
			# get ldap basedn (1) from $thinclient_rollout_ldap_base
			# (2) from ldapsearch namingContexts
			if [ -n "$thinclient_rollout_ldap_base" ]; then
				basedn="$thinclient_rollout_ldap_base"
			else
				basedn=$(ldapsearch -xLLL -h "$temporary_ldap_server" -p $temporary_ldap_port \
					-s base -b '' + | ldapsearch-wrapper | \
					grep ^namingContexts: | awk -F ": " {'print $2'})
			fi
			if [ -n "$basedn" ]; then
				hostname=$(ldapsearch -xLLL -h "$temporary_ldap_server" -p $temporary_ldap_port \
					-b "$basedn" macAddress="$mymac" cn | \
					ldapsearch-wrapper | grep ^cn:  | awk -F ": " {'print $2'})
				domainname=$(ldapsearch -xLLL -h "$temporary_ldap_server" -p $temporary_ldap_port \
					-b "$basedn" aRecord="$nameserver" \
					associatedDomain | ldapsearch-wrapper | grep ^associatedDomain: | \
					awk -F ": " {'print $2'})
			fi
			if [ -n "$thinclient_rollout_domainname" ]; then
				domainname="$thinclient_rollout_domainname"
			fi
			fqn="$hostname.$domainname"
		fi
		if [ -n "$basedn" ]; then
			hostname=$(ldapsearch -xLLL -h "$ldapServer" -b "$basedn" macAddress="$mymac" cn | \
				ldapsearch-wrapper | grep ^cn:  | awk -F ": " {'print $2'})
			domainname=$(ldapsearch -xLLL -h "$ldapServer" -b "$basedn" aRecord="$nameserver" \
				associatedDomain | ldapsearch-wrapper | grep ^associatedDomain: | \
				awk -F ": " {'print $2'})
		fi
		if [ -n "$thinclient_rollout_domainname" ]; then
			domainname="$thinclient_rollout_domainname"
		fi
		fqn="$hostname.$domainname"
	fi
fi


# bring up the loopback device
ifup lo

if [ -z "$searchedForLdap" ]; then
	# save available ldap server from /proc/cmdline in temporary ucr var for later use
	/usr/sbin/univention-find-ldapserver
fi


log_action_end_msg 0


(-)etc/init.d/thin-client-ldap (-8 / +18 lines)

Lines 31-43	Link Here

log_action_msg "Setting up Thin Client LDAP configuration"

log_action_msg "Setting up Thin Client LDAP configuration"

eval $(univention-baseconfig shell hostname domainname nameserver1 interfaces/eth0/address interfaces/eth0/netmask interfaces/eth0/network)

ldapServer=$(cat /proc/cmdline | grep ldapServer | sed -e 's|.*ldapServer=||;s| .*||')

eval $(univention-baseconfig shell hostname domainname nameserver1 interfaces/eth0/address interfaces/eth0/netmask interfaces/eth0/network temporary/ldap/server temporary/ldap/port temporary/ldap/addition)

if [ -n "$ldapServer" ]; then

	ldapPort=$(cat /proc/cmdline | grep ldapPort | sed -e 's|.*ldapPort=||;s| .*||')

# available ldap server in /proc/cmdline was already searched in thin-client-network

	if [ -z "$ldapPort" ]; then

# and saved in temporary ucr var temporary/ldap/server and temporary/ldap/port

		ldapPort=389

if [ -n "$temporary_ldap_server" ]; then

fi

	ldapServer="$temporary_ldap_server"

	ldapPort="$temporary_ldap_port"

	ldapServerAddition="$temporary_ldap_addition"

else

else

	# searching ldap server for this subnet

	# searching ldap server for this subnet

	res=$(/usr/bin/dns-lookup _ldap._tcp.$domainname srv | \

	res=$(/usr/bin/dns-lookup _ldap._tcp.$domainname srv | \

Lines 114-119	Link Here

114

mac_address=$(ip link show eth0 | grep link/ether | sed 's/.*link\/ether \([0-9a-f:]*\) .*/\1/')

116

mac_address=$(ip link show eth0 | grep link/ether | sed 's/.*link\/ether \([0-9a-f:]*\) .*/\1/')

115

hostdn=$(ldapsearch -x -h $ldapServer -p $ldapPort -b $ldapBase "(&(macAddress=${mac_address})(objectClass=univentionThinClient))" -LLL dn | ldapsearch-wrapper | sed -ne 's/dn: //p')

117

hostdn=$(ldapsearch -x -h $ldapServer -p $ldapPort -b $ldapBase "(&(macAddress=${mac_address})(objectClass=univentionThinClient))" -LLL dn | ldapsearch-wrapper | sed -ne 's/dn: //p')

116

118

117

univention-config-registry set ldap/server/name=$ldapServer ldap/port=$ldapPort ldap/base=$ldapBase ldap/hostdn="$hostdn" ldap/mydn="$hostdn" nsswitch/ldap=yes >>/dev/tty3 2>&1

119

univention-config-registry set \

120

	ldap/server/name=$ldapServer \

121

	ldap/port=$ldapPort \

122

	ldap/base=$ldapBase \

123

	ldap/hostdn="$hostdn" \

124

	ldap/mydn="$hostdn" \

125

	ldap/server/addition="$ldapServerAddition" \

126

	nsswitch/ldap=yes \

127

	>>/dev/tty3 2>&1

118

128

119

log_action_end_msg 0

129

log_action_end_msg 0

Return to bug 22190