From 26d73164fda350f8853f393a806a1accf90c1844 Mon Sep 17 00:00:00 2001
Message-Id: <26d73164fda350f8853f393a806a1accf90c1844.1536671687.git.hahn@univention.de>
From: Philipp Hahn
Date: Tue, 11 Sep 2018 15:10:43 +0200
Subject: [PATCH] Bug #47781: Make time for password change check configurable
Organization: Univention GmbH, Bremen, Germany
---
 .../conffiles/etc/cron.d/univention-server-backup | 2 +-
 .../conffiles/etc/cron.d/univention-server-master | 2 +-
 .../conffiles/etc/cron.d/univention-server-member | 2 +-
 .../conffiles/etc/cron.d/univention-server-slave | 2 +-
 base/univention-server/debian/changelog | 6 ++++++
 ...-role-server-common.univention-config-registry-variables | 6 ++++++
 .../debian/univention-server-backup.postinst | 1 +
 .../debian/univention-server-master.postinst | 1 +
 .../debian/univention-server-member.postinst | 1 +
 .../debian/univention-server-slave.postinst | 1 +
 doc/errata/staging/univention-server.yaml | 13 +++++++++++++
 11 files changed, 33 insertions(+), 4 deletions(-)
 create mode 100644 doc/errata/staging/univention-server.yaml
diff --git a/base/univention-server/conffiles/etc/cron.d/univention-server-backup b/base/univention-server/conffiles/etc/cron.d/univention-server-backup
index 562a639887..2ce8c456c9 100644
--- a/base/univention-server/conffiles/etc/cron.d/univention-server-backup
+++ b/base/univention-server/conffiles/etc/cron.d/univention-server-backup
@@ -1,4 +1,4 @@
 @%@UCRWARNING=# @%@
 PATH=/usr/sbin:/usr/bin:/sbin:/bin
- 0 1 * * * root /usr/sbin/jitter 600 /usr/lib/univention-server/server_password_change
+@%@server/password/cron@%@ root /usr/sbin/jitter 600 /usr/lib/univention-server/server_password_change
diff --git a/base/univention-server/conffiles/etc/cron.d/univention-server-master b/base/univention-server/conffiles/etc/cron.d/univention-server-master
index 562a639887..2ce8c456c9 100644
--- a/base/univention-server/conffiles/etc/cron.d/univention-server-master
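Review bot: The new schedule line `@%@server/password/cron@%@ root /usr/sbin/jitter 600 …` in `cron.d/univention-server-backup` is substituted verbatim, so an unset, empty or malformed `server/password/cron` would most likely render a line cron cannot parse, and the machine-account password check would then stop running without anyone noticing; the same line is added to the `-master`, `-member` and `-slave` templates. Consider rendering the line from an inline Python section with a fallback such as `configRegistry.get('server/password/cron', '0 1 * * *')`, or rejecting values that do not have exactly five time fields. In addition, no `*.univention-config-registry` info file appears in the diffstat, so unless the existing `File:` entries already match this variable, `ucr set server/password/cron=…` will not re-render the cron files; adding `Variables: server/password/cron` to each entry would cover that.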
+++ b/base/univention-server/conffiles/etc/cron.d/univention-server-master
@@ -1,4 +1,4 @@
 @%@UCRWARNING=# @%@
 PATH=/usr/sbin:/usr/bin:/sbin:/bin
- 0 1 * * * root /usr/sbin/jitter 600 /usr/lib/univention-server/server_password_change
+@%@server/password/cron@%@ root /usr/sbin/jitter 600 /usr/lib/univention-server/server_password_change
diff --git a/base/univention-server/conffiles/etc/cron.d/univention-server-member b/base/univention-server/conffiles/etc/cron.d/univention-server-member
index 562a639887..2ce8c456c9 100644
--- a/base/univention-server/conffiles/etc/cron.d/univention-server-member
+++ b/base/univention-server/conffiles/etc/cron.d/univention-server-member
@@ -1,4 +1,4 @@
 @%@UCRWARNING=# @%@
 PATH=/usr/sbin:/usr/bin:/sbin:/bin
- 0 1 * * * root /usr/sbin/jitter 600 /usr/lib/univention-server/server_password_change
+@%@server/password/cron@%@ root /usr/sbin/jitter 600 /usr/lib/univention-server/server_password_change
diff --git a/base/univention-server/conffiles/etc/cron.d/univention-server-slave b/base/univention-server/conffiles/etc/cron.d/univention-server-slave
index 562a639887..2ce8c456c9 100644
--- a/base/univention-server/conffiles/etc/cron.d/univention-server-slave
+++ b/base/univention-server/conffiles/etc/cron.d/univention-server-slave
@@ -1,4 +1,4 @@
 @%@UCRWARNING=# @%@
 PATH=/usr/sbin:/usr/bin:/sbin:/bin
- 0 1 * * * root /usr/sbin/jitter 600 /usr/lib/univention-server/server_password_change
+@%@server/password/cron@%@ root /usr/sbin/jitter 600 /usr/lib/univention-server/server_password_change
diff --git a/base/univention-server/debian/changelog b/base/univention-server/debian/changelog
index cc45e8640a..50559eeeed 100644
--- a/base/univention-server/debian/changelog
+++ b/base/univention-server/debian/changelog
@@ -1,3 +1,9 @@
+univention-server (13.0.0-7) unstable; urgency=low
+
+ * Bug #47781: Make time for password change check configurable
+
+ -- Philipp Hahn Tue, 11 Sep 2018 15:06:25 +0200
+
 univention-server (13.0.0-6) unstable; urgency=low
 * Bug #47581: improved check when to trigger OX schema issue cleanup
diff --git a/base/univention-server/debian/univention-role-server-common.univention-config-registry-variables b/base/univention-server/debian/univention-role-server-common.univention-config-registry-variables
index 95bb506267..4ebe530911 100644
--- a/base/univention-server/debian/univention-role-server-common.univention-config-registry-variables
+++ b/base/univention-server/debian/univention-role-server-common.univention-config-registry-variables
@@ -3,3 +3,9 @@ Description[de]=Das Password des Maschinenkontos (gespeichert in /etc/machine.se
 Description[en]=The password of the machine account is renewed regularly. This variable configures the rotation interval in days.
 Type=int
 Categories=system-base
+
+[server/password/cron]
+Description[de]=Das Zeitpunkt für die Übperprüfung des Maschinenkontos auf Erneuerung. Die Konfiguration erfolgt in Cron-Syntax, siehe 'man 5 crontab'
+Description[en]=The point in time for checking the machine account for renewal. The configuration is done in Cron syntax, see 'man 5 crontab'.
+Type=str
+Categories=service-ldap
diff --git a/base/univention-server/debian/univention-server-backup.postinst b/base/univention-server/debian/univention-server-backup.postinst
index 9aaf85720a..7179f99f21 100644
--- a/base/univention-server/debian/univention-server-backup.postinst
+++ b/base/univention-server/debian/univention-server-backup.postinst
@@ -35,6 +35,7 @@ ldap/server/port?7389
 ldap/server/type?slave
 server/password/interval?21
 server/role=domaincontroller_backup
+server/password/cron?0 1 * * *
 __UCR__
 mkdir -p /var/lib/samba/netlogon/scripts/
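Review bot: The German description in the new `[server/password/cron]` section has two typos (`Das Zeitpunkt`, `Übperprüfung`) and lacks the closing full stop that the English text has; suggested wording: `Description[de]=Der Zeitpunkt für die Überprüfung des Maschinenkontos auf Erneuerung. Die Konfiguration erfolgt in Cron-Syntax, siehe 'man 5 crontab'.`. `Categories=service-ldap` also differs from the `Categories=system-base` of the neighbouring password variable visible in the context lines; if that is not intended, use the same category so both settings are listed together. Both descriptions could additionally state that only the five time fields are expected, because the value ends up unchanged in a cron file that runs the job as root.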
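Review bot: The default `server/password/cron?0 1 * * *` added to `univention-server-backup.postinst` contains spaces and bare `*` characters, and the command that consumes this `__UCR__` here-document starts outside the hunk. If that consumer word-splits its input (for example an `xargs` call without a newline delimiter, or an unquoted expansion), only `server/password/cron?0` would be stored or the asterisks could be expanded against the working directory, and the rendered cron entry for the password check would be broken. Please confirm that each `key?value` line is passed as a single argument and verify with `ucr get server/password/cron` after installation; the same line is added to the `-master`, `-member` and `-slave` postinst scripts. As a style point, placing the entry next to `server/password/interval?21` would keep the list sorted.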
diff --git a/base/univention-server/debian/univention-server-master.postinst b/base/univention-server/debian/univention-server-master.postinst
index 699df93fe7..1bc827b6a8 100644
--- a/base/univention-server/debian/univention-server-master.postinst
+++ b/base/univention-server/debian/univention-server-master.postinst
@@ -38,6 +38,7 @@ ldap/server/port?7389
 ldap/server/type=master
 server/password/interval?21
 server/role=domaincontroller_master
+server/password/cron?0 1 * * *
 __UCR__
 mkdir -p /var/lib/samba/netlogon/scripts/
diff --git a/base/univention-server/debian/univention-server-member.postinst b/base/univention-server/debian/univention-server-member.postinst
index 8bf01d6787..ef97d9276d 100644
--- a/base/univention-server/debian/univention-server-member.postinst
+++ b/base/univention-server/debian/univention-server-member.postinst
@@ -35,6 +35,7 @@ samba/share/home?no
 samba/share/netlogon?no
 server/password/interval?21
 server/role=memberserver
+server/password/cron?0 1 * * *
 __UCR__
 #DEBHELPER#
diff --git a/base/univention-server/debian/univention-server-slave.postinst b/base/univention-server/debian/univention-server-slave.postinst
index 6d80837d3f..3e93931cb7 100644
--- a/base/univention-server/debian/univention-server-slave.postinst
+++ b/base/univention-server/debian/univention-server-slave.postinst
@@ -35,6 +35,7 @@ ldap/server/port?7389
 ldap/server/type?slave
 server/password/interval?21
 server/role=domaincontroller_slave
+server/password/cron?0 1 * * *
 __UCR__
 #DEBHELPER#
diff --git a/doc/errata/staging/univention-server.yaml b/doc/errata/staging/univention-server.yaml
new file mode 100644
index 0000000000..9a0fee8a4c
--- /dev/null
+++ b/doc/errata/staging/univention-server.yaml
@@ -0,0 +1,13 @@
+product: ucs
+release: "4.3"
+version: [2]
+scope: ucs_4.3-0-errata4.3-2
+src: univention-server
+fix:
+desc: |
+ This update addresses the following issue:
+ * The machine account password is changed by default every 21 days. That
+ check is by default performed nightly a 01:00 by a cron job. That point of
+ time can now be configured through the new UCRV variable
+ 'server/password/cron'.
+bug: [47781]
--
2.11.0