#!/bin/bash
# Copyright (C) 2023 Pädagogisches Landesinstitut Rheinland-Pfalz
# Copyright (C) 2023 Mike Gabriel
# Copyright (C) 2023 Daniel Teichmann
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the
# Free Software Foundation, Inc.,
# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

# postinst script for debian-edu-router-plugin.ldap-connector
#
# see: dh_installdeb(1)
#
# What this script does (on `configure' or when triggered):
#   1. reads the plugin's debconf answers (LDAP URI, bind settings, group
#      names/base DNs, certificate handling, DNS servers, auto-refresh),
#   2. optionally installs the LDAP server's CA or end-entity certificate
#      (only when INSTALL_SSLCERTS_LDAP is set in the environment),
#   3. renders the sbin helper scripts and squid snippets from templates,
#   4. writes the root-only ldap.conf + bind secret for the ldapsearch
#      wrapper and the group-to-ACL matching file sourced by other tools,
#   5. switches the filterlist auto-refresh timer/cron job on or off.
#
# Environment variables honoured here (all read-only from this script's
# point of view, presumably exported by the loginmenu; none is validated):
#   INSTALL_SSLCERTS_LDAP, D_E_R_LOGINMENU, CONFIGURE_ONLY, D_E_R_DEBUG,
#   FORCE_SWITCH_REFRESH_FILTERLISTS.
#
# NOTE(review): most error paths below end in `exit 0`, i.e. the package is
# reported as successfully configured even though the LDAP connector was
# left unconfigured. Presumably deliberate (avoids a half-installed
# package state), but operators only learn about it from the log output.

set -e

# confmodule re-executes this script under the debconf frontend; a failure
# to load it is fatal (255), unlike the other error paths in this file.
. /usr/share/debconf/confmodule || exit 255

if [ -e /etc/debian-edu/router.conf ]; then
    source /etc/debian-edu/router.conf
fi

# Product naming; router.conf (sourced above) may pre-set these.
PRODUCTNAME="${PRODUCTNAME:-"Debian Edu Router"}"
PRODUCTNAME_PLUGIN_SUFFIX="${PRODUCTNAME_PLUGIN_SUFFIX:-"Plugin"}"
PRODUCTNAME_PLUGIN="${PRODUCTNAME_PLUGIN:-"${PRODUCTNAME} ${PRODUCTNAME_PLUGIN_SUFFIX}: LDAP+AD Connector"}"
# Not referenced in this file; possibly used by the sourced common file.
PRODUCTVERSION=$(dpkg-query --show --showformat='${Version}' "${DPKG_MAINTSCRIPT_PACKAGE}" 2>/dev/null || echo "UNKNOWN")

db_title "${PRODUCTNAME_PLUGIN}"

common_file="/usr/share/debian-edu-router/debian-edu-router.common"

# Load common functions, variables and stuff.
# Everything below relies on helpers that are NOT defined in this file and
# are assumed to come from here: *_log, parse_ldap_uri, manage_unit,
# find_proxy_group_type, is_address_v4/v6, is_pem_format,
# convert_certificate_to_pem (sets CONVERT_CERTIFICATE_TO_PEM_RESULT) and
# the ${cyan}/${green} colour variables.
if [ -s "$common_file" ]; then
    source "$common_file"
else
    # NOTE(review): exits 0, so dpkg treats the package as configured
    # although nothing below has run.
    echo "Could not load common file at "$common_file"."
    exit 0;
fi

db_version 2.0
# `escape` capability: values returned by db_get may arrive
# backslash-escaped (newlines, backslashes). The `echo -e` calls in
# process_services_answers look like the intended un-escaping step;
# confirm against the debconf-devel(7) description before changing them.
db_capb backup escape

# summary of how this script can be called:
#        * `configure'
#        * `abort-upgrade'
#        * `abort-remove' `in-favour'
#
#        * `abort-remove'
#        * `abort-deconfigure' `in-favour'
#          `removing'
#
# for details, see https://www.debian.org/doc/debian-policy/ or
# the debian-policy package
#
# NOTE(review): the dispatch at the bottom of this file only accepts
# `configure' and `triggered'; the abort-* invocations listed above reach
# the "unknown argument" branch and exit 1.

# Scratch directories for a config backup and (in debug mode) for keeping
# generated-but-broken config files. mktemp -d creates them mode 0700.
# NOTE(review): there is no `trap ... EXIT` in this file, so both
# directories are left behind under $TMPDIR on every run.
CONFIG_BACKUP_DIR="$(mktemp -d --suffix -debian-edu-router-plugin.ldap-connector_CONFIG_BACKUP)"
DEBUG_CONFIG_DIR="$(mktemp -d --suffix -debian-edu-router-plugin.ldap-connector_DEBUG_CONFIG)"

# Where (root or intermediate) CA certificate should be stored at.
CA_CERT_FILE="/var/lib/debian-edu-router/certs/D-E-R-P.L-C_LDAP_CA.crt"
# Root-only ldap.conf for the ldapsearch wrapper (written mode 0600).
LDAP_CONFIG_FILE="/etc/debian-edu-router/ldap.d/ldap_d-e-r-p.l-c.conf"
# Simple-bind password file (written root:proxy, mode 0640).
LDAP_SECRET_FILE="/etc/debian-edu-router/ldap.d/ldap_d-e-r-p.l-c.secret"
# Shell snippet (sourced elsewhere) mapping proxy groups to LDAP groups/paths.
LDAP_GROUP_MATCHING_CFG_FILE="/etc/debian-edu-router/ldap.d/ldap-groups-to-squid-acl-matching.sh"

# Load LDAP Connector dialog answers
# Every db_get is followed by `|| true` so a missing/unset question does
# not abort the script under `set -e`; the variable then holds whatever
# RET was left as (debconf sets it to the empty string on failure).
db_get debian-edu-router-plugin.ldap-connector/ldap-connector-enabled || true
ldap_connector_enabled="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-uri || true
ldap_uri="${RET}"
parse_ldap_uri # ldap_port and ldap_host

db_get debian-edu-router-plugin.ldap-connector/ldap-base || true
ldap_base="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-user-searchfilter || true
ldap_user_searchfilter="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-auth-type || true
ldap_auth_type="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-binddn || true
ldap_binddn="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-mech || true
ldap_sasl_mech="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-realm || true
ldap_sasl_realm="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-authcid || true
ldap_sasl_authcid="${RET}"

# The bind password stays in this shell variable for the whole run; with
# `set -x` or a debug trace it would end up in the log.
db_get debian-edu-router-plugin.ldap-connector/ldap-bindpw || true
ldap_bindpw="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-authzid || true
ldap_sasl_authzid="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-secprops || true
ldap_sasl_secprops="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-krb5-ccname || true
ldap_sasl_krb5_ccname="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-starttls || true
ldap_starttls="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-reqcert || true
ldap_reqcert="${RET}"

# One of "manually", "ee-cert", "ca-cert" (see install_ssl_certificates).
db_get debian-edu-router-plugin.ldap-connector/ldap-install-cert-type || true
ldap_install_cert_type="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-cacertfile || true
ldap_cacertfile="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-dns-servers || true
ldap_dns_servers="${RET}"

# Answer owned by the content-filter plugin; merged with ours below.
db_get debian-edu-router-plugin.content-filter/dns-servers || true
content_filter_dns_servers="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-refresh-filterlists || true
ldap_refresh_filterlists="${RET}"

# Proxy*{Client, User}: LDAP GROUP TYPES
# Deliberately unquoted: the answer is a whitespace-separated list and is
# split into an array here.
db_get debian-edu-router-plugin.ldap-connector/ldap-groups-type-nisNetgroup || true
ldap_groups_type_nisNetgroup=( ${RET} )

db_get debian-edu-router-plugin.ldap-connector/ldap-groups-type-group || true
ldap_groups_type_group=( ${RET} )

db_get debian-edu-router-plugin.ldap-connector/ldap-groups-type-groupOfNames || true
ldap_groups_type_groupOfNames=( ${RET} )

db_get debian-edu-router-plugin.ldap-connector/ldap-groups-type-posixGroup || true
ldap_groups_type_posixGroup=( ${RET} )

# GROUPS NAME: Clients (used for nisNetgroup, group and groupOfNames)
# The lower-cased variable names matter: fill_ld_matching_cfg_file builds
# "ldap_group_name_${proxy_group,,}" and reads them by indirection.
db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyTrustedClient || true
ldap_group_name_proxytrustedclient="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyAllowClient || true
ldap_group_name_proxyallowclient="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyDenyClient || true
ldap_group_name_proxydenyclient="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyBlacklistClient || true
ldap_group_name_proxyblacklistclient="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyWhitelistClient || true
ldap_group_name_proxywhitelistclient="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyNoauthClient || true
ldap_group_name_proxynoauthclient="${RET}"

# GROUPS NAME: Users (used for nisNetgroup, posixGroup, group and groupOfNames)
db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyTrustedUser || true
ldap_group_name_proxytrusteduser="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyAllowUser || true
ldap_group_name_proxyallowuser="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyDenyUser || true
ldap_group_name_proxydenyuser="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyBlacklistUser || true
ldap_group_name_proxyblacklistuser="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-name-ProxyWhitelistUser || true
ldap_group_name_proxywhitelistuser="${RET}"

# List of proxy groups whose members are searched below a dedicated base
# DN; matched case-insensitively by substring in fill_ld_matching_cfg_file.
db_get debian-edu-router-plugin.ldap-connector/ldap-groups-search-via-base-dn || true
ldap_groups_search_via_base_dn="${RET}"

# GROUPS BASE DN: Clients (used for Search-via-BaseDN only)
db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyTrustedClient || true
ldap_group_base_dn_proxytrustedclient="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyAllowClient || true
ldap_group_base_dn_proxyallowclient="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyDenyClient || true
ldap_group_base_dn_proxydenyclient="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyBlacklistClient || true
ldap_group_base_dn_proxyblacklistclient="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyWhitelistClient || true
ldap_group_base_dn_proxywhitelistclient="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyNoauthClient || true
ldap_group_base_dn_proxynoauthclient="${RET}"

# GROUPS BASE DN: Users (used for Search-via-BaseDN only)
db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyTrustedUser || true
ldap_group_base_dn_proxytrusteduser="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyAllowUser || true
ldap_group_base_dn_proxyallowuser="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyDenyUser || true
ldap_group_base_dn_proxydenyuser="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyBlacklistUser || true
ldap_group_base_dn_proxyblacklistuser="${RET}"

db_get debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyWhitelistUser || true
ldap_group_base_dn_proxywhitelistuser="${RET}"

# Write $LDAP_GROUP_MATCHING_CFG_FILE: a shell snippet declaring, per proxy
# group, its LDAP group type, LDAP group name, filterlist path and (when
# selected) base DN, plus the merged DNS server list.
# Globals read:  LDAP_GROUP_MATCHING_CFG_FILE, PRODUCTNAME_PLUGIN,
#                ldap_group_name_*, ldap_group_base_dn_* (by indirection),
#                ldap_groups_search_via_base_dn, ldap_dns_servers,
#                content_filter_dns_servers
# Globals written: ALL_PROXY_GROUPS
# Outputs: overwrites the matching file; log lines via *_log
# NOTE(review): the values are pasted into the generated shell file
# unescaped (see the echo lines below); a `"` or `$` in a group name or
# base DN breaks, or changes the meaning of, the file when it is sourced.
function fill_ld_matching_cfg_file() {
    local FILTERLISTS_PATH="/var/lib/debian-edu-router/filterlists.d"
    local FILTERLISTS_SUFFIX=".ldap"

    # `1>` truncates; every later write appends.
    echo "#" 1> "${LDAP_GROUP_MATCHING_CFG_FILE}"
    echo "# $PRODUCTNAME_PLUGIN" >> "${LDAP_GROUP_MATCHING_CFG_FILE}"
    echo "#" >> "${LDAP_GROUP_MATCHING_CFG_FILE}"
    echo "# THIS FILE MAY GET OVERWRITTEN. Please reconfigure this plugin" >> "${LDAP_GROUP_MATCHING_CFG_FILE}"
    echo "# using the loginmenu or via 'dpkg-reconfigure debian-edu-router-plugin.ldap-connector'." >> "${LDAP_GROUP_MATCHING_CFG_FILE}"

    # Trailing commas are part of each element and are stripped in the loop.
    ALL_PROXY_GROUPS=(
        ProxyTrustedClient,
        ProxyAllowClient,
        ProxyDenyClient,
        ProxyDenyUser,
        ProxyBlacklistClient,
        ProxyWhitelistClient,
        ProxyNoauthClient,
        ProxyTrustedUser,
        ProxyAllowUser,
        ProxyBlacklistUser,
        ProxyWhitelistUser
    )

    # String builder for the ALL_PROXY_GROUPS=( ... ) line of the generated
    # file; written with `echo -e` at the end so the \t and \\ take effect.
    local all_proxy_groups_sb="ALL_PROXY_GROUPS=("
    for proxy_group in "${ALL_PROXY_GROUPS[@]}"; do
        local proxy_group="$(tr -d ',' <<< ${proxy_group})" # Remove trailing ','
        # These are the NAMES of the variables we want to read from using parameter expansion (hence var_ prefix).
        # NOTE: This is the same for the for-loop below.
        local var_ldap_group_name="ldap_group_name_${proxy_group,,}"
        local var_ldap_group_base_dn="ldap_group_base_dn_${proxy_group,,}"
        # find_proxy_group_type comes from the common file; an empty result
        # means the admin did not pick an LDAP group type for this group.
        local proxy_group_type="$( find_proxy_group_type "${proxy_group}" )"
        if [[ -z "${proxy_group_type}" ]]; then
            warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping."
            echo "# Proxy group '${proxy_group}' was left unselected/unconfigured." >> "${LDAP_GROUP_MATCHING_CFG_FILE}"
            echo >> "${LDAP_GROUP_MATCHING_CFG_FILE}"
            # NOTE(review): as rendered here the entries are joined by a
            # space, not a newline. If the original literal really has no
            # newline before the `#`, this comment marker swallows the rest
            # of the ALL_PROXY_GROUPS=( ... ) line, including the closing
            # `)`, whenever one group is unconfigured — confirm against the
            # upstream source (a line break inside the string would fix it).
            all_proxy_groups_sb="${all_proxy_groups_sb} # $(printf "%-21s" "\"${proxy_group}\"")\t\t\\"
            continue
        else
            all_proxy_groups_sb="${all_proxy_groups_sb} $(printf "%-24s" "\"${proxy_group}\"")\t\t\\"
        fi
        debug_log "Selecting LDAP group type '$proxy_group_type' for proxy group '${proxy_group}'."
        # ${!var_...} is indirect expansion: the value of the variable whose
        # name is stored in var_ldap_group_name / var_ldap_group_base_dn.
        echo "ProxyGroupsTypes[\"${proxy_group}\"]=\"${proxy_group_type}\"" >> "${LDAP_GROUP_MATCHING_CFG_FILE}"
        echo "ProxyGroupLDGrpNames[\"${proxy_group}\"]=\"${!var_ldap_group_name}\"" >> "${LDAP_GROUP_MATCHING_CFG_FILE}"
        echo "ProxyGroupsPaths[\"${proxy_group}\"]=\"${FILTERLISTS_PATH}/${proxy_group}${FILTERLISTS_SUFFIX}\"" >> "${LDAP_GROUP_MATCHING_CFG_FILE}"
        # Substring match, so e.g. "ProxyAllowUser" in the answer also
        # matches nothing else here, but "User" alone would match several.
        if echo "${ldap_groups_search_via_base_dn}" | grep -qiF "${proxy_group}"; then
            echo "ProxyGroupsBaseDNs[\"${proxy_group}\"]=\"${!var_ldap_group_base_dn}\"" >> "${LDAP_GROUP_MATCHING_CFG_FILE}"
        fi
        echo >> "${LDAP_GROUP_MATCHING_CFG_FILE}"
    done
    all_proxy_groups_sb="${all_proxy_groups_sb} )\n"
    echo -e "${all_proxy_groups_sb}" >> "${LDAP_GROUP_MATCHING_CFG_FILE}"

    # Merge our DNS servers with the content-filter plugin's; unquoted on
    # purpose so the whitespace-separated answers are split into elements.
    local dns_servers=()
    dns_servers+=(${ldap_dns_servers})
    dns_servers+=(${content_filter_dns_servers})
    # Remove duplicates.
    # Assigning a string to an array variable stores it in element 0, which
    # is what ${dns_servers} below expands to.
    dns_servers="$(echo "${dns_servers[@]}" | tr ' ' '\n' | sort | uniq | tr '\n' ' ' | sed -e 's/[[:space:]]*$//')"
    echo "LDAP_DNS_SERVERS=(${dns_servers})" >> "${LDAP_GROUP_MATCHING_CFG_FILE}"

    debug_log "Wrote $(cat "${LDAP_GROUP_MATCHING_CFG_FILE}" | wc -l) lines to LDAP_GROUP_MATCHING_CFG_FILE at '${LDAP_GROUP_MATCHING_CFG_FILE}'."
}

# Copy the previous ldap client config into $CONFIG_BACKUP_DIR.
# Globals read: CONFIG_BACKUP_DIR
# NOTE(review): the file is stored below etc/ldap-connector/conf.d/, but
# restore_config_backup looks for it below etc/ldap/ — the two paths do not
# match, so a restore would silently copy nothing (the cp there is
# `|| true`). restore_config_backup is also never called from this file.
function create_config_backup() {
    # mktemp -d already created the directory 0700; this re-applies it.
    chmod -R 0700 "${CONFIG_BACKUP_DIR}"
    # Creating a backup of old d-e-r config files.
    # FIXME: Add files:
    # - $LDAP_GROUP_MATCHING_CFG_FILE
    # - $LDAP_SECRET_FILE
    # - $LDAP_CONFIG_FILE
    mkdir -p ${CONFIG_BACKUP_DIR}/etc/ldap-connector/conf.d/
    # Failure (e.g. first install, nothing to back up) is ignored.
    cp /etc/ldap/ldap_d-e-r.conf ${CONFIG_BACKUP_DIR}/etc/ldap-connector/conf.d/ &> /dev/null || true
}

# Roll back to the backed-up ldap client config and exit 1.
# Arguments: $1 - name of the service whose restart failed (log text only)
# Globals read: D_E_R_DEBUG, DEBUG_CONFIG_DIR, CONFIG_BACKUP_DIR, cyan, green
# Never returns.
# NOTE(review): not called anywhere in this file (see create_config_backup
# for the path mismatch as well).
function restore_config_backup() {
    error_log "New configuration for '$1' failed while restarting the service."
    error_log "Restoring configuration backup now..."
    if [ -n "${D_E_R_DEBUG}" ]; then
        # In debug mode keep the broken files for inspection instead of
        # deleting them.
        config_files=( "/etc/ldap" )
        for conf_file in "${config_files[@]}"; do
            mkdir -p "${DEBUG_CONFIG_DIR}/$conf_file"
            # Move new and broken conf files into tmp folder.
            mv -v "$conf_file"/ldap_d-e-r.conf "${DEBUG_CONFIG_DIR}$conf_file" || true
        done
        debug_log "Generated config files are now located at: '${cyan}${DEBUG_CONFIG_DIR}${green}'."
    else
        # Delete new and broken d-e-r config files.
        rm -fv /etc/ldap/ldap_d-e-r.conf || true
        debug_log "Generated config files were purged from the system."
    fi
    # Copying old and hopefully working d-e-r config files.
    cp -fv ${CONFIG_BACKUP_DIR}/etc/ldap/ldap_d-e-r.conf /etc/ldap/ || true
    debug_log "Old config files are installed again."
    # Hopefully everything should be alright now.
    exit 1
}

# Best-effort connectivity check against the configured LDAP host; only
# logs, never fails the script.
# Globals read: ldap_host, ldap_uri, ldap_install_cert_type,
#               ldap_cacertfile, ldap_reqcert, LDAP_CONFIG_FILE,
#               LDAP_SECRET_FILE
# NOTE(review): the check starts with an ICMP echo; a host that is
# reachable on the LDAP port but drops ping is reported as unreachable and
# the ldapsearch test is skipped.
function validate_working_ldap_connection() {
    if ! ping -c1 "$ldap_host" > /dev/null; then
        error_log "Connection to LDAP host '$ldap_host' could not be established!"
        # Check if $ldap_host is in /etc/hosts and is not an IP address, to give this tip.
        # `getent hosts` without a key enumerates the hosts database; the
        # awk program exits 0 only if some field equals $ldap_host.
        if ! getent hosts | awk -v host="$ldap_host" '{for(i=1;i<=NF;i++){if($i==host){print $i;e=1}}}END{exit !e}'; then
            if ! is_address_v4 "$ldap_host" && ! is_address_v6 "$ldap_host"; then
                error_log "Please add the IP address of your LDAP host '$ldap_host' to /etc/hosts."
                error_log "Finally reconfigure the debian-edu-router-plugin.ldap-connector package afterwards."
            fi
        fi
        return
    fi
    if test_ldap_connection; then
        notice_log "Detected working LDAP connection."
        return
    fi
    if [ "$ldap_install_cert_type" != "manually" ]; then
        error_log "Could not establish working LDAP connection!"
        error_log "Debugging information:"
        error_log " - LDAP SSL certificate obtaining behavior is: '$ldap_install_cert_type'."
        error_log " - LDAP SSL CA certificate store is: '$ldap_cacertfile'."
        if [ "$ldap_install_cert_type" = "ee-cert" ] && [[ "${ldap_reqcert}" = "try" || "${ldap_reqcert}" = "demand" ]]; then
            error_log " - installed LDAP EE certificate file to:"
            error_log " - $ldap_cacertfile"
        fi
        error_log " - Used LDAP uri: $ldap_uri"
        error_log " - Is the certificate even issued for $ldap_host?"
        error_log " - ldapsearch-wrapper used: /usr/sbin/debian-edu-router_ldapsearch"
        error_log " - ldapsearch-wrapper user config: $LDAP_CONFIG_FILE"
        error_log " - ldapsearch-wrapper user secrets: $LDAP_SECRET_FILE"
    else
        error_log "A connection to the LDAP server could not be established!"
        error_log "Loading clients or users from LDAP won't be possible, until fixed."
    fi
}

# Obtain the LDAP server's CA certificate via a site-provided "bonding"
# script and add it to the system trust store.
# Globals read:    CA_CERT_FILE, CONVERT_CERTIFICATE_TO_PEM_RESULT
# Globals written: BONDING_SCRIPTS, bonding_script, TMP_ERR, CERT,
#                  CA_CERT_FILE, ldap_cacertfile (+ the debconf answer)
# Exits 0 on any failure (see file header note); returns on success.
# Security notes (grounded in the calls below):
#  - the alphabetically last executable *.sh in $BONDING_SCRIPTS is run as
#    root, so that directory must remain package-/root-controlled;
#  - test_x509_certificate only checks that the file parses as X.509; the
#    update-ca-certificates call then makes whatever the bonding script
#    returned a trusted CA for every TLS client on this host, not just for
#    ldapsearch. Treat the bonding script as the trust anchor.
function install_ldap_ca_certificate() {
    BONDING_SCRIPTS="/usr/share/debian-edu-router/ldap-connector/ca-cert-bonding-scripts/"
    mkdir -p "$BONDING_SCRIPTS"
    # Select the last one (alphanum sorted).
    bonding_script="$(find "$BONDING_SCRIPTS" -maxdepth 1 -name "*.sh" -type f -executable | sort | tail -n1)"
    # NOTE(review): `-z` (empty string) && `-s` (non-empty file of that
    # name) can never both hold, so this guard is dead; with no script
    # found, the `"$bonding_script"` call below runs an empty command and
    # the failure is only caught by the `$? -ne 0` branch.
    if [ -z "${bonding_script}" ] && [ -s "${bonding_script}" ]; then
        error_log "Could not find any CA certificate bonding script at $BONDING_SCRIPTS."
        exit 0
    fi
    set +e # Do not exit, if script returned non-zero.
    TMP_ERR="$(mktemp)"
    # Script output on stdout is the certificate; stderr is kept for logs.
    CERT="$("$bonding_script" 2> "$TMP_ERR")"
    if [[ "$?" -ne 0 || -z "$CERT" ]]; then
        error_log "Could not execute CA certificate bonding script at:"
        error_log "$bonding_script"
        error_log "Errors from bonding script (stderr):"
        error_log "$(cat "$TMP_ERR")"
        error_log ""
        error_log "Certificate returned by bonding script:"
        error_log "$CERT"
        error_log ""
        # NOTE(review): $TMP_ERR is not removed on this path.
        exit 0
    fi
    rm -f "$TMP_ERR"
    set -e
    echo "$CERT" > "$CA_CERT_FILE"
    if ! is_pem_format "${CA_CERT_FILE}"; then
        # convert_certificate_to_pem reports the resulting path via
        # CONVERT_CERTIFICATE_TO_PEM_RESULT; the global is re-pointed to it.
        convert_certificate_to_pem "${CA_CERT_FILE}"
        CA_CERT_FILE="${CONVERT_CERTIFICATE_TO_PEM_RESULT}"
    fi
    if ! test_x509_certificate "${CA_CERT_FILE}"; then
        error_log "Failed to verify certificate, which was obtained by bonding script:"
        error_log "$bonding_script"
        error_log "Certificate returned by bonding script:"
        error_log "$CERT"
        error_log ""
        rm -rf "${CA_CERT_FILE}"
        exit 0
    fi
    # Installs every certificate in that directory system-wide.
    update-ca-certificates --localcertsdir "/var/lib/debian-edu-router/certs/"
    # Reset $ldap_cacertfile question, to ensure that ldapsearch uses
    # /etc/ssl/certs/ca-certificates.crt as the CA cert store even in the next
    # reconfigures.
    db_set debian-edu-router-plugin.ldap-connector/ldap-cacertfile "/etc/ssl/certs/ca-certificates.crt"
    ldap_cacertfile="/etc/ssl/certs/ca-certificates.crt"
}

# $1: Name of file to install certificate to.
# $ldap_uri, $ldap_host and $ldap_port must be set.
# Fetches the server's end-entity (leaf) certificate over the wire and
# stores it as the file ldap.conf will later use as TLS_CACERT — i.e. a
# trust-on-first-use pin of whatever the network returned at install time.
# Globals written: CERT
# Exits 0 on failure; returns on success.
function install_ldap_end_entity_certificate() {
    local ee_cert_file
    ee_cert_file="$1"
    debug_log "Trying to download SSL EE certificate from LDAP server '$ldap_host:$ldap_port'."
    # Fetch using openssl directly from the server (strip useless info away).
    # Make sure it's signed with the servername the $ldap_uri uses.
    # In other words: If $ldap_uri is something like ldaps://randomhost.intern:636 and
    # the server answers with a certificate that is NOT issued for 'randomhost.intern', abort.
    #
    # NOTE(review): the next line is garbled in the copy reviewed here — the
    # `$(` is never closed and the pipeline/redirection between
    # `2>/dev/null` and `"${ee_cert_file}"` is missing (most likely lost
    # `<`/`>` characters). Restore it from the upstream source. As visible,
    # `-servername` only sets SNI; whether the issued-for check promised by
    # the comment above happens in the missing part cannot be told here.
    CERT="$(openssl s_client -connect $ldap_host:$ldap_port -servername $ldap_host 2>/dev/null "${ee_cert_file}"
    if ! is_pem_format "${ee_cert_file}"; then
        convert_certificate_to_pem "${ee_cert_file}"
        ee_cert_file="${CONVERT_CERTIFICATE_TO_PEM_RESULT}"
    fi
    if ! test_x509_certificate "${ee_cert_file}"; then
        warning_log "Failed to verify downloaded SSL EE certificate!"
        warning_log "Certificate returned:"
        warning_log "$CERT"
        warning_log ""
        rm -rf "${ee_cert_file}"
        exit 0;
    fi
    # Reached only after the parse check, so an empty file would already
    # have failed above; kept as a belt-and-braces check.
    if ! [[ -s "${ee_cert_file}" ]]; then
        error_log "Could not get LDAP end-entity certificate from LDAP server using URI: '$ldap_uri'."
        error_log "Please make sure that the LDAP server ($ldap_host) is reachable on port '$ldap_port' and works as expected."
        rm -f "${ee_cert_file}"
        exit 0;
    fi
}

# Dispatch on $ldap_install_cert_type: verify a manually managed CA file,
# fetch the server's EE certificate, or run the CA bonding script.
# Globals read:    ldap_reqcert, ldap_install_cert_type, ldap_cacertfile,
#                  ldap_host, ldap_port
# Globals written: ldap_cacertfile (ee-cert and ca-cert cases)
# NOTE(review): the "manually" branch ends in `exit 0` on success, which
# ends the whole postinst — main's later steps (template rendering,
# process_services_answers, refresh-timer handling) do not run on that
# path. Confirm this is intended.
function install_ssl_certificates() {
    debug_log "We got called by the loginmenu, checking if CA certificates can be installed..."
    # Make sure SSL cert should be requested and checked before installing any certificates.
    if [ "${ldap_reqcert}" != "try" ] && [ "${ldap_reqcert}" != "demand" ]; then
        notice_log "Skipping installation of certificates, since they are not requested/checked anyway."
        return
    fi
    if [ "$ldap_install_cert_type" = "manually" ]; then
        notice_log "LDAP SSL CA or EE certificate is managed manually."
        notice_log "The certificate should be stored at: '$ldap_cacertfile'."
        if test_x509_certificate "${ldap_cacertfile}"; then
            notice_log "Installing LDAP SSL CA (certificate-authority) certificate succeeded."
        else
            error_log "Installing LDAP SSL CA from file failed (not a valid SSL certificate): '${ldap_cacertfile}'."
            exit 1
        fi
        exit 0
    fi
    if [ "$ldap_install_cert_type" = "ee-cert" ]; then
        # The fetched leaf certificate becomes the TLS_CACERT of ldap.conf.
        ldap_cacertfile="/usr/share/debian-edu-router/ldap-connector/LDAP-server_end-entity.crt"
        install_ldap_end_entity_certificate "$ldap_cacertfile" # Won't return, if failure.
        notice_log "Installing LDAP SSL EE (end-entity) certificate succeeded."
    elif [ "$ldap_install_cert_type" = "ca-cert" ]; then
        # The two arguments are not used by install_ldap_ca_certificate.
        install_ldap_ca_certificate "$ldap_host" "$ldap_port" # Won't return, if failure.
        notice_log "Installing LDAP SSL CA (certificate-authority) certificate succeeded."
    else
        error_log "Unknown behavior for LDAP certificate installation: '$ldap_install_cert_type'."
        exit 0;
    fi
}

# Apply the filterlist auto-refresh setting: with
# FORCE_SWITCH_REFRESH_FILTERLISTS set, first TOGGLE the debconf answer
# (ldap_refresh_filterlists is then the state to flip away from, see
# check_plugin_enabled), then enable or disable the systemd timer/service
# or, without systemd, the cron job.
# Globals read:    FORCE_SWITCH_REFRESH_FILTERLISTS, ldap_refresh_filterlists,
#                  PRODUCTNAME_PLUGIN
# Globals written: ldap_refresh_filterlists_then, ldap_refresh_filterlists
# NOTE(review): the ON marker is written to .../d-e-r-p.c-f/ while the OFF
# branch removes it from .../d-e-r-p.l-c/; the two directories differ
# (c-f looks like the content-filter plugin's), so the marker is never
# removed by this function and the loginmenu may keep showing "ON".
function check_ldap_refresh_filterlists() {
    if [ -n "$FORCE_SWITCH_REFRESH_FILTERLISTS" ]; then
        db_get debian-edu-router-plugin.ldap-connector/ldap-refresh-filterlists
        ldap_refresh_filterlists_then="${RET}"
        if [ "$ldap_refresh_filterlists" = "true" ]; then
            if [ "$ldap_refresh_filterlists_then" = "true" ]; then
                notice_log "Switching LDAP filterlists auto-refresh tasks off."
                db_set debian-edu-router-plugin.ldap-connector/ldap-refresh-filterlists false
            fi
            rm -f /var/lib/debian-edu-router/d-e-r-p.l-c/autorefresh_LDAP_filterlists.enabled
        else
            if [ "$ldap_refresh_filterlists_then" = "false" ]; then
                notice_log "Switching LDAP filterlists auto-refresh tasks on."
                db_set debian-edu-router-plugin.ldap-connector/ldap-refresh-filterlists true
            fi
            echo "# This file indicates that the blacklists auto-refresh task is turned ON. (Used in loginmenu)" > \
                /var/lib/debian-edu-router/d-e-r-p.c-f/autorefresh_LDAP_filterlists.enabled
        fi
        # Re-read the (possibly toggled) answer; it drives the block below.
        db_get debian-edu-router-plugin.ldap-connector/ldap-refresh-filterlists
        ldap_refresh_filterlists="${RET}"
    fi
    if [ "$ldap_refresh_filterlists" = "true" ]; then
        if [ -d /run/systemd/system ]; then # Checks if systemd is available.
            notice_log "Enabling systemd service for auto-refreshing LDAP filterlists."
            manage_unit enable squid_d-e-r_refresh-ldap-filterlists.service
            manage_unit enablenow squid_d-e-r_refresh-ldap-filterlists.timer
            rm -fv /etc/cron.d/d-e-r-p.l-c_refresh-ldap-filterlists || true
        else
            notice_log "Enabling auto-refreshing filterlists cron job (for now)."
            cp -v /usr/share/debian-edu-router/templates/cron.d/d-e-r-p.l-c_refresh-ldap-filterlists /etc/cron.d/
        fi
    else
        warning_log "LDAP filterlists auto-refreshing is disabled!"
        notice_log "To update filterlists manually from LDAP, execute '/usr/sbin/debian-edu-router_refresh-ldap-filterlists'."
        notice_log "or just open the loginmenu and press 'r' in the ${PRODUCTNAME_PLUGIN} submenu."
        manage_unit disablenow squid_d-e-r_refresh-ldap-filterlists.service
        manage_unit disablenow squid_d-e-r_refresh-ldap-filterlists.timer
        rm -f /etc/cron.d/d-e-r-p.l-c_refresh-ldap-filterlists || true
    fi
}

# Returns the exit status of one search through the ldapsearch wrapper.
# NOTE(review): `-x` is ldapsearch's simple-bind flag; if the wrapper passes
# it through unchanged, SASL configurations are not what this test
# exercises — confirm against the wrapper template.
function test_ldap_connection() {
    debian-edu-router_ldapsearch -x > /dev/null
    return $?
}

# $1 x509 certificate in PEM format.
# Returns 0 if openssl can parse $1 as an X.509 certificate. This is a
# syntax check only: no chain, trust, hostname or expiry validation (the
# text dump goes to stdout as a side effect).
function test_x509_certificate() {
    if openssl x509 -dates -in "$1" -nocert -text -certopt no_sigdump,no_pubkey; then
        return 0
    else
        return 1
    fi
}

# Write the root-only ldap.conf ($LDAP_CONFIG_FILE), the bind secret
# ($LDAP_SECRET_FILE, simple auth only) and, via fill_ld_matching_cfg_file,
# the group matching snippet.
# Globals read: LDAP_CONFIG_FILE, LDAP_SECRET_FILE, PRODUCTNAME_PLUGIN,
#               ldap_base, ldap_uri, ldap_reqcert, ldap_cacertfile,
#               ldap_auth_type, ldap_binddn, ldap_bindpw, ldap_sasl_*
# Globals written: config_file_content
# Secrets handling as written: the config file is chown/chmod'ed before any
# content is written; the secret file likewise, and only the password goes
# into it. For non-GSSAPI SASL the password is additionally written (as a
# commented `#BINDPW` line) into the 0600 config file.
function process_services_answers() {
    #
    # LDAP client configuration (ldap-connector service)
    #
    # There are some user-only options like 'BINDDN'. This means we can't use a systemwide
    # config in /etc/ldap/. Instead we use a root-user-only solution.
    # Call ldapsearch with debian-edu-router_ldapsearch wrapper.
    # https://www.openldap.org/software/man.cgi?query=ldap.conf
    mkdir -p "$(dirname $LDAP_CONFIG_FILE)" || true # Just to be extra sure.
    mkdir -p "$(dirname $LDAP_SECRET_FILE)" || true # Just to be extra sure.
    # Initialize file with right permissions before writing secret stuff to it.
    touch "${LDAP_CONFIG_FILE}"
    chown root:root "${LDAP_CONFIG_FILE}"
    chmod 0600 "${LDAP_CONFIG_FILE}"
    echo "###" 1> "${LDAP_CONFIG_FILE}"
    echo "### $PRODUCTNAME_PLUGIN" >> "${LDAP_CONFIG_FILE}"
    echo "###" >> "${LDAP_CONFIG_FILE}"
    echo >> "${LDAP_CONFIG_FILE}"
    echo "### DON'T MODIFY THIS FILE, CHANGES MAY GET OVERWRITTEN!" >> "${LDAP_CONFIG_FILE}"
    echo "### Run dpkg-reconfigure 'debian-edu-router-plugin.ldap-connector' instead." >> "${LDAP_CONFIG_FILE}"
    echo >> "${LDAP_CONFIG_FILE}"
    # `<<-` strips leading tabs from the here-document.
    config_file_content=$( cat <<- ENDOFMESSAGE
	BASE ${ldap_base}
	URI ${ldap_uri}
	# https://www.openldap.org/doc/admin26/limits.html
	# Please submit bug report, if you believe these values should be revisited.
	SIZELIMIT size.soft=4000
	SIZELIMIT size.hard=5000
	TIMELIMIT time.soft=600
	TIMELIMIT time.hard=3600
	#DEREF never
	# TLS certificates (needed for GnuGLTS)
	TLS_REQCERT ${ldap_reqcert}
	ENDOFMESSAGE
    )
    # `echo -e` everywhere below: interprets backslash escapes in the values
    # (see the db_capb escape note near the top). A DN containing a literal
    # backslash sequence is affected too — presumably acceptable, verify.
    echo -e "$config_file_content" >> "${LDAP_CONFIG_FILE}"
    if [ "${ldap_reqcert}" != "never" ] && [ -e ${ldap_cacertfile} ]; then
        echo -e "TLS_CACERT ${ldap_cacertfile}" >> "${LDAP_CONFIG_FILE}"
    fi
    echo >> "${LDAP_CONFIG_FILE}"
    if [ "${ldap_auth_type}" = "simple" ]; then
        echo -e "BINDDN ${ldap_binddn}" >> "${LDAP_CONFIG_FILE}"
        echo -e "# The bind password is located at ${LDAP_SECRET_FILE}." >> "${LDAP_CONFIG_FILE}"
        # Permissions are fixed before the password is written, so the
        # secret is never in a file with looser permissions.
        touch "${LDAP_SECRET_FILE}"
        chown root:proxy "${LDAP_SECRET_FILE}"
        chmod 0640 "${LDAP_SECRET_FILE}"
        # NOTE(review): `echo -n` misbehaves for a password that is exactly
        # "-e"/"-E"/"-n"; `printf '%s'` would not.
        echo -n "${ldap_bindpw}" 1> "${LDAP_SECRET_FILE}"
    elif [ "${ldap_auth_type}" = "SASL" ]; then
        echo -e "# SASL options #" >> "${LDAP_CONFIG_FILE}"
        echo -e "SASL_MECH ${ldap_sasl_mech}" >> "${LDAP_CONFIG_FILE}"
        echo -e "SASL_REALM ${ldap_sasl_realm}" >> "${LDAP_CONFIG_FILE}"
        if [ "${ldap_sasl_mech}" != "GSSAPI" ]; then
            echo -e "SASL_AUTHCID ${ldap_sasl_authcid}" >> "${LDAP_CONFIG_FILE}"
            # Plaintext password in the (0600, root-only) config file.
            echo -e "#BINDPW ${ldap_bindpw}" >> "${LDAP_CONFIG_FILE}"
        else
            echo -e "SASL_AUTHZID ${ldap_sasl_authzid}" >> "${LDAP_CONFIG_FILE}"
            echo -e "#KRB5_CCNAME ${ldap_sasl_krb5_ccname}" >> "${LDAP_CONFIG_FILE}"
        fi
        if [ -n "${ldap_sasl_secprops}" ]; then
            echo -e "SASL_SECPROPS ${ldap_sasl_secprops}" >> "${LDAP_CONFIG_FILE}"
        fi
    fi
    fill_ld_matching_cfg_file
}

# Create any missing .ldap filter lists from the header template; existing
# (admin-maintained) lists are left untouched.
function prepare_squid_filterlists() {
    # Prepare empty .ldap filter lists for being maintained by site admins.
    for filterlist in ProxyNoauthClient.ldap \
                      ProxyTrustedClient.ldap \
                      ProxyAllowClient.ldap \
                      ProxyDenyClient.ldap \
                      ProxyBlacklistClient.ldap \
                      ProxyWhitelistClient.ldap \
                      ProxyTrustedUser.ldap \
                      ProxyAllowUser.ldap \
                      ProxyDenyUser.ldap \
                      ProxyBlacklistUser.ldap \
                      ProxyWhitelistUser.ldap; do
        if [ ! -e "/var/lib/debian-edu-router/filterlists.d/${filterlist}" ]; then
            cp /usr/share/debian-edu-router/templates/ProxyHeader.ldap "/var/lib/debian-edu-router/filterlists.d/${filterlist}"
        fi
    done
}

# If the plugin is switched off: disable auto-refresh, remove the squid
# snippets and the .ldap filter lists, drop the "enabled" marker and exit 0.
# Otherwise write the marker and return.
# Globals read:    ldap_connector_enabled, D_E_R_LOGINMENU, CONFIGURE_ONLY,
#                  PRODUCTNAME_PLUGIN
# Globals written: ldap_refresh_filterlists, FORCE_SWITCH_REFRESH_FILTERLISTS
# NOTE(review): `rm -f .../filterlists.d/*.ldap` deletes the lists that the
# comment in prepare_squid_filterlists describes as maintained by site
# admins, and nothing backs them up first; disabling the plugin is
# therefore destructive for hand-edited lists.
function check_plugin_enabled() {
    if [ "$ldap_connector_enabled" = "false" ]; then
        if [ "${D_E_R_LOGINMENU}" = "true" ] && [ "$CONFIGURE_ONLY" != "ONOFF" ]; then
            error_log "$PRODUCTNAME_PLUGIN is turned off! Please re-enable it via 't', before retrying."
            exit 0
        fi
        # Force DISABLING auto-refreshing of LDAP filterlists.
        # "true" is the state to flip away from: with the FORCE switch set,
        # check_ldap_refresh_filterlists toggles the answer to false.
        ldap_refresh_filterlists="true"; FORCE_SWITCH_REFRESH_FILTERLISTS="true"
        check_ldap_refresh_filterlists
        # Remove our config files.
        rm -f /etc/debian-edu-router/squid-snippets.d/*d-e-r-p.l-c.conf || true
        # Disable user filterlists.
        rm -f /var/lib/debian-edu-router/filterlists.d/*.ldap || true
        prepare_squid_filterlists
        rm -f /var/lib/debian-edu-router/d-e-r-p.l-c/enabled
        notice_log "Deactivating ${PRODUCTNAME_PLUGIN}..."
        exit 0
    else
        echo "${PRODUCTNAME_PLUGIN} is enabled." > /var/lib/debian-edu-router/d-e-r-p.l-c/enabled
    fi
}

# Entry point for `configure' / `triggered'; see the file header for the
# sequence of steps.
# Globals read: INSTALL_SSLCERTS_LDAP, ldap_starttls, ldap_auth_type,
#               LDAP_CONFIG_FILE, LDAP_SECRET_FILE, PRODUCTNAME_PLUGIN,
#               ldap_dns_servers, ldap_uri, ldap_port, ldap_base,
#               ldap_binddn, ldap_user_searchfilter, CONFIG_BACKUP_DIR
# Globals written: ldap_starttls_arg, ldap_secret_file_arg,
#                  ldap_simple_bind_arg, sbin_templates_dir, executable,
#                  snippets_templates_dir, snippet
function main() {
    check_plugin_enabled # may never come back (exit 0)...
    if [ -n "$INSTALL_SSLCERTS_LDAP" ]; then
        install_ssl_certificates
    else
        debug_log "Skipping installation of CA certificates."
    fi
    # Prepare arguments to replace @@-strings in templates.
    ldap_starttls_arg=""
    if [ "$ldap_starttls" = "true" ]; then
        ldap_starttls_arg="-ZZZ"
    fi
    if [ "${ldap_auth_type}" = "simple" ]; then
        # NOTE(review): in plain ldapsearch `-W` prompts for the password
        # and `-y <file>` reads it from a file; how the rendered wrapper
        # interprets "-W <file>" must be checked against its template.
        ldap_secret_file_arg="-W ${LDAP_SECRET_FILE}"
        ldap_simple_bind_arg="-x"
    else
        ldap_secret_file_arg=""
        ldap_simple_bind_arg=""
    fi
    # Render /usr/sbin helper scripts from their *.in templates.
    # NOTE(review): the sed expressions below interpolate the debconf
    # answers unescaped. A `/` or `|` matching the delimiter, or an `&`
    # (sed: "whole match") in a value, corrupts the rendered file; LDAP
    # search filters in particular commonly contain `|` (OR filters), which
    # is the delimiter used for @LDAP_FILTER@ in the second loop.
    sbin_templates_dir="/usr/share/debian-edu-router/templates/sbin/d-e-r-p.l-c/"
    for executable_tpl in $(ls ${sbin_templates_dir}/*.in); do
        # Cut .in and .sh suffix
        executable="/usr/sbin/$(basename ${executable_tpl/.in/})"
        executable="/usr/sbin/$(basename ${executable/.sh/})"
        cp "${executable_tpl}" "${executable}"
        sed -i "${executable}" -e "s/@PRODUCTNAME@/${PRODUCTNAME_PLUGIN}/" \
            -e "s|@LDAP_SIMPLE_BIND_ARG@|${ldap_simple_bind_arg}|" \
            -e "s|@LDAP_CONFIG_FILE@|${LDAP_CONFIG_FILE}|" \
            -e "s|@LDAP_SECRET_FILE@|${LDAP_SECRET_FILE}|" \
            ${NULL}
        chmod +x "${executable}"
    done
    # Render the squid snippets; ${NULL} is an (unset) trailing no-op that
    # lets every real argument line end in a backslash.
    snippets_templates_dir="/usr/share/debian-edu-router/templates/squid/snippets.d/d-e-r-p.l-c/"
    for snippet_tpl in $(ls ${snippets_templates_dir}/*.in); do
        snippet="/etc/debian-edu-router/squid-snippets.d/$(basename ${snippet_tpl/.in/})"
        cp "${snippet_tpl}" "${snippet}"
        sed -i "${snippet}" -e "s/@PRODUCTNAME@/${PRODUCTNAME_PLUGIN}/" \
            -e "s/@DNS_SERVERS_LC@/${ldap_dns_servers}/" \
            -e "s|@LDAP_URI@|${ldap_uri}|" \
            -e "s|@LDAP_PORT@|${ldap_port}|" \
            -e "s|@LDAP_BASE@|${ldap_base}|" \
            -e "s|@LDAP_BINDDN@|${ldap_binddn}|" \
            -e "s|@LDAP_FILTER@|${ldap_user_searchfilter}|" \
            -e "s|@LDAP_STARTTLS_ARG@|${ldap_starttls_arg}|" \
            -e "s|@LDAP_SECRET_FILE_ARG@|${ldap_secret_file_arg}|" \
            ${NULL}
    done
    # Back up the previous ldap client config (create_config_backup also
    # re-applies 0700 on the backup directory).
    # NOTE(review): this runs after the helper scripts and snippets above
    # were already overwritten, and nothing in this file ever restores it.
    if [ -n "${CONFIG_BACKUP_DIR}" ]; then
        create_config_backup
    else
        error_log "\${CONFIG_BACKUP_DIR} is not initialized! Can't create backup!"
        exit 1
    fi
    prepare_squid_filterlists
    # process service settings and restart related services
    process_services_answers
    if [ -n "$INSTALL_SSLCERTS_LDAP" ]; then
        validate_working_ldap_connection
    else
        debug_log "Skipping check whether LDAP connection works."
    fi
    check_ldap_refresh_filterlists
    debug_log "Configuration of '$PRODUCTNAME_PLUGIN' finished."
}

# Dispatch. `triggered' (dpkg trigger, $2 = trigger name) is treated like
# `configure'. The `$( )` in the message is an empty command substitution
# and expands to nothing.
configure_package=""
if [[ "$1" == "triggered" ]]; then
    debug_log "Reconfiguring since trigger '$2' got activated. This $( )probably means, the admin reconfigures d-e-r-c currently."
    configure_package="true"
fi
# NOTE(review): abort-upgrade / abort-remove / abort-deconfigure land in
# the else branch and exit 1, which also makes the dh_installsystemd
# sections below unreachable for those calls.
if [[ "$1" == "configure" ]] || [[ "$configure_package" == "true" ]]; then
    main
else
    error_log "postinst called with unknown argument \`$1'" >&2
    exit 1
fi

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#
# NOTE(review): the generated sections enable and start/restart the
# refresh service and timer on every `configure', i.e. after
# check_ldap_refresh_filterlists may just have run `manage_unit disablenow`
# on them. Whether deb-systemd-helper/deb-systemd-invoke skip a unit that
# was disabled that way depends on their statefile/is-enabled handling —
# confirm that a disabled auto-refresh stays disabled after an upgrade.

# Automatically added by dh_installsystemd/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	# The following line should be removed in trixie or trixie+1
	deb-systemd-helper unmask 'squid_d-e-r_refresh-ldap-filterlists.service' >/dev/null || true

	# was-enabled defaults to true, so new installations run enable.
	if deb-systemd-helper --quiet was-enabled 'squid_d-e-r_refresh-ldap-filterlists.service'; then
		# Enables the unit on first installation, creates new
		# symlinks on upgrades if the unit file has changed.
		deb-systemd-helper enable 'squid_d-e-r_refresh-ldap-filterlists.service' >/dev/null || true
	else
		# Update the statefile to add new symlinks (if any), which need to be
		# cleaned up on purge. Also remove old symlinks.
		deb-systemd-helper update-state 'squid_d-e-r_refresh-ldap-filterlists.service' >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by dh_installsystemd/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	# The following line should be removed in trixie or trixie+1
	deb-systemd-helper unmask 'squid_d-e-r_refresh-ldap-filterlists.timer' >/dev/null || true

	# was-enabled defaults to true, so new installations run enable.
	if deb-systemd-helper --quiet was-enabled 'squid_d-e-r_refresh-ldap-filterlists.timer'; then
		# Enables the unit on first installation, creates new
		# symlinks on upgrades if the unit file has changed.
		deb-systemd-helper enable 'squid_d-e-r_refresh-ldap-filterlists.timer' >/dev/null || true
	else
		# Update the statefile to add new symlinks (if any), which need to be
		# cleaned up on purge. Also remove old symlinks.
		deb-systemd-helper update-state 'squid_d-e-r_refresh-ldap-filterlists.timer' >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by dh_installsystemd/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -d /run/systemd/system ]; then
		systemctl --system daemon-reload >/dev/null || true
		# $2 (previously configured version) is set on upgrades only.
		if [ -n "$2" ]; then
			_dh_action=restart
		else
			_dh_action=start
		fi
		deb-systemd-invoke $_dh_action 'squid_d-e-r_refresh-ldap-filterlists.service' 'squid_d-e-r_refresh-ldap-filterlists.timer' >/dev/null || true
	fi
fi
# End automatically added section

exit 0