Hello, This patch adds ipa-advise plugins to help configure legacy clients for access to trusted domain resources. For more details, please read the commit message. Plugins are currently named "config-redhat-sssd-before-1-9" and "config-generic-sssd-before-1-9"; suggestions for better names are welcome.
Plugin content heavily inspired by https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.
From 32cb59f102596f391226dd3106f91f406ea52659 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <[email protected]>
Date: Thu, 1 Aug 2013 14:12:39 +0200
Subject: [PATCH] Add ipa-advise plugins for legacy clients

Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed:
* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms
https://fedorahosted.org/freeipa/ticket/3671
---
 install/share/Makefile.am | 2 +
 install/share/pam.conf.template | 22 ++++++
 install/share/sssd.conf.template | 12 +++
 ipaserver/advise/plugins/legacy_clients.py | 117 +++++++++++++++++++++++++++++
 4 files changed, 153 insertions(+)
 create mode 100644 install/share/pam.conf.template
 create mode 100644 install/share/sssd.conf.template
 create mode 100644 ipaserver/advise/plugins/legacy_clients.py
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 1e56d2c530375c371cd5e66b4e83d2c13bc86e77..906f8a8b118ccd26bd19421047d14c09bec2f8f2 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -64,6 +64,8 @@ app_DATA = \
 copy-schema-to-ca.py \
 upload-cacert.ldif \
 sasl-mapping-fallback.ldif \
+ sssd.conf.template \
+ pam.conf.template \
 $(NULL)
 
 EXTRA_DIST = \
diff --git a/install/share/pam.conf.template b/install/share/pam.conf.template
new file mode 100644
index 0000000000000000000000000000000000000000..bdd91821eb6d8259d7f03a6eac78fc264b0cafa8
--- /dev/null
+++ b/install/share/pam.conf.template
@@ -0,0 +1,22 @@
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth sufficient pam_sss.so use_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so broken_shadow
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
diff --git a/install/share/sssd.conf.template b/install/share/sssd.conf.template
new file mode 100644
index 0000000000000000000000000000000000000000..764e853a42edd913d0a8138202b1fdd055ff2ff4
--- /dev/null
+++ b/install/share/sssd.conf.template
@@ -0,0 +1,12 @@
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = default
+re_expression = (?P<name>.+)
+
+[domain/default]
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldap://$IPA_SERVER_HOSTNAME
+ldap_search_base = cn=compat,$BASE_DN
diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
new file mode 100644
index 0000000000000000000000000000000000000000..00b310bf42157e3084c3d3b6fc281c91df018724
--- /dev/null
+++ b/ipaserver/advise/plugins/legacy_clients.py
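Review bot: The `uid >= 500` (auth) and `uid < 500` (account) cut-offs in the new pam.conf.template hard-code the older Red Hat system-account boundary, yet this template is only emitted by the generic plugin, whose example package manager is apt-get; on those platforms regular accounts typically start at 1000, so local accounts in the 500–999 range would be routed to pam_sss for authentication and exempted from the pam_sss account check. Consider making the boundary a substitution variable (for example `uid >= $UID_MIN`) filled in by the plugin, or have the plugin's "Configure PAM" comment tell the admin to adjust the value to the local UID_MIN.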
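Review bot: The [domain/default] section in the new sssd.conf.template combines `auth_provider = ldap` with a plain `ldap://` URI and sets no `ldap_tls_cacert`, so the TLS session SSSD brings up for the password bind can only be verified when the IPA CA already sits in the OpenLDAP default trust directory. The Red Hat plugin in legacy_clients.py does populate /etc/openldap/cacerts and runs cacertdir_rehash, but the generic plugin in that same file never fetches the CA certificate at all, so on those platforms the bind is likely to fail verification (SSSD does not send the password bind without TLS by default). Add `ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt` (or a `$CA_CERT_PATH` substitution) to the template and mirror the CA download step in config_generic_sssd_before_1_9.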
@@ -0,0 +1,117 @@
+# Authors: Ana Krivokapic <[email protected]>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+import os.path
+
+from ipalib import api
+from ipalib.frontend import Advice
+from ipapython.ipautil import template_file, SHARE_DIR
+
+
+def generate_sssd_conf():
+ sub_dict = dict(
+ IPA_SERVER_HOSTNAME=api.env.host,
+ BASE_DN=','. join(['dc=%s' % c for c in api.env.domain.split('.')])
+ )
+ template = os.path.join(SHARE_DIR, 'sssd.conf.template')
+ return template_file(template, sub_dict)
+
+
+class config_redhat_sssd_before_1_9(Advice):
+ """
+ Legacy client configuration for Red Hat based platforms.
+ """
+
+ description = ('Instructions for configuring a system with an old version '
+ 'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
+ 'instructions is targeted for platforms that include '
+ 'the authconfig utility, which are all Red Hat based '
+ 'platforms.')
+
+ def get_info(self):
+ self.log.comment('Install the sssd and authconfig packages via yum')
+ self.log.command('yum install -y sssd authconfig\n')
+
+ self.log.comment('Download the CA certificate of the IPA server')
+ self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
+ self.log.command('wget http://%s/ipa/config/ca.crt -O '
+ '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
+
+ self.log.comment('Generate hashes for the openldap library')
+ self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
+
+ self.log.comment('Use the authconfig to configure nsswitch.conf '
+ 'and the PAM stack')
+ self.log.command('authconfig --updateall --enablesssd '
+ '--enablesssdauth\n')
+
+ self.log.comment('Configure SSSD')
+ self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
+ '%s\nEOF' % generate_sssd_conf())
+ self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
+
+ self.log.comment('Start SSSD')
+ self.log.command('service sssd start')
+
+
+api.register(config_redhat_sssd_before_1_9)
+
+
+class config_generic_sssd_before_1_9(Advice):
+ """
+ Legacy client configuration for non Red Hat based platforms.
+ """
+
+ description = ('Instructions for configuring a system with an old version '
+ 'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
+ 'instructions is targeted for platforms that do not '
+ 'include the authconfig utility.')
+
+ def get_info(self):
+ with open(os.path.join(SHARE_DIR, 'pam.conf.template')) as fd:
+ pam_conf = fd.read()
+
+ self.log.comment('Install the sssd package using your system\'s '
+ 'package manager. E.g:')
+ self.log.command('apt-get -y install sssd\n')
+
+ self.log.comment('Configure nsswitch.conf. Append sss to the lines '
+ 'beginning with passwd and group. ')
+ self.log.command('grep "^passwd.*sss" /etc/nsswitch.conf')
+ self.log.command('if [ $? -ne 0 ] ; then sed -i '
+ '\'/^passwd/s|$| sss|\' /etc/nsswitch.conf ; fi')
+ self.log.command('grep "^group.*sss" /etc/nsswitch.conf')
+ self.log.command('if [ $? -ne 0 ] ; then sed -i '
+ '\'/^group/s|$| sss|\' /etc/nsswitch.conf ; fi\n')
+
+ self.log.comment('Configure PAM. Configuring the PAM stack differs on '
+ 'particular distributions. The resulting PAM stack '
+ 'should look like this:')
+ self.log.command('cat > /etc/pam.conf << EOF \n'
+ '%s\nEOF\n' % pam_conf)
+
+ self.log.comment('Configure SSSD')
+ self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
+ '%s\nEOF' % generate_sssd_conf())
+ self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
+
+ self.log.comment('Start SSSD')
+ self.log.command('service sssd start')
+
+
+api.register(config_generic_sssd_before_1_9)
-- 
1.8.1.4
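Review bot: `generate_sssd_conf` builds BASE_DN by splitting `api.env.domain` into dc= components rather than reading the configured `api.env.basedn`, so the emitted `ldap_search_base` is wrong for any deployment whose base DN was customised at install time; `BASE_DN=str(api.env.basedn)` fixes that and also removes the stray space in `','. join`. In `config_redhat_sssd_before_1_9.get_info` the trust anchor is fetched with `wget http://%s/ipa/config/ca.crt` over unauthenticated HTTP and handed straight to cacertdir_rehash, so the advice should add a comment line such as `Verify the fingerprint of the downloaded CA certificate against the copy on the IPA server before continuing`. Both `get_info` methods also write sssd.conf through an unquoted heredoc (`<< EOF`); quoting the delimiter (`<< 'EOF'`) keeps the shell from expanding any `$` or backtick a substituted value might contain.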
