On 08/06/2013 12:15 AM, Jakub Hrozek wrote:
> On Mon, Aug 05, 2013 at 09:55:26PM +0300, Alexander Bokovoy wrote:
>> On Mon, 05 Aug 2013, Ana Krivokapic wrote:
>>>>> + except errors.NotFound:
>>>>> + return dict(result=False)
>>>>> +
>>>>> + attr = groups_entry.get('schema-compat-lookup-sssd')
>>>> same here.
>>>>
>>>> It needs my patch 0112 too -- it changes ipa-adtrust-install to write
>>>> proper configuration options to slapi-nis configs.
>>> Done.
>>>
>>> Also, references to both relevant tickets
>>> https://fedorahosted.org/freeipa/ticket/3671 and
>>> https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.
>>>
>>> Updated patches attached.
>> Thanks. Few more comments now that I've run the ipa-advise with the
>> plugins:
>>
>> 1. We need to put downloading the certificate to both plugins.
> Right, this is something that was documented on the wiki during the test
> day and I agree with Alexander it makes sense to be present in the
> advise tool as well.
Fixed. cacertdir_rehash script is also downloaded if necessary.
>
>> 2. The certificate needs to be specified in sssd.conf as well as ldap.conf
> Wouldn't it be better to just say that you need to make sure that the
> certificates are present on openldap's configured directories? That
> would cover not only the SSSD but also all the tools like ldapsearch the
> admin might want to run for troubleshooting. Maybe a hint to run
> cacertdir_rehash would be nice.
Fixed. We agreed it is best to specify the defaults explicitly in config files,
while including a comment about a possible need for manual modification of the
script.
>
> _______________________________________________
> Freeipa-devel mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-devel
Patch 52 is updated, patch 53 needed a rebase. The whole updated patch set is
attached.
--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
From 2858f368ceb504540b67d83d9abb550178354687 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <[email protected]>
Date: Thu, 1 Aug 2013 14:12:39 +0200
Subject: [PATCH] Add ipa-advise plugins for legacy clients
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in a trusted domain.
Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:
* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
systems, as these systems include the authconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms
https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
---
freeipa.spec.in | 3 +
install/configure.ac | 2 +
install/share/Makefile.am | 4 +
install/share/advise/Makefile.am | 17 +++
install/share/advise/legacy/Makefile.am | 15 +++
install/share/advise/legacy/pam.conf.template | 22 ++++
install/share/advise/legacy/sssd.conf.template | 13 ++
ipaserver/advise/plugins/legacy_clients.py | 163 +++++++++++++++++++++++++
8 files changed, 239 insertions(+)
create mode 100644 install/share/advise/Makefile.am
create mode 100644 install/share/advise/legacy/Makefile.am
create mode 100644 install/share/advise/legacy/pam.conf.template
create mode 100644 install/share/advise/legacy/sssd.conf.template
create mode 100644 ipaserver/advise/plugins/legacy_clients.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0afcdae86ee2b9a7b603df3d3bdb1499916ecd0c..d4f90c7d8dceab61095e477d5daaec1cfe4eebec 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -630,6 +630,9 @@ fi
%{_usr}/share/ipa/*.ldif
%{_usr}/share/ipa/*.uldif
%{_usr}/share/ipa/*.template
+%dir %{_usr}/share/ipa/advise
+%dir %{_usr}/share/ipa/advise/legacy
+%{_usr}/share/ipa/advise/legacy/*.template
%dir %{_usr}/share/ipa/ffextension
%{_usr}/share/ipa/ffextension/bootstrap.js
%{_usr}/share/ipa/ffextension/install.rdf
diff --git a/install/configure.ac b/install/configure.ac
index fca4c6991db63de17c47aa8d86e1d910ac09d47e..29254e6edfb9874ead9b37cc2d310a86fbfa0060 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -85,6 +85,8 @@ AC_CONFIG_FILES([
html/Makefile
migration/Makefile
share/Makefile
+ share/advise/Makefile
+ share/advise/legacy/Makefile
ui/Makefile
ui/src/Makefile
ui/src/libs/Makefile
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 1e56d2c530375c371cd5e66b4e83d2c13bc86e77..5fff55bd1281d232858df679e7dfd9f84e4545ec 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -1,5 +1,9 @@
NULL =
+SUBDIRS = \
+ advise \
+ $(NULL)
+
appdir = $(IPA_DATA_DIR)
app_DATA = \
05rfc2247.ldif \
diff --git a/install/share/advise/Makefile.am b/install/share/advise/Makefile.am
new file mode 100644
index 0000000000000000000000000000000000000000..877f91ce8926e002582fad859da1b604e623ed38
--- /dev/null
+++ b/install/share/advise/Makefile.am
@@ -0,0 +1,17 @@
+NULL =
+
+SUBDIRS = \
+ legacy \
+ $(NULL)
+
+appdir = $(IPA_DATA_DIR)/advise
+app_DATA = \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(app_DATA) \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/install/share/advise/legacy/Makefile.am b/install/share/advise/legacy/Makefile.am
new file mode 100644
index 0000000000000000000000000000000000000000..73cd2718c343b2f3382a92f0ec8b19fb29a15c58
--- /dev/null
+++ b/install/share/advise/legacy/Makefile.am
@@ -0,0 +1,15 @@
+NULL =
+
+appdir = $(IPA_DATA_DIR)/advise/legacy
+app_DATA = \
+ sssd.conf.template \
+ pam.conf.template \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(app_DATA) \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/install/share/advise/legacy/pam.conf.template b/install/share/advise/legacy/pam.conf.template
new file mode 100644
index 0000000000000000000000000000000000000000..bdd91821eb6d8259d7f03a6eac78fc264b0cafa8
--- /dev/null
+++ b/install/share/advise/legacy/pam.conf.template
@@ -0,0 +1,22 @@
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth sufficient pam_sss.so use_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so broken_shadow
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
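Review bot: this template is emitted verbatim by the generic (non-authconfig) plugin, yet it hard-codes Red Hat conventions that do not hold on other platforms: the `uid >= 500` / `uid < 500` boundary for system accounts (Debian-derived systems start regular users at 1000, so their first users would be rejected by `pam_succeed_if` in the auth phase) and `pam_cracklib.so` with a dangling empty `type=`. It also carries `nullok` on `pam_unix.so` in both the auth and password lines, which lets accounts with an empty password authenticate; because the advice writes the whole stack with `cat > /etc/pam.conf`, that setting lands on the target unreviewed. Suggest dropping `nullok` and the empty `type=`, and adding a comment to the generated script that the uid threshold must match the platform's UID_MIN.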
diff --git a/install/share/advise/legacy/sssd.conf.template b/install/share/advise/legacy/sssd.conf.template
new file mode 100644
index 0000000000000000000000000000000000000000..28f9c115d8c2df1f669fca535d401e24d38fdf38
--- /dev/null
+++ b/install/share/advise/legacy/sssd.conf.template
@@ -0,0 +1,13 @@
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = default
+re_expression = (?P<name>.+)
+
+[domain/default]
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldap://$IPA_SERVER_HOSTNAME
+ldap_search_base = cn=compat,$BASE_DN
+ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
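Review bot: with `id_provider = ldap` and a plain `ldap://` URI, identity lookups against the compat tree go over unencrypted LDAP unless `ldap_id_use_start_tls = True` is set; SSSD forces TLS only on the auth path. Since the script goes to the trouble of installing the IPA CA certificate, consider adding `ldap_id_use_start_tls = True` to `[domain/default]` so the CA is actually used for lookups as well. Also, `ldap_tls_cacert` points at the single downloaded file while the companion ldap.conf step configures a hashed directory; either works, but `ldap_tls_cacertdir = /etc/openldap/cacerts` would keep the two consistent and survive a future rename of the certificate file.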
diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
new file mode 100644
index 0000000000000000000000000000000000000000..f58af9b9f3ba9049a0160aabeae20a44f14ba195
--- /dev/null
+++ b/ipaserver/advise/plugins/legacy_clients.py
@@ -0,0 +1,163 @@
+# Authors: Ana Krivokapic <[email protected]>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+import os
+
+from ipalib import api
+from ipalib.frontend import Advice
+from ipapython.ipautil import template_file, SHARE_DIR
+
+
+class config_base_sssd_before_1_9(Advice):
+ def check_compat_plugin(self):
+ compat_is_enabled = api.Command['compat_is_enabled']()['result']
+ if not compat_is_enabled:
+ self.log.comment(
+ 'Schema Compatibility plugin has not been configured '
+ 'on this server. To configure it, run '
+ '"ipa-adtrust-install --enable-compat"\n'
+ )
+
+ def configure_ca_cert(self):
+ self.log.comment('Please note that this script assumes '
+ '/etc/openldap/cacerts as the default CA certificate '
+ 'location. If this value is different on your system '
+ 'the script needs to be modified accordingly.\n')
+
+ cacertdir_rehash = ('https://fedorahosted.org/authconfig/browser/'
+ 'cacertdir_rehash?format=txt')
+ self.log.comment('Download the CA certificate of the IPA server')
+ self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
+ self.log.command('wget http://%s/ipa/config/ca.crt -O '
+ '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
+
+ self.log.comment('Generate hashes for the openldap library')
+ self.log.command('which cacertdir_rehash')
+ self.log.command('if [ $? -ne 0 ] ; then')
+ self.log.command(' wget "%s" -O cacertdir_rehash ;' % cacertdir_rehash)
+ self.log.command(' chmod 755 ./cacertdir_rehash ;')
+ self.log.command(' ./cacertdir_rehash /etc/openldap/cacerts/ ;')
+ self.log.command('else')
+ self.log.command(' cacertdir_rehash /etc/openldap/cacerts/ ;')
+ self.log.command('fi\n')
+
+ def configure_and_start_sssd(self):
+ sub_dict = dict(
+ IPA_SERVER_HOSTNAME=api.env.host,
+ BASE_DN=','. join(['dc=%s' % c for c in api.env.domain.split('.')])
+ )
+ template = os.path.join(
+ SHARE_DIR,
+ 'advise',
+ 'legacy',
+ 'sssd.conf.template'
+ )
+ sssd_conf = template_file(template, sub_dict)
+
+ self.log.comment('Configure SSSD')
+ self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
+ '%s\nEOF' % sssd_conf)
+ self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
+
+ self.log.comment('Start SSSD')
+ self.log.command('service sssd start')
+
+
+class config_redhat_sssd_before_1_9(config_base_sssd_before_1_9):
+ """
+ Legacy client configuration for Red Hat based platforms.
+ """
+ description = ('Instructions for configuring a system with an old version '
+ 'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
+ 'instructions is targeted for platforms that include '
+ 'the authconfig utility, which are all Red Hat based '
+ 'platforms.')
+
+ def get_info(self):
+ self.check_compat_plugin()
+
+ self.log.comment('Install required packages via yum')
+ self.log.command('yum install -y sssd authconfig wget openssl\n')
+
+ self.configure_ca_cert()
+
+ self.log.comment('Use the authconfig to configure nsswitch.conf '
+ 'and the PAM stack')
+ self.log.command('authconfig --updateall --enablesssd '
+ '--enablesssdauth\n')
+
+ self.configure_and_start_sssd()
+
+
+api.register(config_redhat_sssd_before_1_9)
+
+
+class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
+ """
+ Legacy client configuration for non Red Hat based platforms.
+ """
+ description = ('Instructions for configuring a system with an old version '
+ 'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
+ 'instructions is targeted for platforms that do not '
+ 'include the authconfig utility.')
+
+ def get_info(self):
+ self.check_compat_plugin()
+
+ with open(os.path.join(
+ SHARE_DIR,
+ 'advise',
+ 'legacy',
+ 'pam.conf.template')) as fd:
+ pam_conf = fd.read()
+
+ self.log.comment('Install required packages using your system\'s '
+ 'package manager. E.g:')
+ self.log.command('apt-get -y install sssd wget openssl\n')
+
+ self.configure_ca_cert()
+
+ self.log.comment('Configure nsswitch.conf. Append sss to the lines '
+ 'beginning with passwd and group. ')
+ self.log.command('grep "^passwd.*sss" /etc/nsswitch.conf')
+ self.log.command('if [ $? -ne 0 ] ; then sed -i '
+ '\'/^passwd/s|$| sss|\' /etc/nsswitch.conf ; fi')
+ self.log.command('grep "^group.*sss" /etc/nsswitch.conf')
+ self.log.command('if [ $? -ne 0 ] ; then sed -i '
+ '\'/^group/s|$| sss|\' /etc/nsswitch.conf ; fi\n')
+
+ self.log.comment('Configure PAM. Configuring the PAM stack differs on '
+ 'particular distributions. The resulting PAM stack '
+ 'should look like this:')
+ self.log.command('cat > /etc/pam.conf << EOF \n'
+ '%s\nEOF\n' % pam_conf)
+
+ self.configure_and_start_sssd()
+
+ def configure_ca_cert(self):
+ super(config_generic_sssd_before_1_9, self).configure_ca_cert()
+
+ self.log.comment('Configure ldap.conf. Set the value of '
+ 'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure '
+ 'that the location of ldap.conf file matches your '
+ 'system\'s configuration.')
+ self.log.command('echo "TLS_CACERTDIR /etc/openldap/cacerts" >> '
+ '/etc/ldap/ldap.conf\n')
+
+
+api.register(config_generic_sssd_before_1_9)
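Review bot: `configure_and_start_sssd` derives `BASE_DN` by splitting `api.env.domain` into `dc=` components, but the IPA base DN is an installation parameter that need not match the DNS domain; `api.env.basedn` already holds the real value and should be used instead. Two further points in `configure_ca_cert`: the IPA CA certificate, which becomes the trust anchor for every TLS connection the client makes afterwards, is fetched over plain `http://` with no fingerprint shown for the admin to compare, and `cacertdir_rehash` is downloaded from fedorahosted and executed as root whenever it is not already installed; at minimum the generated script should print the certificate fingerprint (`openssl x509 -in /etc/openldap/cacerts/ipa.crt -noout -fingerprint`; openssl is already in the package list) and comment that the fallback download should be reviewed before running. Finally, the heredocs in `configure_and_start_sssd` and in the generic `get_info` use an unquoted `EOF`, so the shell expands `$`, backticks and backslashes inside the emitted config; `<< 'EOF'` avoids surprises if the templates ever gain such characters.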
--
1.8.1.4
From d0626ce5271f3b385f48fa55e8918b916248059f Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <[email protected]>
Date: Fri, 2 Aug 2013 16:14:27 +0200
Subject: [PATCH] Add new command compat-is-enabled
Add a new API command 'compat-is-enabled' which can be used to determine
whether the Schema Compatibility plugin is configured to serve trusted domain
users and groups. The new command is not visible in IPA CLI.
https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
---
API.txt | 4 ++++
VERSION | 2 +-
ipalib/plugins/trust.py | 44 ++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/API.txt b/API.txt
index 47cf5411f1cfa600823d890308ca7504410f7d0b..5418f31dc8d936ee629155aff08c05577cf9c4ee 100644
--- a/API.txt
+++ b/API.txt
@@ -490,6 +490,10 @@ command: cert_status
arg: Str('request_id')
option: Str('version?', exclude='webui')
output: Output('result', None, None)
+command: compat_is_enabled
+args: 0,1,1
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
command: config_mod
args: 0,24,3
option: Str('addattr*', cli_name='addattr', exclude='webui')
diff --git a/VERSION b/VERSION
index 313d5f96ffdf025a3e97aa405d432fdae64d0d20..950e094d171534ada518a89d12ada4b0180c5c62 100644
--- a/VERSION
+++ b/VERSION
@@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=63
+IPA_API_VERSION_MINOR=64
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index b19a27ecabb62abdfbc3c7927a8f78e83ad6821d..8790dcd2a5d026c728c6468d5fb7c50f58d0908b 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -990,3 +990,47 @@ def execute(self, *keys, **options):
return dict(result=True)
api.register(adtrust_is_enabled)
+
+
+class compat_is_enabled(Command):
+ NO_CLI = True
+
+ __doc__ = _('Determine whether Schema Compatibility plugin is configured '
+ 'to serve trusted domain users and groups')
+
+ def execute(self, *keys, **options):
+ ldap = self.api.Backend.ldap2
+ users_dn = DN(
+ ('cn', 'users'),
+ ('cn', 'Schema Compatibility'),
+ ('cn', 'plugins'),
+ ('cn', 'config')
+ )
+ groups_dn = DN(
+ ('cn', 'groups'),
+ ('cn', 'Schema Compatibility'),
+ ('cn', 'plugins'),
+ ('cn', 'config')
+ )
+
+ try:
+ users_entry = ldap.get_entry(users_dn)
+ except errors.NotFound:
+ return dict(result=False)
+
+ attr = users_entry.get('schema-compat-lookup-nsswitch')
+ if not attr or 'user' not in attr:
+ return dict(result=False)
+
+ try:
+ groups_entry = ldap.get_entry(groups_dn)
+ except errors.NotFound:
+ return dict(result=False)
+
+ attr = groups_entry.get('schema-compat-lookup-nsswitch')
+ if not attr or 'group' not in attr:
+ return dict(result=False)
+
+ return dict(result=True)
+
+api.register(compat_is_enabled)
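Review bot: the check looks only at `schema-compat-lookup-nsswitch` on the two container entries and treats a missing entry as "not enabled", but it never consults the plugin's own enable flag, so it reports True when the containers are configured but the Schema Compatibility plugin itself has been switched off; consider also reading `nsslapd-pluginEnabled` from `cn=Schema Compatibility,cn=plugins,cn=config`. Smaller points: both `get_entry` calls fetch every attribute where `ldap.get_entry(dn, ['schema-compat-lookup-nsswitch'])` would do, and the users/groups blocks are identical apart from the DN and the expected value, so a loop over `(('users', 'user'), ('groups', 'group'))` would halve the code.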
--
1.8.1.4
From db47e40f8acf402f06e5149682ed4944d1262c7b Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <[email protected]>
Date: Fri, 2 Aug 2013 16:11:16 +0200
Subject: [PATCH] Enable running API commands in ipa-advise plugins
https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
---
ipalib/rpc.py | 4 ++--
ipaserver/advise/base.py | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 36daa8393108cf53052f0dfac9cb0eb84ba4bb54..81e7aa35fdf780b3dcd850cfcc3ba5285d71e461 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -621,7 +621,7 @@ def create_connection(self, ccache=None, verbose=False, fallback=True,
kw['transport'] = KerbTransport()
else:
kw['transport'] = LanguageAwareTransport()
- self.log.info('trying %s' % url)
+ self.log.debug('trying %s' % url)
setattr(context, 'request_url', url)
serverproxy = ServerProxy(url, **kw)
if len(urls) == 1:
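Review bot: the commit message does not say why two log lines in `ipalib/rpc.py` are downgraded from info to debug; presumably it is because ipa-advise now connects through `xmlclient` and the info-level lines would otherwise appear alongside the generated shell script. Please state that in the commit message so the change is not later reverted as a stray log-level tweak.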
@@ -697,7 +697,7 @@ def forward(self, name, *args, **kw):
'%s.forward(): %r not in api.Command' % (self.name, name)
)
server = getattr(context, 'request_url', None)
- self.info("Forwarding '%s' to server '%s'", name, server)
+ self.debug("Forwarding '%s' to server '%s'", name, server)
command = getattr(self.conn, name)
params = [args, kw]
try:
diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index 4b6ee96f86465c85a9a24c578f20c355473a59b6..58d5738d569384f70decca63750b1a450e80668c 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -150,7 +150,9 @@ def print_advice(self, keyword):
advice.set_options(self.options)
# Print out the actual advice
+ api.Backend.xmlclient.connect()
advice.get_info()
+ api.Backend.xmlclient.disconnect()
for line in advice.log.content:
print line
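Review bot: `connect()` and `disconnect()` are not paired in a `try`/`finally`, so an exception raised inside `advice.get_info()` (an LDAP error, or `errors.NotFound` bubbling out of a command) leaves the connection open. Wrapping the call as `api.Backend.xmlclient.connect()` / `try: advice.get_info()` / `finally: api.Backend.xmlclient.disconnect()` fixes that. The connection also now requires a valid Kerberos ticket for every plugin, including ones that never call the API; a clear error message when no credentials are available would be preferable to the raw exception.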
--
1.8.1.4