IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-26 08:51:50 -06:00
Code Issues Packages Projects Releases Wiki Activity
f5822e3a25
freeipa/ipaserver/advise/plugins/legacy_clients.py

381 lines
15 KiB
Python
Raw Normal View History

Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
# Authors: Ana Krivokapic <akrivoka@redhat.com>
#
# Copyright (C) 2013 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
Add absolute_import future imports Add absolute_import from __future__ so that pylint does not fail and to achieve python3 behavior in python2. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-05 02:21:16 -05:00
from __future__ import absolute_import
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
import os
from ipalib import api
advise: Add separate API object for ipa-advise Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-16 10:34:01 -06:00
from ipalib.plugable import Registry
ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform. Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove both SHARE_DIR and PLUGIN_SHARE_DIR. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-22 09:06:45 -06:00
from ipaplatform.paths import paths
advise: Add separate API object for ipa-advise Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-16 10:34:01 -06:00
from ipaserver.advise.base import Advice
ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform. Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove both SHARE_DIR and PLUGIN_SHARE_DIR. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-22 09:06:45 -06:00
from ipapython.ipautil import template_file
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
advise: Add separate API object for ipa-advise Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-16 10:34:01 -06:00
register = Registry()
ipa-advise: update url of cacerdir_rehash tool On legacy systems which don't have cacerdir_rehash tool (provided by authconfig) the generated advise script downloads this tool from project page and uses it. After decommision of Fedorahosted and move of authconfig project to Pagure, this url was not updated in FreeIPA project. This patch updates the url. https://pagure.io/freeipa/issue/7731 Signed-off-by: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-12 07:20:25 -05:00
CACERTDIR_REHASH_URL = ('https://pagure.io/authconfig/raw/master/f/'
'cacertdir_rehash')
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
class config_base_legacy_client(Advice):
def get_uri_and_base(self):
uri = 'ldap://%s' % api.env.host
base = 'cn=compat,%s' % api.env.basedn
return uri, base
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
def check_compat_plugin(self):
compat_is_enabled = api.Command['compat_is_enabled']()['result']
if not compat_is_enabled:
self.log.comment(
'Schema Compatibility plugin has not been configured '
'on this server. To configure it, run '
'"ipa-adtrust-install --enable-compat"\n'
)
def configure_ca_cert(self):
self.log.comment('Please note that this script assumes '
'/etc/openldap/cacerts as the default CA certificate '
'location. If this value is different on your system '
'the script needs to be modified accordingly.\n')
self.log.comment('Download the CA certificate of the IPA server')
self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
Migrate wget references and usage to curl https://fedorahosted.org/freeipa/ticket/5458 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-04 15:52:03 -06:00
self.log.command('curl http://%s/ipa/config/ca.crt -o '
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
'/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
self.log.comment('Generate hashes for the openldap library')
ipatests: Use command -v instead of which in legacy client advice Part of: https://fedorahosted.org/freeipa/ticket/3833
2013-10-30 04:08:08 -05:00
self.log.command('command -v cacertdir_rehash')
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
self.log.command('if [ $? -ne 0 ] ; then')
ipa-advise: update url of cacerdir_rehash tool On legacy systems which don't have cacerdir_rehash tool (provided by authconfig) the generated advise script downloads this tool from project page and uses it. After decommision of Fedorahosted and move of authconfig project to Pagure, this url was not updated in FreeIPA project. This patch updates the url. https://pagure.io/freeipa/issue/7731 Signed-off-by: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-12 07:20:25 -05:00
self.log.command(' curl "%s" -o cacertdir_rehash ;' %
CACERTDIR_REHASH_URL)
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
self.log.command(' chmod 755 ./cacertdir_rehash ;')
self.log.command(' ./cacertdir_rehash /etc/openldap/cacerts/ ;')
self.log.command('else')
self.log.command(' cacertdir_rehash /etc/openldap/cacerts/ ;')
self.log.command('fi\n')
def configure_and_start_sssd(self):
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
uri, base = self.get_uri_and_base()
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
template = os.path.join(
ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform. Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove both SHARE_DIR and PLUGIN_SHARE_DIR. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-22 09:06:45 -06:00
paths.USR_SHARE_IPA_DIR,
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
'advise',
'legacy',
'sssd.conf.template'
)
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
sssd_conf = template_file(template, dict(URI=uri, BASE=base))
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
self.log.comment('Configure SSSD')
self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
'%s\nEOF' % sssd_conf)
self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
self.log.comment('Start SSSD')
self.log.command('service sssd start')
advise: Add separate API object for ipa-advise Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-16 10:34:01 -06:00
@register()
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
class config_redhat_sssd_before_1_9(config_base_legacy_client):
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
"""
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
Legacy client configuration for Red Hat based systems, using SSSD.
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
"""
description = ('Instructions for configuring a system with an old version '
'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
'instructions is targeted for platforms that include '
'the authconfig utility, which are all Red Hat based '
'platforms.')
def get_info(self):
self.check_compat_plugin()
self.log.comment('Install required packages via yum')
Migrate wget references and usage to curl https://fedorahosted.org/freeipa/ticket/5458 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-04 15:52:03 -06:00
self.log.command('yum install -y sssd authconfig curl openssl\n')
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
self.configure_ca_cert()
self.log.comment('Use the authconfig to configure nsswitch.conf '
'and the PAM stack')
self.log.command('authconfig --updateall --enablesssd '
'--enablesssdauth\n')
self.configure_and_start_sssd()
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
def configure_ca_cert(self):
self.log.comment('NOTE: IPA certificate uses the SHA-256 hash '
'function. SHA-256 was introduced in RHEL5.2. '
'Therefore, clients older than RHEL5.2 will not be '
'able to interoperate with IPA server 3.x.')
super(config_redhat_sssd_before_1_9, self).configure_ca_cert()
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
advise: Add separate API object for ipa-advise Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-16 10:34:01 -06:00
@register()
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
class config_generic_linux_sssd_before_1_9(config_base_legacy_client):
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
"""
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
Legacy client configuration for non Red Hat based linux systems,
using SSSD.
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
"""
description = ('Instructions for configuring a system with an old version '
'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
'instructions is targeted for linux systems that do not '
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
'include the authconfig utility.')
def get_info(self):
self.check_compat_plugin()
with open(os.path.join(
ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform. Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove both SHARE_DIR and PLUGIN_SHARE_DIR. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-22 09:06:45 -06:00
paths.USR_SHARE_IPA_DIR,
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
'advise',
'legacy',
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
'pam.conf.sssd.template')) as fd:
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
pam_conf = fd.read()
self.log.comment('Install required packages using your system\'s '
'package manager. E.g:')
Migrate wget references and usage to curl https://fedorahosted.org/freeipa/ticket/5458 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-04 15:52:03 -06:00
self.log.command('apt-get -y install sssd curl openssl\n')
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
self.configure_ca_cert()
self.log.comment('Configure nsswitch.conf. Append sss to the lines '
'beginning with passwd and group. ')
self.log.command('grep "^passwd.*sss" /etc/nsswitch.conf')
self.log.command('if [ $? -ne 0 ] ; then sed -i '
'\'/^passwd/s|$| sss|\' /etc/nsswitch.conf ; fi')
self.log.command('grep "^group.*sss" /etc/nsswitch.conf')
self.log.command('if [ $? -ne 0 ] ; then sed -i '
'\'/^group/s|$| sss|\' /etc/nsswitch.conf ; fi\n')
self.log.comment('Configure PAM. Configuring the PAM stack differs on '
'particular distributions. The resulting PAM stack '
'should look like this:')
self.log.command('cat > /etc/pam.conf << EOF \n'
'%s\nEOF\n' % pam_conf)
self.configure_and_start_sssd()
def configure_ca_cert(self):
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
super(config_generic_linux_sssd_before_1_9, self).configure_ca_cert()
self.log.comment('Configure ldap.conf. Set the value of '
'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure '
'that the location of ldap.conf file matches your '
'system\'s configuration.')
self.log.command('echo "TLS_CACERTDIR /etc/openldap/cacerts" >> '
'/etc/ldap/ldap.conf\n')
advise: Add separate API object for ipa-advise Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-16 10:34:01 -06:00
@register()
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
class config_redhat_nss_pam_ldapd(config_base_legacy_client):
"""
Legacy client configuration for Red Hat based systems,
using nss-pam-ldapd.
"""
description = ('Instructions for configuring a system with nss-pam-ldapd '
'as a FreeIPA client. This set of instructions is targeted '
'for platforms that include the authconfig utility, which '
'are all Red Hat based platforms.')
def get_info(self):
uri, base = self.get_uri_and_base()
self.check_compat_plugin()
self.log.comment('Install required packages via yum')
Migrate wget references and usage to curl https://fedorahosted.org/freeipa/ticket/5458 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-04 15:52:03 -06:00
self.log.command('yum install -y curl openssl nss-pam-ldapd pam_ldap '
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
'authconfig\n')
self.configure_ca_cert()
self.log.comment('Use the authconfig to configure nsswitch.conf '
'and the PAM stack')
advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins authconfig in config_redhat_nss_ldap and config_redhat_nss_pam_ldapd got new option --enableldaptls It should have effect primarily on el5 systems. https://fedorahosted.org/freeipa/ticket/5654 Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-02-25 08:25:12 -06:00
self.log.command('authconfig --updateall --enableldap --enableldaptls '
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
'--enableldapauth --ldapserver=%s --ldapbasedn=%s\n'
% (uri, base))
def configure_ca_cert(self):
self.log.comment('NOTE: IPA certificate uses the SHA-256 hash '
'function. SHA-256 was introduced in RHEL5.2. '
'Therefore, clients older than RHEL5.2 will not be '
'able to interoperate with IPA server 3.x.')
super(config_redhat_nss_pam_ldapd, self).configure_ca_cert()
advise: Add separate API object for ipa-advise Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-16 10:34:01 -06:00
@register()
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
class config_generic_linux_nss_pam_ldapd(config_base_legacy_client):
"""
Legacy client configuration for non Red Hat based linux systems,
using nss-pam-ldapd.
"""
description = ('Instructions for configuring a system with nss-pam-ldapd. '
'This set of instructions is targeted for linux systems '
'that do not include the authconfig utility.')
def get_info(self):
uri, base = self.get_uri_and_base()
self.check_compat_plugin()
with open(os.path.join(
ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform. Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove both SHARE_DIR and PLUGIN_SHARE_DIR. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-22 09:06:45 -06:00
paths.USR_SHARE_IPA_DIR,
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
'advise',
'legacy',
'pam.conf.nss_pam_ldapd.template')) as fd:
pam_conf = fd.read()
nslcd_conf = 'uri %s\nbase %s' % (uri, base)
self.log.comment('Install required packages using your system\'s '
'package manager. E.g:')
Migrate wget references and usage to curl https://fedorahosted.org/freeipa/ticket/5458 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-04 15:52:03 -06:00
self.log.command('apt-get -y install curl openssl libnss-ldapd '
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
'libpam-ldapd nslcd\n')
self.configure_ca_cert()
self.log.comment('Configure nsswitch.conf. Append ldap to the lines '
'beginning with passwd and group. ')
self.log.command('grep "^passwd.*ldap" /etc/nsswitch.conf')
self.log.command('if [ $? -ne 0 ] ; then sed -i '
'\'/^passwd/s|$| ldap|\' /etc/nsswitch.conf ; fi')
self.log.command('grep "^group.*ldap" /etc/nsswitch.conf')
self.log.command('if [ $? -ne 0 ] ; then sed -i '
'\'/^group/s|$| ldap|\' /etc/nsswitch.conf ; fi\n')
self.log.comment('Configure PAM. Configuring the PAM stack differs on '
'particular distributions. The resulting PAM stack '
'should look like this:')
self.log.command('cat > /etc/pam.conf << EOF \n'
'%s\nEOF\n' % pam_conf)
self.log.comment('Configure nslcd.conf:')
self.log.command('cat > /etc/nslcd.conf << EOF \n'
'%s\nEOF\n' % nslcd_conf)
self.log.comment('Configure pam_ldap.conf:')
self.log.command('cat > /etc/pam_ldap.conf << EOF \n'
'%s\nEOF\n' % nslcd_conf)
self.log.comment('Stop nscd and restart nslcd')
self.log.command('service nscd stop && service nslcd restart')
def configure_ca_cert(self):
super(config_generic_linux_nss_pam_ldapd, self).configure_ca_cert()
Add ipa-advise plugins for legacy clients Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
2013-08-01 07:12:39 -05:00
self.log.comment('Configure ldap.conf. Set the value of '
'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure '
'that the location of ldap.conf file matches your '
'system\'s configuration.')
self.log.command('echo "TLS_CACERTDIR /etc/openldap/cacerts" >> '
'/etc/ldap/ldap.conf\n')
advise: Add separate API object for ipa-advise Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-16 10:34:01 -06:00
@register()
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
class config_freebsd_nss_pam_ldapd(config_base_legacy_client):
"""
Legacy client configuration for FreeBSD, using nss-pam-ldapd.
"""
description = ('Instructions for configuring a FreeBSD system with '
'nss-pam-ldapd. ')
def get_info(self):
uri, base = self.get_uri_and_base()
cacrt = '/usr/local/etc/ipa.crt'
self.check_compat_plugin()
with open(os.path.join(
ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform. Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove both SHARE_DIR and PLUGIN_SHARE_DIR. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-22 09:06:45 -06:00
paths.USR_SHARE_IPA_DIR,
Add ipa-advise plugins for nss-pam-ldapd legacy clients Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
2013-10-17 14:58:00 -05:00
'advise',
'legacy',
'pam_conf_sshd.template')) as fd:
pam_conf = fd.read()
self.log.comment('Install required packages')
self.log.command('pkg_add -r nss-pam-ldapd curl\n')
self.configure_ca_cert(cacrt)
self.log.comment('Configure nsswitch.conf')
self.log.command('sed -i \'\' -e \'s/^passwd:/passwd: files ldap/\' '
'/etc/nsswitch.conf')
self.log.command('sed -i \'\' -e \'s/^group:/group: files ldap/\' '
'/etc/nsswitch.conf\n')
self.log.comment('Configure PAM stack for the sshd service')
self.log.command('cat > /etc/pam.d/sshd << EOF \n'
'%s\nEOF\n' % pam_conf)
self.log.comment('Add automated start of nslcd to /etc/rc.conf')
self.log.command('echo \'nslcd_enable="YES"\nnslcd_debug="NO"\' >> '
'/etc/rc.conf')
self.log.comment('Configure nslcd.conf:')
self.log.command('echo "uid nslcd\n'
'gid nslcd\n'
'uri %s\n'
'base %s\n'
'scope sub\n'
'base group cn=groups,%s\n'
'base passwd cn=users,%s\n'
'base shadow cn=users,%s\n'
'ssl start_tls\n'
'tls_cacertfile %s\n" > /usr/local/etc/nslcd.conf'
% ((uri,) + (base,)*4 + (cacrt,)))
self.log.comment('Configure ldap.conf:')
self.log.command('echo "uri %s\nbase %s\nssl start_tls\ntls_cacert %s"'
'> /usr/local/etc/ldap.conf' % (uri, base, cacrt))
self.log.comment('Restart nslcd')
self.log.command('/usr/local/etc/rc.d/nslcd restart')
def configure_ca_cert(self, cacrt):
self.log.comment('Download the CA certificate of the IPA server')
self.log.command('curl -k https://%s/ipa/config/ca.crt > '
'%s' % (api.env.host, cacrt))
advice: Add legacy client configuration script using nss-ldap Part of: https://fedorahosted.org/freeipa/ticket/3833
2013-10-30 11:17:19 -05:00
advise: Add separate API object for ipa-advise Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-16 10:34:01 -06:00
@register()
advice: Add legacy client configuration script using nss-ldap Part of: https://fedorahosted.org/freeipa/ticket/3833
2013-10-30 11:17:19 -05:00
class config_redhat_nss_ldap(config_base_legacy_client):
"""
Legacy client configuration for Red Hat based systems,
using nss-ldap.
"""
description = ('Instructions for configuring a system with nss-ldap '
'as a FreeIPA client. This set of instructions is targeted '
'for platforms that include the authconfig utility, which '
'are all Red Hat based platforms.')
def get_info(self):
uri, base = self.get_uri_and_base()
self.check_compat_plugin()
self.log.comment('Install required packages via yum')
Migrate wget references and usage to curl https://fedorahosted.org/freeipa/ticket/5458 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-04 15:52:03 -06:00
self.log.command('yum install -y curl openssl nss_ldap '
ipatests: Use command -v instead of which in legacy client advice Part of: https://fedorahosted.org/freeipa/ticket/3833
2013-10-30 04:08:08 -05:00
'authconfig\n')
advice: Add legacy client configuration script using nss-ldap Part of: https://fedorahosted.org/freeipa/ticket/3833
2013-10-30 11:17:19 -05:00
self.configure_ca_cert()
self.log.comment('Use the authconfig to configure nsswitch.conf '
'and the PAM stack')
advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins authconfig in config_redhat_nss_ldap and config_redhat_nss_pam_ldapd got new option --enableldaptls It should have effect primarily on el5 systems. https://fedorahosted.org/freeipa/ticket/5654 Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-02-25 08:25:12 -06:00
self.log.command('authconfig --updateall --enableldap --enableldaptls '
advice: Add legacy client configuration script using nss-ldap Part of: https://fedorahosted.org/freeipa/ticket/3833
2013-10-30 11:17:19 -05:00
'--enableldapauth --ldapserver=%s --ldapbasedn=%s\n'
% (uri, base))
def configure_ca_cert(self):
self.log.comment('NOTE: IPA certificate uses the SHA-256 hash '
'function. SHA-256 was introduced in RHEL5.2. '
'Therefore, clients older than RHEL5.2 will not be '
'able to interoperate with IPA server 3.x.')
super(config_redhat_nss_ldap, self).configure_ca_cert()
Reference in New Issue Copy Permalink