mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
smart-card advises: configure systemwide NSS DB also on master
Previously the Smart card signing CA cert was uploaded to systemwide NSS DB only on the client, but it need to be added also to the server. Modify the advise plugins to allow for common configuration steps to occur in both cases. https://pagure.io/freeipa/issue/7036 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
902f736a2b
commit
69ba5f9422
@ -10,8 +10,39 @@ from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
|
||||
register = Registry()
|
||||
|
||||
|
||||
class common_smart_card_auth_config(Advice):
|
||||
"""
|
||||
Common steps required to properly configure both server and client for
|
||||
smart card auth
|
||||
"""
|
||||
|
||||
systemwide_nssdb = paths.NSS_DB_DIR
|
||||
smart_card_ca_cert_variable_name = "SC_CA_CERT"
|
||||
|
||||
def check_and_set_ca_cert_path(self):
|
||||
ca_path_variable = self.smart_card_ca_cert_variable_name
|
||||
self.log.command("{}=$1".format(ca_path_variable))
|
||||
self.log.exit_on_predicate(
|
||||
'[ -z "${}" ]'.format(ca_path_variable),
|
||||
['You need to provide the path to the PEM file containing CA '
|
||||
'signing the Smart Cards']
|
||||
)
|
||||
self.log.exit_on_predicate(
|
||||
'[ ! -f "${}" ]'.format(ca_path_variable),
|
||||
['Invalid CA certificate filename: ${}'.format(ca_path_variable),
|
||||
'Please check that the path exists and is a valid file']
|
||||
)
|
||||
|
||||
def upload_smartcard_ca_certificate_to_systemwide_db(self):
|
||||
self.log.command(
|
||||
'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
|
||||
self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
|
||||
)
|
||||
)
|
||||
|
||||
|
||||
@register()
|
||||
class config_server_for_smart_card_auth(Advice):
|
||||
class config_server_for_smart_card_auth(common_smart_card_auth_config):
|
||||
"""
|
||||
Configures smart card authentication via Kerberos (PKINIT) and for WebUI
|
||||
"""
|
||||
@ -28,6 +59,7 @@ class config_server_for_smart_card_auth(Advice):
|
||||
|
||||
def get_info(self):
|
||||
self.log.exit_on_nonroot_euid()
|
||||
self.check_and_set_ca_cert_path()
|
||||
self.check_ccache_not_empty()
|
||||
self.check_hostname_is_in_masters()
|
||||
self.resolve_ipaca_records()
|
||||
@ -37,6 +69,7 @@ class config_server_for_smart_card_auth(Advice):
|
||||
self.record_httpd_ocsp_status()
|
||||
self.check_and_enable_pkinit()
|
||||
self.enable_ok_to_auth_as_delegate_on_http_principal()
|
||||
self.upload_smartcard_ca_certificate_to_systemwide_db()
|
||||
|
||||
def check_ccache_not_empty(self):
|
||||
self.log.comment('Check whether the credential cache is not empty')
|
||||
@ -162,11 +195,10 @@ class config_server_for_smart_card_auth(Advice):
|
||||
|
||||
|
||||
@register()
|
||||
class config_client_for_smart_card_auth(Advice):
|
||||
class config_client_for_smart_card_auth(common_smart_card_auth_config):
|
||||
"""
|
||||
Configures smart card authentication on FreeIPA client
|
||||
"""
|
||||
smart_card_ca_cert_variable_name = "SC_CA_CERT"
|
||||
|
||||
description = ("Instructions for enabling Smart Card authentication on "
|
||||
" a single FreeIPA client. Configures Smart Card daemon, "
|
||||
@ -190,20 +222,6 @@ class config_client_for_smart_card_auth(Advice):
|
||||
self.run_authconfig_to_configure_smart_card_auth()
|
||||
self.restart_sssd()
|
||||
|
||||
def check_and_set_ca_cert_path(self):
|
||||
ca_path_variable = self.smart_card_ca_cert_variable_name
|
||||
self.log.command("{}=$1".format(ca_path_variable))
|
||||
self.log.exit_on_predicate(
|
||||
'[ -z "${}" ]'.format(ca_path_variable),
|
||||
['You need to provide the path to the PEM file containing CA '
|
||||
'signing the Smart Cards']
|
||||
)
|
||||
self.log.exit_on_predicate(
|
||||
'[ ! -f "${}" ]'.format(ca_path_variable),
|
||||
['Invalid CA certificate filename: ${}'.format(ca_path_variable),
|
||||
'Please check that the path exists and is a valid file']
|
||||
)
|
||||
|
||||
def check_and_remove_pam_pkcs11(self):
|
||||
self.log.command('rpm -qi pam_pkcs11 > /dev/null')
|
||||
self.log.commands_on_predicate(
|
||||
@ -247,13 +265,6 @@ class config_client_for_smart_card_auth(Advice):
|
||||
]
|
||||
)
|
||||
|
||||
def upload_smartcard_ca_certificate_to_systemwide_db(self):
|
||||
self.log.command(
|
||||
'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
|
||||
self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
|
||||
)
|
||||
)
|
||||
|
||||
def run_authconfig_to_configure_smart_card_auth(self):
|
||||
self.log.exit_on_failed_command(
|
||||
'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',
|
||||
|
Loading…
Reference in New Issue
Block a user