ipa-advise: configure pam_cert_auth=True for smart card on client
ipa-advise config-client-for-smart-card-auth now uses authselect instead of authconfig, but `authselect enable-feature with-smartcard` does not set pam_cert_auth=True in /etc/sssd/sssd.conf. As a result, smart card auth on a client fails. The fix adds a step in ipa-advise to configure pam_cert_auth=True. The fix also forces the use of the python3 interpreter, and handles newer versions of SSSD which use OpenSSL instead of NSS (the trusted CA certs must be put into /etc/sssd/pki/sssd_auth_ca_db.pem). Fixes https://pagure.io/freeipa/issue/7532 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
parent
3e1a4a1d05
commit
7729bb73b4
@ -52,6 +52,9 @@ class common_smart_card_auth_config(Advice):
|
||||
)
|
||||
|
||||
def upload_smartcard_ca_certificates_to_systemwide_db(self):
|
||||
# Newer version of sssd use OpenSSL and read the CA certs
|
||||
# from /etc/sssd/pki/sssd_auth_ca_db.pem
|
||||
self.log.command('mkdir -p /etc/sssd/pki')
|
||||
with self.log.for_loop(
|
||||
self.single_ca_cert_variable_name,
|
||||
'${}'.format(self.smart_card_ca_certs_variable_name)):
|
||||
@ -61,6 +64,11 @@ class common_smart_card_auth_config(Advice):
|
||||
self.systemwide_nssdb, self.single_ca_cert_variable_name
|
||||
)
|
||||
)
|
||||
self.log.command(
|
||||
'cat ${} >> /etc/sssd/pki/sssd_auth_ca_db.pem'.format(
|
||||
self.single_ca_cert_variable_name
|
||||
)
|
||||
)
|
||||
|
||||
def install_smart_card_signing_ca_certs(self):
|
||||
with self.log.for_loop(
|
||||
@ -178,7 +186,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
|
||||
def record_httpd_ocsp_status(self):
|
||||
self.log.comment('store the OCSP upgrade state')
|
||||
self.log.command(
|
||||
"python -c 'from ipaserver.install import sysupgrade; "
|
||||
"python3 -c 'from ipaserver.install import sysupgrade; "
|
||||
"sysupgrade.set_upgrade_state(\"httpd\", "
|
||||
"\"{}\", True)'".format(OCSP_ENABLED))
|
||||
|
||||
@ -239,6 +247,7 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
|
||||
self.upload_smartcard_ca_certificates_to_systemwide_db()
|
||||
self.update_ipa_ca_certificate_store()
|
||||
self.run_authselect_to_configure_smart_card_auth()
|
||||
self.configure_pam_cert_auth()
|
||||
self.restart_sssd()
|
||||
|
||||
def check_and_remove_pam_pkcs11(self):
|
||||
@ -298,5 +307,13 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
|
||||
]
|
||||
)
|
||||
|
||||
def configure_pam_cert_auth(self):
|
||||
self.log.comment('Set pam_cert_auth=True in /etc/sssd/sssd.conf')
|
||||
self.log.command(
|
||||
"python3 -c 'from SSSDConfig import SSSDConfig; "
|
||||
"c = SSSDConfig(); c.import_config(); "
|
||||
"c.set(\"pam\", \"pam_cert_auth\", \"True\"); "
|
||||
"c.write()'")
|
||||
|
||||
def restart_sssd(self):
|
||||
self.log.command('systemctl restart sssd.service')
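Review bot: The `cat ${...} >> /etc/sssd/pki/sssd_auth_ca_db.pem` step in the second hunk appends to the trust-anchor bundle on every run of the generated script and never resets it, so repeated runs duplicate the CA certificates and any CA appended by an earlier run (or already present in that file) would stay accepted for smart card authentication even after it has been replaced in IPA. Since the script creates the directory itself, truncating the bundle once before the loop keeps the append logic and makes the step idempotent: `self.log.command(': > /etc/sssd/pki/sssd_auth_ca_db.pem')` right after the `mkdir -p`, with a comment such as `# start from an empty bundle so stale or duplicate CAs are not carried over` (if administrators are expected to add extra CAs to that file by hand, the advice text should say so instead). The `mkdir -p` and the redirection also create the directory and file with umask-dependent permissions; whether that matters depends on which user SSSD's certificate helper reads the file as, which this change does not show. The variable in `cat ${...}` is unquoted; `cat "${...}"` is safer should the exported path ever contain whitespace. upload_smartcard_ca_certificates_to_systemwide_db starts in the first hunk and its body runs across the boundary into the second.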
|
||||
|