ipa-advise: configure pam_cert_auth=True for smart card on client

ipa-advise config-client-for-smart-card-auth is now using authselect
instead of authconfig, but authselect enable-feature with-smartcard
does not set pam_cert_auth=True in /etc/sssd/sssd.conf.
As a result, smart card auth on a client fails.
The fix adds a step in ipa-advise to configure pam_cert_auth=True.

The fix also forces the use of the python3 interpreter, and handles
newer versions of SSSD which use OpenSSL instead of NSS (the trusted
CA certs must be put into /etc/sssd/pki/sssd_auth_ca_db.pem).

Fixes https://pagure.io/freeipa/issue/7532

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Florence Blanc-Renaud 2018-09-13 08:59:13 +02:00
parent 3e1a4a1d05
commit 7729bb73b4


@ -52,6 +52,9 @@ class common_smart_card_auth_config(Advice):
)
def upload_smartcard_ca_certificates_to_systemwide_db(self):
# Newer version of sssd use OpenSSL and read the CA certs
# from /etc/sssd/pki/sssd_auth_ca_db.pem
self.log.command('mkdir -p /etc/sssd/pki')
with self.log.for_loop(
self.single_ca_cert_variable_name,
'${}'.format(self.smart_card_ca_certs_variable_name)):
@ -61,6 +64,11 @@ class common_smart_card_auth_config(Advice):
self.systemwide_nssdb, self.single_ca_cert_variable_name
)
)
self.log.command(
'cat ${} >> /etc/sssd/pki/sssd_auth_ca_db.pem'.format(
self.single_ca_cert_variable_name
)
)
def install_smart_card_signing_ca_certs(self):
with self.log.for_loop(
@ -178,7 +186,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
def record_httpd_ocsp_status(self):
self.log.comment('store the OCSP upgrade state')
self.log.command(
"python -c 'from ipaserver.install import sysupgrade; "
"python3 -c 'from ipaserver.install import sysupgrade; "
"sysupgrade.set_upgrade_state(\"httpd\", "
"\"{}\", True)'".format(OCSP_ENABLED))
@ -239,6 +247,7 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
self.upload_smartcard_ca_certificates_to_systemwide_db()
self.update_ipa_ca_certificate_store()
self.run_authselect_to_configure_smart_card_auth()
self.configure_pam_cert_auth()
self.restart_sssd()
def check_and_remove_pam_pkcs11(self):
@ -298,5 +307,13 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
]
)
def configure_pam_cert_auth(self):
self.log.comment('Set pam_cert_auth=True in /etc/sssd/sssd.conf')
self.log.command(
"python3 -c 'from SSSDConfig import SSSDConfig; "
"c = SSSDConfig(); c.import_config(); "
"c.set(\"pam\", \"pam_cert_auth\", \"True\"); "
"c.write()'")
def restart_sssd(self):
self.log.command('systemctl restart sssd.service')
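Review bot: The `cat ${...} >> /etc/sssd/pki/sssd_auth_ca_db.pem` step in the second hunk appends on every run, so re-running the generated script duplicates each CA certificate in the bundle and the file grows without bound. If the bundle is meant to be owned by this script, truncating it once before the loop, e.g. `self.log.command(': > /etc/sssd/pki/sssd_auth_ca_db.pem')` ahead of `with self.log.for_loop(`, keeps the result stable across runs; otherwise a comment in `upload_smartcard_ca_certificates_to_systemwide_db` should say that the file accumulates. The `python3 -c` edit of sssd.conf in the last hunk presumably assumes a `[pam]` section already exists and the `mkdir -p /etc/sssd/pki` line in the first hunk assumes the default directory mode is acceptable to SSSD — worth confirming, since a failure there leaves smart card auth unconfigured while the script continues. The body of `upload_smartcard_ca_certificates_to_systemwide_db` is split across the first two hunks and its middle is outside this view.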