ipa-advise: configure pam_cert_auth=True for smart card on client
ipa-advise config-client-for-smart-card-auth is now using authselect instead of authconfig, but authselect enable-feature with-smartcard does not set pam_cert_auth=True in /etc/sssd/sssd.conf. As a result, smart card auth on a client fails. The fix adds a step in ipa-advise to configure pam_cert_auth=True. The fix also forces the use of the python3 interpreter, and handles newer versions of SSSD which use OpenSSL instead of NSS (the trusted CA certs must be put into /etc/sssd/pki/sssd_auth_ca_db.pem). Fixes https://pagure.io/freeipa/issue/7532 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
parent
3e1a4a1d05
commit
7729bb73b4
@ -52,6 +52,9 @@ class common_smart_card_auth_config(Advice):
|
|||||||
)
|
)
|
||||||
|
|
||||||
def upload_smartcard_ca_certificates_to_systemwide_db(self):
|
def upload_smartcard_ca_certificates_to_systemwide_db(self):
|
||||||
|
# Newer version of sssd use OpenSSL and read the CA certs
|
||||||
|
# from /etc/sssd/pki/sssd_auth_ca_db.pem
|
||||||
|
self.log.command('mkdir -p /etc/sssd/pki')
|
||||||
with self.log.for_loop(
|
with self.log.for_loop(
|
||||||
self.single_ca_cert_variable_name,
|
self.single_ca_cert_variable_name,
|
||||||
'${}'.format(self.smart_card_ca_certs_variable_name)):
|
'${}'.format(self.smart_card_ca_certs_variable_name)):
|
||||||
@ -61,6 +64,11 @@ class common_smart_card_auth_config(Advice):
|
|||||||
self.systemwide_nssdb, self.single_ca_cert_variable_name
|
self.systemwide_nssdb, self.single_ca_cert_variable_name
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
self.log.command(
|
||||||
|
'cat ${} >> /etc/sssd/pki/sssd_auth_ca_db.pem'.format(
|
||||||
|
self.single_ca_cert_variable_name
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
def install_smart_card_signing_ca_certs(self):
|
def install_smart_card_signing_ca_certs(self):
|
||||||
with self.log.for_loop(
|
with self.log.for_loop(
|
||||||
@ -178,7 +186,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
|
|||||||
def record_httpd_ocsp_status(self):
|
def record_httpd_ocsp_status(self):
|
||||||
self.log.comment('store the OCSP upgrade state')
|
self.log.comment('store the OCSP upgrade state')
|
||||||
self.log.command(
|
self.log.command(
|
||||||
"python -c 'from ipaserver.install import sysupgrade; "
|
"python3 -c 'from ipaserver.install import sysupgrade; "
|
||||||
"sysupgrade.set_upgrade_state(\"httpd\", "
|
"sysupgrade.set_upgrade_state(\"httpd\", "
|
||||||
"\"{}\", True)'".format(OCSP_ENABLED))
|
"\"{}\", True)'".format(OCSP_ENABLED))
|
||||||
|
|
||||||
@ -239,6 +247,7 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
|
|||||||
self.upload_smartcard_ca_certificates_to_systemwide_db()
|
self.upload_smartcard_ca_certificates_to_systemwide_db()
|
||||||
self.update_ipa_ca_certificate_store()
|
self.update_ipa_ca_certificate_store()
|
||||||
self.run_authselect_to_configure_smart_card_auth()
|
self.run_authselect_to_configure_smart_card_auth()
|
||||||
|
self.configure_pam_cert_auth()
|
||||||
self.restart_sssd()
|
self.restart_sssd()
|
||||||
|
|
||||||
def check_and_remove_pam_pkcs11(self):
|
def check_and_remove_pam_pkcs11(self):
|
||||||
@ -298,5 +307,13 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
|
|||||||
]
|
]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def configure_pam_cert_auth(self):
|
||||||
|
self.log.comment('Set pam_cert_auth=True in /etc/sssd/sssd.conf')
|
||||||
|
self.log.command(
|
||||||
|
"python3 -c 'from SSSDConfig import SSSDConfig; "
|
||||||
|
"c = SSSDConfig(); c.import_config(); "
|
||||||
|
"c.set(\"pam\", \"pam_cert_auth\", \"True\"); "
|
||||||
|
"c.write()'")
|
||||||
|
|
||||||
def restart_sssd(self):
|
def restart_sssd(self):
|
||||||
self.log.command('systemctl restart sssd.service')
|
self.log.command('systemctl restart sssd.service')
|
||||||
|
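Review bot: The new `'cat ${} >> /etc/sssd/pki/sssd_auth_ca_db.pem'.format(self.single_ca_cert_variable_name)` step in the second hunk appends each CA file verbatim, so an input PEM without a trailing newline fuses its END marker with the next cert's BEGIN line and the OpenSSL-based SSSD reader is likely to skip that trust anchor silently; a DER or otherwise unparseable file is accepted just as quietly, and every re-run of the generated script appends duplicates to what is now the trust store for smart card logon. Assuming the openssl CLI is present on the client, I would re-emit each cert so it is validated and normalized, `'openssl x509 -in "${}" >> /etc/sssd/pki/sssd_auth_ca_db.pem'.format(self.single_ca_cert_variable_name)`, and consider truncating the bundle before the loop with `self.log.command(': > /etc/sssd/pki/sssd_auth_ca_db.pem')` so stale or duplicate CAs do not accumulate across runs. Quoting the expansion also keeps certificate paths containing spaces intact, which the unquoted `cat ${}` form does not. The enclosing `for_loop` and `upload_smartcard_ca_certificates_to_systemwide_db` begin in the first hunk and the method body continues between the two hunks, outside this one.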