diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index fe3f0bb2b..28f23ecc5 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -45,6 +45,7 @@ from ipalib.util import (
     verify_host_resolvable,
 )
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
 from ipapython import certdb, kernel_keyring, ipaldap, ipautil
@@ -1036,8 +1037,13 @@ def sssd_enable_service(sssdconfig, name):
     return sssdconfig.get_service(name)
 
 
-def sssd_enable_ifp(sssdconfig):
+def sssd_enable_ifp(sssdconfig, allow_httpd=False):
     """Enable and configure libsss_simpleifp plugin
+
+    Allow the ``ipaapi`` user to access IFP. In case allow_httpd is true,
+    the Apache HTTPd user is also allowed to access IFP. For smart card
+    authentication, mod_lookup_identity must be allowed to access user
+    information.
     """
     service = sssd_enable_service(sssdconfig, 'ifp')
     if service is None:
@@ -1056,6 +1062,8 @@ def sssd_enable_ifp(sssdconfig):
     uids.add('root')
     # allow IPA API to access IFP
     uids.add(IPAAPI_USER)
+    if allow_httpd:
+        uids.add(constants.HTTPD_USER)
     service.set_option('allowed_uids', ', '.join(sorted(uids)))
     sssdconfig.save_service(service)
 
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 71bdd3670..4de7fd974 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
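Review bot: The new `allow_httpd` branch in the third hunk widens `allowed_uids`, i.e. which local uids may query the IFP D-Bus interface, but unlike the `uids.add(IPAAPI_USER)` line just above it carries no comment saying why that grant is needed. For consistency with the surrounding style, and so a later reader does not strip it as an unexplained privilege, add `# allow Apache (mod_lookup_identity) to access IFP for smart card auth` above `if allow_httpd:`. The function's lines that build `uids` before `uids.add('root')` are outside the hunk, so whether previously configured uids are preserved or replaced cannot be judged here; the docstring in the second hunk could state that explicitly. Note also that the default `allow_httpd=False` keeps existing callers' behaviour unchanged, which is the right default for a grant like this.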
@@ -1407,8 +1407,17 @@ def sssd_update():
     domain.set_option('ipa_server_mode', 'True')
     domain.set_option('ipa_server', api.env.host)
     sssdconfig.save_domain(domain)
+    # check if service has ok_to_auth_as_delegate
+    service = 'HTTP/{}'.format(api.env.host)
+    result = api.Command.service_show(service, all=True)
+    flag = result['result'].get('ipakrboktoauthasdelegate', False)
+    if flag:
+        logger.debug(
+            "%s has ok_to_auth_as_delegate, allow Apache to access IFP",
+            services
+        )
     # enable and configure IFP plugin
-    sssd_enable_ifp(sssdconfig)
+    sssd_enable_ifp(sssdconfig, allow_httpd=flag)
     # write config and restart service
     sssdconfig.write(paths.SSSD_CONF)
     sssd = services.service('sssd', api)
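Review bot: The `logger.debug` call passes the `services` module as the `%s` argument instead of the `service` principal string computed two lines earlier, so the log line that is meant to record which principal triggered the IFP grant for Apache will print a module repr; change the argument to `service`. Since this message is the only trace of why `allowed_uids` was widened during upgrade, it is worth getting right. The `ipakrboktoauthasdelegate` lookup is hedged with a default of `False`, which is the safe direction, but whether `api.Command.service_show` can raise for a missing `HTTP/` entry on this path cannot be judged from the hunk; `sssd_update` starts and ends outside it.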