IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add ipa-advise plugins for nss-pam-ldapd legacy clients

Browse Source 
Add three new ipa-advise plugins, to facilitate configuration of
legacy clients using nss-pam-ldapd:

* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd

https://fedorahosted.org/freeipa/ticket/3672
This commit is contained in:
Ana Krivokapic
2013-10-17 21:58:00 +02:00
committed by Petr Viktorin
parent c97f4e8a66
commit 92cd987e0a
6 changed files with 250 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
install/share/advise/legacy/Makefile.am
View File

@@ -3,7 +3,9 @@ NULL =
appdir = $(IPA_DATA_DIR)/advise/legacy appdir = $(IPA_DATA_DIR)/advise/legacy
app_DATA = \ app_DATA = \
sssd.conf.template \ sssd.conf.template \
pam.conf.template \ pam.conf.sssd.template \
pam.conf.nss_pam_ldapd.template \
pam_conf_sshd.template \
$(NULL) $(NULL)
EXTRA_DIST = \ EXTRA_DIST = \

22
install/share/advise/legacy/pam.conf.nss_pam_ldapd.template Normal file
View File

@@ -0,0 +1,22 @@
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

0
install/share/advise/legacy/pam.conf.template → install/share/advise/legacy/pam.conf.sssd.template
View File

25
install/share/advise/legacy/pam_conf_sshd.template Normal file
View File

@@ -0,0 +1,25 @@
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

4
install/share/advise/legacy/sssd.conf.template
View File

@@ -8,6 +8,6 @@ re_expression = (?P<name>.+)
cache_credentials = True cache_credentials = True
id_provider = ldap id_provider = ldap
auth_provider = ldap auth_provider = ldap
ldap_uri = ldap://$IPA_SERVER_HOSTNAME ldap_uri = $URI
ldap_search_base = cn=compat,$BASE_DN ldap_search_base = $BASE
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt

212
ipaserver/advise/plugins/legacy_clients.py
View File

@@ -23,7 +23,12 @@ from ipalib.frontend import Advice
from ipapython.ipautil import template_file, SHARE_DIR from ipapython.ipautil import template_file, SHARE_DIR
class config_base_sssd_before_1_9(Advice): class config_base_legacy_client(Advice):
def get_uri_and_base(self):
uri = 'ldap://%s' % api.env.host
base = 'cn=compat,%s' % api.env.basedn
return uri, base
def check_compat_plugin(self): def check_compat_plugin(self):
compat_is_enabled = api.Command['compat_is_enabled']()['result'] compat_is_enabled = api.Command['compat_is_enabled']()['result']
if not compat_is_enabled: if not compat_is_enabled:
@@ -57,17 +62,14 @@ class config_base_sssd_before_1_9(Advice):
self.log.command('fi\n') self.log.command('fi\n')
def configure_and_start_sssd(self): def configure_and_start_sssd(self):
sub_dict = dict( uri, base = self.get_uri_and_base()
IPA_SERVER_HOSTNAME=api.env.host,
BASE_DN=','. join(['dc=%s' % c for c in api.env.domain.split('.')])
)
template = os.path.join( template = os.path.join(
SHARE_DIR, SHARE_DIR,
'advise', 'advise',
'legacy', 'legacy',
'sssd.conf.template' 'sssd.conf.template'
) )
sssd_conf = template_file(template, sub_dict) sssd_conf = template_file(template, dict(URI=uri, BASE=base))
self.log.comment('Configure SSSD') self.log.comment('Configure SSSD')
self.log.command('cat > /etc/sssd/sssd.conf << EOF \n' self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
@@ -78,9 +80,9 @@ class config_base_sssd_before_1_9(Advice):
self.log.command('service sssd start') self.log.command('service sssd start')
class config_redhat_sssd_before_1_9(config_base_sssd_before_1_9): class config_redhat_sssd_before_1_9(config_base_legacy_client):
""" """
Legacy client configuration for Red Hat based platforms. Legacy client configuration for Red Hat based systems, using SSSD.
""" """
description = ('Instructions for configuring a system with an old version ' description = ('Instructions for configuring a system with an old version '
'of SSSD (1.5-1.8) as a FreeIPA client. This set of ' 'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
@@ -103,17 +105,25 @@ class config_redhat_sssd_before_1_9(config_base_sssd_before_1_9):
self.configure_and_start_sssd() self.configure_and_start_sssd()
def configure_ca_cert(self):
self.log.comment('NOTE: IPA certificate uses the SHA-256 hash '
'function. SHA-256 was introduced in RHEL5.2. '
'Therefore, clients older than RHEL5.2 will not be '
'able to interoperate with IPA server 3.x.')
super(config_redhat_sssd_before_1_9, self).configure_ca_cert()
api.register(config_redhat_sssd_before_1_9) api.register(config_redhat_sssd_before_1_9)
class config_generic_sssd_before_1_9(config_base_sssd_before_1_9): class config_generic_linux_sssd_before_1_9(config_base_legacy_client):
""" """
Legacy client configuration for non Red Hat based platforms. Legacy client configuration for non Red Hat based linux systems,
using SSSD.
""" """
description = ('Instructions for configuring a system with an old version ' description = ('Instructions for configuring a system with an old version '
'of SSSD (1.5-1.8) as a FreeIPA client. This set of ' 'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
'instructions is targeted for platforms that do not ' 'instructions is targeted for linux systems that do not '
'include the authconfig utility.') 'include the authconfig utility.')
def get_info(self): def get_info(self):
@@ -123,7 +133,7 @@ class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
SHARE_DIR, SHARE_DIR,
'advise', 'advise',
'legacy', 'legacy',
'pam.conf.template')) as fd: 'pam.conf.sssd.template')) as fd:
pam_conf = fd.read() pam_conf = fd.read()
self.log.comment('Install required packages using your system\'s ' self.log.comment('Install required packages using your system\'s '
@@ -150,7 +160,7 @@ class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
self.configure_and_start_sssd() self.configure_and_start_sssd()
def configure_ca_cert(self): def configure_ca_cert(self):
super(config_generic_sssd_before_1_9, self).configure_ca_cert() super(config_generic_linux_sssd_before_1_9, self).configure_ca_cert()
self.log.comment('Configure ldap.conf. Set the value of ' self.log.comment('Configure ldap.conf. Set the value of '
'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure ' 'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure '
@@ -160,4 +170,178 @@ class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
'/etc/ldap/ldap.conf\n') '/etc/ldap/ldap.conf\n')
api.register(config_generic_sssd_before_1_9) api.register(config_generic_linux_sssd_before_1_9)
class config_redhat_nss_pam_ldapd(config_base_legacy_client):
"""
Legacy client configuration for Red Hat based systems,
using nss-pam-ldapd.
"""
description = ('Instructions for configuring a system with nss-pam-ldapd '
'as a FreeIPA client. This set of instructions is targeted '
'for platforms that include the authconfig utility, which '
'are all Red Hat based platforms.')
def get_info(self):
uri, base = self.get_uri_and_base()
self.check_compat_plugin()
self.log.comment('Install required packages via yum')
self.log.command('yum install -y wget openssl nss-pam-ldapd pam_ldap '
'authconfig\n')
self.configure_ca_cert()
self.log.comment('Use the authconfig to configure nsswitch.conf '
'and the PAM stack')
self.log.command('authconfig --updateall --enableldap '
'--enableldapauth --ldapserver=%s --ldapbasedn=%s\n'
% (uri, base))
def configure_ca_cert(self):
self.log.comment('NOTE: IPA certificate uses the SHA-256 hash '
'function. SHA-256 was introduced in RHEL5.2. '
'Therefore, clients older than RHEL5.2 will not be '
'able to interoperate with IPA server 3.x.')
super(config_redhat_nss_pam_ldapd, self).configure_ca_cert()
api.register(config_redhat_nss_pam_ldapd)
class config_generic_linux_nss_pam_ldapd(config_base_legacy_client):
"""
Legacy client configuration for non Red Hat based linux systems,
using nss-pam-ldapd.
"""
description = ('Instructions for configuring a system with nss-pam-ldapd. '
'This set of instructions is targeted for linux systems '
'that do not include the authconfig utility.')
def get_info(self):
uri, base = self.get_uri_and_base()
self.check_compat_plugin()
with open(os.path.join(
SHARE_DIR,
'advise',
'legacy',
'pam.conf.nss_pam_ldapd.template')) as fd:
pam_conf = fd.read()
nslcd_conf = 'uri %s\nbase %s' % (uri, base)
self.log.comment('Install required packages using your system\'s '
'package manager. E.g:')
self.log.command('apt-get -y install wget openssl libnss-ldapd '
'libpam-ldapd nslcd\n')
self.configure_ca_cert()
self.log.comment('Configure nsswitch.conf. Append ldap to the lines '
'beginning with passwd and group. ')
self.log.command('grep "^passwd.*ldap" /etc/nsswitch.conf')
self.log.command('if [ $? -ne 0 ] ; then sed -i '
'\'/^passwd/s|$| ldap|\' /etc/nsswitch.conf ; fi')
self.log.command('grep "^group.*ldap" /etc/nsswitch.conf')
self.log.command('if [ $? -ne 0 ] ; then sed -i '
'\'/^group/s|$| ldap|\' /etc/nsswitch.conf ; fi\n')
self.log.comment('Configure PAM. Configuring the PAM stack differs on '
'particular distributions. The resulting PAM stack '
'should look like this:')
self.log.command('cat > /etc/pam.conf << EOF \n'
'%s\nEOF\n' % pam_conf)
self.log.comment('Configure nslcd.conf:')
self.log.command('cat > /etc/nslcd.conf << EOF \n'
'%s\nEOF\n' % nslcd_conf)
self.log.comment('Configure pam_ldap.conf:')
self.log.command('cat > /etc/pam_ldap.conf << EOF \n'
'%s\nEOF\n' % nslcd_conf)
self.log.comment('Stop nscd and restart nslcd')
self.log.command('service nscd stop && service nslcd restart')
def configure_ca_cert(self):
super(config_generic_linux_nss_pam_ldapd, self).configure_ca_cert()
self.log.comment('Configure ldap.conf. Set the value of '
'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure '
'that the location of ldap.conf file matches your '
'system\'s configuration.')
self.log.command('echo "TLS_CACERTDIR /etc/openldap/cacerts" >> '
'/etc/ldap/ldap.conf\n')
api.register(config_generic_linux_nss_pam_ldapd)
class config_freebsd_nss_pam_ldapd(config_base_legacy_client):
"""
Legacy client configuration for FreeBSD, using nss-pam-ldapd.
"""
description = ('Instructions for configuring a FreeBSD system with '
'nss-pam-ldapd. ')
def get_info(self):
uri, base = self.get_uri_and_base()
cacrt = '/usr/local/etc/ipa.crt'
self.check_compat_plugin()
with open(os.path.join(
SHARE_DIR,
'advise',
'legacy',
'pam_conf_sshd.template')) as fd:
pam_conf = fd.read()
self.log.comment('Install required packages')
self.log.command('pkg_add -r nss-pam-ldapd curl\n')
self.configure_ca_cert(cacrt)
self.log.comment('Configure nsswitch.conf')
self.log.command('sed -i \'\' -e \'s/^passwd:/passwd: files ldap/\' '
'/etc/nsswitch.conf')
self.log.command('sed -i \'\' -e \'s/^group:/group: files ldap/\' '
'/etc/nsswitch.conf\n')
self.log.comment('Configure PAM stack for the sshd service')
self.log.command('cat > /etc/pam.d/sshd << EOF \n'
'%s\nEOF\n' % pam_conf)
self.log.comment('Add automated start of nslcd to /etc/rc.conf')
self.log.command('echo \'nslcd_enable="YES"\nnslcd_debug="NO"\' >> '
'/etc/rc.conf')
self.log.comment('Configure nslcd.conf:')
self.log.command('echo "uid nslcd\n'
'gid nslcd\n'
'uri %s\n'
'base %s\n'
'scope sub\n'
'base group cn=groups,%s\n'
'base passwd cn=users,%s\n'
'base shadow cn=users,%s\n'
'ssl start_tls\n'
'tls_cacertfile %s\n" > /usr/local/etc/nslcd.conf'
% ((uri,) + (base,)*4 + (cacrt,)))
self.log.comment('Configure ldap.conf:')
self.log.command('echo "uri %s\nbase %s\nssl start_tls\ntls_cacert %s"'
'> /usr/local/etc/ldap.conf' % (uri, base, cacrt))
self.log.comment('Restart nslcd')
self.log.command('/usr/local/etc/rc.d/nslcd restart')
def configure_ca_cert(self, cacrt):
self.log.comment('Download the CA certificate of the IPA server')
self.log.command('curl -k https://%s/ipa/config/ca.crt > '
'%s' % (api.env.host, cacrt))
api.register(config_freebsd_nss_pam_ldapd)