Fix support for nss-pam-ldapd

Client installation with --no-sssd option was broken if the client was based on a nss-pam-ldap instead of nss_ldap. The main issue is with authconfig rewriting the nslcd.conf after it has been configured by ipa-client-install. This has been fixed by changing an order of installation steps. Additionally, nslcd daemon needed for nss-pam-ldap function is correctly started. https://fedorahosted.org/freeipa/ticket/1235
2025-02-25 18:55:28 -06:00 · 2011-05-18 17:06:15 +02:00
parent 241ee334de
commit e773124474
1 changed files with 45 additions and 14 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -240,7 +240,7 @@ def uninstall(options, env):
            ipautil.service_restart('nscd')
        except:
            print "Failed to restart start the NSCD daemon"
-    
+
        try:
            ipautil.chkconfig_on('nscd')
        except:
@@ -249,6 +249,20 @@ def uninstall(options, env):
        # this is optional service, just log
        logging.info("NSCD daemon is not installed, skip configuration")

+    if ipautil.service_is_installed('nslcd'):
+        try:
+            ipautil.service_stop('nslcd')
+        except:
+            print "Failed to stop the NSLCD daemon"
+
+        try:
+            ipautil.chkconfig_off('nslcd')
+        except:
+            print "Failed to disable automatic startup of the NSLCD daemon"
+    else:
+        # this is optional service, just log
+        logging.info("NSLCD daemon is not installed, skip configuration")
+
    if not options.unattended:
        print "The original nsswitch.conf configuration has been restored."
        print "You may need to restart services or reboot the machine."
@@ -365,6 +379,20 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server,
            print "Creation of %s: %s" % ('/etc/nslcd.conf', str(e))
            return 1

+    if ipautil.service_is_installed('nslcd'):
+        try:
+            ipautil.service_restart('nslcd')
+        except Exception, e:
+            logging.error("nslcd failed to restart: %s" % str(e))
+
+        try:
+            ipautil.chkconfig_on('nslcd')
+        except Exception, e:
+            print "Failed to configure automatic startup of the NSLCD daemon"
+            logging.error("Failed to enable automatic startup of the NSLCD daemon: %s" % str(e))
+    else:
+        logging.debug("NSLCD daemon is not installed, skip configuration")
+
    return 0

 def hardcode_ldap_server(cli_server):
@@ -667,7 +695,7 @@ def main():
    ds = ipaclient.ipadiscovery.IPADiscovery()

    ret = ds.search(domain=options.domain, server=options.server)
-    
+
    if ret == -10:
        print >>sys.stderr, "Can't get the fully qualified name of this host"
        print >>sys.stderr, "Please check that the client is properly configured"
@@ -684,7 +712,7 @@ def main():
            cli_domain = user_input("Please provide the domain name of your IPA server (ex: example.com)", allow_empty = False)
            logging.debug("will use domain: %s\n", cli_domain)
        ret = ds.search(domain=cli_domain, server=options.server)
-        
+
    if not cli_domain:
        if ds.getDomainName():
            cli_domain = ds.getDomainName()
@@ -856,12 +884,6 @@ def main():
        if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
            return 1
        print "Configured /etc/sssd/sssd.conf"
-    else:
-        if configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options):
-            return 1
-        if configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options):
-            return 1
-        print "Configured LDAP"

    # Add the CA to the default NSS database and trust it
    run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
@@ -898,7 +920,7 @@ def main():
            print >>sys.stderr, "Failed to %s the NSCD daemon" % nscd_service_action
            if not options.sssd:
                print >>sys.stderr, "Caching of users/groups will not be available"
-    
+
        try:
            nscd_chkconfig_cmd('nscd')
        except:
@@ -922,6 +944,19 @@ def main():
    run(cmd)
    print message

+    #Modify pam to add pam_krb5
+    run(["/usr/sbin/authconfig", "--enablekrb5", "--update", "--nostart"])
+    print "Kerberos 5 enabled"
+
+    # Update non-SSSD LDAP configuration after authconfig calls as it would
+    # change its configuration otherways
+    if not options.sssd:
+        if configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options):
+            return 1
+        if configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options):
+            return 1
+        print "LDAP configured"
+
    #Check that nss is working properly
    if not options.on_master:
        n = 0
@@ -946,10 +981,6 @@ def main():
            except Exception, e:
                sys.exit("Adding hardcoded server name to /etc/ldap.conf failed: " + str(e))

-    #Modify pam to add pam_krb5
-    run(["/usr/sbin/authconfig", "--enablekrb5", "--update", "--nostart"])
-    print "Kerberos 5 enabled"
-
    if options.conf_ntp and not options.on_master:
        if options.ntp_server:
            ntp_server = options.ntp_server