mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
ipa-adtrust-install: configure compatibility tree to serve trusted domain users
Enables support for trusted domains users for old clients through Schema Compatibility plugin. SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi-nis package needs to be installed and schema-compat-plugin will be configured to provide lookup of users and groups from trusted domains via SSSD on IPA server. These users and groups will be available under cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and groups to lower case. In addition to providing these users and groups through the compat tree, this option enables authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX. This authentication is related to PAM stack using 'system-auth' PAM service. If you have disabled HBAC rule 'allow_all', then make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service is not used directly by any other application, therefore it is safe to create one specifically to support trusted domain users via compatibility path. https://fedorahosted.org/freeipa/ticket/3567
This commit is contained in:
parent
f98054a31a
commit
e95a7b1b8d
@ -62,6 +62,9 @@ def parse_options():
|
||||
parser.add_option("--add-sids", dest="add_sids", action="store_true",
|
||||
default=False, help="Add SIDs for existing users and" \
|
||||
" groups as the final step")
|
||||
parser.add_option("--enable-compat",
|
||||
dest="enable_compat", default=False, action="store_true",
|
||||
help="Enable support for trusted domains for old clients")
|
||||
|
||||
options, args = parser.parse_args()
|
||||
safe_options = parser.get_safe_opts(options)
|
||||
@ -194,6 +197,15 @@ def ensure_admin_kinit(admin_name, admin_password):
|
||||
return False
|
||||
return True
|
||||
|
||||
def enable_compat_tree():
|
||||
print "Do you want to enable support for trusted domains in Schema Compatibility plugin?"
|
||||
print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users."
|
||||
print ""
|
||||
enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False)
|
||||
print ""
|
||||
return enable_compat
|
||||
|
||||
|
||||
def main():
|
||||
safe_options, options = parse_options()
|
||||
|
||||
@ -244,6 +256,9 @@ def main():
|
||||
sys.exit("Aborting installation.")
|
||||
break
|
||||
|
||||
if not options.unattended and not options.enable_compat:
|
||||
options.enable_compat = enable_compat_tree()
|
||||
|
||||
# Check we have a public IP that is associated with the hostname
|
||||
ip = None
|
||||
try:
|
||||
@ -363,7 +378,8 @@ def main():
|
||||
smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
|
||||
netbios_name, reset_netbios_name,
|
||||
options.rid_base, options.secondary_rid_base,
|
||||
options.no_msdcs, options.add_sids)
|
||||
options.no_msdcs, options.add_sids,
|
||||
enable_compat = options.enable_compat)
|
||||
smb.find_local_id_range()
|
||||
smb.create_instance()
|
||||
|
||||
|
@ -106,6 +106,29 @@ The password of the user with administrative privileges for this IPA server. Wil
|
||||
.TP
|
||||
The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
|
||||
.TP
|
||||
\fB\-\-enable\-compat\fR
|
||||
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
|
||||
SSSD supports trusted domains natively starting with version 1.9. For platforms that
|
||||
lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
|
||||
needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
|
||||
users and groups from trusted domains via SSSD on IPA server. These users and groups will be
|
||||
available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
|
||||
SSSD will normalize names of users and groups to lower case.
|
||||
.IP
|
||||
In addition to providing these users and groups through the compat tree, this option enables
|
||||
authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
|
||||
\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR.
|
||||
.IP
|
||||
LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
|
||||
This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
|
||||
If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
|
||||
to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
|
||||
rule to allow access to anyone to this rule on IPA masters.
|
||||
.IP
|
||||
As '\fBsystem\-auth\fR' PAM service is not used directly by any other
|
||||
application, it is safe to use it for trusted domain users via compatibility
|
||||
path.
|
||||
.TP
|
||||
.SH "EXIT STATUS"
|
||||
0 if the installation was successful
|
||||
|
||||
|
@ -664,6 +664,20 @@ class ADTRUSTInstance(service.Service):
|
||||
except Exception, e:
|
||||
root_logger.critical("Checking replicas for cifs principals failed with error '%s'" % e)
|
||||
|
||||
def __enable_compat_tree(self):
|
||||
try:
|
||||
compat_plugin_dn = DN("cn=Schema Compatibility,cn=plugins,cn=config")
|
||||
lookup_sssd_name = "schema-compat-lookup-sssd"
|
||||
for config in (("cn=users", "user"), ("cn=groups", "group")):
|
||||
entry_dn = DN(config[0], compat_plugin_dn)
|
||||
current = self.admin_conn.get_entry(entry_dn)
|
||||
lookup_sssd = current.get(lookup_sssd_name, [])
|
||||
if not(config[1] in lookup_sssd):
|
||||
current[lookup_sssd_name] = [config[1]]
|
||||
self.admin_conn.update_entry(entry_dn, current)
|
||||
except Exception, e:
|
||||
root_logger.critical("Enabling SSSD support in slapi-nis failed with error '%s'" % e)
|
||||
|
||||
def __start(self):
|
||||
try:
|
||||
self.start()
|
||||
@ -713,7 +727,7 @@ class ADTRUSTInstance(service.Service):
|
||||
|
||||
def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
|
||||
reset_netbios_name, rid_base, secondary_rid_base,
|
||||
no_msdcs=False, add_sids=False, smbd_user="samba"):
|
||||
no_msdcs=False, add_sids=False, smbd_user="samba", enable_compat=False):
|
||||
self.fqdn = fqdn
|
||||
self.ip_address = ip_address
|
||||
self.realm = realm_name
|
||||
@ -724,6 +738,7 @@ class ADTRUSTInstance(service.Service):
|
||||
self.secondary_rid_base = secondary_rid_base
|
||||
self.no_msdcs = no_msdcs
|
||||
self.add_sids = add_sids
|
||||
self.enable_compat = enable_compat
|
||||
self.smbd_user = smbd_user
|
||||
self.suffix = ipautil.realm_to_suffix(self.realm)
|
||||
self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
|
||||
@ -811,6 +826,11 @@ class ADTRUSTInstance(service.Service):
|
||||
self.step("configuring smbd to start on boot", self.__enable)
|
||||
self.step("adding special DNS service records", \
|
||||
self.__add_dns_service_records)
|
||||
|
||||
if self.enable_compat:
|
||||
self.step("enabling trusted domains support for older clients via Schema Compatibility plugin",
|
||||
self.__enable_compat_tree)
|
||||
|
||||
self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \
|
||||
self.__restart_dirsrv)
|
||||
self.step("adding fallback group", self.__add_fallback_group)
|
||||
|
Loading…
Reference in New Issue
Block a user