ipa-adtrust-install: configure compatibility tree to serve trusted domain users

Enables  support  for  trusted  domains  users  for old clients through Schema
Compatibility plugin.  SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs  to  use  this  option.  When  enabled, slapi-nis  package  needs  to
be  installed  and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under  cn=users,cn=compat,$SUFFIX  and
cn=groups,cn=compat,$SUFFIX trees.  SSSD will normalize names of users and
groups to lower case.

In  addition  to  providing  these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

This authentication  is related to  PAM  stack  using  'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is  not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.

https://fedorahosted.org/freeipa/ticket/3567

ipaserver/install/adtrustinstance.py

@@ -664,6 +664,20 @@ class ADTRUSTInstance(service.Service):
         except Exception, e:
             root_logger.critical("Checking replicas for cifs principals failed with error '%s'" % e)
 
+    def __enable_compat_tree(self):
+        try:
+            compat_plugin_dn = DN("cn=Schema Compatibility,cn=plugins,cn=config")
+            lookup_sssd_name = "schema-compat-lookup-sssd"
+            for config in (("cn=users", "user"), ("cn=groups", "group")):
+                entry_dn = DN(config[0], compat_plugin_dn)
+                current = self.admin_conn.get_entry(entry_dn)
+                lookup_sssd = current.get(lookup_sssd_name, [])
+                if not(config[1] in lookup_sssd):
+                    current[lookup_sssd_name] = [config[1]]
+                    self.admin_conn.update_entry(entry_dn, current)
+        except Exception, e:
+            root_logger.critical("Enabling SSSD support in slapi-nis failed with error '%s'" % e)
+
     def __start(self):
         try:
             self.start()
@@ -713,7 +727,7 @@ class ADTRUSTInstance(service.Service):
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
               reset_netbios_name, rid_base, secondary_rid_base,
-              no_msdcs=False, add_sids=False, smbd_user="samba"):
+              no_msdcs=False, add_sids=False, smbd_user="samba", enable_compat=False):
         self.fqdn = fqdn
         self.ip_address = ip_address
         self.realm = realm_name
@@ -724,6 +738,7 @@ class ADTRUSTInstance(service.Service):
         self.secondary_rid_base = secondary_rid_base
         self.no_msdcs = no_msdcs
         self.add_sids = add_sids
+        self.enable_compat = enable_compat
         self.smbd_user = smbd_user
         self.suffix = ipautil.realm_to_suffix(self.realm)
         self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
@@ -811,6 +826,11 @@ class ADTRUSTInstance(service.Service):
         self.step("configuring smbd to start on boot", self.__enable)
         self.step("adding special DNS service records", \
                   self.__add_dns_service_records)
+
+        if self.enable_compat:
+            self.step("enabling trusted domains support for older clients via Schema Compatibility plugin",
+                      self.__enable_compat_tree)
+
         self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \
                   self.__restart_dirsrv)
         self.step("adding fallback group", self.__add_fallback_group)