Add ipa-advise plugins for legacy clients

Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.

Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672

freeipa.spec.in

@@ -630,6 +630,9 @@ fi
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
+%dir %{_usr}/share/ipa/advise
+%dir %{_usr}/share/ipa/advise/legacy
+%{_usr}/share/ipa/advise/legacy/*.template
 %dir %{_usr}/share/ipa/ffextension
 %{_usr}/share/ipa/ffextension/bootstrap.js
 %{_usr}/share/ipa/ffextension/install.rdf

install/configure.ac

@@ -85,6 +85,8 @@ AC_CONFIG_FILES([
     html/Makefile
     migration/Makefile
     share/Makefile
+    share/advise/Makefile
+    share/advise/legacy/Makefile
     ui/Makefile
     ui/src/Makefile
     ui/src/libs/Makefile

install/share/Makefile.am

@@ -1,5 +1,9 @@
 NULL =
 
+SUBDIRS =  				\
+	advise				\
+	$(NULL)
+
 appdir = $(IPA_DATA_DIR)
 app_DATA =				\
 	05rfc2247.ldif			\

install/share/advise/Makefile.am

@@ -0,0 +1,17 @@
+NULL =
+
+SUBDIRS =  				\
+	legacy				\
+	$(NULL)
+
+appdir = $(IPA_DATA_DIR)/advise
+app_DATA =				\
+	$(NULL)
+
+EXTRA_DIST =				\
+	$(app_DATA)			\
+	$(NULL)
+
+MAINTAINERCLEANFILES =			\
+	*~				\
+	Makefile.in

install/share/advise/legacy/Makefile.am

@@ -0,0 +1,15 @@
+NULL =
+
+appdir = $(IPA_DATA_DIR)/advise/legacy
+app_DATA =				\
+	sssd.conf.template		\
+	pam.conf.template		\
+	$(NULL)
+
+EXTRA_DIST =				\
+	$(app_DATA)			\
+	$(NULL)
+
+MAINTAINERCLEANFILES =			\
+	*~				\
+	Makefile.in

install/share/advise/legacy/pam.conf.template

@@ -0,0 +1,22 @@
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so nullok try_first_pass
+auth        requisite     pam_succeed_if.so uid >= 500 quiet
+auth        sufficient    pam_sss.so use_first_pass
+auth        required      pam_deny.so
+
+account     required      pam_unix.so broken_shadow
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+account     required      pam_permit.so
+
+password    requisite     pam_cracklib.so try_first_pass retry=3 type=
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient    pam_sss.so use_authtok
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
+session     optional      pam_sss.so

install/share/advise/legacy/sssd.conf.template

@@ -0,0 +1,13 @@
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = default
+re_expression = (?P<name>.+)
+
+[domain/default]
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldap://$IPA_SERVER_HOSTNAME
+ldap_search_base = cn=compat,$BASE_DN
+ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt

ipaserver/advise/plugins/legacy_clients.py

@@ -0,0 +1,163 @@
+# Authors: Ana Krivokapic <akrivoka@redhat.com>
+#
+# Copyright (C) 2013  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+import os
+
+from ipalib import api
+from ipalib.frontend import Advice
+from ipapython.ipautil import template_file, SHARE_DIR
+
+
+class config_base_sssd_before_1_9(Advice):
+    def check_compat_plugin(self):
+        compat_is_enabled = api.Command['compat_is_enabled']()['result']
+        if not compat_is_enabled:
+            self.log.comment(
+                'Schema Compatibility plugin has not been configured '
+                'on this server. To configure it, run '
+                '"ipa-adtrust-install --enable-compat"\n'
+            )
+
+    def configure_ca_cert(self):
+        self.log.comment('Please note that this script assumes '
+                         '/etc/openldap/cacerts as the default CA certificate '
+                         'location. If this value is different on your system '
+                         'the script needs to be modified accordingly.\n')
+
+        cacertdir_rehash = ('https://fedorahosted.org/authconfig/browser/'
+                            'cacertdir_rehash?format=txt')
+        self.log.comment('Download the CA certificate of the IPA server')
+        self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
+        self.log.command('wget http://%s/ipa/config/ca.crt -O '
+                         '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
+
+        self.log.comment('Generate hashes for the openldap library')
+        self.log.command('which cacertdir_rehash')
+        self.log.command('if [ $? -ne 0 ] ; then')
+        self.log.command(' wget "%s" -O cacertdir_rehash ;' % cacertdir_rehash)
+        self.log.command(' chmod 755 ./cacertdir_rehash ;')
+        self.log.command(' ./cacertdir_rehash /etc/openldap/cacerts/ ;')
+        self.log.command('else')
+        self.log.command(' cacertdir_rehash /etc/openldap/cacerts/ ;')
+        self.log.command('fi\n')
+
+    def configure_and_start_sssd(self):
+        sub_dict = dict(
+            IPA_SERVER_HOSTNAME=api.env.host,
+            BASE_DN=','. join(['dc=%s' % c for c in api.env.domain.split('.')])
+        )
+        template = os.path.join(
+            SHARE_DIR,
+            'advise',
+            'legacy',
+            'sssd.conf.template'
+        )
+        sssd_conf = template_file(template, sub_dict)
+
+        self.log.comment('Configure SSSD')
+        self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
+                         '%s\nEOF' % sssd_conf)
+        self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
+
+        self.log.comment('Start SSSD')
+        self.log.command('service sssd start')
+
+
+class config_redhat_sssd_before_1_9(config_base_sssd_before_1_9):
+    """
+    Legacy client configuration for Red Hat based platforms.
+    """
+    description = ('Instructions for configuring a system with an old version '
+                   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
+                   'instructions is targeted for platforms that include '
+                   'the authconfig utility, which are all Red Hat based '
+                   'platforms.')
+
+    def get_info(self):
+        self.check_compat_plugin()
+
+        self.log.comment('Install required packages via yum')
+        self.log.command('yum install -y sssd authconfig wget openssl\n')
+
+        self.configure_ca_cert()
+
+        self.log.comment('Use the authconfig to configure nsswitch.conf '
+                         'and the PAM stack')
+        self.log.command('authconfig --updateall --enablesssd '
+                         '--enablesssdauth\n')
+
+        self.configure_and_start_sssd()
+
+
+api.register(config_redhat_sssd_before_1_9)
+
+
+class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
+    """
+    Legacy client configuration for non Red Hat based platforms.
+    """
+    description = ('Instructions for configuring a system with an old version '
+                   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
+                   'instructions is targeted for platforms that do not '
+                   'include the authconfig utility.')
+
+    def get_info(self):
+        self.check_compat_plugin()
+
+        with open(os.path.join(
+                SHARE_DIR,
+                'advise',
+                'legacy',
+                'pam.conf.template')) as fd:
+            pam_conf = fd.read()
+
+        self.log.comment('Install required packages using your system\'s '
+                         'package manager. E.g:')
+        self.log.command('apt-get -y install sssd wget openssl\n')
+
+        self.configure_ca_cert()
+
+        self.log.comment('Configure nsswitch.conf. Append sss to the lines '
+                         'beginning with passwd and group. ')
+        self.log.command('grep "^passwd.*sss" /etc/nsswitch.conf')
+        self.log.command('if [ $? -ne 0 ] ; then sed -i '
+                         '\'/^passwd/s|$| sss|\' /etc/nsswitch.conf ; fi')
+        self.log.command('grep "^group.*sss" /etc/nsswitch.conf')
+        self.log.command('if [ $? -ne 0 ] ; then sed -i '
+                         '\'/^group/s|$| sss|\' /etc/nsswitch.conf ; fi\n')
+
+        self.log.comment('Configure PAM. Configuring the PAM stack differs on '
+                         'particular distributions. The resulting PAM stack '
+                         'should look like this:')
+        self.log.command('cat > /etc/pam.conf << EOF \n'
+                         '%s\nEOF\n' % pam_conf)
+
+        self.configure_and_start_sssd()
+
+    def configure_ca_cert(self):
+        super(config_generic_sssd_before_1_9, self).configure_ca_cert()
+
+        self.log.comment('Configure ldap.conf. Set the value of '
+                         'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure '
+                         'that the location of ldap.conf file matches your '
+                         'system\'s configuration.')
+        self.log.command('echo "TLS_CACERTDIR /etc/openldap/cacerts" >> '
+                         '/etc/ldap/ldap.conf\n')
+
+
+api.register(config_generic_sssd_before_1_9)