Test hints: 1) Test with the nss-ldap package: install nss-ldap on the client machine, install the IPA client with the --no-sssd option, then check that `id admin` works and that logging in to the machine works (also after a reboot, i.e. the correct services are started on boot). 2) Test with nss-pam-ldapd: uninstall nss-ldap, install nss-pam-ldapd, install the IPA client with the --no-sssd option, then check that `id admin` and logging in to the machine work. 3) Test with SSSD: install the IPA client without --no-sssd, then check that `id admin` and logging in to the machine work.
--- Client installation with the --no-sssd option was broken when the client used nss-pam-ldapd instead of nss_ldap. The main issue was authconfig rewriting /etc/nslcd.conf after ipa-client-install had already configured it. This has been fixed by changing the order of the installation steps so that the non-SSSD LDAP configuration is written after the authconfig calls. Additionally, the nslcd daemon, which nss-pam-ldapd needs in order to function, is now started and enabled on boot. https://fedorahosted.org/freeipa/ticket/1235
>From bf81eec9abd7686124a5184a3c5da35d5bf8f5c2 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 18 May 2011 17:06:15 +0200
Subject: [PATCH] Fix support for nss-pam-ldapd
Client installation with --no-sssd option was broken if the client was based on a nss-pam-ldap instead of nss_ldap. The main issue is with authconfig rewriting the nslcd.conf after it has been configured by ipa-client-install. This has been fixed by changing an order of installation steps. Additionally, nslcd daemon needed for nss-pam-ldap function is correctly started. https://fedorahosted.org/freeipa/ticket/1235
---
 ipa-client/ipa-install/ipa-client-install | 51 +++++++++++++++++++++++------
 1 files changed, 41 insertions(+), 10 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 67196022acb3057ebb74121550193dbb3010dbc9..467638940d86891b4e100106f5daf34363bb55ae 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -249,6 +249,20 @@ def uninstall(options, env):
 # this is optional service, just log
 logging.info("NSCD daemon is not installed, skip configuration")
+ if ipautil.service_is_installed('nslcd'):
+ try:
+ ipautil.service_stop('nslcd')
+ except:
+ print "Failed to stop the NSLCD daemon"
+
+ try:
+ ipautil.chkconfig_off('nslcd')
+ except:
+ print "Failed to disable automatic startup of the NSLCD daemon"
+ else:
+ # this is optional service, just log
+ logging.info("NSLCD daemon is not installed, skip configuration")
+
 if not options.unattended:
 print "The original nsswitch.conf configuration has been restored."
 print "You may need to restart services or reboot the machine."
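Review bot: The two new `except:` clauses in the nslcd block of uninstall() are bare, so they also swallow KeyboardInterrupt and SystemExit and throw away the error text, while the nslcd block this same patch adds to configure_nslcd_conf uses `except Exception, e:` and logs `str(e)`. Make the uninstall side consistent: `except Exception, e:` followed by `print "Failed to stop the NSLCD daemon: %s" % str(e)`, and the same for the chkconfig_off branch, so an operator can see why the daemon is still running or still enabled after removal. Treating both steps as best-effort and not changing uninstall's outcome on failure matches the NSCD branch just above and seems intended. uninstall() starts and ends outside this hunk.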
@@ -365,6 +379,20 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server,
 print "Creation of %s: %s" % ('/etc/nslcd.conf', str(e))
 return 1
+ if ipautil.service_is_installed('nslcd'):
+ try:
+ ipautil.service_restart('nslcd')
+ except Exception, e:
+ logging.error("nslcd failed to restart: %s" % str(e))
+
+ try:
+ ipautil.chkconfig_on('nslcd')
+ except Exception, e:
+ print "Failed to configure automatic startup of the NSLCD daemon"
+ logging.error("Failed to enable automatic startup of the NSLCD daemon: %s" % str(e))
+ else:
+ logging.debug("NSLCD daemon is not installed, skip configuration")
+
 return 0
 def hardcode_ldap_server(cli_server):
@@ -856,12 +884,6 @@ def main():
 if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 return 1
 print "Configured /etc/sssd/sssd.conf"
- else:
- if configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options):
- return 1
- if configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options):
- return 1
- print "Configured LDAP"
 # Add the CA to the default NSS database and trust it
 run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
@@ -922,6 +944,19 @@ def main():
 run(cmd)
 print message
+ #Modify pam to add pam_krb5
+ run(["/usr/sbin/authconfig", "--enablekrb5", "--update", "--nostart"])
+ print "Kerberos 5 enabled"
+
+ # Update non-SSSD LDAP configuration after authconfig calls as it would
+ # change its configuration otherways
+ if not options.sssd:
+ if configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options):
+ return 1
+ if configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options):
+ return 1
+ print "LDAP configured"
+
 #Check that nss is working properly
 if not options.on_master:
 n = 0
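Review bot: In the nslcd block added at the end of configure_nslcd_conf, a failed `ipautil.service_restart('nslcd')` is only written to the log and the function still returns 0, so main() goes on to print "LDAP configured" and the later NSS check runs against a daemon that is not serving the freshly written /etc/nslcd.conf. At minimum mirror the chkconfig_on branch and tell the operator on the console as well, `print "Failed to restart the NSLCD daemon: %s" % str(e)`; since the commit message says a running nslcd is required for the --no-sssd client to work, a `return 1` there would be the more honest outcome. The restart is the only thing that makes the new configuration take effect, so silently continuing past it hides exactly the failure this patch is meant to fix. configure_nslcd_conf starts outside this hunk.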
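Review bot: The `return 1` paths in the new `if not options.sssd:` block now execute after `authconfig --enablekrb5 --update --nostart` has already rewritten the PAM stack, whereas before this patch an LDAP configuration failure aborted before pam_krb5 was enabled; unless main's caller rolls that back (nothing visible in this hunk does), a failed --no-sssd install leaves PAM changed while NSS does not yet point at IPA. Either invoke the existing rollback/uninstall path before returning or at least print that the machine is now partially configured. The ordering is load-bearing and is only protected by a comment with a typo; reword it as `# Configure non-SSSD LDAP only after the last authconfig call: authconfig --update` / `# rewrites /etc/nslcd.conf and would otherwise clobber our settings.` so anyone adding another authconfig invocation below this point sees the dependency. main() starts and ends outside this hunk.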
@@ -946,10 +981,6 @@ def main():
 except Exception, e:
 sys.exit("Adding hardcoded server name to /etc/ldap.conf failed: " + str(e))
- #Modify pam to add pam_krb5
- run(["/usr/sbin/authconfig", "--enablekrb5", "--update", "--nostart"])
- print "Kerberos 5 enabled"
-
 if options.conf_ntp and not options.on_master:
 if options.ntp_server:
 ntp_server = options.ntp_server
--
1.7.5.2