On Thu, 17 Oct 2013, Ana Krivokapic wrote:

Hello,

This patch adds ipa-advise plugins for configuring legacy clients using
nss-pam-ldapd.

https://fedorahosted.org/freeipa/ticket/3672
Thanks. Looks good. I have one comment below

+class config_freebsd_nss_pam_ldapd(config_base_legacy_client):
+    """
+    Legacy client configuration for FreeBSD, using nss-pam-ldapd.
+    """
+    description = ('Instructions for configuring a FreeBSD system with '
+                   'nss-pam-ldapd. ')
+
+    def get_info(self):
+        uri, base = self.get_uri_and_base()
+        cacrt = '/usr/local/etc/ipatest.crt'
Is the cert file name correct? 'ipatest.crt'? Perhaps 'ipaca.crt'
would be a better name?


+
+        self.check_compat_plugin()
+
+        with open(os.path.join(
+                SHARE_DIR,
+                'advise',
+                'legacy',
+                'pam_conf_sshd.template')) as fd:
+            pam_conf = fd.read()
+
+        self.log.comment('Install required packages')
+        self.log.command('pkg_add -r nss-pam-ldapd curl\n')
+
+        self.configure_ca_cert(cacrt)
+
+        self.log.comment('Configure nsswitch.conf')
+        self.log.command('sed -i \'\' -e \'s/^passwd:/passwd: files ldap/\' '
+                         '/etc/nsswitch.conf')
+        self.log.command('sed -i \'\' -e \'s/^group:/group: files ldap/\' '
+                         '/etc/nsswitch.conf\n')
+
+        self.log.comment('Configure PAM stack for the sshd service')
+        self.log.command('cat > /etc/pam.d/sshd << EOF \n'
+                         '%s\nEOF\n' % pam_conf)
+
+        self.log.comment('Add automated start of nslcd to /etc/rc.conf')
+        self.log.command('echo \'nslcd_enable="YES"\nnslcd_debug="NO"\' >> '
+                         '/etc/rc.conf')
+
+        self.log.comment('Configure nslcd.conf:')
+        self.log.command('echo "uid nslcd\n'
+                         'gid nslcd\n'
+                         'uri %s\n'
+                         'base %s\n'
+                         'scope sub\n'
+                         'base group cn=groups,%s\n'
+                         'base passwd cn=users,%s\n'
+                         'base shadow cn=users,%s\n'
+                         'ssl start_tls\n'
+                         'tls_cacertfile %s\n" >  /usr/local/etc/nslcd.conf'
+                         % ((uri,) + (base,)*4 + (cacrt,)))
+
+        self.log.comment('Configure ldap.conf:')
+        self.log.command('echo "uri %s\nbase %s\nssl start_tls\ntls_cacert %s"'
+                         '> /usr/local/etc/ldap.conf' % (uri, base, cacrt))
+
+        self.log.comment('Restart nslcd')
+        self.log.command('/usr/local/etc/rc.d/nslcd restart')
+
+    def configure_ca_cert(self, cacrt):
+        self.log.comment('Download the CA certificate of the IPA server')
+        self.log.command('curl -k https://%s/ipa/config/ca.crt > '
+                         '%s' % (api.env.host, cacrt))
+
+
+api.register(config_freebsd_nss_pam_ldapd)
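Review bot: `configure_ca_cert` fetches the CA certificate with `curl -k`, so the trust anchor that every later `ssl start_tls` / `tls_cacertfile` line in nslcd.conf and ldap.conf relies on is itself obtained over an unauthenticated TLS connection, and an attacker on the path at install time can hand the client a CA of their choosing. Since the advice output is what an admin will paste, it should at least tell them to confirm the certificate out of band before the rest of the steps run, e.g. after the curl command add `self.log.comment('Verify the CA certificate fingerprint against the IPA server before trusting it')` and `self.log.command('openssl x509 -in %s -noout -fingerprint -sha256' % cacrt)`. Where the IPA web server certificate is already trusted by the client, dropping `-k` would be preferable to documenting the risk. The whole class body is within the quoted hunk.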

--
/ Alexander Bokovoy
