On 10/18/2013 01:31 PM, Ana Krivokapic wrote:
> On 10/18/2013 09:48 AM, Martin Kosek wrote:
>> On 10/17/2013 10:29 PM, Alexander Bokovoy wrote:
>>> On Thu, 17 Oct 2013, Ana Krivokapic wrote:
>>>
>>>> Hello,
>>>>
>>>> This patch adds ipa-advise plugins for configuring legacy clients using
>>>> nss-pam-ldapd.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3672
>>> Thanks. Looks good. I have one comment below
>>>
>>>> +class config_freebsd_nss_pam_ldapd(config_base_legacy_client):
>>>> +    """
>>>> +    Legacy client configuration for FreeBSD, using nss-pam-ldapd.
>>>> +    """
>>>> +    description = ('Instructions for configuring a FreeBSD system with '
>>>> +                   'nss-pam-ldapd. ')
>>>> +
>>>> +    def get_info(self):
>>>> +        uri, base = self.get_uri_and_base()
>>>> +        cacrt = '/usr/local/etc/ipatest.crt'
>>> Is the cert file name is correct? 'ipatest.crt'? Perhaps 'ipaca.crt'
>>> would be a better name?
>> Or simply ipa.crt since it is the filename used everywhere else...
>>
>> Martin
> Cert file name changed to ipa.crt.
>
> Comment added about AES not being available on RHEL5.
>
> Updated patch attached.
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

This updated patch improves the note about possible issues regarding encryption
algorithms.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 2e84774f3a2045c48bbb3b229c9292793505681c Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <akriv...@redhat.com>
Date: Thu, 17 Oct 2013 21:58:00 +0200
Subject: [PATCH] Add ipa-advise plugins for nss-pam-ldapd legacy clients

Add three new ipa-advise plugins, to facilitate configuration of
legacy clients using nss-pam-ldapd:

* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd

https://fedorahosted.org/freeipa/ticket/3672
---
 install/share/advise/legacy/Makefile.am            |   4 +-
 ...nf.template => pam.conf.nss_pam_ldapd.template} |   8 +-
 .../{pam.conf.template => pam.conf.sssd.template}  |   0
 install/share/advise/legacy/pam_conf_sshd.template |  25 +++
 install/share/advise/legacy/sssd.conf.template     |   4 +-
 ipaserver/advise/plugins/legacy_clients.py         | 212 +++++++++++++++++++--
 6 files changed, 232 insertions(+), 21 deletions(-)
 copy install/share/advise/legacy/{pam.conf.template => pam.conf.nss_pam_ldapd.template} (79%)
 rename install/share/advise/legacy/{pam.conf.template => pam.conf.sssd.template} (100%)
 create mode 100644 install/share/advise/legacy/pam_conf_sshd.template

diff --git a/install/share/advise/legacy/Makefile.am b/install/share/advise/legacy/Makefile.am
index 73cd2718c343b2f3382a92f0ec8b19fb29a15c58..412185171beca7a74fcebd8bfd5cded8ca0ea62c 100644
--- a/install/share/advise/legacy/Makefile.am
+++ b/install/share/advise/legacy/Makefile.am
@@ -3,7 +3,9 @@ NULL =
 appdir = $(IPA_DATA_DIR)/advise/legacy
 app_DATA =				\
 	sssd.conf.template		\
-	pam.conf.template		\
+	pam.conf.sssd.template		\
+	pam.conf.nss_pam_ldapd.template		\
+	pam_conf_sshd.template		\
 	$(NULL)
 
 EXTRA_DIST =				\
diff --git a/install/share/advise/legacy/pam.conf.template b/install/share/advise/legacy/pam.conf.nss_pam_ldapd.template
similarity index 79%
copy from install/share/advise/legacy/pam.conf.template
copy to install/share/advise/legacy/pam.conf.nss_pam_ldapd.template
index bdd91821eb6d8259d7f03a6eac78fc264b0cafa8..9c60c27ef6c299a1ad2776b87ae4551fca3e1b64 100644
--- a/install/share/advise/legacy/pam.conf.template
+++ b/install/share/advise/legacy/pam.conf.nss_pam_ldapd.template
@@ -1,22 +1,22 @@
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
-auth        sufficient    pam_sss.so use_first_pass
+auth        sufficient    pam_ldap.so use_first_pass
 auth        required      pam_deny.so
 
 account     required      pam_unix.so broken_shadow
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
-account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 account     required      pam_permit.so
 
 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
-password    sufficient    pam_sss.so use_authtok
+password    sufficient    pam_ldap.so use_authtok
 password    required      pam_deny.so
 
 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
-session     optional      pam_sss.so
+session     optional      pam_ldap.so
diff --git a/install/share/advise/legacy/pam.conf.template b/install/share/advise/legacy/pam.conf.sssd.template
similarity index 100%
rename from install/share/advise/legacy/pam.conf.template
rename to install/share/advise/legacy/pam.conf.sssd.template
diff --git a/install/share/advise/legacy/pam_conf_sshd.template b/install/share/advise/legacy/pam_conf_sshd.template
new file mode 100644
index 0000000000000000000000000000000000000000..488f4998bae5ea95849a84f17a305d6fd8d1c872
--- /dev/null
+++ b/install/share/advise/legacy/pam_conf_sshd.template
@@ -0,0 +1,25 @@
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth            sufficient      pam_opie.so             no_warn no_fake_prompts
+auth            requisite       pam_opieaccess.so       no_warn allow_local
+#auth           sufficient      pam_krb5.so             no_warn try_first_pass
+#auth           sufficient      pam_ssh.so              no_warn try_first_pass
+auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn
+auth            required        pam_unix.so             no_warn try_first_pass
+
+# account
+account         required        pam_nologin.so
+#account        required        pam_krb5.so
+account         required        /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user
+account         required        pam_login_access.so
+account         required        pam_unix.so
+
+# session
+#session        optional        pam_ssh.so              want_agent
+session         required        pam_permit.so
+
+# password
+#password       sufficient      pam_krb5.so             no_warn try_first_pass
+password        required        pam_unix.so             no_warn try_first_pass
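Review bot: the line `account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user` makes the account phase fail open: when nslcd or the IPA server cannot be reached, LDAP-side account checks are skipped and the stack falls through to pam_login_access.so and pam_unix.so. That is a reasonable choice for keeping local logins working, but it should be stated in the template header comment (or in the advice comment that installs the file) so an administrator knows the trade-off. Two smaller points: the module is referenced by absolute path (`/usr/local/lib/pam_ldap.so`) while every other line uses the bare module name, and the `password` section contains only pam_unix.so, so a password change through sshd only updates the local password database.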
diff --git a/install/share/advise/legacy/sssd.conf.template b/install/share/advise/legacy/sssd.conf.template
index 28f9c115d8c2df1f669fca535d401e24d38fdf38..87084870a6c242038f75c9f984d13eb17282a6d0 100644
--- a/install/share/advise/legacy/sssd.conf.template
+++ b/install/share/advise/legacy/sssd.conf.template
@@ -8,6 +8,6 @@ re_expression = (?P<name>.+)
 cache_credentials = True
 id_provider = ldap
 auth_provider = ldap
-ldap_uri = ldap://$IPA_SERVER_HOSTNAME
-ldap_search_base = cn=compat,$BASE_DN
+ldap_uri = $URI
+ldap_search_base = $BASE
 ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
index f58af9b9f3ba9049a0160aabeae20a44f14ba195..c81fcf8b29d38aa34cadaab030b0e0095e980c5e 100644
--- a/ipaserver/advise/plugins/legacy_clients.py
+++ b/ipaserver/advise/plugins/legacy_clients.py
@@ -23,7 +23,12 @@
 from ipapython.ipautil import template_file, SHARE_DIR
 
 
-class config_base_sssd_before_1_9(Advice):
+class config_base_legacy_client(Advice):
+    def get_uri_and_base(self):
+        uri = 'ldap://%s' % api.env.host
+        base = 'cn=compat,%s' % api.env.basedn
+        return uri, base
+
     def check_compat_plugin(self):
         compat_is_enabled = api.Command['compat_is_enabled']()['result']
         if not compat_is_enabled:
@@ -57,17 +62,14 @@ def configure_ca_cert(self):
         self.log.command('fi\n')
 
     def configure_and_start_sssd(self):
-        sub_dict = dict(
-            IPA_SERVER_HOSTNAME=api.env.host,
-            BASE_DN=','. join(['dc=%s' % c for c in api.env.domain.split('.')])
-        )
+        uri, base = self.get_uri_and_base()
         template = os.path.join(
             SHARE_DIR,
             'advise',
             'legacy',
             'sssd.conf.template'
         )
-        sssd_conf = template_file(template, sub_dict)
+        sssd_conf = template_file(template, dict(URI=uri, BASE=base))
 
         self.log.comment('Configure SSSD')
         self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
@@ -78,9 +80,9 @@ def configure_and_start_sssd(self):
         self.log.command('service sssd start')
 
 
-class config_redhat_sssd_before_1_9(config_base_sssd_before_1_9):
+class config_redhat_sssd_before_1_9(config_base_legacy_client):
     """
-    Legacy client configuration for Red Hat based platforms.
+    Legacy client configuration for Red Hat based systems, using SSSD.
     """
     description = ('Instructions for configuring a system with an old version '
                    'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
@@ -103,17 +105,25 @@ def get_info(self):
 
         self.configure_and_start_sssd()
 
+    def configure_ca_cert(self):
+        self.log.comment('NOTE: IPA certificate uses the SHA-256 hash '
+                         'function. SHA-256 was introduced in RHEL5.2. '
+                         'Therefore, clients older than RHEL5.2 will not be '
+                         'able to interoperate with IPA server 3.x.')
+        super(config_redhat_sssd_before_1_9, self).configure_ca_cert()
+
 
 api.register(config_redhat_sssd_before_1_9)
 
 
-class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
+class config_generic_linux_sssd_before_1_9(config_base_legacy_client):
     """
-    Legacy client configuration for non Red Hat based platforms.
+    Legacy client configuration for non Red Hat based linux systems,
+    using SSSD.
     """
     description = ('Instructions for configuring a system with an old version '
                    'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
-                   'instructions is targeted for platforms that do not '
+                   'instructions is targeted for linux systems that do not '
                    'include the authconfig utility.')
 
     def get_info(self):
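Review bot: the NOTE about SHA-256 and RHEL5.2 added in `configure_ca_cert` of `config_redhat_sssd_before_1_9` is repeated verbatim in `config_redhat_nss_pam_ldapd` later in this patch; a single helper on `config_base_legacy_client` that both Red Hat plugins call would keep the wording from drifting. Since the NOTE is emitted from `configure_ca_cert`, it also only appears when the subclass calls `super()`; a short comment saying so would help the next person who overrides that method.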
@@ -123,7 +133,7 @@ def get_info(self):
                 SHARE_DIR,
                 'advise',
                 'legacy',
-                'pam.conf.template')) as fd:
+                'pam.conf.sssd.template')) as fd:
             pam_conf = fd.read()
 
         self.log.comment('Install required packages using your system\'s '
@@ -150,7 +160,7 @@ def get_info(self):
         self.configure_and_start_sssd()
 
     def configure_ca_cert(self):
-        super(config_generic_sssd_before_1_9, self).configure_ca_cert()
+        super(config_generic_linux_sssd_before_1_9, self).configure_ca_cert()
 
         self.log.comment('Configure ldap.conf. Set the value of '
                          'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure '
@@ -160,4 +170,178 @@ def configure_ca_cert(self):
                          '/etc/ldap/ldap.conf\n')
 
 
-api.register(config_generic_sssd_before_1_9)
+api.register(config_generic_linux_sssd_before_1_9)
+
+
+class config_redhat_nss_pam_ldapd(config_base_legacy_client):
+    """
+    Legacy client configuration for Red Hat based systems,
+    using nss-pam-ldapd.
+    """
+    description = ('Instructions for configuring a system with nss-pam-ldapd '
+                   'as a FreeIPA client. This set of instructions is targeted '
+                   'for platforms that include the authconfig utility, which '
+                   'are all Red Hat based platforms.')
+
+    def get_info(self):
+        uri, base = self.get_uri_and_base()
+        self.check_compat_plugin()
+
+        self.log.comment('Install required packages via yum')
+        self.log.command('yum install -y wget openssl nss-pam-ldapd pam_ldap '
+                         'authconfig\n')
+
+        self.configure_ca_cert()
+
+        self.log.comment('Use the authconfig to configure nsswitch.conf '
+                         'and the PAM stack')
+        self.log.command('authconfig --updateall --enableldap '
+                         '--enableldapauth --ldapserver=%s --ldapbasedn=%s\n'
+                         % (uri, base))
+
+    def configure_ca_cert(self):
+        self.log.comment('NOTE: IPA certificate uses the SHA-256 hash '
+                         'function. SHA-256 was introduced in RHEL5.2. '
+                         'Therefore, clients older than RHEL5.2 will not be '
+                         'able to interoperate with IPA server 3.x.')
+        super(config_redhat_nss_pam_ldapd, self).configure_ca_cert()
+
+
+api.register(config_redhat_nss_pam_ldapd)
+
+
+class config_generic_linux_nss_pam_ldapd(config_base_legacy_client):
+    """
+    Legacy client configuration for non Red Hat based linux systems,
+    using nss-pam-ldapd.
+    """
+    description = ('Instructions for configuring a system with nss-pam-ldapd. '
+                   'This set of instructions is targeted for linux systems '
+                   'that do not include the authconfig utility.')
+
+    def get_info(self):
+        uri, base = self.get_uri_and_base()
+        self.check_compat_plugin()
+
+        with open(os.path.join(
+                SHARE_DIR,
+                'advise',
+                'legacy',
+                'pam.conf.nss_pam_ldapd.template')) as fd:
+            pam_conf = fd.read()
+
+        nslcd_conf = 'uri %s\nbase %s' % (uri, base)
+
+        self.log.comment('Install required packages using your system\'s '
+                         'package manager. E.g:')
+        self.log.command('apt-get -y install wget openssl libnss-ldapd '
+                         'libpam-ldapd nslcd\n')
+
+        self.configure_ca_cert()
+
+        self.log.comment('Configure nsswitch.conf. Append ldap to the lines '
+                         'beginning with passwd and group. ')
+        self.log.command('grep "^passwd.*ldap" /etc/nsswitch.conf')
+        self.log.command('if [ $? -ne 0 ] ; then sed -i '
+                         '\'/^passwd/s|$| ldap|\' /etc/nsswitch.conf ; fi')
+        self.log.command('grep "^group.*ldap" /etc/nsswitch.conf')
+        self.log.command('if [ $? -ne 0 ] ; then sed -i '
+                         '\'/^group/s|$| ldap|\' /etc/nsswitch.conf ; fi\n')
+
+        self.log.comment('Configure PAM. Configuring the PAM stack differs on '
+                         'particular distributions. The resulting PAM stack '
+                         'should look like this:')
+        self.log.command('cat > /etc/pam.conf << EOF \n'
+                         '%s\nEOF\n' % pam_conf)
+
+        self.log.comment('Configure nslcd.conf:')
+        self.log.command('cat > /etc/nslcd.conf << EOF \n'
+                         '%s\nEOF\n' % nslcd_conf)
+
+        self.log.comment('Configure pam_ldap.conf:')
+        self.log.command('cat > /etc/pam_ldap.conf << EOF \n'
+                         '%s\nEOF\n' % nslcd_conf)
+
+        self.log.comment('Stop nscd and restart nslcd')
+        self.log.command('service nscd stop && service nslcd restart')
+
+    def configure_ca_cert(self):
+        super(config_generic_linux_nss_pam_ldapd, self).configure_ca_cert()
+
+        self.log.comment('Configure ldap.conf. Set the value of '
+                         'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure '
+                         'that the location of ldap.conf file matches your '
+                         'system\'s configuration.')
+        self.log.command('echo "TLS_CACERTDIR /etc/openldap/cacerts" >> '
+                         '/etc/ldap/ldap.conf\n')
+
+
+api.register(config_generic_linux_nss_pam_ldapd)
+
+
+class config_freebsd_nss_pam_ldapd(config_base_legacy_client):
+    """
+    Legacy client configuration for FreeBSD, using nss-pam-ldapd.
+    """
+    description = ('Instructions for configuring a FreeBSD system with '
+                   'nss-pam-ldapd. ')
+
+    def get_info(self):
+        uri, base = self.get_uri_and_base()
+        cacrt = '/usr/local/etc/ipa.crt'
+
+        self.check_compat_plugin()
+
+        with open(os.path.join(
+                SHARE_DIR,
+                'advise',
+                'legacy',
+                'pam_conf_sshd.template')) as fd:
+            pam_conf = fd.read()
+
+        self.log.comment('Install required packages')
+        self.log.command('pkg_add -r nss-pam-ldapd curl\n')
+
+        self.configure_ca_cert(cacrt)
+
+        self.log.comment('Configure nsswitch.conf')
+        self.log.command('sed -i \'\' -e \'s/^passwd:/passwd: files ldap/\' '
+                         '/etc/nsswitch.conf')
+        self.log.command('sed -i \'\' -e \'s/^group:/group: files ldap/\' '
+                         '/etc/nsswitch.conf\n')
+
+        self.log.comment('Configure PAM stack for the sshd service')
+        self.log.command('cat > /etc/pam.d/sshd << EOF \n'
+                         '%s\nEOF\n' % pam_conf)
+
+        self.log.comment('Add automated start of nslcd to /etc/rc.conf')
+        self.log.command('echo \'nslcd_enable="YES"\nnslcd_debug="NO"\' >> '
+                         '/etc/rc.conf')
+
+        self.log.comment('Configure nslcd.conf:')
+        self.log.command('echo "uid nslcd\n'
+                         'gid nslcd\n'
+                         'uri %s\n'
+                         'base %s\n'
+                         'scope sub\n'
+                         'base group cn=groups,%s\n'
+                         'base passwd cn=users,%s\n'
+                         'base shadow cn=users,%s\n'
+                         'ssl start_tls\n'
+                         'tls_cacertfile %s\n" >  /usr/local/etc/nslcd.conf'
+                         % ((uri,) + (base,)*4 + (cacrt,)))
+
+        self.log.comment('Configure ldap.conf:')
+        self.log.command('echo "uri %s\nbase %s\nssl start_tls\ntls_cacert %s"'
+                         '> /usr/local/etc/ldap.conf' % (uri, base, cacrt))
+
+        self.log.comment('Restart nslcd')
+        self.log.command('/usr/local/etc/rc.d/nslcd restart')
+
+    def configure_ca_cert(self, cacrt):
+        self.log.comment('Download the CA certificate of the IPA server')
+        self.log.command('curl -k https://%s/ipa/config/ca.crt > '
+                         '%s' % (api.env.host, cacrt))
+
+
+api.register(config_freebsd_nss_pam_ldapd)
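Review bot: in `config_generic_linux_nss_pam_ldapd`, `nslcd_conf = 'uri %s\nbase %s' % (uri, base)` is written to both /etc/nslcd.conf and /etc/pam_ldap.conf with a plain `ldap://` URI and no `ssl start_tls` or `tls_cacertfile`, whereas the FreeBSD variant in the same hunk sets both. Without `ssl start_tls` the simple bind that carries the user's password goes to the server unencrypted, and the `TLS_CACERTDIR` that `configure_ca_cert` appends to ldap.conf has no effect on that connection. Suggest adding `ssl start_tls` and a `tls_cacertfile` pointing at the CA file the base `configure_ca_cert` downloads (the sssd template references /etc/openldap/cacerts/ipa.crt) to `nslcd_conf`; the Red Hat variant's `authconfig --enableldap --enableldapauth` call likewise lacks `--enableldaptls`. Two more points on the FreeBSD plugin: `configure_ca_cert` fetches the CA with `curl -k`, so the certificate that all later TLS checks trust is itself obtained without verification, which the advice comment should say so the administrator can check its fingerprint out of band; and nslcd.conf and ldap.conf are produced with `echo` strings containing `\n`, which depends on the user's shell processing backslash escapes, while the sshd PAM file a few lines earlier uses a here-document that behaves the same in every shell.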
-- 
1.8.3.1
