Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-07 Thread Alexander Bokovoy

On Tue, 06 Aug 2013, Ana Krivokapic wrote:

On 08/06/2013 12:15 AM, Jakub Hrozek wrote:

On Mon, Aug 05, 2013 at 09:55:26PM +0300, Alexander Bokovoy wrote:

On Mon, 05 Aug 2013, Ana Krivokapic wrote:

+except errors.NotFound:
+return dict(result=False)
+
+attr = groups_entry.get('schema-compat-lookup-sssd')

same here.

It needs my patch 0112 too -- it changes ipa-adtrust-install to write
proper configuration options to slapi-nis configs.

Done.

Also, references to both relevant tickets
https://fedorahosted.org/freeipa/ticket/3671 and
https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.

Updated patches attached.

Thanks. A few more comments now that I've run the ipa-advise with the
plugins:

1. We need to put downloading the certificate to both plugins.

Right, this is something that was documented on the wiki during the test
day and I agree with Alexander it makes sense to be present in the
advise tool as well.


Fixed. cacertdir_rehash script is also downloaded if necessary.




2. The certificate needs to be specified in sssd.conf as well as ldap.conf

Wouldn't it be better to just say that you need to make sure that the
certificates are present on openldap's configured directories? That
would cover not only the SSSD but also all the tool like ldapsearch the
admin might want to run for troubleshooting. Maybe a hint to run
cacertdir_rehash would be nice.


Fixed. We agreed it is best to specify the defaults explicitly in config files,
while including a comment about a possible need for manual modification of the
script.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Patch 52 is updated, patch 53 needed a rebase. The whole updated patch set is
attached.

Thanks, looks more complete now.

ACK

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-07 Thread Martin Kosek
On 08/07/2013 08:48 AM, Alexander Bokovoy wrote:
 On Tue, 06 Aug 2013, Ana Krivokapic wrote:
 On 08/06/2013 12:15 AM, Jakub Hrozek wrote:
 On Mon, Aug 05, 2013 at 09:55:26PM +0300, Alexander Bokovoy wrote:
 On Mon, 05 Aug 2013, Ana Krivokapic wrote:
 +except errors.NotFound:
 +return dict(result=False)
 +
 +attr = groups_entry.get('schema-compat-lookup-sssd')
 same here.

 It needs my patch 0112 too -- it changes ipa-adtrust-install to write
 proper configuration options to slapi-nis configs.
 Done.

 Also, references to both relevant tickets
 https://fedorahosted.org/freeipa/ticket/3671 and
 https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.

 Updated patches attached.
 Thanks. A few more comments now that I've run the ipa-advise with the
 plugins:

 1. We need to put downloading the certificate to both plugins.
 Right, this is something that was documented on the wiki during the test
 day and I agree with Alexander it makes sense to be present in the
 advise tool as well.

 Fixed. cacertdir_rehash script is also downloaded if necessary.


 2. The certificate needs to be specified in sssd.conf as well as ldap.conf
 Wouldn't it be better to just say that you need to make sure that the
 certificates are present on openldap's configured directories? That
 would cover not only the SSSD but also all the tool like ldapsearch the
 admin might want to run for troubleshooting. Maybe a hint to run
 cacertdir_rehash would be nice.

 Fixed. We agreed it is best to specify the defaults explicitly in config 
 files,
 while including a comment about a possible need for manual modification of 
 the
 script.



 Patch 52 is updated, patch 53 needed a rebase. The whole updated patch set is
 attached.
 Thanks, looks more complete now.
 
 ACK
 

Looks good! Pushed to master.

Martin



Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-06 Thread Tomas Babej

On 08/05/2013 08:55 PM, Alexander Bokovoy wrote:

On Mon, 05 Aug 2013, Ana Krivokapic wrote:

+except errors.NotFound:
+return dict(result=False)
+
+attr = groups_entry.get('schema-compat-lookup-sssd')

same here.

It needs my patch 0112 too -- it changes ipa-adtrust-install to write
proper configuration options to slapi-nis configs.


Done.

Also, references to both relevant tickets
https://fedorahosted.org/freeipa/ticket/3671 and
https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.

Updated patches attached.

Thanks. A few more comments now that I've run the ipa-advise with the
plugins:

1. We need to put downloading the certificate to both plugins.
2. The certificate needs to be specified in sssd.conf as well as 
ldap.conf


Also it would be nice to actually reformat comments to be shorter.
I think it should be done on a framework level -- we have the code for
that already in the CLI handlers. Additionally, plugin writers may want
to have 'verbatim' comments, i.e. which would resist reformatting.

The patch 0088 should fix that. Adds a wrapped flag to the log.comment
command.



The same reformatting should be applied to the list of advises shown by
'ipa-advise' by default. It is now a bit unreadable.



The patch 0089 should fix that.

Tomas

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org



Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-06 Thread Ana Krivokapic
On 08/06/2013 12:15 AM, Jakub Hrozek wrote:
 On Mon, Aug 05, 2013 at 09:55:26PM +0300, Alexander Bokovoy wrote:
 On Mon, 05 Aug 2013, Ana Krivokapic wrote:
 +except errors.NotFound:
 +return dict(result=False)
 +
 +attr = groups_entry.get('schema-compat-lookup-sssd')
 same here.

 It needs my patch 0112 too -- it changes ipa-adtrust-install to write
 proper configuration options to slapi-nis configs.
 Done.

 Also, references to both relevant tickets
 https://fedorahosted.org/freeipa/ticket/3671 and
 https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.

 Updated patches attached.
 Thanks. A few more comments now that I've run the ipa-advise with the
 plugins:

 1. We need to put downloading the certificate to both plugins.
 Right, this is something that was documented on the wiki during the test
 day and I agree with Alexander it makes sense to be present in the
 advise tool as well.

Fixed. cacertdir_rehash script is also downloaded if necessary.


 2. The certificate needs to be specified in sssd.conf as well as ldap.conf
 Wouldn't it be better to just say that you need to make sure that the
 certificates are present on openldap's configured directories? That
 would cover not only the SSSD but also all the tool like ldapsearch the
 admin might want to run for troubleshooting. Maybe a hint to run
 cacertdir_rehash would be nice.

Fixed. We agreed it is best to specify the defaults explicitly in config files,
while including a comment about a possible need for manual modification of the
script.



Patch 52 is updated, patch 53 needed a rebase. The whole updated patch set is
attached.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 2858f368ceb504540b67d83d9abb550178354687 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 1 Aug 2013 14:12:39 +0200
Subject: [PATCH] Add ipa-advise plugins for legacy clients

Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in a trusted domain.

Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these systems include the authconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
---
 freeipa.spec.in|   3 +
 install/configure.ac   |   2 +
 install/share/Makefile.am  |   4 +
 install/share/advise/Makefile.am   |  17 +++
 install/share/advise/legacy/Makefile.am|  15 +++
 install/share/advise/legacy/pam.conf.template  |  22 
 install/share/advise/legacy/sssd.conf.template |  13 ++
 ipaserver/advise/plugins/legacy_clients.py | 163 +
 8 files changed, 239 insertions(+)
 create mode 100644 install/share/advise/Makefile.am
 create mode 100644 install/share/advise/legacy/Makefile.am
 create mode 100644 install/share/advise/legacy/pam.conf.template
 create mode 100644 install/share/advise/legacy/sssd.conf.template
 create mode 100644 ipaserver/advise/plugins/legacy_clients.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0afcdae86ee2b9a7b603df3d3bdb1499916ecd0c..d4f90c7d8dceab61095e477d5daaec1cfe4eebec 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -630,6 +630,9 @@ fi
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
+%dir %{_usr}/share/ipa/advise
+%dir %{_usr}/share/ipa/advise/legacy
+%{_usr}/share/ipa/advise/legacy/*.template
 %dir %{_usr}/share/ipa/ffextension
 %{_usr}/share/ipa/ffextension/bootstrap.js
 %{_usr}/share/ipa/ffextension/install.rdf
diff --git a/install/configure.ac b/install/configure.ac
index fca4c6991db63de17c47aa8d86e1d910ac09d47e..29254e6edfb9874ead9b37cc2d310a86fbfa0060 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -85,6 +85,8 @@ AC_CONFIG_FILES([
 html/Makefile
 migration/Makefile
 share/Makefile
+share/advise/Makefile
+share/advise/legacy/Makefile
 ui/Makefile
 ui/src/Makefile
 ui/src/libs/Makefile
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 1e56d2c530375c371cd5e66b4e83d2c13bc86e77..5fff55bd1281d232858df679e7dfd9f84e4545ec 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -1,5 +1,9 @@
 NULL =
 
+SUBDIRS =  \
+	advise\
+	$(NULL)
+
 appdir = $(IPA_DATA_DIR)
 app_DATA =\
 	05rfc2247.ldif			\
diff --git a/install/share/advise/Makefile.am 

Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-05 Thread Alexander Bokovoy

On Fri, 02 Aug 2013, Ana Krivokapic wrote:

On 08/01/2013 04:13 PM, Alexander Bokovoy wrote:

Hi!

On Thu, 01 Aug 2013, Ana Krivokapic wrote:

Hello,


Thanks Alexander for the quick review!



This patch adds ipa-advise plugins to help configure legacy clients for access
to trusted domain resources. For more details, please read the commit message.
Plugins are currently named config-redhat-sssd-before-1-9 and
config-generic-sssd-before-1-9; suggestions for better names are welcome.

Plugin content heavily inspired by
https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.


I think it is a good start. Comments inline.


https://fedorahosted.org/freeipa/ticket/3671
---
install/share/Makefile.am  |   2 +
install/share/pam.conf.template|  22 ++
install/share/sssd.conf.template   |  12 +++

I would imagine we would have multiple plugins that need their own
templates for pam.conf/sssd.conf. What about introducing
install/share/advise/<name>/*.template to avoid conflicts?

In this case you use the same templates for both plugins so you might
have name as 'legacy', for example.

Another way is to have plugin name in the template, e.g.
legacy.sssd.conf.template.


Done. I opted for the install/share/advise/<name>/*.template option. The changes
are in the updated patch 52.




+class config_redhat_sssd_before_1_9(Advice):
+
+Legacy client configuration for Red Hat based platforms.
+
+
+description = ('Instructions for configuring a system with an old version '
+   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
+   'instructions is targeted for platforms that include '
+   'the authconfig utility, which are all Red Hat based '
+   'platforms.')

You need to check that Schema Compatibility plugin is configured to
serve trusted domain users and groups.

We have two trees:
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

In both of the trees there should be
   schema-compat-lookup-sssd: user|group

attribute, with the value according to the tree (i.e. user for
cn=users).

If not, then suggest to run 'ipa-adtrust-install --enable-compat=true' on the
IPA server.


Done. I added a new API command 'compat-is-enabled' (similar to
'adtrust-is-enabled') to facilitate checking whether the Schema Compatibility
plugin is configured. 'compat-is-enabled' is called from the ipa-advise plugin
and the suggestion to run 'ipa-adtrust-install --enable-compat' is printed as
the first piece of advice, when appropriate.

Patch 54 adds the new API command 'compat-is-enabled', while patch 53 is a small
fix which enables IPA API commands to be run from the ipa-advise plugins.




+
+def get_info(self):
+self.log.comment('Install the sssd and authconfig packages via yum')
+self.log.command('yum install -y sssd authconfig\n')

You are using 'wget' below, it might make sense to add it into the above
line too.


Fixed in patch 52.




+
+self.log.comment('Download the CA certificate of the IPA server')
+self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
+self.log.command('wget http://%s/ipa/config/ca.crt -O '
+ '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
+
+self.log.comment('Generate hashes for the openldap library')
+self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
+
+self.log.comment('Use the authconfig to configure nsswitch.conf '
+ 'and the PAM stack')
+self.log.command('authconfig --updateall --enablesssd '
+ '--enablesssdauth\n')
+
+self.log.comment('Configure SSSD')
+self.log.command('cat  /etc/sssd/sssd.conf  EOF \n'
+ '%s\nEOF' % generate_sssd_conf())
+self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
+
+self.log.comment('Start SSSD')
+self.log.command('service sssd start')

Would it make sense to also add instructions to restore SELinux context
(if needed)? I'm not sure, just throwing the idea for consideration.


I am not sure about this either so I will wait for more opinions about this.



Same comments go for the second plugin.



I also refactored the plugin a bit (added a new base class to avoid code
duplication).

Updated patches are attached. Patch 52 depends on patches 53 and 54.

One small comment:

I've refactored slapi-nis code to make it more generic and references to
sssd in the configuration options went away, so please change this part
too:


+attr = users_entry.get('schema-compat-lookup-sssd')
to 
+attr = users_entry.get('schema-compat-lookup-nsswitch')



+if not attr or 'user' not in attr:
+return dict(result=False)
+
+try:
+groups_entry = ldap.get_entry(groups_dn)
+except errors.NotFound:
+return 

Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-05 Thread Ana Krivokapic
On 08/05/2013 02:57 PM, Alexander Bokovoy wrote:
 On Fri, 02 Aug 2013, Ana Krivokapic wrote:
 On 08/01/2013 04:13 PM, Alexander Bokovoy wrote:
 Hi!

 On Thu, 01 Aug 2013, Ana Krivokapic wrote:
 Hello,

 Thanks Alexander for the quick review!


 This patch adds ipa-advise plugins to help configure legacy clients for 
 access
 to trusted domain resources. For more details, please read the commit 
 message.
 Plugins are currently named config-redhat-sssd-before-1-9 and
 config-generic-sssd-before-1-9; suggestions for better names are welcome.

 Plugin content heavily inspired by
 https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.


 I think it is a good start. Comments inline.

 https://fedorahosted.org/freeipa/ticket/3671
 ---
 install/share/Makefile.am  |   2 +
 install/share/pam.conf.template|  22 ++
 install/share/sssd.conf.template   |  12 +++
 I would imagine we would have multiple plugins that need their own
 templates for pam.conf/sssd.conf. What about introducing
 install/share/advise/<name>/*.template to avoid conflicts?

 In this case you use the same templates for both plugins so you might
 have name as 'legacy', for example.

 Another way is to have plugin name in the template, e.g.
 legacy.sssd.conf.template.

 Done. I opted for the install/share/advise/<name>/*.template option. The 
 changes
 are in the updated patch 52.


 +class config_redhat_sssd_before_1_9(Advice):
 +
 +Legacy client configuration for Red Hat based platforms.
 +
 +
 +description = ('Instructions for configuring a system with an old
 version '
 +   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
 +   'instructions is targeted for platforms that include '
 +   'the authconfig utility, which are all Red Hat based '
 +   'platforms.')
 You need to check that Schema Compatibility plugin is configured to
 serve trusted domain users and groups.

 We have two trees:
 dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
 dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

 In both of the trees there should be
schema-compat-lookup-sssd: user|group

 attribute, with the value according to the tree (i.e. user for
 cn=users).

 If not, then suggest to run 'ipa-adtrust-install --enable-compat=true' on 
 the
 IPA server.

 Done. I added a new API command 'compat-is-enabled' (similar to
 'adtrust-is-enabled') to facilitate checking whether the Schema Compatibility
 plugin is configured. 'compat-is-enabled' is called from the ipa-advise 
 plugin
 and the suggestion to run 'ipa-adtrust-install --enable-compat' is printed as
 the first piece of advice, when appropriate.

 Patch 54 adds the new API command 'compat-is-enabled', while patch 53 is a 
 small
 fix which enables IPA API commands to be run from the ipa-advise plugins.


 +
 +def get_info(self):
 +self.log.comment('Install the sssd and authconfig packages via 
 yum')
 +self.log.command('yum install -y sssd authconfig\n')
 You are using 'wget' below, it might make sense to add it into the above
 line too.

 Fixed in patch 52.


 +
 +self.log.comment('Download the CA certificate of the IPA server')
 +self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
 +self.log.command('wget http://%s/ipa/config/ca.crt -O '
 + '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
 +
 +self.log.comment('Generate hashes for the openldap library')
 +self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
 +
 +self.log.comment('Use the authconfig to configure nsswitch.conf '
 + 'and the PAM stack')
 +self.log.command('authconfig --updateall --enablesssd '
 + '--enablesssdauth\n')
 +
 +self.log.comment('Configure SSSD')
 +self.log.command('cat  /etc/sssd/sssd.conf  EOF \n'
 + '%s\nEOF' % generate_sssd_conf())
 +self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
 +
 +self.log.comment('Start SSSD')
 +self.log.command('service sssd start')
 Would it make sense to also add instructions to restore SELinux context
 (if needed)? I'm not sure, just throwing the idea for consideration.

 I am not sure about this either so I will wait for more opinions about this.


 Same comments go for the second plugin.


 I also refactored the plugin a bit (added a new base class to avoid code
 duplication).

 Updated patches are attached. Patch 52 depends on patches 53 and 54.
 One small comment:

 I've refactored slapi-nis code to make it more generic and references to
 sssd in the configuration options went away, so please change this part
 too:

 +attr = users_entry.get('schema-compat-lookup-sssd')
 to +attr = users_entry.get('schema-compat-lookup-nsswitch')

 +if not attr or 'user' not in attr:
 +return 

Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-05 Thread Alexander Bokovoy

On Mon, 05 Aug 2013, Ana Krivokapic wrote:

+except errors.NotFound:
+return dict(result=False)
+
+attr = groups_entry.get('schema-compat-lookup-sssd')

same here.

It needs my patch 0112 too -- it changes ipa-adtrust-install to write
proper configuration options to slapi-nis configs.


Done.

Also, references to both relevant tickets
https://fedorahosted.org/freeipa/ticket/3671 and
https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.

Updated patches attached.

Thanks. A few more comments now that I've run the ipa-advise with the
plugins:

1. We need to put downloading the certificate to both plugins.
2. The certificate needs to be specified in sssd.conf as well as ldap.conf

Also it would be nice to actually reformat comments to be shorter.
I think it should be done on a framework level -- we have the code for
that already in the CLI handlers. Additionally, plugin writers may want
to have 'verbatim' comments, i.e. which would resist reformatting.

The same reformatting should be applied to the list of advises shown by
'ipa-advise' by default. It is now a bit unreadable.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-05 Thread Jakub Hrozek
On Mon, Aug 05, 2013 at 09:55:26PM +0300, Alexander Bokovoy wrote:
 On Mon, 05 Aug 2013, Ana Krivokapic wrote:
 +except errors.NotFound:
 +return dict(result=False)
 +
 +attr = groups_entry.get('schema-compat-lookup-sssd')
 same here.
 
 It needs my patch 0112 too -- it changes ipa-adtrust-install to write
 proper configuration options to slapi-nis configs.
 
 Done.
 
 Also, references to both relevant tickets
 https://fedorahosted.org/freeipa/ticket/3671 and
 https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.
 
 Updated patches attached.
 Thanks. A few more comments now that I've run the ipa-advise with the
 plugins:
 
 1. We need to put downloading the certificate to both plugins.

Right, this is something that was documented on the wiki during the test
day and I agree with Alexander it makes sense to be present in the
advise tool as well.

 2. The certificate needs to be specified in sssd.conf as well as ldap.conf

Wouldn't it be better to just say that you need to make sure that the
certificates are present on openldap's configured directories? That
would cover not only the SSSD but also all the tool like ldapsearch the
admin might want to run for troubleshooting. Maybe a hint to run
cacertdir_rehash would be nice.

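The two review points above (download the CA certificate in both plugins, and name it in sssd.conf as well as in ldap.conf) rendered as a small stand-in for the plugin pair. This is an added example, not FreeIPA's ipa-advise code: the server name ipa.example.test and base DN dc=example,dc=test are constructed (the real plugins take them from api.env), the /etc/openldap/cacerts path, the wget fetch, cacertdir_rehash and the authconfig call follow the thread, and the fingerprint step, the `ldap_tls_*`/`ldap_id_use_start_tls` options, the ldap.conf fragment and the `render_*` helpers are this example's own additions.

```python
# Added example (not FreeIPA project code): a minimal renderer for the legacy
# client advice that keeps the certificate steps in both platform variants.
from string import Template

SERVER = "ipa.example.test"        # constructed; ipa-advise uses api.env.host
BASE_DN = "dc=example,dc=test"     # constructed; ipa-advise uses api.env.basedn
CACERT_DIR = "/etc/openldap/cacerts"
CACERT = CACERT_DIR + "/ipa.crt"

# The thread's sssd.conf template plus the TLS lines the review asks for.
SSSD_CONF_TEMPLATE = """[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://$IPA_SERVER_HOSTNAME
ldap_search_base = cn=compat,$BASE_DN
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = $CACERT
"""


def render_sssd_conf(server, base_dn, cacert):
    return Template(SSSD_CONF_TEMPLATE).substitute(
        IPA_SERVER_HOSTNAME=server, BASE_DN=base_dn, CACERT=cacert)


def render_ldap_conf(cacert_dir):
    """Client-wide OpenLDAP settings so ldapsearch & co. verify the IPA server too."""
    return "TLS_CACERTDIR %s\nTLS_REQCERT demand\n" % cacert_dir


def cert_steps(server):
    """(comment, command) pairs shared by both plugins: fetch, check, hash the CA cert."""
    return [
        ("Download the CA certificate of the IPA server",
         "mkdir -p -m 755 %s" % CACERT_DIR),
        (None, "wget http://%s/ipa/config/ca.crt -O %s" % (server, CACERT)),
        ("Compare this fingerprint with one obtained from the IPA admin out of "
         "band before trusting the certificate (added step)",
         "openssl x509 -in %s -noout -fingerprint -sha256" % CACERT),
        ("Generate hashes for the openldap library",
         "cacertdir_rehash %s/" % CACERT_DIR),
        ("Point ldap.conf at the certificate directory; edit the path if your "
         "openldap build uses a different one",
         "cat >> /etc/openldap/ldap.conf <<EOF\n%sEOF" % render_ldap_conf(CACERT_DIR)),
    ]


def legacy_client_steps(server, base_dn, platform):
    """Ordered steps for platform 'redhat' (has authconfig) or 'generic'."""
    steps = []
    if platform == "redhat":
        steps.append(("Install the sssd, authconfig and wget packages via yum",
                      "yum install -y sssd authconfig wget"))
    else:
        steps.append(("Install the sssd and wget packages with the platform's "
                      "package manager", None))
    steps.extend(cert_steps(server))
    if platform == "redhat":
        steps.append(("Use authconfig to configure nsswitch.conf and the PAM stack",
                      "authconfig --updateall --enablesssd --enablesssdauth"))
    else:
        steps.append(("Configure nsswitch.conf and the PAM stack by hand "
                      "(the pam.conf template shipped with the plugin is a start)",
                      None))
    # umask 077 in a subshell keeps sssd.conf private from the moment it is created.
    steps.append(("Configure SSSD",
                  "(umask 077; cat > /etc/sssd/sssd.conf <<EOF\n%sEOF\n)"
                  % render_sssd_conf(server, base_dn, CACERT)))
    steps.append(("Start SSSD", "service sssd start"))
    return steps


def render_script(steps):
    """Turn (comment, command) pairs into the shell text ipa-advise would print."""
    lines = []
    for comment, command in steps:
        if comment:
            lines.append("# " + comment)
        if command:
            lines.append(command)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for platform in ("redhat", "generic"):
        print("### %s\n%s" % (platform, render_script(legacy_client_steps(SERVER, BASE_DN, platform))))
```

`ldap_id_use_start_tls` is there because SSSD only protects the authentication bind with TLS by default; setting it also moves identity lookups against the compat tree onto STARTTLS. `ldap_tls_reqcert = demand` is SSSD's default and is written out so nobody is tempted to lower it while debugging.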


Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-02 Thread Ana Krivokapic
On 08/01/2013 04:13 PM, Alexander Bokovoy wrote:
 Hi!

 On Thu, 01 Aug 2013, Ana Krivokapic wrote:
 Hello,

Thanks Alexander for the quick review!


 This patch adds ipa-advise plugins to help configure legacy clients for 
 access
 to trusted domain resources. For more details, please read the commit 
 message.
 Plugins are currently named config-redhat-sssd-before-1-9 and
 config-generic-sssd-before-1-9; suggestions for better names are welcome.

 Plugin content heavily inspired by
 https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.

 I think it is a good start. Comments inline.

 https://fedorahosted.org/freeipa/ticket/3671
 ---
 install/share/Makefile.am  |   2 +
 install/share/pam.conf.template|  22 ++
 install/share/sssd.conf.template   |  12 +++
 I would imagine we would have multiple plugins that need their own
 templates for pam.conf/sssd.conf. What about introducing
 install/share/advise/<name>/*.template to avoid conflicts?

 In this case you use the same templates for both plugins so you might
 have name as 'legacy', for example.

 Another way is to have plugin name in the template, e.g.
 legacy.sssd.conf.template.

Done. I opted for the install/share/advise/<name>/*.template option. The changes
are in the updated patch 52.


 +class config_redhat_sssd_before_1_9(Advice):
 +
 +Legacy client configuration for Red Hat based platforms.
 +
 +
 +description = ('Instructions for configuring a system with an old 
 version '
 +   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
 +   'instructions is targeted for platforms that include '
 +   'the authconfig utility, which are all Red Hat based '
 +   'platforms.')
 You need to check that Schema Compatibility plugin is configured to
 serve trusted domain users and groups.

 We have two trees:
 dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
 dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

 In both of the trees there should be
schema-compat-lookup-sssd: user|group

 attribute, with the value according to the tree (i.e. user for
 cn=users).

 If not, then suggest to run 'ipa-adtrust-install --enable-compat=true' on the
 IPA server.

Done. I added a new API command 'compat-is-enabled' (similar to
'adtrust-is-enabled') to facilitate checking whether the Schema Compatibility
plugin is configured. 'compat-is-enabled' is called from the ipa-advise plugin
and the suggestion to run 'ipa-adtrust-install --enable-compat' is printed as
the first piece of advice, when appropriate.

Patch 54 adds the new API command 'compat-is-enabled', while patch 53 is a small
fix which enables IPA API commands to be run from the ipa-advise plugins.


 +
 +def get_info(self):
 +self.log.comment('Install the sssd and authconfig packages via yum')
 +self.log.command('yum install -y sssd authconfig\n')
 You are using 'wget' below, it might make sense to add it into the above
 line too.

Fixed in patch 52.


 +
 +self.log.comment('Download the CA certificate of the IPA server')
 +self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
 +self.log.command('wget http://%s/ipa/config/ca.crt -O '
 + '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
 +
 +self.log.comment('Generate hashes for the openldap library')
 +self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
 +
 +self.log.comment('Use the authconfig to configure nsswitch.conf '
 + 'and the PAM stack')
 +self.log.command('authconfig --updateall --enablesssd '
 + '--enablesssdauth\n')
 +
 +self.log.comment('Configure SSSD')
 +self.log.command('cat  /etc/sssd/sssd.conf  EOF \n'
 + '%s\nEOF' % generate_sssd_conf())
 +self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
 +
 +self.log.comment('Start SSSD')
 +self.log.command('service sssd start')
 Would it make sense to also add instructions to restore SELinux context
 (if needed)? I'm not sure, just throwing the idea for consideration.

I am not sure about this either so I will wait for more opinions about this.


 Same comments go for the second plugin.


I also refactored the plugin a bit (added a new base class to avoid code
duplication).

Updated patches are attached. Patch 52 depends on patches 53 and 54.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 51aecf2a07bc889737ddda4a882e400030c57944 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 1 Aug 2013 14:12:39 +0200
Subject: [PATCH] Add ipa-advise plugins for legacy clients

Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to 

[Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-01 Thread Ana Krivokapic
Hello,

This patch adds ipa-advise plugins to help configure legacy clients for access
to trusted domain resources. For more details, please read the commit message.
Plugins are currently named config-redhat-sssd-before-1-9 and
config-generic-sssd-before-1-9; suggestions for better names are welcome.

Plugin content heavily inspired by
https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 32cb59f102596f391226dd3106f91f406ea52659 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 1 Aug 2013 14:12:39 +0200
Subject: [PATCH] Add ipa-advise plugins for legacy clients

Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in a trusted domain.

Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these systems include the authconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
---
 install/share/Makefile.am  |   2 +
 install/share/pam.conf.template|  22 ++
 install/share/sssd.conf.template   |  12 +++
 ipaserver/advise/plugins/legacy_clients.py | 117 +
 4 files changed, 153 insertions(+)
 create mode 100644 install/share/pam.conf.template
 create mode 100644 install/share/sssd.conf.template
 create mode 100644 ipaserver/advise/plugins/legacy_clients.py

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 1e56d2c530375c371cd5e66b4e83d2c13bc86e77..906f8a8b118ccd26bd19421047d14c09bec2f8f2 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -64,6 +64,8 @@ app_DATA =\
 	copy-schema-to-ca.py		\
 	upload-cacert.ldif		\
 	sasl-mapping-fallback.ldif	\
+	sssd.conf.template		\
+	pam.conf.template		\
 	$(NULL)
 
 EXTRA_DIST =\
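Review bot: `sssd.conf.template` and `pam.conf.template` are installed flat into $(IPA_DATA_DIR) next to the LDIFs and every other shared template, so the next advise plugin that ships a file with one of these generic names will collide with them. Install them under a per-plugin directory (install/share/advise/<name>/) or prefix the file names with the plugin name.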
diff --git a/install/share/pam.conf.template b/install/share/pam.conf.template
new file mode 100644
index ..bdd91821eb6d8259d7f03a6eac78fc264b0cafa8
--- /dev/null
+++ b/install/share/pam.conf.template
@@ -0,0 +1,22 @@
+authrequired  pam_env.so
+authsufficientpam_unix.so nullok try_first_pass
+authrequisite pam_succeed_if.so uid = 500 quiet
+authsufficientpam_sss.so use_first_pass
+authrequired  pam_deny.so
+
+account required  pam_unix.so broken_shadow
+account sufficientpam_localuser.so
+account sufficientpam_succeed_if.so uid  500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required  pam_permit.so
+
+passwordrequisite pam_cracklib.so try_first_pass retry=3 type=
+passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass use_authtok
+passwordsufficientpam_sss.so use_authtok
+passwordrequired  pam_deny.so
+
+session optional  pam_keyinit.so revoke
+session required  pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required  pam_unix.so
+session optional  pam_sss.so
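Review bot: the pam_succeed_if conditions read `auth requisite pam_succeed_if.so uid = 500 quiet` and `account sufficient pam_succeed_if.so uid  500 quiet`. If that is how the file is committed and not just how it renders here, the auth line passes only for uid 500 exactly, so pam_sss is never consulted for any other user, and the account line has no operator at all; the intended tests are `uid >= 500` (auth) and `uid < 500` (account), which is what authconfig writes. Separately, `nullok` on both pam_unix lines allows local accounts with an empty password field to authenticate; for a template that is pasted verbatim onto a host about to admit trusted-domain users it is worth dropping, or at least commenting why it stays.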
diff --git a/install/share/sssd.conf.template b/install/share/sssd.conf.template
new file mode 100644
index ..764e853a42edd913d0a8138202b1fdd055ff2ff4
--- /dev/null
+++ b/install/share/sssd.conf.template
@@ -0,0 +1,12 @@
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = default
+re_expression = (?Pname.+)
+
+[domain/default]
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldap://$IPA_SERVER_HOSTNAME
+ldap_search_base = cn=compat,$BASE_DN
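Review bot: `auth_provider = ldap` over `ldap_uri = ldap://$IPA_SERVER_HOSTNAME` with no `ldap_tls_cacert` (or `ldap_tls_cacertdir`) will not authenticate anybody: SSSD always wraps the authentication bind in STARTTLS, and with `ldap_tls_reqcert` at its default it fails unless it can verify the server certificate. Since the plugin already downloads the CA certificate into /etc/openldap/cacerts, add `ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt` (and `ldap_id_use_start_tls = True` so identity lookups are encrypted as well) to the template. Also, `re_expression = (?Pname.+)` as it appears here is not a valid named group; it should read `(?P<name>.+)` if that is what is committed.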
diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
new file mode 100644
index ..00b310bf42157e3084c3d3b6fc281c91df018724
--- /dev/null
+++ b/ipaserver/advise/plugins/legacy_clients.py
@@ -0,0 +1,117 @@
+# Authors: Ana Krivokapic akriv...@redhat.com
+#
+# Copyright (C) 2013  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#

Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-01 Thread Alexander Bokovoy

Hi!

On Thu, 01 Aug 2013, Ana Krivokapic wrote:

Hello,

This patch adds ipa-advise plugins to help configure legacy clients for access
to trusted domain resources. For more details, please read the commit message.
Plugins are currently named config-redhat-sssd-before-1-9 and
config-generic-sssd-before-1-9; suggestions for better names are welcome.

Plugin content heavily inspired by
https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.

I think it is a good start. Comments inline.


https://fedorahosted.org/freeipa/ticket/3671
---
install/share/Makefile.am  |   2 +
install/share/pam.conf.template|  22 ++
install/share/sssd.conf.template   |  12 +++

I would imagine we would have multiple plugins that need their own
templates for pam.conf/sssd.conf. What about introducing
install/share/advise/<name>/*.template to avoid conflicts?

In this case you use the same templates for both plugins so you might
have name as 'legacy', for example.

Another way is to have plugin name in the template, e.g.
legacy.sssd.conf.template.


+class config_redhat_sssd_before_1_9(Advice):
+
+Legacy client configuration for Red Hat based platforms.
+
+
+description = ('Instructions for configuring a system with an old version '
+   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
+   'instructions is targeted for platforms that include '
+   'the authconfig utility, which are all Red Hat based '
+   'platforms.')

You need to check that Schema Compatibility plugin is configured to
serve trusted domain users and groups.

We have two trees:
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

In both of the trees there should be

   schema-compat-lookup-sssd: user|group

attribute, with the value according to the tree (i.e. user for
cn=users).

If not, then suggest to run 'ipa-adtrust-install --enable-compat=true' 
on the IPA server.



+
+def get_info(self):
+self.log.comment('Install the sssd and authconfig packages via yum')
+self.log.command('yum install -y sssd authconfig\n')

You are using 'wget' below, it might make sense to add it into the above
line too.


+
+self.log.comment('Download the CA certificate of the IPA server')
+self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
+self.log.command('wget http://%s/ipa/config/ca.crt -O '
+ '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
+
+self.log.comment('Generate hashes for the openldap library')
+self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
+
+self.log.comment('Use the authconfig to configure nsswitch.conf '
+ 'and the PAM stack')
+self.log.command('authconfig --updateall --enablesssd '
+ '--enablesssdauth\n')
+
+self.log.comment('Configure SSSD')
+self.log.command('cat  /etc/sssd/sssd.conf  EOF \n'
+ '%s\nEOF' % generate_sssd_conf())
+self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
+
+self.log.comment('Start SSSD')
+self.log.command('service sssd start')
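Review bot: `wget http://%s/ipa/config/ca.crt -O /etc/openldap/cacerts/ipa.crt` fetches the trust anchor for every later TLS connection over plain HTTP with nothing checking what came back, so an on-path attacker at enrollment time can hand the client a CA of their choosing and then impersonate the IPA server to SSSD for good. The advice should tell the admin to compare the certificate fingerprint with one obtained out of band (for example `openssl x509 -in /etc/openldap/cacerts/ipa.crt -noout -fingerprint -sha256` against the same command run on the server) before running cacertdir_rehash. Smaller point: the `cat ... /etc/sssd/sssd.conf ... EOF` heredoc creates the file under the default umask and only the later `chmod 0600` closes it; writing it under `umask 077` (or creating it first with `install -m 0600 /dev/null /etc/sssd/sssd.conf`) avoids the window in which the LDAP settings are world-readable.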

Would it make sense to also add instructions to restore SELinux context
(if needed)? I'm not sure, just throwing the idea for consideration.

Same comments go for the second plugin.

--
/ Alexander Bokovoy

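The Schema Compatibility check Alexander asks for above, written out as an added example rather than the project's `compat-is-enabled` command: the two subtree DNs, the user|group values and the requirement that both trees be configured come from the review; the `schema-compat-lookup-nsswitch` name is the one the thread settles on after the slapi-nis refactoring, with the older `schema-compat-lookup-sssd` accepted as well. The `get_entry` lookup callable, the `NotFound` stand-in for `ipalib.errors.NotFound` and the sample directory snapshots are constructed so the check runs offline.

```python
# Added example (not FreeIPA project code): decide whether the Schema
# Compatibility plugin serves trusted-domain users and groups, the way the
# ipa-advise legacy plugins need to know before printing any other advice.

COMPAT_BASE = "cn=Schema Compatibility,cn=plugins,cn=config"
# New slapi-nis option name first, old one second so pre-refactoring servers
# still pass the check.
LOOKUP_ATTRS = ("schema-compat-lookup-nsswitch", "schema-compat-lookup-sssd")


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound (assumption for this example)."""


def _serves(entry, wanted):
    """True if one of the lookup attributes on `entry` lists `wanted`."""
    for attr in LOOKUP_ATTRS:
        values = entry.get(attr)
        if values and wanted in [v.lower() for v in values]:
            return True
    return False


def compat_is_enabled(get_entry):
    """Return {'result': bool}, mirroring the shape of compat-is-enabled.

    `get_entry(dn)` returns a dict of attribute -> list of values or raises
    NotFound.  Both subtrees must exist and each must be configured to serve
    its own object type: 'user' under cn=users, 'group' under cn=groups.
    """
    checks = (("cn=users,%s" % COMPAT_BASE, "user"),
              ("cn=groups,%s" % COMPAT_BASE, "group"))
    for dn, wanted in checks:
        try:
            entry = get_entry(dn)
        except NotFound:
            return dict(result=False)
        if not _serves(entry, wanted):
            return dict(result=False)
    return dict(result=True)


def advice_for(get_entry):
    """First piece of advice, or None when the server is ready."""
    if compat_is_enabled(get_entry)["result"]:
        return None
    return ("Schema Compatibility plugin is not configured for trusted "
            "domain lookups; run 'ipa-adtrust-install --enable-compat' "
            "on the IPA server first.")


def make_lookup(entries):
    """Build a get_entry() over a constructed {dn: entry} directory snapshot."""
    index = dict((dn.lower(), entry) for dn, entry in entries.items())

    def get_entry(dn):
        try:
            return index[dn.lower()]
        except KeyError:
            raise NotFound(dn)
    return get_entry


# Constructed snapshots (not taken from a real server).
ENABLED = make_lookup({
    "cn=users,%s" % COMPAT_BASE: {"cn": ["users"], "schema-compat-lookup-nsswitch": ["user"]},
    "cn=groups,%s" % COMPAT_BASE: {"cn": ["groups"], "schema-compat-lookup-nsswitch": ["group"]},
})
# Compat trees exist but were never told to serve trusted-domain objects.
NOT_CONFIGURED = make_lookup({
    "cn=users,%s" % COMPAT_BASE: {"cn": ["users"]},
    "cn=groups,%s" % COMPAT_BASE: {"cn": ["groups"]},
})
# Schema Compatibility plugin not installed at all.
MISSING = make_lookup({})
# Older attribute name, users tree right but groups tree carries the wrong value.
HALF = make_lookup({
    "cn=users,%s" % COMPAT_BASE: {"schema-compat-lookup-sssd": ["user"]},
    "cn=groups,%s" % COMPAT_BASE: {"schema-compat-lookup-sssd": ["user"]},
})


if __name__ == "__main__":
    for name, lookup in (("enabled", ENABLED), ("not configured", NOT_CONFIGURED),
                         ("missing", MISSING), ("half", HALF)):
        print(name, compat_is_enabled(lookup), advice_for(lookup))
```

The `HALF` snapshot is the case worth keeping in mind: a users tree that looks right is not enough, and a partially configured plugin must produce the same "run ipa-adtrust-install --enable-compat" advice as a missing one.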