Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
On Tue, 06 Aug 2013, Ana Krivokapic wrote:
> On 08/06/2013 12:15 AM, Jakub Hrozek wrote:
>> On Mon, Aug 05, 2013 at 09:55:26PM +0300, Alexander Bokovoy wrote:
>>> On Mon, 05 Aug 2013, Ana Krivokapic wrote:
>>>>>> +except errors.NotFound:
>>>>>> +return dict(result=False)
>>>>>> +
>>>>>> +attr = groups_entry.get('schema-compat-lookup-sssd')
>>>>> same here. It needs my patch 0112 too -- it changes ipa-adtrust-install
>>>>> to write proper configuration options to slapi-nis configs.
>>>> Done. Also, references to both relevant tickets
>>>> https://fedorahosted.org/freeipa/ticket/3671 and
>>>> https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.
>>>>
>>>> Updated patches attached.
>>> Thanks. Few more comments now that I've run the ipa-advise with the plugins:
>>>
>>> 1. We need to put downloading the certificate to both plugins.
>> Right, this is something that was documented on the wiki during the test
>> day and I agree with Alexander it makes sense to be present in the advise
>> tool as well.
> Fixed. cacertdir_rehash script is also downloaded if necessary.
>
>>> 2. The certificate needs to be specified in sssd.conf as well as ldap.conf
>> Wouldn't it be better to just say that you need to make sure that the
>> certificates are present in openldap's configured directories? That would
>> cover not only SSSD but also all the tools like ldapsearch the admin might
>> want to run for troubleshooting. Maybe a hint to run cacertdir_rehash
>> would be nice.
> Fixed. We agreed it is best to specify the defaults explicitly in config
> files, while including a comment about a possible need for manual
> modification of the script.
>
> Patch 52 is updated, patch 53 needed a rebase. The whole updated patch set
> is attached.
Thanks, looks more complete now. ACK

-- 
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
On 08/07/2013 08:48 AM, Alexander Bokovoy wrote:
> On Tue, 06 Aug 2013, Ana Krivokapic wrote:
>> On 08/06/2013 12:15 AM, Jakub Hrozek wrote:
>>> On Mon, Aug 05, 2013 at 09:55:26PM +0300, Alexander Bokovoy wrote:
>>>> On Mon, 05 Aug 2013, Ana Krivokapic wrote:
>>>>>>> +except errors.NotFound:
>>>>>>> +return dict(result=False)
>>>>>>> +
>>>>>>> +attr = groups_entry.get('schema-compat-lookup-sssd')
>>>>>> same here. It needs my patch 0112 too -- it changes ipa-adtrust-install
>>>>>> to write proper configuration options to slapi-nis configs.
>>>>> Done. Also, references to both relevant tickets
>>>>> https://fedorahosted.org/freeipa/ticket/3671 and
>>>>> https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.
>>>>>
>>>>> Updated patches attached.
>>>> Thanks. Few more comments now that I've run the ipa-advise with the plugins:
>>>>
>>>> 1. We need to put downloading the certificate to both plugins.
>>> Right, this is something that was documented on the wiki during the test
>>> day and I agree with Alexander it makes sense to be present in the advise
>>> tool as well.
>> Fixed. cacertdir_rehash script is also downloaded if necessary.
>>
>>>> 2. The certificate needs to be specified in sssd.conf as well as ldap.conf
>>> Wouldn't it be better to just say that you need to make sure that the
>>> certificates are present in openldap's configured directories? That would
>>> cover not only SSSD but also all the tools like ldapsearch the admin might
>>> want to run for troubleshooting. Maybe a hint to run cacertdir_rehash
>>> would be nice.
>> Fixed. We agreed it is best to specify the defaults explicitly in config
>> files, while including a comment about a possible need for manual
>> modification of the script.
>>
>> Patch 52 is updated, patch 53 needed a rebase. The whole updated patch set
>> is attached.
> Thanks, looks more complete now. ACK

Looks good! Pushed to master.

Martin
Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
On 08/05/2013 08:55 PM, Alexander Bokovoy wrote:
> On Mon, 05 Aug 2013, Ana Krivokapic wrote:
>>>> +except errors.NotFound:
>>>> +return dict(result=False)
>>>> +
>>>> +attr = groups_entry.get('schema-compat-lookup-sssd')
>>> same here. It needs my patch 0112 too -- it changes ipa-adtrust-install
>>> to write proper configuration options to slapi-nis configs.
>> Done. Also, references to both relevant tickets
>> https://fedorahosted.org/freeipa/ticket/3671 and
>> https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.
>>
>> Updated patches attached.
> Thanks. Few more comments now that I've run the ipa-advise with the plugins:
>
> 1. We need to put downloading the certificate to both plugins.
> 2. The certificate needs to be specified in sssd.conf as well as ldap.conf
>
> Also it would be nice to actually reformat comments to be shorter. I think
> it should be done on a framework level -- we have the code for that
> already in the CLI handlers. Additionally, plugin writers may want to have
> 'verbatim' comments, i.e. which would resist reformatting.
The patch 0088 should fix that. Adds a wrapped flag to the log.comment
command.

> The same reformatting should be applied to the list of advises shown by
> 'ipa-advise' by default. It is now a bit unreadable.
The patch 0089 should fix that.

Tomas

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
On 08/06/2013 12:15 AM, Jakub Hrozek wrote:
> On Mon, Aug 05, 2013 at 09:55:26PM +0300, Alexander Bokovoy wrote:
>> On Mon, 05 Aug 2013, Ana Krivokapic wrote:
>>>>> +except errors.NotFound:
>>>>> +return dict(result=False)
>>>>> +
>>>>> +attr = groups_entry.get('schema-compat-lookup-sssd')
>>>> same here. It needs my patch 0112 too -- it changes ipa-adtrust-install
>>>> to write proper configuration options to slapi-nis configs.
>>> Done. Also, references to both relevant tickets
>>> https://fedorahosted.org/freeipa/ticket/3671 and
>>> https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.
>>>
>>> Updated patches attached.
>> Thanks. Few more comments now that I've run the ipa-advise with the plugins:
>>
>> 1. We need to put downloading the certificate to both plugins.
> Right, this is something that was documented on the wiki during the test
> day and I agree with Alexander it makes sense to be present in the advise
> tool as well.
Fixed. cacertdir_rehash script is also downloaded if necessary.

>> 2. The certificate needs to be specified in sssd.conf as well as ldap.conf
> Wouldn't it be better to just say that you need to make sure that the
> certificates are present in openldap's configured directories? That would
> cover not only SSSD but also all the tools like ldapsearch the admin might
> want to run for troubleshooting. Maybe a hint to run cacertdir_rehash
> would be nice.
Fixed. We agreed it is best to specify the defaults explicitly in config
files, while including a comment about a possible need for manual
modification of the script.

Patch 52 is updated, patch 53 needed a rebase. The whole updated patch set
is attached.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 2858f368ceb504540b67d83d9abb550178354687 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 1 Aug 2013 14:12:39 +0200
Subject: [PATCH] Add ipa-advise plugins for legacy clients

Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in the trusted domain.

Since the configuration steps differ depending on whether the platform
includes the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these systems include the authconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
---
 freeipa.spec.in                                | 3 +
 install/configure.ac                           | 2 +
 install/share/Makefile.am                      | 4 +
 install/share/advise/Makefile.am               | 17 +++
 install/share/advise/legacy/Makefile.am        | 15 +++
 install/share/advise/legacy/pam.conf.template  | 22 
 install/share/advise/legacy/sssd.conf.template | 13 ++
 ipaserver/advise/plugins/legacy_clients.py     | 163 +
 8 files changed, 239 insertions(+)
 create mode 100644 install/share/advise/Makefile.am
 create mode 100644 install/share/advise/legacy/Makefile.am
 create mode 100644 install/share/advise/legacy/pam.conf.template
 create mode 100644 install/share/advise/legacy/sssd.conf.template
 create mode 100644 ipaserver/advise/plugins/legacy_clients.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0afcdae86ee2b9a7b603df3d3bdb1499916ecd0c..d4f90c7d8dceab61095e477d5daaec1cfe4eebec 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -630,6 +630,9 @@ fi %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template +%dir %{_usr}/share/ipa/advise +%dir %{_usr}/share/ipa/advise/legacy +%{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index fca4c6991db63de17c47aa8d86e1d910ac09d47e..29254e6edfb9874ead9b37cc2d310a86fbfa0060 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -85,6 +85,8 @@ AC_CONFIG_FILES([ html/Makefile migration/Makefile share/Makefile +share/advise/Makefile +share/advise/legacy/Makefile ui/Makefile ui/src/Makefile ui/src/libs/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 1e56d2c530375c371cd5e66b4e83d2c13bc86e77..5fff55bd1281d232858df679e7dfd9f84e4545ec 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -1,5 +1,9 @@ NULL = +SUBDIRS = \ + advise\ + $(NULL) + appdir = $(IPA_DATA_DIR) app_DATA =\ 05rfc2247.ldif \ diff --git a/install/share/advise/Makefile.am
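Review bot: the visible part of this patch stops at `diff --git a/install/share/advise/Makefile.am`, so the two new Makefile.am files, the two templates and the 163-line ipaserver/advise/plugins/legacy_clients.py listed in the diffstat cannot be reviewed from this excerpt, and the ACK in this thread has to be read as covering the attached file rather than what is shown here. What is visible is consistent with itself: install/configure.ac registers share/advise/Makefile and share/advise/legacy/Makefile, install/share/Makefile.am adds `advise` to SUBDIRS, and the spec adds `%dir` entries for both new directories plus `%{_usr}/share/ipa/advise/legacy/*.template`, which is where the diffstat puts pam.conf.template and sssd.conf.template.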
Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
On Fri, 02 Aug 2013, Ana Krivokapic wrote:
> On 08/01/2013 04:13 PM, Alexander Bokovoy wrote:
>> Hi!
>>
>> On Thu, 01 Aug 2013, Ana Krivokapic wrote:
>>> Hello,
> Thanks Alexander for the quick review!
>
>>> This patch adds ipa-advise plugins to help configure legacy clients for
>>> access to trusted domain resources. For more details, please read the
>>> commit message.
>>>
>>> Plugins are currently named config-redhat-sssd-before-1-9 and
>>> config-generic-sssd-before-1-9; suggestions for better names are welcome.
>>>
>>> Plugin content heavily inspired by
>>> https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.
>> I think it is a good start. Comments inline.
>>
>>> https://fedorahosted.org/freeipa/ticket/3671
>>> ---
>>> install/share/Makefile.am | 2 +
>>> install/share/pam.conf.template | 22 ++
>>> install/share/sssd.conf.template | 12 +++
>> I would imagine we would have multiple plugins that need their own
>> templates for pam.conf/sssd.conf. What about introducing
>> install/share/advise/<name>/*.template to avoid conflicts? In this case
>> you use the same templates for both plugins so you might have name as
>> 'legacy', for example. Another way is to have plugin name in the
>> template, e.g. legacy.sssd.conf.template.
> Done. I opted for the install/share/advise/<name>/*.template option. The
> changes are in the updated patch 52.
>
>>> +class config_redhat_sssd_before_1_9(Advice):
>>> +
>>> +Legacy client configuration for Red Hat based platforms.
>>> +
>>> +
>>> +description = ('Instructions for configuring a system with an old version '
>>> +'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
>>> +'instructions is targeted for platforms that include '
>>> +'the authconfig utility, which are all Red Hat based '
>>> +'platforms.')
>> You need to check that Schema Compatibility plugin is configured to
>> serve trusted domain users and groups.
>>
>> We have two trees:
>>
>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>
>> In both of the trees there should be schema-compat-lookup-sssd: user|group
>> attribute, with the value according to the tree (i.e. user for cn=users).
>>
>> If not, then suggest to run 'ipa-adtrust-install --enable-compat=true' on
>> the IPA server.
> Done. I added a new API command 'compat-is-enabled' (similar to
> 'adtrust-is-enabled') to facilitate checking whether the Schema
> Compatibility plugin is configured. 'compat-is-enabled' is called from the
> ipa-advise plugin and the suggestion to run 'ipa-adtrust-install
> --enable-compat' is printed as the first piece of advice, when appropriate.
>
> Patch 54 adds the new API command 'compat-is-enabled', while patch 53 is a
> small fix which enables IPA API commands to be run from the ipa-advise
> plugins.
>
>>> +
>>> +def get_info(self):
>>> +self.log.comment('Install the sssd and authconfig packages via yum')
>>> +self.log.command('yum install -y sssd authconfig\n')
>> You are using 'wget' below, it might make sense to add it into the above
>> line too.
> Fixed in patch 52.
>
>>> +
>>> +self.log.comment('Download the CA certificate of the IPA server')
>>> +self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
>>> +self.log.command('wget http://%s/ipa/config/ca.crt -O '
>>> +'/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
>>> +
>>> +self.log.comment('Generate hashes for the openldap library')
>>> +self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
>>> +
>>> +self.log.comment('Use the authconfig to configure nsswitch.conf '
>>> +'and the PAM stack')
>>> +self.log.command('authconfig --updateall --enablesssd '
>>> +'--enablesssdauth\n')
>>> +
>>> +self.log.comment('Configure SSSD')
>>> +self.log.command('cat /etc/sssd/sssd.conf EOF \n'
>>> +'%s\nEOF' % generate_sssd_conf())
>>> +self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
>>> +
>>> +self.log.comment('Start SSSD')
>>> +self.log.command('service sssd start')
>> Would it make sense to also add instructions to restore SELinux context
>> (if needed)? I'm not sure, just throwing the idea for consideration.
> I am not sure about this either so I will wait for more opinions about
> this.
>
>> Same comments go for the second plugin.
> I also refactored the plugin a bit (added a new base class to avoid code
> duplication).
>
> Updated patches are attached. Patch 52 depends on patches 53 and 54.
One small comment: I've refactored slapi-nis code to make it more generic
and references to sssd in the configuration options went away, so please
change this part too:

> +attr = users_entry.get('schema-compat-lookup-sssd')
to
+attr = users_entry.get('schema-compat-lookup-nsswitch')

> +if not attr or 'user' not in attr:
> +return dict(result=False)
> +
> +try:
> +groups_entry = ldap.get_entry(groups_dn)
> +except errors.NotFound:
> +return
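The check Alexander asks for in his first review (both Schema Compatibility subtrees present, each with the right lookup value) and the attribute rename he asks for in the message above, written out as a stand-alone example. This is added code, not FreeIPA's `compat-is-enabled` command or the ipa-advise plugin from the patches: the LDAP entries are passed in as plain dicts (constructed sample data standing in for `ldap.get_entry()`), and `generate_advice()`, its `comment`/`command` helpers, the host `ipa.example.test` and the base DN `dc=example,dc=test` are placeholders. The generated sssd.conf also names `ldap_tls_cacertdir` explicitly, which is the spell-out-the-defaults approach agreed on in this thread.

```python
"""Added example, not FreeIPA's own code: the Schema Compatibility check
discussed in this thread and the advice script a legacy-client plugin
would print, as plain Python that runs without an IPA server.

Assumptions (placeholders, not the ipa-advise API): LDAP entries are
passed in as dicts keyed by DN, the host is ipa.example.test and the
base DN is dc=example,dc=test.
"""
from string import Template

COMPAT_BASE = 'cn=Schema Compatibility,cn=plugins,cn=config'
# Attribute name after the slapi-nis rename; older servers still carry
# 'schema-compat-lookup-sssd'.
LOOKUP_ATTR = 'schema-compat-lookup-nsswitch'

# Constructed sample of the two subtrees as they look after
# 'ipa-adtrust-install --enable-compat=true' has run on the server.
SAMPLE_ENTRIES = {
    'cn=users,' + COMPAT_BASE: {LOOKUP_ATTR: ['user']},
    'cn=groups,' + COMPAT_BASE: {LOOKUP_ATTR: ['group']},
}


def compat_is_enabled(entries):
    """True only if both subtrees exist and each serves its own object kind.

    A missing subtree (errors.NotFound in the real plugin) or a missing
    or wrong attribute value means the compat tree does not expose
    trusted domain users/groups and the legacy client resolves nothing.
    """
    for container, expected in (('users', 'user'), ('groups', 'group')):
        entry = entries.get('cn=%s,%s' % (container, COMPAT_BASE))
        if entry is None:
            return False
        if expected not in (entry.get(LOOKUP_ATTR) or []):
            return False
    return True


# Same shape as the patch's sssd.conf.template, plus an explicit trust
# store so the file states which CA directory the LDAP bind is verified
# against (the directory cacertdir_rehash fills).
SSSD_CONF = Template("""\
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://$IPA_SERVER_HOSTNAME
ldap_search_base = cn=compat,$BASE_DN
ldap_tls_cacertdir = $CACERT_DIR""")


def generate_advice(entries, ipa_host, base_dn,
                    cacert_dir='/etc/openldap/cacerts'):
    """Return the advice script as one string; the compat hint comes first."""
    lines = []

    def comment(text):
        lines.append('# ' + text)

    def command(text):
        lines.append(text)

    if not compat_is_enabled(entries):
        comment('Schema Compatibility plugin does not serve trusted domain '
                'users and groups; run this on the IPA server first')
        command('ipa-adtrust-install --enable-compat=true')
        lines.append('')

    comment('Install the sssd, authconfig and wget packages via yum')
    command('yum install -y sssd authconfig wget')
    lines.append('')
    comment('Download the CA certificate of the IPA server')
    command('mkdir -p -m 755 %s' % cacert_dir)
    command('wget http://%s/ipa/config/ca.crt -O %s/ipa.crt'
            % (ipa_host, cacert_dir))
    comment('The download is not authenticated: compare this fingerprint '
            'with one obtained from the IPA server out of band first')
    command('openssl x509 -in %s/ipa.crt -noout -fingerprint -sha256'
            % cacert_dir)
    lines.append('')
    comment('Generate hashes for the openldap library')
    command('cacertdir_rehash %s/' % cacert_dir)
    lines.append('')
    comment('Use authconfig to configure nsswitch.conf and the PAM stack')
    command('authconfig --updateall --enablesssd --enablesssdauth')
    lines.append('')
    comment('Configure SSSD')
    conf = SSSD_CONF.substitute(IPA_SERVER_HOSTNAME=ipa_host,
                                BASE_DN=base_dn, CACERT_DIR=cacert_dir)
    command("cat > /etc/sssd/sssd.conf <<'EOF'\n%s\nEOF" % conf)
    command('chmod 0600 /etc/sssd/sssd.conf')
    lines.append('')
    comment('Start SSSD')
    command('service sssd start')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(generate_advice(SAMPLE_ENTRIES, 'ipa.example.test',
                          'dc=example,dc=test'))
```

Running the module prints the script for a server where compat is enabled; drop one of the two entries from `SAMPLE_ENTRIES` and the `ipa-adtrust-install --enable-compat=true` hint appears as the first step, which is the ordering Ana describes for the real plugin.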
Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
On 08/05/2013 02:57 PM, Alexander Bokovoy wrote:
> On Fri, 02 Aug 2013, Ana Krivokapic wrote:
>> On 08/01/2013 04:13 PM, Alexander Bokovoy wrote:
>>> Hi!
>>>
>>> On Thu, 01 Aug 2013, Ana Krivokapic wrote:
>>>> Hello,
>> Thanks Alexander for the quick review!
>>
>>>> This patch adds ipa-advise plugins to help configure legacy clients for
>>>> access to trusted domain resources. For more details, please read the
>>>> commit message.
>>>>
>>>> Plugins are currently named config-redhat-sssd-before-1-9 and
>>>> config-generic-sssd-before-1-9; suggestions for better names are welcome.
>>>>
>>>> Plugin content heavily inspired by
>>>> https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.
>>> I think it is a good start. Comments inline.
>>>
>>>> https://fedorahosted.org/freeipa/ticket/3671
>>>> ---
>>>> install/share/Makefile.am | 2 +
>>>> install/share/pam.conf.template | 22 ++
>>>> install/share/sssd.conf.template | 12 +++
>>> I would imagine we would have multiple plugins that need their own
>>> templates for pam.conf/sssd.conf. What about introducing
>>> install/share/advise/<name>/*.template to avoid conflicts? In this case
>>> you use the same templates for both plugins so you might have name as
>>> 'legacy', for example. Another way is to have plugin name in the
>>> template, e.g. legacy.sssd.conf.template.
>> Done. I opted for the install/share/advise/<name>/*.template option. The
>> changes are in the updated patch 52.
>>
>>>> +class config_redhat_sssd_before_1_9(Advice):
>>>> +
>>>> +Legacy client configuration for Red Hat based platforms.
>>>> +
>>>> +
>>>> +description = ('Instructions for configuring a system with an old version '
>>>> +'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
>>>> +'instructions is targeted for platforms that include '
>>>> +'the authconfig utility, which are all Red Hat based '
>>>> +'platforms.')
>>> You need to check that Schema Compatibility plugin is configured to
>>> serve trusted domain users and groups.
>>>
>>> We have two trees:
>>>
>>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>>
>>> In both of the trees there should be schema-compat-lookup-sssd: user|group
>>> attribute, with the value according to the tree (i.e. user for cn=users).
>>>
>>> If not, then suggest to run 'ipa-adtrust-install --enable-compat=true' on
>>> the IPA server.
>> Done. I added a new API command 'compat-is-enabled' (similar to
>> 'adtrust-is-enabled') to facilitate checking whether the Schema
>> Compatibility plugin is configured. 'compat-is-enabled' is called from the
>> ipa-advise plugin and the suggestion to run 'ipa-adtrust-install
>> --enable-compat' is printed as the first piece of advice, when appropriate.
>>
>> Patch 54 adds the new API command 'compat-is-enabled', while patch 53 is a
>> small fix which enables IPA API commands to be run from the ipa-advise
>> plugins.
>>
>>>> +
>>>> +def get_info(self):
>>>> +self.log.comment('Install the sssd and authconfig packages via yum')
>>>> +self.log.command('yum install -y sssd authconfig\n')
>>> You are using 'wget' below, it might make sense to add it into the above
>>> line too.
>> Fixed in patch 52.
>>
>>>> +
>>>> +self.log.comment('Download the CA certificate of the IPA server')
>>>> +self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
>>>> +self.log.command('wget http://%s/ipa/config/ca.crt -O '
>>>> +'/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
>>>> +
>>>> +self.log.comment('Generate hashes for the openldap library')
>>>> +self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
>>>> +
>>>> +self.log.comment('Use the authconfig to configure nsswitch.conf '
>>>> +'and the PAM stack')
>>>> +self.log.command('authconfig --updateall --enablesssd '
>>>> +'--enablesssdauth\n')
>>>> +
>>>> +self.log.comment('Configure SSSD')
>>>> +self.log.command('cat /etc/sssd/sssd.conf EOF \n'
>>>> +'%s\nEOF' % generate_sssd_conf())
>>>> +self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
>>>> +
>>>> +self.log.comment('Start SSSD')
>>>> +self.log.command('service sssd start')
>>> Would it make sense to also add instructions to restore SELinux context
>>> (if needed)? I'm not sure, just throwing the idea for consideration.
>> I am not sure about this either so I will wait for more opinions about
>> this.
>>
>>> Same comments go for the second plugin.
>> I also refactored the plugin a bit (added a new base class to avoid code
>> duplication).
>>
>> Updated patches are attached. Patch 52 depends on patches 53 and 54.
> One small comment: I've refactored slapi-nis code to make it more generic
> and references to sssd in the configuration options went away, so please
> change this part too:
>
>> +attr = users_entry.get('schema-compat-lookup-sssd')
> to
> +attr = users_entry.get('schema-compat-lookup-nsswitch')
>
>> +if not attr or 'user' not in attr:
>> +return
Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
On Mon, 05 Aug 2013, Ana Krivokapic wrote:
>>> +except errors.NotFound:
>>> +return dict(result=False)
>>> +
>>> +attr = groups_entry.get('schema-compat-lookup-sssd')
>> same here. It needs my patch 0112 too -- it changes ipa-adtrust-install
>> to write proper configuration options to slapi-nis configs.
> Done. Also, references to both relevant tickets
> https://fedorahosted.org/freeipa/ticket/3671 and
> https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.
>
> Updated patches attached.
Thanks. Few more comments now that I've run the ipa-advise with the plugins:

1. We need to put downloading the certificate to both plugins.
2. The certificate needs to be specified in sssd.conf as well as ldap.conf

Also it would be nice to actually reformat comments to be shorter. I think
it should be done on a framework level -- we have the code for that
already in the CLI handlers. Additionally, plugin writers may want to have
'verbatim' comments, i.e. which would resist reformatting.

The same reformatting should be applied to the list of advises shown by
'ipa-advise' by default. It is now a bit unreadable.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
On Mon, Aug 05, 2013 at 09:55:26PM +0300, Alexander Bokovoy wrote:
> On Mon, 05 Aug 2013, Ana Krivokapic wrote:
>>>> +except errors.NotFound:
>>>> +return dict(result=False)
>>>> +
>>>> +attr = groups_entry.get('schema-compat-lookup-sssd')
>>> same here. It needs my patch 0112 too -- it changes ipa-adtrust-install
>>> to write proper configuration options to slapi-nis configs.
>> Done. Also, references to both relevant tickets
>> https://fedorahosted.org/freeipa/ticket/3671 and
>> https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.
>>
>> Updated patches attached.
> Thanks. Few more comments now that I've run the ipa-advise with the plugins:
>
> 1. We need to put downloading the certificate to both plugins.
Right, this is something that was documented on the wiki during the test
day and I agree with Alexander it makes sense to be present in the advise
tool as well.

> 2. The certificate needs to be specified in sssd.conf as well as ldap.conf
Wouldn't it be better to just say that you need to make sure that the
certificates are present in openldap's configured directories? That would
cover not only SSSD but also all the tools like ldapsearch the admin might
want to run for troubleshooting. Maybe a hint to run cacertdir_rehash
would be nice.
Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
On 08/01/2013 04:13 PM, Alexander Bokovoy wrote:
> Hi!
>
> On Thu, 01 Aug 2013, Ana Krivokapic wrote:
>> Hello,
Thanks Alexander for the quick review!

>> This patch adds ipa-advise plugins to help configure legacy clients for
>> access to trusted domain resources. For more details, please read the
>> commit message.
>>
>> Plugins are currently named config-redhat-sssd-before-1-9 and
>> config-generic-sssd-before-1-9; suggestions for better names are welcome.
>>
>> Plugin content heavily inspired by
>> https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.
> I think it is a good start. Comments inline.
>
>> https://fedorahosted.org/freeipa/ticket/3671
>> ---
>> install/share/Makefile.am | 2 +
>> install/share/pam.conf.template | 22 ++
>> install/share/sssd.conf.template | 12 +++
> I would imagine we would have multiple plugins that need their own
> templates for pam.conf/sssd.conf. What about introducing
> install/share/advise/<name>/*.template to avoid conflicts? In this case
> you use the same templates for both plugins so you might have name as
> 'legacy', for example. Another way is to have plugin name in the
> template, e.g. legacy.sssd.conf.template.
Done. I opted for the install/share/advise/<name>/*.template option. The
changes are in the updated patch 52.

>> +class config_redhat_sssd_before_1_9(Advice):
>> +
>> +Legacy client configuration for Red Hat based platforms.
>> +
>> +
>> +description = ('Instructions for configuring a system with an old version '
>> +'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
>> +'instructions is targeted for platforms that include '
>> +'the authconfig utility, which are all Red Hat based '
>> +'platforms.')
> You need to check that Schema Compatibility plugin is configured to
> serve trusted domain users and groups.
>
> We have two trees:
>
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>
> In both of the trees there should be schema-compat-lookup-sssd: user|group
> attribute, with the value according to the tree (i.e. user for cn=users).
>
> If not, then suggest to run 'ipa-adtrust-install --enable-compat=true' on
> the IPA server.
Done. I added a new API command 'compat-is-enabled' (similar to
'adtrust-is-enabled') to facilitate checking whether the Schema
Compatibility plugin is configured. 'compat-is-enabled' is called from the
ipa-advise plugin and the suggestion to run 'ipa-adtrust-install
--enable-compat' is printed as the first piece of advice, when appropriate.

Patch 54 adds the new API command 'compat-is-enabled', while patch 53 is a
small fix which enables IPA API commands to be run from the ipa-advise
plugins.

>> +
>> +def get_info(self):
>> +self.log.comment('Install the sssd and authconfig packages via yum')
>> +self.log.command('yum install -y sssd authconfig\n')
> You are using 'wget' below, it might make sense to add it into the above
> line too.
Fixed in patch 52.

>> +
>> +self.log.comment('Download the CA certificate of the IPA server')
>> +self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
>> +self.log.command('wget http://%s/ipa/config/ca.crt -O '
>> +'/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
>> +
>> +self.log.comment('Generate hashes for the openldap library')
>> +self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
>> +
>> +self.log.comment('Use the authconfig to configure nsswitch.conf '
>> +'and the PAM stack')
>> +self.log.command('authconfig --updateall --enablesssd '
>> +'--enablesssdauth\n')
>> +
>> +self.log.comment('Configure SSSD')
>> +self.log.command('cat /etc/sssd/sssd.conf EOF \n'
>> +'%s\nEOF' % generate_sssd_conf())
>> +self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
>> +
>> +self.log.comment('Start SSSD')
>> +self.log.command('service sssd start')
> Would it make sense to also add instructions to restore SELinux context
> (if needed)? I'm not sure, just throwing the idea for consideration.
I am not sure about this either so I will wait for more opinions about
this.

> Same comments go for the second plugin.
I also refactored the plugin a bit (added a new base class to avoid code
duplication).

Updated patches are attached. Patch 52 depends on patches 53 and 54.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 51aecf2a07bc889737ddda4a882e400030c57944 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 1 Aug 2013 14:12:39 +0200
Subject: [PATCH] Add ipa-advise plugins for legacy clients

Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to
[Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
Hello,

This patch adds ipa-advise plugins to help configure legacy clients for
access to trusted domain resources. For more details, please read the
commit message.

Plugins are currently named config-redhat-sssd-before-1-9 and
config-generic-sssd-before-1-9; suggestions for better names are welcome.

Plugin content heavily inspired by
https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 32cb59f102596f391226dd3106f91f406ea52659 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 1 Aug 2013 14:12:39 +0200
Subject: [PATCH] Add ipa-advise plugins for legacy clients

Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in the trusted domain.

Since the configuration steps differ depending on whether the platform
includes the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these systems include the authconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
---
 install/share/Makefile.am                  | 2 +
 install/share/pam.conf.template            | 22 ++
 install/share/sssd.conf.template           | 12 +++
 ipaserver/advise/plugins/legacy_clients.py | 117 +
 4 files changed, 153 insertions(+)
 create mode 100644 install/share/pam.conf.template
 create mode 100644 install/share/sssd.conf.template
 create mode 100644 ipaserver/advise/plugins/legacy_clients.py

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 1e56d2c530375c371cd5e66b4e83d2c13bc86e77..906f8a8b118ccd26bd19421047d14c09bec2f8f2 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -64,6 +64,8 @@ app_DATA =\ copy-schema-to-ca.py \ upload-cacert.ldif \ sasl-mapping-fallback.ldif \ + sssd.conf.template \ + pam.conf.template \ $(NULL) EXTRA_DIST =\ diff --git a/install/share/pam.conf.template b/install/share/pam.conf.template new file mode 100644 index ..bdd91821eb6d8259d7f03a6eac78fc264b0cafa8 --- /dev/null +++ b/install/share/pam.conf.template @@ -0,0 +1,22 @@ +authrequired pam_env.so +authsufficientpam_unix.so nullok try_first_pass +authrequisite pam_succeed_if.so uid = 500 quiet +authsufficientpam_sss.so use_first_pass +authrequired pam_deny.so + +account required pam_unix.so broken_shadow +account sufficientpam_localuser.so +account sufficientpam_succeed_if.so uid 500 quiet +account [default=bad success=ok user_unknown=ignore] pam_sss.so +account required pam_permit.so + +passwordrequisite pam_cracklib.so try_first_pass retry=3 type= +passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass use_authtok +passwordsufficientpam_sss.so use_authtok +passwordrequired pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so +session optional pam_sss.so diff --git a/install/share/sssd.conf.template b/install/share/sssd.conf.template new file mode 100644 index ..764e853a42edd913d0a8138202b1fdd055ff2ff4 --- /dev/null +++ b/install/share/sssd.conf.template @@ -0,0 +1,12 @@ +[sssd] +services = nss, pam +config_file_version = 2 +domains = default +re_expression = (?Pname.+) + +[domain/default] +cache_credentials = True +id_provider = ldap +auth_provider = ldap +ldap_uri = ldap://$IPA_SERVER_HOSTNAME +ldap_search_base = cn=compat,$BASE_DN diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py new file mode 100644 index ..00b310bf42157e3084c3d3b6fc281c91df018724 --- /dev/null +++ b/ipaserver/advise/plugins/legacy_clients.py 
@@ -0,0 +1,117 @@ +# Authors: Ana Krivokapic akriv...@redhat.com +# +# Copyright (C) 2013 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +#
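Review bot: in the sssd.conf.template hunk, `auth_provider = ldap` with `ldap_uri = ldap://$IPA_SERVER_HOSTNAME` means user passwords travel in an LDAP simple bind, and the template names no CA (`ldap_tls_cacert` or `ldap_tls_cacertdir`), so whether that bind is protected by StartTLS against the right CA rests entirely on the OpenLDAP default directory that the plugin's cacertdir_rehash step fills. Make that dependency visible in the file, e.g. `ldap_tls_cacertdir = /etc/openldap/cacerts`, so a reader of sssd.conf can see which trust anchor it relies on; this is also what the thread settles on ("specify the defaults explicitly in config files"). Separately, `re_expression = (?Pname.+)` as rendered here has lost the `<name>` markers of `(?P<name>.+)`, a pattern that does not compile under PCRE, so confirm the committed file is intact.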
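Review bot: in the pam.conf.template hunk the two pam_succeed_if lines read `uid = 500` (auth stack) and `uid 500` (account stack) as rendered, i.e. the `>=` and `<` operators are missing; read literally, the auth line is an equality test that lets only UID 500 fall through to `pam_sss.so use_first_pass` and sends every other directory user to `pam_deny.so`, so confirm the committed template reads `uid >= 500` and `uid < 500`. The 500 boundary is also hard-coded in the template while the rest of the Red Hat plugin delegates the stack to `authconfig --updateall`; a one-line comment in the template saying which platform's minimum UID it assumes would save the next person from applying it where local accounts start elsewhere.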
Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients
Hi!

On Thu, 01 Aug 2013, Ana Krivokapic wrote:
> Hello,
>
> This patch adds ipa-advise plugins to help configure legacy clients for
> access to trusted domain resources. For more details, please read the
> commit message.
>
> Plugins are currently named config-redhat-sssd-before-1-9 and
> config-generic-sssd-before-1-9; suggestions for better names are welcome.
>
> Plugin content heavily inspired by
> https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.
I think it is a good start. Comments inline.

> https://fedorahosted.org/freeipa/ticket/3671
> ---
> install/share/Makefile.am | 2 +
> install/share/pam.conf.template | 22 ++
> install/share/sssd.conf.template | 12 +++
I would imagine we would have multiple plugins that need their own
templates for pam.conf/sssd.conf. What about introducing
install/share/advise/<name>/*.template to avoid conflicts? In this case
you use the same templates for both plugins so you might have name as
'legacy', for example. Another way is to have plugin name in the
template, e.g. legacy.sssd.conf.template.

> +class config_redhat_sssd_before_1_9(Advice):
> +
> +Legacy client configuration for Red Hat based platforms.
> +
> +
> +description = ('Instructions for configuring a system with an old version '
> +'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
> +'instructions is targeted for platforms that include '
> +'the authconfig utility, which are all Red Hat based '
> +'platforms.')
You need to check that Schema Compatibility plugin is configured to
serve trusted domain users and groups.

We have two trees:

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

In both of the trees there should be schema-compat-lookup-sssd: user|group
attribute, with the value according to the tree (i.e. user for cn=users).

If not, then suggest to run 'ipa-adtrust-install --enable-compat=true' on
the IPA server.

> +
> +def get_info(self):
> +self.log.comment('Install the sssd and authconfig packages via yum')
> +self.log.command('yum install -y sssd authconfig\n')
You are using 'wget' below, it might make sense to add it into the above
line too.

> +
> +self.log.comment('Download the CA certificate of the IPA server')
> +self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
> +self.log.command('wget http://%s/ipa/config/ca.crt -O '
> +'/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
> +
> +self.log.comment('Generate hashes for the openldap library')
> +self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
> +
> +self.log.comment('Use the authconfig to configure nsswitch.conf '
> +'and the PAM stack')
> +self.log.command('authconfig --updateall --enablesssd '
> +'--enablesssdauth\n')
> +
> +self.log.comment('Configure SSSD')
> +self.log.command('cat /etc/sssd/sssd.conf EOF \n'
> +'%s\nEOF' % generate_sssd_conf())
> +self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
> +
> +self.log.comment('Start SSSD')
> +self.log.command('service sssd start')
Would it make sense to also add instructions to restore SELinux context
(if needed)? I'm not sure, just throwing the idea for consideration.

Same comments go for the second plugin.

-- 
/ Alexander Bokovoy
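Review bot: in the quoted get_info the trust anchor every later LDAP connection is verified against is fetched with `wget http://%s/ipa/config/ca.crt` over plain HTTP and dropped straight into /etc/openldap/cacerts before cacertdir_rehash, with nothing in the advice checking what arrived; anyone who can answer that HTTP request while the client is being set up can plant their own CA and then impersonate the IPA LDAP server to this client for as long as the file stays there. The advice should tell the admin to compare the file's fingerprint with one obtained from the IPA server out of band (or to copy the certificate from an already enrolled host) before running cacertdir_rehash, and the same applies to the second plugin. Also, `cat /etc/sssd/sssd.conf EOF` as rendered here has lost its `<<` heredoc operator; worth checking the actual source, since without it the command reads sssd.conf instead of writing it.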