[Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 1 14:13:07 UTC 2013


Hi!

On Thu, 01 Aug 2013, Ana Krivokapic wrote:
>Hello,
>
>This patch adds ipa-advise plugins to help configure legacy clients for access
>to trusted domain resources. For more details, please read the commit message.
>Plugins are currently named "config-redhat-sssd-before-1-9" and
>"config-generic-sssd-before-1-9"; suggestions for better names are welcome.
>
>Plugin content heavily inspired by
>https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.
I think it is a good start. Comments inline.

>https://fedorahosted.org/freeipa/ticket/3671
>---
> install/share/Makefile.am                  |   2 +
> install/share/pam.conf.template            |  22 ++++++
> install/share/sssd.conf.template           |  12 +++
I would imagine we would have multiple plugins that need their own
templates for pam.conf/sssd.conf. What about introducing
install/share/advise/<name>/*.template to avoid conflicts?

In this case you use the same templates for both plugins so you might
have <name> as 'legacy', for example.

Another way is to have plugin name in the template, e.g.
legacy.sssd.conf.template.

>+class config_redhat_sssd_before_1_9(Advice):
>+    """
>+    Legacy client configuration for Red Hat based platforms.
>+    """
>+
>+    description = ('Instructions for configuring a system with an old version '
>+                   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
>+                   'instructions is targeted for platforms that include '
>+                   'the authconfig utility, which are all Red Hat based '
>+                   'platforms.')
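Review bot: the `description` string says only that the plugin configures a client with an old SSSD (1.5-1.8), but nothing about the purpose stated in the commit message, access to trusted domain users and groups through the Schema Compatibility tree; an ipa-advise user reading this description has no hint that the advice is trust-specific or that the IPA server has to be prepared first. Suggest extending it along the lines of "... as a FreeIPA client that resolves users and groups from trusted domains via the Schema Compatibility plugin", and folding the one-line class docstring into it rather than keeping two overlapping texts.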
You need to check that Schema Compatibility plugin is configured to
serve trusted domain users and groups.

We have two trees:
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

In both of the trees there should be a

    schema-compat-lookup-sssd: <user|group>

attribute, with the value according to the tree (i.e. user for
cn=users).

If not, then suggest running 'ipa-adtrust-install --enable-compat=true'
on the IPA server.

>+
>+    def get_info(self):
>+        self.log.comment('Install the sssd and authconfig packages via yum')
>+        self.log.command('yum install -y sssd authconfig\n')
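Review bot: `yum install -y sssd authconfig` installs or updates to whatever SSSD version the configured repositories provide, while the description targets SSSD 1.5-1.8; on a host whose repositories carry a newer SSSD this step silently pulls in a version the sssd.conf template in this patch was not written for. Suggest making the comment say that the platform's existing SSSD is expected and that the command only ensures the packages are present, or dropping `sssd` from it and installing just the tools the rest of the instructions need.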
You are using 'wget' below; it might make sense to add it to the above
line too.

>+
>+        self.log.comment('Download the CA certificate of the IPA server')
>+        self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
>+        self.log.command('wget http://%s/ipa/config/ca.crt -O '
>+                         '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
>+
>+        self.log.comment('Generate hashes for the openldap library')
>+        self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
>+
>+        self.log.comment('Use the authconfig to configure nsswitch.conf '
>+                         'and the PAM stack')
>+        self.log.command('authconfig --updateall --enablesssd '
>+                         '--enablesssdauth\n')
>+
>+        self.log.comment('Configure SSSD')
>+        self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
>+                         '%s\nEOF' % generate_sssd_conf())
>+        self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
>+
>+        self.log.comment('Start SSSD')
>+        self.log.command('service sssd start')
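Review bot: the CA certificate is fetched with `wget http://%s/ipa/config/ca.crt` over plain HTTP and then made the trust anchor for the client's LDAP connections with no verification at all, so anyone who can tamper with that download can hand the client their own CA; suggest adding a step that checks the downloaded file against the server's CA (for example comparing `openssl x509 -in /etc/openldap/cacerts/ipa.crt -noout -fingerprint` with the fingerprint of the CA on the IPA server) or at least a comment that the download must happen over a trusted path. Two smaller points in the same hunk: `/etc/sssd/sssd.conf` is written by `cat > ... << EOF` before the `chmod 0600`, so with a permissive umask its contents are briefly readable by other local users; create it with restricted permissions first (`umask 077` in a subshell, or `install -m 0600 /dev/null /etc/sssd/sssd.conf` before the `cat`), and quote the heredoc delimiter (`<< 'EOF'`) so that a `$` in the generated configuration is not expanded by the shell. Finally, `service sssd start` starts the daemon once but nothing enables it at boot; `chkconfig sssd on` belongs next to it.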
Would it make sense to also add instructions to restore SELinux context
(if needed)? I'm not sure, just throwing the idea for consideration.

Same comments go for the second plugin.

-- 
/ Alexander Bokovoy
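The server-side check described in the reply above (both Schema Compatibility subtrees must carry schema-compat-lookup-sssd with the matching value, otherwise the client advice should first point at 'ipa-adtrust-install --enable-compat=true'), as an added example that is not part of the patch or of FreeIPA itself. It assumes the two config DNs and the attribute name exactly as given in the reply; the LDAP entries are constructed sample data standing in for the decoded result of a search under cn=config, which on a real server needs Directory Manager credentials, and the advice output only imitates the comment/command style of ipa-advise rather than using its API.

```python
"""Check that the Schema Compatibility plugin on an IPA server is configured
to serve trusted domain users and groups through SSSD, and build the advice
a legacy-client plugin should print when it is not.

Added example, not code from the patch or from FreeIPA.  The DNs and the
schema-compat-lookup-sssd attribute come from the review; the entries below
are constructed test data, not a real server's cn=config.
"""

COMPAT_BASE = "cn=Schema Compatibility,cn=plugins,cn=config"

# Expected value of schema-compat-lookup-sssd in each subtree (per the review).
EXPECTED = {
    "cn=users,%s" % COMPAT_BASE: "user",
    "cn=groups,%s" % COMPAT_BASE: "group",
}


def check_schema_compat(entries):
    """Return a list of problems; an empty list means both subtrees are ready.

    `entries` maps a DN to a dict of attribute -> list of string values, the
    shape a decoded LDAP search result has.  Attribute names are compared
    case-insensitively because LDAP attribute types are.
    """
    problems = []
    for dn, want in EXPECTED.items():
        attrs = entries.get(dn)
        if attrs is None:
            problems.append("%s: entry missing (compat plugin not configured)" % dn)
            continue
        lowered = {k.lower(): v for k, v in attrs.items()}
        values = [v.lower() for v in lowered.get("schema-compat-lookup-sssd", [])]
        if not values:
            problems.append("%s: schema-compat-lookup-sssd not set" % dn)
        elif values != [want]:
            problems.append("%s: schema-compat-lookup-sssd is %r, expected %r"
                            % (dn, values, want))
    return problems


def advice_for(problems, server):
    """Lines to print before the client instructions: '#' comments plus the
    remediation command from the review when something is wrong."""
    if not problems:
        return ["# Schema Compatibility plugin serves trusted domain users and groups."]
    lines = ["# Schema Compatibility plugin is not ready for trusted domain lookups:"]
    lines += ["#   " + p for p in problems]
    lines.append("# Run the following on the IPA server %s before continuing:" % server)
    lines.append("ipa-adtrust-install --enable-compat=true")
    return lines


# Constructed sample data: a server where the compat tree was enabled for
# SSSD lookups (GOOD) and one left at defaults / half configured (BAD).
GOOD = {
    "cn=users,%s" % COMPAT_BASE: {"cn": ["users"], "schema-compat-lookup-sssd": ["user"]},
    "cn=groups,%s" % COMPAT_BASE: {"cn": ["groups"], "schema-compat-lookup-sssd": ["group"]},
}
BAD = {
    "cn=users,%s" % COMPAT_BASE: {"cn": ["users"]},
    "cn=groups,%s" % COMPAT_BASE: {"cn": ["groups"], "schema-compat-lookup-sssd": ["user"]},
}

if __name__ == "__main__":
    for label, tree in (("good", GOOD), ("bad", BAD)):
        print("== %s ==" % label)
        print("\n".join(advice_for(check_schema_compat(tree), "ipa.example.test")))
```

In a real plugin the `entries` argument would be filled from an LDAP search of the two DNs; the check itself is deliberately independent of how they were fetched so it can be unit-tested with dictionaries like the ones above.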