[Freeipa-devel] [PATCH] 0075 Add ipa-advise plugins for nss-pam-ldapd legacy clients

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 17 20:29:38 UTC 2013


On Thu, 17 Oct 2013, Ana Krivokapic wrote:

>Hello,
>
>This patch adds ipa-advise plugins for configuring legacy clients using
>nss-pam-ldapd.
>
>https://fedorahosted.org/freeipa/ticket/3672
Thanks. Looks good. I have one comment below.

>+class config_freebsd_nss_pam_ldapd(config_base_legacy_client):
>+    """
>+    Legacy client configuration for FreeBSD, using nss-pam-ldapd.
>+    """
>+    description = ('Instructions for configuring a FreeBSD system with '
>+                   'nss-pam-ldapd. ')
>+
>+    def get_info(self):
>+        uri, base = self.get_uri_and_base()
>+        cacrt = '/usr/local/etc/ipatest.crt'
Is the cert file name correct? 'ipatest.crt'? Perhaps 'ipaca.crt'
would be a better name?


>+
>+        self.check_compat_plugin()
>+
>+        with open(os.path.join(
>+                SHARE_DIR,
>+                'advise',
>+                'legacy',
>+                'pam_conf_sshd.template')) as fd:
>+            pam_conf = fd.read()
>+
>+        self.log.comment('Install required packages')
>+        self.log.command('pkg_add -r nss-pam-ldapd curl\n')
>+
>+        self.configure_ca_cert(cacrt)
>+
>+        self.log.comment('Configure nsswitch.conf')
>+        self.log.command('sed -i \'\' -e \'s/^passwd:/passwd: files ldap/\' '
>+                         '/etc/nsswitch.conf')
>+        self.log.command('sed -i \'\' -e \'s/^group:/group: files ldap/\' '
>+                         '/etc/nsswitch.conf\n')
>+
>+        self.log.comment('Configure PAM stack for the sshd service')
>+        self.log.command('cat > /etc/pam.d/sshd << EOF \n'
>+                         '%s\nEOF\n' % pam_conf)
>+
>+        self.log.comment('Add automated start of nslcd to /etc/rc.conf')
>+        self.log.command('echo \'nslcd_enable="YES"\nnslcd_debug="NO"\' >> '
>+                         '/etc/rc.conf')
>+
>+        self.log.comment('Configure nslcd.conf:')
>+        self.log.command('echo "uid nslcd\n'
>+                         'gid nslcd\n'
>+                         'uri %s\n'
>+                         'base %s\n'
>+                         'scope sub\n'
>+                         'base group cn=groups,%s\n'
>+                         'base passwd cn=users,%s\n'
>+                         'base shadow cn=users,%s\n'
>+                         'ssl start_tls\n'
>+                         'tls_cacertfile %s\n" >  /usr/local/etc/nslcd.conf'
>+                         % ((uri,) + (base,)*4 + (cacrt,)))
>+
>+        self.log.comment('Configure ldap.conf:')
>+        self.log.command('echo "uri %s\nbase %s\nssl start_tls\ntls_cacert %s"'
>+                         '> /usr/local/etc/ldap.conf' % (uri, base, cacrt))
>+
>+        self.log.comment('Restart nslcd')
>+        self.log.command('/usr/local/etc/rc.d/nslcd restart')
>+
>+    def configure_ca_cert(self, cacrt):
>+        self.log.comment('Download the CA certificate of the IPA server')
>+        self.log.command('curl -k https://%s/ipa/config/ca.crt > '
>+                         '%s' % (api.env.host, cacrt))
>+
>+
>+api.register(config_freebsd_nss_pam_ldapd)
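Review bot: the CA download in configure_ca_cert uses `curl -k https://%s/ipa/config/ca.crt`, so the file that later becomes the trust anchor for `ssl start_tls` / `tls_cacertfile` in nslcd.conf and ldap.conf is fetched over a TLS connection whose server certificate is not verified; the generated instructions should at least tell the admin to compare the downloaded certificate's fingerprint with the one on the IPA server out of band before continuing, otherwise the start_tls protection that follows rests on an unverified download. Separately, the nsswitch.conf edits `s/^passwd:/passwd: files ldap/` and `s/^group:/group: files ldap/` prepend to the existing line rather than replace it, so a stock `passwd: compat` becomes `passwd: files ldap compat`; anchoring the pattern on the whole line, e.g. `s/^passwd:.*/passwd: files ldap/`, gives the intended result and is idempotent if the command is run twice.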

-- 
/ Alexander Bokovoy
