[Freeipa-users] FreeIPA + Foreman 1.5

Jan Cholasta jcholast at redhat.com
Fri Apr 25 07:44:37 UTC 2014


On 25.4.2014 09:07, Martin Kosek wrote:
> On 04/24/2014 10:46 PM, Dmitri Pal wrote:
>> On 04/23/2014 07:23 PM, Stephen Benjamin wrote:
> ...
>>>> I am not sure it is doing the right thing. In the blog you specify
>>>> bindpw for SUDO, this means you are configuring SUDO without SSSD
>>>> integration. If you use IPA it is a command switch on the
>>>> ipa-client-install command to enable sudo, ssh or automount integration
>>>> (at least in the latest versions of IPA). I think we should focus on that.
>>> I'm very interested in this...
>>>
>>> I wrote the ipaclient module a year ago to suit a specific need for me.
>>> I have some consulting customers who use it, but I haven't had much
>>> feedback about it from anyone. Suggestions for changes to how I do
>>> things would be much appreciated.
>>>
>>> The way ipaclient is doing things works on *everything*, from a 2-year
>>> old release of RH IdM, to the 3.4 nightly I tested not too long ago.
>>
>> Right. So this is where instead of relying on the command switches it might
>> make sense to run commands (if they are available).
>> I do not recall what the commands and switches are. This is where I need help
>> from Martin and Honza.
>> I know there is ipa-client-automount but I do not remember the names of the
>> similar commands for SSH, SUDO and SELinux integration.
>
> I updated FreeIPA.org Client article to hold the integration information:
>
> http://www.freeipa.org/page/Client#Integration

Updated the bit about SSHFP and added markup to prevent line wrapping in 
the middle of command and option names.

>
>>> It's used in the wild, so I can't just break the compatibility there -- but,
>>> can I use SSSD setup even on the older versions of IPA?  Do you have
>>> some info about how to get that working? If so, I'll gladly go to
>>> that.
>>
>> I need help here. Martin?
>
> I am not sure I understand the question. FreeIPA client compatibility is
> described on the wiki:
>
> http://www.freeipa.org/page/Client#Compatibility
>
> Are we talking about ipa-client-install options compatibility, or sssd.conf
> compatibility or even FreeIPA API compatibility?
>
>>>> https://fedorahosted.org/freeipa/ticket/3740
>
> This is just a convenient command to ipa-client-install. Separate
> ipa-client-automount is there since FreeIPA 3.0.
>
>>>> https://fedorahosted.org/freeipa/ticket/3358 <- but one can run command
>>>> after install to enable integration with SUDO
>>>>
>>>> Honza, martin can you please add the details about SSH and SELinux
>>>> integration
>
> Sorry I did not spot the question earlier, please see the referred article I
> just wrote. If there are questions, ask.

What Martin said.

>
>>>>> I haven't investigated automount, maybe it's something I can
>>>>> consider adding to the ipaclient puppet module.
>>>> I see it more as a part of the initial client setup and check boxes: do
>>>> you want SUDO integration y/n; do you want automount y/n; do you want
>>>> SELinux user mapping y/n; Do you want SSH integration y/n. Once you
>>>> deploy you usually do not change these things because they are dictated
>>>> by general policy rather than something that you turn on and off.
>>> Right, for this we'd need to extend the freeipa_snippet, and
>>> use Foreman parameters for these options.  I think it's a great idea,
>>> and something I'd gladly implement.  For Foreman 1.5, we've really
>>> fixed the templates now for the release, but this is something
>>> that could probably go into 1.5.1 if the details are hammered out.
>>
>> Martin & Honza please suggest how this can be accomplished using our commands.
>> I would assume we can assume we are dealing with 6.4 and later, right?
>
> If talking about IPA in 6.4 and older:
>
> automount - run ipa-client-automount after ipa-client-install
> SUDO - configure manually (details in
> https://fedorahosted.org/freeipa/ticket/3358). Though I am afraid that sssd in
> 6.4 does not have ipa sudo provider.

AFAIK you can use ldap sudo provider with IPA, see e.g. 
<http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>

> SSH - ready after ipa-client-install
> SELinux - this comes with ipa-client-install automatically, though I think it
> was very limited before 6.5 (https://bugzilla.redhat.com/show_bug.cgi?id=914433)
>
>>
>>>
>>> I'd really appreciate an issue opened about this.
>>
>> Where?
>>
>>>
>>> How do older versions of IPA respond to unknown options (say, if they don't
>>> support sudoers)?  I guess I need some kind of matrix of
>>> what's supported for each version, so that I can do the appropriate
>>> things.
>
> ipa-client-install will fail if an unknown option is passed.
>
> # ipa-client-install --foo
> Usage: ipa-client-install [options]
>
> ipa-client-install: error: no such option: --foo
>
>
>>
>> Yes we should pass right options to the right clients but maybe we can do some
>> kind of introspection based on the package version.
>> Something like:
>>
>> if ipa-client package version is greater than X:
>>     add options k, l, m
>> otherwise
>>    log that options k, l, m are not supported on the version
>>
>> if ipa-client package version is greater than Y:
>>     add options n, o, q, p
>> otherwise
>>    log that options n, o, q, p are not supported on the version
>>
>> That might be a script that is run on the system rather than a part of the
>> template and it would check the package version available and use only
>> applicable options. Again here I would like to hear the opinion of the list.
>
> It seems to me that all integration options are available in 6.4 (see above).
> The only exception is SUDO which needs to be configured manually:
>    - /etc/nsswitch.conf
>    - NIS domain name
>    - /etc/sssd/sssd.conf - configuration is different based on SSSD version. In
> 6.4 and 6.4, you need to manually configure SSSD SUDO LDAP provider (slide 12
> in http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf), in
> 6.6/7.0 you will be able to just add sudo service in SSSD and utilize SSSD SUDO
> IPA provider. With FreeIPA 4.0, you do not need to do anything, you have SUDO
> client configuration for free.
>
> HTH,
> Martin
>


-- 
Jan Cholasta
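The version-gated option selection Dmitri sketches above ("if ipa-client package version is greater than X: add options k, l, m, otherwise log that they are unsupported"), written out as a runnable POSIX sh script. This is an added example, not code from the thread, the ipaclient puppet module or the Foreman freeipa_snippet; the option-to-minimum-version pairs in it are assumed for illustration and must be checked against the Client article on the wiki before use.

```shell
#!/bin/sh
# Added example: build the ipa-client-install option list from the installed
# ipa-client version, so that options the installed version does not know
# (which would make ipa-client-install fail) are logged and skipped instead.

# version_ge A B: exit 0 if dotted numeric version A >= B, component by
# component ("3.10" > "3.9"; a missing component counts as 0).
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# ipa_client_opts VERSION: print the options applicable to that version.
# A release suffix such as "3.0.0-37.el6" is dropped first, because the
# comparison above expects purely numeric components.
ipa_client_opts() {
    ver="${1%%-*}"
    opts=""
    # ASSUMED thresholds (option, minimum ipa-client version) for illustration;
    # replace with the real compatibility matrix for your distribution.
    set -- "--mkhomedir" "2.2" "--ssh-trust-dns" "3.0" "--no-sudo" "4.0"
    while [ $# -ge 2 ]; do
        if version_ge "$ver" "$2"; then
            opts="$opts $1"
        else
            echo "ipa-client $ver: option $1 needs $2 or later, skipping" >&2
        fi
        shift 2
    done
    echo "${opts# }"
}

# Intended use on a client (not executed here):
#   ver=$(rpm -q --qf '%{VERSION}' ipa-client)
#   ipa-client-install $(ipa_client_opts "$ver") --domain example.com ...
ipa_client_opts "3.0.0"
```

The version comparison is deliberately independent of `sort -V` so it also works on minimal images; the log lines on stderr are what Dmitri's pseudocode asks for when an option is skipped.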
