author | Ana Krivokapic <akrivoka@redhat.com> | 2013-08-01 14:12:39 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-08-07 09:18:42 +0200 |
commit | fc3f3c90b94ef6d4d8f1e109655177412d52f36e (patch) | |
tree | 9baf657dade4c63a7d61b2bcb806af483cdc59e0 /install/share/advise | |
parent | 7ae58f0ca92e4a573e62aa4e770e12062bb2ddff (diff) | |
Add ipa-advise plugins for legacy clients
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.
Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:
* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
systems, as these systems include the authconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms
https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
Diffstat (limited to 'install/share/advise')
-rw-r--r-- | install/share/advise/Makefile.am | 17 | ||||
-rw-r--r-- | install/share/advise/legacy/Makefile.am | 15 | ||||
-rw-r--r-- | install/share/advise/legacy/pam.conf.template | 22 | ||||
-rw-r--r-- | install/share/advise/legacy/sssd.conf.template | 13 |
4 files changed, 67 insertions, 0 deletions
diff --git a/install/share/advise/Makefile.am b/install/share/advise/Makefile.am
new file mode 100644
index 000000000..877f91ce8
--- /dev/null
+++ b/install/share/advise/Makefile.am
@@ -0,0 +1,17 @@
+NULL =
+
+SUBDIRS = \
+ legacy \
+ $(NULL)
+
+appdir = $(IPA_DATA_DIR)/advise
+app_DATA = \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(app_DATA) \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/install/share/advise/legacy/Makefile.am b/install/share/advise/legacy/Makefile.am
new file mode 100644
index 000000000..73cd2718c
--- /dev/null
+++ b/install/share/advise/legacy/Makefile.am
@@ -0,0 +1,15 @@
+NULL =
+
+appdir = $(IPA_DATA_DIR)/advise/legacy
+app_DATA = \
+ sssd.conf.template \
+ pam.conf.template \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(app_DATA) \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/install/share/advise/legacy/pam.conf.template b/install/share/advise/legacy/pam.conf.template
new file mode 100644
index 000000000..bdd91821e
--- /dev/null
+++ b/install/share/advise/legacy/pam.conf.template
@@ -0,0 +1,22 @@
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth sufficient pam_sss.so use_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so broken_shadow
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
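Review bot: The pam.conf.template hunk carries `nullok` on both pam_unix lines (auth and password) and has no header comment, so administrators who paste this advice verbatim get a stack in which local accounts with an empty shadow password field can authenticate and change passwords without one, with nothing in the file telling them that choice was made. The layout appears to follow what authconfig generates, and the commit message ties this template to platforms without authconfig, so a header stating the origin and target would let admins compare it against their own system's file and decide on `nullok` deliberately, e.g. `# PAM stack for SSSD 1.5-1.8 using the IPA compat tree; modeled on the authconfig-generated layout. Review 'nullok' on the pam_unix lines: it permits empty-password local accounts.` How the ipa-advise plugins print this template is outside this diff.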
diff --git a/install/share/advise/legacy/sssd.conf.template b/install/share/advise/legacy/sssd.conf.template
new file mode 100644
index 000000000..28f9c115d
--- /dev/null
+++ b/install/share/advise/legacy/sssd.conf.template
@@ -0,0 +1,13 @@
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = default
+re_expression = (?P<name>.+)
+
+[domain/default]
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldap://$IPA_SERVER_HOSTNAME
+ldap_search_base = cn=compat,$BASE_DN
+ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt |
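Review bot: The [domain/default] section points `ldap_tls_cacert` at ipa.crt but does not set `ldap_id_use_start_tls`, and `ldap_uri` uses the plain `ldap://` scheme, so with SSSD's documented default (false) the identity lookups against cn=compat travel over unencrypted LDAP; only the authentication bind is forced onto TLS by SSSD. Adding `ldap_id_use_start_tls = True` after the ldap_uri line closes that gap and costs nothing, since the CA file is already configured. The template also has no comment explaining the `$IPA_SERVER_HOSTNAME` and `$BASE_DN` placeholders (presumably substituted by the ipa-advise plugin, which is outside this diff) or why the search base is the compat tree; a header such as `# SSSD 1.5-1.8 domain config for users from an AD trust via the IPA compat tree; $IPA_SERVER_HOSTNAME and $BASE_DN are filled in by ipa-advise` would cover it.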