summaryrefslogtreecommitdiffstats
path: root/ipa-client/ipa-install
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2010-02-03 15:41:02 -0500
committerRob Crittenden <rcritten@redhat.com>2010-02-03 15:41:02 -0500
commit3ff06c498b5f918bec65cbe20b40aedb37f475b6 (patch)
tree070b7d8787754b5ca365b1c3e1184a568fe09a45 /ipa-client/ipa-install
parent2416f92bee0b3dd11eccfbfdc6a61a6624540262 (diff)
downloadfreeipa-3ff06c498b5f918bec65cbe20b40aedb37f475b6.tar.gz
freeipa-3ff06c498b5f918bec65cbe20b40aedb37f475b6.tar.xz
freeipa-3ff06c498b5f918bec65cbe20b40aedb37f475b6.zip
Configure sssd and certmonger in ipa-client-install
This does a number of things under the hood: - Use authconfig to enable sssd in nss and pam - Configure /etc/sssd/sssd.conf to use our IPA provider - Enable the certmonger process and request a server cert - join the IPA domain and retrieve a principal. The clinet machine *must* exist in IPA to be able to do a join. - And then undo all this on uninstall
Diffstat (limited to 'ipa-client/ipa-install')
-rw-r--r--ipa-client/ipa-install/ipa-client-install102
1 files changed, 94 insertions, 8 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index f6157b210..066c5adbd 100644
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -35,6 +35,7 @@ try:
from ipapython.ipautil import run, user_input
from ipapython import sysrestore
from ipapython import version
+ import SSSDConfig
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
@@ -58,6 +59,8 @@ def parse_options():
action="store_true",
help="unattended installation never prompts the user")
parser.add_option("--ntp-server", dest="ntp_server", help="ntp server to use")
+ parser.add_option("-S", "--no-sssd", action="store_false",
+ help="do not configure sssd", default=True, dest="sssd")
parser.add_option("-N", "--no-ntp", action="store_false",
help="do not configure ntp", default=True, dest="conf_ntp")
parser.add_option("-w", "--password", dest="password",
@@ -69,6 +72,8 @@ def parse_options():
help="principal to use to join the IPA realm"),
parser.add_option("--on-master", dest="on_master", action="store_true",
help="use this option when run on a master", default=False)
+ parser.add_option("--permit", dest="permit", action="store_true",
+ help="disable access rules by default, permit all access.", default=False)
parser.add_option("", "--uninstall", dest="uninstall", action="store_true",
default=False, help="uninstall an existing installation")
@@ -110,9 +115,26 @@ def uninstall(options):
print "Restoring client configuration files"
fstore.restore_all_files()
+ # Remove our host cert
+ try:
+ run(["/usr/bin/ipa-getcert", "stop-tracking", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
+ run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
+ except Exception, e:
+ print "Failed to remove Server-Cert from /etc/pki/nssdb: %s" % str(e)
+
+ try:
+ run(["/sbin/service", "certmonger", "stop"])
+ except:
+ print "Failed to stop the certmonger daemon"
+
+ try:
+ run(["/sbin/chkconfig", "certmonger", "off"])
+ except:
+ print "Failed to disable automatic startup of the certmonger daemon"
+
print "Disabling client Kerberos and Ldap configurations"
try:
- run(["/usr/sbin/authconfig", "--disableldap", "--disablekrb5", "--update"])
+ run(["/usr/sbin/authconfig", "--disableldap", "--disablekrb5", "--disablesssd", "--disablesssdauth", "--update"])
except Exception, e:
print "Failed to remove krb5/ldap configuration. " +str(e)
sys.exit(1)
@@ -277,6 +299,59 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d
return 0
+def configure_certmonger(fstore, options):
+ started = True
+
+ try:
+ run(["/sbin/service", "certmonger", "restart"])
+ except:
+ print "Failed to start the certmonger daemon"
+ print "Automatic certificate management will not be available"
+ started = False
+
+ try:
+ run(["/sbin/chkconfig", "certmonger", "on"])
+ except:
+ print "Failed to configure automatic startup of the certmonger daemon"
+ print "Automatic certificate management will not be available"
+
+ # Request our host cert
+ if started:
+ try:
+ run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
+ except:
+ print "certmonger request for host certificate failed"
+
+def configure_sssd_conf(fstore, cli_domain, cli_server, options):
+ fstore.backup_file("/etc/sssd/sssd.conf")
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.new_config()
+
+ domain = sssdconfig.new_domain(cli_domain)
+ domain.add_provider('ipa', 'id')
+
+ domain.set_option('ipa_server', cli_server)
+ domain.set_option('ipa_domain', cli_domain)
+
+ # Might need this if /bin/hostname doesn't return a FQDN
+ #domain.set_option('ipa_hostname', 'client.example.com')
+
+ domain.add_provider('ipa', 'auth')
+ domain.add_provider('ipa', 'chpass')
+ if not options.permit:
+ domain.add_provider('ipa', 'access')
+ else:
+ domain.add_provider('permit', 'access')
+
+ domain.set_option('cache_credentials', True)
+
+ domain.set_active(True)
+
+ sssdconfig.save_domain(domain)
+ sssdconfig.write("/etc/sssd/sssd.conf")
+
+ return 0
+
def main():
options = parse_options()
logging_setup(options)
@@ -424,10 +499,17 @@ def main():
configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server)
print "Created /etc/ipa/default.conf"
- # Configure ldap.conf
- if configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options):
- return 1
- print "Configured /etc/ldap.conf"
+ if options.sssd:
+ if configure_sssd_conf(fstore, cli_domain, cli_server, options):
+ return 1
+ print "Configured /etc/sssd/sssd.conf"
+ else:
+ if configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options):
+ return 1
+ print "Configured /etc/ldap.conf"
+
+ if not options.on_master:
+ configure_certmonger(fstore, options)
# If on master assume kerberos is already configured properly.
if not options.on_master:
@@ -438,9 +520,13 @@ def main():
print "Configured /etc/krb5.conf for IPA realm " + cli_realm
- # Modify nsswitch to add nss_ldap
- run(["/usr/sbin/authconfig", "--enableldap", "--update"])
- print "LDAP enabled"
+ # Modify nsswitch/pam stack
+ if options.sssd:
+ run(["/usr/sbin/authconfig", "--enablesssd", "--enablesssdauth", "--update"])
+ print "SSSD enabled"
+ else:
+ run(["/usr/sbin/authconfig", "--enableldap", "--update"])
+ print "LDAP enabled"
#Check nss_ldap is working properly
if not options.on_master: