diff options
author | Tomas Babej <tomasbabej@gmail.com> | 2013-11-21 13:09:28 +0100 |
---|---|---|
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2014-05-09 13:57:04 +0300 |
commit | ef3c9d3bb00fb64c9eb97c17ae62e042d5091cc0 (patch) | |
tree | cf9cd1551ebf8ed03a56a7bbe0f41615afd758fe /ipa-client | |
parent | d90eb46cce788595edf50f4658e97a7dd8c3e9b8 (diff) | |
download | freeipa-ef3c9d3bb00fb64c9eb97c17ae62e042d5091cc0.tar.gz freeipa-ef3c9d3bb00fb64c9eb97c17ae62e042d5091cc0.tar.xz freeipa-ef3c9d3bb00fb64c9eb97c17ae62e042d5091cc0.zip |
ipa-client-install: Configure sudo to use SSSD as data source
Makes ipa-client-install configure SSSD as the data provider
for the sudo service by default. This behaviour can be disabled
by using --no-sudo flag.
https://fedorahosted.org/freeipa/ticket/3358
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipa-client')
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 84 | ||||
-rw-r--r-- | ipa-client/man/ipa-client-install.1 | 3 |
2 files changed, 86 insertions, 1 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 5fdd51520..6fd64d0d9 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -72,6 +72,8 @@ SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts' client_nss_nickname_format = 'IPA Machine Certificate - %s' +NSSWITCH_CONF = '/etc/nsswitch.conf' + def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): if not os.path.exists(value): @@ -137,6 +139,9 @@ def parse_options(): help="do not configure OpenSSH client") basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false", help="do not configure OpenSSH server") + basic_group.add_option("--no-sudo", dest="conf_sudo", default=True, + action="store_false", + help="do not configure SSSD as data source for sudo") basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false", help="do not automatically create DNS SSHFP records") basic_group.add_option("--noac", dest="no_ac", default=False, action="store_true", @@ -352,6 +357,69 @@ def is_ipa_client_installed(on_master=False): return installed +def configure_nsswitch_database(fstore, database, services, preserve=True, + append=True, default_value=None): + """ + Edits the specified nsswitch.conf database (e.g. passwd, group, sudoers) + to use the specified service(s). + + Arguments: + fstore - FileStore to backup the nsswitch.conf + database - database configuration that should be ammended, e.g 'sudoers' + service - list of services that should be added, e.g. ['sss'] + preserve - if True, the already configured services will be preserved + + The next arguments modify the behaviour if preserve=True: + append - if True, the services will be appended, if False, prepended + default_value - list of services that are considered as default (if + the database is not mentioned in nsswitch.conf), e.g. + ['files'] + """ + + # Backup the original version of nsswitch.conf, we're going to edit it now + if not fstore.has_file(NSSWITCH_CONF): + fstore.backup_file(NSSWITCH_CONF) + + conf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") + conf.setOptionAssignment(':') + + if preserve: + # Read the existing configuration + with open('/etc/nsswitch.conf', 'r') as f: + opts = conf.parse(f) + raw_database_entry = conf.findOpts(opts, 'option', database)[1] + + if not raw_database_entry: + # If there is no database entry, database is not present in + # the nsswitch.conf. Set the list of services to the + # default list, if passed. + configured_services = ' '.join(default_value or []) + else: + configured_services = raw_database_entry['value'].strip() + + if append: + new_services = ' ' + configured_services + ' ' + ' '.join(services) + else: + new_services = ' ' + ' '.join(services) + ' ' + configured_services + + else: + # Preserve not set, let's rewrite existing configuration + new_services = ' ' + ' '.join(services) + + # Set new services as sources for database + opts = [{'name': database, + 'type':'option', + 'action':'set', + 'value': new_services + }, + {'name':'empty', + 'type':'empty' + }] + + conf.changeConf(NSSWITCH_CONF, opts) + root_logger.info("Configured %s in %s" % (database, NSSWITCH_CONF)) + + def uninstall(options, env): if not is_ipa_client_installed(): @@ -1141,6 +1209,20 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie sssdconfig.activate_service('ssh') + if options.conf_sudo: + # Activate the service in the SSSD config + try: + sssdconfig.new_service('sudo') + except SSSDConfig.ServiceAlreadyExists: + pass + except SSSDConfig.ServiceNotRecognizedError: + root_logger.error("Unable to activate the SUDO service in " + "SSSD config.") + + sssdconfig.activate_service('sudo') + configure_nsswitch_database(fstore, 'sudoers', ['sss'], + default_value=['files']) + domain.add_provider('ipa', 'id') #add discovery domain if client domain different from server domain @@ -2265,7 +2347,7 @@ def install(options, env, fstore, statestore): # skip this step when run by ipa-server-install as it always configures # hostname if different from system hostname ipaservices.backup_and_replace_hostname(fstore, statestore, options.hostname) - + if not options.on_master: # Attempt to sync time with IPA server. # We assume that NTP servers are discoverable through SRV records in the DNS diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 3694fca4a..279d66ad6 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -140,6 +140,9 @@ Do not configure OpenSSH client. \fB\-\-no\-sshd\fR Do not configure OpenSSH server. .TP +\fB\-\-no\-sudo\fR +Do not configure SSSD as a data source for sudo. +.TP \fB\-\-no\-dns\-sshfp\fR Do not automatically create DNS SSHFP records. .TP |