Diffstat (limited to 'install')
-rwxr-xr-xinstall/tools/ipa-adtrust-install18
-rw-r--r--install/tools/man/ipa-adtrust-install.123
2 files changed, 40 insertions, 1 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5744c6f67..838f7226b 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -62,6 +62,9 @@ def parse_options():
parser.add_option("--add-sids", dest="add_sids", action="store_true",
default=False, help="Add SIDs for existing users and" \
" groups as the final step")
+ parser.add_option("--enable-compat",
+ dest="enable_compat", default=False, action="store_true",
+ help="Enable support for trusted domains for old clients")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
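Review bot: The help string on the new `--enable-compat` option describes only the client-compatibility benefit, while the man page hunk in this same commit says the flag also enables LDAP bind authentication of trusted-domain users through the compat tree via PAM `system-auth`; an operator reading `--help` should see that it widens the server's authentication surface before turning it on. Suggest `help="Enable support for trusted domains for old clients via the Schema Compatibility plugin (also allows LDAP bind authentication of trusted users under cn=compat)"`. parse_options begins and ends outside the hunk.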
@@ -194,6 +197,15 @@ def ensure_admin_kinit(admin_name, admin_password):
return False
return True
+def enable_compat_tree():
+ print "Do you want to enable support for trusted domains in Schema Compatibility plugin?"
+ print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users."
+ print ""
+ enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False)
+ print ""
+ return enable_compat
+
+
def main():
safe_options, options = parse_options()
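Review bot: The interactive text in enable_compat_tree presents the feature purely as a convenience for older clients and never mentions that, per the man page hunk in this commit, enabling it lets trusted-domain users authenticate with LDAP bind DNs under the compat tree and that this path is gated by HBAC for the `system-auth` PAM service, so the person answering the prompt is not told what they are exposing. Suggest inserting between the two existing print statements `print "Note: this also allows trusted domain users to authenticate via LDAP bind DNs under cn=compat; access is controlled by HBAC for the 'system-auth' service."`. The function also has no docstring; a one-liner such as `"""Ask interactively whether to enable the slapi-nis compat tree for trusted users; returns the ipautil.user_input answer (default False)."""` would do, with the return type hedged since user_input's contract is not visible here. Minor style: `default = False, allow_empty = False` puts spaces around `=` in keyword arguments, unlike the add_option call in the first hunk.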
@@ -244,6 +256,9 @@ def main():
sys.exit("Aborting installation.")
break
+ if not options.unattended and not options.enable_compat:
+ options.enable_compat = enable_compat_tree()
+
# Check we have a public IP that is associated with the hostname
ip = None
try:
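Review bot: The interactive answer is written into `options.enable_compat` after `safe_options` was already derived from the parsed options in parse_options, so whatever safe_options is used for (presumably the logged invocation record, to confirm) will not reflect that the compat tree was enabled at the prompt; consider recomputing it or logging the interactive choice explicitly, e.g. `root_logger.info("Enabling trusted domains support in compat tree")` if that logger is in scope in this file. The condition itself is a sound fail-closed default worth recording for the next reader: `# Never prompt in unattended mode: compat stays off unless --enable-compat was given explicitly.` main continues outside the hunk.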
@@ -363,7 +378,8 @@ def main():
smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
netbios_name, reset_netbios_name,
options.rid_base, options.secondary_rid_base,
- options.no_msdcs, options.add_sids)
+ options.no_msdcs, options.add_sids,
+ enable_compat = options.enable_compat)
smb.find_local_id_range()
smb.create_instance()
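Review bot: The new keyword argument `enable_compat = options.enable_compat` relies on `smb.setup` accepting an `enable_compat` parameter, and that change is not in this diff (the diffstat is limited to install/), so it cannot be confirmed here that the default for existing callers stays off. Style: the keyword argument uses spaces around `=`, which PEP 8 discourages and which differs from the surrounding positional arguments; write `enable_compat=options.enable_compat`. main continues outside the hunk.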
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 38957f3a4..7f0566e13 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -106,6 +106,29 @@ The password of the user with administrative privileges for this IPA server. Wil
.TP
The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
.TP
+\fB\-\-enable\-compat\fR
+Enables support for trusted domains users for old clients through Schema Compatibility plugin.
+SSSD supports trusted domains natively starting with version 1.9. For platforms that
+lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
+needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
+users and groups from trusted domains via SSSD on IPA server. These users and groups will be
+available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
+SSSD will normalize names of users and groups to lower case.
+.IP
+In addition to providing these users and groups through the compat tree, this option enables
+authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
+\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR.
+.IP
+LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
+This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
+If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
+to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
+rule to allow access to anyone to this rule on IPA masters.
+.IP
+As '\fBsystem\-auth\fR' PAM service is not used directly by any other
+application, it is safe to use it for trusted domain users via compatibility
+path.
+.TP
.SH "EXIT STATUS"
0 if the installation was successful