Add ipa-advise plugins for nss-pam-ldapd legacy clients

Add three new ipa-advise plugins, to facilitate configuration of
legacy clients using nss-pam-ldapd:

* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd

https://fedorahosted.org/freeipa/ticket/3672

1 files changed, 198 insertions, 14 deletions

diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
index f58af9b9..c81fcf8b 100644
--- a/ipaserver/advise/plugins/legacy_clients.py
+++ b/ipaserver/advise/plugins/legacy_clients.py
@@ -23,7 +23,12 @@ from ipalib.frontend import Advice
 from ipapython.ipautil import template_file, SHARE_DIR
 
 
-class config_base_sssd_before_1_9(Advice):
+class config_base_legacy_client(Advice):
+    def get_uri_and_base(self):
+        uri = 'ldap://%s' % api.env.host
+        base = 'cn=compat,%s' % api.env.basedn
+        return uri, base
+
     def check_compat_plugin(self):
         compat_is_enabled = api.Command['compat_is_enabled']()['result']
         if not compat_is_enabled:
@@ -57,17 +62,14 @@ class config_base_sssd_before_1_9(Advice):
         self.log.command('fi\n')
 
     def configure_and_start_sssd(self):
-        sub_dict = dict(
-            IPA_SERVER_HOSTNAME=api.env.host,
-            BASE_DN=','. join(['dc=%s' % c for c in api.env.domain.split('.')])
-        )
+        uri, base = self.get_uri_and_base()
         template = os.path.join(
             SHARE_DIR,
             'advise',
             'legacy',
             'sssd.conf.template'
         )
-        sssd_conf = template_file(template, sub_dict)
+        sssd_conf = template_file(template, dict(URI=uri, BASE=base))
 
         self.log.comment('Configure SSSD')
         self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
@@ -78,9 +80,9 @@ class config_base_sssd_before_1_9(Advice):
         self.log.command('service sssd start')
 
 
-class config_redhat_sssd_before_1_9(config_base_sssd_before_1_9):
+class config_redhat_sssd_before_1_9(config_base_legacy_client):
     """
-    Legacy client configuration for Red Hat based platforms.
+    Legacy client configuration for Red Hat based systems, using SSSD.
     """
     description = ('Instructions for configuring a system with an old version '
                    'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
@@ -103,17 +105,25 @@ class config_redhat_sssd_before_1_9(config_base_sssd_before_1_9):
 
         self.configure_and_start_sssd()
 
+    def configure_ca_cert(self):
+        self.log.comment('NOTE: IPA certificate uses the SHA-256 hash '
+                         'function. SHA-256 was introduced in RHEL5.2. '
+                         'Therefore, clients older than RHEL5.2 will not be '
+                         'able to interoperate with IPA server 3.x.')
+        super(config_redhat_sssd_before_1_9, self).configure_ca_cert()
+
 
 api.register(config_redhat_sssd_before_1_9)
 
 
-class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
+class config_generic_linux_sssd_before_1_9(config_base_legacy_client):
     """
-    Legacy client configuration for non Red Hat based platforms.
+    Legacy client configuration for non Red Hat based linux systems,
+    using SSSD.
     """
     description = ('Instructions for configuring a system with an old version '
                    'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
-                   'instructions is targeted for platforms that do not '
+                   'instructions is targeted for linux systems that do not '
                    'include the authconfig utility.')
 
     def get_info(self):
@@ -123,7 +133,7 @@ class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
                 SHARE_DIR,
                 'advise',
                 'legacy',
-                'pam.conf.template')) as fd:
+                'pam.conf.sssd.template')) as fd:
             pam_conf = fd.read()
 
         self.log.comment('Install required packages using your system\'s '
@@ -150,7 +160,113 @@ class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
         self.configure_and_start_sssd()
 
     def configure_ca_cert(self):
-        super(config_generic_sssd_before_1_9, self).configure_ca_cert()
+        super(config_generic_linux_sssd_before_1_9, self).configure_ca_cert()
+
+        self.log.comment('Configure ldap.conf. Set the value of '
+                         'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure '
+                         'that the location of ldap.conf file matches your '
+                         'system\'s configuration.')
+        self.log.command('echo "TLS_CACERTDIR /etc/openldap/cacerts" >> '
+                         '/etc/ldap/ldap.conf\n')
+
+
+api.register(config_generic_linux_sssd_before_1_9)
+
+
+class config_redhat_nss_pam_ldapd(config_base_legacy_client):
+    """
+    Legacy client configuration for Red Hat based systems,
+    using nss-pam-ldapd.
+    """
+    description = ('Instructions for configuring a system with nss-pam-ldapd '
+                   'as a FreeIPA client. This set of instructions is targeted '
+                   'for platforms that include the authconfig utility, which '
+                   'are all Red Hat based platforms.')
+
+    def get_info(self):
+        uri, base = self.get_uri_and_base()
+        self.check_compat_plugin()
+
+        self.log.comment('Install required packages via yum')
+        self.log.command('yum install -y wget openssl nss-pam-ldapd pam_ldap '
+                         'authconfig\n')
+
+        self.configure_ca_cert()
+
+        self.log.comment('Use the authconfig to configure nsswitch.conf '
+                         'and the PAM stack')
+        self.log.command('authconfig --updateall --enableldap '
+                         '--enableldapauth --ldapserver=%s --ldapbasedn=%s\n'
+                         % (uri, base))
+
+    def configure_ca_cert(self):
+        self.log.comment('NOTE: IPA certificate uses the SHA-256 hash '
+                         'function. SHA-256 was introduced in RHEL5.2. '
+                         'Therefore, clients older than RHEL5.2 will not be '
+                         'able to interoperate with IPA server 3.x.')
+        super(config_redhat_nss_pam_ldapd, self).configure_ca_cert()
+
+
+api.register(config_redhat_nss_pam_ldapd)
+
+
+class config_generic_linux_nss_pam_ldapd(config_base_legacy_client):
+    """
+    Legacy client configuration for non Red Hat based linux systems,
+    using nss-pam-ldapd.
+    """
+    description = ('Instructions for configuring a system with nss-pam-ldapd. '
+                   'This set of instructions is targeted for linux systems '
+                   'that do not include the authconfig utility.')
+
+    def get_info(self):
+        uri, base = self.get_uri_and_base()
+        self.check_compat_plugin()
+
+        with open(os.path.join(
+                SHARE_DIR,
+                'advise',
+                'legacy',
+                'pam.conf.nss_pam_ldapd.template')) as fd:
+            pam_conf = fd.read()
+
+        nslcd_conf = 'uri %s\nbase %s' % (uri, base)
+
+        self.log.comment('Install required packages using your system\'s '
+                         'package manager. E.g:')
+        self.log.command('apt-get -y install wget openssl libnss-ldapd '
+                         'libpam-ldapd nslcd\n')
+
+        self.configure_ca_cert()
+
+        self.log.comment('Configure nsswitch.conf. Append ldap to the lines '
+                         'beginning with passwd and group. ')
+        self.log.command('grep "^passwd.*ldap" /etc/nsswitch.conf')
+        self.log.command('if [ $? -ne 0 ] ; then sed -i '
+                         '\'/^passwd/s|$| ldap|\' /etc/nsswitch.conf ; fi')
+        self.log.command('grep "^group.*ldap" /etc/nsswitch.conf')
+        self.log.command('if [ $? -ne 0 ] ; then sed -i '
+                         '\'/^group/s|$| ldap|\' /etc/nsswitch.conf ; fi\n')
+
+        self.log.comment('Configure PAM. Configuring the PAM stack differs on '
+                         'particular distributions. The resulting PAM stack '
+                         'should look like this:')
+        self.log.command('cat > /etc/pam.conf << EOF \n'
+                         '%s\nEOF\n' % pam_conf)
+
+        self.log.comment('Configure nslcd.conf:')
+        self.log.command('cat > /etc/nslcd.conf << EOF \n'
+                         '%s\nEOF\n' % nslcd_conf)
+
+        self.log.comment('Configure pam_ldap.conf:')
+        self.log.command('cat > /etc/pam_ldap.conf << EOF \n'
+                         '%s\nEOF\n' % nslcd_conf)
+
+        self.log.comment('Stop nscd and restart nslcd')
+        self.log.command('service nscd stop && service nslcd restart')
+
+    def configure_ca_cert(self):
+        super(config_generic_linux_nss_pam_ldapd, self).configure_ca_cert()
 
         self.log.comment('Configure ldap.conf. Set the value of '
                          'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure '
@@ -160,4 +276,72 @@ class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
                          '/etc/ldap/ldap.conf\n')
 
 
-api.register(config_generic_sssd_before_1_9)
+api.register(config_generic_linux_nss_pam_ldapd)
+
+
+class config_freebsd_nss_pam_ldapd(config_base_legacy_client):
+    """
+    Legacy client configuration for FreeBSD, using nss-pam-ldapd.
+    """
+    description = ('Instructions for configuring a FreeBSD system with '
+                   'nss-pam-ldapd. ')
+
+    def get_info(self):
+        uri, base = self.get_uri_and_base()
+        cacrt = '/usr/local/etc/ipa.crt'
+
+        self.check_compat_plugin()
+
+        with open(os.path.join(
+                SHARE_DIR,
+                'advise',
+                'legacy',
+                'pam_conf_sshd.template')) as fd:
+            pam_conf = fd.read()
+
+        self.log.comment('Install required packages')
+        self.log.command('pkg_add -r nss-pam-ldapd curl\n')
+
+        self.configure_ca_cert(cacrt)
+
+        self.log.comment('Configure nsswitch.conf')
+        self.log.command('sed -i \'\' -e \'s/^passwd:/passwd: files ldap/\' '
+                         '/etc/nsswitch.conf')
+        self.log.command('sed -i \'\' -e \'s/^group:/group: files ldap/\' '
+                         '/etc/nsswitch.conf\n')
+
+        self.log.comment('Configure PAM stack for the sshd service')
+        self.log.command('cat > /etc/pam.d/sshd << EOF \n'
+                         '%s\nEOF\n' % pam_conf)
+
+        self.log.comment('Add automated start of nslcd to /etc/rc.conf')
+        self.log.command('echo \'nslcd_enable="YES"\nnslcd_debug="NO"\' >> '
+                         '/etc/rc.conf')
+
+        self.log.comment('Configure nslcd.conf:')
+        self.log.command('echo "uid nslcd\n'
+                         'gid nslcd\n'
+                         'uri %s\n'
+                         'base %s\n'
+                         'scope sub\n'
+                         'base group cn=groups,%s\n'
+                         'base passwd cn=users,%s\n'
+                         'base shadow cn=users,%s\n'
+                         'ssl start_tls\n'
+                         'tls_cacertfile %s\n" >  /usr/local/etc/nslcd.conf'
+                         % ((uri,) + (base,)*4 + (cacrt,)))
+
+        self.log.comment('Configure ldap.conf:')
+        self.log.command('echo "uri %s\nbase %s\nssl start_tls\ntls_cacert %s"'
+                         '> /usr/local/etc/ldap.conf' % (uri, base, cacrt))
+
+        self.log.comment('Restart nslcd')
+        self.log.command('/usr/local/etc/rc.d/nslcd restart')
+
+    def configure_ca_cert(self, cacrt):
+        self.log.comment('Download the CA certificate of the IPA server')
+        self.log.command('curl -k https://%s/ipa/config/ca.crt > '
+                         '%s' % (api.env.host, cacrt))
+
+
+api.register(config_freebsd_nss_pam_ldapd)