From f3aa3c4c8002aba1b40ad7c9aade2bcb4426dab2 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic
Date: Thu, 17 Oct 2013 21:58:00 +0200
Subject: Add ipa-advise plugins for nss-pam-ldapd legacy clients

Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd:
* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd

https://fedorahosted.org/freeipa/ticket/3672
---
 install/share/advise/legacy/Makefile.am | 4 +-
 .../advise/legacy/pam.conf.nss_pam_ldapd.template | 22 +++
 install/share/advise/legacy/pam.conf.sssd.template | 22 +++
 install/share/advise/legacy/pam.conf.template | 22 ---
 install/share/advise/legacy/pam_conf_sshd.template | 25 +++
 install/share/advise/legacy/sssd.conf.template | 4 +-
 ipaserver/advise/plugins/legacy_clients.py | 212 +++++++++++++++++++--
 7 files changed, 272 insertions(+), 39 deletions(-)
 create mode 100644 install/share/advise/legacy/pam.conf.nss_pam_ldapd.template
 create mode 100644 install/share/advise/legacy/pam.conf.sssd.template
 delete mode 100644 install/share/advise/legacy/pam.conf.template
 create mode 100644 install/share/advise/legacy/pam_conf_sshd.template

diff --git a/install/share/advise/legacy/Makefile.am b/install/share/advise/legacy/Makefile.am
index 73cd2718..41218517 100644
--- a/install/share/advise/legacy/Makefile.am
+++ b/install/share/advise/legacy/Makefile.am
@@ -3,7 +3,9 @@ NULL =
 appdir = $(IPA_DATA_DIR)/advise/legacy
 app_DATA = \
 	sssd.conf.template \
-	pam.conf.template \
+	pam.conf.sssd.template \
+	pam.conf.nss_pam_ldapd.template \
+	pam_conf_sshd.template \
 	$(NULL)
 
 EXTRA_DIST = \
diff --git a/install/share/advise/legacy/pam.conf.nss_pam_ldapd.template b/install/share/advise/legacy/pam.conf.nss_pam_ldapd.template
new file mode 100644
index 00000000..9c60c27e
--- /dev/null
+++ b/install/share/advise/legacy/pam.conf.nss_pam_ldapd.template
@@ -0,0 +1,22 @@
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth sufficient pam_ldap.so use_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so broken_shadow
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_ldap.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_ldap.so
diff --git a/install/share/advise/legacy/pam.conf.sssd.template b/install/share/advise/legacy/pam.conf.sssd.template
new file mode 100644
index 00000000..bdd91821
--- /dev/null
+++ b/install/share/advise/legacy/pam.conf.sssd.template
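Review bot: The `uid >= 500` and `uid < 500` tests in the auth and account phases encode the local/system UID boundary, but nothing in the template says so, and the same four lines appear in pam.conf.sssd.template; an admin pasting this into a client whose login.defs uses a different UID_MIN will silently route the wrong accounts past pam_ldap. A header comment at the top of both templates would make the assumption visible, e.g. `# 500 is the local/system UID boundary (UID_MIN in /etc/login.defs); adjust it to match the client`. The stack otherwise matches the SSSD variant line for line with pam_sss.so swapped for pam_ldap.so, which is worth stating in the same header so the two files are kept in step.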
@@ -0,0 +1,22 @@
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth sufficient pam_sss.so use_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so broken_shadow
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
diff --git a/install/share/advise/legacy/pam.conf.template b/install/share/advise/legacy/pam.conf.template
deleted file mode 100644
index bdd91821..00000000
--- a/install/share/advise/legacy/pam.conf.template
+++ /dev/null
@@ -1,22 +0,0 @@
-auth required pam_env.so
-auth sufficient pam_unix.so nullok try_first_pass
-auth requisite pam_succeed_if.so uid >= 500 quiet
-auth sufficient pam_sss.so use_first_pass
-auth required pam_deny.so
-
-account required pam_unix.so broken_shadow
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account [default=bad success=ok user_unknown=ignore] pam_sss.so
-account required pam_permit.so
-
-password requisite pam_cracklib.so try_first_pass retry=3 type=
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
-password sufficient pam_sss.so use_authtok
-password required pam_deny.so
-
-session optional pam_keyinit.so revoke
-session required pam_limits.so
-session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session required pam_unix.so
-session optional pam_sss.so
diff --git a/install/share/advise/legacy/pam_conf_sshd.template b/install/share/advise/legacy/pam_conf_sshd.template
new file mode 100644
index 00000000..488f4998
--- /dev/null
+++ b/install/share/advise/legacy/pam_conf_sshd.template
@@ -0,0 +1,25 @@
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth sufficient /usr/local/lib/pam_ldap.so no_warn
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
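Review bot: The password phase of this sshd stack contains only `pam_unix.so`, so a password change prompted during an SSH login for an IPA user is sent to the local shadow file and cannot succeed, whereas pam.conf.nss_pam_ldapd.template on this page carries `password sufficient pam_ldap.so use_authtok`. If that omission is deliberate for FreeBSD it should be stated in the header, e.g. `# password changes for LDAP users are not handled by this stack; use the IPA web UI or the ipa passwd command`. The header already says the file is for the "sshd" service, and the plugin installs it as /etc/pam.d/sshd; adding that console login, su and sudo keep their local-only stacks would save the next reader from assuming system-wide coverage.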
diff --git a/install/share/advise/legacy/sssd.conf.template b/install/share/advise/legacy/sssd.conf.template index 28f9c115..87084870 100644 --- a/install/share/advise/legacy/sssd.conf.template +++ b/install/share/advise/legacy/sssd.conf.template @@ -8,6 +8,6 @@ re_expression = (?P.+) cache_credentials = True id_provider = ldap auth_provider = ldap -ldap_uri = ldap://$IPA_SERVER_HOSTNAME -ldap_search_base = cn=compat,$BASE_DN +ldap_uri = $URI +ldap_search_base = $BASE ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py index f58af9b9..c81fcf8b 100644 --- a/ipaserver/advise/plugins/legacy_clients.py +++ b/ipaserver/advise/plugins/legacy_clients.py @@ -23,7 +23,12 @@ from ipalib.frontend import Advice from ipapython.ipautil import template_file, SHARE_DIR -class config_base_sssd_before_1_9(Advice): +class config_base_legacy_client(Advice): + def get_uri_and_base(self): + uri = 'ldap://%s' % api.env.host + base = 'cn=compat,%s' % api.env.basedn + return uri, base + def check_compat_plugin(self): compat_is_enabled = api.Command['compat_is_enabled']()['result'] if not compat_is_enabled: @@ -57,17 +62,14 @@ class config_base_sssd_before_1_9(Advice): self.log.command('fi\n') def configure_and_start_sssd(self): - sub_dict = dict( - IPA_SERVER_HOSTNAME=api.env.host, - BASE_DN=','. join(['dc=%s' % c for c in api.env.domain.split('.')]) - ) + uri, base = self.get_uri_and_base() template = os.path.join( SHARE_DIR, 'advise', 'legacy', 'sssd.conf.template' ) - sssd_conf = template_file(template, sub_dict) + sssd_conf = template_file(template, dict(URI=uri, BASE=base)) self.log.comment('Configure SSSD') self.log.command('cat > /etc/sssd/sssd.conf << EOF \n' 
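Review bot: `get_uri_and_base` on `config_base_legacy_client` has no docstring although every plugin on this page pastes its result straight into client configuration; a one-liner such as `"""Return the plain ldap:// URI of this server and the cn=compat search base that legacy clients use."""` would make the contract explicit. Naming the URI as plain `ldap://` in the docstring matters because it is the callers that decide whether StartTLS is layered on top, and only some of them do. The class body continues past the end of this hunk.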
@@ -78,9 +80,9 @@ class config_base_sssd_before_1_9(Advice): self.log.command('service sssd start') -class config_redhat_sssd_before_1_9(config_base_sssd_before_1_9): +class config_redhat_sssd_before_1_9(config_base_legacy_client): """ - Legacy client configuration for Red Hat based platforms. + Legacy client configuration for Red Hat based systems, using SSSD. """ description = ('Instructions for configuring a system with an old version ' 'of SSSD (1.5-1.8) as a FreeIPA client. This set of ' @@ -103,17 +105,25 @@ class config_redhat_sssd_before_1_9(config_base_sssd_before_1_9): self.configure_and_start_sssd() + def configure_ca_cert(self): + self.log.comment('NOTE: IPA certificate uses the SHA-256 hash ' + 'function. SHA-256 was introduced in RHEL5.2. ' + 'Therefore, clients older than RHEL5.2 will not be ' + 'able to interoperate with IPA server 3.x.') + super(config_redhat_sssd_before_1_9, self).configure_ca_cert() + api.register(config_redhat_sssd_before_1_9) -class config_generic_sssd_before_1_9(config_base_sssd_before_1_9): +class config_generic_linux_sssd_before_1_9(config_base_legacy_client): """ - Legacy client configuration for non Red Hat based platforms. + Legacy client configuration for non Red Hat based linux systems, + using SSSD. """ description = ('Instructions for configuring a system with an old version ' 'of SSSD (1.5-1.8) as a FreeIPA client. This set of ' - 'instructions is targeted for platforms that do not ' + 'instructions is targeted for linux systems that do not ' 'include the authconfig utility.') def get_info(self): @@ -123,7 +133,7 @@ class config_generic_sssd_before_1_9(config_base_sssd_before_1_9): SHARE_DIR, 'advise', 'legacy', - 'pam.conf.template')) as fd: + 'pam.conf.sssd.template')) as fd: pam_conf = fd.read() self.log.comment('Install required packages using your system\'s ' 
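Review bot: The `configure_ca_cert` override added to `config_redhat_sssd_before_1_9`, with its SHA-256/RHEL5.2 note, is repeated word for word in `config_redhat_nss_pam_ldapd.configure_ca_cert` in a later hunk of this file, the two copies differing only in the class name passed to `super(...)`. A single implementation, either on a shared Red Hat base class or as a `_note_sha256_requirement()` helper on `config_base_legacy_client` that both overrides call, would keep the wording from drifting when one copy is edited. The enclosing classes begin and end outside this hunk.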
@@ -150,7 +160,113 @@ class config_generic_sssd_before_1_9(config_base_sssd_before_1_9): self.configure_and_start_sssd() def configure_ca_cert(self): - super(config_generic_sssd_before_1_9, self).configure_ca_cert() + super(config_generic_linux_sssd_before_1_9, self).configure_ca_cert() + + self.log.comment('Configure ldap.conf. Set the value of ' + 'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure ' + 'that the location of ldap.conf file matches your ' + 'system\'s configuration.') + self.log.command('echo "TLS_CACERTDIR /etc/openldap/cacerts" >> ' + '/etc/ldap/ldap.conf\n') + + +api.register(config_generic_linux_sssd_before_1_9) + + +class config_redhat_nss_pam_ldapd(config_base_legacy_client): + """ + Legacy client configuration for Red Hat based systems, + using nss-pam-ldapd. + """ + description = ('Instructions for configuring a system with nss-pam-ldapd ' + 'as a FreeIPA client. This set of instructions is targeted ' + 'for platforms that include the authconfig utility, which ' + 'are all Red Hat based platforms.') + + def get_info(self): + uri, base = self.get_uri_and_base() + self.check_compat_plugin() + + self.log.comment('Install required packages via yum') + self.log.command('yum install -y wget openssl nss-pam-ldapd pam_ldap ' + 'authconfig\n') + + self.configure_ca_cert() + + self.log.comment('Use the authconfig to configure nsswitch.conf ' + 'and the PAM stack') + self.log.command('authconfig --updateall --enableldap ' + '--enableldapauth --ldapserver=%s --ldapbasedn=%s\n' + % (uri, base)) + + def configure_ca_cert(self): + self.log.comment('NOTE: IPA certificate uses the SHA-256 hash ' + 'function. SHA-256 was introduced in RHEL5.2. 
' + 'Therefore, clients older than RHEL5.2 will not be ' + 'able to interoperate with IPA server 3.x.') + super(config_redhat_nss_pam_ldapd, self).configure_ca_cert() + + +api.register(config_redhat_nss_pam_ldapd) + + +class config_generic_linux_nss_pam_ldapd(config_base_legacy_client): + """ + Legacy client configuration for non Red Hat based linux systems, + using nss-pam-ldapd. + """ + description = ('Instructions for configuring a system with nss-pam-ldapd. ' + 'This set of instructions is targeted for linux systems ' + 'that do not include the authconfig utility.') + + def get_info(self): + uri, base = self.get_uri_and_base() + self.check_compat_plugin() + + with open(os.path.join( + SHARE_DIR, + 'advise', + 'legacy', + 'pam.conf.nss_pam_ldapd.template')) as fd: + pam_conf = fd.read() + + nslcd_conf = 'uri %s\nbase %s' % (uri, base) + + self.log.comment('Install required packages using your system\'s ' + 'package manager. E.g:') + self.log.command('apt-get -y install wget openssl libnss-ldapd ' + 'libpam-ldapd nslcd\n') + + self.configure_ca_cert() + + self.log.comment('Configure nsswitch.conf. Append ldap to the lines ' + 'beginning with passwd and group. ') + self.log.command('grep "^passwd.*ldap" /etc/nsswitch.conf') + self.log.command('if [ $? -ne 0 ] ; then sed -i ' + '\'/^passwd/s|$| ldap|\' /etc/nsswitch.conf ; fi') + self.log.command('grep "^group.*ldap" /etc/nsswitch.conf') + self.log.command('if [ $? -ne 0 ] ; then sed -i ' + '\'/^group/s|$| ldap|\' /etc/nsswitch.conf ; fi\n') + + self.log.comment('Configure PAM. Configuring the PAM stack differs on ' + 'particular distributions. 
The resulting PAM stack ' + 'should look like this:') + self.log.command('cat > /etc/pam.conf << EOF \n' + '%s\nEOF\n' % pam_conf) + + self.log.comment('Configure nslcd.conf:') + self.log.command('cat > /etc/nslcd.conf << EOF \n' + '%s\nEOF\n' % nslcd_conf) + + self.log.comment('Configure pam_ldap.conf:') + self.log.command('cat > /etc/pam_ldap.conf << EOF \n' + '%s\nEOF\n' % nslcd_conf) + + self.log.comment('Stop nscd and restart nslcd') + self.log.command('service nscd stop && service nslcd restart') + + def configure_ca_cert(self): + super(config_generic_linux_nss_pam_ldapd, self).configure_ca_cert() self.log.comment('Configure ldap.conf. Set the value of ' 'TLS_CACERTDIR to /etc/openldap/cacerts. Make sure ' 
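Review bot: `config_generic_linux_nss_pam_ldapd.get_info` builds `nslcd_conf` from only `uri` and `base` and writes the same two lines to /etc/pam_ldap.conf, so the binds that carry user passwords go over the plain `ldap://` URI from `get_uri_and_base` with no StartTLS; the FreeBSD hunk later on this page adds `ssl start_tls` and `tls_cacertfile`, and this one should do the same, e.g. `nslcd_conf = 'uri %s\nbase %s\nssl start_tls\ntls_cacertfile /etc/openldap/cacerts/ipa.crt' % (uri, base)` (the path sssd.conf.template already uses for `ldap_tls_cacert`). The TLS_CACERTDIR line that `configure_ca_cert` appends to ldap.conf only tells libldap where the CA lives; it does not turn TLS on. `config_redhat_nss_pam_ldapd.get_info` in the same hunk has the same gap, since its authconfig call carries no `--enableldaptls`, so the nslcd.conf and pam_ldap.conf it generates are plaintext as well; appending `--enableldaptls` to that command would cover the Red Hat path. `config_generic_linux_nss_pam_ldapd.configure_ca_cert` is cut off at the end of the hunk.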
@@ -160,4 +276,72 @@ class config_generic_sssd_before_1_9(config_base_sssd_before_1_9): '/etc/ldap/ldap.conf\n') -api.register(config_generic_sssd_before_1_9) +api.register(config_generic_linux_nss_pam_ldapd) + + +class config_freebsd_nss_pam_ldapd(config_base_legacy_client): + """ + Legacy client configuration for FreeBSD, using nss-pam-ldapd. + """ + description = ('Instructions for configuring a FreeBSD system with ' + 'nss-pam-ldapd. ') + + def get_info(self): + uri, base = self.get_uri_and_base() + cacrt = '/usr/local/etc/ipa.crt' + + self.check_compat_plugin() + + with open(os.path.join( + SHARE_DIR, + 'advise', + 'legacy', + 'pam_conf_sshd.template')) as fd: + pam_conf = fd.read() + + self.log.comment('Install required packages') + self.log.command('pkg_add -r nss-pam-ldapd curl\n') + + self.configure_ca_cert(cacrt) + + self.log.comment('Configure nsswitch.conf') + self.log.command('sed -i \'\' -e \'s/^passwd:/passwd: files ldap/\' ' + '/etc/nsswitch.conf') + self.log.command('sed -i \'\' -e \'s/^group:/group: files ldap/\' ' + '/etc/nsswitch.conf\n') + + self.log.comment('Configure PAM stack for the sshd service') + self.log.command('cat > /etc/pam.d/sshd << EOF \n' + '%s\nEOF\n' % pam_conf) + + self.log.comment('Add automated start of nslcd to /etc/rc.conf') + self.log.command('echo \'nslcd_enable="YES"\nnslcd_debug="NO"\' >> ' + '/etc/rc.conf') + + self.log.comment('Configure nslcd.conf:') + self.log.command('echo "uid nslcd\n' + 'gid nslcd\n' + 'uri %s\n' + 'base %s\n' + 'scope sub\n' + 'base group cn=groups,%s\n' + 'base passwd cn=users,%s\n' + 'base shadow cn=users,%s\n' + 'ssl start_tls\n' + 'tls_cacertfile %s\n" > /usr/local/etc/nslcd.conf' + % ((uri,) + (base,)*4 + (cacrt,))) + + self.log.comment('Configure ldap.conf:') + self.log.command('echo "uri %s\nbase %s\nssl start_tls\ntls_cacert %s"' + '> /usr/local/etc/ldap.conf' % (uri, base, cacrt)) + + self.log.comment('Restart nslcd') + self.log.command('/usr/local/etc/rc.d/nslcd restart') + + def 
configure_ca_cert(self, cacrt): + self.log.comment('Download the CA certificate of the IPA server') + self.log.command('curl -k https://%s/ipa/config/ca.crt > ' + '%s' % (api.env.host, cacrt)) + + +api.register(config_freebsd_nss_pam_ldapd) -- cgit
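Review bot: `config_freebsd_nss_pam_ldapd.configure_ca_cert` fetches the trust anchor with `curl -k`, so the certificate that every later `tls_cacertfile` and `tls_cacert` line relies on is itself obtained without verification; this is a first-contact step, but the emitted advice should say so and have the admin compare the downloaded certificate's fingerprint with the server's out of band before the nslcd and ldap.conf steps, e.g. `self.log.comment('Verify the fingerprint of the downloaded CA certificate against the IPA server before continuing')` after the curl command. The override also changes the signature to `configure_ca_cert(self, cacrt)` while the other plugins on this page call `configure_ca_cert()` on the base with no argument, so a generic caller on `config_base_legacy_client` would fail on this class; `def configure_ca_cert(self, cacrt='/usr/local/etc/ipa.crt')` keeps both call shapes working and lets `get_info` drop its local copy of the path. The base class definition is outside the hunk.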