author | Alexander Bokovoy <abokovoy@redhat.com> | 2013-07-15 19:13:50 +0300 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-07-18 17:56:30 +0200 |
commit | e95a7b1b8db9fb12c25fd371cac627352c5e93fb (patch) | |
tree | 9d072add9ec8f067fbf27e458c1386fa4c8abe3f /install/tools/ipa-adtrust-install | |
parent | f98054a31aef1c03e2b7b9190a9b5b6a354072cb (diff) | |
ipa-adtrust-install: configure compatibility tree to serve trusted domain users
Enables support for trusted domains users for old clients through Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs to use this option. When enabled, slapi-nis package needs to
be installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.
In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.
This authentication goes through the PAM stack using the 'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.
https://fedorahosted.org/freeipa/ticket/3567
Diffstat (limited to 'install/tools/ipa-adtrust-install')
-rwxr-xr-x | install/tools/ipa-adtrust-install | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5744c6f67..838f7226b 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -62,6 +62,9 @@ def parse_options():
     parser.add_option("--add-sids", dest="add_sids", action="store_true",
                       default=False, help="Add SIDs for existing users and" \
                                           " groups as the final step")
+    parser.add_option("--enable-compat",
+                      dest="enable_compat", default=False, action="store_true",
+                      help="Enable support for trusted domains for old clients")
 
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
@@ -194,6 +197,15 @@ def ensure_admin_kinit(admin_name, admin_password):
         return False
     return True
 
+def enable_compat_tree():
+    print "Do you want to enable support for trusted domains in Schema Compatibility plugin?"
+    print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users."
+    print ""
+    enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False)
+    print ""
+    return enable_compat
+
+
 def main():
     safe_options, options = parse_options()
 
@@ -244,6 +256,9 @@ def main():
             sys.exit("Aborting installation.")
         break
 
+    if not options.unattended and not options.enable_compat:
+        options.enable_compat = enable_compat_tree()
+
     # Check we have a public IP that is associated with the hostname
     ip = None
     try:
@@ -363,7 +378,8 @@ def main():
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
               netbios_name, reset_netbios_name, options.rid_base,
               options.secondary_rid_base,
-              options.no_msdcs, options.add_sids)
+              options.no_msdcs, options.add_sids,
+              enable_compat = options.enable_compat)
 
     smb.find_local_id_range()
     smb.create_instance()
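Review bot: The help string on the new --enable-compat option does not tell the operator what enabling it requires or implies, although the commit message does: the slapi-nis package must be installed, and trusted-domain users become able to bind over LDAP under the compat tree through the 'system-auth' PAM service. Since --help is the only thing an unattended installer reads, the option text should carry at least the package requirement, e.g. `help="Enable support for trusted domains for old clients (requires slapi-nis)"`. parse_options() starts and ends outside the hunk.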
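Review bot: The interactive prompt in enable_compat_tree() describes the benefit of the compat tree but not its consequence, while the commit message states that enabling it allows trusted-domain users to authenticate by LDAP bind under cn=compat via the 'system-auth' PAM service, and that with the 'allow_all' HBAC rule disabled a 'system-auth' HBAC service and rule must exist. An operator answering this question has no other chance to learn that, so a line such as `print "Note: this also enables LDAP bind authentication for trusted domain users via the 'system-auth' PAM service; if HBAC rule 'allow_all' is disabled, an HBAC rule for the 'system-auth' service is required."` belongs before the user_input call. As a point of style, `default = False, allow_empty = False` should be written without spaces around `=`, matching the add_option calls in parse_options.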
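Review bot: When options.enable_compat ends up True, nothing in this hunk verifies that the slapi-nis package the commit message calls a prerequisite is actually present; if that check is not done inside smb.setup() (which is not part of this diff), the installer will only fail once the Schema Compatibility plugin is being configured, after other changes have been written. Checking for the package right after this block would fail early with a clear message. In unattended mode enable_compat keeps its False default unless --enable-compat was given, which is the conservative choice but worth stating, e.g. `# Interactive installs are asked; unattended installs must opt in with --enable-compat`. main() starts and ends outside the hunk.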
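Review bot: The new keyword argument `enable_compat = options.enable_compat` uses spaces around `=`, unlike the other keyword arguments visible in this diff (the add_option calls in parse_options); it should read `enable_compat=options.enable_compat`. The matching parameter on smb.setup() is not part of this diff, so whether it defaults to False for other callers cannot be confirmed here. main() starts and ends outside the hunk.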