authorTomas Babej <tomasbabej@gmail.com>2013-11-21 13:09:28 +0100
committerAlexander Bokovoy <abokovoy@redhat.com>2014-05-09 13:57:04 +0300
commitef3c9d3bb00fb64c9eb97c17ae62e042d5091cc0 (patch)
treecf9cd1551ebf8ed03a56a7bbe0f41615afd758fe
parentd90eb46cce788595edf50f4658e97a7dd8c3e9b8 (diff)
ipa-client-install: Configure sudo to use SSSD as data source
Makes ipa-client-install configure SSSD as the data provider for the sudo service by default. This behaviour can be disabled with the --no-sudo flag. https://fedorahosted.org/freeipa/ticket/3358 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rwxr-xr-xipa-client/ipa-install/ipa-client-install84
-rw-r--r--ipa-client/man/ipa-client-install.13
2 files changed, 86 insertions, 1 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 5fdd515..6fd64d0 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -72,6 +72,8 @@ SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts'
client_nss_nickname_format = 'IPA Machine Certificate - %s'
+NSSWITCH_CONF = '/etc/nsswitch.conf'
+
def parse_options():
def validate_ca_cert_file_option(option, opt, value, parser):
if not os.path.exists(value):
@@ -137,6 +139,9 @@ def parse_options():
help="do not configure OpenSSH client")
basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
help="do not configure OpenSSH server")
+ basic_group.add_option("--no-sudo", dest="conf_sudo", default=True,
+ action="store_false",
+ help="do not configure SSSD as data source for sudo")
basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
help="do not automatically create DNS SSHFP records")
basic_group.add_option("--noac", dest="no_ac", default=False, action="store_true",
@@ -352,6 +357,69 @@ def is_ipa_client_installed(on_master=False):
return installed
+def configure_nsswitch_database(fstore, database, services, preserve=True,
+ append=True, default_value=None):
+ """
+ Edits the specified nsswitch.conf database (e.g. passwd, group, sudoers)
+ to use the specified service(s).
+
+ Arguments:
+ fstore - FileStore to backup the nsswitch.conf
+ database - database configuration that should be ammended, e.g 'sudoers'
+ service - list of services that should be added, e.g. ['sss']
+ preserve - if True, the already configured services will be preserved
+
+ The next arguments modify the behaviour if preserve=True:
+ append - if True, the services will be appended, if False, prepended
+ default_value - list of services that are considered as default (if
+ the database is not mentioned in nsswitch.conf), e.g.
+ ['files']
+ """
+
+ # Backup the original version of nsswitch.conf, we're going to edit it now
+ if not fstore.has_file(NSSWITCH_CONF):
+ fstore.backup_file(NSSWITCH_CONF)
+
+ conf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+ conf.setOptionAssignment(':')
+
+ if preserve:
+ # Read the existing configuration
+ with open('/etc/nsswitch.conf', 'r') as f:
+ opts = conf.parse(f)
+ raw_database_entry = conf.findOpts(opts, 'option', database)[1]
+
+ if not raw_database_entry:
+ # If there is no database entry, database is not present in
+ # the nsswitch.conf. Set the list of services to the
+ # default list, if passed.
+ configured_services = ' '.join(default_value or [])
+ else:
+ configured_services = raw_database_entry['value'].strip()
+
+ if append:
+ new_services = ' ' + configured_services + ' ' + ' '.join(services)
+ else:
+ new_services = ' ' + ' '.join(services) + ' ' + configured_services
+
+ else:
+ # Preserve not set, let's rewrite existing configuration
+ new_services = ' ' + ' '.join(services)
+
+ # Set new services as sources for database
+ opts = [{'name': database,
+ 'type':'option',
+ 'action':'set',
+ 'value': new_services
+ },
+ {'name':'empty',
+ 'type':'empty'
+ }]
+
+ conf.changeConf(NSSWITCH_CONF, opts)
+ root_logger.info("Configured %s in %s" % (database, NSSWITCH_CONF))
+
+
def uninstall(options, env):
if not is_ipa_client_installed():
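Review bot: Re-running the installer duplicates the service on the sudoers line, because the append and prepend branches at the `new_services = ...` lines add `services` without checking whether `configured_services` already lists them, so a second run yields `sudoers: files sss sss`. Filtering first keeps the edit idempotent: `already = configured_services.split()` followed by `new_services = ' ' + ' '.join(already + [s for s in services if s not in already])` for the append case, and the mirrored form for prepend. The `open('/etc/nsswitch.conf', 'r')` line should use the `NSSWITCH_CONF` constant this commit introduces so that backup, read and write all refer to the same path. The docstring also documents the parameter as `service` while the signature says `services`, and "ammended" should read "amended".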
@@ -1141,6 +1209,20 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie
sssdconfig.activate_service('ssh')
+ if options.conf_sudo:
+ # Activate the service in the SSSD config
+ try:
+ sssdconfig.new_service('sudo')
+ except SSSDConfig.ServiceAlreadyExists:
+ pass
+ except SSSDConfig.ServiceNotRecognizedError:
+ root_logger.error("Unable to activate the SUDO service in "
+ "SSSD config.")
+
+ sssdconfig.activate_service('sudo')
+ configure_nsswitch_database(fstore, 'sudoers', ['sss'],
+ default_value=['files'])
+
domain.add_provider('ipa', 'id')
#add discovery domain if client domain different from server domain
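Review bot: When `sssdconfig.new_service('sudo')` raises `ServiceNotRecognizedError`, the error is only logged and execution falls through to `sssdconfig.activate_service('sudo')` and the nsswitch edit, so `sudoers` ends up pointing at an SSSD service that was never added (and `activate_service` may fail on it as well). Recording whether the service exists and gating the two following calls on that keeps the nsswitch change tied to a working provider; as written the failure is easy to miss because installation continues. configure_sssd_conf begins and ends outside this hunk, and the `ssh` handling just above it is not visible here, so it may deserve the same treatment.
```python
if options.conf_sudo:
    sudo_service_ok = True
    # Activate the service in the SSSD config
    try:
        sssdconfig.new_service('sudo')
    except SSSDConfig.ServiceAlreadyExists:
        pass
    except SSSDConfig.ServiceNotRecognizedError:
        root_logger.error("Unable to activate the SUDO service in "
                          "SSSD config.")
        sudo_service_ok = False

    # Only wire nsswitch to sss when the SSSD sudo service is present
    if sudo_service_ok:
        sssdconfig.activate_service('sudo')
        configure_nsswitch_database(fstore, 'sudoers', ['sss'],
                                    default_value=['files'])
```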
@@ -2265,7 +2347,7 @@ def install(options, env, fstore, statestore):
# skip this step when run by ipa-server-install as it always configures
# hostname if different from system hostname
ipaservices.backup_and_replace_hostname(fstore, statestore, options.hostname)
-
+
if not options.on_master:
# Attempt to sync time with IPA server.
# We assume that NTP servers are discoverable through SRV records in the DNS
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 3694fca..279d66a 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -140,6 +140,9 @@ Do not configure OpenSSH client.
\fB\-\-no\-sshd\fR
Do not configure OpenSSH server.
.TP
+\fB\-\-no\-sudo\fR
+Do not configure SSSD as a data source for sudo.
+.TP
\fB\-\-no\-dns\-sshfp\fR
Do not automatically create DNS SSHFP records.
.TP