authorAna Krivokapic <akrivoka@redhat.com>2013-08-01 14:12:39 +0200
committerMartin Kosek <mkosek@redhat.com>2013-08-07 09:18:42 +0200
commitfc3f3c90b94ef6d4d8f1e109655177412d52f36e (patch)
tree9baf657dade4c63a7d61b2bcb806af483cdc59e0 /install/share
parent7ae58f0ca92e4a573e62aa4e770e12062bb2ddff (diff)
Add ipa-advise plugins for legacy clients
Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in a trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these systems include the authconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
Diffstat (limited to 'install/share')
-rw-r--r--install/share/Makefile.am4
-rw-r--r--install/share/advise/Makefile.am17
-rw-r--r--install/share/advise/legacy/Makefile.am15
-rw-r--r--install/share/advise/legacy/pam.conf.template22
-rw-r--r--install/share/advise/legacy/sssd.conf.template13
5 files changed, 71 insertions, 0 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 1e56d2c53..5fff55bd1 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -1,5 +1,9 @@
NULL =
+SUBDIRS = \
+ advise \
+ $(NULL)
+
appdir = $(IPA_DATA_DIR)
app_DATA = \
05rfc2247.ldif \
diff --git a/install/share/advise/Makefile.am b/install/share/advise/Makefile.am
new file mode 100644
index 000000000..877f91ce8
--- /dev/null
+++ b/install/share/advise/Makefile.am
@@ -0,0 +1,17 @@
+NULL =
+
+SUBDIRS = \
+ legacy \
+ $(NULL)
+
+appdir = $(IPA_DATA_DIR)/advise
+app_DATA = \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(app_DATA) \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/install/share/advise/legacy/Makefile.am b/install/share/advise/legacy/Makefile.am
new file mode 100644
index 000000000..73cd2718c
--- /dev/null
+++ b/install/share/advise/legacy/Makefile.am
@@ -0,0 +1,15 @@
+NULL =
+
+appdir = $(IPA_DATA_DIR)/advise/legacy
+app_DATA = \
+ sssd.conf.template \
+ pam.conf.template \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(app_DATA) \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/install/share/advise/legacy/pam.conf.template b/install/share/advise/legacy/pam.conf.template
new file mode 100644
index 000000000..bdd91821e
--- /dev/null
+++ b/install/share/advise/legacy/pam.conf.template
@@ -0,0 +1,22 @@
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth sufficient pam_sss.so use_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so broken_shadow
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
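Review bot: The `nullok` option on the `pam_unix.so` auth line and again on the `pam_unix.so` password line lets local accounts with an empty password field authenticate and lets an empty password be set; since this template is handed to administrators as configuration advice rather than generated on a host that already had it, the option should either be dropped or be explained by a full-line comment such as `# nullok permits empty local passwords; remove it on hardened hosts` placed above the auth stanza. The two `pam_succeed_if.so uid` lines hard-code a threshold of 500 to separate system from user accounts, which presumably matches the UID_MIN of the legacy platforms this advice targets; a comment stating that assumption would stop the template from being applied unchanged on systems whose threshold is 1000. The template has no header comment at all, so one line naming which ipa-advise plugins consume it and that pam_sss.so is what reaches the compat tree would help the reader.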
diff --git a/install/share/advise/legacy/sssd.conf.template b/install/share/advise/legacy/sssd.conf.template
new file mode 100644
index 000000000..28f9c115d
--- /dev/null
+++ b/install/share/advise/legacy/sssd.conf.template
@@ -0,0 +1,13 @@
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = default
+re_expression = (?P<name>.+)
+
+[domain/default]
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldap://$IPA_SERVER_HOSTNAME
+ldap_search_base = cn=compat,$BASE_DN
+ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
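Review bot: `ldap_uri` uses the plain `ldap://` scheme while `ldap_tls_cacert` is set, which means only the password bind for `auth_provider = ldap` is forced over STARTTLS; identity lookups through `id_provider = ldap` stay in cleartext unless `ldap_id_use_start_tls = True` is added next to `ldap_uri`, so user and group data from `cn=compat,$BASE_DN` would otherwise cross the network unprotected. Certificate verification itself is fine as written, since SSSD's default for `ldap_tls_reqcert` is hard, but that only holds if the plugin that expands this template also places the IPA CA certificate at `/etc/openldap/cacerts/ipa.crt` before SSSD starts; the plugin is not visible in this change, so a comment above `ldap_tls_cacert` noting that prerequisite would be worth adding. A one-line header such as `# sssd.conf.template - expanded by the ipa-advise legacy plugins; $IPA_SERVER_HOSTNAME and $BASE_DN are substituted` would also document what the two placeholders are.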