[Freeipa-devel] [PATCH] 0108 Add support for compatibility tree for trusted domain users
Alexander Bokovoy
abokovoy at redhat.com
Mon Jul 15 17:14:52 UTC 2013
Hi!
Attached patch allows to enable serving trusted domain users and groups
through Schema Compatibilty plugin.
The patch only does FreeIPA master configuration settings, the real work
is done by the changes to slapi-nis plugin (in a separate email).
Since ipa-adtrust-install can safely be run multiple times, one can
re-run it on the IPA master to enable serving old clients, by specifying
ipa-adtrust-install --enable-compat
or answering 'yes' to the interactive question.
I have expanded man page for ipa-adtrust-install to cover this option.
Once enabled, following is possible:
---------------------------------------------------------------------------
# ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li '(&(cn=domain admins at ad.lan)(objectclass=posixgroup))'
SASL/GSSAPI authentication started
SASL username: admin at VDA.LI
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=vda,dc=li> with scope subtree
# filter: (&(cn=domain admins at ad.lan)(objectclass=posixgroup))
# requesting: ALL
#
# domain admins at ad.lan, groups, compat, vda.li
dn: cn=domain admins at ad.lan,cn=groups,cn=compat,dc=vda,dc=li
objectClass: posixGroup
objectClass: extensibleObject
objectClass: top
gidNumber: 1442800512
memberUid: uid=administrator at ad.lan,cn=users,cn=compat,dc=vda,dc=li
schema-compat-origin: sssd
ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-512
cn: domain admins at ad.lan
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
---------------------------------------------------------------------------
and for users:
---------------------------------------------------------------------------
# ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li
# '(uid=administrator at ad.lan)'
SASL/GSSAPI authentication started
SASL username: admin at VDA.LI
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=vda,dc=li> with scope subtree
# filter: (uid=administrator at ad.lan)
# requesting: ALL
#
# administrator at ad.lan, users, compat, vda.li
dn: uid=administrator at ad.lan,cn=users,cn=compat,dc=vda,dc=li
objectClass: posixAccount
objectClass: extensibleObject
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 1442800500
gidNumber: 1442800500
homeDirectory: /
schema-compat-origin: sssd
ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-500
uid: administrator at ad.lan
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
----------------------------------------------------------------------------
Currently PAM authentication is a bit broken due to yet-to-hunt bug in
SSSD or my environment (Jakub was unable to reproduce it) where SSSD
thinks that AD DC is offline during authentication step.
However, if you don't hit the bug, you can check authentication by doing
following bind and entering a password for your AD administrator:
# ldapsearch -D uid=administrator at ad.lan,cn=users,cn=compat,dc=vda,dc=li \
-W -x -C -a always -b dc=vda,dc=li '(uid=admin)'
The bind operation needs to be performed _after_ user lookup.
All these commands are only examples, I'm currently working on seeing
how to configure pam_ldap/nss_ldap to use compat plugin this way.
--
/ Alexander Bokovoy
-------------- next part --------------
>From bd7addcc2a25555b37cd128dcbea0bc6e9b2929e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 15 Jul 2013 19:13:50 +0300
Subject: [PATCH] ipa-adtrust-install: configure compatibility tree to serve
trusted domain users
Enables support for trusted domains users for old clients through Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs to use this option. When enabled, slapi-nis package needs to
be installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.
In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator at ad.domain,cn=users,cn=compat,$SUFFIX.
This authentication is related to PAM stack using 'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.
https://fedorahosted.org/freeipa/ticket/3567
---
install/tools/ipa-adtrust-install | 18 +++++++++++++++++-
install/tools/man/ipa-adtrust-install.1 | 18 ++++++++++++++++++
ipaserver/install/adtrustinstance.py | 22 +++++++++++++++++++++-
3 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5744c6f..838f722 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -62,6 +62,9 @@ def parse_options():
parser.add_option("--add-sids", dest="add_sids", action="store_true",
default=False, help="Add SIDs for existing users and" \
" groups as the final step")
+ parser.add_option("--enable-compat",
+ dest="enable_compat", default=False, action="store_true",
+ help="Enable support for trusted domains for old clients")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
@@ -194,6 +197,15 @@ def ensure_admin_kinit(admin_name, admin_password):
return False
return True
+def enable_compat_tree():
+ print "Do you want to enable support for trusted domains in Schema Compatibility plugin?"
+ print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users."
+ print ""
+ enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False)
+ print ""
+ return enable_compat
+
+
def main():
safe_options, options = parse_options()
@@ -244,6 +256,9 @@ def main():
sys.exit("Aborting installation.")
break
+ if not options.unattended and not options.enable_compat:
+ options.enable_compat = enable_compat_tree()
+
# Check we have a public IP that is associated with the hostname
ip = None
try:
@@ -363,7 +378,8 @@ def main():
smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
netbios_name, reset_netbios_name,
options.rid_base, options.secondary_rid_base,
- options.no_msdcs, options.add_sids)
+ options.no_msdcs, options.add_sids,
+ enable_compat = options.enable_compat)
smb.find_local_id_range()
smb.create_instance()
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 38957f3..7931178 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -106,6 +106,24 @@ The password of the user with administrative privileges for this IPA server. Wil
.TP
The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
.TP
+\fB\-\-enable\-compat\fR
+Enables support for trusted domains users for old clients through Schema Compatibility plugin.
+SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that
+lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
+needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
+users and groups from trusted domains via SSSD on IPA server. These users and groups will be
+available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
+SSSD will normalize names of users and groups to lower case.
+.IP
+In addition to providing these users and groups through the compat tree, this option enables
+authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
+\fBuid=administrator at ad.domain,cn=users,cn=compat,$SUFFIX\fR. This authentication is related
+to PAM stack using '\fBsystem\-auth\fR' PAM service. If you have disabled HBAC rule 'allow_all', then
+make sure there is special service called '\fBsystem\-auth\fR' created and HBAC rule to allow
+access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service
+is not used directly by any other application, therefore it is safe to create one specifically
+to support trusted domain users via compatibility path.
+.TP
.SH "EXIT STATUS"
0 if the installation was successful
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 4eb20d9..9ecc7e9 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -664,6 +664,20 @@ class ADTRUSTInstance(service.Service):
except Exception, e:
root_logger.critical("Checking replicas for cifs principals failed with error '%s'" % e)
+ def __enable_compat_tree(self):
+ try:
+ compat_plugin_dn = DN("cn=Schema Compatibility,cn=plugins,cn=config")
+ lookup_sssd_name = "schema-compat-lookup-sssd"
+ for config in (("cn=users", "user"), ("cn=groups", "group")):
+ entry_dn = DN(config[0], compat_plugin_dn)
+ current = self.admin_conn.get_entry(entry_dn)
+ lookup_sssd = current.get(lookup_sssd_name, [])
+ if not(config[1] in lookup_sssd):
+ current[lookup_sssd_name] = [config[1]]
+ self.admin_conn.update_entry(entry_dn, current)
+ except Exception, e:
+ root_logger.critical("Enabling SSSD support in slapi-nis failed with error '%s'" % e)
+
def __start(self):
try:
self.start()
@@ -713,7 +727,7 @@ class ADTRUSTInstance(service.Service):
def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
reset_netbios_name, rid_base, secondary_rid_base,
- no_msdcs=False, add_sids=False, smbd_user="samba"):
+ no_msdcs=False, add_sids=False, smbd_user="samba", enable_compat=False):
self.fqdn = fqdn
self.ip_address = ip_address
self.realm = realm_name
@@ -724,6 +738,7 @@ class ADTRUSTInstance(service.Service):
self.secondary_rid_base = secondary_rid_base
self.no_msdcs = no_msdcs
self.add_sids = add_sids
+ self.enable_compat = enable_compat
self.smbd_user = smbd_user
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
@@ -811,6 +826,11 @@ class ADTRUSTInstance(service.Service):
self.step("configuring smbd to start on boot", self.__enable)
self.step("adding special DNS service records", \
self.__add_dns_service_records)
+
+ if self.enable_compat:
+ self.step("Enabling trusted domains support for older clients via Schema Compatibility plugin",
+ self.__enable_compat_tree)
+
self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \
self.__restart_dirsrv)
self.step("adding fallback group", self.__add_fallback_group)
--
1.8.3.1
More information about the Freeipa-devel
mailing list