Imported Debian patch 4.7.2-3

Timo Aaltonen
2019-05-06 08:43:34 +03:00
committed by Mario Fetka
parent 27edeba051
commit 8bc559c5a1
917 changed files with 1068993 additions and 1184676 deletions


@@ -105,7 +105,6 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
ssl_conf = paths.HTTPD_SSL_CONF
ssl_ocsp_directive = OCSP_DIRECTIVE
kdc_service_name = services.knownservices.krb5kdc.systemd_name
httpd_service_name = services.knownservices.httpd.systemd_name
def get_info(self):
self.log.exit_on_nonroot_euid()
@@ -118,7 +117,6 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
self.record_httpd_ocsp_status()
self.check_and_enable_pkinit()
self.enable_ok_to_auth_as_delegate_on_http_principal()
self.allow_httpd_ifp()
self.upload_smartcard_ca_certificates_to_systemwide_db()
self.install_smart_card_signing_ca_certs()
self.update_ipa_ca_certificate_store()
@@ -135,10 +133,9 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
self.log.comment('make sure bind-utils are installed so that we can '
'dig for ipa-ca records')
self.log.install_packages(
['bind-utils'],
['Failed to install bind-utils']
)
self.log.exit_on_failed_command(
'yum install -y bind-utils',
['Failed to install bind-utils'])
self.log.comment('make sure ipa-ca records are resolvable, '
'otherwise error out and instruct')
@@ -186,9 +183,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
def restart_httpd(self):
self.log.comment('finally restart apache')
self.log.command(
'systemctl restart {}'.format(self.httpd_service_name)
)
self.log.command('systemctl restart httpd')
def record_httpd_ocsp_status(self):
self.log.comment('store the OCSP upgrade state')
@@ -219,21 +214,6 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"]
)
def allow_httpd_ifp(self):
self.log.comment('Allow Apache to access SSSD IFP')
self.log.exit_on_failed_command(
'{} -c "import SSSDConfig; '
'from ipaclient.install.client import sssd_enable_ifp; '
'from ipaplatform.paths import paths; '
'c = SSSDConfig.SSSDConfig(); '
'c.import_config(); '
'sssd_enable_ifp(c, allow_httpd=True); '
'c.write(paths.SSSD_CONF)"'.format(sys.executable),
['Failed to modify SSSD config']
)
self.log.comment('Restart sssd')
self.log.command('systemctl restart sssd')
def restart_kdc(self):
self.log.exit_on_failed_command(
'systemctl restart {}'.format(self.kdc_service_name),
@@ -273,23 +253,26 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
self.restart_sssd()
def check_and_remove_pam_pkcs11(self):
self.log.remove_package(
'pam_pkcs11',
['Could not remove pam_pkcs11 package']
self.log.command('rpm -qi pam_pkcs11 > /dev/null')
self.log.commands_on_predicate(
'[ "$?" -eq "0" ]',
[
'yum remove -y pam_pkcs11'
]
)
def install_opensc_and_dconf_packages(self):
self.log.comment(
'authconfig often complains about missing dconf, '
'install it explicitly')
self.log.install_packages(
[self.opensc_module_name.lower(), 'dconf'],
self.log.exit_on_failed_command(
'yum install -y {} dconf'.format(self.opensc_module_name.lower()),
['Could not install OpenSC package']
)
def install_krb5_client_dependencies(self):
self.log.install_packages(
['krb5-pkinit-openssl'],
self.log.exit_on_failed_command(
'yum install -y krb5-pkinit-openssl',
['Failed to install Kerberos client PKINIT extensions.']
)
@@ -319,20 +302,8 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
)
def run_authselect_to_configure_smart_card_auth(self):
# In order to be compatible with all clients, we check first
# if the client supports authselect.
# Otherwise authconfig will be used.
self.log.comment('Use either authselect or authconfig to enable '
'Smart Card authentication')
self.log.commands_on_predicate(
'[ -f {} ]'.format(paths.AUTHSELECT),
['AUTHCMD="authselect enable-feature with-smartcard"'],
['AUTHCMD="authconfig --enablesssd --enablesssdauth '
'--enablesmartcard --smartcardmodule=sssd --smartcardaction=1 '
'--updateall"']
)
self.log.exit_on_failed_command(
'$AUTHCMD',
'authselect enable-feature with-smartcard',
[
'Failed to configure Smart Card authentication in SSSD'
]
@@ -340,22 +311,11 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
def configure_pam_cert_auth(self):
self.log.comment('Set pam_cert_auth=True in /etc/sssd/sssd.conf')
self.log.comment('This step is required only when authselect is used')
# If the advise command is run on RHEL7 or fedora but the client
# is rhel8, python3 executable may be in a different location
# Find the right python path first
self.log.command("python3 --version >/dev/null 2>&1")
self.log.commands_on_predicate(
'[ "$?" -eq 0 ]',
['PYTHON3CMD=python3'],
['PYTHON3CMD=/usr/libexec/platform-python']
)
self.log.commands_on_predicate(
'[ -f {} ]'.format(paths.AUTHSELECT),
["${PYTHON3CMD} -c 'from SSSDConfig import SSSDConfig; "
"c = SSSDConfig(); c.import_config(); "
"c.set(\"pam\", \"pam_cert_auth\", \"True\"); "
"c.write()'"])
self.log.command(
"{} -c 'from SSSDConfig import SSSDConfig; "
"c = SSSDConfig(); c.import_config(); "
"c.set(\"pam\", \"pam_cert_auth\", \"True\"); "
"c.write()'".format(sys.executable))
def restart_sssd(self):
self.log.command('systemctl restart sssd.service')
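Review bot: In `configure_pam_cert_auth` the SSSDConfig one-liner is emitted with `self.log.command`, so if it fails the generated script appears to carry on to `restart_sssd` with `pam_cert_auth` still unset and nothing reported; the package-install steps in this file use `exit_on_failed_command` with a message, and this step should too, e.g. `self.log.exit_on_failed_command("{} -c '...'".format(sys.executable), ['Failed to set pam_cert_auth in sssd.conf'])`. The same unchecked pattern is in `restart_httpd` (`self.log.command('systemctl restart httpd')`) and in the `yum remove -y pam_pkcs11` branch of `check_and_remove_pam_pkcs11`, which additionally depends on `$?` still holding the `rpm -qi` result when the predicate is evaluated. Separately, `sys.executable` is the interpreter path of the host that generates the advice, which may not exist on the client that runs the script; a comment stating that assumption would help. The bodies of `log.command` and `exit_on_failed_command` are not visible on this page, so the failure behaviour described here is inferred from their names and usage.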