Import Upstream version 4.12.4

2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions
--- a/ipaplatform/suse/constants.py
+++ b/ipaplatform/suse/constants.py
@@ -8,14 +8,17 @@ related constants for the SUSE OS family-based systems.
 """

 # Fallback to default path definitions
-from ipaplatform.base.constants import BaseConstantsNamespace
+from ipaplatform.base.constants import BaseConstantsNamespace, User, Group
+
+
+__all__ = ("constants", "User", "Group")


 class SuseConstantsNamespace(BaseConstantsNamespace):
-    HTTPD_USER = "wwwrun"
-    HTTPD_GROUP = "www"
+    HTTPD_USER = User("wwwrun")
+    HTTPD_GROUP = Group("www")
    # Don't have it yet
-    SSSD_USER = "root"
+    SSSD_USER = User("root")
    TLS_HIGH_CIPHERS = None


--- a/ipaplatform/suse/paths.py
+++ b/ipaplatform/suse/paths.py
@@ -27,8 +27,12 @@ class SusePathNamespace(BasePathNamespace):
    HTTPD_PASSWORD_CONF = "/etc/apache2/ipa/password.conf"
    NAMED_CUSTOM_CONF = "/etc/named.d/ipa-ext.conf"
    NAMED_CUSTOM_OPTIONS_CONF = "/etc/named.d/ipa-options-ext.conf"
+    NAMED_LOGGING_OPTIONS_CONF = "/etc/named.d/ipa-logging-ext.conf"
    NAMED_VAR_DIR = "/var/lib/named"
    NAMED_MANAGED_KEYS_DIR = "/var/lib/named/dyn"
+    OPENSSL_DIR = "/etc/ssl"
+    OPENSSL_CERTS_DIR = "/etc/ssl/certs"
+    OPENSSL_PRIVATE_DIR = "/etc/ssl/private"
    IPA_P11_KIT = "/etc/pki/trust/ipa.p11-kit"
    # Those files are only here to be able to configure them, we copy those in
    # rpm spec to fillupdir
@@ -82,7 +86,7 @@ class SusePathNamespace(BasePathNamespace):
    KDESTROY = "/usr/lib/mit/bin/kdestroy"
    BIN_KVNO = "/usr/lib/mit/bin/kvno"
    UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
-    AUTHSELECT = "/usr/bin/authselect"
+    PAM_CONFIG = "/usr/sbin/pam-config"


 paths = SusePathNamespace()
--- a/ipaplatform/suse/services.py
+++ b/ipaplatform/suse/services.py
@@ -17,7 +17,6 @@ suse_system_units = dict(
    (x, "%s.service" % x) for x in base_services.wellknownservices
 )
 suse_system_units["httpd"] = "apache2.service"
-
 suse_system_units["dirsrv"] = "dirsrv@.service"
 suse_system_units["pki-tomcatd"] = "pki-tomcatd@pki-tomcat.service"
 suse_system_units["pki_tomcatd"] = suse_system_units["pki-tomcatd"]
@@ -163,9 +162,25 @@ class SuseCAService(SuseService):
        return False


+# For services which have no SUSE counterpart
+class SuseNoService(base_services.PlatformService):
+    def start(self):
+        pass
+
+    def stop(self):
+        pass
+
+    def restart(self):
+        pass
+
+    def disable(self):
+        pass
+
 def suse_service_class_factory(name, api):
    if name == "dirsrv":
        return SuseDirectoryService(name, api)
+    if name == 'domainname':
+        return SuseNoService(name, api)
    if name == "ipa":
        return SuseIPAService(name, api)
    if name in ("pki-tomcatd", "pki_tomcatd"):
@@ -189,6 +204,6 @@ class SuseServices(base_services.KnownServices):
        super().__init__(services)


-timedate_services = ["ntpd"]
+timedate_services = base_services.timedate_services
 service = suse_service_class_factory
 knownservices = SuseServices()
--- a/ipaplatform/suse/tasks.py
+++ b/ipaplatform/suse/tasks.py
@@ -10,7 +10,9 @@ system tasks.
 import logging

 from ipaplatform.paths import paths
+from ipaplatform.base.tasks import BaseTaskNamespace as BaseTask
 from ipaplatform.redhat.tasks import RedHatTaskNamespace
+from ipapython import ipautil

 logger = logging.getLogger(__name__)

@@ -42,5 +44,80 @@ class SuseTaskNamespace(RedHatTaskNamespace):
    def set_selinux_booleans(self, required_settings, backup_func=None):
        return False  # FIXME: Implement after libexec move

+    def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore,
+                                  sudo=True, subid=False):
+        # pylint: disable=ipa-forbidden-import
+        from ipalib import sysrestore  # FixMe: break import cycle
+        # pylint: enable=ipa-forbidden-import
+        fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+        logger.debug('Enabling SSSD in nsswitch')
+        BaseTask.configure_nsswitch_database(self, fstore, 'group',
+                                             ['sss'], default_value=['compat'])
+        BaseTask.configure_nsswitch_database(self, fstore, 'passwd',
+                                             ['sss'], default_value=['compat'])
+        BaseTask.configure_nsswitch_database(self, fstore, 'shadow',
+                                             ['sss'], default_value=['compat'])
+        BaseTask.configure_nsswitch_database(self, fstore, 'netgroup',
+                                             ['files','sss'], preserve=False,
+                                             default_value=['files','nis'])
+        BaseTask.configure_nsswitch_database(self, fstore, 'automount',
+                                             ['files','sss'], preserve=False,
+                                             default_value=['files','nis'])
+        if sudo:
+            BaseTask.enable_sssd_sudo(self,fstore)
+        logger.debug('Enabling sss in PAM')
+        try:
+            ipautil.run([paths.PAM_CONFIG, '--add', '--sss'])
+            if mkhomedir:
+                logger.debug('Enabling mkhomedir in PAM')
+                try:
+                    ipautil.run([paths.PAM_CONFIG, '--add', '--mkhomedir',
+                                 '--mkhomedir-umask=0077'])
+                except ipautil.CalledProcessError:
+                    logger.debug('Failed to configure PAM mkhomedir')
+                    return False
+        except ipautil.CalledProcessError:
+            logger.debug('Failed to configure PAM to use SSSD')
+            return False
+        return True
+
+    def restore_pre_ipa_client_configuration(self, fstore, statestore,
+                                             was_sssd_installed,
+                                             was_sssd_configured):
+        if fstore.has_file(paths.NSSWITCH_CONF):
+            logger.debug('Restoring nsswitch from fstore')
+            fstore.restore_file(paths.NSSWITCH_CONF)
+        else:
+            logger.info('nsswitch not restored')
+            return False
+        try:
+            logger.debug('Removing sssd from PAM')
+            ipautil.run([paths.PAM_CONFIG, '--delete', '--mkhomedir'])
+            ipautil.run([paths.PAM_CONFIG, '--delete', '--sss'])
+            logger.debug('Removing sssd from PAM successed')
+        except ipautil.CalledProcessError:
+            logger.debug('Faled to remove sssd from PAM')
+            return False
+        return True
+
+    def disable_ldap_automount(self, statestore):
+        # SUSE does not use authconfig or authselect
+        return BaseTask.disable_ldap_automount(self, statestore)
+
+    def modify_pam_to_use_krb5(self, statestore):
+        # SUSE doesn't use authconfig, this is handled by pam-config
+        return True
+
+    def backup_auth_configuration(self, path):
+        # SUSE doesn't use authconfig, nothing to backup
+        return True
+
+    def restore_auth_configuration(self, path):
+        # SUSE doesn't use authconfig, nothing to restore
+        return True
+
+    def migrate_auth_configuration(self, statestore):
+        # SUSE doesn't have authselect
+        return True

 tasks = SuseTaskNamespace()