Project

General

Profile

Download (4.04 KB) Statistics
| Branch: | Tag: | Revision:

foreman/app/views/unattended/snippets/_freeipa_register.erb @ bd1fe677

<%#
kind: snippet
name: freeipa_register
%>
# FreeIPA Registration Snippet
#
# Optional parameters:
#
# freeipa_server IPA server
#
# freeipa_sudo Enable sudoers
# Default: true
#
# freeipa_ssh Enable ssh integration
# Default: true
#
# freeipa_automount Enable automounter
# Default: false
#
# freeipa_automount_location Location for automounts
#
# freeipa_mkhomedir Enable automatically making home directories
# Default: true
#
# freeipa_opts Additional options to pass directly to installer
#
<% if @host.operatingsystem.family == 'Redhat' -%>
<% if @host.operatingsystem.name == "Fedora" -%>
freeipa_client=freeipa-client
<% else -%>
freeipa_client=ipa-client
<% end -%>
<% else -%>
freeipa_client=freeipa-client
<% end -%>

<%= @host.operatingsystem.family == "Redhat" ? 'yum install -y libsss_sudo' : 'apt-get install -y libsss-sudo' %> $freeipa_client

##
## IPA Client Installation
##

<% if @host.params["freeipa_server"] -%>
freeipa_server="--server <%= @host.params["freeipa_server"] %>"
<% end -%>

<% unless @host.param_false? "freeipa_mkhomedir" %>
freeipa_mkhomedir="--mkhomedir"
<% end -%>

<% if @host.param_false? "freeipa_ssh" %>
freeipa_ssh="--no-ssh"
<% end -%>

<% if @host.params["freeipa_opts"] -%>
freeipa_opts="<%= @host.params["freeipa_opts"] %>"
<% end -%>

/usr/sbin/ipa-client-install -w '<%= @host.otp %>' --realm=<%= @host.realm %> -f -U $freeipa_mkhomedir $freeipa_opts $freeipa_server $freeipa_ssh

##
## Automounter
##

<% if @host.params["freeipa_automount_location"] -%>
automount_location="--location <%= @host.params["freeipa_automount_location"] %>"
<% end -%>

<% if @host.param_true? "freeipa_automount" -%>
if [ -f /usr/sbin/ipa-client-automount ]
then
/usr/sbin/ipa-client-automount $freeipa_server $automount_location --unattended
fi
<% end -%>

##
## Sudoers
##

<% unless @host.param_false? "freeipa_enable_sudo" %>

freeipa_realm=$(grep default_realm /etc/krb5.conf | cut -d"=" -f2 | tr -d ' ')
freeipa_domain=$(grep default_domain /etc/krb5.conf | cut -d"=" -f2 | tr -d ' ')
freeipa_dn=$(for word in $(echo $freeipa_domain | sed 's/\./ /g'); do echo -n dc=$word,; done)

sssd_version=$(sssd --version)
sssd_major=$(echo $sssd_version | cut -f1 -d.)
sssd_minor=$(echo $sssd_version | cut -f2 -d.)
LDAP_CONFIG=$(mktemp)

if [ $sssd_minor >= 11 ] || [ $sssd_major > 1 ]
then
echo "sudo_provider = ipa" > $LDAP_CONFIG
else
<% if @host.params["freeipa_server"] -%>
ldap_uri=", ldap://<%= @host.params["freeipa_server"] %>"
krb5_server=<%= @host.params["freeipa_server"] %>
<% else -%>
krb5_server="_srv_"
<% end -%>

cat <<EOF > $LDAP_CONFIG
sudo_provider = ldap
ldap_uri = _srv_ $ldap_uri
ldap_sudo_search_base = ou=SUDOers,${freeipa_dn%?}
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/$HOSTNAME
ldap_sasl_realm = $freeipa_realm
krb5_server = $krb5_server
EOF

fi

sed -i -e "/\[domain\/.*\]/ r $LDAP_CONFIG" /etc/sssd/sssd.conf
sed -i -e "s/services = .*/\0, sudo/" /etc/sssd/sssd.conf

<% if @host.operatingsystem.family == 'Redhat' -%>
authconfig --nisdomain ${freeipa_domain} --update
chkconfig sssd on

if [[ $(rpm -qa systemd | wc -l) -gt 0 ]];
then
domain_service=/usr/lib/systemd/system/*-domainname.service

# Workaround for BZ1071969 on RHEL 7.0
grep -q "DefaultDependencies=no" $domain_service
if [[ $? -ne 0 ]]
then
sed -i -e "s/\[Unit\]/\[Unit\]\nDefaultDependencies=no/" $domain_service
fi

systemctl start $(basename $domain_service)
systemctl enable $(basename $domain_service)
fi
<% else -%>
sed -i -e '/^exit /d' /etc/rc.local
echo "nisdomainname ${freeipa_domain}" >> /etc/rc.local
echo "exit 0" >> /etc/rc.local
nisdomainname ${freeipa_domain}
<% end -%>

grep -q sudoers /etc/nsswitch.conf
if [[ $? -eq 0 ]];
then
sed -i -e "s/^sudoers.*/sudoers: files sss/" /etc/nsswitch.conf
else
echo sudoers: files sss >> /etc/nsswitch.conf
fi
<% end -%>

(4-4/8)