|
<%#
|
|
kind: snippet
|
|
name: freeipa_register
|
|
%>
|
|
# FreeIPA Registration Snippet
|
|
#
|
|
# Optional parameters:
|
|
#
|
|
# freeipa_server IPA server
|
|
#
|
|
# freeipa_sudo Enable sudoers
|
|
# Default: true
|
|
#
|
|
# freeipa_ssh Enable ssh integration
|
|
# Default: true
|
|
#
|
|
# freeipa_automount Enable automounter
|
|
# Default: false
|
|
#
|
|
# freeipa_automount_location Location for automounts
|
|
#
|
|
# freeipa_mkhomedir Enable automatically making home directories
|
|
# Default: true
|
|
#
|
|
# freeipa_opts Additional options to pass directly to installer
|
|
#
|
|
<% if @host.operatingsystem.family == 'Redhat' -%>
|
|
<% if @host.operatingsystem.name == "Fedora" -%>
|
|
freeipa_client=freeipa-client
|
|
<% else -%>
|
|
freeipa_client=ipa-client
|
|
<% end -%>
|
|
<% else -%>
|
|
freeipa_client=freeipa-client
|
|
<% end -%>
|
|
|
|
<%= @host.operatingsystem.family == "Redhat" ? 'yum install -y libsss_sudo' : 'apt-get install -y libsss-sudo' %> $freeipa_client
|
|
|
|
##
|
|
## IPA Client Installation
|
|
##
|
|
|
|
<% if @host.params["freeipa_server"] -%>
|
|
freeipa_server="--server <%= @host.params["freeipa_server"] %>"
|
|
<% end -%>
|
|
|
|
<% unless @host.param_false? "freeipa_mkhomedir" %>
|
|
freeipa_mkhomedir="--mkhomedir"
|
|
<% end -%>
|
|
|
|
<% if @host.param_false? "freeipa_ssh" %>
|
|
freeipa_ssh="--no-ssh"
|
|
<% end -%>
|
|
|
|
<% if @host.params["freeipa_opts"] -%>
|
|
freeipa_opts="<%= @host.params["freeipa_opts"] %>"
|
|
<% end -%>
|
|
|
|
/usr/sbin/ipa-client-install -w '<%= @host.otp %>' --realm=<%= @host.realm %> -f -U $freeipa_mkhomedir $freeipa_opts $freeipa_server $freeipa_ssh
|
|
|
|
##
|
|
## Automounter
|
|
##
|
|
|
|
<% if @host.params["freeipa_automount_location"] -%>
|
|
automount_location="--location <%= @host.params["freeipa_automount_location"] %>"
|
|
<% end -%>
|
|
|
|
<% if @host.param_true? "freeipa_automount" -%>
|
|
if [ -f /usr/sbin/ipa-client-automount ]
|
|
then
|
|
/usr/sbin/ipa-client-automount $freeipa_server $automount_location --unattended
|
|
fi
|
|
<% end -%>
|
|
|
|
##
|
|
## Sudoers
|
|
##
|
|
|
|
<% unless @host.param_false? "freeipa_enable_sudo" %>
|
|
|
|
freeipa_realm=$(grep default_realm /etc/krb5.conf | cut -d"=" -f2 | tr -d ' ')
|
|
freeipa_domain=$(grep default_domain /etc/krb5.conf | cut -d"=" -f2 | tr -d ' ')
|
|
freeipa_dn=$(for word in $(echo $freeipa_domain | sed 's/\./ /g'); do echo -n dc=$word,; done)
|
|
|
|
sssd_version=$(sssd --version)
|
|
sssd_major=$(echo $sssd_version | cut -f1 -d.)
|
|
sssd_minor=$(echo $sssd_version | cut -f2 -d.)
|
|
LDAP_CONFIG=$(mktemp)
|
|
|
|
if [ $sssd_minor >= 11 ] || [ $sssd_major > 1 ]
|
|
then
|
|
echo "sudo_provider = ipa" > $LDAP_CONFIG
|
|
else
|
|
<% if @host.params["freeipa_server"] -%>
|
|
ldap_uri=", ldap://<%= @host.params["freeipa_server"] %>"
|
|
krb5_server=<%= @host.params["freeipa_server"] %>
|
|
<% else -%>
|
|
krb5_server="_srv_"
|
|
<% end -%>
|
|
|
|
cat <<EOF > $LDAP_CONFIG
|
|
sudo_provider = ldap
|
|
ldap_uri = _srv_ $ldap_uri
|
|
ldap_sudo_search_base = ou=SUDOers,${freeipa_dn%?}
|
|
ldap_sasl_mech = GSSAPI
|
|
ldap_sasl_authid = host/$HOSTNAME
|
|
ldap_sasl_realm = $freeipa_realm
|
|
krb5_server = $krb5_server
|
|
EOF
|
|
|
|
fi
|
|
|
|
sed -i -e "/\[domain\/.*\]/ r $LDAP_CONFIG" /etc/sssd/sssd.conf
|
|
sed -i -e "s/services = .*/\0, sudo/" /etc/sssd/sssd.conf
|
|
|
|
<% if @host.operatingsystem.family == 'Redhat' -%>
|
|
authconfig --nisdomain ${freeipa_domain} --update
|
|
chkconfig sssd on
|
|
|
|
if [[ $(rpm -qa systemd | wc -l) -gt 0 ]];
|
|
then
|
|
domain_service=/usr/lib/systemd/system/*-domainname.service
|
|
|
|
# Workaround for BZ1071969 on RHEL 7.0
|
|
grep -q "DefaultDependencies=no" $domain_service
|
|
if [[ $? -ne 0 ]]
|
|
then
|
|
sed -i -e "s/\[Unit\]/\[Unit\]\nDefaultDependencies=no/" $domain_service
|
|
fi
|
|
|
|
systemctl start $(basename $domain_service)
|
|
systemctl enable $(basename $domain_service)
|
|
fi
|
|
<% else -%>
|
|
sed -i -e '/^exit /d' /etc/rc.local
|
|
echo "nisdomainname ${freeipa_domain}" >> /etc/rc.local
|
|
echo "exit 0" >> /etc/rc.local
|
|
nisdomainname ${freeipa_domain}
|
|
<% end -%>
|
|
|
|
grep -q sudoers /etc/nsswitch.conf
|
|
if [[ $? -eq 0 ]];
|
|
then
|
|
sed -i -e "s/^sudoers.*/sudoers: files sss/" /etc/nsswitch.conf
|
|
else
|
|
echo sudoers: files sss >> /etc/nsswitch.conf
|
|
fi
|
|
<% end -%>
|
|
|