tkt-78015: Switch from SSSD to NSLCD (#2687)

* Switch from SSSD to NSLCD - Begin using NSLCD for authenticated LDAP. More work is needed to bring in / validate kerberos support post-sssd.
truenas · Mar 8, 2019 · df3ee38 · df3ee38
1 parent 95cb046
commit df3ee38
Show file tree

Hide file tree

Showing 18 changed files with 124 additions and 1,197 deletions.
diff --git a/gui/directoryservice/migrations/0007_migrate_to_nslcd.py b/gui/directoryservice/migrations/0007_migrate_to_nslcd.py
@@ -0,0 +1,22 @@
+import django.core.validators
+from django.db import migrations, models
+import freenasUI.freeadmin.models.fields
+
+def remove_sssd_aux_params(apps, schema_editor):
+    LDAP = apps.get_model('directoryservice.LDAP')
+    for o in LDAP.objects.all():
+        if not o.ldap_anonbind:
+            o.ldap_auxiliary_parameters = ""
+            o.save()
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('directoryservice', '0006_certificate_model'),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            remove_sssd_aux_params 
+        ),
+    ]
diff --git a/gui/directoryservice/models.py b/gui/directoryservice/models.py
@@ -1279,7 +1279,7 @@ class LDAP(DirectoryServiceBase):
     ldap_auxiliary_parameters = models.TextField(
         verbose_name=_("Auxiliary Parameters"),
         blank=True,
-        help_text=_("These parameters are added to sssd.conf")
+        help_text=_("These parameters are added to nslcd.conf")
     )
     ldap_schema = models.CharField(
         verbose_name=("Schema"),

diff --git a/src/freenas/etc/directoryservice/ActiveDirectory/ctl b/src/freenas/etc/directoryservice/ActiveDirectory/ctl
@@ -23,31 +23,6 @@ adctl_cmd()
 	return 0
 }
 
-sssd_running()
-{
-	${service} sssd onestatus >/dev/null 2>&1
-	return $?
-}
-
-sssd_start()
-{
-	adctl_cmd ${service} sssd onestart
-	return $?
-}
-
-sssd_stop()
-{
-	adctl_cmd ${service} sssd onestop
-	return $?
-}
-
-sssd_restart()
-{
-	adctl_cmd ${service} sssd onestop
-	adctl_cmd ${service} sssd onestart
-	return $?
-}
-
 cifs_enabled()
 {
 	srv_enabled cifs && return 0
@@ -123,17 +98,6 @@ adctl_start()
 		return 1
 	fi
 
-	if AD_has_unix_extensions && AD_has_keytab
-	then
-		adctl_cmd ${service} ix-sssd start
-		if sssd_running
-		then
-			sssd_restart
-		else
-			sssd_start
-		fi
-	fi
-
 	cifs_start
 
 	if ! adctl_cmd ${service} ix-activedirectory quietstart
@@ -180,12 +144,6 @@ adctl_stop()
 		cifs_stop
 	fi
 
-	if sssd_running
-	then
-		sssd_stop
-		adctl_cmd ${service} ix-sssd start
-	fi
-
 	if [ "${prev_cifs_started}" = "0" -a "${cifs_started}" = "0" ]
 	then
 		adctl_cmd ${service} samba_server forcestop

diff --git a/src/freenas/etc/directoryservice/LDAP/ctl b/src/freenas/etc/directoryservice/LDAP/ctl
@@ -22,31 +22,6 @@ ldapctl_cmd()
 	return 0
 }
 
-sssd_running()
-{
-	${service} sssd onestatus >/dev/null 2>&1
-	return $?
-}
-
-sssd_start()
-{
-	ldapctl_cmd ${service} sssd onestart
-	return $?
-}
-
-sssd_stop()
-{
-	ldapctl_cmd ${service} sssd onestop
-	return $?
-}
-
-sssd_restart()
-{
-	ldapctl_cmd ${service} sssd onestop
-	ldapctl_cmd ${service} sssd onestart
-	return $?
-}
-
 nslcd_running()
 {
 	${service} nslcd onestatus >/dev/null 2>&1
@@ -87,7 +62,7 @@ cifs_restart()
 
 cifs_reset()
 {
-	ldapctl_cmd ${python} ${notifier} call etc.generate smb 
+	ldapctl_cmd ${python} ${notifier} call etc.generate smb > /dev/null 
 
 	if cifs_enabled;
 	then
@@ -150,26 +125,14 @@ ldapctl_start()
 		fi  
 	fi
 
-	anonbind="$(LDAP_get ldap_anonbind)"
-	if [ "${anonbind}" = "0" ]
-	then
-		ldapctl_cmd ${service} ix-sssd start	
-		if sssd_running
-		then
-			sssd_restart
-		else
-			sssd_start
-		fi
-
-	elif [ "${anonbind}" = "1" ]
+
+	ldapctl_cmd ${python} ${notifier} call etc.generate nss > /dev/null 
+	ldapctl_cmd ${service} ix-pam quietstart
+	if nslcd_running
 	then
-		ldapctl_cmd ${service} ix-pam quietstart
-		if nslcd_running
-		then
-			nslcd_restart
-		else
-			nslcd_start
-		fi
+		nslcd_restart
+	else
+		nslcd_start
 	fi
 
 	if ! ldapctl_cmd ${service} ix-ldap status
@@ -181,6 +144,8 @@ ldapctl_start()
 
 	if cifs_enabled && LDAP_has_samba_schema 
 	then
+		ldapctl_cmd ${python} ${notifier} call etc.generate smb > /dev/null 
+		ldapctl_cmd ${python} ${notifier} call smb.store_ldap_admin_password > /dev/null 
 		cifs_restart
 	fi
 
@@ -200,19 +165,14 @@ ldapctl_stop()
 		ldap_set 1
 	fi
 
-	if sssd_running
-	then
-		sssd_stop
-		ldapctl_cmd ${service} ix-sssd start
-	fi
 	if nslcd_running
 	then
 		nslcd_stop
 		ldapctl_cmd ${service} ix-nslcd start
 	fi
 
 	ldapctl_cmd ${service} ix-ldap forcestop
-	ldapctl_cmd ${service} ix-nsswitch quietstop
+	ldapctl_cmd ${python} ${notifier} call etc.generate nss > /dev/null 
 	ldapctl_cmd ${service} ix-pam quietstop
 	ldapctl_cmd "${service} ix-cache quietstop &"
 

diff --git a/src/freenas/etc/ix.rc.d/ix-smbpasswd b/src/freenas/etc/ix.rc.d/ix-smbpasswd
diff --git a/src/freenas/etc/ix.rc.d/ix-sssd b/src/freenas/etc/ix.rc.d/ix-sssd
diff --git a/src/freenas/etc/ix.rc.d/ix_pf_late b/src/freenas/etc/ix.rc.d/ix_pf_late
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: ix_pf_late
-# REQUIRE: ix-smbpasswd
+# REQUIRE: samba_server
 # KEYWORD: nojail shutdown
 
 . /etc/rc.subr

diff --git a/src/freenas/etc/rc.conf.local b/src/freenas/etc/rc.conf.local
@@ -444,42 +444,13 @@ _snmp_config()
 _ldap_config()
 {
 
-	# Should we ditch sssd now that we have nslcd in? TBD
-	sssd_enable="NO"
+	# Should we ditch sssd now that we have nslcd in? Yes 
 	nslcd_enable="NO"
 
 	if dirsrv_enabled ldap ; then
-		local anonymous_bind=$(${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG} "
-			SELECT
-				ldap_anonbind
-			FROM
-				directoryservice_ldap
-			ORDER BY
-				-id
-			LIMIT 1
-		")
-		if [ "${anonymous_bind}" = "1" ]; then
-			nslcd_enable="YES"
-		fi
-		sssd_enable="YES"
+		nslcd_enable="YES"
 	fi
 
-	# This needs to go away, winbind is perfectly fine for this use case nowdays
-	if dirsrv_enabled activedirectory; then
-		local ad_unix=$(${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG} "
-			SELECT
-				ad_unix_extensions
-			FROM
-				directoryservice_activedirectory
-			ORDER BY
-				-id
-			LIMIT 1
-		")
-		if [ "${ad_unix}" = "1" ]; then
-			sssd_enable="YES"
-		fi
-	fi
-	echo "sssd_enable=\"${sssd_enable}\""
 	echo "nslcd_enable=\"${nslcd_enable}\""
 }
 

diff --git a/src/freenas/etc/rc.freenas b/src/freenas/etc/rc.freenas
@@ -60,7 +60,6 @@
 #
 #	LDAP settings
 #
-: ${SSSD_CONF:="/usr/local/etc/sssd/sssd.conf"}
 : ${LDAP_CONF:="/usr/local/etc/openldap/ldap.conf"}
 : ${CERT_FILE:="/usr/local/etc/certs/cacert.crt"}
 : ${LDAP_TIMEOUT:="0"}

diff --git a/src/freenas/usr/local/libexec/freenas-debug/active_directory/active_directory.sh b/src/freenas/usr/local/libexec/freenas-debug/active_directory/active_directory.sh
@@ -195,13 +195,6 @@ __EOF__
 	klist
 	section_footer
 
-	#
-	#	Dump Active Directory SSSD configuration
-	#
-	section_header "${SSSD_CONF}"
-	sc "${SSSD_CONF}" | grep -iv ldap_default_authtok
-	section_footer
-
 	#
 	#	Dump generated AD config file
 	#

diff --git a/src/freenas/usr/local/libexec/freenas-debug/domain_controller/domain_controller.sh b/src/freenas/usr/local/libexec/freenas-debug/domain_controller/domain_controller.sh
@@ -165,13 +165,6 @@ __EOF__
 	klist
 	section_footer
 
-	#
-	#	Dump Domain Controller SSSD configuration
-	#
-	section_header "${SSSD_CONF}"
-	sc "${SSSD_CONF}" | grep -iv ldap_default_authtok
-	section_footer
-
 	#
 	#	Dump generated DC config file
 	#

diff --git a/src/freenas/usr/local/libexec/freenas-debug/ldap/ldap.sh b/src/freenas/usr/local/libexec/freenas-debug/ldap/ldap.sh
@@ -142,10 +142,10 @@ __EOF__
 	section_footer
 
 	#
-	#	Dump SSSD configuration
+	#	Dump NSLCD configuration
 	#
-	section_header "${SSSD_CONF}"
-	sc "${SSSD_CONF}" | grep -iv ldap_default_authtok
+	section_header "${NSLCD_CONF}"
+	sc "${NSLCD_CONF}" | grep -iv ldap_default_authtok
 	section_footer
 
 	#