Add initial round of changes for SSSD support
This commit provides equivalent functionality from SSSD that we were getting from nss-pam-ldapd (nslcd) * remove nslcd from build and runtime requirements * add truenas-sssd to build and runtime requirements * slightly refactor LDAP plugin to restart new sssd service rather than nslcd service. * remove mako file for nslcd and create one for sssd * remove murmurhash3 python implementation and use one provided by sssd. TODO: - add user and group UI caching for LDAP users - improve SSSD status checks - add migration to comment-out auxiliary parameters for LDAP plugin
Showing
13 changed files
with
137 additions
and
286 deletions.
82 changes: 0 additions & 82 deletions
src/middlewared/middlewared/etc_files/local/nslcd.conf.mako
This file was deleted.
@@ -0,0 +1,86 @@ | ||
# | ||
# NSLCD.CONF(5) The configuration file for LDAP nameservice daemon | ||
# | ||
<% | ||
from middlewared.plugins.ldap_ import constants | ||
from middlewared.plugins.ldap_ import utils | ||
ldap = middleware.call_sync('ldap.config') | ||
kerberos_realm = None | ||
aux = [] | ||
map_params = utils.attribute_maps_data_to_params(ldap[constants.LDAP_ATTRIBUTE_MAP_SCHEMA_NAME]) | ||
search_params = utils.search_base_data_to_params(ldap[constants.LDAP_SEARCH_BASES_SCHEMA_NAME]) | ||
min_uid = 1000 | ||
kerberos_realm = None | ||
certpath = None | ||
if ldap['certificate']: | ||
try: | ||
cert = middleware.call_sync('certificate.query', [('id', '=', ldap['certificate'])], {'get': True}) | ||
except IndexError: | ||
pass | ||
else: | ||
certpath = cert['certificate_path'] | ||
keypath = cert['privatekey_path'] | ||
if ldap['kerberos_realm']: | ||
kerberos_realm = middleware.call_sync( | ||
'kerberos.realm.query', | ||
[('id', '=', ldap['kerberos_realm'])], | ||
{'get': True} | ||
)['realm'] | ||
ldap_enabled = ldap['enable'] | ||
if ldap_enabled: | ||
domain = kerberos_realm or ldap['hostname'][0] | ||
ldap_enabled = ldap['enable'] | ||
for param in ldap['auxiliary_parameters'].splitlines(): | ||
param = param.strip() | ||
if not param.startswith('nss_min_uid'): | ||
aux.append(param) | ||
else: | ||
try: | ||
min_uid = param.split()[1] | ||
except Exception: | ||
pass | ||
%> | ||
% if ldap_enabled: | ||
[sssd] | ||
domains = ${domain} | ||
services = nss, pam | ||
config_file_version = 2 | ||
|
||
[domain/${domain}] | ||
id_provider = ldap | ||
auth_provider = ldap | ||
ldap_uri = ${','.join(ldap['uri_list'])} | ||
ldap_search_base = ${ldap['basedn']} | ||
% if ldap['ssl'] == 'START_TLS': | ||
ldap_id_use_start_tls = true | ||
% endif | ||
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt | ||
% if certpath: | ||
ldap_tls_cert = ${certpath} | ||
ldap_tls_key = ${keypath} | ||
% endif | ||
ldap_tls_reqcert = ${'demand' if ldap['validate_certificates'] else 'allow'} | ||
% if ldap['binddn'] and ldap['bindpw']: | ||
ldap_default_bind_dn = ${ldap['binddn']} | ||
ldap_default_authtok = ${ldap['bindpw']} | ||
% endif | ||
enumerate = ${not ldap['disable_freenas_cache']} | ||
% if kerberos_realm: | ||
ldap_sasl_mech = GSSAPI | ||
ldap_sasl_realm = ${kerberos_realm} | ||
% if ldap['kerberos_principal']: | ||
ldap_sasl_authid = ldap['kerberos_principal'] | ||
% endif | ||
% endif | ||
timeout = ${ldap['timeout']} | ||
ldap_schema = ${ldap['schema'].lower()} | ||
${'\n '.join(search_params)} | ||
${'\n '.join(map_params)} | ||
% if aux: | ||
${'\n '.join(aux)} | ||
% endif | ||
% endif |
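Review bot: `ldap_sasl_authid = ldap['kerberos_principal']` inside the `% if kerberos_realm:` block lacks the Mako `${...}` expression syntax, so the rendered sssd.conf carries the literal text `ldap['kerberos_principal']` rather than the principal, and the GSSAPI bind presumably fails or runs under an unintended identity; it should read `ldap_sasl_authid = ${ldap['kerberos_principal']}`. The `min_uid` value parsed from `nss_min_uid` in the preamble is never written out, so the old setting is silently dropped; if it is meant to carry over, the sssd domain-section equivalent is `min_id = ${min_uid}`. The header comment still reads `# NSLCD.CONF(5) The configuration file for LDAP nameservice daemon` and should name sssd.conf(5), since this hunk appears to be the new sssd template (its file header is not visible on this page; the header above belongs to the deleted nslcd.conf.mako). `ldap_default_authtok` places the bind password in the rendered file in clear text, and the remaining `auxiliary_parameters` are appended verbatim into the `[domain/...]` section although they were authored in nslcd syntax; the file mode the etc plugin assigns to this template is outside the hunk, and the commit's own TODO on migrating those parameters would be worth completing before the template is enabled.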
@@ -1,5 +0,0 @@ | ||
import sys | ||
# nss-pam-ldapd generates constants at compile time that are stored in python | ||
# nslcd client files in /usr/share/nslcd-utils. Hence, path is expanded to include | ||
# this for the middleware nslcd client | ||
sys.path.append('/usr/share/nslcd-utils') | ||