diff --git a/server_admin/topics/user-federation/sssd.adoc b/server_admin/topics/user-federation/sssd.adoc index d7aa348d51..8e2dee480d 100644 --- a/server_admin/topics/user-federation/sssd.adoc +++ b/server_admin/topics/user-federation/sssd.adoc 
@@ -2,9 +2,9 @@ === SSSD and FreeIPA Identity Management Integration -{{book.project.name}} also comes with a built-in https://fedorahosted.org/sssd/wiki[SSSD] (System Security Services Daemon) plugin. SSSD is part of the latest Fedora or Red Hat Enterprise Linux and provides access to multiple identity and authentication providers. It provides benefits such as failover and offline support. To see configuration options and for more information see https://fedorahosted.org/sssd/wiki/Documentation[the Fedora documentation]. +{{book.project.name}} also comes with a built-in https://fedorahosted.org/sssd/wiki[SSSD] (System Security Services Daemon) plugin. SSSD is part of the latest Fedora or Red Hat Enterprise Linux and provides access to multiple identity and authentication providers. It provides benefits such as failover and offline support. To see configuration options and for more information see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.html[the Red Hat Enterprise Linux Identity Management documentation]. -SSSD also integrates with the http://www.freeipa.org/page/Main_Page[FreeIPA identity management (IdM)] server, providing authentication and access control. For {book_project_name}, we benefit from this integration authenticating against http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html[PAM] services and retrieving user data from SSSD. +SSSD also integrates with the http://www.freeipa.org/page/Main_Page[FreeIPA identity management (IdM)] server, providing authentication and access control. For {book_project_name}, we benefit from this integration authenticating against http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html[PAM] services and retrieving user data from SSSD. 
For more information about using Red Hat Identity Management in Linux environments, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html[the Red Hat Enterprise Linux Identity Management documentation]. image:../../{{book.images}}/keycloak-sssd-freeipa-integration-overview.png[] @@ -64,42 +64,13 @@ You must run the provisioning script available from the Keycloak distribution: {% if book.product %} -You must copy and run this provisioning script: +You must run this provisioning script: -[source,bash] +[source] +---- +$ .../bin/federation-sssd-setup.sh ---- -#!/bin/sh - -# Setup for SSSD -SSSD_FILE="/etc/sssd/sssd.conf" - -if [ -f "$SSSD_FILE" ]; -then - sed -i '/ldap_tls_cacert/a ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber' $SSSD_FILE - sed -i 's/nss, sudo, pam/nss, sudo, pam, ifp/' $SSSD_FILE - sed -i '/\[ifp\]/a allowed_uids = root\nuser_attributes = +mail, +telephoneNumber, +givenname, +sn' $SSSD_FILE - systemctl restart sssd -else - echo "Please make sure you have $SSSD_FILE into your system! Aborting." - exit 1 -fi - -# Setup for PAM -PAM_FILE="/etc/pam.d/keycloak" - -if [ ! -f "$PAM_FILE" ]; -then -cat < $PAM_FILE - auth required pam_sss.so - account required pam_sss.so -EOF -else - echo "$PAM_FILE already exists. Skipping it..." - exit 0 -fi - ----- {% endif %} This script makes the necessary changes to `/etc/sssd/sssd.conf`:
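Review bot: in the first hunk (`@@ -2,9 +2,9 @@`) the new link text "the Red Hat Enterprise Linux Identity Management documentation" is attached to the SSSD chapter of the System-Level Authentication Guide, while the unchanged paragraph two lines below uses the identical label for the Linux Domain Identity, Authentication and Policy Guide, so two different targets now share one name; suggest `...SSSD.html[the SSSD chapter of the System-Level Authentication Guide]` for the first link. While these lines are being touched, the second paragraph still reads `For {book_project_name}, ...` where the first uses `{{book.project.name}}`; the two should be made consistent so the product name renders the same way in both.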
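Review bot: in the second hunk (`@@ -64,42 +64,13 @@`) replacing the inline script with `$ .../bin/federation-sssd-setup.sh` removes the only place the page showed what the script does to the host, yet the trailing context `This script makes the necessary changes to `/etc/sssd/sssd.conf`:` still introduces that explanation; the prose should now state explicitly that the script must be run as root (it edits `/etc/sssd/sssd.conf`, restarts `sssd` and creates `/etc/pam.d/keycloak`), that it aborts with exit status 1 when `/etc/sssd/sssd.conf` is absent, and that it enables the `ifp` responder with `allowed_uids = root`, so the documentation should say which user the server must run as, or which UID has to be added to that list, for the lookups to be permitted. Two smaller points: `[source,bash]` became `[source]`, which drops syntax highlighting for the shell line and is worth keeping; and the removed inline copy carried a mangled heredoc (`cat < $PAM_FILE` followed by the two `pam_sss.so` lines and `EOF`), so it is worth confirming the shipped script writes the PAM file with `cat <<EOF > "$PAM_FILE"` rather than inheriting that defect.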