Merge pull request #91 from jenmalloy/RHSSO-932

fixed RHSSO-932
Jen Malloy 2017-03-31 15:11:43 -04:00 committed by GitHub
commit c3903f6a17

@ -2,9 +2,9 @@
=== SSSD and FreeIPA Identity Management Integration === SSSD and FreeIPA Identity Management Integration
{{book.project.name}} also comes with a built-in https://fedorahosted.org/sssd/wiki[SSSD] (System Security Services Daemon) plugin. SSSD is part of the latest Fedora or Red Hat Enterprise Linux and provides access to multiple identity and authentication providers. It provides benefits such as failover and offline support. To see configuration options and for more information see https://fedorahosted.org/sssd/wiki/Documentation[the Fedora documentation]. {{book.project.name}} also comes with a built-in https://fedorahosted.org/sssd/wiki[SSSD] (System Security Services Daemon) plugin. SSSD is part of the latest Fedora or Red Hat Enterprise Linux and provides access to multiple identity and authentication providers. It provides benefits such as failover and offline support. To see configuration options and for more information see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.html[the Red Hat Enterprise Linux Identity Management documentation].
SSSD also integrates with the http://www.freeipa.org/page/Main_Page[FreeIPA identity management (IdM)] server, providing authentication and access control. For {book_project_name}, we benefit from this integration authenticating against http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html[PAM] services and retrieving user data from SSSD. SSSD also integrates with the http://www.freeipa.org/page/Main_Page[FreeIPA identity management (IdM)] server, providing authentication and access control. For {book_project_name}, we benefit from this integration authenticating against http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html[PAM] services and retrieving user data from SSSD. For more information about using Red Hat Identity Management in Linux environments, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html[the Red Hat Enterprise Linux Identity Management documentation].
image:../../{{book.images}}/keycloak-sssd-freeipa-integration-overview.png[] image:../../{{book.images}}/keycloak-sssd-freeipa-integration-overview.png[]
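Review bot: the two new links in this hunk both use the link text "the Red Hat Enterprise Linux Identity Management documentation" while pointing at different guides (the SSSD chapter of the System-Level Authentication Guide on the first changed line, the Linux Domain Identity, Authentication, and Policy Guide on the second), so a reader cannot tell which one covers SSSD configuration options; give the first link text that names its target, for example `...SSSD.html[the SSSD chapter of the RHEL System-Level Authentication Guide]`, and keep the IdM wording only for the second. While these lines are being touched, `{book_project_name}` in the second paragraph does not match the `{{book.project.name}}` variable used in the first paragraph and will most likely render literally in the built book.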
@ -64,42 +64,13 @@ You must run the provisioning script available from the Keycloak distribution:
{% if book.product %} {% if book.product %}
You must copy and run this provisioning script: You must run this provisioning script:
[source,bash] [source]
----
$ .../bin/federation-sssd-setup.sh
---- ----
#!/bin/sh
# Setup for SSSD
SSSD_FILE="/etc/sssd/sssd.conf"
if [ -f "$SSSD_FILE" ];
then
sed -i '/ldap_tls_cacert/a ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber' $SSSD_FILE
sed -i 's/nss, sudo, pam/nss, sudo, pam, ifp/' $SSSD_FILE
sed -i '/\[ifp\]/a allowed_uids = root\nuser_attributes = +mail, +telephoneNumber, +givenname, +sn' $SSSD_FILE
systemctl restart sssd
else
echo "Please make sure you have $SSSD_FILE into your system! Aborting."
exit 1
fi
# Setup for PAM
PAM_FILE="/etc/pam.d/keycloak"
if [ ! -f "$PAM_FILE" ];
then
cat <<EOF > $PAM_FILE
auth required pam_sss.so
account required pam_sss.so
EOF
else
echo "$PAM_FILE already exists. Skipping it..."
exit 0
fi
----
{% endif %} {% endif %}
This script makes the necessary changes to `/etc/sssd/sssd.conf`: This script makes the necessary changes to `/etc/sssd/sssd.conf`:
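Review bot: removing the script body from the product build drops the only place a reader could see what `federation-sssd-setup.sh` does to `/etc/sssd/sssd.conf` and `/etc/pam.d/keycloak` before running it as root (the removed lines show it restarting sssd with `systemctl restart sssd`, appending `ldap_user_extra_attrs` after `ldap_tls_cacert`, enabling the `ifp` service and writing `allowed_uids = root` under `[ifp]`, then creating the PAM file with `auth required pam_sss.so` / `account required pam_sss.so`). The unchanged line after the hunk still promises "This script makes the necessary changes to `/etc/sssd/sssd.conf`:", so make sure that description lists every change the script applies, including the `[ifp]` `allowed_uids` setting and the `/etc/pam.d/keycloak` file it creates (and that it is skipped when the file already exists), so operators can audit the result. Two smaller points: the `.../bin/` placeholder in the new command should name the directory the script ships in, and the `[source,bash]` to `[source]` change loses shell highlighting for no stated reason.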