FreeIPA Migrate To IPA Domain
General Information
Migrate to an IPA domain: Sets up a client system with sssd and configures it to point to the IPA servers for authentication.
Checklist
- FreeIPA servers already installed/configured.
- User account with enroll and host admin permissions.
- For security purposes, this account should have no other permissions and should not be allowed to log in to any system.
The Script
Run on clients that are migrating to the IPA domain.
- ldap_migrate-to-ipa-domain.sh
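#!/bin/bash
# Name: ldap_migrate-to-ipa-domain.sh
# Description: Sets up a system with sssd and configures to point to IPA servers
# Last Updated: 11/23/2016
# Recent Changes:-Added new auto enroll method for ipa-client-install, sshd redeploy and restart
#                -Cron fix for EL6 (sssd client idle timeout)
###############################################################################################

##### Customize These Variables #####
# Domain Name
domain_name="example.com"

# IPA Servers
ipa_server1="ipaserver01.${domain_name}"
ipa_server2="ipaserver02.${domain_name}"

# User with permissions to enroll/admin hosts into realm
# For security purposes, this account should not be able to login to any systems
enroll_user="enrolladmin"

# Password of Enroll User.
# Prefer passing it in through the IPA_ENROLL_PW environment variable so the
# secret does not have to live in this file; the literal below is only the
# fallback used when the variable is unset or empty.
enroll_pw="${IPA_ENROLL_PW:-enroll-secret-here}"
##### End of Customize Variables #####

#### Functions Here: Main Starts After ####

#######################################
# Detect distro name and major version from the release files.
# Globals:  distro (written), major_version (written)
# Returns:  0; both globals stay unset if no known release file exists
#######################################
check_os_type() {
  if [[ -f /etc/system-release-cpe ]]; then
    # cpe:/o:<vendor>:<product>:<version>... -> field 3 is the vendor, field 5 the version
    distro=$(awk -F: '{printf "%s", $3}' /etc/system-release-cpe)
    major_version=$(awk -F: '{printf "%d", $5}' /etc/system-release-cpe)
  elif [[ -f /etc/redhat-release ]]; then
    # "<Name> release <X>.<Y> ..." -> first word is the name, third word the version
    distro=$(awk '{printf "%s", $1}' /etc/redhat-release)
    major_version=$(awk -F. '{print $1}' /etc/redhat-release | awk '{printf "%d", $3}')
  fi
}

#######################################
# Print the usage banner to stdout.
#######################################
show_usage() {
  echo -e "\n==== LDAP: Migrate to IPA Domain ===="
  echo -e "\nDescripton: Sets up a system with sssd and configures to point to IPA servers."
  echo -e "\n--Usage--"
  echo -e "-h => Display usage."
  echo -e "-i => Interactive Mode (Unattended is default)."
  echo -e "\n--Other Requirements--"
  echo -e "-> Hostname pre-added to the IPA servers for unattended mode (default mode)."
  echo -e "-> FreeIPA admin access for interactive mode."
  echo -e
}
#### End of Functions ####

#=======================
# Get Script Arguments
#=======================
# Reset POSIX variable in case it has been used previously in this shell
OPTIND=1

# Default Settings
interactive="no"

while getopts "hi" opt; do
  case "${opt}" in
    h)  # -h (help) argument
      show_usage
      exit 0
      ;;
    i)  # -i (interactive) argument
      interactive="yes"
      ;;
    *)  # invalid argument: a usage error must not look like success to the caller
      show_usage
      exit 2
      ;;
  esac
done

#==================
# Main Starts Here
#==================
# Pre-checks
check_os_type
if [[ -z "${major_version}" ]]; then
  # Every later step keys off the major version; stop before touching anything.
  echo ">>Unable to detect the OS major version from the release files. Exiting..." >&2
  exit 1
fi

#==============================================================
# Confirm running the script
#==============================================================
echo -e "======================================================"
echo -e "####======== LDAP: Migrate to IPA Domain =========####"
echo -e "======================================================"
echo
echo -e "Warning: This script will disable nscd/nslcd, install sssd, and set LDAP authentication to IPA servers."
echo -e "Detected Distro: ${distro} ${major_version}"
if [[ "${interactive}" == "no" ]]; then
  echo -e "Mode: Unattended"
else
  echo -e "Mode: Interactive"
fi
printf '\n=>Continue?[y/n]:'
read -r run_script
if [[ "${run_script}" != "y" ]]; then
  echo -e "\n>>Will not run the LDAP migration to sssd/ipa script. Exiting..."
  exit 1
fi

echo -e "\n>>Installing the ipa-client..."
# Abort here rather than go on to disable the existing LDAP auth without a working client.
if ! yum -y install ipa-client; then
  echo ">>Failed to install ipa-client. Exiting before changing authentication..." >&2
  exit 1
fi

echo -e "\n>>Configuring authentication..."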
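# Build the client FQDN once: strip an existing ".<domain>" suffix, lowercase
# the short name, then re-append the domain (a suffix match on the literal
# domain string, unlike a regex where '.' would match any character).
client_host=$(hostname)
client_host=${client_host%".${domain_name}"}
client_host=$(printf '%s' "${client_host}" | tr '[:upper:]' '[:lower:]')
client_fqdn="${client_host}.${domain_name}"

# Assemble the ipa-client-install arguments as an array so every value stays
# a single word regardless of its content.
ipa_args=(--domain="${domain_name}")
case "${major_version}" in
  "7")
    ipa_args+=(--server="${ipa_server1}" --server="${ipa_server2}" --mkhomedir --no-dns-sshfp --fixed-primary)
    ;;
  "6")
    # NOTE: server order is reversed relative to EL7/EL5 in the original; kept as-is.
    ipa_args+=(--server="${ipa_server2}" --server="${ipa_server1}" --mkhomedir --no-dns-sshfp --fixed-primary)
    ;;
  "5")
    ipa_args+=(--server="${ipa_server1}" --server="${ipa_server2}" --mkhomedir)
    ;;
  *)
    echo ">>Unsupported OS major version '${major_version}'. Exiting..." >&2
    exit 1
    ;;
esac
ipa_args+=(--hostname="${client_fqdn}" --no-ntp --force-join)

if [[ "${interactive}" == "no" ]]; then
  ## Unattended ##
  # The enrollment password is passed on the command line and is therefore
  # visible in the process list (and in any 'set -x' trace) for the duration
  # of the install; keep the enroll account limited to enrollment rights only.
  ipa_args+=(--principal "${enroll_user}" --password="${enroll_pw}" --unattended)
fi
## Interactive mode uses the same arguments without principal/password/unattended ##

# A failed enrollment must stop the script: the steps after this one disable
# nscd/nslcd and the existing LDAP auth, which would lock users out.
if ! ipa-client-install "${ipa_args[@]}"; then
  echo ">>ipa-client-install failed. Exiting before disabling existing authentication..." >&2
  exit 1
fi

echo -e "\n>>Disabling nscd/nslcd..."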
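# Stop and disable the legacy name-service caches; sssd replaces them.
case "${major_version}" in
  "7")
    systemctl stop nslcd nscd
    systemctl disable nslcd nscd
    ;;
  "6")
    service nslcd stop
    service nscd stop
    chkconfig nslcd off
    chkconfig nscd off
    ;;
  "5")
    service nscd stop
    chkconfig nscd off
    ;;
esac

echo -e "\n>>Disabling ldap identification,ldap auth, and force legacy (sssd used instead)..."
case "${major_version}" in
  "7"|"6")
    authconfig --disableldap --disableldapauth --disableforcelegacy --update
    ;;
  "5")
    # EL5 authconfig has no --disableforcelegacy
    authconfig --disableldap --disableldapauth --update
    ;;
esac

echo -e "\n>>Restarting sssd..."
case "${major_version}" in
  "7")
    systemctl restart sssd
    ;;
  "6"|"5")
    service sssd restart
    ;;
esac

echo -e "\n>>Starting and enabling oddjobd..."
case "${major_version}" in
  "7")
    systemctl start oddjobd
    systemctl enable oddjobd
    ;;
  "6"|"5")
    # oddjobd needs the message bus up first
    service messagebus start
    service oddjobd start
    chkconfig messagebus on
    chkconfig oddjobd on
    ;;
esac

if [[ "${major_version}" == "6" ]]; then
  echo -e "\n->Adding client idle timeout to sssd.conf (fix for EL6 cron bug)..."
  sssd_conf="/etc/sssd/sssd.conf"
  if [[ ! -f "${sssd_conf}" ]]; then
    echo "->${sssd_conf} not found, cannot apply client idle timeout fix" >&2
  elif grep -q client_idle_timeout "${sssd_conf}"; then
    echo -e "->Client idle timeout found in sssd.conf, will not append"
  else
    # Append only after the exact services line; if that line is absent the
    # sed is a no-op, so verify the result instead of assuming it applied.
    sed -i '/services = nss, sudo, pam, ssh/ a\client_idle_timeout=75' "${sssd_conf}"
    if ! grep -q client_idle_timeout "${sssd_conf}"; then
      echo "->Could not append client_idle_timeout (services line not found in ${sssd_conf})" >&2
    fi
    service sssd restart
    service crond restart
  fi
fi

echo -e "\n======================================================"
echo -e "####==== LDAP: Migrate to IPA Domain Complete ====####"
echo -e "======================================================"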