[[linux_wiki:freeipa_migrate_to_ipa_domain]]

FreeIPA Migrate To IPA Domain

General Information

Migrate to an IPA domain: Sets up a client system with sssd and configures it to point to the IPA servers for authentication.

Checklist

  • FreeIPA servers already installed/configured.
  • User account with enroll and host admin permissions.
    • For security purposes, this account should have no other permissions and not be allowed to login to any systems.

The Script

Run on clients that are migrating to the IPA domain.

ldap_migrate-to-ipa-domain.sh
#!/bin/bash
# Name: ldap_migrate-to-ipa-domain.sh
# Description: Sets up a system with sssd and configures to point to IPA servers
# Last Updated: 11/23/2016
# Recent Changes:-Added new auto enroll method for ipa-client-install, sshd redeploy and restart
#                -Cron fix for EL6 (sssd client idle timeout)
###############################################################################################
 
##### Customize These Variables #####
 
# Domain Name
domain_name="example.com"
 
# IPA Servers
ipa_server1="ipaserver01.${domain_name}"
ipa_server2="ipaserver02.${domain_name}"
 
# User with permissions to enroll/admin hosts into realm
# For security purposes, this account should not be able to login to any systems
enroll_user="enrolladmin"
 
# Password of Enroll User
enroll_pw="enroll-secret-here"
 
##### End of Customize Variables #####
 
#### Functions Here: Main Starts After ####
function check_os_type
{
  if [ -f /etc/system-release-cpe ];then
    distro=$(awk -F: '{printf "%s", $3}' /etc/system-release-cpe)
    major_version=$(awk -F: '{printf "%d", $5}' /etc/system-release-cpe)
  elif [ -f /etc/redhat-release ];then
    distro=$(awk '{printf "%s", $1}' /etc/redhat-release)
    major_version=$(awk -F. '{print $1}' /etc/redhat-release | awk '{printf "%d", $3}')
  fi
}
 
function show_usage
{
  echo -e "\n==== LDAP: Migrate to IPA Domain ===="
  echo -e "\nDescripton: Sets up a system with sssd and configures to point to IPA servers."
  echo -e "\n--Usage--"
  echo -e "-h                    => Display usage."
  echo -e "-i                    => Interactive Mode (Unattended is default)."
  echo -e "\n--Other Requirements--"
  echo -e "-> Hostname pre-added to the IPA servers for unattended mode (default mode)."
  echo -e "-> FreeIPA admin access for interactive mode."
  echo -e
}
 
#### End of Functions ####
 
#=======================
# Get Script Arguments
#=======================
# Reset POSIX variable in case it has been used previously in this shell
OPTIND=1
 
#Default Settings
interactive="no"
 
while getopts "hi" opt; do
  case "${opt}" in
    h) # -h (help) argument
      show_usage
      exit 0
    ;;
    i) # -i (interactive) argument
      interactive="yes"
    ;;
    *) # invalid argument
      show_usage
      exit 0
    ;;
  esac
done
 
#==================
# Main Starts Here
#==================
 
# Pre-checks
check_os_type
 
#==============================================================
# Confirm running the script
#==============================================================
echo -e "======================================================"
echo -e "####======== LDAP: Migrate to IPA Domain =========####"
echo -e "======================================================"
echo
echo -e "Warning: This script will disable nscd/nslcd, install sssd, and set LDAP authentication to IPA servers."
echo -e "Detected Distro: ${distro} ${major_version}"
if [[ ${interactive} == "no" ]]; then
  echo -e "Mode: Unattended"
else
  echo -e "Mode: Interactive"
fi
echo -e "\n=>Continue?[y/n]:\c"
read run_script
 
if [[ ${run_script} != "y" ]]; then
  echo -e "\n>>Will not run the LDAP migration to sssd/ipa script. Exiting..."
  exit 1
fi
 
echo -e "\n>>Installing the ipa-client..."
yum -y install ipa-client
 
echo -e "\n>>Configuring authentication..."
case ${major_version} in
  "7")
    if [[ ${interactive} == "no" ]]; then
      ## Unattended ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --principal ${enroll_user} --password=${enroll_pw} --unattended --force-join
    else
      ## Interactive ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --force-join
    fi
  ;;
  "6")
    if [[ ${interactive} == "no" ]]; then
      ## Unattended ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server2} --server=${ipa_server1} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --principal ${enroll_user} --password=${enroll_pw} --unattended --force-join
    else
      ## Interactive ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server2} --server=${ipa_server1} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --force-join
    fi
  ;;
  "5")
    if [[ ${interactive} == "no" ]]; then
      ## Unattended ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --principal ${enroll_user} --password=${enroll_pw} --unattended --force-join
    else
      ## Interactive ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --force-join
    fi
  ;;
esac
 
 
echo -e "\n>>Disabling nscd/nslcd..."
case ${major_version} in
  "7")
    systemctl stop nslcd nscd
    systemctl disable nslcd nscd
  ;;
  "6")
    service nslcd stop
    service nscd stop
    chkconfig nslcd off
    chkconfig nscd off
  ;;
  "5")
    service nscd stop
    chkconfig nscd off
  ;;
esac
 
echo -e "\n>>Disabling ldap identification,ldap auth, and force legacy (sssd used instead)..."
case ${major_version} in
  "7"|"6")
    authconfig --disableldap --disableldapauth --disableforcelegacy --update
  ;;
  "5")
    authconfig --disableldap --disableldapauth --update
  ;;
esac
 
echo -e "\n>>Restarting sssd..."
case ${major_version} in
  "7")
    systemctl restart sssd
  ;;
  "6"|"5")
    service sssd restart
  ;;
esac
 
echo -e "\n>>Starting and enabling oddjobd..."
case ${major_version} in
  "7")
    systemctl start oddjobd
    systemctl enable oddjobd
  ;;
  "6")
    service messagebus start
    service oddjobd start
    chkconfig messagebus on
    chkconfig oddjobd on
  ;;
  "5")
    service messagebus start
    service oddjobd start
    chkconfig messagebus on
    chkconfig oddjobd on
  ;;
esac
 
if [[ ${major_version} == "6" ]]; then
 
  echo -e "\n->Adding client idle timeout to sssd.conf (fix for EL6 cron bug)..."
  if [[ $(grep client_idle_timeout /etc/sssd/sssd.conf) ]]; then
    echo -e "->Client idle timeout found in sssd.conf, will not append"
  else
    sed -i '/services = nss, sudo, pam, ssh/ a\client_idle_timeout=75' /etc/sssd/sssd.conf
    service sssd restart
    service crond restart
  fi
 
fi
 
echo -e "\n======================================================"
echo -e "####==== LDAP: Migrate to IPA Domain Complete ====####"
echo -e "======================================================"

  • linux_wiki/freeipa_migrate_to_ipa_domain.txt
  • Last modified: 2019/05/26 03:50
  • (external edit)