Bug 1658287

Summary: ipa-advise command points to old URLs.
Product: Red Hat Enterprise Linux 8
Reporter: Thomas Woerner <twoerner>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Kaleem <ksiddiqu>
Severity: medium
Priority: unspecified
Version: 8.0
CC: abokovoy, ksiddiqu, mvarun, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: 8.0
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Clone Of: 1638545
Last Closed: 2019-06-14 01:19:23 UTC
Type: Bug
Bug Depends On: 1638545

Comment 2 Varun Mylaraiah 2019-01-10 12:31:49 UTC
Verified
ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64

Now ipa-advise command points to the working URL "https://pagure.io/authconfig/raw/master/f/cacertdir_rehash"

Console Output:
===============
 ipa-advise config-generic-linux-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# linux systems that do not include the authconfig utility.
# ----------------------------------------------------------------------
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages using your system's package manager. E.g:
apt-get -y install sssd curl openssl

# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://kvm-02-guest11.testrelm0901a.test/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then
 curl "https://pagure.io/authconfig/raw/master/f/cacertdir_rehash" -o cacertdir_rehash ;
 chmod 755 ./cacertdir_rehash ;
 ./cacertdir_rehash /etc/openldap/cacerts/ ;
else
 cacertdir_rehash /etc/openldap/cacerts/ ;
fi

# Configure ldap.conf. Set the value of TLS_CACERTDIR to
# /etc/openldap/cacerts. Make sure that the location of ldap.conf file
# matches your system's configuration.
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/ldap/ldap.conf

# Configure nsswitch.conf. Append sss to the lines beginning with passwd
# and group.
grep "^passwd.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^passwd/s|$| sss|' /etc/nsswitch.conf ; fi
grep "^group.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^group/s|$| sss|' /etc/nsswitch.conf ; fi

# Configure PAM. Configuring the PAM stack differs on particular
# distributions. The resulting PAM stack should look like this:
cat > /etc/pam.conf << EOF 
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

EOF

# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF 
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://kvm-02-guest11.testrelm0901a.test
ldap_search_base = cn=compat,dc=testrelm0901a,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt

EOF
chmod 0600 /etc/sssd/sssd.conf

# Start SSSD
service sssd start



Based on the above observation, marking the bug VERIFIED
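The fix above was verified by eye: the recipe now fetches cacertdir_rehash from a working URL. The following added helper (not part of this bug report or of FreeIPA's own code) makes that check repeatable for any ipa-advise recipe: it lists every URL the recipe tells the client to download from, singles out the ones served over plain http (the CA certificate fetch in the recipe above is one), and can optionally probe each URL for a live response. The function names and the constructed SAMPLE_RECIPE are assumptions for this example; the URLs in the sample are the two download lines from the output above.

```shell
#!/bin/sh
# Audit the download URLs in an ipa-advise recipe.
# Added example, not FreeIPA code. Functions read the recipe from the
# file(s) given as arguments, or from stdin when none are given.
#
# Usage (assuming this file is saved as audit-advise.sh and sourced):
#   ipa-advise config-generic-linux-sssd-before-1-9 | advise_dead_urls

# Every http(s) URL in the recipe, one per line, de-duplicated.
# The character class stops at whitespace, quotes and ';' so a quoted
# URL followed by ' ;' (as in the cacertdir_rehash line) is cut cleanly.
advise_urls() {
    grep -Eo 'https?://[^[:space:]"'"'"';]+' "$@" | sort -u
}

# Only the downloads that arrive over plain http, i.e. without transport
# authentication. An empty result is not an error.
advise_plain_http_urls() {
    advise_urls "$@" | grep '^http://' || true
}

# Live probe (needs network): print "<status> <url>" for each URL that
# does not answer a HEAD request with 2xx/3xx. 000 means no answer.
advise_dead_urls() {
    advise_urls "$@" | while IFS= read -r url; do
        code=$(curl -sS -o /dev/null -w '%{http_code}' -I \
                    --max-time 10 "$url" 2>/dev/null || echo 000)
        case "$code" in
            2*|3*) ;;
            *) printf '%s %s\n' "$code" "$url" ;;
        esac
    done
}

# Constructed sample: the two download lines from the recipe verified above.
SAMPLE_RECIPE='curl http://kvm-02-guest11.testrelm0901a.test/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt
curl "https://pagure.io/authconfig/raw/master/f/cacertdir_rehash" -o cacertdir_rehash ;'
```

Running `printf '%s\n' "$SAMPLE_RECIPE" | advise_plain_http_urls` on the sample reports only the ca.crt download; `advise_dead_urls` is the network check that confirms the fix for this bug.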