Bug 1072458

Summary: [RFE] SSSD configuration file test tool (sssd_check)
Product: Red Hat Enterprise Linux 7
Reporter: Mark Heslin 🎸 <mheslin>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.0
CC: grajaiya, jhrozek, lslebodn, mheslin, mkosek, mupadhye, pbrezina, prd-fedora, sbose, sgoveas
Target Milestone: rc
Keywords: FutureFeature
Target Release: 7.1
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: sssd-1.14.0-2.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 07:10:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1290382
Bug Blocks: 1292074, 1296125, 1313485

Description Mark Heslin 🎸 2014-03-04 15:46:55 UTC
Description of problem:

The sssd.conf file has many parameters and options but no clean, efficient way to check the file for correctness - typos, incorrect parameter contexts, leading spaces, etc. Some checking is done when sssd is started, but if problems are encountered the usual result is that sssd fails to start; any warnings and errors are logged but are not always useful.

Having a stand-alone utility "sssd_check" (similar to the testparm tool included with Samba) has the potential to save much troubleshooting time for all. This makes good business sense given the fact that SSSD is installed by default on RHEL, and its interest and use continues to grow.


Version-Release number of selected component (if applicable):
RHEL 6.5+, RHEL 7+

How reproducible:
n/a

Steps to Reproduce:
1. n/a
2.
3.

Actual results:
n/a

Expected results:
n/a

Additional info:

From a high level sssd_check could operate (similar to Samba testparm) as follows:

# sssd_check --help

Usage:  [OPTION...] <config_file> 
  -v, --verbose        Show default options
  -l, --skip-logic-checks         Skip the global checks
      --show-all-parameters       Show the parameters, type, possible values
      --parameter-name=STRING     Limit testparm to a named parameter
      --section-name=STRING       Limit testparm to a named section

Help options:
  -?, --help                      Show this help message
      --usage                     Display brief usage message

Common sssd options:
  -V, --version                   Print version

Common sssd debugging:
  -d, --debuglevel=DEBUGLEVEL     Set debug level

Common sssd commandline config:
      --option=name=value         Set sssd.conf option from command line


Notes:
 1. If no config_file is specified then the default /etc/sssd/sssd.conf is used
 2. Comments are stripped out of the output


Using the following file as an example:

[sssd]
config_file_version = 2
debug_level = 0 
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

# Uncomment/adjust as needed if IMU is not used:
#override_homedir = /home/%d/%u
#default_shell = /bin/bash

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad

# Permits offline logins:
# cache_credentials = true

# Use when service discovery not working:
# ad_server = win-srv1.refarch-ad.cloud.lab.eng.bos.redhat.com

# Enables use of POSIX UID's and GID's:
ldap_id_mapping = false

The examples below demonstrate its usage and output.

----------------------------
Example 1 - display version:
----------------------------

# check_sssd --version
Version 1.2.3-456.el6.5

-------------------------------
Example 2 - check on good file:
-------------------------------

# check_sssd
Loading sssd config file from /etc/sssd/sssd.conf
Loaded file OK.
Server role: DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[sssd]
config_file_version = 2
debug_level = 0 
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad

ldap_id_mapping = false

---------------------------------------------------------------------
Example 3 - check on non-default file with bad parameter (foo = bar):
---------------------------------------------------------------------

# check_sssd -f  /etc/sssd/sssd.conf.bad
Loading sssd config file from /etc/sssd/sssd.conf.bad
Unknown parameter encountered: "foo"
Ignoring unknown parameter "foo"
Loaded file OK.
Server role: DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[sssd]
config_file_version = 2
debug_level = 0 
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad

ldap_id_mapping = false

Comment 2 Jakub Hrozek 2014-03-05 08:51:30 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2269

Comment 3 Jakub Hrozek 2014-03-06 20:06:04 UTC
Moving to 7.1 for now as discussed on the SSSD meeting.

Comment 4 Mark Heslin 🎸 2014-09-08 18:22:28 UTC
Hi Jakub,

I just wanted to check in and find out what the status is for this - is it still targeted to RHEL 7.1? 

I've had several customers with munged configuration files recently which reminded me to reach out for an update.

Thanks,

-m

Comment 5 Jakub Hrozek 2014-09-09 09:02:04 UTC
(In reply to Mark Heslin from comment #4)
> Hi Jakub,
> 
> I just wanted to check in and find out what the status is for this - is it
> still targeted to RHEL 7.1? 
> 
> I've had several customers with munged configuration files recently which
> reminded me to reach out for an update.
> 
> Thanks,
> 
> -m

No it's not, sorry. Currently it's 7.2 at the earliest.

It would be helpful if you could link the customer cases to the BZ so we know how many customers request the feature and plan accordingly.

Comment 6 Lukas Slebodnik 2016-07-07 13:24:11 UTC
master:
* e088912418fd4db750f2097dfde8ef9b77303f05
* 199984c7972272f8162a356cda139c22f6f08556

Comment 12 Madhuri 2016-09-06 09:44:47 UTC
Tested with sssd-1.14.0-27.el7.x86_64

Steps followed during verification:
1) Install the sssd-tools package.
2) Create the sssd.conf.
3) Run sssctl config-check.

config-check detects typos in option name (not value), typos in section name and misplaced options.
Additionally the config-check also reports when something unexpected happens during configuration merging but does not check which option is missing.

-------------------------------------------------------------
sssd.conf without any typos in option name and section name
-------------------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0

-------------------------------------------------
sssd.conf with typos in option name
-------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'search_base' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0

------------------------------------------------
sssd.conf with typos in section name
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
(Fri Sep  2 11:40:43:603218 2016) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [LDAP]
(Fri Sep  2 11:40:43:603339 2016) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [LDAP], skipping!
(Fri Sep  2 11:40:43:603361 2016) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
------------------------------------------------
sssd.conf with misplaced option
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
services = nss, pam
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server sssd]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'services' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0
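
Neither the sssd_check mock-up in the description nor the sssctl config-check output in comment 12 shows what such a checker does internally. The following is an added example, not SSSD's sssctl code and not posted by anyone in this bug: a small Python checker that applies the rules comment 12 exercised (leading whitespace, an unknown or misplaced option, and a section-name typo that leaves a declared domain without a [domain/NAME] section). The option allow-lists are a hypothetical subset of sssd.conf(5), the two embedded config files are constructed test inputs, and the "[rule/...]" labels imitate sssctl's wording rather than its implementation.

```python
"""Illustrative sssd.conf checker (example code, not sssctl or any SSSD source)."""
import re
import sys

# Hypothetical allow-lists: a small subset of what sssd.conf(5) permits per section
# type, just enough for the files in this bug. A real validator loads the full schema.
ALLOWED = {
    "sssd": {"config_file_version", "services", "domains", "debug_level",
             "override_homedir", "default_shell", "reconnection_retries"},
    "domain": {"id_provider", "auth_provider", "access_provider", "chpass_provider",
               "ldap_uri", "ldap_search_base", "ldap_tls_cacert", "ldap_id_mapping",
               "ad_server", "ad_domain", "cache_credentials", "enumerate", "debug_level"},
    "service": {"debug_level", "filter_users", "filter_groups",
                "offline_credentials_expiration"},
}
SERVICE_SECTIONS = {"nss", "pam", "sudo", "autofs", "ssh", "pac", "ifp"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
OPTION_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_conf(text):
    """Parse INI-style text into {section: {key: value}} plus a list of syntax issues."""
    sections, issues, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        # sssd's parser does not accept indented lines; report, then keep parsing.
        if raw[:1] in (" ", "\t") and raw.strip():
            issues.append(f"line {lineno}: leading whitespace before {raw.strip()!r}")
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            if current in sections:
                issues.append(f"line {lineno}: duplicate section [{current}]")
            sections.setdefault(current, {})
            continue
        m = OPTION_RE.match(line)
        if not m:
            issues.append(f"line {lineno}: not a 'key = value' line: {line!r}")
            continue
        if current is None:
            issues.append(f"line {lineno}: option '{m.group(1)}' appears before any section header")
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in sections[current]:
            issues.append(f"line {lineno}: duplicate option '{key}' in [{current}]")
        sections[current][key] = value
    return sections, issues


def check_sssd_conf(text):
    """Return a list of human-readable issues; an empty list means the file passed."""
    sections, issues = parse_conf(text)
    if "sssd" not in sections:
        return issues + ["[rule/allowed_sections]: mandatory section [sssd] is missing"]
    declared = [d.strip() for d in sections["sssd"].get("domains", "").split(",") if d.strip()]
    if not declared:
        issues.append("[sssd]: 'domains' is empty or missing, so no domain would be started")
    # A typo in a section header leaves the declared domain without a section; this is
    # what produced the "Unknown domain [LDAP]" fatal error in the verification run.
    for d in declared:
        if f"domain/{d}" not in sections:
            issues.append(f"[sssd]: domains lists '{d}' but there is no [domain/{d}] section")
    for name, opts in sections.items():
        if name == "sssd":
            kind, allowed = "sssd", ALLOWED["sssd"]
        elif name.startswith("domain/"):
            kind, allowed = "domain", ALLOWED["domain"]
            if name.split("/")[1] not in declared:
                issues.append(f"section [{name}] is not listed in [sssd] domains and would be ignored")
            if "id_provider" not in opts:
                issues.append(f"[{name}]: mandatory option 'id_provider' is missing")
        elif name in SERVICE_SECTIONS:
            kind, allowed = name, ALLOWED["service"]
        else:
            issues.append(f"[rule/allowed_sections]: section [{name}] is not allowed; check for typos")
            continue
        for key in opts:  # catches both typos (search_base) and misplaced options (services)
            if key not in allowed:
                issues.append(f"[rule/allowed_{kind}_options]: attribute '{key}' is not allowed "
                              f"in section '{name}'; check for typos")
    return issues


# Constructed sample inputs: the clean file from the verification run, and one that
# combines a section typo, a misplaced option, an option typo and an indented line.
GOOD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10
"""
BAD_CONF = """\
[sssd]
config_file_version = 2
domains = LDAP

[domain/LAP]
services = nss, pam
search_base = dc=example,dc=com
id_provider = ldap
 auth_provider = ldap
ldap_uri = ldaps://server.example.com
"""


def main(argv):
    """Check the file named on the command line, or the embedded samples if none is given."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            samples = {argv[1]: fh.read()}
    else:
        samples = {"GOOD_CONF": GOOD_CONF, "BAD_CONF": BAD_CONF}
    worst = 0
    for label, text in samples.items():
        issues = check_sssd_conf(text)
        print(f"{label}: issues identified by validators: {len(issues)}")
        for issue in issues:
            print("  " + issue)
        worst = max(worst, len(issues))
    return 1 if worst else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it checks the two embedded samples; with a path it checks that file and exits non-zero when anything is reported, which is the behaviour the original request asked for (a testparm-style pre-flight check rather than a failed sssd start). As in comment 12, only option and section names are validated, not values.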

Comment 14 errata-xmlrpc 2016-11-04 07:10:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html