Bug 1353973

Summary: ipa-client-install should overwrite existing sssd.conf
Product: Red Hat Enterprise Linux 8
Reporter: Luc de Louw <ldelouw>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: pasik, pcech, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-08-18 12:37:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Luc de Louw 2016-07-08 14:53:17 UTC
Description of problem:
When running ipa-client-install, /etc/sssd/sssd.conf is appended instead of overwritten.

As a result, old authentication methods are still working on an IPA-enrolled server. Usually this is not a wishful behaviour.


Version-Release number of selected component (if applicable):
4.2

How reproducible:
Always

Steps to Reproduce:
1. Configure sssd.conf to i.e. authenticate with LDAP
2. Run ipa-client-install
3. Find /etc/sssd/sssd.conf allowing both the old and new authentication method.

Actual results:
IPA users and users from the former authentication method (i.e. LDAP) can log in

Expected results:
Only IPA users should be able to log in


Additional info:

There are valid situations where two or more authentication methods should be possible. Adding a switch to ipa-client-install such as --overwrite-sssd-config would be a nice option.

The same configuration issue is with /etc/openldap/ldap.conf, see BZ #1353969
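
A read-only check for the state this report describes, added here as an example (it is not part of the bug report and not code from ipa-client-install): it lists the enabled sssd.conf domains that still authenticate through a provider other than ipa. The sample configuration, host names and the function name are constructed for illustration, and only a single file's text is inspected.

```python
import configparser

# Constructed sample: an LDAP domain configured before enrollment that is
# still enabled next to the IPA domain, as in "Steps to Reproduce".
SAMPLE = """\
[sssd]
services = nss, pam
domains = legacy-ldap, ipa.example.test

[domain/legacy-ldap]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.test
override_homedir = /home/%u

[domain/ipa.example.test]
id_provider = ipa
ipa_server = _srv_, ipa1.ipa.example.test

[domain/old-disabled]
id_provider = ldap
"""

def non_ipa_domains(conf_text):
    """Return [(domain, id_provider, auth_provider)] for every enabled
    domain that does not identify and authenticate through 'ipa'."""
    # interpolation=None: sssd values such as /home/%u are literal text
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    findings = []
    for name in enabled:  # sections not listed in 'domains' are inactive
        section = "domain/" + name
        if not cp.has_section(section):
            continue
        id_p = cp.get(section, "id_provider", fallback="")
        # sssd falls back to id_provider when auth_provider is unset
        auth_p = cp.get(section, "auth_provider", fallback=id_p)
        if id_p != "ipa" or auth_p != "ipa":
            findings.append((name, id_p, auth_p))
    return findings

if __name__ == "__main__":
    for name, id_p, auth_p in non_ipa_domains(SAMPLE):
        print(f"enabled non-IPA domain {name}: id={id_p} auth={auth_p}")
```

Run against the real file after enrollment, an empty result means only IPA-backed domains are enabled; any entry is a login path that predates the enrollment.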

Comment 2 Petr Vobornik 2016-07-12 15:57:01 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6063

Comment 3 Petr Vobornik 2016-07-12 15:58:49 UTC
Was cloned upstream to the Future release milestone. This behavior is undefined in IPA and therefore it will need a design page.

A suggestion from Jan Pazdiora:
"""
Could we check that the content of the file is the rpm-default/vanilla, not touched yet, and overwrite if the file was not touched yet but not overwrite if it was somehow modified by the admin?
"""

Comment 7 Petr Čech 2020-08-18 12:37:15 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. It was unfortunately not given priority Red Hat Enterprise Linux.
Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.
To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about its importance to you.