Bug 1571526

Summary: SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.
Product: Red Hat Enterprise Linux 7 Reporter: Thorsten Scherf <tscherf>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: sssd-qe <sssd-qe>
Severity: low Docs Contact:
Priority: low    
Version: 7.5CC: fidencio, grajaiya, jhrozek, knakai, lslebodn, mkosek, mniranja, mzidek, pbrezina, sgoveas, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.16.2-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:42:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Thorsten Scherf 2018-04-25 05:08:52 UTC 
Description of problem:
SSSD with the AD provider sets 'ldap_schema' to 'ad', but it does not forbid or warn users from manually changing the schema to something different like 'rfc2307'. This may result in some unwanted effects where pure RfC2307 based objects stored in AD can not be resolved successfully.  

The ask here is to give a warning in the log files when 'id_provider' is set to 'ad' but 'ldap_schema' is set to something different than 'ad'. An additional note in sssd-ad man page would also help to avoid such problems.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 3 Jakub Hrozek 2018-04-30 13:32:34 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3726
Comment 4 Fabiano FidĂȘncio 2018-05-03 20:08:55 UTC 
master:
3cff2c5
Comment 7 Niranjan Mallapadi Raghavender 2018-07-15 06:16:39 UTC 
1. Versions:

Configure sssd.conf as below:
[sssd]
domains = juno.test
config_file_version = 2
services = nss, pam

[domain/juno.test]
ad_domain = juno.test
krb5_realm = JUNO.TEST
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
ldap_schema = rfc2307
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 9

2. Restart sssd 

3. Following log message is shown in log_<ad-domain>.log


(Sun Jul 15 02:14:17 2018) [sssd[be[juno.test]]] [ad_set_sdap_options] (0x0040): The AD provider only supports the AD LDAP schema. SSSD will ignore the ldap_schema option value and proceed with ldap_schema=ad
Comment 9 errata-xmlrpc 2018-10-30 10:42:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3158