Bug 1677994

Summary: sssd config-check reports an error for a valid configuration option
Product: Red Hat Enterprise Linux 8
Component: sssd
Version: 8.0
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Thorsten Scherf <tscherf>
Assignee: SSSD Maintainers <sssd-maint>
QA Contact: Madhuri <mupadhye>
CC: dbula, grajaiya, jhrozek, lslebodn, mupadhye, mzidek, pbrezina, sgoveas, tscherf
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-2.1.0-1.el8
Last Closed: 2019-11-05 22:34:01 UTC
Type: Bug
Bug Depends On: 1682305

Description Thorsten Scherf 2019-02-17 12:50:49 UTC
Description of problem:
sssctl reports a false-positive error.

# rpm -q sssd
sssd-2.0.0-43.el8.x86_64

# grep ldap_host /etc/sssd/sssd.conf
ldap_host_object_class = ipService

# systemctl restart sssd 
# systemctl status sssd > /dev/null && echo $?
0

So the service starts ok, but the config-check fails:

# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'ldap_host_object_class' is not allowed in section 'domain/LDAP'. Check for typos.                           

There is also an error in sssd.log:
# tail -1 /var/log/sssd/sssd.log
(Sun Feb 17 07:35:23:363299 2019) [sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ldap_host_object_class' is not allowed in section 'domain/LDAP'. Check for typos.

It doesn't matter if the option is used in 'domain' or 'sssd' section. An error is shown in both cases.

Messages generated during configuration merging: 0

Used configuration snippet files: 0


Version-Release number of selected component (if applicable):
sssd-2.0.0-43.el8.x86_64 
I can verify the same issue also on RHEL7 with sssd-1.16.2-13.el7_6.5.x86_64.

How reproducible:
always

Steps to Reproduce:
1. create a sssd ldap domain
2. add any 'ldap_host_*' config directives to the domain
3.

Actual results:
sssctl reports a configuration error

Expected results:
config check passes without an error.

Additional info:

Comment 2 Jakub Hrozek 2019-02-18 20:33:31 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3961

Comment 3 Jakub Hrozek 2019-02-20 20:52:26 UTC
Upstream fixes:
  master: 85e3630
  sssd-1-16: 5e70cf5

Comment 5 Madhuri 2019-08-22 06:05:31 UTC
Verified with
sssd-2.2.0-11.el8


Verified with the following code snippet:

case 1:

ldap_host_object_class option in domain section,


    @pytest.mark.tier1
    def test_0023_checkldaphostobjectdomain(self, multihost, backupsssdconf):
        """
        @Title: IDM-SSSD-TC: Configuration validation: Check
        ldap_host_object_class option in domain section
        """
        section = "domain/%s" % ds_instance_name
        tools = sssdTools(multihost.client[0])
        domain_params = {'ldap_host_object_class': 'ipService'}
        tools.sssd_conf(section, domain_params)
        multihost.client[0].service_sssd('restart')
        sssctl_cmd = 'sssctl config-check'
        cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
        assert cmd.returncode == 0


case 2:

ldap_host_object_class option in sssd section,

    @pytest.mark.tier1
    def test_0024_checkldaphostobjectsssd(self, multihost, backupsssdconf):
        """
        @Title: IDM-SSSD-TC: Configuration validation: Check
        ldap_host_object_class option in sssd section
        """
        section = "sssd"
        tools = sssdTools(multihost.client[0])
        sssd_params = {'ldap_host_object_class': 'ipService'}
        tools.sssd_conf(section, sssd_params)
        multihost.client[0].service_sssd('restart')
        sssctl_cmd = 'sssctl config-check'
        cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
        assert cmd.returncode == 1
        log = re.compile(r".Attribute\s.ldap_host_object_class.\sis\snot\s"
                         r"allowed\sin\ssection\s.sssd.*")
        assert log.search(cmd.stdout_text)


Both test cases are passing
Thus marking this as verified.
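
The behaviour reported in the description and checked in Comment 5 can be modelled as a per-section allow-list check. This is an added example, not SSSD code or part of the original report: the rule name `rule/allowed_sssd_options`, the option sets, and the sample configuration are assumptions made for illustration, and only the message format and `rule/allowed_domain_options` come from the output quoted above.

```python
import configparser
import re

# Allow-lists are illustrative assumptions, not SSSD's shipped validator rules.
SSSD_OPTIONS = {"domains", "services", "config_file_version"}
DOMAIN_BEFORE_FIX = {"id_provider", "ldap_uri", "ldap_search_base"}
DOMAIN_AFTER_FIX = DOMAIN_BEFORE_FIX | {"ldap_host_object_class"}


def make_rules(domain_options):
    """Each rule: (name, regex selecting sections, options allowed there)."""
    return [
        ("rule/allowed_sssd_options", re.compile(r"^sssd$"), SSSD_OPTIONS),
        ("rule/allowed_domain_options", re.compile(r"^domain/[^/@]+$"),
         set(domain_options)),
    ]


def config_check(conf_text, rules):
    """Return one message per option that its section's rule does not list."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    issues = []
    for section in parser.sections():
        for name, section_re, allowed in rules:
            if not section_re.match(section):
                continue
            for option in parser[section]:
                if option not in allowed:
                    issues.append(
                        f"[{name}]: Attribute '{option}' is not allowed in "
                        f"section '{section}'. Check for typos.")
    return issues


def sample_conf(in_sssd_section=False):
    """Constructed sssd.conf text; hostname and values are placeholders."""
    host_opt = "ldap_host_object_class = ipService\n"
    return ("[sssd]\ndomains = LDAP\nservices = nss, pam\n"
            + (host_opt if in_sssd_section else "")
            + "\n[domain/LDAP]\nid_provider = ldap\n"
            + "ldap_uri = ldap://ldap.example.test\n"
            + ("" if in_sssd_section else host_opt))


if __name__ == "__main__":
    for label, rules in (("before fix", make_rules(DOMAIN_BEFORE_FIX)),
                         ("after fix", make_rules(DOMAIN_AFTER_FIX))):
        print(label, config_check(sample_conf(), rules))
    print("in [sssd]", config_check(sample_conf(True), make_rules(DOMAIN_AFTER_FIX)))
```

An allow-list that lags behind the options the daemon actually accepts produces exactly this kind of false positive, while the same option placed in `[sssd]` is still rejected after the list is corrected, matching the two test cases above.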

Comment 8 errata-xmlrpc 2019-11-05 22:34:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3651