Bug 1884196
Field | Value
---|---
Summary: | [RFE] Add "enabled" option to domain section in config file
Product: | Red Hat Enterprise Linux 8
Reporter: | Alexey Tikhonov <atikhono>
Component: | sssd
Assignee: | Pavel Březina <pbrezina>
Status: | CLOSED ERRATA
QA Contact: | Madhuri <mupadhye>
Severity: | unspecified
Docs Contact: | lmcgarry
Priority: | unspecified
Version: | 8.3
CC: | dlavu, grajaiya, jhrozek, lmanasko, lslebodn, mupadhye, mzidek, pbrezina, sbose, sgoveas, sssd-qe, thalman, tscherf
Target Milestone: | rc
Keywords: | FutureFeature
Target Release: | ---
Hardware: | Unspecified
OS: | Unspecified
Whiteboard: | sync-to-jira qetodo
Fixed In Version: | sssd-2.4.0-1.el8
Doc Type: | Enhancement
Story Points: | ---
Last Closed: | 2021-05-18 15:03:57 UTC
Type: | Enhancement
Regression: | ---
Mount Type: | ---
Documentation: | ---
Category: | ---
oVirt Team: | ---
Cloudforms Team: | ---
Bug Depends On: | 1881992

Doc Text:

Enabling or disabling SSSD domains within the [domain] section of the sssd.conf file

With this update, you can enable or disable an SSSD domain from its own `[domain]` section in the `sssd.conf` file. Previously, even when a domain was configured in a standalone section (such as a snippet file under `/etc/sssd/conf.d/`), switching it on or off still required editing the `domains` option in the `[sssd]` section of `sssd.conf`. This update adds an `enabled=` option to the domain section that takes the value true or false:

* Setting `enabled` to true enables the domain, even if it is not listed under the `domains` option in the `[sssd]` section.
* Setting `enabled` to false disables the domain, even if it is listed under the `domains` option in the `[sssd]` section.
* If `enabled` is not set, the `domains` option in the `[sssd]` section decides whether the domain is enabled.
Description
Alexey Tikhonov
2020-10-01 10:31:15 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5213
* `master`
  * ff8d7b8f0dca57d04ed4157bc60ad3dd3a0eda4f - config: [RFE] Add "enabled" option to domain section

Pushed PR: https://github.com/SSSD/sssd/pull/5270
* `master`
  * fbc7082149ccc6ee4fe077480a5d692a86e75c79 - CONFDB: fixed bug in confdb_get_domain_enabled()
  * 83ae34509c6587568cb5164ff04d2af04da94c01 - CONFDB: fixed compilation warning

Verified with:

```
# rpm -qa sssd
sssd-2.4.0-2.el8.x86_64
```

case 1: with two domains, in one enabled = true, for the other enabled = false

sssd snippet:

```ini
[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains = ldap1, ldap2

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_uid = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = false
```

Check user lookups:

```
[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2
```

User lookup is failing for ldap2 as enabled is false for the ldap2 domain.

case 2: add enabled in both the ldap1 and ldap2 domains, but in the sssd section define domains = ldap1 only

sssd snippet:

```ini
[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains = ldap1

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_uid = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true
```

Check user lookup:

```
[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
quser1@ldap2:*:3001:3001:quser1 User:/home/quser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2
quser2@ldap2:*:3002:3002:quser2 User:/home/quser2:/bin/bash
```

User lookups are successful from both domains.

case 3: with a snippet file, not defining any domains in the sssd section of the sssd.conf file

Create the snippet file:

```
[root@ci-vm-10-0-98-105 ~]# cat /etc/sssd/conf.d/01snippet.conf
[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_id = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[root@ci-vm-10-0-99-15 ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 1
/etc/sssd/conf.d/01snippet.conf
```

sssd snippet:

```ini
[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains =

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true
```

Check user lookup:

```
[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
quser1@ldap2:*:3001:3001:quser1 User:/home/quser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2
quser2@ldap2:*:3002:3002:quser2 User:/home/quser2:/bin/bash
```

User lookups are successful from both domains.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666
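The three verification cases above show a consequence that matters when reviewing an SSSD host: because a `[domain]` section can now switch itself on, the `domains` list in `[sssd]` alone no longer tells you which domains are active (case 3 enables ldap2 purely from a snippet under `/etc/sssd/conf.d/` while `domains =` is empty). The following is an added example, not code from the SSSD project or from this bug, that applies the three precedence rules from the Doc Text to a merged configuration and reports each domain's effective state. Assumptions, labelled in the code: snippets are merged over `sssd.conf` in sorted filename order with later values winning; `[domain/parent/child]` sections are trusted-subdomain sections rather than top-level domains; and the ownership and permission checks SSSD applies to snippet files are not reproduced. The sample configurations are constructed to mirror case 1 and case 3.

```python
# Added example, not SSSD project code: work out which SSSD domains are
# active once the per-domain "enabled" option is applied on top of the
# "domains" list in [sssd], with /etc/sssd/conf.d/*.conf snippets merged
# over sssd.conf. Assumptions: snippets are merged in sorted filename order
# with later values winning, [domain/parent/child] sections are trusted
# subdomains rather than top-level domains, and SSSD's ownership/permission
# checks on snippet files are not reproduced here.
import configparser
import glob
import os
from typing import Dict, List

# Constructed samples mirroring case 1 and case 3 of the verification above.
CASE1_MAIN = """
[sssd]
services = pam, nss
domains = ldap1, ldap2

[domain/ldap1]
id_provider = ldap
enabled = true

[domain/ldap2]
id_provider = ldap
enabled = false
"""

CASE3_MAIN = """
[sssd]
services = pam, nss
domains =

[domain/ldap1]
id_provider = ldap
enabled = true
"""

CASE3_SNIPPET = """
[domain/ldap2]
id_provider = ldap
enabled = true
"""


def parse_bool(value: str) -> bool:
    """SSSD boolean options accept only 'true' or 'false' (case-insensitive)."""
    v = value.strip().lower()
    if v == "true":
        return True
    if v == "false":
        return False
    raise ValueError(f"not a valid SSSD boolean: {value!r}")


def merge_sources(sources: List[str]) -> configparser.ConfigParser:
    """Merge configuration texts in order; a later source overrides earlier keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep option names exactly as written
    for text in sources:
        cp.read_string(text)
    return cp


def load_from_disk(main_path: str = "/etc/sssd/sssd.conf",
                   confd: str = "/etc/sssd/conf.d") -> configparser.ConfigParser:
    """Read sssd.conf, then conf.d/*.conf in sorted order (assumed merge order)."""
    paths = [main_path] + sorted(glob.glob(os.path.join(confd, "*.conf")))
    texts = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            texts.append(fh.read())
    return merge_sources(texts)


def domain_status(cp: configparser.ConfigParser) -> Dict[str, str]:
    """Classify each top-level [domain/NAME]: enabled-by-option or
    disabled-by-option when 'enabled' is set; listed or unlisted (per the
    [sssd] domains option) when it is not."""
    listed_raw = cp.get("sssd", "domains", fallback="")
    listed = [d.strip() for d in listed_raw.split(",") if d.strip()]
    status: Dict[str, str] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        if "/" in name:  # [domain/parent/child] configures a trusted subdomain
            continue
        raw = cp.get(section, "enabled", fallback=None)
        if raw is not None:
            status[name] = "enabled-by-option" if parse_bool(raw) else "disabled-by-option"
        else:
            status[name] = "listed" if name in listed else "unlisted"
    for name in listed:
        # Named in [sssd] domains but without a section: flag it for review.
        status.setdefault(name, "listed-without-section")
    return status


def enabled_domains(status: Dict[str, str]) -> List[str]:
    """Domains SSSD will serve; lookup order is not modelled, so the list is sorted."""
    return sorted(n for n, s in status.items() if s in ("enabled-by-option", "listed"))


if __name__ == "__main__":
    try:
        cfg = load_from_disk()
    except OSError:
        cfg = merge_sources([CASE3_MAIN, CASE3_SNIPPET])  # offline demo
    for name, state in sorted(domain_status(cfg).items()):
        print(f"{name:20s} {state}")
```

Run as root on a host to get one line per domain with the reason it is on or off. Two review habits follow from the bug: audit `/etc/sssd/conf.d/*.conf` together with `sssd.conf`, since a snippet can add and enable a domain on its own, and use the "Used configuration snippet files" list printed by `sssctl config-check` (visible in case 3) to confirm which snippets SSSD actually merged.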