Bug 708119

Summary: [RFE] sssd - request for better documentation.
Product: Red Hat Enterprise Linux 6 Reporter: Kevin Toyama <ktoyama>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED NOTABUG QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.2CC: benl, dpal, grajaiya, jgalipea, prc
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-26 21:32:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Kevin Toyama 2011-05-26 19:15:31 UTC 
Description of problem:
Customer has been trying to implement sssd with LDAP trees.  Documentation for search, user, group bases has been a struggle since some options are poorly documented or hard to find both in doc.redhat.com and man pages.

Version-Release number of selected component (if applicable):
sssd-1.2.1-28.el6_0.4.x86_64

How reproducible:
always

Steps to Reproduce:
1. read the documentation.
2.
3.
  
Actual results:
hard to configure

Expected results:
easy to understand how to configure.

Additional info:

customer's notes & comments.

==================================================================
There is no man page for pam_ldap.conf at all.   I suspect it has its
own form but it appears pretty much like ldap.conf or nslcd.conf.  The file 
/etc/pam_ldap.conf is mentioned in several places, e.g.

http://rpmfind.net/linux/RPM/fedora/14/i386/pam_ldap-185-5.fc14.i686.html

* Fri Jan 08 2010 Nalin Dahyabhai <nalin> 185-1
  - split out pam_ldap as a separate source package, update URL, change
    %{version} to reflect pam_ldap's versioning rather than nss_ldap's
  - set config file to /etc/pam_ldap.conf, rootbindpw file 
/etc/pam_ldap.secret


and in our experiments we needed it to make pam-ldap work when using 
nonstandard ldap port.


It is particulary critical when using non-standard ldap ports (389,
636). It does not appear that pam_ldap.conf is auto configured by any
utility.  Therefore it must be correct with at a minimun, the URI value and 
they must match that of the sssd.conf or nslcd.conf URI values.   

We have found that if the sssd.conf or nslcd.conf files use a
non-standard ldap port and the pam_ldap.conf file uses the same ldap server ip 
address but uses a standard port, i.e. one that differs from either sssd.conf 
or nslcd.conf, then user authentication for ssh and telnet, and perhap other 
utilities will not authenticate.   The result is that pam_ldap sends it's data 
on the standard ldap port ( the one configured in the URI line of the 
pam_ldap.conf file) and each transmission to the ldap server is rejected with 
a RST.

If pam_ldap was modified to look for and use values in nslcd.conf or
sssd.conf, it would avoid this confusion. 



Specific to sssd.conf:

sssd-ldap:

ldap_user_search_base   
   Explain the use of this value when multiple values are declared and
the 
   most unusual syntax of seperating the keyword from the first value
with a comma.
   
   example:
   ldap_user_search_base, ou =
ldapusers3,dc=osn,dc=cxo,dc=cpqcorp,dc=net,   
ou=ldapusers2,dc=osn,dc=cxo,dc=cpqcorp,dc=net,
ou=ldapusers1,dc=osn,dc=cxo,dc=cpqcorp,dc=net


ldap_group_search_base
   If the syntax is similar to that of the ldap_user_search_base then a
similar
   modification needs to be made.


We have yet to determine the full extent of the anamoly of ldap
specific values that are ignored unless they are specifically placed in the
[domain/LDAP] section.

This is particularly important when sssd.conf is generated from the
output of authconfig in which new values are place in the [domain/default]
section.

Some ldap values are accepted in the default domain section and others
are ignored. 
The values for ldap_user_search_base is ignored in the default domain
section but accepted in the LDAP domain section.


There is little to no syntax checking by sssd on startup.   It would be
very helpful if syntax was checked and flagged if found to be unacceptable.
Comment 2 Stephen Gallagher 2011-05-26 20:44:03 UTC 
(In reply to comment #0)
> There is no man page for pam_ldap.conf at all.   I suspect it has its
> own form but it appears pretty much like ldap.conf or nslcd.conf.  The file 
> /etc/pam_ldap.conf is mentioned in several places, e.g.
> 

pam_ldap has nothing to do with SSSD. They are mutually-exclusive. SSSD provides its own internal LDAP authentication mechanism (via authenticated LDAP bind).

> 
> ldap_user_search_base   
>    Explain the use of this value when multiple values are declared and
> the 
>    most unusual syntax of seperating the keyword from the first value
> with a comma.
> 
>    example:
>    ldap_user_search_base, ou =
> ldapusers3,dc=osn,dc=cxo,dc=cpqcorp,dc=net,   
> ou=ldapusers2,dc=osn,dc=cxo,dc=cpqcorp,dc=net,
> ou=ldapusers1,dc=osn,dc=cxo,dc=cpqcorp,dc=net

This option is not multi-valued. Currently, SSSD does not support multiple search bases. The upstream bug https://fedorahosted.org/sssd/ticket/868 is tracking this issue.

Also, I don't know where you got that example, but it's completely wrong. All attributes in sssd.conf are
name = value

> 
> ldap_group_search_base
>    If the syntax is similar to that of the ldap_user_search_base then a
> similar
>    modification needs to be made.
> 

This option is similarly not multi-valued.


> We have yet to determine the full extent of the anamoly of ldap
> specific values that are ignored unless they are specifically placed in the
> [domain/LDAP] section.
> 
> This is particularly important when sssd.conf is generated from the
> output of authconfig in which new values are place in the [domain/default]
> section.
> 
> Some ldap values are accepted in the default domain section and others
> are ignored. 
> The values for ldap_user_search_base is ignored in the default domain
> section but accepted in the LDAP domain section.
> 

[domain/default] is misleading, and bz#697644 is meant to address it.

In the [sssd] section, there is an option "domains =" which describes which [domain/<domainname>] sections are active, and what order they should resolve.

If you are using
domains = LDAP
then only changes to [domain/LDAP] will have any effect. [domain/default] in this case is disabled.

The only reason that some values APPEAR to be ignored in the LDAP section is that for certain attributes (like search bases) if they are unspecified, we will ask the LDAP server's Root DSE to provide them for us.


> 
> There is little to no syntax checking by sssd on startup.   It would be
> very helpful if syntax was checked and flagged if found to be unacceptable.

There are several BZs open to track the addition of syntax validation, but right now it is not yet available. The relevant upstream bug is https://fedorahosted.org/sssd/ticket/133