Bug 923808

Summary: Wrong description for backend providers
Product: Red Hat Enterprise Linux 6 Reporter: Thorsten Scherf <tscherf>
Component: doc-Identity_Management_GuideAssignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE QA Contact: Jenny Severance <jgalipea>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: dpal, jhrozek
Target Milestone: rcKeywords: Documentation
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-10 03:43:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Thorsten Scherf 2013-03-20 13:51:46 UTC 
Description of problem:
The following statement on page 378 chapter 20.1.1.2 is misleading:

"A domain in SSSD defines four backend functions: authentication, identity lookups, access, and password changes. The SSSD domain is then configured to use an identity provider to supply the information for any one (or all)
of those four functions."

This should be changed to:

"A domain in SSSD defines four backend functions: authentication, identity lookups, access, and password changes. The SSSD domain is then configured to use an backend provider to supply the information for any one (or all)
of those four functions. SSSD requires at least one identity provider. If no provider is specified for authentication, access and password change, SSSD uses the identity provider as default."



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Dmitri Pal 2013-03-20 15:57:26 UTC 
May be like this?

"A domain in SSSD defines four backend functions: authentication, identity lookups, access, and password changes. The SSSD domain is then configured to use a backend provider to supply the information for any one (or all)
of those four functions. SSSD requires at least the identity provider to be specified for a domain. If no provider is specified for authentication, access and password change, SSSD uses the identity provider value to determine how other functions should be provided. For example, if identity provider value is 'ldap' other functions will be configured assuming they are provided by the same LDAP server as the identity provider, if identity provider is 'ipa' other functions will be configured assuming they are provided by the same IdM server, etc."

I wonder whether this applies to AD provider.
I hope so. But what is the access provider for AD? It is same as with LDAP, right?
Comment 2 Jakub Hrozek 2013-03-20 17:04:02 UTC 
(In reply to comment #1)
> I hope so. But what is the access provider for AD? It is same as with LDAP,
> right?

acess_provider=ad expands to:

access_provider=ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
Comment 3 Dmitri Pal 2013-03-20 19:24:44 UTC 
Then we should probably have a table of the defaults.

Something like:

If only identity provider is specified other back end provider settings are assumed based on the following table:

Identity Provider   Authentication  Access provider  Password Change
ad                     ...          <Jakub's reply>      ...
ipa                    ...               ...             ...
ldap                   ...               ...             ...

Makes sense?
... - need to be replaced with the actual defaults
Comment 4 Jakub Hrozek 2013-03-21 10:06:17 UTC 
For "bare" providers the situation is actually very simple, it's always the same value.

For "composite" providers like ipa or ad this table would make sense for the subchapters about the providers.
Comment 7 Deon Ballard 2014-05-10 03:43:43 UTC 
Mass closure of bugs modified in 2013. All of these are in the currently-published docs.