Bug 1072458 - [RFE] SSSD configuration file test tool (sssd_check)
Summary: [RFE] SSSD configuration file test tool (sssd_check)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd   
(Show other bugs)
Version: 7.0
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: 7.1
Assignee: SSSD Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Keywords: FutureFeature
Depends On: 1290382
Blocks: 1292074 1296125 1313485
TreeView+ depends on / blocked
 
Reported: 2014-03-04 15:46 UTC by Mark Heslin
Modified: 2016-11-04 07:10 UTC (History)
10 users (show)

Fixed In Version: sssd-1.14.0-2.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 07:10:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2476 normal SHIPPED_LIVE sssd bug fix and enhancement update 2016-11-03 14:08:11 UTC

Description Mark Heslin 2014-03-04 15:46:55 UTC
Description of problem:

The sssd.conf file has many parameters and options but no clean, efficient way to check the file for correctness - typos, incorrect parameter contexts, leading spaces, etc. Some checking is done when sssd is started but if problems are encountered, the usual result is sssd fails to start and any warnings, errors are logged but not always useful.

Having a stand-alone utility "sssd_check" (similar to the testparm tool included with Samba) has the potential to save much troubleshooting time for all. This makes good business sense given the fact that SSSD is installed by default on RHEL, and its interest and use continues to grow.


Version-Release number of selected component (if applicable):
RHEL 6.5+, RHEL 7+

How reproducible:
n/a

Steps to Reproduce:
1. n/a
2.
3.

Actual results:
n/a

Expected results:
n/a

Additional info:

From a high level sssd_check could operate (similar to Samba testparm) as follows:

# sssd_check --help

Usage:  [OPTION...] <config_file> 
  -v, --verbose        Show default options
  -l, --skip-logic-checks         Skip the global checks
      --show-all-parameters       Show the parameters, type, possible values
      --parameter-name=STRING     Limit testparm to a named parameter
      --section-name=STRING       Limit testparm to a named section

Help options:
  -?, --help                      Show this help message
      --usage                     Display brief usage message

Common sssd options:
  -V, --version                   Print version

Common sssd debugging:
  -d, --debuglevel=DEBUGLEVEL     Set debug level

Common sssd commandline config:
      --option=name=value         Set sssd.conf option from command line


Notes:
 1. If no config_file is specified then the default /etc/sssd/sssd.conf is used
 2. Comments are stripped out of the output


Using the following file as an example:

[sssd]
config_file_version = 2
debug_level = 0 
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

# Uncomment/adjust as needed if IMU is not used:
#override_homedir = /home/%d/%u
#default_shell = /bin/bash

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad

# Permits offline logins:
# cache_credentials = true

# Use when service discovery not working:
# ad_server = win-srv1.refarch-ad.cloud.lab.eng.bos.redhat.com

# Enables use of POSIX UID's and GID's:
ldap_id_mapping = false

the examples below demonstrate it usage and output.

----------------------------
Example 1 - display version:
----------------------------

# check_sssd --version
Version 1.2.3-456.el6.5

-------------------------------
Example 2 - check on good file:
-------------------------------

# check_sssd
Loading sssd config file from /etc/sssd/sssd.conf
Loaded file OK.
Server role: DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[sssd]
config_file_version = 2
debug_level = 0 
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad

ldap_id_mapping = false

---------------------------------------------------------------------
Example 3 - check on non-default file with bad parameter (foo = bar):
---------------------------------------------------------------------

# check_sssd -f  /etc/sssd/sssd.conf.bad
Loading sssd config file from /etc/sssd/sssd.conf.bad
Unknown parameter encountered: "foo"
Ignoring unknown parameter "foo"
Loaded file OK.
Server role: DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[sssd]
config_file_version = 2
debug_level = 0 
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad

ldap_id_mapping = false

Comment 2 Jakub Hrozek 2014-03-05 08:51:30 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2269

Comment 3 Jakub Hrozek 2014-03-06 20:06:04 UTC
Moving to 7.1 for now as discussed on the SSSD meeting.

Comment 4 Mark Heslin 2014-09-08 18:22:28 UTC
Hi Jakub,

I just wanted to check in and find out what the status is for this - is it still targeted to RHEL 7.1? 

I've had several customers with munged configuration files recently which reminded me to reach out for an update.

Thanks,

-m

Comment 5 Jakub Hrozek 2014-09-09 09:02:04 UTC
(In reply to Mark Heslin from comment #4)
> Hi Jakub,
> 
> I just wanted to check in and find out what the status is for this - is it
> still targeted to RHEL 7.1? 
> 
> I've had several customers with munged configuration files recently which
> reminded me to reach out for an update.
> 
> Thanks,
> 
> -m

No it's not, sorry. Currently it's 7.2 at the earliest.

It would be helpful if you could link the customer cases to the BZ so we know how many customers request the feature and plan accordingly.

Comment 6 Lukas Slebodnik 2016-07-07 13:24:11 UTC
master:
* e088912418fd4db750f2097dfde8ef9b77303f05
* 199984c7972272f8162a356cda139c22f6f08556

Comment 12 Madhuri 2016-09-06 09:44:47 UTC
Tested with sssd-1.14.0-27.el7.x86_64

Steps followed during verification:
1) Install the sssd-tools package.
2) Create the sssd.conf.
3) Run sssctl config-check.

config-check detects typos in option name (not value), typos in section name and misplaced options.
Additionally the config-check also reports when something unexpected happens during configuration merging but does not check which option is missing.

-------------------------------------------------------------
sssd.conf without any typos in option name and section name
-------------------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0

-------------------------------------------------
sssd.conf with typos in option name
-------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'search_base' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0

------------------------------------------------
sssd.conf with typos in section name
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
(Fri Sep  2 11:40:43:603218 2016) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [LDAP]
(Fri Sep  2 11:40:43:603339 2016) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [LDAP], skipping!
(Fri Sep  2 11:40:43:603361 2016) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
.
------------------------------------------------
sssd.conf with misplaced option
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
services = nss, pam
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server sssd]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'services' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0

Comment 14 errata-xmlrpc 2016-11-04 07:10:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html


Note You need to log in before you can comment on or make changes to this bug.