1072458 – [RFE] SSSD configuration file test tool (sssd_check)

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1072458 - [RFE] SSSD configuration file test tool (sssd_check)

Summary: [RFE] SSSD configuration file test tool (sssd_check)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	7.1
Assignee:	SSSD Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:	1290382
Blocks:	1292074 1296125 1313485
TreeView+	depends on / blocked

Reported:	2014-03-04 15:46 UTC by Mark Heslin 🎸
Modified:	2020-05-02 17:39 UTC (History)
CC List:	10 users (show)
Fixed In Version:	sssd-1.14.0-2.el7
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 07:10:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 3311	0	None	closed	[RFE] SSSD configuration file test tool (sssd_check)	2020-09-25 04:12:46 UTC
Red Hat Product Errata	RHEA-2016:2476	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2016-11-03 14:08:11 UTC

Description Mark Heslin 🎸 2014-03-04 15:46:55 UTC

Description of problem:

The sssd.conf file has many parameters and options but no clean, efficient way to check the file for correctness - typos, incorrect parameter contexts, leading spaces, etc. Some checking is done when sssd is started but if problems are encountered, the usual result is sssd fails to start and any warnings, errors are logged but not always useful.

Having a stand-alone utility "sssd_check" (similar to the testparm tool included with Samba) has the potential to save much troubleshooting time for all. This makes good business sense given the fact that SSSD is installed by default on RHEL, and its interest and use continues to grow.


Version-Release number of selected component (if applicable):
RHEL 6.5+, RHEL 7+

How reproducible:
n/a

Steps to Reproduce:
1. n/a
2.
3.

Actual results:
n/a

Expected results:
n/a

Additional info:

From a high level sssd_check could operate (similar to Samba testparm) as follows:

# sssd_check --help

Usage:  [OPTION...] <config_file> 
  -v, --verbose        Show default options
  -l, --skip-logic-checks         Skip the global checks
      --show-all-parameters       Show the parameters, type, possible values
      --parameter-name=STRING     Limit testparm to a named parameter
      --section-name=STRING       Limit testparm to a named section

Help options:
  -?, --help                      Show this help message
      --usage                     Display brief usage message

Common sssd options:
  -V, --version                   Print version

Common sssd debugging:
  -d, --debuglevel=DEBUGLEVEL     Set debug level

Common sssd commandline config:
      --option=name=value         Set sssd.conf option from command line


Notes:
 1. If no config_file is specified then the default /etc/sssd/sssd.conf is used
 2. Comments are stripped out of the output


Using the following file as an example:

[sssd]
config_file_version = 2
debug_level = 0 
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

# Uncomment/adjust as needed if IMU is not used:
#override_homedir = /home/%d/%u
#default_shell = /bin/bash

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad

# Permits offline logins:
# cache_credentials = true

# Use when service discovery not working:
# ad_server = win-srv1.refarch-ad.cloud.lab.eng.bos.redhat.com

# Enables use of POSIX UID's and GID's:
ldap_id_mapping = false

the examples below demonstrate it usage and output.

----------------------------
Example 1 - display version:
----------------------------

# check_sssd --version
Version 1.2.3-456.el6.5

-------------------------------
Example 2 - check on good file:
-------------------------------

# check_sssd
Loading sssd config file from /etc/sssd/sssd.conf
Loaded file OK.
Server role: DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[sssd]
config_file_version = 2
debug_level = 0 
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad

ldap_id_mapping = false

---------------------------------------------------------------------
Example 3 - check on non-default file with bad parameter (foo = bar):
---------------------------------------------------------------------

# check_sssd -f  /etc/sssd/sssd.conf.bad
Loading sssd config file from /etc/sssd/sssd.conf.bad
Unknown parameter encountered: "foo"
Ignoring unknown parameter "foo"
Loaded file OK.
Server role: DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[sssd]
config_file_version = 2
debug_level = 0 
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad

ldap_id_mapping = false

Comment 2 Jakub Hrozek 2014-03-05 08:51:30 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/2269

Comment 3 Jakub Hrozek 2014-03-06 20:06:04 UTC

Moving to 7.1 for now as discussed on the SSSD meeting.

Comment 4 Mark Heslin 🎸 2014-09-08 18:22:28 UTC

Hi Jakub,

I just wanted to check in and find out what the status is for this - is it still targeted to RHEL 7.1? 

I've had several customers with munged configuration files recently which reminded me to reach out for an update.

Thanks,

-m

Comment 5 Jakub Hrozek 2014-09-09 09:02:04 UTC

(In reply to Mark Heslin from comment #4)
> Hi Jakub,
> 
> I just wanted to check in and find out what the status is for this - is it
> still targeted to RHEL 7.1? 
> 
> I've had several customers with munged configuration files recently which
> reminded me to reach out for an update.
> 
> Thanks,
> 
> -m

No it's not, sorry. Currently it's 7.2 at the earliest.

It would be helpful if you could link the customer cases to the BZ so we know how many customers request the feature and plan accordingly.

Comment 6 Lukas Slebodnik 2016-07-07 13:24:11 UTC

master:
* e088912418fd4db750f2097dfde8ef9b77303f05
* 199984c7972272f8162a356cda139c22f6f08556

Comment 12 Madhuri 2016-09-06 09:44:47 UTC

Tested with sssd-1.14.0-27.el7.x86_64

Steps followed during verification:
1) Install the sssd-tools package.
2) Create the sssd.conf.
3) Run sssctl config-check.

config-check detects typos in option name (not value), typos in section name and misplaced options.
Additionally the config-check also reports when something unexpected happens during configuration merging but does not check which option is missing.

-------------------------------------------------------------
sssd.conf without any typos in option name and section name
-------------------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0

-------------------------------------------------
sssd.conf with typos in option name
-------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'search_base' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0

------------------------------------------------
sssd.conf with typos in section name
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
(Fri Sep  2 11:40:43:603218 2016) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [LDAP]
(Fri Sep  2 11:40:43:603339 2016) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [LDAP], skipping!
(Fri Sep  2 11:40:43:603361 2016) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
.
------------------------------------------------
sssd.conf with misplaced option
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
services = nss, pam
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server sssd]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'services' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0

Comment 14 errata-xmlrpc 2016-11-04 07:10:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html

Note You need to log in before you can comment on or make changes to this bug.