Bug 1677994 - sssd config-check reports an error for a valid configuration option
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: SSSD Maintainers
QA Contact: Madhuri
Depends On: 1682305
Reported: 2019-02-17 12:50 UTC by Thorsten Scherf
Modified: 2019-08-22 06:09 UTC (History)

Fixed In Version: sssd-2.1.0-1.el8
Type: Bug



Description Thorsten Scherf 2019-02-17 12:50:49 UTC
Description of problem:
sssctl reports a false-positive error.

# rpm -q sssd
sssd-2.0.0-43.el8.x86_64

# grep ldap_host /etc/sssd/sssd.conf
ldap_host_object_class = ipService

# systemctl restart sssd 
# systemctl status sssd > /dev/null && echo $?
0

So the service starts ok, but the config-check fails:

# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'ldap_host_object_class' is not allowed in section 'domain/LDAP'. Check for typos.                           

There is also an error in sssd.log:
# tail -1 /var/log/sssd/sssd.log
(Sun Feb 17 07:35:23:363299 2019) [sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ldap_host_object_class' is not allowed in section 'domain/LDAP'. Check for typos.

It doesn't matter if the option is used in 'domain' or 'sssd' section. An error is shown in both cases.

Messages generated during configuration merging: 0

Used configuration snippet files: 0


Version-Release number of selected component (if applicable):
sssd-2.0.0-43.el8.x86_64 
I can verify the same issue also on RHEL7 with sssd-1.16.2-13.el7_6.5.x86_64.

How reproducible:
always

Steps to Reproduce:
1. Create an sssd ldap domain
2. Add any 'ldap_host_*' config directives to the domain

Actual results:
sssctl reports a configuration error

Expected results:
config check passes without an error.

Additional info:

Comment 2 Jakub Hrozek 2019-02-18 20:33:31 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3961

Comment 3 Jakub Hrozek 2019-02-20 20:52:26 UTC
Upstream fixes:
  master: 85e3630
  sssd-1-16: 5e70cf5

Comment 5 Madhuri 2019-08-22 06:05:31 UTC
Verified with
sssd-2.2.0-11.el8


Verified with the following code snippet

case 1:

ldap_host_object_class option in domain section,


    @pytest.mark.tier1
    def test_0023_checkldaphostobjectdomain(self, multihost, backupsssdconf):
        """
        @Title: IDM-SSSD-TC: Configuration validation: Check
        ldap_host_object_class option in domain section
        """
        section = "domain/%s" % ds_instance_name
        tools = sssdTools(multihost.client[0])
        domain_params = {'ldap_host_object_class': 'ipService'}
        tools.sssd_conf(section, domain_params)
        multihost.client[0].service_sssd('restart')
        sssctl_cmd = 'sssctl config-check'
        cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
        assert cmd.returncode == 0


case 2:

ldap_host_object_class option in sssd section,

    @pytest.mark.tier1
    def test_0024_checkldaphostobjectsssd(self, multihost, backupsssdconf):
        """
        @Title: IDM-SSSD-TC: Configuration validation: Check
        ldap_host_object_class option in sssd section
        """
        section = "sssd"
        tools = sssdTools(multihost.client[0])
        sssd_params = {'ldap_host_object_class': 'ipService'}
        tools.sssd_conf(section, sssd_params)
        multihost.client[0].service_sssd('restart')
        sssctl_cmd = 'sssctl config-check'
        cmd = multihost.client[0].run_command(sssctl_cmd, raiseonerr=False)
        assert cmd.returncode == 1
        log = re.compile(r".Attribute\s.ldap_host_object_class.\sis\snot\s"
                         r"allowed\sin\ssection\s.sssd.*")
        assert log.search(cmd.stdout_text)


Both test cases are passing
Thus marking this as verified.
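
The behaviour reported above and checked by the two test cases, as an added example that is not part of the bug report or of SSSD's code: a small allowlist validator that prints messages in the format quoted in the description. The allowlists, the rule name `rule/allowed_sssd_options`, the section patterns, the host name and the helper names are assumptions constructed for illustration.

```python
import configparser
import re

DOMAIN_RE = r"^domain/[^/@]+$"
# Constructed allowlists (assumption): small subsets, not SSSD's shipped rules.
SSSD_OPTS = {"services", "domains"}
DOMAIN_OPTS = {"id_provider", "ldap_uri"}

# "Before": the validator's allowlist lags behind what the daemon accepts.
# The sssd rule name is an assumption modelled on the domain rule in the report.
RULES_BEFORE = {
    "rule/allowed_sssd_options": (r"^sssd$", SSSD_OPTS),
    "rule/allowed_domain_options": (DOMAIN_RE, DOMAIN_OPTS),
}
# "After": the option is known to the validator for domain sections only.
RULES_AFTER = dict(RULES_BEFORE)
RULES_AFTER["rule/allowed_domain_options"] = (
    DOMAIN_RE, DOMAIN_OPTS | {"ldap_host_object_class"})


def make_conf(section):
    """Build a constructed sssd.conf with the option placed in `section`."""
    parser = configparser.ConfigParser(interpolation=None)
    parser["sssd"] = {"services": "nss, pam", "domains": "LDAP"}
    parser["domain/LDAP"] = {"id_provider": "ldap",
                             "ldap_uri": "ldap://ldap.example.test"}
    parser[section]["ldap_host_object_class"] = "ipService"
    return parser


def config_check(parser, rules):
    """Return (exit_status, messages); status is 1 when any issue is found."""
    issues = []
    for section in parser.sections():
        for rule, (section_re, allowed) in rules.items():
            if not re.match(section_re, section):
                continue
            for option in parser.options(section):
                if option not in allowed:
                    issues.append(
                        f"[{rule}]: Attribute '{option}' is not allowed "
                        f"in section '{section}'. Check for typos.")
    return (1 if issues else 0), issues


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for section in ("domain/LDAP", "sssd"):
            status, issues = config_check(make_conf(section), rules)
            print(f"{label} {section}: exit {status}", *issues, sep="\n  ")
```

With the "before" rules the domain case produces the false positive from the description; with the "after" rules it passes, while the same option in the `sssd` section is still rejected, which is what case 2 asserts.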

