Bug 1884196 - [RFE] Add "enabled" option to domain section in config file
Summary: [RFE] Add "enabled" option to domain section in config file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Pavel Březina
QA Contact: Madhuri
Docs Contact: lmcgarry
URL:
Whiteboard: sync-to-jira qetodo
Depends On: 1881992
Blocks:
Reported: 2020-10-01 10:31 UTC by Alexey Tikhonov
Modified: 2021-05-18 15:05 UTC (History)
CC: 13 users

Fixed In Version: sssd-2.4.0-1.el8
Doc Type: Enhancement
Doc Text:
.Enabling or disabling SSSD domains within the [domain] section of the sssd.conf file

With this update, you can now enable or disable an SSSD domain by modifying its respective `[domain]` section in the `sssd.conf` file. Previously, if your SSSD configuration contained a standalone domain, you still had to modify the `domains` option in the `[sssd]` section of the `sssd.conf` file. This update allows you to set the `enabled=` option in the domain configuration to `true` or `false`.

* Setting the `enabled` option to `true` enables a domain, even if it is not listed under the `domains` option in the `[sssd]` section of the `sssd.conf` file.
* Setting the `enabled` option to `false` disables a domain, even if it is listed under the `domains` option in the `[sssd]` section of the `sssd.conf` file.
* If the `enabled` option is not set, the configuration in the `domains` option in the `[sssd]` section of the `sssd.conf` file is used.
Clone Of:
Environment:
Last Closed: 2021-05-18 15:03:57 UTC
Type: Enhancement
Target Upstream Version:
Embargoed:

Links:
Github SSSD sssd issues 4743 (private: 0, priority: None, status: closed) - [RFE] Add "enabled" option to domain section - last updated 2021-02-15 04:30:14 UTC

Description Alexey Tikhonov 2020-10-01 10:31:15 UTC
Instead of enabling domains using the "domains" option in the [sssd] section, we could have a [domain/*] option "enabled". This would allow admins to configure and enable a domain in the same snippet file.

Comment 2 Alexey Tikhonov 2020-10-01 10:37:27 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5213
* `master`
    * ff8d7b8f0dca57d04ed4157bc60ad3dd3a0eda4f - config: [RFE] Add "enabled" option to domain section


Pushed PR: https://github.com/SSSD/sssd/pull/5270
* `master`
    * fbc7082149ccc6ee4fe077480a5d692a86e75c79 - CONFDB: fixed bug in confdb_get_domain_enabled()
    * 83ae34509c6587568cb5164ff04d2af04da94c01 - CONFDB: fixed compilation warning

Comment 7 Madhuri 2020-12-06 10:28:51 UTC
Verified with:

# rpm -qa sssd
sssd-2.4.0-2.el8.x86_64

case 1:
with two domains,
in one enabled = true, for the other enabled = false

sssd snippet:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains = ldap1, ldap2

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_uid = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = false

Check user lookups:
[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2

User lookup is failing for ldap2 as enabled is false for ldap2 domain.

case 2:

Add enabled in both the ldap1 and ldap2 domains, but
in the sssd section define
domains = ldap1 only

sssd snippet:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains = ldap1

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_uid = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

Check user lookups:

[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
quser1@ldap2:*:3001:3001:quser1 User:/home/quser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2
quser2@ldap2:*:3002:3002:quser2 User:/home/quser2:/bin/bash

user lookups are successful from both domains

case 3:
with a snippet file, not defining any domains in the sssd section of the sssd.conf file

Create the snippet file:
[root@ci-vm-10-0-98-105 ~]# cat /etc/sssd/conf.d/01snippet.conf 
[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_id = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[root@ci-vm-10-0-99-15 ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 1
/etc/sssd/conf.d/01snippet.conf

sssd snippet:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains = 

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

Check user lookups:
[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
quser1@ldap2:*:3001:3001:quser1 User:/home/quser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2
quser2@ldap2:*:3002:3002:quser2 User:/home/quser2:/bin/bash

User lookups are successful from both domains.
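The Doc Text above states three rules for the `enabled` option, and the three verification cases in Comment 7 exercise them against a real SSSD. The following is an added example, not SSSD's own confdb code: it re-implements those rules in Python over constructed in-memory sssd.conf and snippet texts, so the resolution logic can be checked offline. It assumes that snippet files in conf.d are merged after the main file in sorted filename order with snippet values winning, which is how the case 3 snippet takes effect; the `domain_section`/`sssd_section` helpers and the extra "fallback" and "override" cases are constructed here and go beyond what the page shows.

```python
"""Resolve which SSSD domains are effectively enabled.

Added example: re-implements the 'enabled' rules from the Doc Text; it is
not SSSD's confdb code. All inputs are constructed in-memory configs.
"""
import configparser

DOMAIN_PREFIX = "domain/"


def parse_domain_list(raw):
    """Split the comma-separated 'domains' value from the [sssd] section."""
    return [d.strip() for d in raw.split(",") if d.strip()]


def merge_config(main_text, snippets=None):
    """Merge sssd.conf text with snippet texts.

    Assumption for this example: snippets (conf.d/*.conf) are read after the
    main file in sorted filename order, so a snippet value replaces the value
    from the main file for the same section and option.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(main_text, source="sssd.conf")
    for fname in sorted(snippets or {}):
        cp.read_string(snippets[fname], source=fname)
    return cp


def enabled_domains(cp):
    """Apply the three Doc Text rules and return the enabled domain names.

    enabled=true  -> domain is on even if absent from 'domains'
    enabled=false -> domain is off even if listed in 'domains'
    no 'enabled'  -> fall back to membership in the 'domains' list
    """
    listed = set(parse_domain_list(cp.get("sssd", "domains", fallback="")))
    result = []
    for section in cp.sections():
        if not section.startswith(DOMAIN_PREFIX):
            continue
        name = section[len(DOMAIN_PREFIX):]
        if "/" in name:
            continue  # [domain/parent/sub] sections configure subdomains, skipped here
        if cp.has_option(section, "enabled"):
            on = cp.getboolean(section, "enabled")
        else:
            on = name in listed
        if on:
            result.append(name)
    return sorted(result)


def domain_section(name, enabled=None):
    """Constructed minimal [domain/NAME] section (not a real site config)."""
    lines = [f"[domain/{name}]", "id_provider = ldap",
             f"ldap_search_base = dc={name},dc=test"]
    if enabled is not None:
        lines.append(f"enabled = {enabled}")
    return "\n".join(lines) + "\n"


def sssd_section(domains):
    """Constructed minimal [sssd] section with the given 'domains' value."""
    return ("[sssd]\nconfig_file_version = 2\nservices = pam, nss\n"
            f"domains = {domains}\n")


# Constructed inputs mirroring the three verification cases in Comment 7.
CASE1 = (sssd_section("ldap1, ldap2") + domain_section("ldap1", "true")
         + domain_section("ldap2", "false"))
CASE2 = (sssd_section("ldap1") + domain_section("ldap1", "true")
         + domain_section("ldap2", "true"))
CASE3_MAIN = sssd_section("") + domain_section("ldap1", "true")
CASE3_SNIPPETS = {"01snippet.conf": domain_section("ldap2", "true")}
# Extra constructed cases: the fallback rule, and a snippet overriding 'enabled'.
CASE_FALLBACK = sssd_section("ldap1") + domain_section("ldap1") + domain_section("ldap2")
CASE_OVERRIDE_SNIPPETS = {"02off.conf": "[domain/ldap1]\nenabled = false\n"}


def run_cases():
    """Return the enabled domains for every constructed case."""
    return {
        "case1": enabled_domains(merge_config(CASE1)),
        "case2": enabled_domains(merge_config(CASE2)),
        "case3": enabled_domains(merge_config(CASE3_MAIN, CASE3_SNIPPETS)),
        "fallback": enabled_domains(merge_config(CASE_FALLBACK)),
        "override": enabled_domains(merge_config(CASE1, CASE_OVERRIDE_SNIPPETS)),
    }


if __name__ == "__main__":
    for case, domains in run_cases().items():
        print(f"{case}: enabled domains = {domains}")
```

The "override" case is the one worth keeping in mind operationally: a snippet dropped into conf.d can switch a domain on or off without touching the `domains` list in the main file, so the set of merged snippet files reported by `sssctl config-check` (as in case 3) is what to review when the effective domain set is not what the main sssd.conf suggests.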

Comment 15 errata-xmlrpc 2021-05-18 15:03:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666