Instead of enabling domains using the "domains" option in the [sssd] section we could have a [domain/*] option "enabled". This would allow admins to configure and enable a domain in the same snippet file.
Pushed PR: https://github.com/SSSD/sssd/pull/5213
* `master`
    * ff8d7b8f0dca57d04ed4157bc60ad3dd3a0eda4f - config: [RFE] Add "enabled" option to domain section

Pushed PR: https://github.com/SSSD/sssd/pull/5270
* `master`
    * fbc7082149ccc6ee4fe077480a5d692a86e75c79 - CONFDB: fixed bug in confdb_get_domain_enabled()
    * 83ae34509c6587568cb5164ff04d2af04da94c01 - CONFDB: fixed compilation warning
Verified with:

# rpm -qa sssd
sssd-2.4.0-2.el8.x86_64

case1: with two domains, in one enabled = true, for the other enabled = false

sssd snippet:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains = ldap1, ldap2

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_uid = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = false

Check user lookups:

[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2

User lookup is failing for ldap2 as enabled is false for the ldap2 domain.

case2: add enabled in both the ldap1 and ldap2 domains, but in the [sssd] section define domains = ldap1 only

sssd snippet:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains = ldap1

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_uid = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

Check user lookups:

[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
quser1@ldap2:*:3001:3001:quser1 User:/home/quser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2
quser2@ldap2:*:3002:3002:quser2 User:/home/quser2:/bin/bash

User lookups are successful from both domains.

case 3: with a snippet file, not defining any domains in the [sssd] section of the sssd.conf file

Create the snippet file:

[root@ci-vm-10-0-98-105 ~]# cat /etc/sssd/conf.d/01snippet.conf
[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_id = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[root@ci-vm-10-0-99-15 ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 1
/etc/sssd/conf.d/01snippet.conf

sssd snippet:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains =

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

Check user lookups:

[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
quser1@ldap2:*:3001:3001:quser1 User:/home/quser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2
quser2@ldap2:*:3002:3002:quser2 User:/home/quser2:/bin/bash

User lookups are successful from both domains.
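The three verification cases above pin down the rule for which domain sections become active once "enabled" exists: an explicit enabled = true/false in a [domain/*] section wins, and a section with no "enabled" key is active only if it is named in domains = in [sssd]. The following is an added example, written for this page and not SSSD's own code (the real decision is made in C in confdb_get_domain_enabled()), that models that rule over a merged view of sssd.conf plus conf.d snippets so an admin can dry-run a configuration before deploying it. The sample configs are constructed, trimmed to the keys that matter; the snippet-merge order (conf.d files applied after the main file, in lexical order) and the "listed but has no section" check are assumptions of this example, not behaviour shown on the page.

```python
"""Dry-run which [domain/*] sections SSSD would start (added example, not SSSD code)."""
import configparser
from typing import Iterable, List

# Constructed sample configs mirroring the three verification cases.
CASE1_MAIN = """
[sssd]
config_file_version = 2
services = pam, nss
domains = ldap1, ldap2

[domain/ldap1]
id_provider = ldap
enabled = true

[domain/ldap2]
id_provider = ldap
enabled = false
"""

CASE2_MAIN = """
[sssd]
config_file_version = 2
services = pam, nss
domains = ldap1

[domain/ldap1]
id_provider = ldap
enabled = true

[domain/ldap2]
id_provider = ldap
enabled = true
"""

CASE3_MAIN = """
[sssd]
config_file_version = 2
services = pam, nss
domains =

[domain/ldap1]
id_provider = ldap
enabled = true
"""

# Constructed stand-in for /etc/sssd/conf.d/01snippet.conf
CASE3_SNIPPET = """
[domain/ldap2]
id_provider = ldap
enabled = true
"""


def parse_sssd_config(main_conf: str, snippets: Iterable[str] = ()) -> configparser.ConfigParser:
    """Parse sssd.conf text plus conf.d snippet texts into one merged view.

    Assumption: snippets are applied after the main file in the order given
    (lexical order of conf.d/*.conf), so a later value overrides an earlier one.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written instead of lowercasing
    cp.read_string(main_conf)
    for text in snippets:
        cp.read_string(text)
    return cp


def listed_domains(cp: configparser.ConfigParser) -> List[str]:
    """Names from 'domains = a, b' in [sssd]; empty when the key is unset or blank."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def enabled_domains(cp: configparser.ConfigParser) -> List[str]:
    """Sorted names of the domain sections that would be active.

    Rule taken from the verification cases: an explicit 'enabled' in the domain
    section wins; without it the domain is active only if it is listed.
    """
    listed = listed_domains(cp)
    # Sanity check added here (assumption): a listed domain must have a section.
    missing = [d for d in listed if not cp.has_section(f"domain/{d}")]
    if missing:
        raise ValueError(f"listed in 'domains' but no [domain/...] section: {missing}")
    active = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        if cp.has_option(section, "enabled"):
            is_on = cp.getboolean(section, "enabled")  # explicit key wins
        else:
            is_on = name in listed  # legacy behaviour: only the domains list counts
        if is_on:
            active.append(name)
    return sorted(active)


if __name__ == "__main__":
    print("case1:", enabled_domains(parse_sssd_config(CASE1_MAIN)))
    print("case2:", enabled_domains(parse_sssd_config(CASE2_MAIN)))
    print("case3:", enabled_domains(parse_sssd_config(CASE3_MAIN, [CASE3_SNIPPET])))
```

Running it prints ldap1 only for case 1, and both ldap1 and ldap2 for cases 2 and 3, matching the getent results above. The practical caveat this makes visible: once snippets can carry enabled = true, the domains = line in [sssd] is no longer a complete inventory of what SSSD serves, so a review of /etc/sssd/sssd.conf alone can miss a domain (and its identity source) dropped into /etc/sssd/conf.d/.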
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1666