Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1884196 - [RFE] Add "enabled" option to domain section in config file
Summary: [RFE] Add "enabled" option to domain section in config file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Pavel Březina
QA Contact: Madhuri
lmcgarry
URL:
Whiteboard: sync-to-jira qetodo
Depends On: 1881992
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-10-01 10:31 UTC by Alexey Tikhonov
Modified: 2021-05-18 15:05 UTC (History)
13 users (show)

Fixed In Version: sssd-2.4.0-1.el8
Doc Type: Enhancement
Doc Text:
.Enabling or disabling SSSD domains within the [domain] section of the sssd.conf file With this update, you can now enable or disable an SSSD domain by modifying its respective `[domain]` section in the `sssd.conf` file. Previously, if your SSSD configuration contained a standalone domain, you still had to modify the `domains` option in the `[sssd]` section of the `sssd.conf` file. This update allows you to set the `enabled=` option in the domain configuration to true or false. * Setting the `enabled` option to true enables a domain, even if it is not listed under the `domains` option in the `[sssd]` section of the `sssd.conf` file. * Setting the `enabled` option to false disables a domain, even if it is listed under the `domains` option in the `[sssd]` section of the `sssd.conf` file. * If the `enabled` option is not set, the configuration in the `domains` option in the `[sssd]` section of the `sssd.conf` is used.
Clone Of:
Environment:
Last Closed: 2021-05-18 15:03:57 UTC
Type: Enhancement
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4743 0 None closed [RFE] Add "enabled" option to domain section 2021-02-15 04:30:14 UTC

Description Alexey Tikhonov 2020-10-01 10:31:15 UTC
Instead of enabling domains using the "domains" option in [sssd] section we could have [domain/*] option "enabled". This would allow admins to configure and enable domain in the same snippet file.

Comment 2 Alexey Tikhonov 2020-10-01 10:37:27 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5213
* `master`
    * ff8d7b8f0dca57d04ed4157bc60ad3dd3a0eda4f - config: [RFE] Add "enabled" option to domain section


Pushed PR: https://github.com/SSSD/sssd/pull/5270
* `master`
    * fbc7082149ccc6ee4fe077480a5d692a86e75c79 - CONFDB: fixed bug in confdb_get_domain_enabled()
    * 83ae34509c6587568cb5164ff04d2af04da94c01 - CONFDB: fixed compilation warning

Comment 7 Madhuri 2020-12-06 10:28:51 UTC
Verified with:

# rpm -qa sssd
sssd-2.4.0-2.el8.x86_64

case1:
with two domain, 
in one enable = true, for other enabled = false

sssd snippet:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains = ldap1, ldap2

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_uid = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = false

Check user lookups
[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2

User lookup is failing for ldap2 as enabled is false for ldap2 domain.

case2:

Add enabled in both ldap1 and ldap2 domain but 
in sssd section define 
domains = ldap1 only

sssd snippet:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains = ldap1

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_uid = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

check user lookup

[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
quser1@ldap2:*:3001:3001:quser1 User:/home/quser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2
quser2@ldap2:*:3002:3002:quser2 User:/home/quser2:/bin/bash

user lookups are successful from both domains

case 3:
with snippet file, in sssd setion not defining any domains of sssd.conf file

create the snippet file
[root@ci-vm-10-0-98-105 ~]# cat /etc/sssd/conf.d/01snippet.conf 
[domain/ldap2]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example1,dc=test
ldap_uri = ldaps://server.example.com
min_id = 3000
max_id = 3020
ldap_group_search_base = ou=Groups,dc=example1,dc=test
ldap_user_search_base = ou=People,dc=example1,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

[root@ci-vm-10-0-99-15 ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 1
/etc/sssd/conf.d/01snippet.conf

sssd snippet

[sssd]
config_file_version = 2
sbus_timeout = 30
services = pam, nss
domains = 

[domain/ldap1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
debug_level = 0xFFF0
enumerate = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=example0,dc=test
ldap_uri = ldaps://server.example.co
min_uid = 2000
max_id = 2020
ldap_group_search_base = ou=Groups,dc=example0,dc=test
ldap_user_search_base = ou=People,dc=example0,dc=test
cache_credentials = False
use_fully_qualified_names = True
enabled = true

check userlookup
[root@ci-vm-10-0-99-15 ~]# getent passwd puser1@ldap1
puser1@ldap1:*:2001:2001:puser1 User:/home/puser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd puser2@ldap1
puser2@ldap1:*:2002:2002:puser2 User:/home/puser2:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser1@ldap2
quser1@ldap2:*:3001:3001:quser1 User:/home/quser1:/bin/bash
[root@ci-vm-10-0-99-15 ~]# getent passwd quser2@ldap2
quser2@ldap2:*:3002:3002:quser2 User:/home/quser2:/bin/bash

User lookups are successful from both domains.

Comment 15 errata-xmlrpc 2021-05-18 15:03:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666


Note You need to log in before you can comment on or make changes to this bug.