  1. RHEL
  2. RHEL-101145

SSSDConfig ignores `*_provider = none`


    • Bug
    • Resolution: Unresolved
    • Minor
    • rhel-9.5
    • sssd
    • rhel-idm-sssd

      Hey there!

      I looked for similar issues, but could not find one. If this is a duplicate, please ignore this.

      While looking at my `/etc/sssd/conf.d/example.conf` file, I noticed some config entries are missing? How come?
      Turns out, after running `sss_obfuscate -d Example -f /etc/sssd/conf.d/example.conf` all entries of the pattern `_provider = none` are missing... I intended to set these explicitly to `none`.

      I am using RHEL 9.5 with SSSD version `2.9.5`, release `4.el9`

      Below I provide a minimal setup and script based on `sss_obfuscate` for demonstrating this issue:

      My minimal config `/etc/sssd/conf.d/minimal.conf`:
      ```ini
      [sssd]
      services = nss, pam
      domains = Example
      config_file_version = 2

      [domain/Example]
      id_provider = ldap
      access_provider = ldap
      auth_provider = ldap
      autofs_provider = none
      chpass_provider = none
      resolver_provider = none
      sudo_provider = none

      debug_level = 0x00400

      ldap_uri = ldaps://example.org
      ldap_default_bind_dn = example@example.org
      ldap_default_authtok_type = obfuscated_password
      ```

      After running the following Python script (derived from `sss_obfuscate`):
      ```py
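      import SSSDConfig

      # Load the existing configuration file
      sssdconfig = SSSDConfig.SSSDConfig()
      sssdconfig.import_config("/etc/sssd/conf.d/minimal.conf")
      domain = sssdconfig.get_domain("Example")
      # Show what the parser kept for the domain
      print(f"Parsed Options:\n\n{domain.get_all_options()}\n\n")
      # Save the unmodified domain and write the file back
      sssdconfig.save_domain(domain)
      sssdconfig.write()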
      ```

      The contents of `/etc/sssd/conf.d/minimal.conf` have changed:
      ```ini
      [sssd]
      services = nss, pam
      domains = Example
      config_file_version = 2

      [domain/Example]
      id_provider = ldap
      access_provider = ldap
      auth_provider = ldap

      debug_level = 0x400

      ldap_uri = ldaps://example.org
      ldap_default_bind_dn = example@example.org
      ldap_default_authtok_type = obfuscated_password
      ```

      As you can see, the following lines are missing after running the script, similar to running `sss_obfuscate`:
      ```ini
      autofs_provider = none
      chpass_provider = none
      resolver_provider = none
      sudo_provider = none
      ```

      The same happens when using `None` instead of `none`.
      I have not yet noticed this behavior with other contents (configurations, or comments).

      Is this intended behavior? And if yes, why? Where is it documented?
      Does the main daemon handle/parse the configuration the same way? If yes, does the main daemon suffer from the same issue resulting in using the default values instead of `none`?

              sbose@redhat.com Sumit Bose
              idm-jira-bot@redhat.com Identity Management Jira Bot
              SSSD Maintainers SSSD Maintainers
              SSSD QE SSSD QE
              Louise McGarry Louise McGarry
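A check for the behaviour reported above, as an added example that is not part of the original report or of SSSD: it uses Python's standard `configparser` (not `SSSDConfig`) to compare a saved copy of the file with the rewritten one and list the options that disappeared. The sample texts are constructed from the report's `minimal.conf`, and the function names are hypothetical.

```python
import configparser

# Constructed sample input: the report's minimal.conf before and after the rewrite.
BEFORE = """\
[sssd]
domains = Example

[domain/Example]
id_provider = ldap
access_provider = ldap
auth_provider = ldap
autofs_provider = none
chpass_provider = none
resolver_provider = none
sudo_provider = none
debug_level = 0x00400
ldap_uri = ldaps://example.org
"""
AFTER = """\
[sssd]
domains = Example

[domain/Example]
id_provider = ldap
access_provider = ldap
auth_provider = ldap
debug_level = 0x400
ldap_uri = ldaps://example.org
"""

def parse(text):
    """Parse INI text into {section: {option: value}} without interpolation."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def dropped_options(before, after):
    """Return sorted (section, option, old_value) tuples for options missing after the rewrite."""
    old, new = parse(before), parse(after)
    return sorted((sec, opt, val) for sec, opts in old.items()
                  for opt, val in opts.items() if opt not in new.get(sec, {}))

def dropped_providers(before, after):
    """Only the dropped `*_provider` options, the case this report describes."""
    return [d for d in dropped_options(before, after) if d[1].endswith("_provider")]

if __name__ == "__main__":
    for sec, opt, val in dropped_providers(BEFORE, AFTER):
        print(f"dropped from [{sec}]: {opt} = {val}")
```

Keeping a copy of the file before running a tool that rewrites it, and comparing the two afterwards, makes a silently removed provider setting visible before the daemon is restarted.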