Bug 1353973 - ipa-client-install should overwrite existing sssd.conf
Summary: ipa-client-install should overwrite existing sssd.conf
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Depends On:
Reported: 2016-07-08 14:53 UTC by Luc de Louw
Modified: 2019-03-25 16:50 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Type: Bug
Target Upstream Version:

Description Luc de Louw 2016-07-08 14:53:17 UTC
Description of problem:
When running ipa-client-install, /etc/sssd/sssd.conf is appended instead of overwritten.

As a result, old authentication methods are still working on an IPA-enrolled server. Usually this is not a desirable behaviour.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure sssd.conf to authenticate with, e.g., LDAP
2. run ipa-client-install
3. Find /etc/sssd/sssd.conf allowing both the old and new authentication method.

Actual results:
IPA users and users from the former authentication method (e.g. LDAP) can log in

Expected results:
Only IPA users should be able to log in

Additional info:

There are valid situations where two or more authentication methods should be possible. Adding a switch to ipa-client-install such as --overwrite-sssd-config would be a nice option.

The same configuration issue is with /etc/openldap/ldap.conf, see BZ #1353969

Comment 2 Petr Vobornik 2016-07-12 15:57:01 UTC
Upstream ticket:

Comment 3 Petr Vobornik 2016-07-12 15:58:49 UTC
Was cloned upstream to the Future release milestone. This behavior is undefined in IPA and therefore it will need a design page.

A suggestion from Jan Pazdiora:
Could we check that the content of the file is the rpm-default/vanilla, not touched yet, and overwrite if the file was not touched yet but not overwrite if it was somehow modified by the admin?
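Added example, not code from ipa-client-install or from this report: a check for the leftover state described in step 3 of the description (an active sssd domain whose providers are not IPA) together with the untouched-file test Jan Pazdiora proposes. The two sssd.conf samples and the default-file digest are constructed for the example.

```python
import configparser
import hashlib
# Constructed sample of the state in step 3 of the report: ipa-client-install
# appended an IPA domain next to a pre-existing LDAP domain, and both are active.
APPENDED_CONF = """\
[sssd]
domains = ldap.example.com, ipa.example.com
[domain/ldap.example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
[domain/ipa.example.com]
id_provider = ipa
ipa_server = _srv_, ipa.example.com
"""
# Constructed sample of the expected state: only the IPA domain is active.
IPA_ONLY_CONF = """\
[sssd]
domains = ipa.example.com
[domain/ipa.example.com]
id_provider = ipa
ipa_server = _srv_, ipa.example.com
"""
def _parse(text):
    # strict=False tolerates duplicate sections that an append can leave behind.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def non_ipa_domains(text):
    """Return (domain, id_provider, auth_provider) for every active domain whose
    providers are not 'ipa'; a non-empty result means the old method still works."""
    cp = _parse(text)
    found = []
    for dom in cp.get("sssd", "domains", fallback="").split(","):
        dom = dom.strip()
        sect = "domain/" + dom
        if not dom or not cp.has_section(sect):
            continue  # unknown or inactive domain: not an authentication path
        idp = cp.get(sect, "id_provider", fallback="")
        authp = cp.get(sect, "auth_provider", fallback=idp)  # sssd defaults auth to id
        if idp != "ipa" or authp != "ipa":
            found.append((dom, idp, authp))
    return found

def is_untouched(text, default_sha256):
    # Jan Pazdiora's suggestion: overwritable only if the file still equals the
    # packaged default, identified here by a SHA-256 digest the caller supplies.
    return hashlib.sha256(text.encode()).hexdigest() == default_sha256
```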
