#3214 Update man pages for any AD provider config options that differ from ldap/krb5 providers defaults
Closed: Fixed. Opened 2 years ago by jstephen.

Some AD provider option defaults are different from their default values mentioned in sssd-ldap or sssd-krb5 man pages. I am creating a general ticket for this under the assumption that there are other options I'm not aware of which differ, but these two I came across myself during troubleshooting.

  • krb5 provider example

    man sssd-krb5| grep -A5 krb5_validate

       krb5_validate (boolean)
           Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. The keytab is checked for entries sequentially, and the first entry with a matching realm is used for validation. If no entry matches the
           realm, the last entry in the keytab is used. This process can be used to validate environments using cross-realm trust by placing the appropriate keytab entry as the last entry or the only entry in the keytab file.
           Default: false

    grep krb5_validate /var/log/sssd/sssd_AD.JSTEPHEN.log

    (Thu Oct 6 14:41:05 2016) [sssd[be[AD.JSTEPHEN]]] [dp_get_options] (0x0400): Option krb5_validate is TRUE

  • ldap provider example

    man sssd-ldap| grep -A5 ldap_id_mapping

       ldap_id_mapping (boolean)
           Specifies that SSSD should attempt to map user and group IDs from the ldap_user_objectsid and ldap_group_objectsid attributes instead of relying on ldap_user_uid_number and ldap_group_gid_number.
           Currently this feature supports only ActiveDirectory objectSID mapping.
           Default: false

    grep 'ldap_id_mapping' /var/log/sssd/sssd_AD.JSTEPHEN.log

    (Thu Oct 6 14:41:05 2016) [sssd[be[AD.JSTEPHEN]]] [dp_get_options] (0x0400): Option ldap_id_mapping is TRUE

The 'ldap_id_mapping' example above is not the best example because the sssd-ad man page does discuss id mapping in some detail; however, there is nothing mentioned about krb5_validate in the sssd-ad man page.

Sumit suggested that we should add the different AD provider default value in the ldap/krb5 provider man page and also in the ad provider man page.

sbose| justin-time, the defaults are different in the plain krb5 and the AD provider. Would you mind filing a ticket to update the man page accordingly?
justin-tim| sbose: sure, should the option be added to the sssd-ad man page then or a conditional note in the sssd-krb5 man page?
sbose| justin-time, I guess best would be both, it would be redundant, but might help the user to find the information he is looking for.
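The troubleshooting step the ticket describes is comparing the effective option values that the backend writes to its domain log (the `[dp_get_options]` lines) against the defaults the man pages state. The following is an added example, not code from the ticket or from the SSSD project: it parses such log lines and reports every option whose effective value differs from the documented default. The boolean `Option X is TRUE` form is the one quoted in the ticket; the `has value` / `has no value` forms for other option types, the extra sample lines, and the file name in the usage note are assumptions. The two documented defaults come from the man page excerpts above.

```python
import re
import sys

# Patterns for dp_get_options lines in a domain log (e.g. sssd_AD.JSTEPHEN.log).
# The boolean form "Option X is TRUE/FALSE" is shown in the ticket; the
# "has value ..." and "has no value" forms are assumed for non-boolean options.
_PREFIX = r"\[dp_get_options\] \(0x[0-9a-fA-F]+\): Option (\S+) "
_BOOL_RE = re.compile(_PREFIX + r"is (TRUE|FALSE)$")
_NOVALUE_RE = re.compile(_PREFIX + r"has no value$")
_VALUE_RE = re.compile(_PREFIX + r"has value (.*)$")

# Defaults as stated in the sssd-krb5 / sssd-ldap man pages quoted in the ticket.
# Extend this from the man pages of the provider you are checking.
DOCUMENTED_DEFAULTS = {
    "krb5_validate": False,    # sssd-krb5(5): Default: false
    "ldap_id_mapping": False,  # sssd-ldap(5): Default: false
}

# Constructed sample log: the first two lines are the ones quoted in the
# ticket, the last two are assumed examples of the other two line forms.
SAMPLE_LOG = """\
(Thu Oct 6 14:41:05 2016) [sssd[be[AD.JSTEPHEN]]] [dp_get_options] (0x0400): Option krb5_validate is TRUE
(Thu Oct 6 14:41:05 2016) [sssd[be[AD.JSTEPHEN]]] [dp_get_options] (0x0400): Option ldap_id_mapping is TRUE
(Thu Oct 6 14:41:05 2016) [sssd[be[AD.JSTEPHEN]]] [dp_get_options] (0x0400): Option krb5_keytab has value /etc/krb5.keytab
(Thu Oct 6 14:41:05 2016) [sssd[be[AD.JSTEPHEN]]] [dp_get_options] (0x0400): Option krb5_renew_interval has no value
"""


def parse_effective_options(log_text):
    """Return {option: value} for every dp_get_options line in the log.

    Booleans become Python bools, "has no value" becomes None, and any other
    value is kept as the string the backend logged. Later lines override
    earlier ones, so a restarted backend yields the most recent values.
    """
    effective = {}
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = _BOOL_RE.search(line)
        if m:
            effective[m.group(1)] = (m.group(2) == "TRUE")
            continue
        m = _NOVALUE_RE.search(line)
        if m:
            effective[m.group(1)] = None
            continue
        m = _VALUE_RE.search(line)
        if m:
            effective[m.group(1)] = m.group(2)
    return effective


def options_differing_from_docs(effective, documented_defaults):
    """Return {option: (effective_value, documented_default)} for every
    documented option that the backend actually reports with a different value.

    Options absent from the log are skipped rather than reported, because the
    log only proves what the backend loaded, not what the man page omitted.
    """
    return {
        name: (effective[name], default)
        for name, default in documented_defaults.items()
        if name in effective and effective[name] != default
    }


def report(log_text, documented_defaults=DOCUMENTED_DEFAULTS):
    """Parse the log and return the mismatches as a dict (also used by tests)."""
    return options_differing_from_docs(parse_effective_options(log_text), documented_defaults)


if __name__ == "__main__":
    # Usage: python check_defaults.py /var/log/sssd/sssd_AD.JSTEPHEN.log
    # Without an argument the constructed sample log is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, (got, documented) in sorted(report(text).items()):
        print(f"{name}: effective={got!r} documented default={documented!r}")
```

Run against the sample, it lists both `krb5_validate` and `ldap_id_mapping` as effective `True` with a documented default of `False`, which is exactly the discrepancy the ticket asks the man pages to document. Only options present in the log are compared, since `dp_get_options` logs every option the backend loaded, and the log level shown (0x0400) must be enabled in `debug_level` for those lines to appear.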

Fields changed

owner: somebody => jstephen
status: new => assigned

In general I agree. I just wonder if documenting the different defaults just in the sssd-ad man page might be more concise (our man pages are already quite big). On the other hand, splitting the options that are reused but with different defaults in different providers might allow us to split those options into included xml files and then only have a single place to change defaults at.

I think I would lean towards the second option and put the low-level Kerberos options into a separate section in the sssd-ad man page, but that's just my quick opinion :)

We'll gladly review a PR, in the meantime, moving to Patches welcome.

milestone: NEEDS_TRIAGE => SSSD Patches welcome

milestone: SSSD Patches welcome => SSSD 1.15 Alpha
resolution: => fixed
status: assigned => closed

Metadata Update from @jstephen:
- Issue assigned to jstephen
- Issue set to the milestone: SSSD 1.15.0

2 years ago
