Bug 662963

Summary: yast2 ldap-client creates invalid sssd.conf when "Do Not Use LDAP" is selected
Product: [openSUSE] openSUSE 11.4
Reporter: Ralf Haferkamp <ralf>
Component: YaST2
Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Normal
Priority: P5 - None
Version: Milestone 5 of 6
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ralf Haferkamp 2011-01-07 10:40:33 UTC
How to reproduce:

1. make sure sssd is not installed and /etc/sssd/sssd.conf does not exist
2. start yast2 ldap-client
3. Select "Do Not Use LDAP" from the Radio Button Group
4. Enter LDAP settings (server + basedn)
5. Click ok.

Upon writing YaST will create an incomplete sssd.conf (missing some sections and settings). Now:

6. start yast2 ldap-client again
7. Select "Use LDAP"
8. Click ok.

sssd and its dependencies will get installed, but sssd can't start up because the configuration is broken.

We should either create a working sssd.conf or not write sssd.conf at all when "Do Not Use LDAP" is selected. I'll give more details about the missing things in sssd.conf in the next comment.
Comment 1 Jiří Suchomel 2011-01-07 12:00:30 UTC
In latest package, I do not write the file when it is not present. Is it good enough?
Comment 2 Ralf Haferkamp 2011-01-07 12:24:26 UTC
(In reply to comment #1)
> In latest package, I do not write the file when it is not present. Is it good
> enough?
Yes, I guess so. Though the main reasons why it was working were:

- sssd.conf needs to be 0600 (it might contain cleartext secrets, or cleartext equivalents). SSSD checks that upon startup and refuses to start if the file is not 0600. YaST created that file as 0644.

- the [sssd] section missed the line:
config_file_version = 2

yast2-ldap-client should probably check the above conditions, always when writing sssd.conf.
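Comment 2 names the two conditions sssd checks before it starts. As an added example (not YaST code and not from this bug), here is a small Ruby checker and writer for exactly those two conditions; the sssd.conf content below is a constructed sample, not the file YaST produced:

```ruby
require 'tempfile'

# Constructed sample of an incomplete sssd.conf: [sssd] lacks
# config_file_version, which sssd requires (per comment 2).
BROKEN_SSSD_CONF = <<~CONF
  [sssd]
  services = nss, pam
  domains = default

  [domain/default]
  id_provider = ldap
  ldap_uri = ldap://ldap.example.com
  ldap_search_base = dc=example,dc=com
CONF

# Minimal INI parse of sssd.conf: { section => { key => value } }.
def parse_sssd_conf(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
      sections[current] ||= {}
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2]
    end
  end
  sections
end

# Returns the problems that make sssd refuse to start: a mode other
# than 0600, or no "config_file_version = 2" in the [sssd] section.
def check_sssd_conf(path)
  problems = []
  mode = File.stat(path).mode & 0o777
  problems << format('mode is %04o, expected 0600', mode) unless mode == 0o600
  version = parse_sssd_conf(File.read(path)).fetch('sssd', {})['config_file_version']
  problems << 'missing config_file_version = 2 in [sssd]' unless version == '2'
  problems
end

# Writes sssd.conf the way a config writer should: the version line is
# ensured and the file is 0600 from creation (and re-tightened if it existed).
def write_sssd_conf(path, text)
  conf = parse_sssd_conf(text)
  unless conf.fetch('sssd', {})['config_file_version'] == '2'
    text = conf.key?('sssd') ? text.sub(/^\[sssd\]\n/, "[sssd]\nconfig_file_version = 2\n") : "[sssd]\nconfig_file_version = 2\n\n" + text
  end
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(text) }
  File.chmod(0o600, path)
end
```

Running check_sssd_conf on the 0644 broken sample reports both problems; after write_sssd_conf it reports none.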
Comment 3 Jiří Suchomel 2011-01-07 12:42:42 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > In latest package, I do not write the file when it is not present. Is it good
> > enough?
> Yes, I guess so. Though the main reasons why it was working were:
> 
> - sssd.conf needs to be 0600 (it might contain cleartext secrets, or cleartext
> equivalents). SSSD checks that upon startup and refuses to start if the file is
> not 0600. YaST created that file as 0644.
> 
> - the [sssd] section missed the line: 
> config_file_version = 2
> 
> yast2-ldap-client should probably check the above conditions, always when
> writing sssd.conf.

I don't think a check for permissions is needed when I ensure that YaST writes only into an existing file. If the file exists, it was created by the sssd package with correct permissions. If they were still wrong, the user must have changed them manually, which is bad, but YaST should not argue about it.