All;
I'm using Puppet to configure sssd domains. Generally I am trying to add them via separate files under /etc/sssd/conf.d/. The question I have is how the [sssd]/domains parameter is merged. My guess is that the highest numbered config file under conf.d will take precedence.
If that is the case I think my best bet would be to exclude this parameter from all conf.d files and only use the parameter in sssd.conf to control which domains get configured.
It would be very useful if the domains parameter could be merged across all conf.d files so one could simply drop a new domain configuration and have it be used.
Thoughts?
Thanks! -LJK
On Thu, Apr 13, 2017 at 07:39:48AM -0500, Lesley Kimmel wrote:
> All;
> I'm using Puppet to configure sssd domains. Generally I am trying to add them via separate files under /etc/sssd/conf.d/. The question I have is how the [sssd]/domains parameter is merged. My guess is that the highest numbered config file under conf.d will take precedence.
> If that is the case I think my best bet would be to exclude this parameter from all conf.d files and only use the parameter in sssd.conf to control which domains get configured.
> It would be very useful if the domains parameter could be merged across all conf.d files so one could simply drop a new domain configuration and have it be used.

What we were talking about (but it's not implemented yet) is that all domains with enabled=True flag would be enabled without being listed in the domains= option. So you'd just drop a file like this:

[domain/myldap]
id_provider = ldap
ldap_uri = ldap://my.ldap
enabled=True

Of course we'd need to figure out the ordering.. but perhaps just putting the domain into the enabled domains list when it's first read from the snippet would work?
On Thu, 2017-04-13 at 15:23 +0200, Jakub Hrozek wrote:
> On Thu, Apr 13, 2017 at 07:39:48AM -0500, Lesley Kimmel wrote:
>> All;
>> I'm using Puppet to configure sssd domains. Generally I am trying to add
>> them via separate files under /etc/sssd/conf.d/. The question I have is how
>> the [sssd]/domains parameter is merged. My guess is that the highest
>> numbered config file under conf.d will take precedence.
>> If that is the case I think my best bet would be to exclude this parameter
>> from all conf.d files and only use the parameter in sssd.conf to control
>> which domains get configured.
>> It would be very useful if the domains parameter could be merged across all
>> conf.d files so one could simply drop a new domain configuration and have
>> it be used.
>
> What we were talking about (but it's not implemented yet) is that all domains with enabled=True flag would be enabled without being listed in the domains= option. So you'd just drop a file like this:
>
> [domain/myldap]
> id_provider = ldap
> ldap_uri = ldap://my.ldap
> enabled=True
>
> Of course we'd need to figure out the ordering.. but perhaps just putting the domain into the enabled domains list when it's first read from the snippet would work?

If the snippets are read in order (with order specified as "alphabetic or something?), then that could be the order.

The problem is that the python configuration API does not preserve ordering of sections, so if you then use this in the main sssd.conf where you have multiple sections and you use the python API to change sssd.conf you may end up with reordered domains ... and that would definitely not be nice.
Simo.
On Thu, Apr 13, 2017 at 09:50:26AM -0400, Simo Sorce wrote:
> On Thu, 2017-04-13 at 15:23 +0200, Jakub Hrozek wrote:
>> On Thu, Apr 13, 2017 at 07:39:48AM -0500, Lesley Kimmel wrote:
>>> All;
>>> I'm using Puppet to configure sssd domains. Generally I am trying to add
>>> them via separate files under /etc/sssd/conf.d/. The question I have is how
>>> the [sssd]/domains parameter is merged. My guess is that the highest
>>> numbered config file under conf.d will take precedence.
>>> If that is the case I think my best bet would be to exclude this parameter
>>> from all conf.d files and only use the parameter in sssd.conf to control
>>> which domains get configured.
>>> It would be very useful if the domains parameter could be merged across all
>>> conf.d files so one could simply drop a new domain configuration and have
>>> it be used.
>>
>> What we were talking about (but it's not implemented yet) is that all domains with enabled=True flag would be enabled without being listed in the domains= option. So you'd just drop a file like this:
>>
>> [domain/myldap]
>> id_provider = ldap
>> ldap_uri = ldap://my.ldap
>> enabled=True
>>
>> Of course we'd need to figure out the ordering.. but perhaps just putting the domain into the enabled domains list when it's first read from the snippet would work?
>
> If the snippets are read in order (with order specified as "alphabetic or something?), then that could be the order.

This is exactly how it's used.

> The problem is that the python configuration API does not preserve ordering of sections, so if you then use this in the main sssd.conf where you have multiple sections and you use the python API to change sssd.conf you may end up with reordered domains ... and that would definitely not be nice.

Hmm, good point, we need to fix that..
On (17/04/17 10:41), Jakub Hrozek wrote:
> On Thu, Apr 13, 2017 at 09:50:26AM -0400, Simo Sorce wrote:
>> On Thu, 2017-04-13 at 15:23 +0200, Jakub Hrozek wrote:
>>> On Thu, Apr 13, 2017 at 07:39:48AM -0500, Lesley Kimmel wrote:
>>>> All;
>>>> I'm using Puppet to configure sssd domains. Generally I am trying to add
>>>> them via separate files under /etc/sssd/conf.d/. The question I have is how
>>>> the [sssd]/domains parameter is merged. My guess is that the highest
>>>> numbered config file under conf.d will take precedence.
>>>> If that is the case I think my best bet would be to exclude this parameter
>>>> from all conf.d files and only use the parameter in sssd.conf to control
>>>> which domains get configured.
>>>> It would be very useful if the domains parameter could be merged across all
>>>> conf.d files so one could simply drop a new domain configuration and have
>>>> it be used.
>>>
>>> What we were talking about (but it's not implemented yet) is that all domains with enabled=True flag would be enabled without being listed in the domains= option. So you'd just drop a file like this:
>>>
>>> [domain/myldap]
>>> id_provider = ldap
>>> ldap_uri = ldap://my.ldap
>>> enabled=True
>>>
>>> Of course we'd need to figure out the ordering.. but perhaps just putting the domain into the enabled domains list when it's first read from the snippet would work?
>>
>> If the snippets are read in order (with order specified as "alphabetic or something?), then that could be the order.
>
> This is exactly how it's used.
>
>> The problem is that the python configuration API does not preserve ordering of sections, so if you then use this in the main sssd.conf where you have multiple sections and you use the python API to change sssd.conf you may end up with reordered domains ... and that would definitely not be nice.
>
> Hmm, good point, we need to fix that..

There is nothing to fix :-). The agreement was that we do not support snippet files in python-sssdconfig.
So it would be an RFE to support them :-)
LS
On Tue, Apr 18, 2017 at 10:53:43AM +0200, Lukas Slebodnik wrote:
> On (17/04/17 10:41), Jakub Hrozek wrote:
>> On Thu, Apr 13, 2017 at 09:50:26AM -0400, Simo Sorce wrote:
>>> On Thu, 2017-04-13 at 15:23 +0200, Jakub Hrozek wrote:
>>>> On Thu, Apr 13, 2017 at 07:39:48AM -0500, Lesley Kimmel wrote:
>>>>> All;
>>>>> I'm using Puppet to configure sssd domains. Generally I am trying to add
>>>>> them via separate files under /etc/sssd/conf.d/. The question I have is how
>>>>> the [sssd]/domains parameter is merged. My guess is that the highest
>>>>> numbered config file under conf.d will take precedence.
>>>>> If that is the case I think my best bet would be to exclude this parameter
>>>>> from all conf.d files and only use the parameter in sssd.conf to control
>>>>> which domains get configured.
>>>>> It would be very useful if the domains parameter could be merged across all
>>>>> conf.d files so one could simply drop a new domain configuration and have
>>>>> it be used.
>>>>
>>>> What we were talking about (but it's not implemented yet) is that all domains with enabled=True flag would be enabled without being listed in the domains= option. So you'd just drop a file like this:
>>>>
>>>> [domain/myldap]
>>>> id_provider = ldap
>>>> ldap_uri = ldap://my.ldap
>>>> enabled=True
>>>>
>>>> Of course we'd need to figure out the ordering.. but perhaps just putting the domain into the enabled domains list when it's first read from the snippet would work?
>>>
>>> If the snippets are read in order (with order specified as "alphabetic or something?), then that could be the order.
>>
>> This is exactly how it's used.
>>
>>> The problem is that the python configuration API does not preserve ordering of sections, so if you then use this in the main sssd.conf where you have multiple sections and you use the python API to change sssd.conf you may end up with reordered domains ... and that would definitely not be nice.
>>
>> Hmm, good point, we need to fix that..
>
> There is nothing to fix :-). The agreement was that we do not support snippet files in python-sssdconfig.
> So it would be an RFE to support them :-)

This is not about the snippet files, but about the main config file.
If we support this:

[sssd]
# no domains= line here

[domain/foo]
enabled=true

[domain/bar]
enabled=true

then it's important that python-sssdconfig doesn't reverse the order of the [domain/] sections during some update.
On (18/04/17 11:01), Jakub Hrozek wrote:
> On Tue, Apr 18, 2017 at 10:53:43AM +0200, Lukas Slebodnik wrote:
>> On (17/04/17 10:41), Jakub Hrozek wrote:
>>> On Thu, Apr 13, 2017 at 09:50:26AM -0400, Simo Sorce wrote:
>>>> On Thu, 2017-04-13 at 15:23 +0200, Jakub Hrozek wrote:
>>>>> On Thu, Apr 13, 2017 at 07:39:48AM -0500, Lesley Kimmel wrote:
>>>>>> All;
>>>>>> I'm using Puppet to configure sssd domains. Generally I am trying to add
>>>>>> them via separate files under /etc/sssd/conf.d/. The question I have is how
>>>>>> the [sssd]/domains parameter is merged. My guess is that the highest
>>>>>> numbered config file under conf.d will take precedence.
>>>>>> If that is the case I think my best bet would be to exclude this parameter
>>>>>> from all conf.d files and only use the parameter in sssd.conf to control
>>>>>> which domains get configured.
>>>>>> It would be very useful if the domains parameter could be merged across all
>>>>>> conf.d files so one could simply drop a new domain configuration and have
>>>>>> it be used.
>>>>>
>>>>> What we were talking about (but it's not implemented yet) is that all domains with enabled=True flag would be enabled without being listed in the domains= option. So you'd just drop a file like this:
>>>>>
>>>>> [domain/myldap]
>>>>> id_provider = ldap
>>>>> ldap_uri = ldap://my.ldap
>>>>> enabled=True
>>>>>
>>>>> Of course we'd need to figure out the ordering.. but perhaps just putting the domain into the enabled domains list when it's first read from the snippet would work?
>>>>
>>>> If the snippets are read in order (with order specified as "alphabetic or something?), then that could be the order.
>>>
>>> This is exactly how it's used.
>>>
>>>> The problem is that the python configuration API does not preserve ordering of sections, so if you then use this in the main sssd.conf where you have multiple sections and you use the python API to change sssd.conf you may end up with reordered domains ... and that would definitely not be nice.
>>>
>>> Hmm, good point, we need to fix that..
>>
>> There is nothing to fix :-). The agreement was that we do not support snippet files in python-sssdconfig.
>> So it would be an RFE to support them :-)
>
> This is not about the snippet files, but about the main config file.
> If we support this:
>
> [sssd]
> # no domains= line here
>
> [domain/foo]
> enabled=true
>
> [domain/bar]
> enabled=true
>
> then it's important that python-sssdconfig doesn't reverse the order of the [domain/] sections during some update.

We do not support it yet. So it is not really related to this thread.
But you can add such notes to the existing ticket for such a feature. If we have one.
LS
On (13/04/17 07:39), Lesley Kimmel wrote:
> All;
> I'm using Puppet to configure sssd domains. Generally I am trying to add them via separate files under /etc/sssd/conf.d/. The question I have is how the [sssd]/domains parameter is merged. My guess is that the highest numbered config file under conf.d will take precedence.

sssd does not merge any colliding options. Last one wins. It does not matter whether it is in main sssd.conf or in /etc/sssd/conf.d. More details in man sssd.conf -> "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY"

> If that is the case I think my best bet would be to exclude this parameter from all conf.d files and only use the parameter in sssd.conf to control which domains get configured.
> It would be very useful if the domains parameter could be merged across all conf.d files so one could simply drop a new domain configuration and have it be used.

Do you plan to have more domains in separate snippet file in conf.d?
Could you describe what you want to achieve?
LS
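
The last-one-wins behaviour described in the reply above, worked through as an added example that is not part of the original thread and is not SSSD code: it computes which file ends up supplying `[sssd]/domains` and which configured domains are left out of it. The file names, domain names and sample contents are constructed, and Python's `configparser` with plain name sorting is assumed as a stand-in for SSSD's own parser and snippet ordering.

```python
import configparser

# Constructed sample input (not from the thread): a main sssd.conf and two snippets.
MAIN = """[sssd]
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
ldap_uri = ldap://corp.example
"""
SNIPPETS = {
    "10-lab.conf": "[sssd]\ndomains = lab\n\n[domain/lab]\nid_provider = ldap\n",
    "20-myldap.conf": "[domain/myldap]\nid_provider = ldap\nldap_uri = ldap://my.ldap\n",
}

def effective_domains(main_text, snippets):
    """Return (enabled, not_enabled, source_file) under last-one-wins semantics."""
    # Assumption: sssd.conf is read first, then *.conf snippets that do not
    # start with '.', in name order; plain sorted() stands in for locale order.
    files = [("sssd.conf", main_text)] + sorted(
        (name, text) for name, text in snippets.items()
        if name.endswith(".conf") and not name.startswith("."))
    value, source, defined = "", None, []
    for name, text in files:
        cp = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
        cp.read_string(text)
        if cp.has_option("sssd", "domains"):
            # A later file replaces the whole list; values are never merged.
            value, source = cp.get("sssd", "domains"), name
        for section in cp.sections():
            domain = section[len("domain/"):]
            if section.startswith("domain/") and domain not in defined:
                defined.append(domain)
    enabled = [d.strip() for d in value.split(",") if d.strip()]
    not_enabled = [d for d in defined if d not in enabled]
    return enabled, not_enabled, source

if __name__ == "__main__":
    enabled, not_enabled, source = effective_domains(MAIN, SNIPPETS)
    print(f"domains= taken from {source}: {enabled}")
    print(f"defined but not enabled: {not_enabled}")
```

With the sample input, the `domains = lab` line in `10-lab.conf` replaces the main file's `domains = corp`, so a configuration-management check like this can flag a dropped-in snippet that silently disables an existing domain.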
sssd-users@lists.fedorahosted.org