Chapter 3. Upgrading an IdM client from RHEL 7 to RHEL 8
Unlike IdM servers, performing an in-place upgrade of an IdM client from RHEL 7 to RHEL 8 is supported.
In RHEL 8, some uncommon options and unused functionality have been removed from the System Security Services Daemon (SSSD), the service responsible for authentication in an IdM environment. See the following sections for steps to remove those options.
3.1. Updating the SSSD configuration after upgrading to RHEL 8
After upgrading an Identity Management (IdM) client from Red Hat Enterprise Linux (RHEL) 7 to RHEL 8, certain SSSD configuration options might no longer be supported. The leapp upgrade application might provide more details about such options in the generated pre-upgrade report.
The following procedures describe how to update your SSSD configuration to address these issues.
Prerequisites
- You have upgraded an IdM client from RHEL 7 to RHEL 8.
- You have root permissions to edit /etc/sssd/sssd.conf.
3.1.1. Switching from the local ID provider to the files ID provider
If you see the following error, replace the local ID provider with the files ID provider:
SSSD Domain "example.com": local provider is no longer supported and the domain will be ignored.
Local provider is no longer supported.
Procedure
- Ensure any users and groups you retrieved with the local ID provider are also in the /etc/passwd and /etc/group files. This ensures that the files provider can access those users and groups.
  If you need to create users, use the useradd command. If you need to specify the UID, add the -u option:
  [root@client ~]# useradd -u 3001 username
  If you need to create groups, use the groupadd command. If you need to specify the GID, add the -g option:
  [root@client ~]# groupadd -g 5001 groupname
- Open the /etc/sssd/sssd.conf configuration file in a text editor. Replace id_provider=local with id_provider=files.
  [domain/example.com]
  id_provider = files
  ...
- Save the /etc/sssd/sssd.conf configuration file. Restart SSSD to load the configuration changes.
  [root@client ~]# systemctl restart sssd
3.1.2. Removing deprecated options
If you see either of the following errors regarding deprecated options, Red Hat recommends removing those options from the /etc/sssd/sssd.conf configuration file:
SSSD Domain "example.com": option ldap_groups_use_matching_rule_in_chain has no longer any effect
Option ldap_groups_use_matching_rule_in_chain was removed and it will be ignored.
SSSD Domain "example.com": option ldap_initgroups_use_matching_rule_in_chain has no longer any effect
Option ldap_initgroups_use_matching_rule_in_chain was removed and it will be ignored.
Procedure
- Open the /etc/sssd/sssd.conf configuration file in a text editor.
- Remove any occurrences of the ldap_groups_use_matching_rule_in_chain or ldap_initgroups_use_matching_rule_in_chain options.
- Save the /etc/sssd/sssd.conf configuration file. Restart SSSD to load the configuration changes.
  [root@client ~]# systemctl restart sssd
3.1.3. Enabling wildcard matching for sudo rules
The following warning indicates that sudo rules with wildcards in them will not work by default in RHEL 8, as the ldap_sudo_include_regexp option is now set to false by default.
SSSD Domain "example.com": sudo rules containing wildcards will stop working.
Default value of ldap_sudo_include_regexp changed from true to false for performance reason.
If you use sudo rules with wildcards and want to enable wildcard matching, manually set the ldap_sudo_include_regexp option to true.
Red Hat recommends against using wildcards to match sudo rules.
If the ldap_sudo_include_regexp option is set to true, SSSD downloads every sudo rule that contains a wildcard in the sudoHost attribute, which negatively impacts LDAP search performance.
Procedure
- Open the /etc/sssd/sssd.conf configuration file in a text editor. In the example.com domain, set ldap_sudo_include_regexp=true.
  [domain/example.com]
  ...
  ldap_sudo_include_regexp = true
  ...
- Save the /etc/sssd/sssd.conf configuration file. Restart SSSD to load the configuration changes.
  [root@client ~]# systemctl restart sssd
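The three procedures in sections 3.1.1 to 3.1.3 each amount to finding a specific key in /etc/sssd/sssd.conf and editing or removing it. As an added example, not part of the Red Hat documentation, the following POSIX shell script does the same checks in one pass: sssd_conf_audit lists every domain section that still uses id_provider=local, the two removed matching_rule_in_chain options, or ldap_sudo_include_regexp=true, and sssd_conf_migrate prints a copy of the file with the local provider switched to files and the removed options dropped, leaving everything else untouched. It assumes an INI-style file with one "key = value" per line and domain sections named [domain/<name>], as shown in this chapter; the function names are my own, and the configuration it runs against is a constructed sample rather than a real host's file.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: audit an sssd.conf for
# the RHEL 8 SSSD changes covered in sections 3.1.1 to 3.1.3 and print a
# migrated copy. Assumes an INI-style file with one "key = value" per line
# and domain sections named [domain/<name>]; function names are my own.

# Print one line per finding for every [domain/...] section. Exit status is
# 1 when anything was found, so the function can gate an upgrade pipeline.
sssd_conf_audit() {
    conf="${1:-/etc/sssd/sssd.conf}"
    awk '
        function flag(msg) { print section ": " msg; found = 1 }
        /^[ \t]*\[/ { section = $0; gsub(/^[ \t]+|[ \t]+$/, "", section); next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }              # comments, blank lines
        section ~ /^\[domain\// {
            line = $0; gsub(/[ \t]/, "", line)            # normalise "key = value"
            if (line ~ /^id_provider=local$/)
                flag("id_provider=local is no longer supported; switch to id_provider=files")
            if (line ~ /^ldap_groups_use_matching_rule_in_chain=/)
                flag("ldap_groups_use_matching_rule_in_chain was removed; delete it")
            if (line ~ /^ldap_initgroups_use_matching_rule_in_chain=/)
                flag("ldap_initgroups_use_matching_rule_in_chain was removed; delete it")
            if (line ~ /^ldap_sudo_include_regexp=true$/)
                flag("ldap_sudo_include_regexp=true keeps wildcard sudo rules working at an LDAP search performance cost; review")
        }
        END { exit found + 0 }
    ' "$conf"
}

# Write a RHEL 8-ready copy to stdout: the local ID provider becomes the files
# provider and the two removed options are dropped. Other lines pass through
# unchanged, so the result can be diffed against the original before use.
sssd_conf_migrate() {
    conf="${1:-/etc/sssd/sssd.conf}"
    awk '
        /^[ \t]*\[/ { section = $0; print; next }
        section ~ /^[ \t]*\[domain\// {
            line = $0; gsub(/[ \t]/, "", line)
            if (line ~ /^ldap_(init)?groups_use_matching_rule_in_chain=/) next
            if (line ~ /^id_provider=local$/) { sub(/local[ \t]*$/, "files"); print; next }
        }
        { print }
    ' "$conf"
}

# Constructed sample configuration (not a real host's file) that exercises
# every case: one IdM domain carrying the removed options and the sudo
# regexp setting, and one legacy domain still on the local provider.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.com, legacy
services = nss, pam, sudo

[domain/example.com]
id_provider = ipa
ipa_server = server.example.com
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
ldap_sudo_include_regexp = true

[domain/legacy]
id_provider = local
EOF

# Usage: audit first, then review the migrated copy before replacing the file.
sssd_conf_audit "$SAMPLE_CONF" || echo "-- findings above; migrated config follows --"
sssd_conf_migrate "$SAMPLE_CONF"
```

On a real client, run sssd_conf_audit /etc/sssd/sssd.conf before or after the leapp upgrade, redirect sssd_conf_migrate to a new file, diff it against the original, and only then copy it into place and run systemctl restart sssd as the procedures describe. The script deliberately leaves ldap_sudo_include_regexp alone, since section 3.1.3 makes that a judgement call, and it does not touch /etc/passwd or /etc/group, so step 1 of section 3.1.1 remains a manual check.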
3.2. List of SSSD functionality removed in RHEL 8
The following SSSD functionality has been removed in RHEL 8.
- The local ID provider has been removed
  The local ID provider, used to serve user information from the local SSSD cache, was deprecated in RHEL 7 and is no longer supported in RHEL 8. If you have a domain with id_provider=local in your /etc/sssd/sssd.conf configuration, SSSD ignores this domain and starts normally.
- Command line tools to manage users and groups in local domains have been removed
  The following commands, which only affected local domains, have been removed:
  - sss_useradd
  - sss_userdel
  - sss_groupadd
  - sss_groupdel
- Support for the ldap_groups_use_matching_rule_in_chain option has been removed
  This Active Directory-specific option does not provide a significant performance benefit and is ignored in any RHEL 8 sssd.conf configuration.
- Support for the ldap_initgroups_use_matching_rule_in_chain option has been removed
  This Active Directory-specific option does not provide a significant performance benefit and is ignored in any RHEL 8 sssd.conf configuration.
- The ldap_sudo_include_regexp option now defaults to false
  In RHEL 7, this option was set to true by default. If this option is set to true, SSSD downloads every sudo rule that contains a wildcard in the sudoHost attribute, which negatively impacts LDAP search performance.
- The sssd-secrets responder has been removed
  As the Kerberos Cache Manager (KCM) no longer relies on the sssd-secrets responder, and no other IdM process uses it, it has been removed.