Este contenido no está disponible en el idioma seleccionado.
Chapter 2. Upgrading an IdM client from RHEL 7 to RHEL 8
Unlike IdM servers, performing an in-place upgrade of an IdM client from RHEL 7 to RHEL 8 is supported.
In RHEL 8, some uncommon options and unused functionality have been removed from the System Security Services Daemon (SSSD), the service responsible for authentication in an IdM environment. See the following sections for steps to remove those options.
2.1. Updating the SSSD configuration after upgrading to RHEL 8
After upgrading an Identity Management (IdM) client from Red Hat Enterprise Linux (RHEL) 7 to RHEL 8, certain SSSD configuration options might no longer be supported. The leapp
upgrade application might provide more details about such options in the generated pre-upgrade report.
The following procedures describe how to update your SSSD configuration to address these issues.
Prerequisites
- You have upgraded an IdM client from RHEL 7 to RHEL 8.
-
You have
root
permissions to edit/etc/sssd/sssd.conf
.
2.1.1. Switching from the local
ID provider to the files
ID provider
If you see the following error, replace the local
ID provider with the files
ID provider:
SSSD Domain "example.com": local provider is no longer supported and the domain will be ignored.
Local provider is no longer supported.
Procedure
Ensure any users and groups you retrieved with the
local
ID provider are also in the/etc/passwd
and/etc/group
files. This ensures that thefiles
provider can access those users and groups.If you need to create users, use the
useradd
command. If you need to specify the UID, add the-u
option:[root@client ~]# useradd -u 3001 username
If you need to create groups, use the
groupadd
command. If you need to specify the GID, add the-g
option:[root@client ~]# groupadd -g 5001 groupname
-
Open the
/etc/sssd/sssd.conf
configuration file in a text editor. Replace
id_provider=local
withid_provider=files
.[domain/example.com] id_provider = files ...
-
Save the
/etc/sssd/sssd.conf
configuration file. Restart SSSD to load the configuration changes.
[root@client ~]# systemctl restart sssd
2.1.2. Removing deprecated options
If you see either of the following errors regarding deprecated options, Red Hat recommends removing those options from the /etc/sssd/sssd.conf
configuration file:
SSSD Domain "example.com": option ldap_groups_use_matching_rule_in_chain has no longer any effect Option ldap_groups_use_matching_rule_in_chain was removed and it will be ignored.
SSSD Domain "example.com": option ldap_initgroups_use_matching_rule_in_chain has no longer any effect Option ldap_initgroups_use_matching_rule_in_chain was removed and it will be ignored.
Procedure
-
Open the
/etc/sssd/sssd.conf
configuration file in a text editor. -
Remove any occurrences of
ldap_groups_use_matching_rule_in_chain
orldap_initgroups_use_matching_rule_in_chain
options. -
Save the
/etc/sssd/sssd.conf
configuration file. Restart SSSD to load the configuration changes.
[root@client ~]# systemctl restart sssd
2.1.3. Enabling wildcard matching for sudo rules
The following warning indicates that sudo
rules with wildcards in them will not work by default in RHEL 8, as the ldap_sudo_include_regexp
option is now set to false
by default.
SSSD Domain "example.com": sudo rules containing wildcards will stop working.
Default value of ldap_sudo_include_regexp changed from true to false for performance reason.
If you use sudo
rules with wildcards and want to enable wildcard matching, manually set the ldap_sudo_include_regexp
option to true
.
Red Hat recommends against using wildcards to match sudo
rules.
If the ldap_sudo_include_regexp
option is set to true
, SSSD downloads every sudo
rule that contains a wildcard in the sudoHost
attribute, which negatively impacts LDAP search performance.
Procedure
-
Open the
/etc/sssd/sssd.conf
configuration file in a text editor. In the
example.com
domain, setldap_sudo_include_regexp=true
.[domain/example.com] ... ldap_sudo_include_regexp = true ...
-
Save the
/etc/sssd/sssd.conf
configuration file. Restart SSSD to load the configuration changes.
[root@client ~]# systemctl restart sssd
2.2. List of SSSD functionality removed in RHEL 8
The following SSSD functionality has been removed in RHEL 8.
- The
local
ID provider has been removed -
The
local
ID provider, used to serve user information from the local SSSD cache, was deprecated in RHEL 7 and is no longer supported in RHEL 8. If you have a domain withid_provider=local
in your/etc/sssd/sssd.conf
configuration, SSSD ignores this domain and starts normally. - Command line tools to manage users and groups in
local
domains have been removed The following commands, which only affected
local
domains, have been removed:-
sss_useradd
-
sss_userdel
-
sss_groupadd
-
sss_groupdel
-
- Support for the
ldap_groups_use_matching_rule_in_chain
option has been removed -
This Active Directory-specific option does not provide a significant performance benefit and is ignored in any RHEL 8
sssd.conf
configuration. - Support for the
ldap_initgroups_use_matching_rule_in_chain
option has been removed -
This Active Directory-specific option does not provide a significant performance benefit and is ignored in any RHEL 8
sssd.conf
configuration. - The
ldap_sudo_include_regexp
option now defaults tofalse
-
In RHEL 7, this option was set to
true
by default. If this option is set totrue
, SSSD downloads everysudo
rule that contains a wildcard in thesudoHost
attribute, which negatively impacts LDAP search performance. - The
sssd-secrets
responder has been removed -
As the Kerberos Cache Manager (KCM) no longer relies on the
sssd-secrets
responder, and no other IdM process uses it, it has been removed.
2.3. Additional resources
- For more details on upgrading to RHEL 8, see Upgrading from RHEL 7 to RHEL 8.