SSSD on IPA should fail with short names #8261
Conversation
SSSD in server mode on IPA server is not allowed to use short names.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly implements a check to prevent SSSD from starting in IPA server mode when full_name_format is set to use only short names. The accompanying test case is also well-written and verifies the new behavior. My only suggestion is to add a system log message for the startup failure to improve visibility for administrators, as the current implementation only logs to the debug log.
| if (strcmp(be_ctx->domain->names->fq_fmt, "%1$s") == 0) { | ||
| DEBUG(SSSDBG_FATAL_FAILURE, "%s is set to [%s], this is prohibited in server mode!\n", | ||
| CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt); | ||
| return EINVAL; | ||
| } |
There was a problem hiding this comment.
When SSSD fails to start due to a configuration error, it's crucial to log a message to the system log (e.g., syslog or journald) so that administrators can easily diagnose the problem without needing to enable high-level debug logging. The existing check for a non-default full_name_format already does this using sss_log(). This new fatal error should do the same.
if (strcmp(be_ctx->domain->names->fq_fmt, "%1$s") == 0) {
DEBUG(SSSDBG_FATAL_FAILURE, "%s is set to [%s], this is prohibited in server mode!\n",
CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt);
sss_log(SSS_LOG_ERR, "%s is set to [%s], this is prohibited in server mode!\n",
CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt);
return EINVAL;
}
2 participants
SSSD should refuse to start when SSSD is in server mode and
full_name_formatis set to%1s$.