Chapter 2. Upgrading an IdM client from RHEL 7 to RHEL 8

Unlike IdM servers, performing an in-place upgrade of an IdM client from RHEL 7 to RHEL 8 is supported.

In RHEL 8, some uncommon options and unused functionality have been removed from the System Security Services Daemon (SSSD), the service responsible for authentication in an IdM environment. See the following sections for steps to remove those options.

2.1. Updating the SSSD configuration after upgrading to RHEL 8

After upgrading an Identity Management (IdM) client from Red Hat Enterprise Linux (RHEL) 7 to RHEL 8, certain SSSD configuration options might no longer be supported. The leapp upgrade application might provide more details about such options in the generated pre-upgrade report.

The following procedures describe how to update your SSSD configuration to address these issues.

Prerequisites

  • You have upgraded an IdM client from RHEL 7 to RHEL 8.
  • You have root permissions to edit /etc/sssd/sssd.conf.

2.1.1. Switching from the local ID provider to the files ID provider

If you see the following error, replace the local ID provider with the files ID provider: 

SSSD Domain "example.com": local provider is no longer supported and the domain will be ignored.
Local provider is no longer supported.

Procedure

  1. Ensure any users and groups you retrieved with the local ID provider are also in the /etc/passwd and /etc/group files. This ensures that the files provider can access those users and groups.

    1. If you need to create users, use the useradd command. If you need to specify the UID, add the -u option: 

      [root@client ~]# useradd -u 3001 username

    2. If you need to create groups, use the groupadd command. If you need to specify the GID, add the -g option: 

      [root@client ~]# groupadd -g 5001 groupname
  2. Open the /etc/sssd/sssd.conf configuration file in a text editor.

  3. Replace id_provider=local with id_provider=files. 

    [domain/example.com]
id_provider = files
...
  4. Save the /etc/sssd/sssd.conf configuration file.

  5. Restart SSSD to load the configuration changes. 

    [root@client ~]# systemctl restart sssd

2.1.2. Removing deprecated options

If you see either of the following errors regarding deprecated options, Red Hat recommends removing those options from the /etc/sssd/sssd.conf configuration file: 

SSSD Domain "example.com": option ldap_groups_use_matching_rule_in_chain has no longer any effect
Option ldap_groups_use_matching_rule_in_chain was removed and it will be ignored.
SSSD Domain "example.com": option ldap_initgroups_use_matching_rule_in_chain has no longer any effect
Option ldap_initgroups_use_matching_rule_in_chain was removed and it will be ignored.

Procedure

  1. Open the /etc/sssd/sssd.conf configuration file in a text editor.
  2. Remove any occurrences of ldap_groups_use_matching_rule_in_chain or ldap_initgroups_use_matching_rule_in_chain options.
  3. Save the /etc/sssd/sssd.conf configuration file.

  4. Restart SSSD to load the configuration changes. 

    [root@client ~]# systemctl restart sssd

2.1.3. Enabling wildcard matching for sudo rules

The following warning indicates that sudo rules with wildcards in them will not work by default in RHEL 8, as the ldap_sudo_include_regexp option is now set to false by default. 

SSSD Domain "example.com": sudo rules containing wildcards will stop working.
Default value of ldap_sudo_include_regexp changed from true to false for performance reason.

If you use sudo rules with wildcards and want to enable wildcard matching, manually set the ldap_sudo_include_regexp option to true.

Note

Red Hat recommends against using wildcards to match sudo rules.

If the ldap_sudo_include_regexp option is set to true, SSSD downloads every sudo rule that contains a wildcard in the sudoHost attribute, which negatively impacts LDAP search performance.

Procedure

  1. Open the /etc/sssd/sssd.conf configuration file in a text editor.

  2. In the example.com domain, set ldap_sudo_include_regexp=true. 

    [domain/example.com]
...
ldap_sudo_include_regexp = true
...
  3. Save the /etc/sssd/sssd.conf configuration file.

  4. Restart SSSD to load the configuration changes. 

    [root@client ~]# systemctl restart sssd

2.2. List of SSSD functionality removed in RHEL 8

The following SSSD functionality has been removed in RHEL 8.

The local ID provider has been removed
The local ID provider, used to serve user information from the local SSSD cache, was deprecated in RHEL 7 and is no longer supported in RHEL 8. If you have a domain with id_provider=local in your /etc/sssd/sssd.conf configuration, SSSD ignores this domain and starts normally.
Command line tools to manage users and groups in local domains have been removed

The following commands, which only affected local domains, have been removed:

  • sss_useradd
  • sss_userdel
  • sss_groupadd
  • sss_groupdel
Support for the ldap_groups_use_matching_rule_in_chain option has been removed
This Active Directory-specific option does not provide a significant performance benefit and is ignored in any RHEL 8 sssd.conf configuration.
Support for the ldap_initgroups_use_matching_rule_in_chain option has been removed
This Active Directory-specific option does not provide a significant performance benefit and is ignored in any RHEL 8 sssd.conf configuration.
The ldap_sudo_include_regexp option now defaults to false
In RHEL 7, this option was set to true by default. If this option is set to true, SSSD downloads every sudo rule that contains a wildcard in the sudoHost attribute, which negatively impacts LDAP search performance.
The sssd-secrets responder has been removed
As the Kerberos Cache Manager (KCM) no longer relies on the sssd-secrets responder, and no other IdM process uses it, it has been removed.

2.3. Additional resources