Comment 24 for bug 1919563

c) replace_setting()

c1) if a setting is disabled by this sed:
sed -i '/^\['"$1"'\]$/,/^\[/ s/^[^#;]*'"$2".*'\b/#& # disabled by dpkg\n'"$setting"'/g' "$SSSD_CONF" || true

That is also adding a blank line at the end (see the last \n) and breaks a bit the flow of the config file. For example, for kicks, I disabled "config_file_version" in [sssd], and the section became:

[sssd]
#config_file_version = 2 # disabled by dpkg

services = nss, pam
domains = LDAP # here is the domain

Just esthetics. If we happen to get another upload, then this \n could be dropped, unless it's handling a case I haven't seen.

c2) this function will fail if the section name ([name]) contains a "/", which is quite common:

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://localhost
cache_credentials = True
ldap_search_base = dc=example,dc=com

That's not the case in any of the uses in postinst, however, so no need to complicate it now to fix a problem that hasn't happened yet.

I was wondering if the certificate_verification and pam_cert_verification could appear inside a [domain/] section, but looks like that's not a valid config.