<refsect1 id='modified-default-options'>
<title>MODIFIED DEFAULT OPTIONS</title>
<para>
Certain option defaults do not match their respective backend
provider defaults, these option names and AD provider-specific
defaults are listed below:
</para>
<refsect2 id='krb5_modifications'>
<title>KRB5 Provider</title>
<itemizedlist>
<listitem>
<para>
krb5_validate = true
</para>
</listitem>
<listitem>
<para>
krb5_use_enterprise_principal = true
</para>
</listitem>
</itemizedlist>
</refsect2>
<refsect2 id='ldap_modifications'>
<title>LDAP Provider</title>
<itemizedlist>
<listitem>
<para>
ldap_schema = ad
</para>
</listitem>
<listitem>
<para>
ldap_force_upper_case_realm = true
</para>
</listitem>
<listitem>
<para>
ldap_id_mapping = true
</para>
</listitem>
<listitem>
<para>
ldap_sasl_mech = gssapi
</para>
</listitem>
<listitem>
<para>
ldap_referrals = false
</para>
</listitem>
<listitem>
<para>
ldap_account_expire_policy = ad
</para>
</listitem>
<listitem>
<para>
ldap_use_tokengroups = true
</para>
</listitem>
<listitem>
<para>
ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
</para>
<para>
The AD provider looks for a different principal than the
LDAP provider by default, because in an Active Directory
environment the principals are divided into two groups
- User Principals and Service Principals. Only User
Principal can be used to obtain a TGT and by default,
computer object's principal is constructed from
its sAMAccountName and the AD realm. The well-known
and thus cannot be used to get a TGT with.
</para>
</listitem>
</itemizedlist>
</refsect2>
</refsect1>