Cross Reference: /sssd-io/src/man/include/ad_modified_defaults.xml
<refsect1 id='modified-default-options'>
<title>MODIFIED DEFAULT OPTIONS</title>
<para>
Certain option defaults do not match the defaults of their respective
backend providers. These option names and their AD provider-specific
defaults are listed below:
</para>
<refsect2 id='krb5_modifications'>
<title>KRB5 Provider</title>
<itemizedlist>
<listitem>
<para>
krb5_validate = true
</para>
</listitem>
<listitem>
<para>
krb5_use_enterprise_principal = true
</para>
</listitem>
</itemizedlist>
</refsect2>
<refsect2 id='ldap_modifications'>
<title>LDAP Provider</title>
<itemizedlist>
<listitem>
<para>
ldap_schema = ad
</para>
</listitem>
<listitem>
<para>
ldap_force_upper_case_realm = true
</para>
</listitem>
<listitem>
<para>
ldap_id_mapping = true
</para>
</listitem>
<listitem>
<para>
ldap_sasl_mech = gssapi
</para>
</listitem>
<listitem>
<para>
ldap_referrals = false
</para>
</listitem>
<listitem>
<para>
ldap_account_expire_policy = ad
</para>
</listitem>
<listitem>
<para>
ldap_use_tokengroups = true
</para>
</listitem>
<listitem>
<para>
ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
</para>
<para>
The AD provider looks for a different principal than the
LDAP provider by default, because in an Active Directory
environment the principals are divided into two groups:
User Principals and Service Principals. Only a User
Principal can be used to obtain a TGT, and by default a
computer object's principal is constructed from
its sAMAccountName and the AD realm. The well-known
host/hostname@REALM principal is a Service Principal
and thus cannot be used to obtain a TGT.
</para>
</listitem>
</itemizedlist>
</refsect2>
</refsect1>
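The following is an added example, not part of the SSSD sources, that turns the ldap_sasl_authid explanation above into a check an administrator can run: it derives the principal the AD provider looks for by default (SHORTNAME$@REALM, realm upper-cased as ldap_force_upper_case_realm = true implies), parses a keytab listing in the format printed by klist -k, and reports whether that User Principal is present or whether the keytab only holds Service Principals such as host/fqdn@REALM, which cannot obtain a TGT. The keytab listings, the hostname client1.example.com and the realm EXAMPLE.COM are constructed sample data, and the assumption that the computer's sAMAccountName is the upper-cased short hostname plus a trailing dollar sign is the "typically" case the man page describes, not a rule SSSD enforces.

```python
"""Check whether a keytab contains the principal the SSSD AD provider uses
by default for ldap_sasl_authid (sAMAccountName@REALM, typically
SHORTNAME$@REALM). Added example, not SSSD code. The listings below are
constructed in `klist -k` output format so the script runs offline; on a
real host, feed it the actual output of `klist -k /etc/krb5.keytab`.
"""
import re

# Constructed sample: a keytab that holds both the computer account's
# User Principal (CLIENT1$@EXAMPLE.COM) and several Service Principals.
SAMPLE_KLIST_OK = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client1.example.com@EXAMPLE.COM
   3 host/CLIENT1@EXAMPLE.COM
   3 CLIENT1$@EXAMPLE.COM
   3 RestrictedKrbHost/client1.example.com@EXAMPLE.COM
"""

# Constructed sample: a keytab with Service Principals only. The AD
# provider's default authid is missing, so no TGT can be obtained with it.
SAMPLE_KLIST_SERVICE_ONLY = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client1.example.com@EXAMPLE.COM
   2 host/CLIENT1@EXAMPLE.COM
"""


def expected_authid(hostname: str, realm: str) -> str:
    """Build the principal the AD provider looks for by default.

    Assumption (the 'typically SHORTNAME$@REALM' case from the man page):
    the computer object's sAMAccountName is the upper-cased short hostname
    followed by '$'. The realm is upper-cased, matching the AD provider's
    ldap_force_upper_case_realm = true default.
    """
    shortname = hostname.split(".")[0].upper()
    return f"{shortname}$@{realm.upper()}"


def parse_keytab_listing(text: str) -> set[str]:
    """Return the set of principals found in `klist -k` style output.

    Entry lines look like '   3 host/client1.example.com@EXAMPLE.COM';
    the header and separator lines do not match and are skipped.
    """
    principals = set()
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def is_service_principal(principal: str) -> bool:
    """A Service Principal carries a service component before the host
    part, e.g. host/fqdn@REALM; a User Principal such as CLIENT1$@REALM
    does not."""
    return "/" in principal.split("@", 1)[0]


def check_keytab(listing: str, hostname: str, realm: str) -> dict:
    """Classify the keytab's principals and report whether the AD
    provider's default ldap_sasl_authid is available."""
    principals = parse_keytab_listing(listing)
    want = expected_authid(hostname, realm)
    return {
        "expected_authid": want,
        "authid_present": want in principals,
        "user_principals": sorted(p for p in principals
                                  if not is_service_principal(p)),
        "service_principals": sorted(p for p in principals
                                     if is_service_principal(p)),
    }


if __name__ == "__main__":
    for name, listing in (("ok", SAMPLE_KLIST_OK),
                          ("service-only", SAMPLE_KLIST_SERVICE_ONLY)):
        r = check_keytab(listing, "client1.example.com", "example.com")
        status = "present" if r["authid_present"] else "MISSING"
        print(f"[{name}] {r['expected_authid']}: {status}; "
              f"service principals: {', '.join(r['service_principals'])}")
```

When the report shows the expected authid missing, the keytab only supports service-principal use (host/...), which matches the situation the man page warns about: the AD provider will not be able to obtain a TGT with it, and either the computer account principal must be added to the keytab or ldap_sasl_authid must be set explicitly to a User Principal that is present.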