6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson Certain option defaults do not match their respective backend
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson provider defaults; these option names and the AD provider-specific
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson defaults are listed below:
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson <itemizedlist>
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson krb5_validate = true
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson krb5_use_enterprise_principal = true
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson </itemizedlist>
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson <itemizedlist>
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson ldap_schema = ad
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson ldap_force_upper_case_realm = true
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson ldap_id_mapping = true
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson ldap_sasl_mech = gssapi
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson ldap_referrals = false
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson ldap_account_expire_policy = ad
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson ldap_use_tokengroups = true
91d1e4c134b7c90abd2ff86b313175c542cd834cJakub Hrozek ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
91d1e4c134b7c90abd2ff86b313175c542cd834cJakub Hrozek The AD provider looks for a different principal than the
91d1e4c134b7c90abd2ff86b313175c542cd834cJakub Hrozek LDAP provider by default, because in an Active Directory
91d1e4c134b7c90abd2ff86b313175c542cd834cJakub Hrozek environment the principals are divided into two groups
91d1e4c134b7c90abd2ff86b313175c542cd834cJakub Hrozek - User Principals and Service Principals. Only a User
91d1e4c134b7c90abd2ff86b313175c542cd834cJakub Hrozek Principal can be used to obtain a TGT, and by default the
91d1e4c134b7c90abd2ff86b313175c542cd834cJakub Hrozek computer object's principal is constructed from
91d1e4c134b7c90abd2ff86b313175c542cd834cJakub Hrozek its sAMAccountName and the AD realm. The well-known
91d1e4c134b7c90abd2ff86b313175c542cd834cJakub Hrozek host/hostname@REALM principal is a Service Principal
91d1e4c134b7c90abd2ff86b313175c542cd834cJakub Hrozek and thus cannot be used to obtain a TGT.
6e27e8572f671de575d9ac2a34a677d9efc24fbcJustin Stephenson </itemizedlist>