a8c5a86d183db25a57bf193c06b41e092ec2e151Timo Sirainen<?xml version="1.0" encoding="UTF-8"?>
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
08d6658a4e2ec8104cd1307f6baa75fdb07a24f8Mark Washenberger"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen<reference>
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen<title>SSSD Manual pages</title>
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen<refentry>
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen <refmeta>
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen <refentrytitle>sssd-ipa</refentrytitle>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <manvolnum>5</manvolnum>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen </refmeta>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen
91e2dc36b9c0c91f0af716be81dc2aa6cbbed6c2Timo Sirainen <refnamediv id='name'>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <refname>sssd-ipa</refname>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <refpurpose>SSSD IPA provider</refpurpose>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen </refnamediv>
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <refsect1 id='description'>
0f39a57760d93cddbce3ca43096d78e0fe2f42fdTimo Sirainen <title>DESCRIPTION</title>
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen <para>
0f39a57760d93cddbce3ca43096d78e0fe2f42fdTimo Sirainen This manual page describes the configuration of the IPA provider
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen for
0f39a57760d93cddbce3ca43096d78e0fe2f42fdTimo Sirainen <citerefentry>
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen <refentrytitle>sssd</refentrytitle>
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen <manvolnum>8</manvolnum>
0f39a57760d93cddbce3ca43096d78e0fe2f42fdTimo Sirainen </citerefentry>.
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen <citerefentry>
0f39a57760d93cddbce3ca43096d78e0fe2f42fdTimo Sirainen <refentrytitle>sssd.conf</refentrytitle>
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen <manvolnum>5</manvolnum>
0f39a57760d93cddbce3ca43096d78e0fe2f42fdTimo Sirainen </citerefentry> manual page.
0f39a57760d93cddbce3ca43096d78e0fe2f42fdTimo Sirainen </para>
0f39a57760d93cddbce3ca43096d78e0fe2f42fdTimo Sirainen <para>
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen The IPA provider is a back end used to connect to an IPA server.
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen (Refer to the freeipa.org web site for information about IPA servers.)
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen This provider requires that the machine be joined to the IPA domain;
5c253723e8ef84cb71a80ced19efe597e8a90ea6Timo Sirainen configuration is almost entirely self-discovered and obtained
3313a51ef9b245248d672c20f930c52a577a42f7Timo Sirainen directly from the server.
ee6df9526e9716b3f1734d85b566e00fc41208bcTimo Sirainen </para>
ee6df9526e9716b3f1734d85b566e00fc41208bcTimo Sirainen <para>
cd75c360f244c96b9ee10e01ee3a66fad13183c8Timo Sirainen The IPA provider enables SSSD to use the
58bc77731bb25e900498a28409337e747f622722Timo Sirainen <citerefentry>
c2f24d55319fad0b6c03425f402f0cb0cb1a318bTimo Sirainen <refentrytitle>sssd-ldap</refentrytitle>
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen <manvolnum>5</manvolnum>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen </citerefentry> identity provider and the
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <citerefentry>
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen <refentrytitle>sssd-krb5</refentrytitle>
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen <manvolnum>5</manvolnum>
e9503210d3521a6833ed62dc332fc42ffb0e7a13Timo Sirainen </citerefentry> authentication provider with optimizations for IPA
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen environments. The IPA provider accepts the same options used by the
b0e9375a1ff97c9c7d40655922af5ccc73ecaa76Timo Sirainen sssd-ldap and sssd-krb5 providers with some exceptions. However, it is
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen neither necessary nor recommended to set these options.
b0e9375a1ff97c9c7d40655922af5ccc73ecaa76Timo Sirainen </para>
b0e9375a1ff97c9c7d40655922af5ccc73ecaa76Timo Sirainen <para>
b0e9375a1ff97c9c7d40655922af5ccc73ecaa76Timo Sirainen The IPA provider primarily copies the traditional ldap and krb5 provider
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen default options with some exceptions, the differences are listed in the
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <quote>MODIFIED DEFAULT OPTIONS</quote> section.
b0e9375a1ff97c9c7d40655922af5ccc73ecaa76Timo Sirainen </para>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <para>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen As an access provider, the IPA provider uses HBAC (host-based access control)
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen rules. Please refer to freeipa.org for more information about HBAC. No
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen configuration of access provider is required on the client side.
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen </para>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <para>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen If <quote>auth_provider=ipa</quote> or
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <quote>access_provider=ipa</quote> is configured
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen in sssd.conf then the id_provider must also be set to
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <quote>ipa</quote>.
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen </para>
1aad8ad0590bee2d09d5fdb5413af72e2a8e156aTimo Sirainen <para>
1aad8ad0590bee2d09d5fdb5413af72e2a8e156aTimo Sirainen The IPA provider will use the PAC responder if the Kerberos tickets
1aad8ad0590bee2d09d5fdb5413af72e2a8e156aTimo Sirainen of users from trusted realms contain a PAC. To make configuration
91e2dc36b9c0c91f0af716be81dc2aa6cbbed6c2Timo Sirainen easier the PAC responder is started automatically if the IPA ID
91e2dc36b9c0c91f0af716be81dc2aa6cbbed6c2Timo Sirainen provider is configured.
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen </para>
1aad8ad0590bee2d09d5fdb5413af72e2a8e156aTimo Sirainen </refsect1>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <refsect1 id='configuration-options'>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <title>CONFIGURATION OPTIONS</title>
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <citerefentry>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <refentrytitle>sssd.conf</refentrytitle>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <manvolnum>5</manvolnum>
b0e9375a1ff97c9c7d40655922af5ccc73ecaa76Timo Sirainen </citerefentry> manual page for details on the configuration of an SSSD domain.
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <variablelist>
b0e9375a1ff97c9c7d40655922af5ccc73ecaa76Timo Sirainen <varlistentry>
b0e9375a1ff97c9c7d40655922af5ccc73ecaa76Timo Sirainen <term>ipa_domain (string)</term>
b0e9375a1ff97c9c7d40655922af5ccc73ecaa76Timo Sirainen <listitem>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <para>
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen Specifies the name of the IPA domain.
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen This is optional. If not provided, the configuration
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen domain name is used.
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen </para>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen </listitem>
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen </varlistentry>
b0e9375a1ff97c9c7d40655922af5ccc73ecaa76Timo Sirainen
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <varlistentry>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <term>ipa_server, ipa_backup_server (string)</term>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <listitem>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <para>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen The comma-separated list of IP addresses or hostnames of the
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen IPA servers to which SSSD should connect in
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen the order of preference. For more information
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen on failover and server redundancy, see the
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <quote>FAILOVER</quote> section.
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen This is optional if autodiscovery is enabled.
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen For more information on service discovery, refer
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen to the <quote>SERVICE DISCOVERY</quote> section.
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen </para>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen </listitem>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen </varlistentry>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <varlistentry>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <term>ipa_hostname (string)</term>
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen <listitem>
91e2dc36b9c0c91f0af716be81dc2aa6cbbed6c2Timo Sirainen <para>
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen Optional. May be set on machines where the
91e2dc36b9c0c91f0af716be81dc2aa6cbbed6c2Timo Sirainen hostname(5) does not reflect the fully qualified
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen name used in the IPA domain to identify this host.
2e29e4797a48d78d669821722bdb54fd0a1d3b94Timo Sirainen The hostname must be fully qualified.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_update (boolean)</term>
<listitem>
<para>
Optional. This option tells SSSD to automatically
update the DNS server built into FreeIPA with
the IP address of this client. The update is
secured using GSS-TSIG. The IP address of the IPA
LDAP connection is used for the updates, if it is
not otherwise specified by using the
<quote>dyndns_iface</quote> option.
</para>
<para>
NOTE: On older systems (such as RHEL 5), for this
behavior to work reliably, the default Kerberos
realm must be set properly in /etc/krb5.conf
</para>
<para>
NOTE: While it is still possible to use the old
<emphasis>ipa_dyndns_update</emphasis> option, users
should migrate to using <emphasis>dyndns_update</emphasis>
in their config file.
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_ttl (integer)</term>
<listitem>
<para>
The TTL to apply to the client DNS record when updating it.
If dyndns_update is false this has no effect. This will
override the TTL serverside if set by an administrator.
</para>
<para>
NOTE: While it is still possible to use the old
<emphasis>ipa_dyndns_ttl</emphasis> option, users
should migrate to using <emphasis>dyndns_ttl</emphasis>
in their config file.
</para>
<para>
Default: 1200 (seconds)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_iface (string)</term>
<listitem>
<para>
Optional. Applicable only when dyndns_update
is true. Choose the interface or a list of interfaces
whose IP addresses should be used for dynamic DNS
updates. Special value <quote>*</quote> implies that
IPs from all interfaces should be used.
</para>
<para>
NOTE: While it is still possible to use the old
<emphasis>ipa_dyndns_iface</emphasis> option, users
should migrate to using <emphasis>dyndns_iface</emphasis>
in their config file.
</para>
<para>
Default: Use the IP addresses of the interface which
is used for IPA LDAP connection
</para>
<para>
Example: dyndns_iface = em1, vnet1, vnet2
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_auth (string)</term>
<listitem>
<para>
Whether the nsupdate utility should use GSS-TSIG
authentication for secure updates with the DNS
server, insecure updates can be sent by setting
this option to 'none'.
</para>
<para>
Default: GSS-TSIG
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_enable_dns_sites (boolean)</term>
<listitem>
<para>
Enables DNS sites - location based
service discovery.
</para>
<para>
If true and service discovery (see Service
Discovery paragraph at the bottom of the man page)
is enabled, then the SSSD will first attempt
location based discovery using a query that contains
"_location.hostname.example.com" and then fall back
to traditional SRV discovery. If the location based
discovery succeeds, the IPA servers located with
the location based discovery are treated as primary
servers and the IPA servers located using the
traditional SRV discovery are used as back up
servers
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_refresh_interval (integer)</term>
<listitem>
<para>
How often should the back end perform periodic DNS update in
addition to the automatic update performed when the back end
goes online.
This option is optional and applicable only when dyndns_update
is true.
</para>
<para>
Default: 0 (disabled)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_update_ptr (bool)</term>
<listitem>
<para>
Whether the PTR record should also be explicitly
updated when updating the client's DNS records.
Applicable only when dyndns_update is true.
</para>
<para>
This option should be False in most IPA
deployments as the IPA server generates the
PTR records automatically when forward records
are changed.
</para>
<para>
Default: False (disabled)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_force_tcp (bool)</term>
<listitem>
<para>
Whether the nsupdate utility should default to using
TCP for communicating with the DNS server.
</para>
<para>
Default: False (let nsupdate choose the protocol)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_server (string)</term>
<listitem>
<para>
The DNS server to use when performing a DNS
update. In most setups, it's recommended to leave
this option unset.
</para>
<para>
Setting this option makes sense for environments
where the DNS server is different from the identity
server.
</para>
<para>
Please note that this option will be only used in
fallback attempt when previous attempt using
autodetected settings failed.
</para>
<para>
Default: None (let nsupdate choose the server)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_deskprofile_search_base (string)</term>
<listitem>
<para>
Optional. Use the given string as search base for
Desktop Profile related objects.
</para>
<para>
Default: Use base DN
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_hbac_search_base (string)</term>
<listitem>
<para>
Optional. Use the given string as search base for
HBAC related objects.
</para>
<para>
Default: Use base DN
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_host_search_base (string)</term>
<listitem>
<para>
Deprecated. Use ldap_host_search_base instead.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_selinux_search_base (string)</term>
<listitem>
<para>
Optional. Use the given string as search base for
SELinux user maps.
</para>
<para>
See <quote>ldap_search_base</quote> for
information about configuring multiple search
bases.
</para>
<para>
Default: the value of
<emphasis>ldap_search_base</emphasis>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_subdomains_search_base (string)</term>
<listitem>
<para>
Optional. Use the given string as search base for
trusted domains.
</para>
<para>
See <quote>ldap_search_base</quote> for
information about configuring multiple search
bases.
</para>
<para>
Default: the value of
<emphasis>cn=trusts,%basedn</emphasis>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_master_domain_search_base (string)</term>
<listitem>
<para>
Optional. Use the given string as search base for
master domain object.
</para>
<para>
See <quote>ldap_search_base</quote> for
information about configuring multiple search
bases.
</para>
<para>
Default: the value of
<emphasis>cn=ad,cn=etc,%basedn</emphasis>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_views_search_base (string)</term>
<listitem>
<para>
Optional. Use the given string as search base for
views containers.
</para>
<para>
See <quote>ldap_search_base</quote> for
information about configuring multiple search
bases.
</para>
<para>
Default: the value of
<emphasis>cn=views,cn=accounts,%basedn</emphasis>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_realm (string)</term>
<listitem>
<para>
The name of the Kerberos realm. This is optional and
defaults to the value of <quote>ipa_domain</quote>.
</para>
<para>
The name of the Kerberos realm has a special
meaning in IPA - it is converted into the base
DN to use for performing LDAP operations.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_confd_path (string)</term>
<listitem>
<para>
Absolute path of a directory where SSSD should place
Kerberos configuration snippets.
</para>
<para>
To disable the creation of the configuration
snippets set the parameter to 'none'.
</para>
<para>
Default: not set (krb5.include.d subdirectory of
SSSD's pubconf directory)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_deskprofile_refresh (integer)</term>
<listitem>
<para>
The amount of time between lookups of the Desktop
Profile rules against the IPA server. This will
reduce the latency and load on the IPA server if
there are many desktop profiles requests made in a
short period.
</para>
<para>
Default: 5 (seconds)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_deskprofile_request_interval (integer)</term>
<listitem>
<para>
The amount of time between lookups of the Desktop
Profile rules against the IPA server in case the
last request did not return any rule.
</para>
<para>
Default: 60 (minutes)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_hbac_refresh (integer)</term>
<listitem>
<para>
The amount of time between lookups of the HBAC
rules against the IPA server. This will reduce the
latency and load on the IPA server if there are
many access-control requests made in a short
period.
</para>
<para>
Default: 5 (seconds)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_hbac_selinux (integer)</term>
<listitem>
<para>
The amount of time between lookups of the SELinux
maps against the IPA server. This will reduce the
latency and load on the IPA server if there are
many user login requests made in a short
period.
</para>
<para>
Default: 5 (seconds)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_server_mode (boolean)</term>
<listitem>
<para>
This option will be set by the IPA installer
(ipa-server-install) automatically and denotes
if SSSD is running on an IPA server or not.
</para>
<para>
On an IPA server SSSD will lookup users and groups
from trusted domains directly while on a client
it will ask an IPA server.
</para>
<para>
NOTE: There are currently some assumptions that
must be met when SSSD is running on an IPA server.
<itemizedlist>
<listitem>
<para>
The <quote>ipa_server</quote> option
must be configured to point to the
IPA server itself. This is already
the default set by the IPA installer,
so no manual change is required.
</para>
</listitem>
<listitem>
<para>
The <quote>full_name_format</quote>
option must not be tweaked to only
print short names for users from
trusted domains.
</para>
</listitem>
</itemizedlist>
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
<varlistentry condition="with_autofs">
<term>ipa_automount_location (string)</term>
<listitem>
<para>
The automounter location this IPA client will be using
</para>
<para>
Default: The location named "default"
</para>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/autofs_restart.xml" />
</listitem>
</varlistentry>
</variablelist>
</para>
<refsect2 id='views'>
<title>VIEWS AND OVERRIDES</title>
<para>
SSSD can handle views and overrides which are offered by
FreeIPA 4.1 and later version. Since all paths and objectclasses
are fixed on the server side there is basically no need to
configure anything. For completeness the related options are
listed here with their default values.
<variablelist>
<varlistentry>
<term>ipa_view_class (string)</term>
<listitem>
<para>
Objectclass of the view container.
</para>
<para>
Default: nsContainer
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_view_name (string)</term>
<listitem>
<para>
Name of the attribute holding the name of the
view.
</para>
<para>
Default: cn
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_override_object_class (string)</term>
<listitem>
<para>
Objectclass of the override objects.
</para>
<para>
Default: ipaOverrideAnchor
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_anchor_uuid (string)</term>
<listitem>
<para>
Name of the attribute containing the reference
to the original object in a remote domain.
</para>
<para>
Default: ipaAnchorUUID
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_user_override_object_class (string)</term>
<listitem>
<para>
Name of the objectclass for user overrides. It
is used to determine if the found override
object is related to a user or a group.
</para>
<para>
User overrides can contain attributes given by
<itemizedlist>
<listitem>
<para>ldap_user_name</para>
</listitem>
<listitem>
<para>ldap_user_uid_number</para>
</listitem>
<listitem>
<para>ldap_user_gid_number</para>
</listitem>
<listitem>
<para>ldap_user_gecos</para>
</listitem>
<listitem>
<para>ldap_user_home_directory</para>
</listitem>
<listitem>
<para>ldap_user_shell</para>
</listitem>
<listitem>
<para>ldap_user_ssh_public_key</para>
</listitem>
</itemizedlist>
</para>
<para>
Default: ipaUserOverride
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipa_group_override_object_class (string)</term>
<listitem>
<para>
Name of the objectclass for group overrides. It
is used to determine if the found override
object is related to a user or a group.
</para>
<para>
Group overrides can contain attributes given by
<itemizedlist>
<listitem>
<para>ldap_group_name</para>
</listitem>
<listitem>
<para>ldap_group_gid_number</para>
</listitem>
</itemizedlist>
</para>
<para>
Default: ipaGroupOverride
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect2>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ipa_modified_defaults.xml" />
<refsect1 id='subdomains_provider'>
<title>SUBDOMAINS PROVIDER</title>
<para>
The IPA subdomains provider behaves slightly differently
if it is configured explicitly or implicitly.
</para>
<para>
If the option 'subdomains_provider = ipa' is found in the
domain section of sssd.conf, the IPA subdomains provider is
configured explicitly, and all subdomain requests are sent to the
IPA server if necessary.
</para>
<para>
If the option 'subdomains_provider' is not set in the domain
section of sssd.conf but there is the option 'id_provider = ipa',
the IPA subdomains provider is configured implicitly. In this case,
if a subdomain request fails and indicates that the server does not
support subdomains, i.e. is not configured for trusts, the IPA
subdomains provider is disabled. After an hour or after the IPA
provider goes online, the subdomains provider is enabled again.
</para>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
<refsect1 id='example'>
<title>EXAMPLE</title>
<para>
The following example assumes that SSSD is correctly
configured and example.com is one of the domains in the
<replaceable>[sssd]</replaceable> section. This examples shows only
the ipa provider-specific options.
</para>
<para>
<programlisting>
[domain/example.com]
id_provider = ipa
ipa_server = ipaserver.example.com
ipa_hostname = myhost.example.com
</programlisting>
</para>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
</refentry>
</reference>