fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess<?xml version="1.0" encoding="UTF-8"?>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess<reference>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess<title>SSSD Manual pages</title>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess<refentry>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
5a58787efeb02a1c3f06569d019ad81fd2efa06end
5a58787efeb02a1c3f06569d019ad81fd2efa06end <refmeta>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <refentrytitle>sssd-ad</refentrytitle>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <manvolnum>5</manvolnum>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </refmeta>
5a58787efeb02a1c3f06569d019ad81fd2efa06end
5a58787efeb02a1c3f06569d019ad81fd2efa06end <refnamediv id='name'>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <refname>sssd-ad</refname>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <refpurpose>the configuration file for SSSD</refpurpose>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </refnamediv>
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd <refsect1 id='description'>
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd <title>DESCRIPTION</title>
33d72404431f4707b29dcebe8875bff549bacfd6nd <para>
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd This manual page describes the configuration of the AD provider
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd for
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd <citerefentry>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <refentrytitle>sssd</refentrytitle>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <manvolnum>8</manvolnum>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </citerefentry>.
5a58787efeb02a1c3f06569d019ad81fd2efa06end For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
5a58787efeb02a1c3f06569d019ad81fd2efa06end <citerefentry>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <refentrytitle>sssd.conf</refentrytitle>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <manvolnum>5</manvolnum>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </citerefentry> manual page.
5a58787efeb02a1c3f06569d019ad81fd2efa06end </para>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <para>
The AD provider is a back end used to connect to an Active
Directory server. This provider requires that the machine be
joined to the AD domain and that a keytab be available.
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess The AD provider supports connecting to Active Directory 2008 R2
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess or later. Earlier versions may work, but are unsupported.
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess The AD provider accepts the same options used by the
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <citerefentry>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <refentrytitle>sssd-ldap</refentrytitle>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <manvolnum>5</manvolnum>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </citerefentry> identity provider and the
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <citerefentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <refentrytitle>sssd-krb5</refentrytitle>
9bcfc3697a91b5215893a7d0206865b13fc72148nd <manvolnum>5</manvolnum>
9bcfc3697a91b5215893a7d0206865b13fc72148nd </citerefentry> authentication provider with some exceptions described
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess below.
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess However, it is neither necessary nor recommended to set these
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess options. The AD provider can also be used as an access and chpass
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess provider. No configuration of the access provider is required on
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess the client side.
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess By default, the AD provider will map UID and GID values from the
cd9f05dfac570b44f26f531e01869e679c45401berikabele objectSID parameter in Active Directory. For details on this, see
cd9f05dfac570b44f26f531e01869e679c45401berikabele the <quote>ID MAPPING</quote> section below. If you want to
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess disable ID mapping and instead rely on POSIX attributes defined in
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess Active Directory, you should set
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <programlisting>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kessldap_id_mapping = False
9bcfc3697a91b5215893a7d0206865b13fc72148nd </programlisting>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </refsect1>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <refsect1 id='file-format'>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <title>CONFIGURATION OPTIONS</title>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <citerefentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <refentrytitle>sssd.conf</refentrytitle>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <manvolnum>5</manvolnum>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </citerefentry> manual page for details on the configuration of an SSSD domain.
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <variablelist>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <varlistentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <term>ad_domain (string)</term>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <listitem>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <para>
5a58787efeb02a1c3f06569d019ad81fd2efa06end Specifies the name of the Active Directory domain.
5a58787efeb02a1c3f06569d019ad81fd2efa06end This is optional. If not provided, the
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess configuration domain name is used.
9bcfc3697a91b5215893a7d0206865b13fc72148nd </para>
9bcfc3697a91b5215893a7d0206865b13fc72148nd <para>
For proper operation, this option should be
specified as the lower-case form of the long
name of the Active Directory domain.
49038652341bbe660a629c860507622583f8fdf0kess </para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </listitem>
49038652341bbe660a629c860507622583f8fdf0kess </varlistentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <varlistentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <term>ad_server, ad_backup_server (string)</term>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <listitem>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <para>
5a58787efeb02a1c3f06569d019ad81fd2efa06end The comma-separated list of IP addresses or
5a58787efeb02a1c3f06569d019ad81fd2efa06end hostnames of the AD servers to which SSSD should
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess connect in order of preference. For more
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess information on failover and server redundancy, see
9bcfc3697a91b5215893a7d0206865b13fc72148nd the <quote>FAILOVER</quote> section.
9bcfc3697a91b5215893a7d0206865b13fc72148nd This is optional if autodiscovery is enabled.
For more information on service discovery, refer
to the <quote>SERVICE DISCOVERY</quote> section.
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </listitem>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </varlistentry>
49038652341bbe660a629c860507622583f8fdf0kess
49038652341bbe660a629c860507622583f8fdf0kess <varlistentry>
49038652341bbe660a629c860507622583f8fdf0kess <term>ad_hostname (string)</term>
49038652341bbe660a629c860507622583f8fdf0kess <listitem>
49038652341bbe660a629c860507622583f8fdf0kess <para>
49038652341bbe660a629c860507622583f8fdf0kess Optional. May be set on machines where the
49038652341bbe660a629c860507622583f8fdf0kess hostname(5) does not reflect the fully qualified
49038652341bbe660a629c860507622583f8fdf0kess name used in the Active Directory domain to
49038652341bbe660a629c860507622583f8fdf0kess identify this host.
49038652341bbe660a629c860507622583f8fdf0kess </para>
49038652341bbe660a629c860507622583f8fdf0kess <para>
49038652341bbe660a629c860507622583f8fdf0kess This field is used to determine the host principal
49038652341bbe660a629c860507622583f8fdf0kess in use in the keytab. It must match the hostname
49038652341bbe660a629c860507622583f8fdf0kess for which the keytab was issued.
49038652341bbe660a629c860507622583f8fdf0kess </para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </listitem>
49038652341bbe660a629c860507622583f8fdf0kess </varlistentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <varlistentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <term>override_homedir (string)</term>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <listitem>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <para>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess Override the user's home directory. You
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess can either provide an absolute value or a
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess template. In the template, the following
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess sequences are substituted:
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <variablelist>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <varlistentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <term>%u</term>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <listitem><para>login name</para></listitem>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </varlistentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <varlistentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <term>%U</term>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <listitem><para>UID number</para></listitem>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess </varlistentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <varlistentry>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <term>%d</term>
fefb8b844b6286bfc41bb2e0c4cc003b8e7d4ff2kess <listitem><para>domain name</para></listitem>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </varlistentry>
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd <varlistentry>
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd <term>%f</term>
33d72404431f4707b29dcebe8875bff549bacfd6nd <listitem><para>fully qualified user name (user@domain)</para></listitem>
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd </varlistentry>
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd <varlistentry>
b95ae799514ad86a15610ad75808d7065e9847c9kess <term>%%</term>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <listitem><para>a literal '%'</para>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </listitem>
</varlistentry>
</variablelist>
</para>
<para>
This option can also be set per-domain.
</para>
<para>
example:
<programlisting>
override_homedir = /home/%u
</programlisting>
</para>
<para>
Default: Not set (SSSD will use the value
retrieved from LDAP)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>fallback_homedir (string)</term>
<listitem>
<para>
Set a default template for a user's home directory
if one is not specified explicitly by the domain's
data provider.
</para>
<para>
The available values for this option are the same
as for override_homedir.
</para>
<para>
example:
<programlisting>
fallback_homedir = /home/%u
</programlisting>
</para>
<para>
Default: not set (no substitution for unset home
directories)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>default_shell</term>
<listitem>
<para>
The default shell to use if the provider does not
return one during lookup. This option supersedes
any other shell options if it takes effect.
</para>
<para>
Default: not set (Return NULL if no shell is
specified and rely on libc to substitute something
sensible when necessary, usually /bin/sh)
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_id_mapping.xml" />
<refsect1 id='example'>
<title>EXAMPLE</title>
<para>
The following example assumes that SSSD is correctly
configured and example.com is one of the domains in the
<replaceable>[sssd]</replaceable> section. This example shows only
the AD provider-specific options.
</para>
<para>
<programlisting>
[domain/EXAMPLE]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = dc1.example.com
ad_hostname = client.example.com
ad_domain = example.com
</programlisting>
</para>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
</refentry>
</reference>