<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
<title>SSSD Manual pages</title>
<refentrytitle>sssd-ad</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
<refnamediv id='name'>
<refname>sssd-ad</refname>
<refpurpose>the configuration file for SSSD</refpurpose>
<refsect1 id='description'>
<title>DESCRIPTION</title>
This manual page describes the configuration of the AD provider
<refentrytitle>sssd</refentrytitle>
<manvolnum>8</manvolnum>
For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
</citerefentry> manual page.
The AD provider is a back end used to connect to an Active Directory server. This provider requires that the machine be joined to the AD domain and a keytab is available.

The AD provider supports connecting to Active Directory 2008 R2 or later. Earlier versions may work, but are unsupported.

The AD provider accepts the same options used by the
<refentrytitle>sssd-ldap</refentrytitle>
</citerefentry> identity provider and the
<refentrytitle>sssd-krb5</refentrytitle>
</citerefentry> authentication provider with some exceptions described
However, it is neither necessary nor recommended to set these options. The AD provider can also be used as an access and chpass provider. No configuration of the access provider is required on

By default, the AD provider will map UID and GID values from the objectSID parameter in Active Directory. For details on this, see the <quote>ID MAPPING</quote> section below. If you want to disable ID mapping and instead rely on POSIX attributes defined in Active Directory, you should set

Users, groups and other entities served by SSSD are always treated as case-insensitive in the AD provider for compatibility with Active Directory's LDAP implementation.
<refsect1 id='file-format'>
<title>CONFIGURATION OPTIONS</title>
<para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
</citerefentry> manual page for details on the configuration of an SSSD domain.
<term>ad_domain (string)</term>
Specifies the name of the Active Directory domain. This is optional. If not provided, the configuration domain name is used. For proper operation, this option should be specified as the lower-case version of the long version of the Active Directory domain. The short domain name (also known as the NetBIOS or the flat name) is autodetected by the SSSD.
<term>ad_server, ad_backup_server (string)</term>
The comma-separated list of IP addresses or hostnames of the AD servers to which SSSD should connect, in order of preference. For more information on failover and server redundancy, see the <quote>FAILOVER</quote> section. This is optional if autodiscovery is enabled. For more information on service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section.
<term>ad_hostname (string)</term>
Optional. May be set on machines where the hostname(5) does not reflect the fully qualified name used in the Active Directory domain to
This field is used to determine the host principal in use in the keytab. It must match the hostname for which the keytab was issued.
<term>ad_enable_dns_sites (boolean)</term>
Enables DNS sites - location based
If true and service discovery (see the <quote>SERVICE DISCOVERY</quote> section at the bottom of the man page) is enabled, the SSSD will first attempt to discover the Active Directory server to connect to using Active Directory Site Discovery, and fall back to the DNS SRV records if no AD site is found. The DNS SRV configuration, including the discovery domain, is used during site discovery as well.
<term>dyndns_update (boolean)</term>
Optional. This option tells SSSD to automatically update the Active Directory DNS server with the IP address of this client. The update is secured using GSS-TSIG. As a consequence, the Active Directory administrator only needs to allow secure updates for the DNS zone. The IP address of the AD LDAP connection is used for the updates, if it is not otherwise specified by using the <quote>dyndns_iface</quote> option.
NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, the default Kerberos
<term>dyndns_ttl (integer)</term>
The TTL to apply to the client DNS record when updating it. If dyndns_update is false this has no effect. This will override the server-side TTL if one has been set by an administrator.
<term>dyndns_iface (string)</term>
Optional. Applicable only when dyndns_update is true. Choose the interface whose IP address should be used for dynamic DNS updates.
Default: Use the IP address of the AD LDAP connection
<term>dyndns_refresh_interval (integer)</term>
How often the back end should perform a periodic DNS update, in addition to the automatic update performed when the back end
This option is optional and applicable only when dyndns_update
<term>dyndns_update_ptr (bool)</term>
Whether the PTR record should also be explicitly updated when updating the client's DNS records. Applicable only when dyndns_update is true.
<term>dyndns_force_tcp (bool)</term>
Whether the nsupdate utility should default to using TCP for communicating with the DNS server.
Default: False (let nsupdate choose the protocol)
<term>krb5_use_enterprise_principal (boolean)</term>
Specifies if the user principal should be treated as an enterprise principal. See section 5 of RFC 6806 for more details about enterprise principals. Note that this default differs from the traditional Kerberos provider back end.
The following example assumes that SSSD is correctly
<replaceable>[sssd]</replaceable> section. This example shows only the AD provider-specific options.
The AD access control provider checks if the account is expired. It has the same effect as the following configuration of the LDAP
ldap_access_order = expire
ldap_account_expire_policy = ad
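As an added example that is not part of this manual page, the fragment below shows an sssd.conf domain section that puts the options described above together, with the AD access provider doing the account-expiration check that the two LDAP options just shown would otherwise express. The domain name, server and client host names, interface name and interval values are placeholders chosen for illustration.

```ini
# Added example, not from the sssd-ad manual page.
# Placeholders: example.com, dc1/dc2/dc3, client.example.com, eth0.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
# Same effect as ldap_access_order = expire plus
# ldap_account_expire_policy = ad on the LDAP access provider.
access_provider = ad

# Lower-case long form of the AD domain; the NetBIOS name is autodetected.
ad_domain = example.com
# Preferred servers and backups, in order; omit both to rely on discovery.
ad_server = dc1.example.com, dc2.example.com
ad_backup_server = dc3.example.com
# Must match the host for which the keytab was issued.
ad_hostname = client.example.com
# Try AD site discovery first, then fall back to DNS SRV records.
ad_enable_dns_sites = True

# Dynamic DNS: updates are GSS-TSIG secured, so the zone only needs
# "secure updates" enabled on the AD side.
dyndns_update = True
# Use this interface's address rather than the AD LDAP connection's.
dyndns_iface = eth0
# Periodic refresh in seconds (placeholder value) plus PTR and TTL handling.
dyndns_refresh_interval = 86400
dyndns_update_ptr = True
dyndns_ttl = 3600
dyndns_force_tcp = False

# Set explicitly so the choice does not depend on the provider default.
krb5_use_enterprise_principal = True

# UID/GID values are mapped from objectSID unless ID mapping is disabled;
# ldap_id_mapping is the sssd-ldap(5) option that controls this.
# ldap_id_mapping = False
```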