sssd-ad.5.xml revision 5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refpurpose>the configuration file for SSSD</refpurpose>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This manual page describes the configuration of the AD provider
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry>.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> manual page.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The AD provider is a back end used to connect to an Active
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher Directory server. This provider requires that the machine be
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher joined to the AD domain and a keytab is available.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The AD provider supports connecting to Active Directory 2008 R2
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher or later. Earlier versions may work, but are unsupported.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The AD provider accepts the same options used by the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> identity provider and the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> authentication provider with some exceptions described
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher However, it is neither necessary nor recommended to set these
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher options. The AD provider can also be used as an access and chpass
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher provider. No configuration of the access provider is required on
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher the client side.
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher By default, the AD provider will map UID and GID values from the
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher objectSID parameter in Active Directory. For details on this, see
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher the <quote>ID MAPPING</quote> section below. If you want to
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher disable ID mapping and instead rely on POSIX attributes defined in
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher Active Directory, you should set
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <programlisting>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagherldap_id_mapping = False
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </programlisting>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> manual page for details on the configuration of an SSSD domain.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <variablelist>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher Specifies the name of the Active Directory domain.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This is optional. If not provided, the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher configuration domain name is used.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher For proper operation, this option should be
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher specified as the lower-case version of the long
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher version of the Active Directory domain.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The comma-separated list of IP addresses or
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher hostnames of the AD servers to which SSSD should
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher connect in order of preference. For more
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher information on failover and server redundancy, see
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This is optional if autodiscovery is enabled.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher For more information on service discovery, refer
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher to the the <quote>SERVICE DISCOVERY</quote> section.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher Optional. May be set on machines where the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher hostname(5) does not reflect the fully qualified
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher name used in the Active Directory domain to
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher identify this host.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This field is used to determine the host principal
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher in use in the keytab. It must match the hostname
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher for which the keytab was issued.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher Override the user's home directory. You
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher can either provide an absolute value or a
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher template. In the template, the following
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher sequences are substituted:
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <variablelist>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <listitem><para>login name</para></listitem>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <listitem><para>UID number</para></listitem>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <listitem><para>domain name</para></listitem>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <listitem><para>fully qualified user name (user@domain)</para></listitem>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </variablelist>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher This option can also be set per-domain.
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <programlisting>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagheroverride_homedir = /home/%u
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </programlisting>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher Default: Not set (SSSD will use the value
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher retrieved from LDAP)
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher Set a default template for a user's home directory
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher if one is not specified explicitly by the domain's
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher data provider.
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher The available values for this option are the same
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher as for override_homedir.
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <programlisting>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagherfallback_homedir = /home/%u
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </programlisting>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher Default: not set (no substitution for unset home
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <varlistentry>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher The default shell to use if the provider does not
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher return one during lookup. This option supersedes
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher any other shell options if it takes effect.
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher Default: not set (Return NULL if no shell is
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher specified and rely on libc to substitute something
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </variablelist>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_id_mapping.xml" />
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The following example assumes that SSSD is correctly
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher configured and example.com is one of the domains in the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <replaceable>[sssd]</replaceable> section. This example shows only
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher the AD provider-specific options.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<programlisting>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagherid_provider = ad
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagherauth_provider = ad
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagheraccess_provider = ad
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagherchpass_provider = ad
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher</programlisting>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />