sssd-ad.5.xml revision 728a1812b7c5f70febb522342c5b357da598acfe
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
</refmeta>
</refnamediv>
This manual page describes the configuration of the AD provider
<citerefentry>
</citerefentry>.
For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
<citerefentry>
</citerefentry> manual page.
The AD provider is a back end used to connect to an Active
Directory server. This provider requires that the machine be
joined to the AD domain and a keytab is available.
The AD provider supports connecting to Active Directory 2008 R2
or later. Earlier versions may work, but are unsupported.
The AD provider is able to provide identity information and
authentication for entities from trusted domains as well. Currently
only trusted domains in the same forest are recognized.
The AD provider accepts the same options used by the
<citerefentry>
</citerefentry> identity provider and the
<citerefentry>
</citerefentry> authentication provider with some exceptions described
However, it is neither necessary nor recommended to set these
options. The AD provider can also be used as an access and chpass
provider. No configuration of the access provider is required on
the client side.
By default, the AD provider will map UID and GID values from the
objectSID parameter in Active Directory. For details on this, see
the <quote>ID MAPPING</quote> section below. If you want to
disable ID mapping and instead rely on POSIX attributes defined in
Active Directory, you should set
<programlisting>
ldap_id_mapping = False
</programlisting>
Users, groups and other entities served by SSSD are always treated as
case-insensitive in the AD provider for compatibility with Active
Directory's LDAP implementation.
</refsect1>
<para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
<citerefentry>
</citerefentry> manual page for details on the configuration of an SSSD domain.
<variablelist>
<varlistentry>
<listitem>
Specifies the name of the Active Directory domain.
This is optional. If not provided, the
configuration domain name is used.
For proper operation, this option should be
specified as the lower-case version of the long
version of the Active Directory domain.
The short domain name (also known as the NetBIOS
or the flat name) is autodetected by the SSSD.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The comma-separated list of
hostnames of the AD servers to which SSSD should
connect in order of preference. For more
information on failover and server redundancy, see
This is optional if autodiscovery is enabled.
For more information on service discovery, refer
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Optional. May be set on machines where the
hostname(5) does not reflect the fully qualified
name used in the Active Directory domain to
identify this host.
This field is used to determine the host principal
in use in the keytab. It must match the hostname
for which the keytab was issued.
</listitem>
</varlistentry>
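The two constraints stated above, that ad_domain should be the lower-case long form of the AD domain and that ad_hostname must match the host principal the keytab was issued for, are easy to get wrong on a host whose hostname(5) differs from its AD name. The following Python script is an added example, not part of SSSD, that checks a domain section of sssd.conf against the principals in the machine keytab. The sssd.conf fragment and the `klist -k` listing are constructed for the example; on a real host the listing would be read from `klist -k` on /etc/krb5.keytab. It assumes the Kerberos realm is the upper-cased ad_domain, which is how an AD realm is normally named, and the functions `check_ad_options`, `keytab_principals` and `id_mapping_enabled` are names chosen here, not SSSD APIs.

```python
"""Sanity-check AD provider options in an sssd.conf domain section.

Added example, not SSSD code. It applies the two rules the sssd-ad(5)
page gives for ad_domain and ad_hostname, and reports which ID source
(objectSID mapping or POSIX attributes) the section selects.
"""
import configparser
import re
from typing import List

# Constructed sssd.conf fragment; hostnames and domain are illustrative.
SSSD_CONF = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
ad_domain = example.com
ad_server = dc1.example.com
ad_hostname = client.example.com
ldap_id_mapping = False
"""

# Constructed text in the shape `klist -k` prints; not captured from a real host.
KLIST_OUTPUT = """
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM
   2 CLIENT$@EXAMPLE.COM
"""


def keytab_principals(klist_text: str) -> List[str]:
    """Return the principal names from `klist -k` style output (KVNO, principal)."""
    principals = []
    for line in klist_text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(1))
    return principals


def id_mapping_enabled(conf_text: str, section: str) -> bool:
    """True when the section relies on objectSID-based ID mapping (the default)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # SSSD maps IDs from objectSID unless ldap_id_mapping is explicitly False.
    return cp.getboolean(section, "ldap_id_mapping", fallback=True)


def check_ad_options(conf_text: str, klist_text: str, section: str) -> List[str]:
    """Return a list of problems found; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if section not in cp:
        return [f"section [{section}] not found"]
    dom = cp[section]
    problems = []
    if dom.get("id_provider") != "ad":
        problems.append("id_provider is not 'ad'")

    # ad_domain defaults to the configuration domain name (text after 'domain/').
    ad_domain = dom.get("ad_domain", section.split("/", 1)[-1])
    if ad_domain != ad_domain.lower():
        problems.append(f"ad_domain '{ad_domain}' is not lower-case")
    if "." not in ad_domain:
        problems.append(f"ad_domain '{ad_domain}' looks like a short (NetBIOS) name, "
                        "not the long DNS domain name")

    # ad_hostname selects the host principal; it must exist in the keytab.
    ad_hostname = dom.get("ad_hostname")
    if ad_hostname:
        realm = ad_domain.upper()  # assumption: realm is the upper-cased AD domain
        expected = f"host/{ad_hostname}@{realm}"
        if expected not in keytab_principals(klist_text):
            problems.append(f"keytab has no principal {expected}")
        if not ad_hostname.lower().endswith("." + ad_domain):
            problems.append(f"ad_hostname '{ad_hostname}' is not inside ad_domain '{ad_domain}'")
    return problems


if __name__ == "__main__":
    section = "domain/example.com"
    for p in check_ad_options(SSSD_CONF, KLIST_OUTPUT, section) or ["all checks passed"]:
        print(p)
    print("ID source:", "objectSID mapping" if id_mapping_enabled(SSSD_CONF, section)
          else "POSIX attributes from AD")
```

Run it after joining a host and before starting sssd; a missing `host/` principal reported here is the same mismatch that otherwise shows up later as a GSSAPI failure in the sssd domain log.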
<varlistentry>
<listitem>
Enables DNS sites - location based
service discovery.
If true and service discovery (see Service
Discovery paragraph at the bottom of the man page)
is enabled, the SSSD will first attempt to discover
the Active Directory server to connect to using the
Active Directory Site Discovery and fall back to
the DNS SRV records if no AD site is found. The
DNS SRV configuration, including the discovery
domain, is used during site discovery as well.
Default: true
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Optional. This option tells SSSD to automatically
update the Active Directory DNS server with
the IP address of this client. The update is
secured using GSS-TSIG. As a consequence, the
Active Directory administrator only needs to
allow secure updates for the DNS zone. The IP
address of the AD LDAP connection is used for
the updates, if it is not otherwise specified
configured and example.com is one of the domains in the
ad_server = dc1.example.com
ad_hostname = client.example.com
ad_domain = example.com