sssd-ad.5.xml revision ad1be6fd04234f61f108773ff39aa7485abda47c
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
<reference>
<title>SSSD Manual pages</title>
<refentry>
<refmeta>
<refentrytitle>sssd-ad</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>sssd-ad</refname>
<refpurpose>the configuration file for SSSD</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
This manual page describes the configuration of the AD provider
for
<citerefentry>
<refentrytitle>sssd</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>.
For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
<citerefentry>
<manvolnum>5</manvolnum>
</citerefentry> manual page.
</para>
<para>
The AD provider is a back end used to connect to an Active
Directory server. This provider requires that the machine be
joined to the AD domain and a keytab is available.
</para>
<para>
The AD provider supports connecting to Active Directory 2008 R2
or later. Earlier versions may work, but are unsupported.
</para>
<para>
The AD provider accepts the same options used by the
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> identity provider and the
<citerefentry>
<refentrytitle>sssd-krb5</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> authentication provider with some exceptions described
below.
</para>
<para>
However, it is neither necessary nor recommended to set these
options. The AD provider can also be used as an access and chpass
provider. No configuration of the access provider is required on
the client side.
</para>
<para>
By default, the AD provider will map UID and GID values from the
objectSID parameter in Active Directory. For details on this, see
the <quote>ID MAPPING</quote> section below. If you want to
disable ID mapping and instead rely on POSIX attributes defined in
Active Directory, you should set
<programlisting>
ldap_id_mapping = False
</programlisting>
Users, groups and other entities served by SSSD are always treated as
case-insensitive in the AD provider for compatibility with Active
Directory's LDAP implementation.
</para>
</refsect1>
<refsect1 id='file-format'>
<title>CONFIGURATION OPTIONS</title>
<para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
<citerefentry>
<manvolnum>5</manvolnum>
</citerefentry> manual page for details on the configuration of an SSSD domain.
<variablelist>
<varlistentry>
<term>ad_domain (string)</term>
<listitem>
<para>
Specifies the name of the Active Directory domain.
This is optional. If not provided, the
configuration domain name is used.
</para>
<para>
For proper operation, this option should be
specified as the lower-case version of the long
version of the Active Directory domain.
</para>
<para>
The short domain name (also known as the NetBIOS
or the flat name) is autodetected by the SSSD.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ad_server, ad_backup_server (string)</term>
<listitem>
<para>
The comma-separated list of IP addresses or
hostnames of the AD servers to which SSSD should
connect in order of preference. For more
information on failover and server redundancy, see
the <quote>FAILOVER</quote> section.
This is optional if autodiscovery is enabled.
For more information on service discovery, refer
to the <quote>SERVICE DISCOVERY</quote> section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ad_hostname (string)</term>
<listitem>
<para>
Optional. May be set on machines where the
hostname(5) does not reflect the fully qualified
name used in the Active Directory domain to
identify this host.
</para>
<para>
This field is used to determine the host principal
in use in the keytab. It must match the hostname
for which the keytab was issued.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ad_enable_dns_sites (boolean)</term>
<listitem>
<para>
Enables DNS sites - location based
service discovery.
</para>
<para>
If true and service discovery (see Service
Discovery paragraph at the bottom of the man page)
is enabled, the SSSD will first attempt to discover
the Active Directory server to connect to using the
Active Directory Site Discovery and fall back to
the DNS SRV records if no AD site is found.
</para>
<para>
Default: true
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_update (boolean)</term>
<listitem>
<para>
Optional. This option tells SSSD to automatically
update the Active Directory DNS server with
the IP address of this client.
</para>
<para>
NOTE: On older systems (such as RHEL 5), for this
behavior to work reliably, the default Kerberos
</para>
<para>
Default: true
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_ttl (integer)</term>
<listitem>
<para>
The TTL to apply to the client DNS record when updating it.
If dyndns_update is false this has no effect. This will
override the TTL serverside if set by an administrator.
</para>
<para>
Default: 3600 (seconds)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_iface (string)</term>
<listitem>
<para>
Optional. Applicable only when dyndns_update
is true. Choose the interface whose IP address
should be used for dynamic DNS updates.
</para>
<para>
Default: Use the IP address of the AD LDAP connection
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_refresh_interval (integer)</term>
<listitem>
<para>
How often should the back end perform periodic DNS update in
addition to the automatic update performed when the back end
goes online.
This option is optional and applicable only when dyndns_update
is true.
</para>
<para>
Default: 86400 (24 hours)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_update_ptr (bool)</term>
<listitem>
<para>
Whether the PTR record should also be explicitly
updated when updating the client's DNS records.
Applicable only when dyndns_update is true.
</para>
<para>
Default: True
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dyndns_force_tcp (bool)</term>
<listitem>
<para>
Whether the nsupdate utility should default to using
TCP for communicating with the DNS server.
</para>
<para>
Default: False (let nsupdate choose the protocol)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_use_enterprise_principal (boolean)</term>
<listitem>
<para>
Specifies if the user principal should be treated
as enterprise principal. See section 5 of RFC 6806
for more details about enterprise principals.
</para>
<para>
Default: true
</para>
<para>
Note that this default differs from the
traditional Kerberos provider back end.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 id='example'>
<title>EXAMPLE</title>
<para>
The following example assumes that SSSD is correctly
configured and example.com is one of the domains in the
<replaceable>[sssd]</replaceable> section. This example shows only
the AD provider-specific options.
</para>
<para>
<programlisting>
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = dc1.example.com
ad_hostname = client.example.com
ad_domain = example.com
</programlisting>
</para>
</refsect1>
<refsect1 id='notes'>
<title>NOTES</title>
<para>
The AD access control provider checks if the account is expired.
It has the same effect as the following configuration of the LDAP
provider:
<programlisting>
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
</programlisting>
</para>
</refsect1>
</refentry>
</reference>