<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>SSSD Manual pages</title>
<refentry>
    <refmeta>
        <refentrytitle>sssd-ad</refentrytitle>
        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
    </refmeta>

    <refnamediv>
        <refname>sssd-ad</refname>
        <refpurpose>the configuration file for SSSD</refpurpose>
    </refnamediv>

    <refsect1 id='description'>
        <para>
            This manual page describes the configuration of the AD provider
            for
            <citerefentry>
                <refentrytitle>sssd</refentrytitle>
            </citerefentry>.
            For a detailed syntax reference, refer to the
            <quote>FILE FORMAT</quote> section of the
            <citerefentry></citerefentry> manual page.
        </para>
        <para>
            The AD provider is a back end used to connect to an Active
            Directory server. This provider requires that the machine be
            joined to the AD domain and a keytab is available.
        </para>
        <para>
            The AD provider supports connecting to Active Directory 2008 R2
            or later. Earlier versions may work, but are unsupported.
        </para>
        <para>
            The AD provider accepts the same options used by the
            <citerefentry>
                <refentrytitle>sssd-ldap</refentrytitle>
            </citerefentry> identity provider and the
            <citerefentry>
                <refentrytitle>sssd-krb5</refentrytitle>
            </citerefentry> authentication provider with some exceptions described
        </para>
        <para>
            However, it is neither necessary nor recommended to set these
            options. The AD provider can also be used as an access and chpass
            provider. No configuration of the access provider is required on
        </para>
        <para>
            By default, the AD provider will map UID and GID values from the
            objectSID parameter in Active Directory. For details on this, see
            the <quote>ID MAPPING</quote> section below. If you want to
            disable ID mapping and instead rely on POSIX attributes defined in
            Active Directory, you should set
        </para>
        <para>
            Users, groups and other entities served by SSSD are always treated as
            case-insensitive in the AD provider for compatibility with Active
            Directory's LDAP implementation.
        </para>
    </refsect1>

    <refsect1 id='file-format'>
        <title>CONFIGURATION OPTIONS</title>
        <para>
            Refer to the section <quote>DOMAIN SECTIONS</quote> of the
            <citerefentry></citerefentry> manual page for details on the
            configuration of an SSSD domain.
        </para>
        <variablelist>
            <varlistentry>
                <term>ad_domain (string)</term>
                <listitem>
                    <para>
                        Specifies the name of the Active Directory domain.
                        This is optional. If not provided, the
                        configuration domain name is used.
                    </para>
                    <para>
                        For proper operation, this option should be
                        specified as the lower-case version of the long
                        version of the Active Directory domain.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ad_server, ad_backup_server (string)</term>
                <listitem>
                    <para>
                        The comma-separated list of IP addresses or
                        hostnames of the AD servers to which SSSD should
                        connect in order of preference. For more
                        information on failover and server redundancy, see
                        the <quote>FAILOVER</quote> section.
                    </para>
                    <para>
                        This is optional if autodiscovery is enabled.
                        For more information on service discovery, refer
                        to the <quote>SERVICE DISCOVERY</quote> section.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ad_hostname (string)</term>
                <listitem>
                    <para>
                        Optional. May be set on machines where the
                        hostname(5) does not reflect the fully qualified
                        name used in the Active Directory domain to
                    </para>
                    <para>
                        This field is used to determine the host principal
                        in use in the keytab. It must match the hostname
                        for which the keytab was issued.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>krb5_use_enterprise_principal (boolean)</term>
                <listitem>
                    <para>
                        Specifies if the user principal should be treated
                        as an enterprise principal. See section 5 of RFC 6806
                        for more details about enterprise principals.
                    </para>
                    <para>
                        Note that this default differs from the
                        traditional Kerberos provider back end.
                    </para>
                </listitem>
            </varlistentry>
        </variablelist>
    </refsect1>

    <refsect1>
        <para>
            The following example assumes that SSSD is correctly
            <replaceable>[sssd]</replaceable> section. This example shows only
            the AD provider-specific options.
        </para>
    </refsect1>

    <refsect1>
        <para>
            The AD access control provider checks if the account is expired.
            It has the same effect as the following configuration of the LDAP
            <programlisting>
ldap_account_expire_policy = ad
            </programlisting>
        </para>
    </refsect1>
</refentry>
</reference>
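The AD-only domain section that the example paragraph above announces, written here as an added illustration rather than the man page's own listing: the domain, DC and client names are placeholders, and ldap_id_mapping is the sssd-ldap(5) option name, which this page refers to but does not spell out.

```ini
# Constructed example domain section for sssd.conf; all names are placeholders.
# Only the AD provider-specific options discussed on this page are set.
[domain/example.com]
id_provider = ad
auth_provider = ad
# access_provider = ad already rejects expired AD accounts, so the
# LDAP-provider setting ldap_account_expire_policy = ad is not needed here.
access_provider = ad
chpass_provider = ad

# Lower-case long form of the AD domain name, as ad_domain requires.
ad_domain = example.com

# Preferred DCs first; leave unset to rely on DNS-based service discovery
# (see the SERVICE DISCOVERY and FAILOVER sections).
ad_server = dc1.example.com, dc2.example.com
ad_backup_server = dc3.example.com

# Set only when hostname(5) is not the FQDN the keytab was issued for:
# the value must match the host principal in the keytab, otherwise
# Kerberos authentication to the DC fails.
ad_hostname = client.example.com

# ID mapping from objectSID is the AD provider default. To use the POSIX
# uidNumber/gidNumber attributes stored in AD instead, uncomment the
# sssd-ldap(5) option below (option name assumed from sssd-ldap, not from
# this page). Choose one scheme and use it on every host, or the same
# account gets different UIDs on different machines.
# ldap_id_mapping = False
```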