sssd-ad.5.xml revision d231e95b0a5e1bd377f67e041e8b502a79fdc605
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<?xml version="1.0" encoding="UTF-8"?>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<reference>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<title>SSSD Manual pages</title>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<refentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refmeta>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refentrytitle>sssd-ad</refentrytitle>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <manvolnum>5</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </refmeta>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refnamediv id='name'>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refname>sssd-ad</refname>
7b58d637c20f87e1e49ffc1d49a4de8b25ef06bbJakub Hrozek <refpurpose>SSSD Active Directory provider</refpurpose>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </refnamediv>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refsect1 id='description'>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <title>DESCRIPTION</title>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This manual page describes the configuration of the AD provider
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher for
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refentrytitle>sssd</refentrytitle>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <manvolnum>8</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry>.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refentrytitle>sssd.conf</refentrytitle>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <manvolnum>5</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> manual page.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The AD provider is a back end used to connect to an Active
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher Directory server. This provider requires that the machine be
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher joined to the AD domain and that a keytab be available.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The AD provider supports connecting to Active Directory 2008 R2
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher or later. Earlier versions may work, but are unsupported.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
728a1812b7c5f70febb522342c5b357da598acfeJakub Hrozek <para>
728a1812b7c5f70febb522342c5b357da598acfeJakub Hrozek The AD provider accepts the same options used by the
728a1812b7c5f70febb522342c5b357da598acfeJakub Hrozek <citerefentry>
728a1812b7c5f70febb522342c5b357da598acfeJakub Hrozek <refentrytitle>sssd-ldap</refentrytitle>
728a1812b7c5f70febb522342c5b357da598acfeJakub Hrozek <manvolnum>5</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> identity provider and the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refentrytitle>sssd-krb5</refentrytitle>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <manvolnum>5</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> authentication provider with some exceptions described
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher below.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher However, it is neither necessary nor recommended to set these
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher options. The AD provider can also be used as an access and chpass
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher provider. No configuration of the access provider is required on
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher the client side.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
61804568ce5ede3b1a699cda17c033dd6c23f0e3Sumit Bose By default, the AD provider will map UID and GID values from the
61804568ce5ede3b1a699cda17c033dd6c23f0e3Sumit Bose objectSID attribute in Active Directory. For details on this, see
61804568ce5ede3b1a699cda17c033dd6c23f0e3Sumit Bose the <quote>ID MAPPING</quote> section below. If you want to
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher disable ID mapping and instead rely on POSIX attributes defined in
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher Active Directory, you should set
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <programlisting>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagherldap_id_mapping = False
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </programlisting>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </para>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </refsect1>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <refsect1 id='file-format'>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <title>CONFIGURATION OPTIONS</title>
4343b618051d295cbb1a805a85feb117a91c6945Jakub Hrozek <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
4343b618051d295cbb1a805a85feb117a91c6945Jakub Hrozek <citerefentry>
4343b618051d295cbb1a805a85feb117a91c6945Jakub Hrozek <refentrytitle>sssd.conf</refentrytitle>
4343b618051d295cbb1a805a85feb117a91c6945Jakub Hrozek <manvolnum>5</manvolnum>
4343b618051d295cbb1a805a85feb117a91c6945Jakub Hrozek </citerefentry> manual page for details on the configuration of an SSSD domain.
c7a4383b3b5549d0627c21bb02bd5f0bd46a3531Jakub Hrozek <variablelist>
c7a4383b3b5549d0627c21bb02bd5f0bd46a3531Jakub Hrozek <varlistentry>
c7a4383b3b5549d0627c21bb02bd5f0bd46a3531Jakub Hrozek <term>ad_domain (string)</term>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher Specifies the name of the Active Directory domain.
65a8e6e655c22027d3e02ea697972111f2a33e33Jakub Hrozek This is optional. If not provided, the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher configuration domain name is used.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher For proper operation, this option should be
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher specified as the lower-case form of the long
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher name of the Active Directory domain.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <term>ad_server, ad_backup_server (string)</term>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The comma-separated list of IP addresses or
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher hostnames of the AD servers to which SSSD should
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher connect in order of preference. For more
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher information on failover and server redundancy, see
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher the <quote>FAILOVER</quote> section.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This is optional if autodiscovery is enabled.
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose For more information on service discovery, refer
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose to the <quote>SERVICE DISCOVERY</quote> section.
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose </para>
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose </listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <term>ad_hostname (string)</term>
294e9a5521d327c5cdc49beeb9cb9e703b3134f1Jan Zeleny <listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher Optional. May be set on machines where the
02ec52b73c1714b877b0b7bc43fbc8d36ad8ca40Jakub Hrozek hostname(5) does not reflect the fully qualified
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher name used in the Active Directory domain to
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher identify this host.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This field is used to determine the host principal
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher in use in the keytab. It must match the hostname
c0d9babd59c81c12ca182ab3a72176d4fae494a4Yuri Chornoivan for which the keytab was issued.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <term>override_homedir (string)</term>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher Override the user's home directory. You
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher can either provide an absolute value or a
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher template. In the template, the following
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher sequences are substituted:
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <variablelist>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <term>%u</term>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <listitem><para>login name</para></listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <term>%U</term>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <listitem><para>UID number</para></listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <varlistentry>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <term>%d</term>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <listitem><para>domain name</para></listitem>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </varlistentry>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <varlistentry>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <term>%f</term>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <listitem><para>fully qualified user name (user@domain)</para></listitem>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </varlistentry>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <varlistentry>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <term>%%</term>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <listitem><para>a literal '%'</para>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </listitem>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </varlistentry>
de4ce3477497c20416c6397adb520bb60f3c6d28Jakub Hrozek </variablelist>
de4ce3477497c20416c6397adb520bb60f3c6d28Jakub Hrozek </para>
de4ce3477497c20416c6397adb520bb60f3c6d28Jakub Hrozek <para>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina This option can also be set per-domain.
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </para>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <para>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina example:
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <programlisting>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březinaoverride_homedir = /home/%u
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </programlisting>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek </para>
7a7fe9ace6990f20bddccfbb8fbbe91204df979eYassir Elley <para>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek Default: Not set (SSSD will use the value
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek retrieved from LDAP)
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek </para>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek </listitem>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek </varlistentry>
19d56eacc786d83fcea1805743370c53098ef552Jakub Hrozek <varlistentry>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <term>fallback_homedir (string)</term>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <listitem>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <para>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek Set a default template for a user's home directory
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek if one is not specified explicitly by the domain's
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek data provider.
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek The available values for this option are the same
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek as for override_homedir.
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek example:
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <programlisting>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozekfallback_homedir = /home/%u
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </programlisting>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek Default: not set (no substitution for unset home
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek directories)
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </listitem>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </varlistentry>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <varlistentry>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <term>default_shell</term>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <listitem>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek The default shell to use if the provider does not
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek return one during lookup. This option supersedes
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek any other shell options if it takes effect and can
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek be set either in the [nss] section or per-domain.
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek Default: not set (Return NULL if no shell is
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek specified and rely on libc to substitute something
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek sensible when necessary, usually /bin/sh)
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </listitem>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </varlistentry>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </variablelist>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </refsect1>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_id_mapping.xml" />
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <refsect1 id='example'>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <title>EXAMPLE</title>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek <para>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek The following example assumes that SSSD is correctly
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek configured and example.com is one of the domains in the
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek <replaceable>[sssd]</replaceable> section. This example shows only
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek the AD provider-specific options.
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek </para>
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek <para>
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek<programlisting>
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek[domain/EXAMPLE]
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozekid_provider = ad
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozekauth_provider = ad
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozekaccess_provider = ad
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozekchpass_provider = ad
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozekad_server = dc1.example.com
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozekad_hostname = client.example.com
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozekad_domain = example.com
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek</programlisting>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek </para>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek </refsect1>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek <refsect1 id='notes'>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek <title>NOTES</title>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek <para>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek The AD access control provider checks whether the account has expired.
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley It has the same effect as the following configuration of the LDAP
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley provider, in which expiration is the only access check:
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley<programlisting>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elleyaccess_provider = ldap
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elleyldap_access_order = expire
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elleyldap_account_expire_policy = ad
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley</programlisting>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </refsect1>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley</refentry>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley</reference>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley