<
refname>sssd-ipa</
refname>
<
refpurpose>the configuration file for SSSD</
refpurpose>
<
refsect1 id='description'>
<
title>DESCRIPTION</
title>
This manual page describes the configuration of the IPA provider
<
refentrytitle>sssd</
refentrytitle>
For a detailed syntax reference, refer to the <
quote>FILE FORMAT</
quote> section of the
</
citerefentry> manual page.
The IPA provider is a back end used to connect to an IPA server.
(Refer to the
freeipa.org web site for information about IPA servers.)
This provider requires that the machine be joined to the IPA domain;
configuration is almost entirely self-discovered and obtained
directly from the server.
The IPA provider accepts the same options used by the
<
refentrytitle>sssd-ldap</
refentrytitle>
</
citerefentry> identity provider and the
<
refentrytitle>sssd-krb5</
refentrytitle>
</
citerefentry> authentication provider with some exceptions described
However, it is neither necessary nor recommended to set these options.
IPA provider can also be used as an access and chpass provider. As an
access provider it uses HBAC (host-based access control) rules. Please
refer to
freeipa.org for more information about HBAC. No configuration
of access provider is required on the client side.
The IPA provider will use the PAC responder if the Kerberos tickets
of users from trusted realms contain a PAC. To make configuration
easier the PAC responder is started automatically if the IPA ID
<
refsect1 id='file-format'>
<
title>CONFIGURATION OPTIONS</
title>
<
para>Refer to the section <
quote>DOMAIN SECTIONS</
quote> of the
</
citerefentry> manual page for details on the configuration of an SSSD domain.
<
term>ipa_domain (string)</
term>
Specifies the name of the IPA domain.
This is optional. If not provided, the configuration
<
term>ipa_server, ipa_backup_server (string)</
term>
The comma-separated list of IP addresses or hostnames of the
IPA servers to which SSSD should connect in
the order of preference. For more information
on failover and server redundancy, see the
<
quote>FAILOVER</
quote> section.
This is optional if autodiscovery is enabled.
For more information on service discovery, refer
to the <
quote>SERVICE DISCOVERY</
quote> section.
<
term>ipa_hostname (string)</
term>
Optional. May be set on machines where the
hostname(5) does not reflect the fully qualified
name used in the IPA domain to identify this host.
<
term>dyndns_update (boolean)</
term>
Optional. This option tells SSSD to automatically
update the DNS server built into FreeIPA v2 with
the IP address of this client. The update is
secured using GSS-TSIG. The IP address of the IPA
LDAP connection is used for the updates, if it is
not otherwise specified by using the
<
quote>dyndns_iface</
quote> option.
NOTE: On older systems (such as RHEL 5), for this
behavior to work reliably, the default Kerberos
NOTE: While it is still possible to use the old
<
emphasis>ipa_dyndns_update</
emphasis> option, users
should migrate to using <
emphasis>dyndns_update</
emphasis>
<
term>dyndns_ttl (integer)</
term>
The TTL to apply to the client DNS record when updating it.
If dyndns_update is false this has no effect. This will
override the TTL serverside if set by an administrator.
NOTE: While it is still possible to use the old
<
emphasis>ipa_dyndns_ttl</
emphasis> option, users
should migrate to using <
emphasis>dyndns_ttl</
emphasis>
<
term>dyndns_iface (string)</
term>
Optional. Applicable only when dyndns_update
is true. Choose the interface whose IP address
should be used for dynamic DNS updates.
NOTE: While it is still possible to use the old
<
emphasis>ipa_dyndns_iface</
emphasis> option, users
should migrate to using <
emphasis>dyndns_iface</
emphasis>
Default: Use the IP address of the IPA LDAP connection
<
term>ipa_enable_dns_sites (boolean)</
term>
Enables DNS sites - location based
If true and service discovery (see Service
Discovery paragraph at the bottom of the man page)
is enabled, then the SSSD will first attempt
location based discovery using a query that contains
to traditional SRV discovery. If the location based
discovery succeeds, the IPA servers located with
the location based discovery are treated as primary
servers and the IPA servers located using the
traditional SRV discovery are used as back up
<
term>dyndns_refresh_interval (integer)</
term>
How often should the back end perform periodic DNS update in
addition to the automatic update performed when the back end
This option is optional and applicable only when dyndns_update
<
term>dyndns_update_ptr (bool)</
term>
Whether the PTR record should also be explicitly
updated when updating the client's DNS records.
Applicable only when dyndns_update is true.
This option should be False in most IPA
deployments as the IPA server generates the
PTR records automatically when forward records
Default: False (disabled)
<
term>dyndns_force_tcp (bool)</
term>
Whether the nsupdate utility should default to using
TCP for communicating with the DNS server.
Default: False (let nsupdate choose the protocol)
<
term>ipa_hbac_search_base (string)</
term>
Optional. Use the given string as search base for
<
term>ipa_host_search_base (string)</
term>
Optional. Use the given string as search base for
See <
quote>ldap_search_base</
quote> for
information about configuring multiple search
If filter is given in any of search bases and
<
emphasis>ipa_hbac_support_srchost</
emphasis>
is set to False, the filter will be ignored.
<
emphasis>ldap_search_base</
emphasis>
<
term>ipa_selinux_search_base (string)</
term>
Optional. Use the given string as search base for
See <
quote>ldap_search_base</
quote> for
information about configuring multiple search
<
emphasis>ldap_search_base</
emphasis>
<
term>ipa_subdomains_search_base (string)</
term>
Optional. Use the given string as search base for
See <
quote>ldap_search_base</
quote> for
information about configuring multiple search
<
emphasis>cn=trusts,%basedn</
emphasis>
<
term>ipa_master_domain_search_base (string)</
term>
Optional. Use the given string as search base for
See <
quote>ldap_search_base</
quote> for
information about configuring multiple search
<
emphasis>cn=ad,cn=etc,%basedn</
emphasis>
<
term>krb5_validate (boolean)</
term>
Verify with the help of krb5_keytab that the TGT
obtained has not been spoofed.
Note that this default differs from the
traditional Kerberos provider back end.
<
term>krb5_realm (string)</
term>
The name of the Kerberos realm. This is optional and
defaults to the value of <
quote>ipa_domain</
quote>.
The name of the Kerberos realm has a special
meaning in IPA - it is converted into the base
DN to use for performing LDAP operations.
<
term>krb5_canonicalize (boolean)</
term>
Specifies if the host and user principal should be
canonicalized when connecting to IPA LDAP and also for AS
requests. This feature is available with MIT
<
term>ipa_hbac_refresh (integer)</
term>
The amount of time between lookups of the HBAC
rules against the IPA server. This will reduce the
latency and load on the IPA server if there are
many access-control requests made in a short
<
term>ipa_hbac_selinux (integer)</
term>
The amount of time between lookups of the SELinux
maps against the IPA server. This will reduce the
latency and load on the IPA server if there are
many user login requests made in a short
<
term>ipa_hbac_treat_deny_as (string)</
term>
This option specifies how to treat the deprecated
DENY-type HBAC rules. As of FreeIPA v2.1, DENY
rules are no longer supported on the server. All
users of FreeIPA will need to migrate their rules
to use only the ALLOW rules. The client will
support two modes of operation during this
<
emphasis>DENY_ALL</
emphasis>: If any HBAC DENY
rules are detected, all users will be denied
<
emphasis>IGNORE</
emphasis>: SSSD will ignore any
DENY rules. Be very careful with this option, as
it may result in opening unintended access.
<
term>ipa_hbac_support_srchost (boolean)</
term>
If this is set to false, then srchost as given
to SSSD by PAM will be ignored.
Note that if set to <
emphasis>False</
emphasis>,
this option casuses filters given in
<
emphasis>ipa_host_search_base</
emphasis> to be ignored;
<
term>ipa_server_mode (boolean)</
term>
This options should only be set by the IPA
The option denotes that the SSSD is running on
IPA server and should perform lookups of users
and groups from trusted domains differently.
<
varlistentry condition="with_autofs">
<
term>ipa_automount_location (string)</
term>
The automounter location this IPA client will be using
Default: The location named "default"
<
term>ipa_netgroup_member_of (string)</
term>
The LDAP attribute that lists netgroup's
<
term>ipa_netgroup_member_user (string)</
term>
The LDAP attribute that lists system users
and groups that are direct members of the
<
term>ipa_netgroup_member_host (string)</
term>
The LDAP attribute that lists hosts and host groups
that are direct members of the netgroup.
<
term>ipa_netgroup_member_ext_host (string)</
term>
The LDAP attribute that lists FQDNs of hosts
and host groups that are members of the netgroup.
<
term>ipa_netgroup_domain (string)</
term>
The LDAP attribute that contains NIS domain
<
term>ipa_host_object_class (string)</
term>
The object class of a host entry in LDAP.
<
term>ipa_host_fqdn (string)</
term>
The LDAP attribute that contains FQDN of the host.
<
term>ipa_selinux_usermap_object_class (string)</
term>
The object class of a host entry in LDAP.
<
term>ipa_selinux_usermap_name (string)</
term>
The LDAP attribute that contains the name
<
term>ipa_selinux_usermap_member_user (string)</
term>
The LDAP attribute that contains all users / groups
<
term>ipa_selinux_usermap_member_host (string)</
term>
The LDAP attribute that contains all hosts / hostgroups
<
term>ipa_selinux_usermap_see_also (string)</
term>
The LDAP attribute that contains DN of HBAC
rule which can be used for matching instead
of memberUser and memberHost
<
term>ipa_selinux_usermap_selinux_user (string)</
term>
The LDAP attribute that contains SELinux user
<
term>ipa_selinux_usermap_enabled (string)</
term>
The LDAP attribute that contains whether
or not is user map enabled for usage.
<
term>ipa_selinux_usermap_user_category (string)</
term>
The LDAP attribute that contains user category
<
term>ipa_selinux_usermap_host_category (string)</
term>
The LDAP attribute that contains host category
<
term>ipa_selinux_usermap_uuid (string)</
term>
The LDAP attribute that contains unique ID
<
varlistentry condition="with_ssh">
<
term>ipa_host_ssh_public_key (string)</
term>
The LDAP attribute that contains the host's SSH
<
refsect1 id='subdomains_provider'>
<
title>SUBDOMAINS PROVIDER</
title>
The IPA subdomains provider behaves slightly differently
if it is configured explicitly or implicitly.
If the option 'subdomains_provider = ipa' is found in the
domain section of
sssd.conf, the IPA subdomains provider is
configured explicitly, and all subdomain requests are sent to the
If the option 'subdomains_provider' is not set in the domain
section of
sssd.conf but there is the option 'id_provider = ipa',
the IPA subdomains provider is configured implicitly. In this case,
if a subdomain request fails and indicates that the server does not
support subdomains,
i.e. is not configured for trusts, the IPA
subdomains provider is disabled. After an hour or after the IPA
provider goes online, the subdomains provider is enabled again.
The following example assumes that SSSD is correctly
configured and
example.com is one of the domains in the
<
replaceable>[sssd]</
replaceable> section. This examples shows only
the ipa provider-specific options.