<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
<title>SSSD Manual pages</title>
    <refmeta>
        <refentrytitle>sssd-ipa</refentrytitle>
        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
    </refmeta>

    <refnamediv>
        <refname>sssd-ipa</refname>
        <refpurpose>the configuration file for SSSD</refpurpose>
    </refnamediv>
    <refsect1 id='description'>
        <title>DESCRIPTION</title>
        <para>
            This manual page describes the configuration of the IPA provider
            <citerefentry>
                <refentrytitle>sssd</refentrytitle>
            </citerefentry>
            For a detailed syntax reference, refer to the
            <quote>FILE FORMAT</quote> section of the
            <citerefentry></citerefentry> manual page.
        </para>
        <para>
            The IPA provider is a back end used to connect to an IPA server.
            This provider requires that the machine be joined to the IPA domain;
            configuration is almost entirely self-discovered and obtained
        </para>
        <para>
            The IPA provider accepts the same options used by the
            <citerefentry>
                <refentrytitle>sssd-ldap</refentrytitle>
            </citerefentry> identity provider and the
            <citerefentry>
                <refentrytitle>sssd-krb5</refentrytitle>
            </citerefentry> authentication provider with some exceptions described
        </para>
        <para>
            However, it is neither necessary nor recommended to set these options.
            The IPA provider can also be used as an access and chpass provider. As an
            access provider it uses HBAC (host-based access control) rules. Please
            of access provider is required on the client side.
        </para>
    </refsect1>
    <refsect1 id='file-format'>
        <title>CONFIGURATION OPTIONS</title>
        <para>
            Refer to the section <quote>DOMAIN SECTIONS</quote> of the
            <citerefentry></citerefentry> manual page for details on the configuration of an SSSD domain.
        </para>
        <variablelist>
            <varlistentry>
                <term>ipa_domain (string)</term>
                <listitem>
                    <para>
                        Specifies the name of the IPA domain.
                        This is optional. If not provided, the configuration
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_server (string)</term>
                <listitem>
                    <para>
                        The comma-separated list of IP addresses or hostnames of the
                        IPA servers to which SSSD should connect in
                        the order of preference. For more information
                        on failover and server redundancy, see the
                        <quote>FAILOVER</quote> section.
                        This is optional if autodiscovery is enabled.
                        For more information on service discovery, refer
                        to the <quote>SERVICE DISCOVERY</quote> section.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_hostname (string)</term>
                <listitem>
                    <para>
                        Optional. May be set on machines where the
                        hostname(5) does not reflect the fully qualified
                        name used in the IPA domain to identify this host.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_dyndns_update (boolean)</term>
                <listitem>
                    <para>
                        Optional. This option tells SSSD to automatically
                        update the DNS server built into FreeIPA v2 with
                        the IP address of this client.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_dyndns_iface (string)</term>
                <listitem>
                    <para>
                        Optional. Applicable only when ipa_dyndns_update
                        is true. Choose the interface whose IP address
                        should be used for dynamic DNS updates.
                    </para>
                    <para>
                        Default: Use the IP address of the IPA LDAP connection
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_hbac_search_base (string)</term>
                <listitem>
                    <para>
                        Optional. Use the given string as search base for
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>krb5_validate (boolean)</term>
                <listitem>
                    <para>
                        Verify with the help of krb5_keytab that the TGT
                        obtained has not been spoofed.
                    </para>
                    <para>
                        Note that this default differs from the
                        traditional Kerberos provider back end.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>krb5_realm (string)</term>
                <listitem>
                    <para>
                        The name of the Kerberos realm. This is optional and
                        defaults to the value of <quote>ipa_domain</quote>.
                    </para>
                    <para>
                        The name of the Kerberos realm has a special
                        meaning in IPA - it is converted into the base
                        DN to use for performing LDAP operations.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>krb5_canonicalize (boolean)</term>
                <listitem>
                    <para>
                        Specifies if the host and user principal should be
                        canonicalized when connecting to IPA LDAP and also for AS
                        requests. This feature is available with MIT
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_hbac_refresh (integer)</term>
                <listitem>
                    <para>
                        The amount of time between lookups of the HBAC
                        rules against the IPA server. This will reduce the
                        latency and load on the IPA server if there are
                        many access-control requests made in a short
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_hbac_treat_deny_as (string)</term>
                <listitem>
                    <para>
                        This option specifies how to treat the deprecated
                        DENY-type HBAC rules. As of FreeIPA v2.1, DENY
                        rules are no longer supported on the server. All
                        users of FreeIPA will need to migrate their rules
                        to use only the ALLOW rules. The client will
                        support two modes of operation during this
                    </para>
                    <para>
                        <emphasis>DENY_ALL</emphasis>: If any HBAC DENY
                        rules are detected, all users will be denied
                    </para>
                    <para>
                        <emphasis>IGNORE</emphasis>: SSSD will ignore any
                        DENY rules. Be very careful with this option, as
                        it may result in opening unintended access.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_netgroup_member_of (string)</term>
                <listitem>
                    <para>
                        The LDAP attribute that lists netgroup's
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_netgroup_member_user (string)</term>
                <listitem>
                    <para>
                        The LDAP attribute that lists system users
                        and groups that are direct members of the
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_netgroup_member_host (string)</term>
                <listitem>
                    <para>
                        The LDAP attribute that lists hosts and host groups
                        that are direct members of the netgroup.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_netgroup_member_ext_host (string)</term>
                <listitem>
                    <para>
                        The LDAP attribute that lists FQDNs of hosts
                        and host groups that are members of the netgroup.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_netgroup_domain (string)</term>
                <listitem>
                    <para>
                        The LDAP attribute that contains NIS domain
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_host_object_class (string)</term>
                <listitem>
                    <para>
                        The object class of a host entry in LDAP.
                    </para>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>ipa_host_fqdn (string)</term>
                <listitem>
                    <para>
                        The LDAP attribute that contains FQDN of the host.
                    </para>
                </listitem>
            </varlistentry>
        </variablelist>
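        <para>
            Added example, not part of this manual page or of the SSSD project:
            a Python audit of the IPA provider options listed above. It parses a
            constructed sssd.conf with configparser, finds each
            <replaceable>[domain/...]</replaceable> section whose id_provider is ipa,
            splits ipa_server into its ordered preference list and reports the two
            settings this page cautions about (ipa_hbac_treat_deny_as set to
            IGNORE, and krb5_validate turned off so the TGT is no longer checked
            against the keytab), plus an access_provider that is not ipa, in which
            case the server's HBAC rules are not applied on that client. The
            id_provider, auth_provider, access_provider and chpass_provider keys
            come from sssd.conf(5), not from this page; the domain, hostnames and
            interface name are assumptions made for the example.
        </para>

```python
"""Audit the IPA provider options of an sssd.conf.

Added example (not part of the sssd-ipa manual page or the SSSD project).
Only explicitly set values are judged; defaults are not assumed.
"""
import configparser

# Constructed sample sssd.conf. Domain, hostnames, section name and interface
# name are assumptions for this example, not values from the manual page.
WEAK_CONF = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
ipa_domain = example.com
ipa_server = ipa1.example.com, ipa2.example.com
ipa_hostname = client.example.com
ipa_dyndns_update = true
krb5_validate = false
ipa_hbac_treat_deny_as = IGNORE
"""

# The same domain with the settings the manual page cautions about corrected.
HARDENED_CONF = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = example.com
ipa_server = ipa1.example.com, ipa2.example.com
ipa_hostname = client.example.com
ipa_dyndns_update = true
ipa_dyndns_iface = eth0
krb5_validate = true
ipa_hbac_treat_deny_as = DENY_ALL
"""

FALSE_VALUES = {"false", "no", "0", "off"}


def parse_sssd_conf(text):
    """Parse sssd.conf text: INI-style [sections] with key = value lines."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def ipa_domain_sections(cp):
    """Return the [domain/...] sections that use the IPA identity provider."""
    return [s for s in cp.sections()
            if s.startswith("domain/")
            and cp.get(s, "id_provider", fallback="").strip().lower() == "ipa"]


def ipa_server_list(cp, section):
    """Split ipa_server into its ordered preference list (empty if unset)."""
    raw = cp.get(section, "ipa_server", fallback="")
    return [h.strip() for h in raw.split(",") if h.strip()]


def audit_ipa_domain(cp, section):
    """Return a list of (option, message) findings for one IPA domain."""
    findings = []

    def get(option):
        return cp.get(section, option, fallback="").strip()

    # IGNORE silently drops DENY-type HBAC rules; the manual page warns this
    # may open unintended access, so it is reported as a finding.
    if get("ipa_hbac_treat_deny_as").upper() == "IGNORE":
        findings.append(("ipa_hbac_treat_deny_as",
                         "IGNORE drops DENY rules; keep DENY_ALL until rules are migrated"))

    # krb5_validate = false turns off verifying the obtained TGT with the keytab.
    if get("krb5_validate").lower() in FALSE_VALUES:
        findings.append(("krb5_validate",
                         "TGT validation against the keytab is disabled"))

    # Without access_provider = ipa the IPA HBAC rules are not applied here.
    if get("access_provider").lower() != "ipa":
        findings.append(("access_provider",
                         "not set to ipa; IPA HBAC rules are not enforced on this client"))

    # Informational: with no ipa_server, SSSD depends on service discovery.
    if not ipa_server_list(cp, section):
        findings.append(("ipa_server",
                         "unset; server selection depends on autodiscovery"))
    return findings


def audit_config(text):
    """Audit every IPA domain in an sssd.conf text; returns {section: findings}."""
    cp = parse_sssd_conf(text)
    return {s: audit_ipa_domain(cp, s) for s in ipa_domain_sections(cp)}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for section, findings in audit_config(conf).items():
            print(f"{name}: {section}: {len(findings)} finding(s)")
            for option, message in findings:
                print(f"  {option}: {message}")
```

        <para>
            The weak configuration yields three findings and the corrected one
            yields none. Because only explicitly set values are judged, an absent
            line is reported only where its absence matters (access_provider,
            ipa_server); a value left unset for ipa_hbac_treat_deny_as or
            krb5_validate is not guessed at.
        </para>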
        <para>
            The following example assumes that SSSD is correctly
            <replaceable>[sssd]</replaceable> section. This example shows only
            the ipa provider-specific options.
        </para>
    </refsect1>
    <refsect1 id='see-also'>
        <title>SEE ALSO</title>
        <para>
            <citerefentry>
                <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
            </citerefentry>,
            <citerefentry>
                <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
            </citerefentry>,
            <citerefentry>
                <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
            </citerefentry>
        </para>
    </refsect1>