sssd-ldap.5.xml revision 173f557c915aeee80a0c3dc8ae4d3f44dd5bc7c9
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
<refpurpose>the configuration file for SSSD</refpurpose>
</refnamediv>
This manual page describes the configuration of LDAP
domains for
<citerefentry>
</citerefentry>.
Refer to the <quote>FILE FORMAT</quote> section of the
<citerefentry>
</citerefentry> manual page for detailed syntax information.</para>
You can configure SSSD to use more than one LDAP domain.
The LDAP back end supports id, auth, access and chpass providers. If you want
to authenticate against an LDAP server either TLS/SSL or LDAPS
not</emphasis> support authentication over an unencrypted channel.
If the LDAP server is used only as an identity provider, an encrypted
channel is not needed. Please refer to the <quote>ldap_access_filter</quote>
config option for more information about using LDAP as an access provider.
</refsect1>
All of the common configuration options that apply to SSSD domains also apply
to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section of the
<citerefentry>
</citerefentry> manual page for full details.
<variablelist>
<varlistentry>
Specifies the comma-separated list of URIs of the LDAP servers to which
SSSD should connect in the order of preference. Refer to the
<quote>FAILOVER</quote> section for more information on failover and server redundancy.
If not specified, service discovery is enabled. For more information, refer
The format of the URI must match the format defined in RFC 2732:
ldap[s]://<host>[:port]
For explicit IPv6 addresses, <host> must be enclosed in brackets [],
for example: ldap://[fc00::126:25]:389
</listitem>
</varlistentry>
<varlistentry>
Specifies the comma-separated list of URIs of the LDAP servers to
which SSSD should connect in the order of preference
to change the password of a user. Refer to the
on failover and server redundancy.
To enable service discovery
ldap_chpass_dns_service_name must be set.
Default: empty, i.e. ldap_uri is used.
</listitem>
</varlistentry>
<varlistentry>
The default base DN to use for
performing LDAP user operations.
Starting with SSSD 1.7.0, SSSD supports multiple
search bases using the syntax:
search_base[?scope?[filter][?search_base?scope?[filter]]*]
The scope can be one of "base", "onelevel" or "subtree".
The filter must be a valid LDAP search filter as
ldap_search_base = dc=example,dc=com
(which is equivalent to)
ldap_search_base = dc=example,dc=com?subtree?
ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree?
Note: It is unsupported to have multiple search
bases which reference identically-named objects
(for example, groups with the same name in two
different search bases). This will lead to
unpredictable behavior on client machines.
Default: If not set, the value of the
defaultNamingContext or namingContexts attribute
from the RootDSE of the LDAP server is
used. If defaultNamingContext does not exist or
has an empty value, namingContexts is used.
The namingContexts attribute must have a
single value with the DN of the search base of the
LDAP server to make this work. Multiple values
are not supported.
</listitem>
</varlistentry>
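The following is an added example, not code from SSSD or from this manual page. It reads a constructed sssd.conf fragment and checks its LDAP domain sections against three rules stated above: ldap_uri entries must have the ldap[s]://<host>[:port] form with bracketed IPv6 hosts, authentication against LDAP is only supported over an encrypted channel, and ldap_search_base is split into base/scope/filter groups. The option names (ldap_uri, ldap_search_base, ldap_schema, id_provider, auth_provider) are real sssd.conf options; ldap_id_use_start_tls is a real SSSD option that this page does not show; the helper function names and all sample values are this example's own.

```python
"""Added example (not code from sssd or its man page): read a constructed
sssd.conf fragment and check its LDAP domain sections against the rules
stated in sssd-ldap(5). Option names are real sssd.conf options; the helper
names are this example's own. ldap_id_use_start_tls is a real sssd option
that is not shown on this page; the sample values are constructed."""
import configparser
import re

# ldap[s]://<host>[:port], with an explicit IPv6 address enclosed in [] (RFC 2732).
LDAP_URI_RE = re.compile(
    r"^(?P<scheme>ldaps?)://"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)"  # bracketed IPv6, or hostname/IPv4
    r"(?::(?P<port>\d{1,5}))?$"
)
SCOPES = {"base", "onelevel", "subtree"}

# Constructed sssd.conf: "good" encrypts everything, "bad" authenticates over ldap://.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = good, bad

[domain/good]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap1.example.com, ldaps://[fc00::126:25]:636
ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example,dc=com?subtree?
ldap_schema = rfc2307bis

[domain/bad]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com:389
ldap_search_base = dc=example,dc=com
"""


def load_domains(text):
    """Return {domain_name: section} for every [domain/NAME] section."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is not special in sssd.conf
    cp.read_string(text)
    return {s[len("domain/"):]: cp[s] for s in cp.sections() if s.startswith("domain/")}


def parse_ldap_uris(value):
    """Split a comma-separated ldap_uri value into scheme/host/port dicts.
    An empty value means SSSD falls back to DNS service discovery."""
    uris = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = LDAP_URI_RE.match(raw)
        if m is None:
            raise ValueError(f"ldap_uri entry is not ldap[s]://<host>[:port]: {raw!r}")
        scheme = m.group("scheme")
        port = int(m.group("port")) if m.group("port") else (636 if scheme == "ldaps" else 389)
        uris.append({"scheme": scheme, "host": m.group("host").strip("[]"), "port": port})
    return uris


def parse_search_base(value):
    """Split search_base[?scope?[filter][?search_base?scope?[filter]]*] into
    (base, scope, filter) triples. A bare DN means '<dn>?subtree?'.
    Filters containing '?' are not handled because '?' is the separator."""
    if not value:
        return []  # SSSD then uses defaultNamingContext / namingContexts from the RootDSE
    parts = [p.strip() for p in value.split("?")]
    if len(parts) == 1:
        return [(parts[0], "subtree", "")]
    if len(parts) % 3 != 0:
        raise ValueError(f"ldap_search_base does not come in base?scope?filter groups: {value!r}")
    triples = []
    for base, scope, filt in zip(parts[0::3], parts[1::3], parts[2::3]):
        if scope not in SCOPES:
            raise ValueError(f"scope must be base, onelevel or subtree, got {scope!r}")
        if filt and not (filt.startswith("(") and filt.endswith(")")):
            raise ValueError(f"filter must be a parenthesised LDAP filter, got {filt!r}")
        triples.append((base, scope, filt))
    return triples


def audit_domain(section):
    """Summarise one domain section and flag LDAP authentication that would run
    over an unencrypted channel. This is a configuration lint derived from the
    man page text, not SSSD's own logic: a domain with auth_provider = ldap is
    flagged when it lists a plain ldap:// server and does not request STARTTLS."""
    uris = parse_ldap_uris(section.get("ldap_uri", ""))
    plain = [u for u in uris if u["scheme"] == "ldap"]
    start_tls = section.getboolean("ldap_id_use_start_tls", fallback=False)
    authenticates = section.get("auth_provider", "") == "ldap"
    return {
        "uris": uris,
        "service_discovery": not uris,
        "search_bases": parse_search_base(section.get("ldap_search_base", "")),
        "schema": section.get("ldap_schema", "rfc2307"),  # man page default
        "auth_over_cleartext": authenticates and bool(plain) and not start_tls,
    }


if __name__ == "__main__":
    for name, section in load_domains(SAMPLE_SSSD_CONF).items():
        print(name, audit_domain(section))
```

Run against the constructed file, the "good" domain produces two parsed URIs (the IPv6 host without its brackets) and two search-base triples, while the "bad" domain is reported with auth_over_cleartext set because it authenticates against a plain ldap:// server. The cleartext flag is a lint over the configuration text, which is why a domain relying on service discovery (empty ldap_uri) is not flagged: nothing in the file says which scheme the discovered servers will use.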
<varlistentry>
Specifies the Schema Type in use on the target LDAP
Depending on the selected schema, the default
attribute names retrieved from the servers may vary.
The way that some attributes are handled may also differ.
Three schema types are currently supported:
The main difference between these schema types is
how group memberships are recorded in the server.
With rfc2307, group members are listed by name in the
With rfc2307bis and IPA, group members are listed by DN
and stored in the <emphasis>member</emphasis> attribute.
Default: rfc2307
</listitem>
</varlistentry>
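The following is an added example, not code from SSSD or from this manual page. It shows the practical consequence of the membership difference described above by resolving the members of a constructed group under both styles: by name from memberUid (the RFC 2307 attribute, which the truncated sentence above refers to) and by DN from member, where a member DN may itself be a group and must be followed recursively without looping on cycles. The directory entries are constructed, and the function names are this example's own.

```python
"""Added example, not from the sssd man page: how group membership resolves
under the two membership styles sssd-ldap(5) describes. The entries below
are constructed test data; 'memberUid' holds member names (RFC 2307) and
'member' holds member DNs (rfc2307bis / IPA)."""

PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"

# Constructed directory keyed by DN; attribute values are lists, as in LDAP.
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    f"uid=bob,{PEOPLE}": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    f"uid=carol,{PEOPLE}": {"objectClass": ["posixAccount"], "uid": ["carol"]},
    f"cn=devs,{GROUPS}": {
        "objectClass": ["posixGroup"],
        "cn": ["devs"],
        "memberUid": ["alice", "bob"],                        # rfc2307: names
        "member": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"],  # rfc2307bis: DNs
    },
    f"cn=admins,{GROUPS}": {
        "objectClass": ["posixGroup"],
        "cn": ["admins"],
        # rfc2307 cannot express "devs is a member of admins"; only carol is listed.
        "memberUid": ["carol"],
        # rfc2307bis: a nested group plus a user, and a back-reference to "ops"
        "member": [f"cn=devs,{GROUPS}", f"uid=carol,{PEOPLE}", f"cn=ops,{GROUPS}"],
    },
    f"cn=ops,{GROUPS}": {
        "objectClass": ["posixGroup"],
        "cn": ["ops"],
        "member": [f"cn=admins,{GROUPS}"],  # constructed cycle: ops -> admins -> ops
    },
}


def members_rfc2307(group_dn, directory=DIRECTORY):
    """rfc2307: memberUid values are user names; nesting cannot be expressed."""
    return sorted(directory[group_dn].get("memberUid", []))


def members_rfc2307bis(group_dn, directory=DIRECTORY):
    """rfc2307bis / IPA: member values are DNs. Group DNs are followed
    recursively; a 'seen' set stops membership cycles from looping."""
    seen, users = set(), set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member_dn in directory.get(dn, {}).get("member", []):
            entry = directory.get(member_dn)
            if entry is None:
                continue  # dangling DN: the referenced entry does not exist
            if "posixGroup" in entry["objectClass"]:
                stack.append(member_dn)
            elif "posixAccount" in entry["objectClass"]:
                users.add(entry["uid"][0])
    return sorted(users)


if __name__ == "__main__":
    admins = f"cn=admins,{GROUPS}"
    print("rfc2307   :", members_rfc2307(admins))
    print("rfc2307bis:", members_rfc2307bis(admins))
```

With the name-based schema the admins group resolves to carol alone, because memberUid has no way to reference another group; with the DN-based schema the same group resolves to alice, bob and carol, and the ops/admins back-reference is visited once and then ignored. This is the behavioural gap a wrong ldap_schema setting produces: choosing rfc2307 against a server that stores DN-based nested membership silently drops the nested members.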
<varlistentry>
The default bind DN to use for
performing LDAP operations.
</listitem>
</varlistentry>
<varlistentry>
The type of the authentication token of the
default bind DN.
The two mechanisms currently supported are:
obfuscated_password
Default: password
</listitem>
</varlistentry>
<varlistentry>
The authentication token of the default bind DN.
Only clear text passwords are currently supported.
</listitem>
</varlistentry>
<varlistentry>
The object class of a user entry in LDAP.
Default: posixAccount
supports nested groups (e.g. RFC2307bis), then
Default: not set, i.e. service discovery is disabled
use server side access control, i.e. the LDAP
ldap_uri = ldap://ldap.mydomain.org