sssd-ldap.5.xml revision 5ef295d1cf410ceaa92c03a7843df8a36409f465
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
<refpurpose>the configuration file for SSSD</refpurpose>
</refnamediv>
This manual page describes the configuration of LDAP
domains for
<citerefentry>
</citerefentry>.
Refer to the <quote>FILE FORMAT</quote> section of the
<citerefentry>
</citerefentry> manual page for detailed syntax information.</para>
You can configure SSSD to use more than one LDAP domain.
The LDAP back end supports id, auth, access and chpass providers. If you want
to authenticate against an LDAP server, either TLS/SSL or LDAPS
is required. SSSD <emphasis>does not</emphasis> support authentication over an unencrypted channel.
If the LDAP server is used only as an identity provider, an encrypted
channel is not needed. Please refer to the <quote>ldap_access_filter</quote>
config option for more information about using LDAP as an access provider.
</refsect1>
All of the common configuration options that apply to SSSD domains also apply
to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section of the
<citerefentry>
</citerefentry> manual page for full details.
<variablelist>
<varlistentry>
<listitem>
Specifies the comma-separated list of URIs of the LDAP servers to which
SSSD should connect in order of preference. Refer to the
<quote>FAILOVER</quote> section for more information on failover and server redundancy.
If neither option is specified, service discovery is enabled. For more information,
refer to the <quote>SERVICE DISCOVERY</quote> section.
The format of the URI must match the format defined in RFC 2732:
ldap[s]://&lt;host&gt;[:port]
For explicit IPv6 addresses, &lt;host&gt; must be enclosed in brackets [].
Example: ldap://[fc00::126:25]:389
</varlistentry>
<varlistentry>
<term>ldap_chpass_uri, ldap_chpass_backup_uri (string)</term>
<listitem>
Specifies the comma-separated list of URIs of the LDAP servers to
which SSSD should connect in order of preference
to change the password of a user. Refer to the
<quote>FAILOVER</quote> section for more information
on failover and server redundancy.
To enable service discovery,
ldap_chpass_dns_service_name must be set.
Default: empty, i.e. ldap_uri is used.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The default base DN to use for
performing LDAP user operations.
Starting with SSSD 1.7.0, SSSD supports multiple
search bases using the syntax:
search_base[?scope?[filter][?search_base?scope?[filter]]*]
The scope can be one of "base", "onelevel" or "subtree".
The filter must be a valid LDAP search filter as
ldap_search_base = dc=example,dc=com
(which is equivalent to)
ldap_search_base = dc=example,dc=com?subtree?
ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example,dc=com?subtree?
Note: It is unsupported to have multiple search
bases which reference identically-named objects
(for example, groups with the same name in two
different search bases). This will lead to
unpredictable behavior on client machines.
Default: If not set, the value of the
defaultNamingContext or namingContexts attribute
from the RootDSE of the LDAP server is
used. If defaultNamingContext does not exist or
has an empty value, namingContexts is used.
The namingContexts attribute must have a
single value with the DN of the search base of the
LDAP server to make this work. Multiple values are
not supported.
</listitem>
</varlistentry>
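As an added example (not part of this manual page and not SSSD's own parser), a small Python parser for the multi-search-base syntax above: it applies the defaults the text describes (a bare DN means scope "subtree" and no filter), rejects unknown scopes, and shows that the two single-base forms in the examples are equivalent. It assumes filters never contain a literal '?'.

```python
"""Added example: parse the multi-search-base syntax of ldap_search_base.

Grammar from the man page:
    search_base[?scope?[filter][?search_base?scope?[filter]]*]
Illustration code only, not SSSD's own implementation.
"""
from typing import List, NamedTuple

VALID_SCOPES = ("base", "onelevel", "subtree")


class SearchBase(NamedTuple):
    base: str
    scope: str
    filter: str  # "" means no extra filter


def parse_search_base(value: str) -> List[SearchBase]:
    """Split an ldap_search_base value into (base, scope, filter) triples.

    Components are separated by '?', three per search base. A missing
    scope defaults to "subtree" and a missing or trailing filter to "",
    so 'dc=example,dc=com' and 'dc=example,dc=com?subtree?' parse alike.
    Assumption: the filters themselves never contain '?'.
    """
    parts = [p.strip() for p in value.split("?")]
    while len(parts) % 3:  # pad omitted trailing scope/filter slots
        parts.append("")
    bases = []
    for i in range(0, len(parts), 3):
        base, scope, flt = parts[i], parts[i + 1] or "subtree", parts[i + 2]
        if not base:
            raise ValueError("empty search base in %r" % value)
        if scope not in VALID_SCOPES:
            raise ValueError("invalid scope %r in %r" % (scope, value))
        if flt and not (flt.startswith("(") and flt.endswith(")")):
            raise ValueError("filter must be parenthesised: %r" % flt)
        bases.append(SearchBase(base, scope, flt))
    return bases


def canonical(bases: List[SearchBase]) -> str:
    """Render triples back in the explicit 'base?scope?filter' form."""
    return "?".join("%s?%s?%s" % b for b in bases)


if __name__ == "__main__":
    for v in ("dc=example,dc=com",
              "cn=host_specific,dc=example,dc=com?subtree?(host=thishost)"
              "?dc=example,dc=com?subtree?"):
        print(v, "->", parse_search_base(v))
```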
<varlistentry>
<listitem>
Specifies the Schema Type in use on the target LDAP server.
Depending on the selected schema, the default
attribute names retrieved from the servers may vary.
The way that some attributes are handled may also differ.
Four schema types are currently supported:
rfc2307bis
The main difference between these schema types is
how group memberships are recorded in the server.
With rfc2307, group members are listed by name in the
memberUid attribute.
With rfc2307bis and IPA, group members are listed by DN
in the member attribute.
The AD schema type sets the attributes to correspond with
Active Directory 2008r2 values.
Default: rfc2307
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The default bind DN to use for
performing LDAP operations.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The type of the authentication token of the
default bind DN.
The two mechanisms currently supported are:
obfuscated_password
Default: password
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The authentication token of the default bind DN.
Only clear text passwords are currently supported.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The object class of a user entry in LDAP.
Default: posixAccount
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The LDAP attribute that corresponds to the
user's login name.
Default: uid
</listitem>
</varlistentry>
<varlistentry>
<listitem>
supports nested groups (e.g. RFC2307bis), then
by ldap.conf)
Default: not set, i.e. service discovery is disabled
use server side access control, i.e. the LDAP
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_search_bases_experimental.xml" />
ldap_uri = ldap://ldap.mydomain.org