sssd-ldap.5.xml revision 74a7d5805499a95a868ab4f43f77d34ccf9854a3
3db86aab554edbb4244c8d1a1c90f152eee768afstevel<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
3db86aab554edbb4244c8d1a1c90f152eee768afstevel"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <refpurpose>the configuration file for SSSD</refpurpose>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </refnamediv>
11c2b4c0e543fe2e1e5910cde1f4422cc3218160rw This manual page describes the configuration of LDAP
3db86aab554edbb4244c8d1a1c90f152eee768afstevel domains for
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry>.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Refer to the <quote>FILE FORMAT</quote> section of the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry> manual page for detailed syntax information.</para>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel You can configure SSSD to use more than one LDAP domain.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel LDAP back end supports id, auth, access and chpass providers. If you want
3db86aab554edbb4244c8d1a1c90f152eee768afstevel to authenticate against an LDAP server either TLS/SSL or LDAPS
3db86aab554edbb4244c8d1a1c90f152eee768afstevel not</emphasis> support authentication over an unencrypted channel.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel If the LDAP server is used only as an identity provider, an encrypted
3db86aab554edbb4244c8d1a1c90f152eee768afstevel channel is not needed. Please refer to <quote>ldap_access_filter</quote>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel config option for more information about using LDAP as an access provider.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </refsect1>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel All of the common configuration options that apply to SSSD domains also apply
3db86aab554edbb4244c8d1a1c90f152eee768afstevel to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section of the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry> manual page for full details.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <variablelist>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the comma-separated list of URIs of the LDAP servers to which
3db86aab554edbb4244c8d1a1c90f152eee768afstevel SSSD should connect in the order of preference. Refer to the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <quote>FAILOVER</quote> section for more information on failover and server redundancy.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel If not specified, service discovery is enabled. For more information, refer
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The format of the URI must match the format defined in RFC 2732:
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap[s]://<host>[:port]
3db86aab554edbb4244c8d1a1c90f152eee768afstevel For explicit IPv6 addresses, <host> must be enclosed in brackets []
3db86aab554edbb4244c8d1a1c90f152eee768afstevel example: ldap://[fc00::126:25]:389
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the comma-separated list of URIs of the LDAP servers to
0d282d1376eb7ba06504448622a6d65726e4bd3erw which SSSD should connect in the order of preference
3db86aab554edbb4244c8d1a1c90f152eee768afstevel to change the password of a user. Refer to the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel on failover and server redundancy.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel To enable service discovery
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_chpass_dns_service_name must be set.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: empty, i.e. ldap_uri is used.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The default base DN to use for
3db86aab554edbb4244c8d1a1c90f152eee768afstevel performing LDAP user operations.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Starting with SSSD 1.7.0, SSSD supports multiple
3db86aab554edbb4244c8d1a1c90f152eee768afstevel search bases using the syntax:
3db86aab554edbb4244c8d1a1c90f152eee768afstevel search_base[?scope?[filter][?search_base?scope?[filter]]*]
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The scope can be one of "base", "onelevel" or "subtree".
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The filter must be a valid LDAP search filter as
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_search_base = dc=example,dc=com
3db86aab554edbb4244c8d1a1c90f152eee768afstevel (which is equivalent to)
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_search_base = dc=example,dc=com?subtree?
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree?
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Note: It is unsupported to have multiple search
3db86aab554edbb4244c8d1a1c90f152eee768afstevel bases which reference identically-named objects
3db86aab554edbb4244c8d1a1c90f152eee768afstevel (for example, groups with the same name in two
3db86aab554edbb4244c8d1a1c90f152eee768afstevel different search bases). This will lead to
3db86aab554edbb4244c8d1a1c90f152eee768afstevel unpredictable behavior on client machines.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: If not set, the value of the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel defaultNamingContext or namingContexts attribute
3db86aab554edbb4244c8d1a1c90f152eee768afstevel from the RootDSE of the LDAP server is
3db86aab554edbb4244c8d1a1c90f152eee768afstevel used. If defaultNamingContext does not exists or
3db86aab554edbb4244c8d1a1c90f152eee768afstevel has an empty value namingContexts is used.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The namingContexts attribute must have a
3db86aab554edbb4244c8d1a1c90f152eee768afstevel single value with the DN of the search base of the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel LDAP server to make this work. Multiple values are
3db86aab554edbb4244c8d1a1c90f152eee768afstevel are not supported.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the Schema Type in use on the target LDAP
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Depending on the selected schema, the default
3db86aab554edbb4244c8d1a1c90f152eee768afstevel attribute names retrieved from the servers may vary.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The way that some attributes are handled may also differ.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Three schema types are currently supported:
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The main difference between these schema types is
3db86aab554edbb4244c8d1a1c90f152eee768afstevel how group memberships are recorded in the server.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel With rfc2307, group members are listed by name in the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel With rfc2307bis and IPA, group members are listed by DN
3db86aab554edbb4244c8d1a1c90f152eee768afstevel and stored in the <emphasis>member</emphasis> attribute.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: rfc2307
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The default bind DN to use for
3db86aab554edbb4244c8d1a1c90f152eee768afstevel performing LDAP operations.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The type of the authentication token of the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel default bind DN.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The two mechanisms currently supported are:
3db86aab554edbb4244c8d1a1c90f152eee768afstevel obfuscated_password
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: password
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The authentication token of the default bind DN.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Only clear text passwords are currently supported.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The object class of a user entry in LDAP.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: posixAccount
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that corresponds to the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel user's login name.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: uid
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that corresponds to the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: uidNumber
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that corresponds to the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel user's primary group id.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: gidNumber
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that corresponds to the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel user's gecos field.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: gecos
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that contains the name of the user's
3db86aab554edbb4244c8d1a1c90f152eee768afstevel home directory.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: homeDirectory
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
11c2b4c0e543fe2e1e5910cde1f4422cc3218160rw <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that contains the path to the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel user's default shell.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: loginShell
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel an LDAP user object.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: nsUniqueId
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that contains timestamp of the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel last modification of the parent object.
11c2b4c0e543fe2e1e5910cde1f4422cc3218160rw Default: modifyTimestamp
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_pwd_policy=shadow, this parameter
3db86aab554edbb4244c8d1a1c90f152eee768afstevel contains the name of an LDAP attribute corresponding
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry> counterpart (date of the last
3db86aab554edbb4244c8d1a1c90f152eee768afstevel password change).
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: shadowLastChange
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_pwd_policy=shadow, this parameter
3db86aab554edbb4244c8d1a1c90f152eee768afstevel contains the name of an LDAP attribute corresponding
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry> counterpart (minimum password age).
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: shadowMin
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_pwd_policy=shadow, this parameter
3db86aab554edbb4244c8d1a1c90f152eee768afstevel contains the name of an LDAP attribute corresponding
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry> counterpart (maximum password age).
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: shadowMax
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_pwd_policy=shadow, this parameter
3db86aab554edbb4244c8d1a1c90f152eee768afstevel contains the name of an LDAP attribute corresponding
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
903a11ebdc8df157c4700150f41f1f262f4a8ae8rh </citerefentry> counterpart (password warning
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: shadowWarning
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_pwd_policy=shadow, this parameter
3db86aab554edbb4244c8d1a1c90f152eee768afstevel contains the name of an LDAP attribute corresponding
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry> counterpart (password inactivity
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: shadowInactive
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_pwd_policy=shadow or
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_account_expire_policy=shadow, this parameter
3db86aab554edbb4244c8d1a1c90f152eee768afstevel contains the name of an LDAP attribute corresponding
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry> counterpart (account expiration date).
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: shadowExpire
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_pwd_policy=mit_kerberos, this
3db86aab554edbb4244c8d1a1c90f152eee768afstevel parameter contains the name of an LDAP attribute
3db86aab554edbb4244c8d1a1c90f152eee768afstevel storing the date and time of last password change
3db86aab554edbb4244c8d1a1c90f152eee768afstevel in kerberos.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: krbLastPwdChange
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <term>ldap_user_krb_password_expiration (string)</term>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_pwd_policy=mit_kerberos, this
3db86aab554edbb4244c8d1a1c90f152eee768afstevel parameter contains the name of an LDAP attribute
193974072f41a843678abf5f61979c748687e66bSherry Moore storing the date and time when current password
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: krbPasswordExpiration
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore When using ldap_account_expire_policy=ad, this
3db86aab554edbb4244c8d1a1c90f152eee768afstevel parameter contains the name of an LDAP attribute
3db86aab554edbb4244c8d1a1c90f152eee768afstevel storing the expiration time of the account.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: accountExpires
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <term>ldap_user_ad_user_account_control (string)</term>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_account_expire_policy=ad, this
3db86aab554edbb4244c8d1a1c90f152eee768afstevel parameter contains the name of an LDAP attribute
193974072f41a843678abf5f61979c748687e66bSherry Moore storing the user account control bit field.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: userAccountControl
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_account_expire_policy=rhds or
3db86aab554edbb4244c8d1a1c90f152eee768afstevel equivalent, this parameter determines if access is
193974072f41a843678abf5f61979c748687e66bSherry Moore allowed or not.
193974072f41a843678abf5f61979c748687e66bSherry Moore Default: nsAccountLock
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_account_expire_policy=nds, this
3db86aab554edbb4244c8d1a1c90f152eee768afstevel attribute determines if access is allowed or not.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: loginDisabled
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <term>ldap_user_nds_login_expiration_time (string)</term>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_account_expire_policy=nds, this
3db86aab554edbb4244c8d1a1c90f152eee768afstevel attribute determines until which date access is
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: loginDisabled
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <term>ldap_user_nds_login_allowed_time_map (string)</term>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using ldap_account_expire_policy=nds, this
3db86aab554edbb4244c8d1a1c90f152eee768afstevel attribute determines the hours of a day in a week
3db86aab554edbb4244c8d1a1c90f152eee768afstevel when access is granted.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: loginAllowedTimeMap
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that contains the user's Kerberos
3db86aab554edbb4244c8d1a1c90f152eee768afstevel User Principal Name (UPN).
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: krbPrincipalName
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
11c2b4c0e543fe2e1e5910cde1f4422cc3218160rw <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Some directory servers, for example Active Directory,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel might deliver the realm part of the UPN in lower case,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel which might cause the authentication to fail. Set this
3db86aab554edbb4244c8d1a1c90f152eee768afstevel option to a non-zero value if you want to use an
3db86aab554edbb4244c8d1a1c90f152eee768afstevel upper-case realm.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: false
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore <varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore <term>ldap_enumeration_refresh_timeout (integer)</term>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that contains how many seconds
3db86aab554edbb4244c8d1a1c90f152eee768afstevel SSSD has to wait before refreshing its cache of
3db86aab554edbb4244c8d1a1c90f152eee768afstevel enumerated records.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: 300
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang Determine how often to check the cache for
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang inactive entries (such as groups with no
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang members and users who have never logged in) and
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang remove them to save space.
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang Setting this option to zero will disable the
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang cache cleanup operation.
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang Default: 10800 (12 hours)
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang </varlistentry>
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang <varlistentry>
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang The LDAP attribute that corresponds to the
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang user's full name.
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang </varlistentry>
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that lists the user's
3db86aab554edbb4244c8d1a1c90f152eee768afstevel group memberships.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: memberOf
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel If access_provider=ldap and
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_access_order=authorized_service, SSSD will
3db86aab554edbb4244c8d1a1c90f152eee768afstevel use the presence of the authorizedService
3db86aab554edbb4244c8d1a1c90f152eee768afstevel attribute in the user's LDAP entry to determine
3db86aab554edbb4244c8d1a1c90f152eee768afstevel access privilege.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel An explicit deny (!svc) is resolved first. Second,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel SSSD searches for explicit allow (svc) and finally
3db86aab554edbb4244c8d1a1c90f152eee768afstevel for allow_all (*).
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: authorizedService
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel If access_provider=ldap and
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_access_order=host, SSSD will use the presence
3db86aab554edbb4244c8d1a1c90f152eee768afstevel of the host attribute in the user's LDAP entry to
3db86aab554edbb4244c8d1a1c90f152eee768afstevel determine access privilege.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel An explicit deny (!host) is resolved first. Second,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel SSSD searches for explicit allow (host) and finally
3db86aab554edbb4244c8d1a1c90f152eee768afstevel for allow_all (*).
11c2b4c0e543fe2e1e5910cde1f4422cc3218160rw Default: host
11c2b4c0e543fe2e1e5910cde1f4422cc3218160rw </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The object class of a group entry in LDAP.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: posixGroup
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore The LDAP attribute that corresponds to
3db86aab554edbb4244c8d1a1c90f152eee768afstevel the group name.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: cn
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that corresponds to the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel group's id.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: gidNumber
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that contains the names of
3db86aab554edbb4244c8d1a1c90f152eee768afstevel the group's members.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: memberuid (rfc2307) / member (rfc2307bis)
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel an LDAP group object.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: nsUniqueId
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore The LDAP attribute that contains timestamp of the
193974072f41a843678abf5f61979c748687e66bSherry Moore last modification of the parent object.
193974072f41a843678abf5f61979c748687e66bSherry Moore Default: modifyTimestamp
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore <varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore <term>ldap_group_nesting_level (integer)</term>
b8a60a54bb33ac7b5184fd07e6a63ae6d365fd69rw If ldap_schema is set to a schema format that
193974072f41a843678abf5f61979c748687e66bSherry Moore supports nested groups (e.g. RFC2307bis), then
3db86aab554edbb4244c8d1a1c90f152eee768afstevel this option controls how many levels of nesting
3db86aab554edbb4244c8d1a1c90f152eee768afstevel SSSD will follow. This option has no effect on the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel RFC2307 schema.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
b8a60a54bb33ac7b5184fd07e6a63ae6d365fd69rw </varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore <varlistentry>
b8a60a54bb33ac7b5184fd07e6a63ae6d365fd69rw <listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The object class of a netgroup entry in LDAP.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: nisNetgroup
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that corresponds to
3db86aab554edbb4244c8d1a1c90f152eee768afstevel the netgroup name.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: cn
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore The LDAP attribute that contains the names of
3db86aab554edbb4244c8d1a1c90f152eee768afstevel the netgroup's members.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: memberNisNetgroup
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The LDAP attribute that contains the (host, user,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel domain) netgroup triples.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: nisNetgroupTriple
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel an LDAP netgroup object.
193974072f41a843678abf5f61979c748687e66bSherry Moore Default: nsUniqueId
193974072f41a843678abf5f61979c748687e66bSherry Moore </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore The LDAP attribute that contains timestamp of the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel last modification of the parent object.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: modifyTimestamp
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
193974072f41a843678abf5f61979c748687e66bSherry Moore </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the timeout (in seconds) that ldap
3db86aab554edbb4244c8d1a1c90f152eee768afstevel searches are allowed to run before they are
3db86aab554edbb4244c8d1a1c90f152eee768afstevel cancelled and cached results are returned (and
3db86aab554edbb4244c8d1a1c90f152eee768afstevel offline mode is entered)
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Note: this option is subject to change in future
3db86aab554edbb4244c8d1a1c90f152eee768afstevel versions of the SSSD. It will likely be replaced at
3db86aab554edbb4244c8d1a1c90f152eee768afstevel some point by a series of timeouts for specific
3db86aab554edbb4244c8d1a1c90f152eee768afstevel lookup types.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <term>ldap_enumeration_search_timeout (integer)</term>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the timeout (in seconds) that ldap
3db86aab554edbb4244c8d1a1c90f152eee768afstevel searches for user and group enumerations
3db86aab554edbb4244c8d1a1c90f152eee768afstevel are allowed to run before they are cancelled and
3db86aab554edbb4244c8d1a1c90f152eee768afstevel cached results are returned (and offline mode is
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: 60
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore Specifies the timeout (in seconds) after which
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel following a
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel returns in case of no activity.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies a timeout (in seconds) after which
3db86aab554edbb4244c8d1a1c90f152eee768afstevel calls to synchronous LDAP APIs will abort if no
3db86aab554edbb4244c8d1a1c90f152eee768afstevel response is received. Also controls the timeout
3db86aab554edbb4244c8d1a1c90f152eee768afstevel when communicating with the KDC in case of SASL bind.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specify the number of records to retrieve from
3db86aab554edbb4244c8d1a1c90f152eee768afstevel LDAP in a single request. Some LDAP servers
3db86aab554edbb4244c8d1a1c90f152eee768afstevel enforce a maximum limit per-request.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: 1000
193974072f41a843678abf5f61979c748687e66bSherry Moore </varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore <varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore Specify the number of group members that must be
3db86aab554edbb4244c8d1a1c90f152eee768afstevel missing from the internal cache in order to trigger
3db86aab554edbb4244c8d1a1c90f152eee768afstevel a dereference lookup. If less members are missing,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel they are looked up individually.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel You can turn off dereference lookups completely by
3db86aab554edbb4244c8d1a1c90f152eee768afstevel setting the value to 0.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel A dereference lookup is a means of fetching all
3db86aab554edbb4244c8d1a1c90f152eee768afstevel group members in a single LDAP call.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Different LDAP servers may implement different
3db86aab554edbb4244c8d1a1c90f152eee768afstevel dereference methods. The currently supported
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: 10
193974072f41a843678abf5f61979c748687e66bSherry Moore </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies what checks to perform on server
3db86aab554edbb4244c8d1a1c90f152eee768afstevel certificates in a TLS session, if any. It
3db86aab554edbb4244c8d1a1c90f152eee768afstevel can be specified as one of the following
3db86aab554edbb4244c8d1a1c90f152eee768afstevel not request or check any server certificate.
193974072f41a843678abf5f61979c748687e66bSherry Moore certificate is requested. If no certificate is
193974072f41a843678abf5f61979c748687e66bSherry Moore provided, the session proceeds normally. If a
193974072f41a843678abf5f61979c748687e66bSherry Moore bad certificate is provided, it will be ignored
193974072f41a843678abf5f61979c748687e66bSherry Moore and the session proceeds normally.
193974072f41a843678abf5f61979c748687e66bSherry Moore <emphasis>try</emphasis> = The server certificate
193974072f41a843678abf5f61979c748687e66bSherry Moore is requested. If no certificate is provided, the
193974072f41a843678abf5f61979c748687e66bSherry Moore session proceeds normally. If a bad certificate
3db86aab554edbb4244c8d1a1c90f152eee768afstevel is provided, the session is immediately terminated.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel certificate is requested. If no certificate
193974072f41a843678abf5f61979c748687e66bSherry Moore is provided, or a bad certificate is provided,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel the session is immediately terminated.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: hard
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the file that contains certificates for
193974072f41a843678abf5f61979c748687e66bSherry Moore all of the Certificate Authorities that
193974072f41a843678abf5f61979c748687e66bSherry Moore Default: use OpenLDAP defaults, typically in
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the path of a directory that contains
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Certificate Authority certificates in separate
3db86aab554edbb4244c8d1a1c90f152eee768afstevel individual files. Typically the file names need to
3db86aab554edbb4244c8d1a1c90f152eee768afstevel be the hash of the certificate followed by '.0'.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel can be used to create the correct names.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: use OpenLDAP defaults, typically in
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the file that contains the certificate
3db86aab554edbb4244c8d1a1c90f152eee768afstevel for the client's key.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: not set
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the file that contains the client's key.
193974072f41a843678abf5f61979c748687e66bSherry Moore Default: not set
193974072f41a843678abf5f61979c748687e66bSherry Moore </varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies acceptable cipher suites. Typically this
3db86aab554edbb4244c8d1a1c90f152eee768afstevel is a colon sperated list. See
193974072f41a843678abf5f61979c748687e66bSherry Moore <citerefentry><refentrytitle>ldap.conf</refentrytitle>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: use OpenLDAP defaults, typically in
193974072f41a843678abf5f61979c748687e66bSherry Moore </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies that the id_provider connection must also
3db86aab554edbb4244c8d1a1c90f152eee768afstevel use <systemitem class="protocol">tls</systemitem> to protect the channel.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: false
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specify the SASL mechanism to use.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Currently only GSSAPI is tested and supported.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: none
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specify the SASL authorization id to use.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When GSSAPI is used, this represents the Kerberos
3db86aab554edbb4244c8d1a1c90f152eee768afstevel principal used for authentication to the directory.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel If set to true, the LDAP library would perform
3db86aab554edbb4244c8d1a1c90f152eee768afstevel a reverse lookup to canonicalize the host name
3db86aab554edbb4244c8d1a1c90f152eee768afstevel during a SASL bind.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: false;
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: System keytab, normally <filename>/etc/krb5.keytab</filename>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies that the id_provider should init
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Kerberos credentials (TGT).
3db86aab554edbb4244c8d1a1c90f152eee768afstevel This action is performed only if SASL is used and
3db86aab554edbb4244c8d1a1c90f152eee768afstevel the mechanism selected is GSSAPI.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: true
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the lifetime in seconds of the TGT if
3db86aab554edbb4244c8d1a1c90f152eee768afstevel GSSAPI is used.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: 86400 (24 hours)
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the comma-separated list of IP addresses or hostnames
193974072f41a843678abf5f61979c748687e66bSherry Moore of the Kerberos servers to which SSSD should
3db86aab554edbb4244c8d1a1c90f152eee768afstevel connect in the order of preference. For more
193974072f41a843678abf5f61979c748687e66bSherry Moore information on failover and server redundancy,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel port number (preceded by a colon) may be appended to
3db86aab554edbb4244c8d1a1c90f152eee768afstevel the addresses or hostnames.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel If empty, service discovery is enabled -
3db86aab554edbb4244c8d1a1c90f152eee768afstevel for more information, refer to the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel When using service discovery for KDC or kpasswd servers,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel SSSD first searches for DNS entries that specify _udp as
3db86aab554edbb4244c8d1a1c90f152eee768afstevel the protocol and falls back to _tcp if none are found.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel earlier releases of SSSD. While the legacy name is recognized
3db86aab554edbb4244c8d1a1c90f152eee768afstevel for the time being, users are advised to migrate their config
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: System defaults, see <filename>/etc/krb5.conf</filename>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Select the policy to evaluate the password
3db86aab554edbb4244c8d1a1c90f152eee768afstevel expiration on the client side. The following values
3db86aab554edbb4244c8d1a1c90f152eee768afstevel are allowed:
3db86aab554edbb4244c8d1a1c90f152eee768afstevel client side. This option cannot disable server-side
3db86aab554edbb4244c8d1a1c90f152eee768afstevel password policies.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel attributes to evaluate if the password has expired.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Note that the current version of sssd cannot
3db86aab554edbb4244c8d1a1c90f152eee768afstevel update this attribute during a password change.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <emphasis>mit_kerberos</emphasis> - Use the attributes
3db86aab554edbb4244c8d1a1c90f152eee768afstevel used by MIT Kerberos to determine if the password has
193974072f41a843678abf5f61979c748687e66bSherry Moore expired. Use chpass_provider=krb5 to update these
3db86aab554edbb4244c8d1a1c90f152eee768afstevel attributes when the password is changed.
193974072f41a843678abf5f61979c748687e66bSherry Moore Default: none
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies whether automatic referral chasing should
3db86aab554edbb4244c8d1a1c90f152eee768afstevel be enabled.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Please note that sssd only supports referral chasing
193974072f41a843678abf5f61979c748687e66bSherry Moore when it is compiled with OpenLDAP version 2.4.13 or
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: true
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the service name to use when service
3db86aab554edbb4244c8d1a1c90f152eee768afstevel discovery is enabled.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: ldap
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies the service name to use to find an LDAP
193974072f41a843678abf5f61979c748687e66bSherry Moore server which allows password changes when service
193974072f41a843678abf5f61979c748687e66bSherry Moore discovery is enabled.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: not set, i.e. service discovery is disabled
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel If using access_provider = ldap, this option is
3db86aab554edbb4244c8d1a1c90f152eee768afstevel mandatory. It specifies an LDAP search filter
3db86aab554edbb4244c8d1a1c90f152eee768afstevel criteria that must be met for the user to be
3db86aab554edbb4244c8d1a1c90f152eee768afstevel granted access on this host. If
3db86aab554edbb4244c8d1a1c90f152eee768afstevel access_provider = ldap and this option is
193974072f41a843678abf5f61979c748687e66bSherry Moore not set, it will result in all users being
193974072f41a843678abf5f61979c748687e66bSherry Moore denied access. Use access_provider = allow to
3db86aab554edbb4244c8d1a1c90f152eee768afstevel change this default behavior.
193974072f41a843678abf5f61979c748687e66bSherry Moore <programlisting>
193974072f41a843678abf5f61979c748687e66bSherry Mooreaccess_provider = ldap
3db86aab554edbb4244c8d1a1c90f152eee768afstevelldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </programlisting>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel This example means that access to this host is
3db86aab554edbb4244c8d1a1c90f152eee768afstevel restricted to members of the "allowedusers" group
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Offline caching for this feature is limited to
193974072f41a843678abf5f61979c748687e66bSherry Moore determining whether the user's last online login
3db86aab554edbb4244c8d1a1c90f152eee768afstevel was granted access permission. If they were
3db86aab554edbb4244c8d1a1c90f152eee768afstevel granted access during their last login, they will
3db86aab554edbb4244c8d1a1c90f152eee768afstevel continue to be granted access while offline and
3db86aab554edbb4244c8d1a1c90f152eee768afstevel vice-versa.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: Empty
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
193974072f41a843678abf5f61979c748687e66bSherry Moore With this option a client side evaluation of
3db86aab554edbb4244c8d1a1c90f152eee768afstevel access control attributes can be enabled.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Please note that it is always recommended to
3db86aab554edbb4244c8d1a1c90f152eee768afstevel use server side access control, i.e. the LDAP
3db86aab554edbb4244c8d1a1c90f152eee768afstevel server should deny the bind request with a
3db86aab554edbb4244c8d1a1c90f152eee768afstevel suitable error code even if the password is
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The following values are allowed:
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_user_shadow_expire to determine if the account
3db86aab554edbb4244c8d1a1c90f152eee768afstevel is expired.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel field ldap_user_ad_user_account_control and allow
3db86aab554edbb4244c8d1a1c90f152eee768afstevel access if the second bit is not set. If the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel attribute is missing access is granted. Also the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel expiration time of the account is checked.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel use the value of ldap_ns_account_lock to check if
3db86aab554edbb4244c8d1a1c90f152eee768afstevel access is allowed or not.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_user_nds_login_allowed_time_map,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_user_nds_login_disabled and
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_user_nds_login_expiration_time are used to
3db86aab554edbb4244c8d1a1c90f152eee768afstevel check if access is allowed. If both attributes are
3db86aab554edbb4244c8d1a1c90f152eee768afstevel missing access is granted.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/experimental.xml" />
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: Empty
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Comma separated list of access control options.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Allowed values are:
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_account_expire_policy
3db86aab554edbb4244c8d1a1c90f152eee768afstevel the authorizedService attribute to determine
3db86aab554edbb4244c8d1a1c90f152eee768afstevel to determine access
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: filter
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Please note that it is a configuration error if a
3db86aab554edbb4244c8d1a1c90f152eee768afstevel value is used more than once.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Specifies how alias dereferencing is done when
3db86aab554edbb4244c8d1a1c90f152eee768afstevel performing a search. The following options are
3db86aab554edbb4244c8d1a1c90f152eee768afstevel dereferenced.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel dereferenced in subordinates of the base object,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel but not in locating the base object of the search.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel dereferenced when locating the base object of the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel dereferenced both in searching and in locating the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel base object of the search.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: Empty (this is handled as
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </variablelist>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </refsect1>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel These options are supported by LDAP domains, but they should be used
3db86aab554edbb4244c8d1a1c90f152eee768afstevel with caution. Please include them in your configuration only if you
3db86aab554edbb4244c8d1a1c90f152eee768afstevel know what you are doing.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <variablelist>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel An optional base DN to restrict netgroup searches
3db86aab554edbb4244c8d1a1c90f152eee768afstevel to a specific subtree.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel information about configuring multiple search
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: the value of
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel An optional base DN to restrict user searches
3db86aab554edbb4244c8d1a1c90f152eee768afstevel to a specific subtree.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel information about configuring multiple search
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: the value of
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel An optional base DN to restrict group searches
3db86aab554edbb4244c8d1a1c90f152eee768afstevel to a specific subtree.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel information about configuring multiple search
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: the value of
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel This option specifies an additional LDAP search
3db86aab554edbb4244c8d1a1c90f152eee768afstevel filter criteria that restrict user searches.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel favor of the syntax used by ldap_user_search_base.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: not set
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <programlisting>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </programlisting>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel This filter would restrict user searches to users
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel This option specifies an additional LDAP search
3db86aab554edbb4244c8d1a1c90f152eee768afstevel filter criteria that restrict group searches.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel favor of the syntax used by ldap_group_search_base.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel Default: not set
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </listitem>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </varlistentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </variablelist>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </refsect1>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The following example assumes that SSSD is correctly
3db86aab554edbb4244c8d1a1c90f152eee768afstevel configured and LDAP is set to one of the domains in the
3db86aab554edbb4244c8d1a1c90f152eee768afstevel<programlisting>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel id_provider = ldap
3db86aab554edbb4244c8d1a1c90f152eee768afstevel auth_provider = ldap
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_uri = ldap://ldap.mydomain.org
193974072f41a843678abf5f61979c748687e66bSherry Moore ldap_search_base = dc=mydomain,dc=org
3db86aab554edbb4244c8d1a1c90f152eee768afstevel ldap_tls_reqcert = demand
3db86aab554edbb4244c8d1a1c90f152eee768afstevel cache_credentials = true
3db86aab554edbb4244c8d1a1c90f152eee768afstevel enumerate = true
3db86aab554edbb4244c8d1a1c90f152eee768afstevel</programlisting>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </refsect1>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel The descriptions of some of the configuration options in this manual
3db86aab554edbb4244c8d1a1c90f152eee768afstevel page are based on the <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry> manual page from the OpenLDAP 2.4 distribution.
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </refsect1>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry>,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry>,
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </citerefentry>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel </refsect1>
3db86aab554edbb4244c8d1a1c90f152eee768afstevel</reference>