SSSD-LDAP(5)              File Formats and Conventions              SSSD-LDAP(5)

NAME
   sssd-ldap - SSSD LDAP provider

DESCRIPTION
   This manual page describes the configuration of LDAP domains for
   sssd(8). Refer to the “FILE FORMAT” section of the sssd.conf(5) manual
   page for detailed syntax information.

   You can configure SSSD to use more than one LDAP domain.

   The LDAP back end supports the id, auth, access and chpass providers. If
   you want to authenticate against an LDAP server, either TLS/SSL or LDAPS
   is required: sssd does not support authentication over an unencrypted
   channel. If the LDAP server is used only as an identity provider, an
   encrypted channel is not required, but identity lookups (and the bind
   password of ldap_default_bind_dn, if one is configured) then cross the
   network in clear text; see “ldap_id_use_start_tls”. Please refer to the
   “ldap_access_filter” config option for more information about using
   LDAP as an access provider.

CONFIGURATION OPTIONS
   All of the common configuration options that apply to SSSD domains also
   apply to LDAP domains. Refer to the “DOMAIN SECTIONS” section of the
   sssd.conf(5) manual page for full details.

   ldap_uri, ldap_backup_uri (string)
       Specifies the comma-separated list of URIs of the LDAP servers to
       which SSSD should connect, in order of preference. Refer to the
       “FAILOVER” section for more information on failover and server
       redundancy. If neither option is specified, service discovery is
       enabled. For more information, refer to the “SERVICE DISCOVERY”
       section.

       The format of the URI must match the format defined in RFC 2732:

           ldap[s]://<host>[:port]

       For explicit IPv6 addresses, <host> must be enclosed in brackets []

       example: ldap://[fc00::126:25]:389

   ldap_chpass_uri, ldap_chpass_backup_uri (string)
       Specifies the comma-separated list of URIs of the LDAP servers to
       which SSSD should connect, in order of preference, to change the
       password of a user. Refer to the “FAILOVER” section for more
       information on failover and server redundancy.

       To enable service discovery, ldap_chpass_dns_service_name must be
       set.

       Default: empty, i.e. ldap_uri is used.

   ldap_search_base (string)
       The default base DN to use for performing LDAP user operations.

       Starting with SSSD 1.7.0, SSSD supports multiple search bases using
       the syntax:

           search_base[?scope?[filter][?search_base?scope?[filter]]*]

       The scope can be one of "base", "onelevel" or "subtree".

       The filter must be a valid LDAP search filter as specified by
       http://www.ietf.org/rfc/rfc2254.txt

       Examples:

           ldap_search_base = dc=example,dc=com (which is equivalent to)
           ldap_search_base = dc=example,dc=com?subtree?

           ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example,dc=com?subtree?

       Note: It is unsupported to have multiple search bases which
       reference identically-named objects (for example, groups with the
       same name in two different search bases). This will lead to
       unpredictable behavior on client machines.

       Default: If not set, the value of the defaultNamingContext or
       namingContexts attribute from the RootDSE of the LDAP server is
       used. If defaultNamingContext does not exist or has an empty value,
       namingContexts is used. The namingContexts attribute must have a
       single value with the DN of the search base of the LDAP server to
       make this work. Multiple values are not supported.

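       The multi-base syntax above is easy to get wrong (a stray “?”, a
       filter without parentheses, a mistyped scope), and a filter on any
       base has a side effect documented elsewhere on this page: it
       disables the dereference optimisation (see “ldap_deref_threshold”).
       The parser below is an added example, not code from SSSD. It splits
       a value into (base, scope, filter) triples, maps each scope to its
       RFC 4511 value and rejects malformed input. Its tolerance of a
       missing trailing “?” after the scope, and its treatment of an empty
       scope as subtree, are assumptions of the example.

```python
from dataclasses import dataclass

# RFC 4511 section 4.5.1.2 scope values: baseObject(0), singleLevel(1), wholeSubtree(2)
SCOPES = {"base": 0, "onelevel": 1, "subtree": 2}


@dataclass(frozen=True)
class SearchBase:
    base: str
    scope: str = "subtree"
    filter: str = ""

    @property
    def rfc4511_scope(self) -> int:
        return SCOPES[self.scope]


def _check_filter(flt: str) -> None:
    """Cheap sanity check only: a non-empty filter must be a parenthesised,
    balanced expression. Full RFC 2254 grammar validation is left to the
    LDAP library that eventually sends the search."""
    if not flt:
        return
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {flt!r}")
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced parentheses in filter: {flt!r}")
    if depth != 0:
        raise ValueError(f"unbalanced parentheses in filter: {flt!r}")


def parse_search_base(value: str) -> list:
    """Split an ldap_*_search_base value into SearchBase triples.

    '?' is the delimiter of the syntax, so neither a DN nor a filter may
    contain one. A bare DN means '<dn>?subtree?'. A missing trailing '?'
    after the scope ('<dn>?onelevel') is tolerated here (assumption; the
    documented form always carries it).
    """
    value = value.strip()
    if not value:
        raise ValueError("empty search base")
    tokens = value.split("?")
    if len(tokens) == 1:                 # bare DN == "<dn>?subtree?"
        tokens += ["subtree", ""]
    elif len(tokens) % 3 == 2:           # "<dn>?<scope>" without trailing '?'
        tokens.append("")
    if len(tokens) % 3 != 0:
        raise ValueError(f"malformed search base: {value!r}")

    bases = []
    for i in range(0, len(tokens), 3):
        base, scope, flt = (t.strip() for t in tokens[i:i + 3])
        if "=" not in base:
            raise ValueError(f"not a DN: {base!r}")
        scope = scope.lower() or "subtree"   # empty scope treated as subtree (assumption)
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}; use base, onelevel or subtree")
        _check_filter(flt)
        bases.append(SearchBase(base, scope, flt))
    return bases


def uses_filter(bases) -> bool:
    """True if any base carries a filter; per the man page this disables the
    dereference optimisation (see ldap_deref_threshold)."""
    return any(b.filter for b in bases)
```

       Run it over every ldap_*_search_base value in sssd.conf before
       deploying; the second documented example above yields two bases,
       the first carrying the (host=thishost) filter.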
   ldap_schema (string)
       Specifies the Schema Type in use on the target LDAP server.
       Depending on the selected schema, the default attribute names
       retrieved from the servers may vary. The way that some attributes
       are handled may also differ.

       Four schema types are currently supported:

       · rfc2307

       · rfc2307bis

       · IPA

       · AD

       The main difference between these schema types is how group
       memberships are recorded in the server. With rfc2307, group members
       are listed by name in the memberUid attribute. With rfc2307bis and
       IPA, group members are listed by DN and stored in the member
       attribute. The AD schema type sets the attributes to correspond
       with Active Directory 2008r2 values.

       Default: rfc2307

   ldap_default_bind_dn (string)
       The default bind DN to use for performing LDAP operations.

   ldap_default_authtok_type (string)
       The type of the authentication token of the default bind DN.

       The two mechanisms currently supported are:

           password

           obfuscated_password

       Default: password

   ldap_default_authtok (string)
       The authentication token of the default bind DN. Only clear text
       passwords are currently supported.

   ldap_user_object_class (string)
       The object class of a user entry in LDAP.

       Default: posixAccount

   ldap_user_name (string)
       The LDAP attribute that corresponds to the user's login name.

       Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)

   ldap_user_uid_number (string)
       The LDAP attribute that corresponds to the user's id.

       Default: uidNumber

   ldap_user_gid_number (string)
       The LDAP attribute that corresponds to the user's primary group id.

       Default: gidNumber

   ldap_user_primary_group (string)
       Active Directory primary group attribute for ID-mapping. Note that
       this attribute should only be set manually if you are running the
       “ldap” provider with ID mapping.

       Default: unset (LDAP), primaryGroupID (AD)

   ldap_user_gecos (string)
       The LDAP attribute that corresponds to the user's gecos field.

       Default: gecos

   ldap_user_home_directory (string)
       The LDAP attribute that contains the name of the user's home
       directory.

       Default: homeDirectory

   ldap_user_shell (string)
       The LDAP attribute that contains the path to the user's default
       shell.

       Default: loginShell

   ldap_user_uuid (string)
       The LDAP attribute that contains the UUID/GUID of an LDAP user
       object.

       Default: not set in the general case, objectGUID for AD and
       ipaUniqueID for IPA

   ldap_user_objectsid (string)
       The LDAP attribute that contains the objectSID of an LDAP user
       object. This is usually only necessary for Active Directory servers.

       Default: objectSid for Active Directory, not set for other servers.

   ldap_user_modify_timestamp (string)
       The LDAP attribute that contains the timestamp of the last
       modification of the parent object.

       Default: modifyTimestamp

   ldap_user_shadow_last_change (string)
       When using ldap_pwd_policy=shadow, this parameter contains the name
       of an LDAP attribute corresponding to its shadow(5) counterpart
       (date of the last password change).

       Default: shadowLastChange

   ldap_user_shadow_min (string)
       When using ldap_pwd_policy=shadow, this parameter contains the name
       of an LDAP attribute corresponding to its shadow(5) counterpart
       (minimum password age).

       Default: shadowMin

   ldap_user_shadow_max (string)
       When using ldap_pwd_policy=shadow, this parameter contains the name
       of an LDAP attribute corresponding to its shadow(5) counterpart
       (maximum password age).

       Default: shadowMax

   ldap_user_shadow_warning (string)
       When using ldap_pwd_policy=shadow, this parameter contains the name
       of an LDAP attribute corresponding to its shadow(5) counterpart
       (password warning period).

       Default: shadowWarning

   ldap_user_shadow_inactive (string)
       When using ldap_pwd_policy=shadow, this parameter contains the name
       of an LDAP attribute corresponding to its shadow(5) counterpart
       (password inactivity period).

       Default: shadowInactive

   ldap_user_shadow_expire (string)
       When using ldap_pwd_policy=shadow or
       ldap_account_expire_policy=shadow, this parameter contains the name
       of an LDAP attribute corresponding to its shadow(5) counterpart
       (account expiration date).

       Default: shadowExpire

   ldap_user_krb_last_pwd_change (string)
       When using ldap_pwd_policy=mit_kerberos, this parameter contains
       the name of an LDAP attribute storing the date and time of the last
       password change in Kerberos.

       Default: krbLastPwdChange

   ldap_user_krb_password_expiration (string)
       When using ldap_pwd_policy=mit_kerberos, this parameter contains
       the name of an LDAP attribute storing the date and time when the
       current password expires.

       Default: krbPasswordExpiration

   ldap_user_ad_account_expires (string)
       When using ldap_account_expire_policy=ad, this parameter contains
       the name of an LDAP attribute storing the expiration time of the
       account.

       Default: accountExpires

   ldap_user_ad_user_account_control (string)
       When using ldap_account_expire_policy=ad, this parameter contains
       the name of an LDAP attribute storing the user account control bit
       field.

       Default: userAccountControl

   ldap_ns_account_lock (string)
       When using ldap_account_expire_policy=rhds or equivalent, this
       parameter determines if access is allowed or not.

       Default: nsAccountLock

   ldap_user_nds_login_disabled (string)
       When using ldap_account_expire_policy=nds, this attribute
       determines if access is allowed or not.

       Default: loginDisabled

   ldap_user_nds_login_expiration_time (string)
       When using ldap_account_expire_policy=nds, this attribute
       determines until which date access is granted.

       Default: loginExpirationTime

   ldap_user_nds_login_allowed_time_map (string)
       When using ldap_account_expire_policy=nds, this attribute
       determines the hours of a day in a week when access is granted.

       Default: loginAllowedTimeMap

   ldap_user_principal (string)
       The LDAP attribute that contains the user's Kerberos User Principal
       Name (UPN).

       Default: krbPrincipalName

   ldap_user_extra_attrs (string)
       Comma-separated list of LDAP attributes that SSSD would fetch along
       with the usual set of user attributes.

       The list can either contain LDAP attribute names only, or
       colon-separated tuples of SSSD cache attribute name and LDAP
       attribute name. In case only the LDAP attribute name is specified,
       the attribute is saved to the cache verbatim. Using a custom SSSD
       attribute name might be required by environments that configure
       several SSSD domains with different LDAP schemas.

       Please note that several attribute names are reserved by SSSD,
       notably the “name” attribute. SSSD would report an error if any of
       the reserved attribute names is used as an extra attribute name.

       Examples:

           ldap_user_extra_attrs = telephoneNumber

       Save the “telephoneNumber” attribute from LDAP as “telephoneNumber”
       to the cache.

           ldap_user_extra_attrs = phone:telephoneNumber

       Save the “telephoneNumber” attribute from LDAP as “phone” to the
       cache.

       Default: not set

   ldap_user_ssh_public_key (string)
       The LDAP attribute that contains the user's SSH public keys.

       Default: sshPublicKey

   ldap_force_upper_case_realm (boolean)
       Some directory servers, for example Active Directory, might deliver
       the realm part of the UPN in lower case, which might cause the
       authentication to fail. Set this option to a non-zero value if you
       want to use an upper-case realm.

       Default: false

   ldap_enumeration_refresh_timeout (integer)
       Specifies how many seconds SSSD has to wait before refreshing its
       cache of enumerated records.

       Default: 300

   ldap_purge_cache_timeout (integer)
       Determines how often to check the cache for inactive entries (such
       as groups with no members and users who have never logged in) and
       remove them to save space.

       Setting this option to zero will disable the cache cleanup
       operation. Please note that if enumeration is enabled, the cleanup
       task is required in order to detect entries removed from the server
       and can't be disabled. By default, the cleanup task will run every
       3 hours with enumeration enabled.

       Default: 0 (disabled)

   ldap_user_fullname (string)
       The LDAP attribute that corresponds to the user's full name.

       Default: cn

   ldap_user_member_of (string)
       The LDAP attribute that lists the user's group memberships.

       Default: memberOf

   ldap_user_authorized_service (string)
       If access_provider=ldap and ldap_access_order=authorized_service,
       SSSD will use the presence of the authorizedService attribute in
       the user's LDAP entry to determine access privilege.

       An explicit deny (!svc) is resolved first. Second, SSSD searches
       for an explicit allow (svc) and finally for allow_all (*).

       Please note that the ldap_access_order configuration option must
       include “authorized_service” in order for the
       ldap_user_authorized_service option to work.

       Default: authorizedService

   ldap_user_authorized_host (string)
       If access_provider=ldap and ldap_access_order=host, SSSD will use
       the presence of the host attribute in the user's LDAP entry to
       determine access privilege.

       An explicit deny (!host) is resolved first. Second, SSSD searches
       for an explicit allow (host) and finally for allow_all (*).

       Please note that the ldap_access_order configuration option must
       include “host” in order for the ldap_user_authorized_host option to
       work.

       Default: host

   ldap_user_authorized_rhost (string)
       If access_provider=ldap and ldap_access_order=rhost, SSSD will use
       the presence of the rhost attribute in the user's LDAP entry to
       determine access privilege. The evaluation works like the host
       check.

       An explicit deny (!rhost) is resolved first. Second, SSSD searches
       for an explicit allow (rhost) and finally for allow_all (*).

       Please note that the ldap_access_order configuration option must
       include “rhost” in order for the ldap_user_authorized_rhost option
       to work.

       Default: rhost

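       The three rules above share one evaluation order. The code below is
       an added example, not SSSD's implementation, that applies it:
       explicit deny, then explicit allow, then “*”, with every rule named
       in ldap_access_order having to grant before access is allowed.
       Case-insensitive matching and stopping at the first denying rule are
       assumptions of the example; the USERS entries are constructed.

```python
"""Evaluate SSSD-style authorizedService / host / rhost access rules."""


def decide(values, requested, *, kind):
    """Apply the documented order for one rule: explicit deny '!x' first,
    then explicit allow 'x', then the allow_all entry '*', else deny.

    Matching is case-insensitive (assumption; make it exact if your
    directory is case-sensitive). Returns (allowed, reason)."""
    wanted = requested.casefold()
    vals = [v.strip() for v in values if v and v.strip()]
    for v in vals:
        if v.startswith("!") and v[1:].casefold() == wanted:
            return False, f"{kind}: explicit deny {v!r}"
    for v in vals:
        if v.casefold() == wanted:
            return True, f"{kind}: explicit allow {v!r}"
    if "*" in vals:
        return True, f"{kind}: allow_all '*'"
    return False, f"{kind}: no entry for {requested!r}"


# ldap_access_order rule name -> (default LDAP attribute, request-context key)
RULES = {
    "authorized_service": ("authorizedService", "service"),
    "host": ("host", "host"),
    "rhost": ("rhost", "rhost"),
}


def check_access(entry, access_order, ctx, attr_map=None):
    """Run the rules named in access_order (e.g. "host, authorized_service")
    against a user entry; every rule must allow (assumption: evaluation
    stops at the first denying rule). attr_map overrides the attribute a
    rule reads, mirroring a custom ldap_user_authorized_* setting.
    Returns (allowed, [reasons])."""
    attr_map = dict(attr_map or {})
    reasons = []
    for rule in (r.strip() for r in access_order.split(",") if r.strip()):
        if rule not in RULES:
            raise ValueError(f"unsupported rule in this example: {rule!r}")
        default_attr, ctx_key = RULES[rule]
        attr = attr_map.get(rule, default_attr)
        allowed, why = decide(entry.get(attr, []), ctx[ctx_key], kind=rule)
        reasons.append(why)
        if not allowed:
            return False, reasons
    return True, reasons


# Constructed sample entries (not from any real directory).
USERS = {
    "alice": {"authorizedService": ["!sshd", "*"], "host": ["web01.example.com"]},
    "bob":   {"authorizedService": ["sshd"], "host": ["*"], "rhost": ["!10.0.0.5", "*"]},
    "carol": {},   # no attributes at all: every rule denies
}
```

       Note that an entry with no attribute for a configured rule is denied,
       so adding “rhost” to ldap_access_order locks out every user whose
       entry has no rhost values until the directory is populated.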
   ldap_user_certificate (string)
       Name of the LDAP attribute containing the X509 certificate of the
       user.

       Default: userCertificate;binary

   ldap_user_email (string)
       Name of the LDAP attribute containing the email address of the
       user.

       Note: If an email address of a user conflicts with an email address
       or fully qualified name of another user, then SSSD will not be able
       to serve those users properly. If for some reason several users
       need to share the same email address then set this option to a
       nonexistent attribute name in order to disable user lookup/login by
       email.

       Default: mail

   ldap_group_object_class (string)
       The object class of a group entry in LDAP.

       Default: posixGroup

   ldap_group_name (string)
       The LDAP attribute that corresponds to the group name.

       Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)

   ldap_group_gid_number (string)
       The LDAP attribute that corresponds to the group's id.

       Default: gidNumber

   ldap_group_member (string)
       The LDAP attribute that contains the names of the group's members.

       Default: memberuid (rfc2307) / member (rfc2307bis)

   ldap_group_uuid (string)
       The LDAP attribute that contains the UUID/GUID of an LDAP group
       object.

       Default: not set in the general case, objectGUID for AD and
       ipaUniqueID for IPA

   ldap_group_objectsid (string)
       The LDAP attribute that contains the objectSID of an LDAP group
       object. This is usually only necessary for Active Directory servers.

       Default: objectSid for Active Directory, not set for other servers.

   ldap_group_modify_timestamp (string)
       The LDAP attribute that contains the timestamp of the last
       modification of the parent object.

       Default: modifyTimestamp

   ldap_group_type (integer)
       The LDAP attribute that contains an integer value indicating the
       type of the group and maybe other flags.

       This attribute is currently only used by the AD provider to
       determine if a group is a domain local group and has to be
       filtered out for trusted domains.

       Default: groupType in the AD provider, otherwise not set

   ldap_group_external_member (string)
       The LDAP attribute that references group members that are defined
       in an external domain. At the moment, only IPA's external members
       are supported.

       Default: ipaExternalMember in the IPA provider, otherwise unset.

   ldap_group_nesting_level (integer)
       If ldap_schema is set to a schema format that supports nested
       groups (e.g. rfc2307bis), then this option controls how many levels
       of nesting SSSD will follow. This option has no effect on the
       rfc2307 schema.

       Note: This option specifies the guaranteed level of nested groups
       to be processed for any lookup. However, nested groups beyond this
       limit may be returned if previous lookups already resolved the
       deeper nesting levels. Also, subsequent lookups for other groups
       may enlarge the result set of the original lookup if re-queried.

       If ldap_group_nesting_level is set to 0 then no nested groups are
       processed at all. However, when connected to Active Directory
       Server 2008 and later using “id_provider=ad” it is furthermore
       required to disable usage of Token-Groups by setting
       ldap_use_tokengroups to false in order to restrict group nesting.

       Default: 2

   ldap_groups_use_matching_rule_in_chain (boolean)
       This option tells SSSD to take advantage of an Active
       Directory-specific feature which may speed up group lookup
       operations on deployments with complex or deep nested groups.

       In most common cases, it is best to leave this option disabled. It
       generally only provides a performance increase on very complex
       nestings.

       If this option is enabled, SSSD will use it if it detects that the
       server supports it during initial connection. So "True" here
       essentially means "auto-detect".

       Note: This feature is currently known to work only with Active
       Directory 2008 R1 and later. See MSDN(TM) documentation[1] for more
       details.

       Default: False

   ldap_initgroups_use_matching_rule_in_chain (boolean)
       This option tells SSSD to take advantage of an Active
       Directory-specific feature which might speed up initgroups
       operations (most notably when dealing with complex or deep nested
       groups).

       If this option is enabled, SSSD will use it if it detects that the
       server supports it during initial connection. So "True" here
       essentially means "auto-detect".

       Note: This feature is currently known to work only with Active
       Directory 2008 R1 and later. See MSDN(TM) documentation[1] for more
       details.

       Default: False

   ldap_use_tokengroups (boolean)
       This option enables or disables use of the Token-Groups attribute
       when performing initgroups for users from Active Directory Server
       2008 and later.

       Default: True for AD and IPA, otherwise False.

   ldap_netgroup_object_class (string)
       The object class of a netgroup entry in LDAP.

       In the IPA provider, ipa_netgroup_object_class should be used
       instead.

       Default: nisNetgroup

   ldap_netgroup_name (string)
       The LDAP attribute that corresponds to the netgroup name.

       In the IPA provider, ipa_netgroup_name should be used instead.

       Default: cn

   ldap_netgroup_member (string)
       The LDAP attribute that contains the names of the netgroup's
       members.

       In the IPA provider, ipa_netgroup_member should be used instead.

       Default: memberNisNetgroup

   ldap_netgroup_triple (string)
       The LDAP attribute that contains the (host, user, domain) netgroup
       triples.

       This option is not available in the IPA provider.

       Default: nisNetgroupTriple

   ldap_netgroup_modify_timestamp (string)
       The LDAP attribute that contains the timestamp of the last
       modification of the parent object.

       This option is not available in the IPA provider.

       Default: modifyTimestamp

   ldap_host_object_class (string)
       The object class of a host entry in LDAP.

       Default: ipHost

   ldap_host_name (string)
       The LDAP attribute that corresponds to the host's name.

       Default: cn

   ldap_host_fqdn (string)
       The LDAP attribute that corresponds to the host's fully-qualified
       domain name.

       Default: fqdn

   ldap_host_serverhostname (string)
       The LDAP attribute that corresponds to the host's server host name.

       Default: serverHostname

   ldap_host_member_of (string)
       The LDAP attribute that lists the host's group memberships.

       Default: memberOf

   ldap_host_search_base (string)
       Optional. Use the given string as search base for host objects.

       See “ldap_search_base” for information about configuring multiple
       search bases.

       Default: the value of ldap_search_base

   ldap_host_ssh_public_key (string)
       The LDAP attribute that contains the host's SSH public keys.

       Default: sshPublicKey

   ldap_host_uuid (string)
       The LDAP attribute that contains the UUID/GUID of an LDAP host
       object.

       Default: not set

   ldap_service_object_class (string)
       The object class of a service entry in LDAP.

       Default: ipService

   ldap_service_name (string)
       The LDAP attribute that contains the name of the service and its
       aliases.

       Default: cn

   ldap_service_port (string)
       The LDAP attribute that contains the port managed by this service.

       Default: ipServicePort

   ldap_service_proto (string)
       The LDAP attribute that contains the protocols understood by this
       service.

       Default: ipServiceProtocol

   ldap_service_search_base (string)
       An optional base DN, search scope and LDAP filter to restrict LDAP
       searches for this attribute type.

       syntax:

           search_base[?scope?[filter][?search_base?scope?[filter]]*]

       The scope can be one of "base", "onelevel" or "subtree". The scope
       functions as specified in section 4.5.1.2 of
       http://tools.ietf.org/html/rfc4511

       The filter must be a valid LDAP search filter as specified by
       http://www.ietf.org/rfc/rfc2254.txt

       For examples of this syntax, please refer to the “ldap_search_base”
       examples section.

       Default: the value of ldap_search_base

       Please note that specifying a scope or filter is not supported for
       searches against an Active Directory Server that might yield a
       large number of results and trigger the Range Retrieval extension
       in the response.

   ldap_search_timeout (integer)
       Specifies the timeout (in seconds) that LDAP searches are allowed
       to run before they are cancelled and cached results are returned
       (and offline mode is entered).

       Note: this option is subject to change in future versions of the
       SSSD. It will likely be replaced at some point by a series of
       timeouts for specific lookup types.

       Default: 6

   ldap_enumeration_search_timeout (integer)
       Specifies the timeout (in seconds) that LDAP searches for user and
       group enumerations are allowed to run before they are cancelled and
       cached results are returned (and offline mode is entered).

       Default: 60

   ldap_network_timeout (integer)
       Specifies the timeout (in seconds) after which the
       poll(2)/select(2) following a connect(2) returns in case of no
       activity.

       Default: 6

   ldap_opt_timeout (integer)
       Specifies a timeout (in seconds) after which calls to synchronous
       LDAP APIs will abort if no response is received. Also controls the
       timeout when communicating with the KDC in case of SASL bind, the
       timeout of an LDAP bind operation, the password change extended
       operation and the StartTLS operation.

       Default: 6

   ldap_connection_expire_timeout (integer)
       Specifies a timeout (in seconds) that a connection to an LDAP
       server will be maintained. After this time, the connection will be
       re-established. If used in parallel with SASL/GSSAPI, the sooner of
       the two values (this value vs. the TGT lifetime) will be used.

       Default: 900 (15 minutes)

   ldap_page_size (integer)
       Specify the number of records to retrieve from LDAP in a single
       request. Some LDAP servers enforce a maximum limit per request.

       Default: 1000

   ldap_disable_paging (boolean)
       Disable the LDAP paging control. This option should be used if the
       LDAP server reports that it supports the LDAP paging control in its
       RootDSE but it is not enabled or does not behave properly.

       Example: OpenLDAP servers with the paging control module installed
       on the server but not enabled will report it in the RootDSE but be
       unable to use it.

       Example: 389 DS has a bug where it can only support one paging
       control at a time on a single connection. On busy clients, this can
       result in some requests being denied.

       Default: False

   ldap_disable_range_retrieval (boolean)
       Disable Active Directory range retrieval.

       Active Directory limits the number of members to be retrieved in a
       single lookup using the MaxValRange policy (which defaults to 1500
       members). If a group contains more members, the reply would include
       an AD-specific range extension. This option disables parsing of the
       range extension, therefore large groups will appear as having no
       members.

       Default: False

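       To see what the range extension looks like on the wire, and why
       disabling it makes a large group look empty, here is an added
       example that is neither SSSD nor Active Directory code: a
       constructed stand-in for a domain controller that applies
       MaxValRange, and a client that follows member;range=<lo>-<hi>
       chunks until it receives the chunk whose upper bound is “*”.

```python
import re

# Attribute description carrying an AD range specifier, e.g. "member;range=0-1499"
# or the final chunk "member;range=3000-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_range(description):
    """Return (attribute, low, high) for a ranged description, high=None
    meaning '*' (the last chunk); None if the description is not ranged."""
    m = RANGE_RE.match(description)
    if not m:
        return None
    hi = m.group("hi")
    return m.group("attr"), int(m.group("lo")), (None if hi == "*" else int(hi))


def fake_ad_server(members, requested, max_val_range=1500):
    """Constructed stand-in for a DC answering one search for a group's
    'member' attribute; models the documented MaxValRange behaviour."""
    r = parse_range(requested)
    lo = r[1] if r else 0
    if r is None and len(members) <= max_val_range:
        return {"member": list(members)}        # small group: no range extension
    chunk = list(members[lo:lo + max_val_range])
    if lo + max_val_range >= len(members):
        return {f"member;range={lo}-*": chunk}  # '*' marks the last chunk
    return {f"member;range={lo}-{lo + len(chunk) - 1}": chunk}


def fetch_members(search, use_range_retrieval=True):
    """Collect every member of a group through a search callable
    (description -> {description: values}), following range chunks.
    With use_range_retrieval=False the ranged attribute is ignored, which
    is what ldap_disable_range_retrieval=True amounts to: a group above
    MaxValRange then appears to have no members."""
    collected = []
    request = "member"
    while True:
        response = search(request)
        if "member" in response:                 # whole attribute fitted in one reply
            return list(response["member"])
        ranged = []
        for description, values in response.items():
            parsed = parse_range(description)
            if parsed and parsed[0].lower() == "member":
                ranged.append((parsed, values))
        if not ranged or not use_range_retrieval:
            return collected
        (_, _lo, hi), values = ranged[0]
        collected.extend(values)
        if hi is None:
            return collected
        request = f"member;range={hi + 1}-*"


def fetch_with_trace(members, max_val_range=1500):
    """Run fetch_members against the stand-in DC and also return the
    sequence of attribute descriptions the client requested."""
    calls = []

    def search(description):
        calls.append(description)
        return fake_ad_server(members, description, max_val_range)

    return fetch_members(search), calls
```

       A 3200-member group needs three round trips (0-1499, 1500-2999,
       3000-*); a client that does not follow the range attribute sees the
       first reply, finds no plain member attribute, and returns nothing.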
   ldap_sasl_minssf (integer)
       When communicating with an LDAP server using SASL, specify the
       minimum security level necessary to establish the connection. The
       values of this option are defined by OpenLDAP.

       Default: Use the system default (usually specified by ldap.conf)

   ldap_deref_threshold (integer)
       Specify the number of group members that must be missing from the
       internal cache in order to trigger a dereference lookup. If fewer
       members are missing, they are looked up individually.

       You can turn off dereference lookups completely by setting the
       value to 0.

       A dereference lookup is a means of fetching all group members in a
       single LDAP call. Different LDAP servers may implement different
       dereference methods. The currently supported servers are 389/RHDS,
       OpenLDAP and Active Directory.

       Note: If any of the search bases specifies a search filter, then
       the dereference lookup performance enhancement will be disabled
       regardless of this setting.

       Default: 10

   ldap_tls_reqcert (string)
       Specifies what checks to perform on server certificates in a TLS
       session, if any. It can be specified as one of the following
       values:

       never = The client will not request or check any server
       certificate.

       allow = The server certificate is requested. If no certificate is
       provided, the session proceeds normally. If a bad certificate is
       provided, it will be ignored and the session proceeds normally.

       try = The server certificate is requested. If no certificate is
       provided, the session proceeds normally. If a bad certificate is
       provided, the session is immediately terminated.

       demand = The server certificate is requested. If no certificate is
       provided, or a bad certificate is provided, the session is
       immediately terminated.

       hard = Same as “demand”

       Note: “never” and “allow” accept any server, so an attacker on the
       network path can impersonate the directory and collect the bind
       credentials and passwords sent to it; “try” only helps if the
       server always presents a certificate. Keep the default and point
       ldap_tls_cacert (or ldap_tls_cacertdir) at the issuing CA instead.

       Default: hard

   ldap_tls_cacert (string)
       Specifies the file that contains certificates for all of the
       Certificate Authorities that sssd will recognize.

       Default: use OpenLDAP defaults, typically in
       /etc/openldap/ldap.conf

   ldap_tls_cacertdir (string)
       Specifies the path of a directory that contains Certificate
       Authority certificates in separate individual files. Typically the
       file names need to be the hash of the certificate followed by '.0'.
       If available, cacertdir_rehash can be used to create the correct
       names.

       Default: use OpenLDAP defaults, typically in
       /etc/openldap/ldap.conf

   ldap_tls_cert (string)
       Specifies the file that contains the certificate for the client's
       key.

       Default: not set

   ldap_tls_key (string)
       Specifies the file that contains the client's key.

       Default: not set

   ldap_tls_cipher_suite (string)
       Specifies acceptable cipher suites. Typically this is a colon
       separated list. See ldap.conf(5) for format.

       Default: use OpenLDAP defaults, typically in
       /etc/openldap/ldap.conf

   ldap_id_use_start_tls (boolean)
       Specifies that the id_provider connection must also use TLS to
       protect the channel.

       Default: false

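       Several of the transport options above combine into a small number
       of dangerous configurations: ldap:// without StartTLS on an
       id_provider connection that also binds with ldap_default_bind_dn,
       ldap_tls_reqcert set to never, allow or try, and a clear-text
       ldap_default_authtok. The linter below is an added example, not an
       SSSD tool; it reads an sssd.conf, reports those combinations and
       also enforces the RFC 2732 URI form from “ldap_uri”. SAMPLE_CONF is
       constructed and the severities are the example's own choice.

```python
import configparser
import re
from typing import List, NamedTuple

# RFC 2732 host literal: bracketed IPv6, or a hostname/IPv4, with optional :port.
URI_RE = re.compile(
    r"^(?P<scheme>ldaps?)://(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._-]+)(?::(?P<port>\d{1,5}))?/?$",
    re.IGNORECASE,
)
# ldap_tls_reqcert values that do not authenticate the server.
WEAK_REQCERT = {"never": "high", "allow": "high", "try": "medium"}


class Finding(NamedTuple):
    domain: str
    severity: str
    option: str
    message: str


def _uris(value):
    return [u.strip() for u in value.split(",") if u.strip()]


def lint_domain(name, sec) -> List[Finding]:
    """Check one [domain/...] section of sssd.conf for transport weaknesses."""
    out = []
    providers = {sec.get(k, "").strip().lower()
                 for k in ("id_provider", "auth_provider", "chpass_provider", "access_provider")}
    if "ldap" not in providers:
        return out

    uris = _uris(sec.get("ldap_uri", "")) + _uris(sec.get("ldap_backup_uri", ""))
    plaintext_scheme = False
    for uri in uris:
        m = URI_RE.match(uri)
        if not m:
            out.append(Finding(name, "high", "ldap_uri",
                               f"malformed URI {uri!r}: use ldap[s]://<host>[:port], IPv6 in []"))
            continue
        if m.group("scheme").lower() == "ldap":
            plaintext_scheme = True

    start_tls = sec.getboolean("ldap_id_use_start_tls", fallback=False)
    bind_dn = sec.get("ldap_default_bind_dn", "").strip()
    if plaintext_scheme and not start_tls:
        out.append(Finding(name, "high" if bind_dn else "medium", "ldap_id_use_start_tls",
                           "ldap:// without StartTLS: identity lookups"
                           + (" and the ldap_default_bind_dn password" if bind_dn else "")
                           + " cross the network in clear text"))

    reqcert = sec.get("ldap_tls_reqcert", "hard").strip().lower()
    if reqcert in WEAK_REQCERT:
        out.append(Finding(name, WEAK_REQCERT[reqcert], "ldap_tls_reqcert",
                           f"{reqcert!r} does not authenticate the server; an attacker on the "
                           "path can impersonate it (use demand/hard plus ldap_tls_cacert)"))

    if bind_dn and sec.get("ldap_default_authtok", "") \
            and sec.get("ldap_default_authtok_type", "password").strip().lower() == "password":
        out.append(Finding(name, "low", "ldap_default_authtok",
                           "clear-text bind password stored in sssd.conf; restrict file permissions"))
    return out


def lint_sssd_conf(text: str) -> List[Finding]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section.startswith("domain/"):
            findings.extend(lint_domain(section[len("domain/"):], cp[section]))
    return findings


# Constructed sample configuration: one weak domain, one hardened one.
SAMPLE_CONF = """
[sssd]
domains = weak, hardened
services = nss, pam

[domain/weak]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap1.example.com, ldap://fc00::126:25:389
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
ldap_default_bind_dn = cn=sssd,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = hunter2

[domain/hardened]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap1.example.com:636, ldap://[fc00::126:25]:389
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_id_use_start_tls = true
ldap_sasl_mech = GSSAPI
"""
```

       The weak domain produces four findings (unbracketed IPv6 literal,
       clear-text bind, reqcert allow, clear-text token); the hardened one
       produces none, because its only ldap:// URI is covered by
       ldap_id_use_start_tls.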
   ldap_id_mapping (boolean)
       Specifies that SSSD should attempt to map user and group IDs from
       the ldap_user_objectsid and ldap_group_objectsid attributes instead
       of relying on ldap_user_uid_number and ldap_group_gid_number.

       Currently this feature supports only Active Directory objectSID
       mapping.

       Default: false

   ldap_min_id, ldap_max_id (integer)
       Unlike SID-based ID mapping (used when ldap_id_mapping is set to
       true), the allowed ID range for ldap_user_uid_number and
       ldap_group_gid_number is unbounded. In a setup with
       sub/trusted-domains this might lead to ID collisions. To avoid
       collisions, ldap_min_id and ldap_max_id can be set to restrict the
       allowed range for the IDs which are read directly from the server.
       Sub-domains can then pick other ranges to map IDs.

       Default: not set (both options are set to 0)

   ldap_sasl_mech (string)
       Specify the SASL mechanism to use. Currently only GSSAPI is tested
       and supported.

       Default: not set

   ldap_sasl_authid (string)
       Specify the SASL authorization id to use. When GSSAPI is used, this
       represents the Kerberos principal used for authentication to the
       directory. This option can either contain the full principal (for
       example host/myhost@EXAMPLE.COM) or just the principal name (for
       example host/myhost). By default, the value is not set and the
       following principals are tried, in this order:

           hostname@REALM
           netbiosname$@REALM
           host/hostname@REALM
           *$@REALM
           host/*@REALM
           host/*

       If none of them are found, the first principal in the keytab is
       used.

       Default: host/hostname@REALM

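       The search order above decides which keytab entry SSSD binds with
       when ldap_sasl_authid is unset, which matters as soon as a keytab
       holds several service principals. This added example (not SSSD
       code) reproduces the order with shell-style wildcard matching over
       a constructed keytab list, and resolves an explicit ldap_sasl_authid
       against ldap_sasl_realm or krb5_realm. Requiring the chosen
       principal to be present in the keytab is the example's assumption.

```python
from fnmatch import fnmatchcase


def candidate_patterns(hostname, realm, netbios=None):
    """The documented search order for the SASL auth id when
    ldap_sasl_authid is unset; '*' is a wildcard."""
    patterns = [f"{hostname}@{realm}"]
    if netbios:
        patterns.append(f"{netbios}$@{realm}")
    patterns += [f"host/{hostname}@{realm}", f"*$@{realm}", f"host/*@{realm}", "host/*"]
    return patterns


def select_principal(keytab, hostname, realm, netbios=None, authid=None, sasl_realm=None):
    """Pick the principal SSSD would bind with.

    keytab: list of principal names as they appear in the keytab (constructed
    here; in practice the output of `klist -k`). If authid is given it is
    used as-is when it already carries '@REALM', otherwise '@' plus
    ldap_sasl_realm (or krb5_realm) is appended; the result must exist in
    the keytab or a KeyError is raised (assumption of this example: a
    principal missing from the keytab cannot bind)."""
    if not keytab:
        raise KeyError("keytab holds no principals")
    if authid:
        principal = authid if "@" in authid else f"{authid}@{sasl_realm or realm}"
        if principal not in keytab:
            raise KeyError(f"{principal} not present in keytab")
        return principal
    for pattern in candidate_patterns(hostname, realm, netbios):
        for principal in keytab:           # keytab order decides among wildcard matches
            if fnmatchcase(principal, pattern):
                return principal
    return keytab[0]                       # documented fallback: first principal in keytab
```

       With a keytab holding nfs/, host/ and machine-account principals
       for the same host, the machine account wins only when the NetBIOS
       name is known; otherwise host/<hostname>@REALM is chosen.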
   ldap_sasl_realm (string)
       Specify the SASL realm to use. When not specified, this option
       defaults to the value of krb5_realm. If the ldap_sasl_authid
       contains the realm as well, this option is ignored.

       Default: the value of krb5_realm.

   ldap_sasl_canonicalize (boolean)
       If set to true, the LDAP library would perform a reverse lookup to
       canonicalize the host name during a SASL bind.

       Default: false

   ldap_krb5_keytab (string)
       Specify the keytab to use when using SASL/GSSAPI.

       Default: System keytab, normally /etc/krb5.keytab

   ldap_krb5_init_creds (boolean)
       Specifies that the id_provider should init Kerberos credentials
       (TGT). This action is performed only if SASL is used and the
       mechanism selected is GSSAPI.

       Default: true

   ldap_krb5_ticket_lifetime (integer)
       Specifies the lifetime in seconds of the TGT if GSSAPI is used.

       Default: 86400 (24 hours)

   krb5_server, krb5_backup_server (string)
       Specifies the comma-separated list of IP addresses or hostnames of
       the Kerberos servers to which SSSD should connect, in order of
       preference. For more information on failover and server redundancy,
       see the “FAILOVER” section. An optional port number (preceded by a
       colon) may be appended to the addresses or hostnames. If empty,
       service discovery is enabled - for more information, refer to the
       “SERVICE DISCOVERY” section.

       When using service discovery for KDC or kpasswd servers, SSSD first
       searches for DNS entries that specify _udp as the protocol and
       falls back to _tcp if none are found.

       This option was named “krb5_kdcip” in earlier releases of SSSD.
       While the legacy name is recognized for the time being, users are
       advised to migrate their config files to use “krb5_server” instead.

   krb5_realm (string)
       Specify the Kerberos REALM (for SASL/GSSAPI auth).

       Default: System defaults, see /etc/krb5.conf

   krb5_canonicalize (boolean)
       Specifies if the host principal should be canonicalized when
       connecting to the LDAP server. This feature is available with MIT
       Kerberos >= 1.7

       Default: false

   krb5_use_kdcinfo (boolean)
       Specifies if SSSD should instruct the Kerberos libraries what
       realm and which KDCs to use. This option is on by default; if you
       disable it, you need to configure the Kerberos library using the
       krb5.conf(5) configuration file.

       See the sssd_krb5_locator_plugin(8) manual page for more
       information on the locator plugin.

       Default: true

   ldap_pwd_policy (string)
       Select the policy to evaluate the password expiration on the client
       side. The following values are allowed:

       none - No evaluation on the client side. This option cannot disable
       server-side password policies.

       shadow - Use shadow(5) style attributes to evaluate if the password
       has expired.

       mit_kerberos - Use the attributes used by MIT Kerberos to determine
       if the password has expired. Use chpass_provider=krb5 to update
       these attributes when the password is changed.

       Default: none

       Note: if a password policy is configured on the server side, it
       always takes precedence over the policy set with this option.

978 ldap_referrals (boolean)
979 Specifies whether automatic referral chasing should be enabled.
980
981 Please note that sssd only supports referral chasing when it is
982 compiled with OpenLDAP version 2.4.13 or higher.
983
984 Chasing referrals may incur a performance penalty in environments
985 that use them heavily, a notable example is Microsoft Active
986 Directory. If your setup does not in fact require the use of
987 referrals, setting this option to false might bring a noticeable
988 performance improvement.
989
990 Default: true
991
992 ldap_dns_service_name (string)
993 Specifies the service name to use when service discovery is
994 enabled.
995
996 Default: ldap
997
998 ldap_chpass_dns_service_name (string)
999 Specifies the service name to use to find an LDAP server which
1000 allows password changes when service discovery is enabled.
1001
1002 Default: not set, i.e. service discovery is disabled
1003
1004 ldap_chpass_update_last_change (boolean)
1005 Specifies whether to update the ldap_user_shadow_last_change
1006 attribute with days since the Epoch after a password change
1007 operation.
1008
1009 Default: False
1010
1011 ldap_access_filter (string)
1012 If using access_provider = ldap and ldap_access_order = filter
1013 (default), this option is mandatory. It specifies an LDAP search
1014 filter that the user's entry must match for the user to be granted
1015 access on this host. If access_provider = ldap, ldap_access_order =
1016 filter and this option is not set, all users are denied access. Use
1017 access_provider = permit to change this default behavior. Please
1018 note that this filter is applied to the LDAP user entry only, so
1019 filtering based on nested groups may not work (e.g. the memberOf
1020 attribute on AD entries points only to direct parents). If
1021 filtering based on nested groups is required, please see
1022 sssd-simple(5).
1023
1024 Example:
1025
1026 access_provider = ldap
1027 ldap_access_filter = (employeeType=admin)
1028
1029
1030 This example means that access to this host is restricted to users
1031 whose employeeType attribute is set to "admin".
1032
1033 Offline caching for this feature is limited to determining whether
1034 the user's last online login was granted access permission. If they
1035 were granted access during their last login, they will continue to
1036 be granted access while offline and vice versa.
1037
1038 Default: Empty
1039
1040 ldap_account_expire_policy (string)
1041 With this option a client side evaluation of access control
1042 attributes can be enabled.
1043
1044 Please note that it is always recommended to use server side access
1045 control, i.e. the LDAP server should deny the bind request with a
1046 suitable error code even if the password is correct.
1047
1048 The following values are allowed:
1049
1050 shadow: use the value of ldap_user_shadow_expire to determine if
1051 the account is expired.
1052
1053 ad: use the value of the 32-bit field
1054 ldap_user_ad_user_account_control (userAccountControl) and allow
1055 access if the second bit (0x2, ACCOUNTDISABLE) is not set. If the
1056 attribute is missing, access is granted. The expiration time of the account is checked as well.
1057
1058 rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if
1059 access is allowed or not.
1060
1061 nds: the values of ldap_user_nds_login_allowed_time_map,
1062 ldap_user_nds_login_disabled and
1063 ldap_user_nds_login_expiration_time are used to check if access is
1064 allowed. If these attributes are missing, access is granted.
1065 This is an experimental feature, please use
1066 https://pagure.io/SSSD/sssd/ to report any issues.
1067
1068 Please note that the ldap_access_order configuration option must
1069 include “expire” in order for the ldap_account_expire_policy option
1070 to work.
1071
1072 Default: Empty
1073
1074 ldap_access_order (string)
1075 Comma separated list of access control options. Allowed values are:
1076
1077 filter: use ldap_access_filter
1078
1079 lockout: use account locking. If set, this option denies access in
1080 case that ldap attribute 'pwdAccountLockedTime' is present and has
1081 value of '000001010000Z'. Please see the option ldap_pwdlockout_dn.
1082 Please note that 'access_provider = ldap' must be set for this
1083 feature to work.
1084
1085 Please note that this option is superseded by the “ppolicy” option
1086 and might be removed in a future release.
1087
1088 ppolicy: use account locking. If set, this option denies access in
1089 case that ldap attribute 'pwdAccountLockedTime' is present and has
1090 value of '000001010000Z' or represents any time in the past. The
1091 value of the 'pwdAccountLockedTime' attribute must end with 'Z',
1092 which denotes the UTC time zone. Other time zones are not currently
1093 supported and will result in "access-denied" when users attempt to
1094 log in. Please see the option ldap_pwdlockout_dn. Please note that
1095 'access_provider = ldap' must be set for this feature to work.
1096
1097 expire: use ldap_account_expire_policy
1098
1099 pwd_expire_policy_reject, pwd_expire_policy_warn,
1100 pwd_expire_policy_renew: These options are useful if users should
1101 be warned that their password is about to expire while
1102 authentication is based on a method other than passwords, for
1103 example SSH keys.
1104
1105 The difference between these options is the action taken if the
1106 user's password is expired: pwd_expire_policy_reject denies the
1107 login, pwd_expire_policy_warn still allows the login, and
1108 pwd_expire_policy_renew prompts the user to change the password
1109 immediately.
1110
1111 Note: if the user's password is expired, SSSD prints no explicit
1112 message.
1113
1114 Please note that 'access_provider = ldap' must be set for this
1115 feature to work. Also 'ldap_pwd_policy' must be set to an
1116 appropriate password policy.
1117
1118 authorized_service: use the authorizedService attribute to
1119 determine access
1120
1121 host: use the host attribute to determine access
1122
1123 rhost: use the rhost attribute to determine whether remote host can
1124 access
1125
1126 Please note that the PAM rhost field is set by the calling
1127 application; check what the application actually sends to PAM
1128 before enabling this access control option.
1129
1130 Default: filter
1131
1132 Please note that it is a configuration error if a value is used
1133 more than once.
1134
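The lockout, expiry and ordering rules described for ldap_access_order can be exercised locally. The Python below is an added example, not SSSD code: it walks the steps of a configured ldap_access_order that a client can evaluate on its own (ppolicy, and expire with the shadow and ad policies) against a constructed LDAP entry, and flags the configuration error of listing a step twice. The filter step is left out because it needs the server. The entry values, the reference time EXAMPLE_NOW and the helper names are constructed for the example; how SSSD treats a shadowExpire of 0 and the exact GeneralizedTime forms it accepts are assumptions noted in the comments.

```python
"""Client-side walk through the ldap_access_order steps that can be checked
locally: 'ppolicy' and 'expire' (shadow / ad policies).
Added example, not SSSD code; the 'filter' step needs the LDAP server."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EXAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
PPOLICY_LOCKED_FOREVER = "000001010000Z"      # ppolicy "locked by administrator" marker
AD_ACCOUNTDISABLE = 0x0002                    # second bit of userAccountControl
AD_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)    # accountExpires values meaning "never"
FILETIME_EPOCH_TICKS = 116444736000000000     # 100ns ticks from 1601-01-01 to 1970-01-01


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime 'YYYYMMDDHHMMSS[.fff]Z' into an aware datetime.
    Returns None if the value is not UTC ('Z') or cannot be parsed (assumption:
    only the full seconds form is accepted here)."""
    if not value.endswith("Z"):
        return None
    body = value[:-1].split(".")[0]
    try:
        return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def ppolicy_denies(locked_time, now):
    """'ppolicy' step: deny if pwdAccountLockedTime is the permanent-lock marker,
    lies in the past, or is not expressed in UTC (non-'Z' values deny)."""
    if locked_time is None:
        return False
    if locked_time == PPOLICY_LOCKED_FOREVER:
        return True
    when = parse_generalized_time(locked_time)
    return when is None or when <= now


def shadow_expired(shadow_expire, now):
    """'expire' step, policy 'shadow': shadowExpire is days since the epoch.
    Missing/empty or non-positive values are treated as 'never expires'
    (assumption: shadow(5) calls 0 ambiguous and -1/empty 'never')."""
    if shadow_expire in (None, ""):
        return False
    days = int(shadow_expire)
    if days <= 0:
        return False
    return days < (now - EPOCH).days


def ad_denies(user_account_control, account_expires, now):
    """'expire' step, policy 'ad': deny if ACCOUNTDISABLE is set or accountExpires
    (a Windows FILETIME) has passed. A missing userAccountControl grants access."""
    if user_account_control not in (None, "") and int(user_account_control) & AD_ACCOUNTDISABLE:
        return True
    if account_expires in (None, "") or int(account_expires) in AD_NEVER_EXPIRES:
        return False
    ticks = int(account_expires) - FILETIME_EPOCH_TICKS
    return EPOCH + timedelta(microseconds=ticks // 10) <= now


def access_order_problems(order):
    """Split ldap_access_order and report values listed more than once,
    which the man page calls a configuration error."""
    steps = [s.strip() for s in order.split(",") if s.strip()]
    problems = [f"'{s}' listed more than once" for s in sorted(set(steps)) if steps.count(s) > 1]
    return steps, problems


def evaluate_access(entry, order, expire_policy=None, now=None):
    """Walk the configured steps in order; the first denial wins.
    `entry` is a dict of attribute -> string value as fetched from LDAP."""
    now = now or datetime.now(timezone.utc)
    steps, problems = access_order_problems(order)
    if problems:
        raise ValueError("; ".join(problems))
    for step in steps:
        if step == "ppolicy":
            if ppolicy_denies(entry.get("pwdAccountLockedTime"), now):
                return False, "ppolicy: account locked"
        elif step == "expire":
            if expire_policy == "shadow":
                if shadow_expired(entry.get("shadowExpire"), now):
                    return False, "expire: shadowExpire has passed"
            elif expire_policy == "ad":
                if ad_denies(entry.get("userAccountControl"), entry.get("accountExpires"), now):
                    return False, "expire: AD account disabled or expired"
            else:
                raise ValueError("'expire' needs ldap_account_expire_policy = shadow or ad here")
        else:
            raise ValueError(f"'{step}' is not evaluated in this example")
    return True, "allowed"


if __name__ == "__main__":
    locked = {"uid": "bob", "pwdAccountLockedTime": PPOLICY_LOCKED_FOREVER}   # constructed
    fine = {"uid": "alice", "shadowExpire": "20000"}                           # constructed
    print(evaluate_access(locked, "ppolicy,expire", "shadow", EXAMPLE_NOW))
    print(evaluate_access(fine, "ppolicy,expire", "shadow", EXAMPLE_NOW))
```

The non-UTC case is the one worth testing before rollout: a pwdAccountLockedTime written with a numeric offset instead of Z denies every login, exactly as the option text warns.
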
1135 ldap_pwdlockout_dn (string)
1136 This option specifies the DN of the password policy entry on the
1137 LDAP server. Please note that if account lockout checking is
1138 enabled and this option is absent from sssd.conf, access is denied,
1139 because the ppolicy attributes on the LDAP server cannot be checked properly.
1140
1141 Example: cn=ppolicy,ou=policies,dc=example,dc=com
1142
1143 Default: cn=ppolicy,ou=policies,$ldap_search_base
1144
1145 ldap_deref (string)
1146 Specifies how alias dereferencing is done when performing a search.
1147 The following options are allowed:
1148
1149 never: Aliases are never dereferenced.
1150
1151 searching: Aliases are dereferenced in subordinates of the base
1152 object, but not in locating the base object of the search.
1153
1154 finding: Aliases are only dereferenced when locating the base
1155 object of the search.
1156
1157 always: Aliases are dereferenced both in searching and in locating
1158 the base object of the search.
1159
1160 Default: Empty (this is handled as never by the LDAP client
1161 libraries)
1162
1163 ldap_rfc2307_fallback_to_local_users (boolean)
1164 Allows retaining local users as members of an LDAP group for
1165 servers that use the RFC2307 schema.
1166
1167 In some environments where the RFC2307 schema is used, local users
1168 are made members of LDAP groups by adding their names to the
1169 memberUid attribute. The self-consistency of the domain is
1170 compromised when this is done, so SSSD would normally remove the
1171 "missing" users from the cached group memberships as soon as
1172 nsswitch tries to fetch information about the user via getpw*() or
1173 initgroups() calls.
1174
1175 This option falls back to checking if local users are referenced,
1176 and caches them so that later initgroups() calls will augment the
1177 local users with the additional LDAP groups.
1178
1179 Default: false
1180
1181 wildcard_limit (integer)
1182 Specifies an upper limit on the number of entries that are
1183 downloaded during a wildcard lookup.
1184
1185 At the moment, only the InfoPipe responder supports wildcard
1186 lookups.
1187
1188 Default: 1000 (often the size of one page)
1189
1190 SUDO OPTIONS
1191 The detailed instructions for configuration of sudo_provider are in the
1192 manual page sssd-sudo(5).
1193
1194 ldap_sudorule_object_class (string)
1195 The object class of a sudo rule entry in LDAP.
1196
1197 Default: sudoRole
1198
1199 ldap_sudorule_name (string)
1200 The LDAP attribute that corresponds to the sudo rule name.
1201
1202 Default: cn
1203
1204 ldap_sudorule_command (string)
1205 The LDAP attribute that corresponds to the command name.
1206
1207 Default: sudoCommand
1208
1209 ldap_sudorule_host (string)
1210 The LDAP attribute that corresponds to the host name (or host IP
1211 address, host IP network, or host netgroup)
1212
1213 Default: sudoHost
1214
1215 ldap_sudorule_user (string)
1216 The LDAP attribute that corresponds to the user name (or UID, group
1217 name or user's netgroup)
1218
1219 Default: sudoUser
1220
1221 ldap_sudorule_option (string)
1222 The LDAP attribute that corresponds to the sudo options.
1223
1224 Default: sudoOption
1225
1226 ldap_sudorule_runasuser (string)
1227 The LDAP attribute that corresponds to the user name that commands
1228 may be run as.
1229
1230 Default: sudoRunAsUser
1231
1232 ldap_sudorule_runasgroup (string)
1233 The LDAP attribute that corresponds to the group name or group GID
1234 that commands may be run as.
1235
1236 Default: sudoRunAsGroup
1237
1238 ldap_sudorule_notbefore (string)
1239 The LDAP attribute that corresponds to the start date/time for when
1240 the sudo rule is valid.
1241
1242 Default: sudoNotBefore
1243
1244 ldap_sudorule_notafter (string)
1245 The LDAP attribute that corresponds to the expiration date/time,
1246 after which the sudo rule will no longer be valid.
1247
1248 Default: sudoNotAfter
1249
1250 ldap_sudorule_order (string)
1251 The LDAP attribute that corresponds to the ordering index of the
1252 rule.
1253
1254 Default: sudoOrder
1255
1256 ldap_sudo_full_refresh_interval (integer)
1257 How many seconds SSSD will wait between executing a full refresh of
1258 sudo rules (which downloads all rules that are stored on the
1259 server).
1260
1261 The value must be greater than ldap_sudo_smart_refresh_interval.
1262
1263 Default: 21600 (6 hours)
1264
1265 ldap_sudo_smart_refresh_interval (integer)
1266 How many seconds SSSD waits between smart refreshes of sudo rules
1267 (which download only the rules whose USN is higher than the
1268 highest USN of the cached rules).
1269
1270 If USN attributes are not supported by the server, the
1271 modifyTimestamp attribute is used instead.
1272
1273 Default: 900 (15 minutes)
1274
1275 ldap_sudo_use_host_filter (boolean)
1276 If true, SSSD will download only rules that are applicable to this
1277 machine (using the IPv4 or IPv6 host/network addresses and
1278 hostnames).
1279
1280 Default: true
1281
1282 ldap_sudo_hostnames (string)
1283 Space separated list of hostnames or fully qualified domain names
1284 that should be used to filter the rules.
1285
1286 If this option is empty, SSSD will try to discover the hostname and
1287 the fully qualified domain name automatically.
1288
1289 If ldap_sudo_use_host_filter is false then this option has no
1290 effect.
1291
1292 Default: not specified
1293
1294 ldap_sudo_ip (string)
1295 Space separated list of IPv4 or IPv6 host/network addresses that
1296 should be used to filter the rules.
1297
1298 If this option is empty, SSSD will try to discover the addresses
1299 automatically.
1300
1301 If ldap_sudo_use_host_filter is false then this option has no
1302 effect.
1303
1304 Default: not specified
1305
1306 ldap_sudo_include_netgroups (boolean)
1307 If true then SSSD will download every rule that contains a netgroup
1308 in the sudoHost attribute.
1309
1310 If ldap_sudo_use_host_filter is false then this option has no
1311 effect.
1312
1313 Default: true
1314
1315 ldap_sudo_include_regexp (boolean)
1316 If true then SSSD will download every rule that contains a wildcard
1317 in the sudoHost attribute.
1318
1319 If ldap_sudo_use_host_filter is false then this option has no
1320 effect.
1321
1322 Default: true
1323
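The host filter options above decide which rules ever reach the client cache. As an added example, not SSSD's own code, the following Python builds the kind of sudoHost search filter those options imply: the literal ALL, the host's names, its addresses and the networks they belong to, netgroup references (+*) and values containing a wildcard, with every operator-supplied value escaped per RFC 4515 before it is embedded in the filter. The hostnames and addresses are constructed, the attribute name follows ldap_sudorule_host, and the exact shape of the wildcard term is an assumption.

```python
"""Build the sudoHost part of the sudo rule search filter applied when
ldap_sudo_use_host_filter = true. Added example; not SSSD's own code."""
import ipaddress


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter.
    NUL, '(', ')', '*', '\\' and every byte outside printable ASCII become \\XX."""
    out = []
    for b in value.encode("utf-8"):
        if b in (0x00, 0x28, 0x29, 0x2A, 0x5C) or b < 0x20 or b > 0x7E:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


def build_sudo_host_filter(hostnames, addresses, include_netgroups=True,
                           include_regexp=True, host_attr="sudoHost"):
    """Return an OR filter selecting the rules applicable to this host.

    hostnames : short names and FQDNs (ldap_sudo_hostnames)
    addresses : 'ip' or 'ip/prefix' strings (ldap_sudo_ip); a prefix adds the
                containing network in CIDR form and, for IPv4, netmask form
    include_netgroups / include_regexp mirror ldap_sudo_include_netgroups and
    ldap_sudo_include_regexp; the wildcard term's exact shape is an assumption.
    """
    terms = [f"({host_attr}=ALL)"]
    for name in hostnames:
        terms.append(f"({host_attr}={escape_filter_value(name)})")
    for addr in addresses:
        iface = ipaddress.ip_interface(addr)
        terms.append(f"({host_attr}={iface.ip})")
        net = iface.network
        if net.prefixlen < net.max_prefixlen:
            terms.append(f"({host_attr}={net.network_address}/{net.prefixlen})")
            if isinstance(net, ipaddress.IPv4Network):
                terms.append(f"({host_attr}={net.network_address}/{net.netmask})")
    if include_netgroups:
        terms.append(f"({host_attr}=+*)")          # any netgroup reference
    if include_regexp:
        terms.append(f"({host_attr}=*\\2a*)")      # any value containing a literal '*'
    return "(|" + "".join(terms) + ")"


if __name__ == "__main__":
    # constructed host identity: two names, one IPv4 interface with prefix, one IPv6 address
    print(build_sudo_host_filter(["web1", "web1.example.com"],
                                 ["10.0.0.5/24", "fc00::126:25"]))
```

Escaping matters because the hostnames come from configuration or discovery and are spliced into a filter string; an unescaped parenthesis or asterisk would change the meaning of the query rather than fail it.
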
1324 This manual page only describes attribute name mapping. For a
1325 detailed explanation of sudo related attribute semantics, see sudoers.ldap(5).
1326
1327 AUTOFS OPTIONS
1328 Some of the defaults for the parameters below are dependent on the LDAP
1329 schema.
1330
1331 ldap_autofs_map_master_name (string)
1332 The name of the automount master map in LDAP.
1333
1334 Default: auto.master
1335
1336 ldap_autofs_map_object_class (string)
1337 The object class of an automount map entry in LDAP.
1338
1339 Default: nisMap (rfc2307, autofs_provider=ad), otherwise
1340 automountMap
1341
1342 ldap_autofs_map_name (string)
1343 The name of an automount map entry in LDAP.
1344
1345 Default: nisMapName (rfc2307, autofs_provider=ad), otherwise
1346 automountMapName
1347
1348 ldap_autofs_entry_object_class (string)
1349 The object class of an automount entry in LDAP. The entry usually
1350 corresponds to a mount point.
1351
1352 Default: nisObject (rfc2307, autofs_provider=ad), otherwise
1353 automount
1354
1355 ldap_autofs_entry_key (string)
1356 The key of an automount entry in LDAP. The entry usually
1357 corresponds to a mount point.
1358
1359 Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey
1360
1361 ldap_autofs_entry_value (string)
1362 The value (mount information) of an automount entry in LDAP. The
1363 entry usually corresponds to a mount point.
1364
1365 Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise
1366 automountInformation
1367
1368 Please note that the automounter only reads the master map on startup,
1369 so if any autofs-related changes are made to the sssd.conf, you
1370 typically also need to restart the automounter daemon after restarting
1371 the SSSD.
1372
1373 ADVANCED OPTIONS
1374 These options are supported by LDAP domains, but they should be used
1375 with caution. Please include them in your configuration only if you
1376 know what you are doing.
1377
1378 ldap_netgroup_search_base (string)
1379 An optional base DN, search scope and LDAP filter to restrict LDAP
1380 searches for this attribute type.
1381
1382 syntax:
1383
1384 search_base[?scope?[filter][?search_base?scope?[filter]]*]
1385
1386 The scope can be one of "base", "onelevel" or "subtree". The scope
1387 functions as specified in section 4.5.1.2 of
1388 http://tools.ietf.org/html/rfc4511
1389
1390 The filter must be a valid LDAP search filter as specified by
1391 http://www.ietf.org/rfc/rfc2254.txt
1392
1393 For examples of this syntax, please refer to the “ldap_search_base”
1394 examples section.
1395
1396 Default: the value of ldap_search_base
1397
1398 Please note that specifying scope or filter is not supported for
1399 searches against an Active Directory Server that might yield a
1400 large number of results and trigger the Range Retrieval extension
1401 in the response.
1402
1403 ldap_user_search_base (string)
1404 An optional base DN, search scope and LDAP filter to restrict LDAP
1405 searches for this attribute type.
1406
1407 syntax:
1408
1409 search_base[?scope?[filter][?search_base?scope?[filter]]*]
1410
1411 The scope can be one of "base", "onelevel" or "subtree". The scope
1412 functions as specified in section 4.5.1.2 of
1413 http://tools.ietf.org/html/rfc4511
1414
1415 The filter must be a valid LDAP search filter as specified by
1416 http://www.ietf.org/rfc/rfc2254.txt
1417
1418 For examples of this syntax, please refer to the “ldap_search_base”
1419 examples section.
1420
1421 Default: the value of ldap_search_base
1422
1423 Please note that specifying scope or filter is not supported for
1424 searches against an Active Directory Server that might yield a
1425 large number of results and trigger the Range Retrieval extension
1426 in the response.
1427
1428 ldap_group_search_base (string)
1429 An optional base DN, search scope and LDAP filter to restrict LDAP
1430 searches for this attribute type.
1431
1432 syntax:
1433
1434 search_base[?scope?[filter][?search_base?scope?[filter]]*]
1435
1436 The scope can be one of "base", "onelevel" or "subtree". The scope
1437 functions as specified in section 4.5.1.2 of
1438 http://tools.ietf.org/html/rfc4511
1439
1440 The filter must be a valid LDAP search filter as specified by
1441 http://www.ietf.org/rfc/rfc2254.txt
1442
1443 For examples of this syntax, please refer to the “ldap_search_base”
1444 examples section.
1445
1446 Default: the value of ldap_search_base
1447
1448 Please note that specifying scope or filter is not supported for
1449 searches against an Active Directory Server that might yield a
1450 large number of results and trigger the Range Retrieval extension
1451 in the response.
1452
1453 Note
1454 If the option “ldap_use_tokengroups” is enabled, the searches
1455 against Active Directory will not be restricted and return all
1456 group memberships, even with no GID mapping. It is recommended to
1457 disable this feature if group names are not being displayed
1458 correctly.
1459
1460 ldap_sudo_search_base (string)
1461 An optional base DN, search scope and LDAP filter to restrict LDAP
1462 searches for this attribute type.
1463
1464 syntax:
1465
1466 search_base[?scope?[filter][?search_base?scope?[filter]]*]
1467
1468 The scope can be one of "base", "onelevel" or "subtree". The scope
1469 functions as specified in section 4.5.1.2 of
1470 http://tools.ietf.org/html/rfc4511
1471
1472 The filter must be a valid LDAP search filter as specified by
1473 http://www.ietf.org/rfc/rfc2254.txt
1474
1475 For examples of this syntax, please refer to the “ldap_search_base”
1476 examples section.
1477
1478 Default: the value of ldap_search_base
1479
1480 Please note that specifying scope or filter is not supported for
1481 searches against an Active Directory Server that might yield a
1482 large number of results and trigger the Range Retrieval extension
1483 in the response.
1484
1485 ldap_autofs_search_base (string)
1486 An optional base DN, search scope and LDAP filter to restrict LDAP
1487 searches for this attribute type.
1488
1489 syntax:
1490
1491 search_base[?scope?[filter][?search_base?scope?[filter]]*]
1492
1493 The scope can be one of "base", "onelevel" or "subtree". The scope
1494 functions as specified in section 4.5.1.2 of
1495 http://tools.ietf.org/html/rfc4511
1496
1497 The filter must be a valid LDAP search filter as specified by
1498 http://www.ietf.org/rfc/rfc2254.txt
1499
1500 For examples of this syntax, please refer to the “ldap_search_base”
1501 examples section.
1502
1503 Default: the value of ldap_search_base
1504
1505 Please note that specifying scope or filter is not supported for
1506 searches against an Active Directory Server that might yield a
1507 large number of results and trigger the Range Retrieval extension
1508 in the response.
1509
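The search_base?scope?filter syntax shared by the five options above is easy to get subtly wrong, and a malformed value changes what SSSD asks the server for. The following Python parser is an added example, not SSSD's own code: it splits a value into (base DN, scope, filter) triples, rejects unknown scopes, unbalanced filters and a dangling scope without its filter separator, and shows how a per-base filter narrows a lookup by being ANDed with the request filter. The default scope when none is given is assumed to be subtree, and the sample values are constructed.

```python
"""Parser for the 'search_base[?scope?[filter]]*' syntax used by the
ldap_*_search_base options. Added example; not SSSD's own code."""
from dataclasses import dataclass
from typing import List, Optional

SCOPES = ("base", "onelevel", "subtree")


@dataclass(frozen=True)
class SearchBase:
    base_dn: str
    scope: str
    filter: Optional[str]     # None when no filter restricts this base


def _balanced(flt: str) -> bool:
    """Sanity check: parentheses must nest and the filter must be one group."""
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0 and flt.startswith("(")


def parse_search_base(spec: str, default_scope: str = "subtree") -> List[SearchBase]:
    """Split 'base?scope?filter?base?scope?filter...' into SearchBase entries.
    A bare DN is allowed; otherwise the '?'-separated fields must form complete
    triples (the filter field may be empty, the scope field may not)."""
    fields = [f.strip() for f in spec.split("?")]
    if len(fields) != 1 and len(fields) % 3 != 0:
        raise ValueError(f"{spec!r}: fields do not form base?scope?filter triples")
    bases = []
    for i in range(0, len(fields), 3):
        base_dn = fields[i]
        if not base_dn:
            raise ValueError(f"{spec!r}: empty base DN")
        scope, flt = default_scope, None
        if len(fields) > 1:
            scope = fields[i + 1].lower()
            if scope not in SCOPES:
                raise ValueError(f"{spec!r}: scope must be one of {SCOPES}, got {scope!r}")
            flt = fields[i + 2] or None
            if flt is not None and not _balanced(flt):
                raise ValueError(f"{spec!r}: {flt!r} is not a single balanced LDAP filter")
        bases.append(SearchBase(base_dn, scope, flt))
    return bases


def is_valid_search_base(spec: str) -> bool:
    """Convenience wrapper for configuration checks."""
    try:
        parse_search_base(spec)
        return True
    except ValueError:
        return False


def lookup_filter(base: SearchBase, request_filter: str) -> str:
    """The configured restriction narrows, never widens, a lookup: it is ANDed
    with the filter for the object being requested."""
    if base.filter is None:
        return request_filter
    return f"(&{base.filter}{request_filter})"


if __name__ == "__main__":
    spec = ("ou=people,dc=example,dc=com?onelevel?(objectClass=posixAccount)"
            "?ou=svc,dc=example,dc=com?subtree?")          # constructed value
    for b in parse_search_base(spec):
        print(b, "->", lookup_filter(b, "(uid=alice)"))
```

Note that the second base in the constructed value has an empty filter field but still carries its trailing '?'; dropping that separator leaves two fields for the last base and is rejected rather than silently treated as a filter.
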
1510 FAILOVER
1511 The failover feature allows back ends to automatically switch to a
1512 different server if the current server fails.
1513
1514 Failover Syntax
1515 The list of servers is given as a comma-separated list; any number of
1516 spaces is allowed around the comma. The servers are listed in order of
1517 preference. The list can contain any number of servers.
1518
1519 For each failover-enabled config option, two variants exist: primary
1520 and backup. The idea is that servers in the primary list are preferred
1521 and backup servers are only searched if no primary servers can be
1522 reached. If a backup server is selected, a timeout of 31 seconds is
1523 set. After this timeout SSSD will periodically try to reconnect to one
1524 of the primary servers. If it succeeds, it will replace the current
1525 active (backup) server.
1526
1527 The Failover Mechanism
1528 The failover mechanism distinguishes between a machine and a service.
1529 The back end first tries to resolve the hostname of a given machine; if
1530 this resolution attempt fails, the machine is considered offline. No
1531 further attempts are made to connect to this machine for any other
1532 service. If the resolution attempt succeeds, the back end tries to
1533 connect to a service on this machine. If the service connection attempt
1534 fails, then only this particular service is considered offline and the
1535 back end automatically switches over to the next service. The machine
1536 is still considered online and might still be tried for another
1537 service.
1538
1539 Further connection attempts are made to machines or services marked as
1540 offline after a specified period of time; this is currently hard coded
1541 to 30 seconds.
1542
1543 If there are no more machines to try, the back end as a whole switches
1544 to offline mode, and then attempts to reconnect every 30 seconds.
1545
1546 Failover time outs and tuning
1547 Resolving a server to connect to can be as simple as running a single
1548 DNS query or can involve several steps, such as finding the correct
1549 site or trying out multiple host names in case some of the configured
1550 servers are not reachable. The more complex scenarios can take some
1551 time and SSSD needs to balance providing enough time to finish the
1552 resolution process against not trying for too long before falling
1553 back to offline mode. If the SSSD debug logs show that the server
1554 resolution is timing out before a live server is contacted, you can
1555 consider changing the time outs.
1556
1557 This section lists the available tunables. Please refer to their
1558 description in the sssd.conf(5) manual page.
1559
1560 dns_resolver_op_timeout
1561 How long SSSD talks to a single DNS server.
1562
1563 dns_resolver_timeout
1564 How long SSSD tries to resolve a failover service. This service
1565 resolution internally might include several steps, such as
1566 resolving DNS SRV queries or locating the site.
1567
1568 For LDAP-based providers, the resolve operation is performed as part of
1569 an LDAP connection operation. Therefore, the “ldap_opt_timeout”
1570 timeout should also be set to a larger value than “dns_resolver_timeout”,
1571 which in turn should be set to a larger value than
1572 “dns_resolver_op_timeout”.
1573
1574 SERVICE DISCOVERY
1575 The service discovery feature allows back ends to automatically find
1576 the appropriate servers to connect to using a special DNS query. This
1577 feature is not supported for backup servers.
1578
1579 Configuration
1580 If no servers are specified, the back end automatically uses service
1581 discovery to try to find a server. Optionally, the user may choose to
1582 use both fixed server addresses and service discovery by inserting a
1583 special keyword, “_srv_”, in the list of servers. The order of
1584 preference is maintained. This feature is useful if, for example, the
1585 user prefers to use service discovery whenever possible, and fall back
1586 to a specific server when no servers can be discovered using DNS.
1587
1588 The domain name
1589 Please refer to the “dns_discovery_domain” parameter in the
1590 sssd.conf(5) manual page for more details.
1591
1592 The protocol
1593 The queries usually specify _tcp as the protocol. Exceptions are
1594 documented in the respective option descriptions.
1595
1596 See Also
1597 For more information on the service discovery mechanism, refer to RFC
1598 2782.
1599
1600 ID MAPPING
1601 The ID-mapping feature allows SSSD to act as a client of Active
1602 Directory without requiring administrators to extend user attributes to
1603 support POSIX attributes for user and group identifiers.
1604
1605 NOTE: When ID-mapping is enabled, the uidNumber and gidNumber
1606 attributes are ignored. This is to avoid the possibility of conflicts
1607 between automatically-assigned and manually-assigned values. If you
1608 need to use manually-assigned values, ALL values must be
1609 manually-assigned.
1610
1611 Please note that changing the ID mapping related configuration options
1612 will cause user and group IDs to change. At the moment, SSSD does not
1613 support changing IDs, so the SSSD database must be removed. Because
1614 cached passwords are also stored in the database, removing the database
1615 should only be performed while the authentication servers are
1616 reachable, otherwise users might get locked out. In order to cache the
1617 password, an authentication must be performed. It is not sufficient to
1618 use sss_cache(8) to remove the database, rather the process consists
1619 of:
1620
1621 · Making sure the remote servers are reachable
1622
1623 · Stopping the SSSD service
1624
1625 · Removing the database
1626
1627 · Starting the SSSD service
1628
1629 Moreover, as the change of IDs might necessitate the adjustment of
1630 other system properties such as file and directory ownership, it's
1631 advisable to plan ahead and test the ID mapping configuration
1632 thoroughly.
1633
1634 Mapping Algorithm
1635 Active Directory provides an objectSID for every user and group object
1636 in the directory. This objectSID can be broken up into components that
1637 represent the Active Directory domain identity and the relative
1638 identifier (RID) of the user or group object.
1639
1640 The SSSD ID-mapping algorithm takes a range of available UIDs and
1641 divides it into equally-sized sections, called "slices". Each
1642 slice represents the space available to an Active Directory
1643 domain.
1644
1645 When a user or group entry for a particular domain is encountered for
1646 the first time, the SSSD allocates one of the available slices for that
1647 domain. In order to make this slice-assignment repeatable on different
1648 client machines, we select the slice based on the following algorithm:
1649
1650 The SID string is passed through the murmurhash3 algorithm to convert
1651 it to a 32-bit hashed value. We then take the modulus of this value
1652 with the total number of available slices to pick the slice.
1653
1654 NOTE: It is possible to encounter collisions in the hash and subsequent
1655 modulus. In these situations, we will select the next available slice,
1656 but it may not be possible to reproduce the same exact set of slices on
1657 other machines (since the order that they are encountered will
1658 determine their slice). In this situation, it is recommended to either
1659 switch to using explicit POSIX attributes in Active Directory
1660 (disabling ID-mapping) or configure a default domain to guarantee that
1661 at least one is always consistent. See “Configuration” for details.
1662
1663 Configuration
1664 Minimum configuration (in the “[domain/DOMAINNAME]” section):
1665
1666 ldap_id_mapping = True
1667 ldap_schema = ad
1668
1669 The default configuration results in configuring 10,000 slices, each
1670 capable of holding up to 200,000 IDs, starting from 200,000 and going
1671 up to 2,000,200,000. This should be sufficient for most deployments.
1672
1673 Advanced Configuration
1674 ldap_idmap_range_min (integer)
1675 Specifies the lower bound of the range of POSIX IDs to use for
1676 mapping Active Directory user and group SIDs.
1677
1678 NOTE: This option is different from “min_id” in that “min_id”
1679 acts to filter the output of requests to this domain, whereas
1680 this option controls the range of ID assignment. This is a
1681 subtle distinction, but the good general advice would be to
1682 have “min_id” be less-than or equal to “ldap_idmap_range_min”
1683
1684 Default: 200000
1685
1686 ldap_idmap_range_max (integer)
1687 Specifies the upper bound of the range of POSIX IDs to use for
1688 mapping Active Directory user and group SIDs.
1689
1690 NOTE: This option is different from “max_id” in that “max_id”
1691 acts to filter the output of requests to this domain, whereas
1692 this option controls the range of ID assignment. This is a
1693 subtle distinction, but the good general advice would be to
1694 have “max_id” be greater-than or equal to
1695 “ldap_idmap_range_max”
1696
1697 Default: 2000200000
1698
1699 ldap_idmap_range_size (integer)
1700 Specifies the number of IDs available for each slice. If the
1701 range size does not divide evenly into the min and max values,
1702 it will create as many complete slices as it can.
1703
1704 NOTE: The value of this option must be at least as large as the
1705 highest user RID planned for use on the Active Directory
1706 server. User lookups and login will fail for any user whose RID
1707 is greater than this value.
1708
1709 For example, if your most recently-added Active Directory user
1710 has objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107,
1711 “ldap_idmap_range_size” must be at least 1108, because a slice
1712 must hold every RID from 0 up to the highest one, i.e. maximal RID
1713 minus minimal RID plus one (1108 = 1107 - 0 + 1).
1714
1715 It is important to plan ahead for future expansion, as changing
1716 this value will result in changing all of the ID mappings on
1717 the system, leading to users with different local IDs than they
1718 previously had.
1719
1720 Default: 200000
1721
1722 ldap_idmap_default_domain_sid (string)
1723 Specify the domain SID of the default domain. This will
1724 guarantee that this domain will always be assigned to slice
1725 zero in the ID map, bypassing the murmurhash algorithm
1726 described above.
1727
1728 Default: not set
1729
1730 ldap_idmap_default_domain (string)
1731 Specify the name of the default domain.
1732
1733 Default: not set
1734
1735 ldap_idmap_autorid_compat (boolean)
1736 Changes the behavior of the ID-mapping algorithm to behave more
1737 similarly to winbind's “idmap_autorid” algorithm.
1738
1739 When this option is configured, domains will be allocated
1740 starting with slice zero and increasing monotonically with each
1741 additional domain.
1742
1743 NOTE: This algorithm is non-deterministic (it depends on the
1744 order that users and groups are requested). If this mode is
1745 required for compatibility with machines running winbind, it is
1746 recommended to also use the “ldap_idmap_default_domain_sid”
1747 option to guarantee that at least one domain is consistently
1748 allocated to slice zero.
1749
1750 Default: False
1751
ldap_idmap_helper_table_size (integer)
Maximum number of secondary slices that are tried when
mapping a UNIX ID to a SID.

Note: Additional secondary slices might be generated when a SID
is being mapped to a UNIX ID and the RID part of the SID is out of
range for the secondary slices generated so far. If the value of
ldap_idmap_helper_table_size is equal to 0, no additional
secondary slices are generated.

Default: 10

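The following is an added Python model of the slice-based mapping the options above describe; it is not SSSD's own code. It checks the ldap_idmap_range_size requirement against an objectSid, counts the complete slices that fit between ldap_idmap_range_min and ldap_idmap_range_max, and models the ldap_idmap_autorid_compat allocation order together with ldap_idmap_default_domain_sid pinning slice zero. The ID layout (slice n starting at range_min + n * range_size, ID = slice base + RID) and the second domain SID are assumptions of this model; the murmurhash-based slice selection used outside autorid mode is not modelled here.

```python
"""Model of SSSD's slice-based SID-to-POSIX-ID mapping (added example,
not SSSD code): ldap_idmap_range_size check, slice count, and the
ldap_idmap_autorid_compat / ldap_idmap_default_domain_sid behaviour."""
import re

# Defaults quoted in sssd-ldap(5)
RANGE_MIN = 200000
RANGE_MAX = 2000200000
RANGE_SIZE = 200000

# Domain object SID: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(object_sid):
    """Split an objectSid into (domain SID, RID)."""
    m = DOMAIN_SID_RE.match(object_sid)
    if not m:
        raise ValueError("not a domain object SID: %s" % object_sid)
    return m.group(1), int(m.group(2))


def slice_count(range_min=RANGE_MIN, range_max=RANGE_MAX, range_size=RANGE_SIZE):
    """Complete slices that fit into [range_min, range_max]; a trailing
    partial slice is dropped, as the man page states."""
    return (range_max - range_min + 1) // range_size


def min_range_size_for(object_sid):
    """Smallest ldap_idmap_range_size that still maps this SID:
    RID - 0 + 1, the formula given in the man page."""
    return split_sid(object_sid)[1] + 1


class AutoridMapper:
    """Slice allocator in ldap_idmap_autorid_compat mode: domains get
    slices 0, 1, 2, ... in the order they are first seen, unless a
    default domain SID pins that domain to slice zero.  ID layout
    (ASSUMPTION of this model): slice n covers
    range_min + n*range_size ... + range_size - 1, ID = slice base + RID."""

    def __init__(self, range_min=RANGE_MIN, range_max=RANGE_MAX,
                 range_size=RANGE_SIZE, default_domain_sid=None):
        self.range_min = range_min
        self.range_size = range_size
        self.max_slices = slice_count(range_min, range_max, range_size)
        self.slices = {}
        if default_domain_sid is not None:
            self.slices[default_domain_sid] = 0

    def slice_for(self, domain_sid):
        """Return the slice index for a domain, allocating the next free one."""
        if domain_sid not in self.slices:
            if len(self.slices) >= self.max_slices:
                raise RuntimeError("no free slice for %s" % domain_sid)
            self.slices[domain_sid] = len(self.slices)
        return self.slices[domain_sid]

    def sid_to_id(self, object_sid):
        """Map a SID to a POSIX ID; a RID the slice cannot hold is the
        lookup failure the NOTE on ldap_idmap_range_size warns about."""
        domain_sid, rid = split_sid(object_sid)
        if rid >= self.range_size:
            raise ValueError("RID %d exceeds ldap_idmap_range_size=%d"
                             % (rid, self.range_size))
        return self.range_min + self.slice_for(domain_sid) * self.range_size + rid

    def id_to_sid(self, posix_id):
        """Reverse lookup over the slices allocated so far (None if unknown)."""
        if posix_id < self.range_min:
            return None
        n, rid = divmod(posix_id - self.range_min, self.range_size)
        for domain_sid, index in self.slices.items():
            if index == n:
                return "%s-%d" % (domain_sid, rid)
        return None


# Sample SIDs: USER_A is the objectSid quoted in the man page text,
# USER_B is a constructed SID from a second (made-up) domain.
USER_A = "S-1-5-21-2153326666-2176343378-3404031434-1107"
USER_B = "S-1-5-21-1111111111-2222222222-3333333333-500"
DOMAIN_A = split_sid(USER_A)[0]


def order_dependence(pin_default):
    """Two hosts that first see the domains in opposite order assign
    different IDs to USER_A, unless ldap_idmap_default_domain_sid pins
    domain A to slice zero.  Returns (host1 ID, host2 ID) for USER_A."""
    default = DOMAIN_A if pin_default else None
    host1 = AutoridMapper(default_domain_sid=default)
    host2 = AutoridMapper(default_domain_sid=default)
    host1.sid_to_id(USER_A)   # host1 sees domain A first
    host2.sid_to_id(USER_B)   # host2 sees domain B first
    return host1.sid_to_id(USER_A), host2.sid_to_id(USER_A)


if __name__ == "__main__":
    print("slices with defaults:", slice_count())
    print("min range_size for USER_A:", min_range_size_for(USER_A))
    print("without default domain:", order_dependence(False))
    print("with default domain:   ", order_dependence(True))
```

Running the block shows the two effects the page warns about: without a pinned default domain, the two hosts hand USER_A different POSIX IDs, and a range size smaller than RID + 1 makes the lookup fail instead of silently mapping.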
Well-Known SIDs
SSSD supports looking up the names of Well-Known SIDs, i.e. SIDs with a
special hardcoded meaning. Since the generic users and groups related
to those Well-Known SIDs have no equivalent in a Linux/UNIX environment,
no POSIX IDs are available for those objects.

The SID name space is organized in authorities, which can be seen as
different domains. The authorities for the Well-Known SIDs are

· Null Authority

· World Authority

· Local Authority

· Creator Authority

· NT Authority

· Built-in

The capitalized versions of these names are used as domain names when
returning the fully qualified name of a Well-Known SID.

Since some utilities allow SID-based access control information to be
modified using a name instead of the SID directly, SSSD supports looking
up the SID by name as well. To avoid collisions, only the fully qualified
names can be used to look up Well-Known SIDs. As a result the domain
names “NULL AUTHORITY”, “WORLD AUTHORITY”, “LOCAL AUTHORITY”, “CREATOR
AUTHORITY”, “NT AUTHORITY” and “BUILTIN” should not be used as domain
names in sssd.conf.

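As an added example (not SSSD code), the following Python maps a SID to the reserved domain name SSSD uses for its authority, checks that a lookup name is fully qualified as the page requires, and scans an sssd.conf for [domain/...] sections that reuse one of the reserved names. The SID prefixes for each authority are the well-known values from the SID specification rather than from this page; the sssd.conf text, the "Everyone" sample name and the case-insensitive comparison are assumptions of the example.

```python
"""Well-Known SID authorities, the reserved SSSD domain names for them,
and a check that sssd.conf does not reuse those names (added example)."""
import configparser

# Authority names come from sssd-ldap(5); the SID prefixes are the
# well-known authority identifiers (S-1-0, S-1-1, ...), with the
# built-in domain S-1-5-32 listed first so it wins over NT Authority.
AUTHORITIES = [
    ("S-1-5-32", "BUILTIN"),
    ("S-1-0", "NULL AUTHORITY"),
    ("S-1-1", "WORLD AUTHORITY"),
    ("S-1-2", "LOCAL AUTHORITY"),
    ("S-1-3", "CREATOR AUTHORITY"),
    ("S-1-5", "NT AUTHORITY"),
]
RESERVED_DOMAIN_NAMES = {name for _, name in AUTHORITIES}


def well_known_domain(sid):
    """Return the SSSD domain name for a Well-Known SID, or None for a
    regular domain object (S-1-5-21-...) or an unrecognised SID."""
    if sid.startswith("S-1-5-21-"):
        return None
    for prefix, name in AUTHORITIES:
        if sid == prefix or sid.startswith(prefix + "-"):
            return name
    return None


def well_known_lookup_allowed(name):
    """Only fully qualified names (name@DOMAIN, assumed default SSSD
    full-name format) resolve to Well-Known SIDs; a bare name does not."""
    if "@" not in name:
        return False
    domain = name.rsplit("@", 1)[1]
    return domain.upper() in RESERVED_DOMAIN_NAMES


def conflicting_domains(sssd_conf_text):
    """List [domain/NAME] sections whose NAME collides with a reserved
    Well-Known SID domain name (compared case-insensitively, an
    assumption made to be conservative)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(sssd_conf_text)
    conflicts = []
    for section in parser.sections():
        if section.lower().startswith("domain/"):
            name = section.split("/", 1)[1].strip()
            if name.upper() in RESERVED_DOMAIN_NAMES:
                conflicts.append(name)
    return conflicts


# Constructed sssd.conf excerpt: the second domain name is reserved.
SAMPLE_CONF = """\
[sssd]
domains = LDAP, NT Authority

[domain/LDAP]
id_provider = ldap

[domain/NT Authority]
id_provider = ldap
"""

if __name__ == "__main__":
    for sid in ("S-1-1-0", "S-1-5-32-544", "S-1-5-11",
                "S-1-5-21-2153326666-2176343378-3404031434-1107"):
        print(sid, "->", well_known_domain(sid))
    print("conflicting domain names:", conflicting_domains(SAMPLE_CONF))
```

The conflict check is the practical takeaway of this section: a domain named like one of the authorities would make the fully qualified names ambiguous, so it is worth catching in configuration review before SSSD is started with it.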
EXAMPLE
The following example assumes that SSSD is correctly configured and
LDAP is set to one of the domains in the [domains] section.

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
ldap_tls_reqcert = demand
cache_credentials = true

LDAP ACCESS FILTER EXAMPLE
The following example assumes that SSSD is correctly configured and
uses ldap_access_order=lockout.

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = lockout
ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
ldap_tls_reqcert = demand
cache_credentials = true

NOTES
The descriptions of some of the configuration options in this manual
page are based on the ldap.conf(5) manual page from the OpenLDAP 2.4
distribution.

SEE ALSO
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sssd-secrets(5),
sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8),
sss_rpcidmapd(5), sssd-systemtap(5)

AUTHORS
The SSSD upstream - https://pagure.io/SSSD/sssd/

NOTES
1. MSDN(TM) documentation
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx

SSSD 04/25/2019 SSSD-LDAP(5)