1SSSD-LDAP-ATTRIBUT(5) File Formats and Conventions SSSD-LDAP-ATTRIBUT(5)
2
6 sssd-ldap-attributes - SSSD LDAP Provider: Mapping Attributes
7
9 This manual page describes the mapping attributes of SSSD LDAP provider
10 sssd-ldap(5). Refer to the sssd-ldap(5) manual page for full details
11 about SSSD LDAP provider configuration options.
12
14 ldap_user_object_class (string)
15 The object class of a user entry in LDAP.
16 Default: posixAccount
18 ldap_user_name (string)
20 The LDAP attribute that corresponds to the user's login name.
21 Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
23 ldap_user_uid_number (string)
25 The LDAP attribute that corresponds to the user's id.
26 Default: uidNumber
28 ldap_user_gid_number (string)
30 The LDAP attribute that corresponds to the user's primary group id.
31 Default: gidNumber
33 ldap_user_primary_group (string)
35 Active Directory primary group attribute for ID-mapping. Note that
36 this attribute should only be set manually if you are running the
37 “ldap” provider with ID mapping.
38 Default: unset (LDAP), primaryGroupID (AD)
40 ldap_user_gecos (string)
42 The LDAP attribute that corresponds to the user's gecos field.
43 Default: gecos
45 ldap_user_home_directory (string)
47 The LDAP attribute that contains the name of the user's home
48 directory.
49 Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)
51 ldap_user_shell (string)
53 The LDAP attribute that contains the path to the user's default
54 shell.
55 Default: loginShell
57 ldap_user_uuid (string)
59 The LDAP attribute that contains the UUID/GUID of an LDAP user
60 object.
61 Default: not set in the general case, objectGUID for AD and
63 ipaUniqueID for IPA
64 ldap_user_objectsid (string)
66 The LDAP attribute that contains the objectSID of an LDAP user
67 object. This is usually only necessary for ActiveDirectory servers.
68 Default: objectSid for ActiveDirectory, not set for other servers.
70 ldap_user_modify_timestamp (string)
72 The LDAP attribute that contains timestamp of the last modification
73 of the parent object.
74 Default: modifyTimestamp
76 ldap_user_shadow_last_change (string)
78 When using ldap_pwd_policy=shadow, this parameter contains the name
79 of an LDAP attribute corresponding to its shadow(5) counterpart
80 (date of the last password change).
81 Default: shadowLastChange
83 ldap_user_shadow_min (string)
85 When using ldap_pwd_policy=shadow, this parameter contains the name
86 of an LDAP attribute corresponding to its shadow(5) counterpart
87 (minimum password age).
88 Default: shadowMin
90 ldap_user_shadow_max (string)
92 When using ldap_pwd_policy=shadow, this parameter contains the name
93 of an LDAP attribute corresponding to its shadow(5) counterpart
94 (maximum password age).
95 Default: shadowMax
97 ldap_user_shadow_warning (string)
99 When using ldap_pwd_policy=shadow, this parameter contains the name
100 of an LDAP attribute corresponding to its shadow(5) counterpart
101 (password warning period).
102 Default: shadowWarning
104 ldap_user_shadow_inactive (string)
106 When using ldap_pwd_policy=shadow, this parameter contains the name
107 of an LDAP attribute corresponding to its shadow(5) counterpart
108 (password inactivity period).
109 Default: shadowInactive
111 ldap_user_shadow_expire (string)
113 When using ldap_pwd_policy=shadow or
114 ldap_account_expire_policy=shadow, this parameter contains the name
115 of an LDAP attribute corresponding to its shadow(5) counterpart
116 (account expiration date).
117 Default: shadowExpire
119 ldap_user_krb_last_pwd_change (string)
121 When using ldap_pwd_policy=mit_kerberos, this parameter contains
122 the name of an LDAP attribute storing the date and time of last
123 password change in kerberos.
124 Default: krbLastPwdChange
126 ldap_user_krb_password_expiration (string)
128 When using ldap_pwd_policy=mit_kerberos, this parameter contains
129 the name of an LDAP attribute storing the date and time when
130 current password expires.
131 Default: krbPasswordExpiration
133 ldap_user_ad_account_expires (string)
135 When using ldap_account_expire_policy=ad, this parameter contains
136 the name of an LDAP attribute storing the expiration time of the
137 account.
138 Default: accountExpires
140 ldap_user_ad_user_account_control (string)
142 When using ldap_account_expire_policy=ad, this parameter contains
143 the name of an LDAP attribute storing the user account control bit
144 field.
145 Default: userAccountControl
147 ldap_ns_account_lock (string)
149 When using ldap_account_expire_policy=rhds or equivalent, this
150 parameter determines if access is allowed or not.
151 Default: nsAccountLock
153 ldap_user_nds_login_disabled (string)
155 When using ldap_account_expire_policy=nds, this attribute
156 determines if access is allowed or not.
157 Default: loginDisabled
159 ldap_user_nds_login_expiration_time (string)
161 When using ldap_account_expire_policy=nds, this attribute
162 determines until which date access is granted.
163 Default: loginDisabled
165 ldap_user_nds_login_allowed_time_map (string)
167 When using ldap_account_expire_policy=nds, this attribute
168 determines the hours of a day in a week when access is granted.
169 Default: loginAllowedTimeMap
171 ldap_user_principal (string)
173 The LDAP attribute that contains the user's Kerberos User Principal
174 Name (UPN).
175 Default: krbPrincipalName
177 ldap_user_extra_attrs (string)
179 Comma-separated list of LDAP attributes that SSSD would fetch along
180 with the usual set of user attributes.
181 The list can either contain LDAP attribute names only, or
183 colon-separated tuples of SSSD cache attribute name and LDAP
184 attribute name. In case only LDAP attribute name is specified, the
185 attribute is saved to the cache verbatim. Using a custom SSSD
186 attribute name might be required by environments that configure
187 several SSSD domains with different LDAP schemas.
188 Please note that several attribute names are reserved by SSSD,
190 notably the “name” attribute. SSSD would report an error if any of
191 the reserved attribute names is used as an extra attribute name.
192 Examples:
194 ldap_user_extra_attrs = telephoneNumber
196 Save the “telephoneNumber” attribute from LDAP as “telephoneNumber”
198 to the cache.
199 ldap_user_extra_attrs = phone:telephoneNumber
201 Save the “telephoneNumber” attribute from LDAP as “phone” to the
203 cache.
204 Default: not set
206 ldap_user_ssh_public_key (string)
208 The LDAP attribute that contains the user's SSH public keys.
209 Default: sshPublicKey
211 ldap_user_fullname (string)
213 The LDAP attribute that corresponds to the user's full name.
214 Default: cn
216 ldap_user_member_of (string)
218 The LDAP attribute that lists the user's group memberships.
219 Default: memberOf
221 ldap_user_authorized_service (string)
223 If access_provider=ldap and ldap_access_order=authorized_service,
224 SSSD will use the presence of the authorizedService attribute in
225 the user's LDAP entry to determine access privilege.
226 An explicit deny (!svc) is resolved first. Second, SSSD searches
228 for explicit allow (svc) and finally for allow_all (*).
229 Please note that the ldap_access_order configuration option must
231 include “authorized_service” in order for the
232 ldap_user_authorized_service option to work.
233 Some distributions (such as Fedora-29+ or RHEL-8) always include
235 the “systemd-user” PAM service as part of the login process.
236 Therefore when using service-based access control, the
237 “systemd-user” service might need to be added to the list of
238 allowed services.
239 Default: authorizedService
241 ldap_user_authorized_host (string)
243 If access_provider=ldap and ldap_access_order=host, SSSD will use
244 the presence of the host attribute in the user's LDAP entry to
245 determine access privilege.
246 An explicit deny (!host) is resolved first. Second, SSSD searches
248 for explicit allow (host) and finally for allow_all (*).
249 Please note that the ldap_access_order configuration option must
251 include “host” in order for the ldap_user_authorized_host option to
252 work.
253 Default: host
255 ldap_user_authorized_rhost (string)
257 If access_provider=ldap and ldap_access_order=rhost, SSSD will use
258 the presence of the rhost attribute in the user's LDAP entry to
259 determine access privilege. Similarly to host verification process.
260 An explicit deny (!rhost) is resolved first. Second, SSSD searches
262 for explicit allow (rhost) and finally for allow_all (*).
263 Please note that the ldap_access_order configuration option must
265 include “rhost” in order for the ldap_user_authorized_rhost option
266 to work.
267 Default: rhost
269 ldap_user_certificate (string)
271 Name of the LDAP attribute containing the X509 certificate of the
272 user.
273 Default: userCertificate;binary
275 ldap_user_email (string)
277 Name of the LDAP attribute containing the email address of the
278 user.
279 Note: If an email address of a user conflicts with an email address
281 or fully qualified name of another user, then SSSD will not be able
282 to serve those users properly. If for some reason several users
283 need to share the same email address then set this option to a
284 nonexistent attribute name in order to disable user lookup/login by
285 email.
286 Default: mail
288
290 ldap_group_object_class (string)
291 The object class of a group entry in LDAP.
292 Default: posixGroup
294 ldap_group_name (string)
296 The LDAP attribute that corresponds to the group name. In an
297 environment with nested groups, this value must be an LDAP
298 attribute which has a unique name for every group. This requirement
299 includes non-POSIX groups in the tree of nested groups.
300 Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
302 ldap_group_gid_number (string)
304 The LDAP attribute that corresponds to the group's id.
305 Default: gidNumber
307 ldap_group_member (string)
309 The LDAP attribute that contains the names of the group's members.
310 Default: memberuid (rfc2307) / member (rfc2307bis)
312 ldap_group_uuid (string)
314 The LDAP attribute that contains the UUID/GUID of an LDAP group
315 object.
316 Default: not set in the general case, objectGUID for AD and
318 ipaUniqueID for IPA
319 ldap_group_objectsid (string)
321 The LDAP attribute that contains the objectSID of an LDAP group
322 object. This is usually only necessary for ActiveDirectory servers.
323 Default: objectSid for ActiveDirectory, not set for other servers.
325 ldap_group_modify_timestamp (string)
327 The LDAP attribute that contains timestamp of the last modification
328 of the parent object.
329 Default: modifyTimestamp
331 ldap_group_type (string)
333 The LDAP attribute that contains an integer value indicating the
334 type of the group and maybe other flags.
335 This attribute is currently only used by the AD provider to
337 determine if a group is a domain local groups and has to be
338 filtered out for trusted domains.
339 Default: groupType in the AD provider, otherwise not set
341 ldap_group_external_member (string)
343 The LDAP attribute that references group members that are defined
344 in an external domain. At the moment, only IPA's external members
345 are supported.
346 Default: ipaExternalMember in the IPA provider, otherwise unset.
348
350 ldap_netgroup_object_class (string)
351 The object class of a netgroup entry in LDAP.
352 In IPA provider, ipa_netgroup_object_class should be used instead.
354 Default: nisNetgroup
356 ldap_netgroup_name (string)
358 The LDAP attribute that corresponds to the netgroup name.
359 In IPA provider, ipa_netgroup_name should be used instead.
361 Default: cn
363 ldap_netgroup_member (string)
365 The LDAP attribute that contains the names of the netgroup's
366 members.
367 In IPA provider, ipa_netgroup_member should be used instead.
369 Default: memberNisNetgroup
371 ldap_netgroup_triple (string)
373 The LDAP attribute that contains the (host, user, domain) netgroup
374 triples.
375 This option is not available in IPA provider.
377 Default: nisNetgroupTriple
379 ldap_netgroup_modify_timestamp (string)
381 The LDAP attribute that contains timestamp of the last modification
382 of the parent object.
383 This option is not available in IPA provider.
385 Default: modifyTimestamp
387
389 ldap_host_object_class (string)
390 The object class of a host entry in LDAP.
391 Default: ipService
393 ldap_host_name (string)
395 The LDAP attribute that corresponds to the host's name.
396 Default: cn
398 ldap_host_fqdn (string)
400 The LDAP attribute that corresponds to the host's fully-qualified
401 domain name.
402 Default: fqdn
404 ldap_host_serverhostname (string)
406 The LDAP attribute that corresponds to the host's name.
407 Default: serverHostname
409 ldap_host_member_of (string)
411 The LDAP attribute that lists the host's group memberships.
412 Default: memberOf
414 ldap_host_ssh_public_key (string)
416 The LDAP attribute that contains the host's SSH public keys.
417 Default: sshPublicKey
419 ldap_host_uuid (string)
421 The LDAP attribute that contains the UUID/GUID of an LDAP host
422 object.
423 Default: not set
425
427 ldap_service_object_class (string)
428 The object class of a service entry in LDAP.
429 Default: ipService
431 ldap_service_name (string)
433 The LDAP attribute that contains the name of service attributes and
434 their aliases.
435 Default: cn
437 ldap_service_port (string)
439 The LDAP attribute that contains the port managed by this service.
440 Default: ipServicePort
442 ldap_service_proto (string)
444 The LDAP attribute that contains the protocols understood by this
445 service.
446 Default: ipServiceProtocol
448
450 ldap_sudorule_object_class (string)
451 The object class of a sudo rule entry in LDAP.
452 Default: sudoRole
454 ldap_sudorule_name (string)
456 The LDAP attribute that corresponds to the sudo rule name.
457 Default: cn
459 ldap_sudorule_command (string)
461 The LDAP attribute that corresponds to the command name.
462 Default: sudoCommand
464 ldap_sudorule_host (string)
466 The LDAP attribute that corresponds to the host name (or host IP
467 address, host IP network, or host netgroup)
468 Default: sudoHost
470 ldap_sudorule_user (string)
472 The LDAP attribute that corresponds to the user name (or UID, group
473 name or user's netgroup)
474 Default: sudoUser
476 ldap_sudorule_option (string)
478 The LDAP attribute that corresponds to the sudo options.
479 Default: sudoOption
481 ldap_sudorule_runasuser (string)
483 The LDAP attribute that corresponds to the user name that commands
484 may be run as.
485 Default: sudoRunAsUser
487 ldap_sudorule_runasgroup (string)
489 The LDAP attribute that corresponds to the group name or group GID
490 that commands may be run as.
491 Default: sudoRunAsGroup
493 ldap_sudorule_notbefore (string)
495 The LDAP attribute that corresponds to the start date/time for when
496 the sudo rule is valid.
497 Default: sudoNotBefore
499 ldap_sudorule_notafter (string)
501 The LDAP attribute that corresponds to the expiration date/time,
502 after which the sudo rule will no longer be valid.
503 Default: sudoNotAfter
505 ldap_sudorule_order (string)
507 The LDAP attribute that corresponds to the ordering index of the
508 rule.
509 Default: sudoOrder
511
513 ldap_autofs_map_object_class (string)
514 The object class of an automount map entry in LDAP.
515 Default: nisMap (rfc2307, autofs_provider=ad), otherwise
517 automountMap
518 ldap_autofs_map_name (string)
520 The name of an automount map entry in LDAP.
521 Default: nisMapName (rfc2307, autofs_provider=ad), otherwise
523 automountMapName
524 ldap_autofs_entry_object_class (string)
526 The object class of an automount entry in LDAP. The entry usually
527 corresponds to a mount point.
528 Default: nisObject (rfc2307, autofs_provider=ad), otherwise
530 automount
531 ldap_autofs_entry_key (string)
533 The key of an automount entry in LDAP. The entry usually
534 corresponds to a mount point.
535 Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey
537 ldap_autofs_entry_value (string)
539 The key of an automount entry in LDAP. The entry usually
540 corresponds to a mount point.
541 Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise
543 automountInformation
544
546 ldap_iphost_object_class (string)
547 The object class of an iphost entry in LDAP.
548 Default: ipHost
550 ldap_iphost_name (string)
552 The LDAP attribute that contains the name of the IP host attributes
553 and their aliases.
554 Default: cn
556 ldap_iphost_number (string)
558 The LDAP attribute that contains the IP host address.
559 Default: ipHostNumber
561
563 ldap_ipnetwork_object_class (string)
564 The object class of an ipnetwork entry in LDAP.
565 Default: ipNetwork
567 ldap_ipnetwork_name (string)
569 The LDAP attribute that contains the name of the IP network
570 attributes and their aliases.
571 Default: cn
573 ldap_ipnetwork_number (string)
575 The LDAP attribute that contains the IP network address.
576 Default: ipNetworkNumber
578
580 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-
581 krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-
582 sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
583 sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
584 sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
585 pam_sss(8). sss_rpcidmapd(5) sssd-systemtap(5)
586
588 The SSSD upstream - https://github.com/SSSD/sssd/
589SSSD 11/15/2023 SSSD-LDAP-ATTRIBUT(5)