SSSD-LDAP-ATTRIBUT(5)      File Formats and Conventions      SSSD-LDAP-ATTRIBUT(5)

NAME
       sssd-ldap-attributes - SSSD LDAP Provider: Mapping Attributes

DESCRIPTION
       This manual page describes the mapping attributes of the SSSD LDAP
       provider, sssd-ldap(5). Refer to the sssd-ldap(5) manual page for
       full details about SSSD LDAP provider configuration options.

USER ATTRIBUTES
       ldap_user_object_class (string)
              The object class of a user entry in LDAP.

              Default: posixAccount

       ldap_user_name (string)
              The LDAP attribute that corresponds to the user's login name.

              Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)

       ldap_user_uid_number (string)
              The LDAP attribute that corresponds to the user's ID.

              Default: uidNumber

       ldap_user_gid_number (string)
              The LDAP attribute that corresponds to the user's primary
              group ID.

              Default: gidNumber

       ldap_user_primary_group (string)
              Active Directory primary group attribute for ID mapping. Note
              that this attribute should only be set manually if you are
              running the “ldap” provider with ID mapping.

              Default: unset (LDAP), primaryGroupID (AD)

       ldap_user_gecos (string)
              The LDAP attribute that corresponds to the user's gecos field.

              Default: gecos

       ldap_user_home_directory (string)
              The LDAP attribute that contains the name of the user's home
              directory.

              Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)

       ldap_user_shell (string)
              The LDAP attribute that contains the path to the user's
              default shell.

              Default: loginShell

       ldap_user_uuid (string)
              The LDAP attribute that contains the UUID/GUID of an LDAP user
              object.

              Default: not set in the general case, objectGUID for AD and
              ipaUniqueID for IPA

       ldap_user_objectsid (string)
              The LDAP attribute that contains the objectSID of an LDAP user
              object. This is usually only necessary for Active Directory
              servers.

              Default: objectSid for Active Directory, not set for other
              servers.

       ldap_user_modify_timestamp (string)
              The LDAP attribute that contains the timestamp of the last
              modification of the parent object.

              Default: modifyTimestamp

       ldap_user_shadow_last_change (string)
              When using ldap_pwd_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (date of the last password change).

              Default: shadowLastChange

       ldap_user_shadow_min (string)
              When using ldap_pwd_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (minimum password age).

              Default: shadowMin

       ldap_user_shadow_max (string)
              When using ldap_pwd_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (maximum password age).

              Default: shadowMax

       ldap_user_shadow_warning (string)
              When using ldap_pwd_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (password warning period).

              Default: shadowWarning

       ldap_user_shadow_inactive (string)
              When using ldap_pwd_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (password inactivity period).

              Default: shadowInactive

       ldap_user_shadow_expire (string)
              When using ldap_pwd_policy=shadow or
              ldap_account_expire_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (account expiration date).

              Default: shadowExpire

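       The ldap_user_shadow_* options only rename the attributes SSSD reads;
       the following added example (not SSSD code and not part of this
       manual page) shows how an auditor can interpret those fields for a
       user entry. It assumes shadow(5) semantics for the fields, not SSSD's
       internal implementation, and takes the attribute-name mapping as a
       parameter so a non-default ldap_user_shadow_* mapping can be tested
       with the same code.

```python
from datetime import date

# Attribute names: the sssd-ldap-attributes(5) defaults for the
# ldap_user_shadow_* options; pass another dict to mirror a custom mapping.
DEFAULT_SHADOW_ATTRS = {
    "last_change": "shadowLastChange",
    "max": "shadowMax",
    "warning": "shadowWarning",
    "inactive": "shadowInactive",
    "expire": "shadowExpire",
}

def _field(entry, attr):
    """int value, or None when absent/empty/negative ('not set' in shadow(5))."""
    raw = str(entry.get(attr, "")).strip()
    return int(raw) if raw and int(raw) >= 0 else None

def shadow_status(entry, today, attrs=DEFAULT_SHADOW_ATTRS):
    """Classify a user entry with shadow(5) semantics (assumption: this
    follows shadow(5), not SSSD's internal code). 'today' is a date;
    shadow fields count days since 1970-01-01."""
    today_days = (today - date(1970, 1, 1)).days
    expire = _field(entry, attrs["expire"])
    if expire is not None and today_days >= expire:
        return "account-expired"
    last_change = _field(entry, attrs["last_change"])
    if last_change == 0:
        return "password-change-required"  # shadow(5): 0 forces a change
    max_age = _field(entry, attrs["max"])
    if last_change is None or max_age is None:
        return "ok"  # no ageing information, nothing to enforce
    expires_on = last_change + max_age
    if today_days > expires_on:
        inactive = _field(entry, attrs["inactive"])
        if inactive is not None and today_days <= expires_on + inactive:
            return "password-expired-grace"
        return "password-expired"
    warning = _field(entry, attrs["warning"]) or 0
    if today_days >= expires_on - warning:
        return "password-expiring-soon"
    return "ok"

# Constructed sample entries (not real directory data). 2024-01-01 is
# day 19723 since the epoch, so alice is fine, bob is in his warning
# window, carol is in the inactivity grace period and dave is locked out.
SAMPLE_USERS = {
    "alice": {"shadowLastChange": "19700", "shadowMax": "90", "shadowWarning": "7"},
    "bob": {"shadowLastChange": "19700", "shadowMax": "30", "shadowWarning": "14"},
    "carol": {"shadowLastChange": "19600", "shadowMax": "90", "shadowInactive": "60"},
    "dave": {"shadowLastChange": "19600", "shadowMax": "90"},
}

def audit(users=SAMPLE_USERS, today=date(2024, 1, 1)):
    return {uid: shadow_status(e, today) for uid, e in users.items()}
```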
       ldap_user_krb_last_pwd_change (string)
              When using ldap_pwd_policy=mit_kerberos, this parameter
              contains the name of an LDAP attribute storing the date and
              time of the last password change in Kerberos.

              Default: krbLastPwdChange

       ldap_user_krb_password_expiration (string)
              When using ldap_pwd_policy=mit_kerberos, this parameter
              contains the name of an LDAP attribute storing the date and
              time when the current password expires.

              Default: krbPasswordExpiration

       ldap_user_ad_account_expires (string)
              When using ldap_account_expire_policy=ad, this parameter
              contains the name of an LDAP attribute storing the expiration
              time of the account.

              Default: accountExpires

       ldap_user_ad_user_account_control (string)
              When using ldap_account_expire_policy=ad, this parameter
              contains the name of an LDAP attribute storing the user
              account control bit field.

              Default: userAccountControl

       ldap_ns_account_lock (string)
              When using ldap_account_expire_policy=rhds or equivalent,
              this parameter determines if access is allowed or not.

              Default: nsAccountLock

       ldap_user_nds_login_disabled (string)
              When using ldap_account_expire_policy=nds, this attribute
              determines if access is allowed or not.

              Default: loginDisabled

       ldap_user_nds_login_expiration_time (string)
              When using ldap_account_expire_policy=nds, this attribute
              determines until which date access is granted.

              Default: loginDisabled

       ldap_user_nds_login_allowed_time_map (string)
              When using ldap_account_expire_policy=nds, this attribute
              determines the hours of a day in a week when access is
              granted.

              Default: loginAllowedTimeMap

       ldap_user_principal (string)
              The LDAP attribute that contains the user's Kerberos User
              Principal Name (UPN).

              Default: krbPrincipalName

       ldap_user_extra_attrs (string)
              Comma-separated list of LDAP attributes that SSSD fetches
              along with the usual set of user attributes.

              The list can either contain LDAP attribute names only, or
              colon-separated tuples of SSSD cache attribute name and LDAP
              attribute name. If only the LDAP attribute name is specified,
              the attribute is saved to the cache verbatim. Using a custom
              SSSD attribute name might be required by environments that
              configure several SSSD domains with different LDAP schemas.

              Please note that several attribute names are reserved by
              SSSD, notably the “name” attribute. SSSD reports an error if
              any of the reserved attribute names is used as an extra
              attribute name.

              Examples:

              ldap_user_extra_attrs = telephoneNumber

              Save the “telephoneNumber” attribute from LDAP as
              “telephoneNumber” to the cache.

              ldap_user_extra_attrs = phone:telephoneNumber

              Save the “telephoneNumber” attribute from LDAP as “phone” to
              the cache.

              Default: not set

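       The following added example (not SSSD's own parser and not part of
       this manual page) parses an ldap_user_extra_attrs value using the
       rules above and projects a constructed LDAP entry into what would be
       stored under each cache name. It assumes only the reserved name the
       page mentions (“name”); SSSD reserves further names that are not
       listed here.

```python
# Reserved cache attribute names. The page names "name"; SSSD reserves
# others as well (assumption: the full list is not reproduced here).
RESERVED_CACHE_ATTRS = {"name"}

def parse_extra_attrs(value):
    """Parse an ldap_user_extra_attrs value into {cache_name: ldap_attr}.

    Items are comma-separated. 'telephoneNumber' caches the attribute
    under its own name; 'phone:telephoneNumber' caches it as 'phone'.
    Raises ValueError for reserved, duplicate or malformed names."""
    mapping = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        cache_name, sep, ldap_attr = item.partition(":")
        if not sep:
            ldap_attr = cache_name  # plain name: saved to the cache verbatim
        cache_name, ldap_attr = cache_name.strip(), ldap_attr.strip()
        if not cache_name or not ldap_attr or ":" in ldap_attr:
            raise ValueError(f"malformed entry {item!r}")
        if cache_name in RESERVED_CACHE_ATTRS:
            raise ValueError(f"{cache_name!r} is reserved by SSSD")
        if cache_name in mapping:
            raise ValueError(f"duplicate cache attribute {cache_name!r}")
        mapping[cache_name] = ldap_attr
    return mapping

def cache_view(mapping, ldap_entry):
    """Project a fetched LDAP entry (dict of attr -> list of values) into
    the extra attributes that would be stored, keyed by cache name.
    Attributes missing from the entry are simply not stored."""
    return {cache: ldap_entry[ldap] for cache, ldap in mapping.items()
            if ldap in ldap_entry}

# Constructed LDAP entry, not real directory data.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "telephoneNumber": ["+1 555 0100"],
    "mobile": ["+1 555 0199"],
    "employeeNumber": ["E-4711"],
}
```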
       ldap_user_ssh_public_key (string)
              The LDAP attribute that contains the user's SSH public keys.

              Default: sshPublicKey

       ldap_user_fullname (string)
              The LDAP attribute that corresponds to the user's full name.

              Default: cn

       ldap_user_member_of (string)
              The LDAP attribute that lists the user's group memberships.

              Default: memberOf

       ldap_user_authorized_service (string)
              If access_provider=ldap and
              ldap_access_order=authorized_service, SSSD uses the presence
              of the authorizedService attribute in the user's LDAP entry
              to determine access privilege.

              An explicit deny (!svc) is resolved first. Second, SSSD
              searches for an explicit allow (svc) and finally for
              allow_all (*).

              Please note that the ldap_access_order configuration option
              must include “authorized_service” in order for the
              ldap_user_authorized_service option to work.

              Some distributions (such as Fedora-29+ or RHEL-8) always
              include the “systemd-user” PAM service as part of the login
              process. Therefore, when using service-based access control,
              the “systemd-user” service might need to be added to the list
              of allowed services.

              Default: authorizedService

       ldap_user_authorized_host (string)
              If access_provider=ldap and ldap_access_order=host, SSSD uses
              the presence of the host attribute in the user's LDAP entry
              to determine access privilege.

              An explicit deny (!host) is resolved first. Second, SSSD
              searches for an explicit allow (host) and finally for
              allow_all (*).

              Please note that the ldap_access_order configuration option
              must include “host” in order for the ldap_user_authorized_host
              option to work.

              Default: host

       ldap_user_authorized_rhost (string)
              If access_provider=ldap and ldap_access_order=rhost, SSSD uses
              the presence of the rhost attribute in the user's LDAP entry
              to determine access privilege, in the same way as the host
              verification process.

              An explicit deny (!rhost) is resolved first. Second, SSSD
              searches for an explicit allow (rhost) and finally for
              allow_all (*).

              Please note that the ldap_access_order configuration option
              must include “rhost” in order for the
              ldap_user_authorized_rhost option to work.

              Default: rhost

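       The authorized_service, host and rhost rules above share one
       evaluation order. The following added example (not SSSD code and not
       part of this manual page) models that order over a constructed user
       entry and shows two of the page's caveats: a rule that is not listed
       in ldap_access_order is never evaluated, and a login that goes
       through the “systemd-user” PAM service needs that service allowed.
       The request dictionaries and host names are constructed for the
       example.

```python
# Rule name in ldap_access_order -> (LDAP attribute, request field). The
# attribute names are the page's defaults for ldap_user_authorized_service,
# ldap_user_authorized_host and ldap_user_authorized_rhost.
ACCESS_RULES = {
    "authorized_service": ("authorizedService", "service"),
    "host": ("host", "host"),
    "rhost": ("rhost", "rhost"),
}

def authorized(values, requested):
    """Evaluate one attribute's values in the order the page describes:
    explicit deny ('!x') first, then explicit allow ('x'), then allow-all
    ('*'); anything else denies."""
    values = {v.strip() for v in values if v and v.strip()}
    if "!" + requested in values:
        return False
    if requested in values:
        return True
    return "*" in values

def check_access(entry, request, ldap_access_order):
    """Apply every rule listed in ldap_access_order; access requires all
    of them to pass. A rule that is not listed is never evaluated, which is
    why the page insists the option must name the rule you rely on.
    Returns (granted, {rule: result})."""
    results = {}
    for rule in ldap_access_order:
        attr, field = ACCESS_RULES[rule]
        results[rule] = authorized(entry.get(attr, []), request[field])
    return all(results.values()), results

# Constructed user entry, not real directory data. "systemd-user" is listed
# because the page notes some distributions run that PAM service at login.
SAMPLE_USER = {
    "authorizedService": ["sshd", "systemd-user", "!ftp"],
    "host": ["*", "!bastion.example.com"],
    "rhost": ["10.0.0.5"],
}

def example_checks(order=("authorized_service", "host", "rhost")):
    """Run a few constructed requests through check_access."""
    requests = {
        "ssh-from-jump": {"service": "sshd", "host": "web1.example.com", "rhost": "10.0.0.5"},
        "systemd-user": {"service": "systemd-user", "host": "web1.example.com", "rhost": "10.0.0.5"},
        "ftp-denied": {"service": "ftp", "host": "web1.example.com", "rhost": "10.0.0.5"},
        "bastion-denied": {"service": "sshd", "host": "bastion.example.com", "rhost": "10.0.0.5"},
        "rhost-denied": {"service": "sshd", "host": "web1.example.com", "rhost": "10.0.0.6"},
    }
    return {name: check_access(SAMPLE_USER, req, order)[0] for name, req in requests.items()}
```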
       ldap_user_certificate (string)
              Name of the LDAP attribute containing the X.509 certificate of
              the user.

              Default: userCertificate;binary

       ldap_user_email (string)
              Name of the LDAP attribute containing the email address of the
              user.

              Note: If the email address of a user conflicts with the email
              address or fully qualified name of another user, then SSSD
              will not be able to serve those users properly. If for some
              reason several users need to share the same email address,
              set this option to a nonexistent attribute name in order to
              disable user lookup/login by email.

              Default: mail

       ldap_user_passkey (string)
              Name of the LDAP attribute containing the passkey mapping data
              of the user.

              Default: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities
              (AD)

GROUP ATTRIBUTES
       ldap_group_object_class (string)
              The object class of a group entry in LDAP.

              Default: posixGroup

       ldap_group_name (string)
              The LDAP attribute that corresponds to the group name. In an
              environment with nested groups, this value must be an LDAP
              attribute which has a unique name for every group. This
              requirement includes non-POSIX groups in the tree of nested
              groups.

              Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)

       ldap_group_gid_number (string)
              The LDAP attribute that corresponds to the group's ID.

              Default: gidNumber

       ldap_group_member (string)
              The LDAP attribute that contains the names of the group's
              members.

              Default: memberuid (rfc2307) / member (rfc2307bis)

       ldap_group_uuid (string)
              The LDAP attribute that contains the UUID/GUID of an LDAP
              group object.

              Default: not set in the general case, objectGUID for AD and
              ipaUniqueID for IPA

       ldap_group_objectsid (string)
              The LDAP attribute that contains the objectSID of an LDAP
              group object. This is usually only necessary for Active
              Directory servers.

              Default: objectSid for Active Directory, not set for other
              servers.

       ldap_group_modify_timestamp (string)
              The LDAP attribute that contains the timestamp of the last
              modification of the parent object.

              Default: modifyTimestamp

       ldap_group_type (string)
              The LDAP attribute that contains an integer value indicating
              the type of the group and possibly other flags.

              This attribute is currently only used by the AD provider to
              determine if a group is a domain local group and has to be
              filtered out for trusted domains.

              Default: groupType in the AD provider, otherwise not set

       ldap_group_external_member (string)
              The LDAP attribute that references group members that are
              defined in an external domain. At the moment, only IPA's
              external members are supported.

              Default: ipaExternalMember in the IPA provider, otherwise unset.

NETGROUP ATTRIBUTES
       ldap_netgroup_object_class (string)
              The object class of a netgroup entry in LDAP.

              In the IPA provider, ipa_netgroup_object_class should be used
              instead.

              Default: nisNetgroup

       ldap_netgroup_name (string)
              The LDAP attribute that corresponds to the netgroup name.

              In the IPA provider, ipa_netgroup_name should be used instead.

              Default: cn

       ldap_netgroup_member (string)
              The LDAP attribute that contains the names of the netgroup's
              members.

              In the IPA provider, ipa_netgroup_member should be used
              instead.

              Default: memberNisNetgroup

       ldap_netgroup_triple (string)
              The LDAP attribute that contains the (host, user, domain)
              netgroup triples.

              This option is not available in the IPA provider.

              Default: nisNetgroupTriple

       ldap_netgroup_modify_timestamp (string)
              The LDAP attribute that contains the timestamp of the last
              modification of the parent object.

              This option is not available in the IPA provider.

              Default: modifyTimestamp

HOST ATTRIBUTES
       ldap_host_object_class (string)
              The object class of a host entry in LDAP.

              Default: ipService

       ldap_host_name (string)
              The LDAP attribute that corresponds to the host's name.

              Default: cn

       ldap_host_fqdn (string)
              The LDAP attribute that corresponds to the host's
              fully-qualified domain name.

              Default: fqdn

       ldap_host_serverhostname (string)
              The LDAP attribute that corresponds to the host's name.

              Default: serverHostname

       ldap_host_member_of (string)
              The LDAP attribute that lists the host's group memberships.

              Default: memberOf

       ldap_host_ssh_public_key (string)
              The LDAP attribute that contains the host's SSH public keys.

              Default: sshPublicKey

       ldap_host_uuid (string)
              The LDAP attribute that contains the UUID/GUID of an LDAP host
              object.

              Default: not set

SERVICE ATTRIBUTES
       ldap_service_object_class (string)
              The object class of a service entry in LDAP.

              Default: ipService

       ldap_service_name (string)
              The LDAP attribute that contains the name of the service and
              its aliases.

              Default: cn

       ldap_service_port (string)
              The LDAP attribute that contains the port managed by this
              service.

              Default: ipServicePort

       ldap_service_proto (string)
              The LDAP attribute that contains the protocols understood by
              this service.

              Default: ipServiceProtocol

SUDO ATTRIBUTES
       ldap_sudorule_object_class (string)
              The object class of a sudo rule entry in LDAP.

              Default: sudoRole

       ldap_sudorule_name (string)
              The LDAP attribute that corresponds to the sudo rule name.

              Default: cn

       ldap_sudorule_command (string)
              The LDAP attribute that corresponds to the command name.

              Default: sudoCommand

       ldap_sudorule_host (string)
              The LDAP attribute that corresponds to the host name (or host
              IP address, host IP network, or host netgroup).

              Default: sudoHost

       ldap_sudorule_user (string)
              The LDAP attribute that corresponds to the user name (or UID,
              group name or user's netgroup).

              Default: sudoUser

       ldap_sudorule_option (string)
              The LDAP attribute that corresponds to the sudo options.

              Default: sudoOption

       ldap_sudorule_runasuser (string)
              The LDAP attribute that corresponds to the user name that
              commands may be run as.

              Default: sudoRunAsUser

       ldap_sudorule_runasgroup (string)
              The LDAP attribute that corresponds to the group name or group
              GID that commands may be run as.

              Default: sudoRunAsGroup

       ldap_sudorule_notbefore (string)
              The LDAP attribute that corresponds to the start date/time
              from which the sudo rule is valid.

              Default: sudoNotBefore

       ldap_sudorule_notafter (string)
              The LDAP attribute that corresponds to the expiration
              date/time, after which the sudo rule is no longer valid.

              Default: sudoNotAfter

       ldap_sudorule_order (string)
              The LDAP attribute that corresponds to the ordering index of
              the rule.

              Default: sudoOrder

AUTOFS ATTRIBUTES
       ldap_autofs_map_object_class (string)
              The object class of an automount map entry in LDAP.

              Default: nisMap (rfc2307, autofs_provider=ad), otherwise
              automountMap

       ldap_autofs_map_name (string)
              The name of an automount map entry in LDAP.

              Default: nisMapName (rfc2307, autofs_provider=ad), otherwise
              automountMapName

       ldap_autofs_entry_object_class (string)
              The object class of an automount entry in LDAP. The entry
              usually corresponds to a mount point.

              Default: nisObject (rfc2307, autofs_provider=ad), otherwise
              automount

       ldap_autofs_entry_key (string)
              The key of an automount entry in LDAP. The entry usually
              corresponds to a mount point.

              Default: cn (rfc2307, autofs_provider=ad), otherwise
              automountKey

       ldap_autofs_entry_value (string)
              The value of an automount entry in LDAP. The entry usually
              corresponds to a mount point.

              Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise
              automountInformation

IP HOST ATTRIBUTES
       ldap_iphost_object_class (string)
              The object class of an iphost entry in LDAP.

              Default: ipHost

       ldap_iphost_name (string)
              The LDAP attribute that contains the name of the IP host and
              its aliases.

              Default: cn

       ldap_iphost_number (string)
              The LDAP attribute that contains the IP host address.

              Default: ipHostNumber

IP NETWORK ATTRIBUTES
       ldap_ipnetwork_object_class (string)
              The object class of an ipnetwork entry in LDAP.

              Default: ipNetwork

       ldap_ipnetwork_name (string)
              The LDAP attribute that contains the name of the IP network
              and its aliases.

              Default: cn

       ldap_ipnetwork_number (string)
              The LDAP attribute that contains the IP network address.

              Default: ipNetworkNumber

SEE ALSO
       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5),
       sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5),
       sssd-sudo(5), sssd-session-recording(5), sss_cache(8),
       sss_debuglevel(8), sss_obfuscate(8), sss_seed(8),
       sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8),
       sss_rpcidmapd(5), sssd-systemtap(5).

AUTHORS
       The SSSD upstream - https://github.com/SSSD/sssd/

SSSD                              11/15/2023            SSSD-LDAP-ATTRIBUT(5)