1SSSD-LDAP-ATTRIBUT(5) File Formats and Conventions SSSD-LDAP-ATTRIBUT(5)
2
6 sssd-ldap-attributes - SSSD LDAP Provider: Mapping Attributes
7
9 This manual page describes the mapping attributes of SSSD LDAP provider
10 sssd-ldap(5). Refer to the sssd-ldap(5) manual page for full details
11 about SSSD LDAP provider configuration options.
12
14 ldap_user_object_class (string)
15 The object class of a user entry in LDAP.
16 Default: posixAccount
18 ldap_user_name (string)
20 The LDAP attribute that corresponds to the user's login name.
21 Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
23 ldap_user_uid_number (string)
25 The LDAP attribute that corresponds to the user's id.
26 Default: uidNumber
28 ldap_user_gid_number (string)
30 The LDAP attribute that corresponds to the user's primary group id.
31 Default: gidNumber
33 ldap_user_primary_group (string)
35 Active Directory primary group attribute for ID-mapping. Note that
36 this attribute should only be set manually if you are running the
37 “ldap” provider with ID mapping.
38 Default: unset (LDAP), primaryGroupID (AD)
40 ldap_user_gecos (string)
42 The LDAP attribute that corresponds to the user's gecos field.
43 Default: gecos
45 ldap_user_home_directory (string)
47 The LDAP attribute that contains the name of the user's home
48 directory.
49 Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)
51 ldap_user_shell (string)
53 The LDAP attribute that contains the path to the user's default
54 shell.
55 Default: loginShell
57 ldap_user_uuid (string)
59 The LDAP attribute that contains the UUID/GUID of an LDAP user
60 object.
61 Default: not set in the general case, objectGUID for AD and
63 ipaUniqueID for IPA
64 ldap_user_objectsid (string)
66 The LDAP attribute that contains the objectSID of an LDAP user
67 object. This is usually only necessary for ActiveDirectory servers.
68 Default: objectSid for ActiveDirectory, not set for other servers.
70 ldap_user_modify_timestamp (string)
72 The LDAP attribute that contains timestamp of the last modification
73 of the parent object.
74 Default: modifyTimestamp
76 ldap_user_shadow_last_change (string)
78 When using ldap_pwd_policy=shadow, this parameter contains the name
79 of an LDAP attribute corresponding to its shadow(5) counterpart
80 (date of the last password change).
81 Default: shadowLastChange
83 ldap_user_shadow_min (string)
85 When using ldap_pwd_policy=shadow, this parameter contains the name
86 of an LDAP attribute corresponding to its shadow(5) counterpart
87 (minimum password age).
88 Default: shadowMin
90 ldap_user_shadow_max (string)
92 When using ldap_pwd_policy=shadow, this parameter contains the name
93 of an LDAP attribute corresponding to its shadow(5) counterpart
94 (maximum password age).
95 Default: shadowMax
97 ldap_user_shadow_warning (string)
99 When using ldap_pwd_policy=shadow, this parameter contains the name
100 of an LDAP attribute corresponding to its shadow(5) counterpart
101 (password warning period).
102 Default: shadowWarning
104 ldap_user_shadow_inactive (string)
106 When using ldap_pwd_policy=shadow, this parameter contains the name
107 of an LDAP attribute corresponding to its shadow(5) counterpart
108 (password inactivity period).
109 Default: shadowInactive
111 ldap_user_shadow_expire (string)
113 When using ldap_pwd_policy=shadow or
114 ldap_account_expire_policy=shadow, this parameter contains the name
115 of an LDAP attribute corresponding to its shadow(5) counterpart
116 (account expiration date).
117 Default: shadowExpire
119 ldap_user_krb_last_pwd_change (string)
121 When using ldap_pwd_policy=mit_kerberos, this parameter contains
122 the name of an LDAP attribute storing the date and time of last
123 password change in kerberos.
124 Default: krbLastPwdChange
126 ldap_user_krb_password_expiration (string)
128 When using ldap_pwd_policy=mit_kerberos, this parameter contains
129 the name of an LDAP attribute storing the date and time when
130 current password expires.
131 Default: krbPasswordExpiration
133 ldap_user_ad_account_expires (string)
135 When using ldap_account_expire_policy=ad, this parameter contains
136 the name of an LDAP attribute storing the expiration time of the
137 account.
138 Default: accountExpires
140 ldap_user_ad_user_account_control (string)
142 When using ldap_account_expire_policy=ad, this parameter contains
143 the name of an LDAP attribute storing the user account control bit
144 field.
145 Default: userAccountControl
147 ldap_ns_account_lock (string)
149 When using ldap_account_expire_policy=rhds or equivalent, this
150 parameter determines if access is allowed or not.
151 Default: nsAccountLock
153 ldap_user_nds_login_disabled (string)
155 When using ldap_account_expire_policy=nds, this attribute
156 determines if access is allowed or not.
157 Default: loginDisabled
159 ldap_user_nds_login_expiration_time (string)
161 When using ldap_account_expire_policy=nds, this attribute
162 determines until which date access is granted.
163 Default: loginDisabled
165 ldap_user_nds_login_allowed_time_map (string)
167 When using ldap_account_expire_policy=nds, this attribute
168 determines the hours of a day in a week when access is granted.
169 Default: loginAllowedTimeMap
171 ldap_user_principal (string)
173 The LDAP attribute that contains the user's Kerberos User Principal
174 Name (UPN).
175 Default: krbPrincipalName
177 ldap_user_extra_attrs (string)
179 Comma-separated list of LDAP attributes that SSSD would fetch along
180 with the usual set of user attributes.
181 The list can either contain LDAP attribute names only, or
183 colon-separated tuples of SSSD cache attribute name and LDAP
184 attribute name. In case only LDAP attribute name is specified, the
185 attribute is saved to the cache verbatim. Using a custom SSSD
186 attribute name might be required by environments that configure
187 several SSSD domains with different LDAP schemas.
188 Please note that several attribute names are reserved by SSSD,
190 notably the “name” attribute. SSSD would report an error if any of
191 the reserved attribute names is used as an extra attribute name.
192 Examples:
194 ldap_user_extra_attrs = telephoneNumber
196 Save the “telephoneNumber” attribute from LDAP as “telephoneNumber”
198 to the cache.
199 ldap_user_extra_attrs = phone:telephoneNumber
201 Save the “telephoneNumber” attribute from LDAP as “phone” to the
203 cache.
204 Default: not set
206 ldap_user_ssh_public_key (string)
208 The LDAP attribute that contains the user's SSH public keys.
209 Default: sshPublicKey
211 ldap_user_fullname (string)
213 The LDAP attribute that corresponds to the user's full name.
214 Default: cn
216 ldap_user_member_of (string)
218 The LDAP attribute that lists the user's group memberships.
219 Default: memberOf
221 ldap_user_authorized_service (string)
223 If access_provider=ldap and ldap_access_order=authorized_service,
224 SSSD will use the presence of the authorizedService attribute in
225 the user's LDAP entry to determine access privilege.
226 An explicit deny (!svc) is resolved first. Second, SSSD searches
228 for explicit allow (svc) and finally for allow_all (*).
229 Please note that the ldap_access_order configuration option must
231 include “authorized_service” in order for the
232 ldap_user_authorized_service option to work.
233 Some distributions (such as Fedora-29+ or RHEL-8) always include
235 the “systemd-user” PAM service as part of the login process.
236 Therefore when using service-based access control, the
237 “systemd-user” service might need to be added to the list of
238 allowed services.
239 Default: authorizedService
241 ldap_user_authorized_host (string)
243 If access_provider=ldap and ldap_access_order=host, SSSD will use
244 the presence of the host attribute in the user's LDAP entry to
245 determine access privilege.
246 An explicit deny (!host) is resolved first. Second, SSSD searches
248 for explicit allow (host) and finally for allow_all (*).
249 Please note that the ldap_access_order configuration option must
251 include “host” in order for the ldap_user_authorized_host option to
252 work.
253 Default: host
255 ldap_user_authorized_rhost (string)
257 If access_provider=ldap and ldap_access_order=rhost, SSSD will use
258 the presence of the rhost attribute in the user's LDAP entry to
259 determine access privilege. Similarly to host verification process.
260 An explicit deny (!rhost) is resolved first. Second, SSSD searches
262 for explicit allow (rhost) and finally for allow_all (*).
263 Please note that the ldap_access_order configuration option must
265 include “rhost” in order for the ldap_user_authorized_rhost option
266 to work.
267 Default: rhost
269 ldap_user_certificate (string)
271 Name of the LDAP attribute containing the X509 certificate of the
272 user.
273 Default: userCertificate;binary
275 ldap_user_email (string)
277 Name of the LDAP attribute containing the email address of the
278 user.
279 Note: If an email address of a user conflicts with an email address
281 or fully qualified name of another user, then SSSD will not be able
282 to serve those users properly. If for some reason several users
283 need to share the same email address then set this option to a
284 nonexistent attribute name in order to disable user lookup/login by
285 email.
286 Default: mail
288 ldap_user_passkey (string)
290 Name of the LDAP attribute containing the passkey mapping data of
291 the user.
292 Default: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities
294 (AD)
295
297 ldap_group_object_class (string)
298 The object class of a group entry in LDAP.
299 Default: posixGroup
301 ldap_group_name (string)
303 The LDAP attribute that corresponds to the group name. In an
304 environment with nested groups, this value must be an LDAP
305 attribute which has a unique name for every group. This requirement
306 includes non-POSIX groups in the tree of nested groups.
307 Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
309 ldap_group_gid_number (string)
311 The LDAP attribute that corresponds to the group's id.
312 Default: gidNumber
314 ldap_group_member (string)
316 The LDAP attribute that contains the names of the group's members.
317 Default: memberuid (rfc2307) / member (rfc2307bis)
319 ldap_group_uuid (string)
321 The LDAP attribute that contains the UUID/GUID of an LDAP group
322 object.
323 Default: not set in the general case, objectGUID for AD and
325 ipaUniqueID for IPA
326 ldap_group_objectsid (string)
328 The LDAP attribute that contains the objectSID of an LDAP group
329 object. This is usually only necessary for ActiveDirectory servers.
330 Default: objectSid for ActiveDirectory, not set for other servers.
332 ldap_group_modify_timestamp (string)
334 The LDAP attribute that contains timestamp of the last modification
335 of the parent object.
336 Default: modifyTimestamp
338 ldap_group_type (string)
340 The LDAP attribute that contains an integer value indicating the
341 type of the group and maybe other flags.
342 This attribute is currently only used by the AD provider to
344 determine if a group is a domain local groups and has to be
345 filtered out for trusted domains.
346 Default: groupType in the AD provider, otherwise not set
348 ldap_group_external_member (string)
350 The LDAP attribute that references group members that are defined
351 in an external domain. At the moment, only IPA's external members
352 are supported.
353 Default: ipaExternalMember in the IPA provider, otherwise unset.
355
357 ldap_netgroup_object_class (string)
358 The object class of a netgroup entry in LDAP.
359 In IPA provider, ipa_netgroup_object_class should be used instead.
361 Default: nisNetgroup
363 ldap_netgroup_name (string)
365 The LDAP attribute that corresponds to the netgroup name.
366 In IPA provider, ipa_netgroup_name should be used instead.
368 Default: cn
370 ldap_netgroup_member (string)
372 The LDAP attribute that contains the names of the netgroup's
373 members.
374 In IPA provider, ipa_netgroup_member should be used instead.
376 Default: memberNisNetgroup
378 ldap_netgroup_triple (string)
380 The LDAP attribute that contains the (host, user, domain) netgroup
381 triples.
382 This option is not available in IPA provider.
384 Default: nisNetgroupTriple
386 ldap_netgroup_modify_timestamp (string)
388 The LDAP attribute that contains timestamp of the last modification
389 of the parent object.
390 This option is not available in IPA provider.
392 Default: modifyTimestamp
394
396 ldap_host_object_class (string)
397 The object class of a host entry in LDAP.
398 Default: ipService
400 ldap_host_name (string)
402 The LDAP attribute that corresponds to the host's name.
403 Default: cn
405 ldap_host_fqdn (string)
407 The LDAP attribute that corresponds to the host's fully-qualified
408 domain name.
409 Default: fqdn
411 ldap_host_serverhostname (string)
413 The LDAP attribute that corresponds to the host's name.
414 Default: serverHostname
416 ldap_host_member_of (string)
418 The LDAP attribute that lists the host's group memberships.
419 Default: memberOf
421 ldap_host_ssh_public_key (string)
423 The LDAP attribute that contains the host's SSH public keys.
424 Default: sshPublicKey
426 ldap_host_uuid (string)
428 The LDAP attribute that contains the UUID/GUID of an LDAP host
429 object.
430 Default: not set
432
434 ldap_service_object_class (string)
435 The object class of a service entry in LDAP.
436 Default: ipService
438 ldap_service_name (string)
440 The LDAP attribute that contains the name of service attributes and
441 their aliases.
442 Default: cn
444 ldap_service_port (string)
446 The LDAP attribute that contains the port managed by this service.
447 Default: ipServicePort
449 ldap_service_proto (string)
451 The LDAP attribute that contains the protocols understood by this
452 service.
453 Default: ipServiceProtocol
455
457 ldap_sudorule_object_class (string)
458 The object class of a sudo rule entry in LDAP.
459 Default: sudoRole
461 ldap_sudorule_name (string)
463 The LDAP attribute that corresponds to the sudo rule name.
464 Default: cn
466 ldap_sudorule_command (string)
468 The LDAP attribute that corresponds to the command name.
469 Default: sudoCommand
471 ldap_sudorule_host (string)
473 The LDAP attribute that corresponds to the host name (or host IP
474 address, host IP network, or host netgroup)
475 Default: sudoHost
477 ldap_sudorule_user (string)
479 The LDAP attribute that corresponds to the user name (or UID, group
480 name or user's netgroup)
481 Default: sudoUser
483 ldap_sudorule_option (string)
485 The LDAP attribute that corresponds to the sudo options.
486 Default: sudoOption
488 ldap_sudorule_runasuser (string)
490 The LDAP attribute that corresponds to the user name that commands
491 may be run as.
492 Default: sudoRunAsUser
494 ldap_sudorule_runasgroup (string)
496 The LDAP attribute that corresponds to the group name or group GID
497 that commands may be run as.
498 Default: sudoRunAsGroup
500 ldap_sudorule_notbefore (string)
502 The LDAP attribute that corresponds to the start date/time for when
503 the sudo rule is valid.
504 Default: sudoNotBefore
506 ldap_sudorule_notafter (string)
508 The LDAP attribute that corresponds to the expiration date/time,
509 after which the sudo rule will no longer be valid.
510 Default: sudoNotAfter
512 ldap_sudorule_order (string)
514 The LDAP attribute that corresponds to the ordering index of the
515 rule.
516 Default: sudoOrder
518
520 ldap_autofs_map_object_class (string)
521 The object class of an automount map entry in LDAP.
522 Default: nisMap (rfc2307, autofs_provider=ad), otherwise
524 automountMap
525 ldap_autofs_map_name (string)
527 The name of an automount map entry in LDAP.
528 Default: nisMapName (rfc2307, autofs_provider=ad), otherwise
530 automountMapName
531 ldap_autofs_entry_object_class (string)
533 The object class of an automount entry in LDAP. The entry usually
534 corresponds to a mount point.
535 Default: nisObject (rfc2307, autofs_provider=ad), otherwise
537 automount
538 ldap_autofs_entry_key (string)
540 The key of an automount entry in LDAP. The entry usually
541 corresponds to a mount point.
542 Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey
544 ldap_autofs_entry_value (string)
546 The key of an automount entry in LDAP. The entry usually
547 corresponds to a mount point.
548 Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise
550 automountInformation
551
553 ldap_iphost_object_class (string)
554 The object class of an iphost entry in LDAP.
555 Default: ipHost
557 ldap_iphost_name (string)
559 The LDAP attribute that contains the name of the IP host attributes
560 and their aliases.
561 Default: cn
563 ldap_iphost_number (string)
565 The LDAP attribute that contains the IP host address.
566 Default: ipHostNumber
568
570 ldap_ipnetwork_object_class (string)
571 The object class of an ipnetwork entry in LDAP.
572 Default: ipNetwork
574 ldap_ipnetwork_name (string)
576 The LDAP attribute that contains the name of the IP network
577 attributes and their aliases.
578 Default: cn
580 ldap_ipnetwork_number (string)
582 The LDAP attribute that contains the IP network address.
583 Default: ipNetworkNumber
585
587 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-
588 krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-
589 sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
590 sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
591 sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
592 pam_sss(8). sss_rpcidmapd(5) sssd-systemtap(5)
593
595 The SSSD upstream - https://github.com/SSSD/sssd/
596SSSD 11/15/2023 SSSD-LDAP-ATTRIBUT(5)