SSSD-IPA(5)              File Formats and Conventions              SSSD-IPA(5)


NAME

       sssd-ipa - SSSD IPA provider


DESCRIPTION

       This manual page describes the configuration of the IPA provider for
       sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
       section of the sssd.conf(5) manual page.

       The IPA provider is a back end used to connect to an IPA server. (Refer
       to the freeipa.org web site for information about IPA servers.) This
       provider requires that the machine be joined to the IPA domain;
       configuration is almost entirely self-discovered and obtained directly
       from the server.

       The IPA provider accepts the same options used by the sssd-ldap(5)
       identity provider and the sssd-krb5(5) authentication provider, with
       some exceptions described below. However, it is neither necessary nor
       recommended to set these options.

       The IPA provider can also be used as an access and chpass provider. As
       an access provider it uses HBAC (host-based access control) rules.
       Please refer to freeipa.org for more information about HBAC. No
       configuration of the access provider is required on the client side.

       The IPA provider will use the PAC responder if the Kerberos tickets of
       users from trusted realms contain a PAC. To make configuration easier,
       the PAC responder is started automatically if the IPA ID provider is
       configured.


CONFIGURATION OPTIONS

       Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
       for details on the configuration of an SSSD domain.

       ipa_domain (string)
           Specifies the name of the IPA domain. This is optional. If not
           provided, the configuration domain name is used.

       ipa_server, ipa_backup_server (string)
           The comma-separated list of IP addresses or hostnames of the IPA
           servers to which SSSD should connect, in order of preference. For
           more information on failover and server redundancy, see the
           “FAILOVER” section. This is optional if autodiscovery is enabled.
           For more information on service discovery, refer to the “SERVICE
           DISCOVERY” section.

       ipa_hostname (string)
           Optional. May be set on machines where the hostname(5) does not
           reflect the fully qualified name used in the IPA domain to identify
           this host.

       dyndns_update (boolean)
           Optional. This option tells SSSD to automatically update the DNS
           server built into FreeIPA v2 with the IP address of this client.
           The update is secured using GSS-TSIG. The IP address of the IPA
           LDAP connection is used for the updates, if it is not otherwise
           specified by using the “dyndns_iface” option.

           NOTE: On older systems (such as RHEL 5), for this behavior to work
           reliably, the default Kerberos realm must be set properly in
           /etc/krb5.conf

           NOTE: While it is still possible to use the old ipa_dyndns_update
           option, users should migrate to using dyndns_update in their config
           file.

           Default: false

       dyndns_ttl (integer)
           The TTL to apply to the client DNS record when updating it. If
           dyndns_update is false this has no effect. This will override the
           TTL serverside if set by an administrator.

           NOTE: While it is still possible to use the old ipa_dyndns_ttl
           option, users should migrate to using dyndns_ttl in their config
           file.

           Default: 1200 (seconds)

       dyndns_iface (string)
           Optional. Applicable only when dyndns_update is true. Choose the
           interface or a list of interfaces whose IP addresses should be used
           for dynamic DNS updates. The special value “*” means that IPs from
           all interfaces should be used.

           NOTE: While it is still possible to use the old ipa_dyndns_iface
           option, users should migrate to using dyndns_iface in their config
           file.

           Default: Use the IP addresses of the interface which is used for
           the IPA LDAP connection

           Example: dyndns_iface = em1, vnet1, vnet2

       ipa_enable_dns_sites (boolean)
           Enables DNS sites - location based service discovery.

           If true and service discovery (see the “SERVICE DISCOVERY” section
           at the bottom of the man page) is enabled, then SSSD will first
           attempt location based discovery using a query that contains
           "_location.hostname.example.com" and then fall back to traditional
           SRV discovery. If the location based discovery succeeds, the IPA
           servers located with the location based discovery are treated as
           primary servers and the IPA servers located using the traditional
           SRV discovery are used as backup servers.

           Default: false

       dyndns_refresh_interval (integer)
           How often the back end should perform a periodic DNS update in
           addition to the automatic update performed when the back end goes
           online. This option is optional and applicable only when
           dyndns_update is true.

           Default: 0 (disabled)

       dyndns_update_ptr (boolean)
           Whether the PTR record should also be explicitly updated when
           updating the client's DNS records. Applicable only when
           dyndns_update is true.

           This option should be false in most IPA deployments as the IPA
           server generates the PTR records automatically when forward records
           are changed.

           Default: false (disabled)

       dyndns_force_tcp (boolean)
           Whether the nsupdate utility should default to using TCP for
           communicating with the DNS server.

           Default: false (let nsupdate choose the protocol)

       dyndns_server (string)
           The DNS server to use when performing a DNS update. In most setups,
           it's recommended to leave this option unset.

           Setting this option makes sense for environments where the DNS
           server is different from the identity server.

           Please note that this option will only be used in a fallback
           attempt after a previous attempt using autodetected settings has
           failed.

           Default: None (let nsupdate choose the server)

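       The following Python is an added example; it is not from this page or
       from SSSD. It builds the nsupdate(1) input that an equivalent manual
       GSS-TSIG update would use, so the dyndns_ttl, dyndns_server,
       dyndns_force_tcp and dyndns_update_ptr settings can be exercised by
       hand (kinit -k as the host principal, then nsupdate -g) before
       dyndns_update is turned on. The record layout (delete, then add, per
       record type, then send) and the helper names are this example's own
       assumptions; SSSD's exact script is not shown on this page, and the
       hostnames and addresses are constructed sample data.

```python
"""Added example, not part of sssd-ipa(5) or SSSD: generate nsupdate(1) input
for a manual GSS-TSIG update that mirrors the dyndns_* options.

Assumptions: the delete-then-add layout is a plausible reconstruction, not
SSSD's exact script; hostnames/addresses in __main__ are constructed.
"""
import ipaddress
from typing import List, Optional


def nsupdate_argv(force_tcp: bool = False) -> List[str]:
    """-g selects GSS-TSIG; -v forces TCP, the equivalent of dyndns_force_tcp = true."""
    argv = ["nsupdate", "-g"]
    if force_tcp:
        argv.append("-v")
    return argv


def nsupdate_script(hostname: str, addresses: List[str], ttl: int = 1200,
                    server: Optional[str] = None, update_ptr: bool = False) -> str:
    """Return the nsupdate stdin text for the forward (and optionally PTR) records.

    ttl mirrors dyndns_ttl (default 1200 s); server mirrors dyndns_server;
    update_ptr mirrors dyndns_update_ptr, which IPA deployments normally leave
    false because the IPA server maintains PTR records itself.
    """
    fqdn = hostname.rstrip(".") + "."
    parsed = [ipaddress.ip_address(a) for a in addresses]
    lines: List[str] = []
    if server:
        lines.append(f"server {server}")
    # Replace whatever A/AAAA records exist so stale addresses are not left behind.
    for rtype in ("A", "AAAA"):
        lines.append(f"update delete {fqdn} IN {rtype}")
    for ip in parsed:
        rtype = "A" if ip.version == 4 else "AAAA"
        lines.append(f"update add {fqdn} {ttl} IN {rtype} {ip}")
    lines.append("send")
    if update_ptr:
        # One reverse-zone update per address; reverse_pointer handles v4 and v6.
        for ip in parsed:
            ptr = ip.reverse_pointer + "."
            lines.append(f"update delete {ptr} IN PTR")
            lines.append(f"update add {ptr} {ttl} IN PTR {fqdn}")
        lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample client with one IPv4 and one IPv6 address.
    print(" ".join(nsupdate_argv(force_tcp=True)))
    print(nsupdate_script("myhost.example.com", ["192.0.2.10", "2001:db8::10"],
                          ttl=1200, server="ipaserver.example.com"))
```

       Feed the printed script to the printed command on a client that holds
       a valid host ticket; if the manual update is refused, dyndns_update
       will fail the same way and the DNS side (GSS-TSIG policy, zone
       permissions) needs fixing first.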
       ipa_hbac_search_base (string)
           Optional. Use the given string as search base for HBAC related
           objects.

           Default: Use base DN

       ipa_host_search_base (string)
           Optional. Use the given string as search base for host objects.

           See “ldap_search_base” for information about configuring multiple
           search bases.

           Default: the value of ldap_search_base

       ipa_selinux_search_base (string)
           Optional. Use the given string as search base for SELinux user
           maps.

           See “ldap_search_base” for information about configuring multiple
           search bases.

           Default: the value of ldap_search_base

       ipa_subdomains_search_base (string)
           Optional. Use the given string as search base for trusted domains.

           See “ldap_search_base” for information about configuring multiple
           search bases.

           Default: cn=trusts,%basedn

       ipa_master_domain_search_base (string)
           Optional. Use the given string as search base for the master domain
           object.

           See “ldap_search_base” for information about configuring multiple
           search bases.

           Default: cn=ad,cn=etc,%basedn

       ipa_views_search_base (string)
           Optional. Use the given string as search base for views containers.

           See “ldap_search_base” for information about configuring multiple
           search bases.

           Default: cn=views,cn=accounts,%basedn

       krb5_validate (boolean)
           Verify, with the help of the host keytab (krb5_keytab), that the
           TGT obtained has not been spoofed by a rogue KDC.

           Default: true

           Note that this default differs from the traditional Kerberos
           provider back end.

       krb5_realm (string)
           The name of the Kerberos realm. This is optional and defaults to
           the value of “ipa_domain”.

           The name of the Kerberos realm has a special meaning in IPA - it is
           converted into the base DN to use for performing LDAP operations.

       krb5_canonicalize (boolean)
           Specifies if the host and user principal should be canonicalized
           when connecting to IPA LDAP and also for AS requests. This feature
           is available with MIT Kerberos >= 1.7

           Default: true

       krb5_use_fast (string)
           Enables flexible authentication secure tunneling (FAST) for
           Kerberos pre-authentication. The following values are supported:

           never
               never use FAST.

           try
               try to use FAST. If the server does not support FAST, continue
               the authentication without it. This is equivalent to not
               setting this option at all.

           demand
               demand to use FAST. The authentication fails if FAST cannot be
               used.

           Default: try

           NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and
           later. If SSSD is used with an older version of MIT Kerberos, using
           this option is a configuration error.

       krb5_confd_path (string)
           Absolute path of a directory where SSSD should place Kerberos
           configuration snippets.

           To disable the creation of the configuration snippets set the
           parameter to 'none'.

           Default: not set (krb5.include.d subdirectory of SSSD's pubconf
           directory)

       ipa_hbac_refresh (integer)
           The amount of time between lookups of the HBAC rules against the
           IPA server. This will reduce the latency and load on the IPA server
           if there are many access-control requests made in a short period.

           Default: 5 (seconds)

       ipa_hbac_selinux (integer)
           The amount of time between lookups of the SELinux maps against the
           IPA server. This will reduce the latency and load on the IPA server
           if there are many user login requests made in a short period.

           Default: 5 (seconds)

       ipa_server_mode (boolean)
           This option should only be set by the IPA installer.

           The option denotes that SSSD is running on an IPA server and should
           perform lookups of users and groups from trusted domains
           differently.

           Default: false

       ipa_automount_location (string)
           The automounter location this IPA client will be using.

           Default: The location named "default"

           Please note that the automounter only reads the master map on
           startup, so if any autofs-related changes are made to sssd.conf,
           you typically also need to restart the automounter daemon after
           restarting SSSD.

   VIEWS AND OVERRIDES
       SSSD can handle views and overrides which are offered by FreeIPA 4.1
       and later versions. Since all paths and objectclasses are fixed on the
       server side there is basically no need to configure anything. For
       completeness the related options are listed here with their default
       values.

       ipa_view_class (string)
           Objectclass of the view container.

           Default: nsContainer

       ipa_view_name (string)
           Name of the attribute holding the name of the view.

           Default: cn

       ipa_overide_object_class (string)
           Objectclass of the override objects.

           Default: ipaOverrideAnchor

       ipa_anchor_uuid (string)
           Name of the attribute containing the reference to the original
           object in a remote domain.

           Default: ipaAnchorUUID

       ipa_user_override_object_class (string)
           Name of the objectclass for user overrides. It is used to determine
           if the found override object is related to a user or a group.

           User overrides can contain attributes given by

           ·   ldap_user_name

           ·   ldap_user_uid_number

           ·   ldap_user_gid_number

           ·   ldap_user_gecos

           ·   ldap_user_home_directory

           ·   ldap_user_shell

           ·   ldap_user_ssh_public_key

           Default: ipaUserOverride

       ipa_group_override_object_class (string)
           Name of the objectclass for group overrides. It is used to
           determine if the found override object is related to a user or a
           group.

           Group overrides can contain attributes given by

           ·   ldap_group_name

           ·   ldap_group_gid_number

           Default: ipaGroupOverride


SUBDOMAINS PROVIDER

       The IPA subdomains provider behaves slightly differently depending on
       whether it is configured explicitly or implicitly.

       If the option 'subdomains_provider = ipa' is found in the domain
       section of sssd.conf, the IPA subdomains provider is configured
       explicitly, and all subdomain requests are sent to the IPA server if
       necessary.

       If the option 'subdomains_provider' is not set in the domain section of
       sssd.conf but the option 'id_provider = ipa' is present, the IPA
       subdomains provider is configured implicitly. In this case, if a
       subdomain request fails and indicates that the server does not support
       subdomains, i.e. is not configured for trusts, the IPA subdomains
       provider is disabled. After an hour or after the IPA provider goes
       online, the subdomains provider is enabled again.


FAILOVER

       The failover feature allows back ends to automatically switch to a
       different server if the current server fails.

   Failover Syntax
       The list of servers is given as a comma-separated list; any number of
       spaces is allowed around the comma. The servers are listed in order of
       preference. The list can contain any number of servers.

       For each failover-enabled config option, two variants exist: primary
       and backup. The idea is that servers in the primary list are preferred
       and backup servers are only searched if no primary servers can be
       reached. If a backup server is selected, a timeout of 31 seconds is
       set. After this timeout SSSD will periodically try to reconnect to one
       of the primary servers. If it succeeds, it will replace the current
       active (backup) server.

   The Failover Mechanism
       The failover mechanism distinguishes between a machine and a service.
       The back end first tries to resolve the hostname of a given machine; if
       this resolution attempt fails, the machine is considered offline. No
       further attempts are made to connect to this machine for any other
       service. If the resolution attempt succeeds, the back end tries to
       connect to a service on this machine. If the service connection attempt
       fails, then only this particular service is considered offline and the
       back end automatically switches over to the next service. The machine
       is still considered online and might still be tried for another
       service.

       Further connection attempts are made to machines or services marked as
       offline after a specified period of time; this is currently hard coded
       to 30 seconds.

       If there are no more machines to try, the back end as a whole switches
       to offline mode, and then attempts to reconnect every 30 seconds.

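       The following Python is an added example, not SSSD code: a small model
       of the server-list syntax, the “_srv_” keyword from the SERVICE
       DISCOVERY section and the machine/service rules above, so the order in
       which servers are tried, and when a backup gives way to a primary
       again, can be reasoned about offline. The class and function names,
       the injected resolver/connector callables and the stubbed SRV lookup
       are this example's own assumptions; SSSD's internal structures are not
       described on this page.

```python
"""Added example (not SSSD code): model of the FAILOVER and SERVICE DISCOVERY
rules from sssd-ipa(5).

Assumptions: DNS resolution, service connection and SRV discovery are injected
callables (stubs below), and time is passed in explicitly so the 30/31 second
timers can be exercised without waiting.
"""
from typing import Callable, Dict, List, Optional, Tuple

SRV_KEYWORD = "_srv_"
OFFLINE_RETRY_SECONDS = 30    # offline machines/services are retried after this
BACKUP_RECHECK_SECONDS = 31   # once on a backup, primaries are retried after this


def parse_server_list(value: str) -> List[str]:
    """Comma-separated, any whitespace around commas, order of preference kept."""
    return [item.strip() for item in value.split(",") if item.strip()]


def expand_srv(servers: List[str], srv_lookup: Callable[[], List[str]]) -> List[str]:
    """Replace the _srv_ keyword with the discovered servers at that position."""
    expanded: List[str] = []
    for server in servers:
        expanded.extend(srv_lookup() if server == SRV_KEYWORD else [server])
    return expanded


class Failover:
    """Tracks offline machines and offline (machine, service) pairs separately."""

    def __init__(self, primary: List[str], backup: List[str], service: str = "ldap") -> None:
        self.primary, self.backup, self.service = primary, backup, service
        self.machine_offline_until: Dict[str, float] = {}
        self.service_offline_until: Dict[Tuple[str, str], float] = {}
        self.backup_selected_at: Optional[float] = None
        self.offline = False

    def _skip(self, host: str, now: float) -> bool:
        return (self.machine_offline_until.get(host, -1.0) > now
                or self.service_offline_until.get((host, self.service), -1.0) > now)

    def select(self, now: float, resolves: Callable[[str], bool],
               connects: Callable[[str, str], bool]) -> Optional[Tuple[str, bool]]:
        """Walk primaries, then backups; return (server, is_backup) or None if all offline."""
        for is_backup, candidates in ((False, self.primary), (True, self.backup)):
            for host in candidates:
                if self._skip(host, now):
                    continue
                if not resolves(host):
                    # Name resolution failed: the whole machine is offline for every service.
                    self.machine_offline_until[host] = now + OFFLINE_RETRY_SECONDS
                    continue
                if not connects(host, self.service):
                    # Only this service on this machine is offline; others may still work.
                    self.service_offline_until[(host, self.service)] = now + OFFLINE_RETRY_SECONDS
                    continue
                self.offline = False
                self.backup_selected_at = now if is_backup else None
                return host, is_backup
        self.offline = True   # nothing left to try: the back end as a whole goes offline
        return None

    def should_retry_primary(self, now: float) -> bool:
        """True once a backup server has been active for the recheck timeout."""
        return (self.backup_selected_at is not None
                and now - self.backup_selected_at >= BACKUP_RECHECK_SECONDS)


if __name__ == "__main__":
    # Constructed sample: one explicit primary plus SRV discovery, one explicit backup.
    def discovered() -> List[str]:
        return ["ipa2.example.com"]

    primary = expand_srv(parse_server_list("ipa1.example.com , _srv_"), discovered)
    fo = Failover(primary, parse_server_list("ipa3.example.com"))
    # ipa1 does not resolve and ipa2 refuses LDAP, so the backup is chosen.
    print(fo.select(0, lambda h: h != "ipa1.example.com", lambda h, s: h != "ipa2.example.com"))
    print(fo.select(30, lambda h: True, lambda h, s: True))   # primaries retried after 30 s
```

       Note that a server listed with an unresolvable name is skipped for
       every service until its retry time passes, while a server that only
       refuses one service stays eligible for the others; both follow from the
       mechanism described above.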

SERVICE DISCOVERY

       The service discovery feature allows back ends to automatically find
       the appropriate servers to connect to using a special DNS query. This
       feature is not supported for backup servers.

   Configuration
       If no servers are specified, the back end automatically uses service
       discovery to try to find a server. Optionally, the user may choose to
       use both fixed server addresses and service discovery by inserting a
       special keyword, “_srv_”, in the list of servers. The order of
       preference is maintained. This feature is useful if, for example, the
       user prefers to use service discovery whenever possible, and fall back
       to a specific server when no servers can be discovered using DNS.

   The domain name
       Please refer to the “dns_discovery_domain” parameter in the
       sssd.conf(5) manual page for more details.

   The protocol
       The queries usually specify _tcp as the protocol. Exceptions are
       documented in the respective option description.

   See Also
       For more information on the service discovery mechanism, refer to RFC
       2782.


EXAMPLE

       The following example assumes that SSSD is correctly configured and
       example.com is one of the domains in the [sssd] section. This example
       shows only the IPA provider-specific options.

           [domain/example.com]
           id_provider = ipa
           ipa_server = ipaserver.example.com
           ipa_hostname = myhost.example.com


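       The following Python is an added example and is not part of this page
       or of SSSD. It reads an sssd.conf and audits every domain using the IPA
       provider against the points documented above: the deprecated
       ipa_dyndns_* names, krb5_validate being switched off (the IPA provider
       defaults it to true), krb5_use_fast = never, dyndns_update_ptr in an
       IPA deployment, the “_srv_” keyword in ipa_backup_server (service
       discovery is not supported for backup servers), ipa_server_mode on a
       client, and a missing ipa_server. The finding codes and the policy
       behind each check are this example's own, and the configuration in the
       usage section is constructed sample data.

```python
"""Added example, not part of sssd-ipa(5) or SSSD: audit the IPA-provider
options of every domain in an sssd.conf against this page's defaults and notes.

Assumptions: finding codes and check policy are this example's own; the
configuration in __main__ is constructed sample data.
"""
import configparser
from typing import Dict, List

# Old option names this page says to migrate away from, with their replacements.
RENAMED = {
    "ipa_dyndns_update": "dyndns_update",
    "ipa_dyndns_ttl": "dyndns_ttl",
    "ipa_dyndns_iface": "dyndns_iface",
}


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-like; interpolation is off because values may contain '%'."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg


def _servers(value: str) -> List[str]:
    """Comma-separated server list, whitespace around commas ignored."""
    return [s.strip() for s in value.split(",") if s.strip()]


def audit_ipa_domains(text: str) -> Dict[str, List[str]]:
    """Return {domain section: [finding codes]} for each domain with id_provider = ipa."""
    cfg = parse_sssd_conf(text)
    findings: Dict[str, List[str]] = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        if cfg.get(section, "id_provider", fallback="").strip().lower() != "ipa":
            continue
        found: List[str] = []
        for old, new in RENAMED.items():
            if cfg.has_option(section, old):
                found.append(f"deprecated-option:{old}->{new}")
        # The IPA provider defaults krb5_validate to true; false stops SSSD checking
        # the TGT against the host keytab, so a spoofed KDC would go unnoticed.
        if not cfg.getboolean(section, "krb5_validate", fallback=True):
            found.append("krb5_validate-disabled")
        if cfg.get(section, "krb5_use_fast", fallback="try").strip().lower() == "never":
            found.append("fast-disabled")
        if (cfg.getboolean(section, "dyndns_update", fallback=False)
                and cfg.getboolean(section, "dyndns_update_ptr", fallback=False)):
            found.append("dyndns_update_ptr-redundant")   # IPA derives PTRs itself
        # Service discovery is not supported for backup servers.
        if "_srv_" in _servers(cfg.get(section, "ipa_backup_server", fallback="")):
            found.append("srv-keyword-in-backup-list")
        if not cfg.has_option(section, "ipa_server"):
            found.append("ipa_server-unset:srv-discovery-only")
        if cfg.getboolean(section, "ipa_server_mode", fallback=False):
            found.append("ipa_server_mode-set")   # only the IPA installer should set this
        findings[section] = found
    return findings


if __name__ == "__main__":
    # Constructed sample configuration exercising most of the checks.
    SAMPLE = """\
[sssd]
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipaserver.example.com
ipa_backup_server = _srv_
krb5_validate = False
krb5_use_fast = never
ipa_dyndns_update = True
dyndns_update = True
dyndns_update_ptr = True
"""
    for domain, codes in audit_ipa_domains(SAMPLE).items():
        print(domain, codes or "clean")
```

       Run it against /etc/sssd/sssd.conf after an IPA client enrollment; a
       clean domain returns an empty list, and the example configuration in
       this section produces no findings.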

SEE ALSO

       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
       sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sss_cache(8), sss_debuglevel(8),
       sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
       sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5).


AUTHORS

       The SSSD upstream - http://fedorahosted.org/sssd



SSSD                              01/15/2019                       SSSD-IPA(5)