SSSD-IPA(5) File Formats and Conventions SSSD-IPA(5)

NAME
   sssd-ipa - SSSD IPA provider

DESCRIPTION
   This manual page describes the configuration of the IPA provider for
   sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
   section of the sssd.conf(5) manual page.

   The IPA provider is a back end used to connect to an IPA server. (Refer
   to the freeipa.org web site for information about IPA servers.) This
   provider requires that the machine be joined to the IPA domain;
   configuration is almost entirely self-discovered and obtained directly
   from the server.

   The IPA provider accepts the same options used by the sssd-ldap(5)
   identity provider and the sssd-krb5(5) authentication provider, with
   some exceptions described below. However, it is neither necessary nor
   recommended to set these options.

   The IPA provider can also be used as an access and chpass provider. As
   an access provider it uses HBAC (host-based access control) rules.
   Please refer to freeipa.org for more information about HBAC. No
   configuration of the access provider is required on the client side.

   The IPA provider will use the PAC responder if the Kerberos tickets of
   users from trusted realms contain a PAC. To make configuration easier,
   the PAC responder is started automatically if the IPA ID provider is
   configured.

CONFIGURATION OPTIONS
   Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
   for details on the configuration of an SSSD domain.

   ipa_domain (string)
       Specifies the name of the IPA domain. This is optional. If not
       provided, the configuration domain name is used.

   ipa_server, ipa_backup_server (string)
       The comma-separated list of IP addresses or hostnames of the IPA
       servers to which SSSD should connect, in order of preference. For
       more information on failover and server redundancy, see the
       “FAILOVER” section. This is optional if autodiscovery is enabled.
       For more information on service discovery, refer to the “SERVICE
       DISCOVERY” section.

   ipa_hostname (string)
       Optional. May be set on machines where the hostname(5) does not
       reflect the fully qualified name used in the IPA domain to identify
       this host.

   dyndns_update (boolean)
       Optional. This option tells SSSD to automatically update the DNS
       server built into FreeIPA v2 with the IP address of this client.
       The update is secured using GSS-TSIG. The IP address of the IPA
       LDAP connection is used for the updates, unless specified otherwise
       with the “dyndns_iface” option.

       NOTE: On older systems (such as RHEL 5), for this behavior to work
       reliably, the default Kerberos realm must be set properly in
       /etc/krb5.conf.

       NOTE: While it is still possible to use the old ipa_dyndns_update
       option, users should migrate to using dyndns_update in their config
       file.

       Default: false

   dyndns_ttl (integer)
       The TTL to apply to the client DNS record when updating it. If
       dyndns_update is false this has no effect. This will override the
       TTL set server-side by an administrator.

       NOTE: While it is still possible to use the old ipa_dyndns_ttl
       option, users should migrate to using dyndns_ttl in their config
       file.

       Default: 1200 (seconds)

   dyndns_iface (string)
       Optional. Applicable only when dyndns_update is true. Choose the
       interface or a list of interfaces whose IP addresses should be used
       for dynamic DNS updates. The special value “*” means that the IPs
       of all interfaces should be used.

       NOTE: While it is still possible to use the old ipa_dyndns_iface
       option, users should migrate to using dyndns_iface in their config
       file.

       Default: Use the IP addresses of the interface which is used for
       the IPA LDAP connection

       Example: dyndns_iface = em1, vnet1, vnet2

   ipa_enable_dns_sites (boolean)
       Enables DNS sites, i.e. location-based service discovery.

       If true and service discovery (see the “SERVICE DISCOVERY” section
       below) is enabled, then SSSD will first attempt location-based
       discovery using a query that contains
       "_location.hostname.example.com" and then fall back to traditional
       SRV discovery. If the location-based discovery succeeds, the IPA
       servers found by it are treated as primary servers and the IPA
       servers found by traditional SRV discovery are used as backup
       servers.

       Default: false

   dyndns_refresh_interval (integer)
       How often the back end should perform a periodic DNS update in
       addition to the automatic update performed when the back end goes
       online. This option is optional and applicable only when
       dyndns_update is true.

       Default: 0 (disabled)

   dyndns_update_ptr (boolean)
       Whether the PTR record should also be explicitly updated when
       updating the client's DNS records. Applicable only when
       dyndns_update is true.

       This option should be false in most IPA deployments, as the IPA
       server generates the PTR records automatically when forward records
       are changed.

       Default: False (disabled)

   dyndns_force_tcp (boolean)
       Whether the nsupdate utility should default to using TCP for
       communicating with the DNS server.

       Default: False (let nsupdate choose the protocol)

   dyndns_server (string)
       The DNS server to use when performing a DNS update. In most setups,
       it's recommended to leave this option unset.

       Setting this option makes sense for environments where the DNS
       server is different from the identity server.

       Please note that this option is only used in a fallback attempt,
       after a previous attempt using the autodetected settings has failed.

       Default: None (let nsupdate choose the server)

   ipa_hbac_search_base (string)
       Optional. Use the given string as the search base for HBAC-related
       objects.

       Default: Use base DN

   ipa_host_search_base (string)
       Optional. Use the given string as the search base for host objects.

       See “ldap_search_base” for information about configuring multiple
       search bases.

       Default: the value of ldap_search_base

   ipa_selinux_search_base (string)
       Optional. Use the given string as the search base for SELinux user
       maps.

       See “ldap_search_base” for information about configuring multiple
       search bases.

       Default: the value of ldap_search_base

   ipa_subdomains_search_base (string)
       Optional. Use the given string as the search base for trusted
       domains.

       See “ldap_search_base” for information about configuring multiple
       search bases.

       Default: cn=trusts,%basedn

   ipa_master_domain_search_base (string)
       Optional. Use the given string as the search base for the master
       domain object.

       See “ldap_search_base” for information about configuring multiple
       search bases.

       Default: cn=ad,cn=etc,%basedn

   ipa_views_search_base (string)
       Optional. Use the given string as the search base for view
       containers.

       See “ldap_search_base” for information about configuring multiple
       search bases.

       Default: cn=views,cn=accounts,%basedn

   krb5_validate (boolean)
       Verify, with the help of krb5_keytab, that the TGT obtained has not
       been spoofed.

       Default: true

       Note that this default differs from the traditional Kerberos
       provider back end.

   krb5_realm (string)
       The name of the Kerberos realm. This is optional and defaults to
       the value of “ipa_domain”.

       The name of the Kerberos realm has a special meaning in IPA: it is
       converted into the base DN to use for performing LDAP operations.

   krb5_canonicalize (boolean)
       Specifies if the host and user principal should be canonicalized
       when connecting to IPA LDAP and also for AS requests. This feature
       is available with MIT Kerberos >= 1.7.

       Default: true

   krb5_use_fast (string)
       Enables flexible authentication secure tunneling (FAST) for
       Kerberos pre-authentication. The following options are supported:

       never
           never use FAST.

       try
           try to use FAST. If the server does not support FAST, continue
           the authentication without it. This is equivalent to not
           setting this option at all.

       demand
           demand to use FAST. The authentication fails if the server does
           not require FAST.

       Default: try

       NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and
       later. If SSSD is used with an older version of MIT Kerberos, using
       this option is a configuration error.

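   As an added example (not SSSD's own code), the following Python script
   reads a constructed sssd.conf snippet and checks its IPA domain section
   against the rules stated in the option descriptions above: it flags the
   deprecated ipa_dyndns_* spellings, dyndns_* options that have no effect
   while dyndns_update is off, a disabled krb5_validate, and a
   krb5_use_fast value outside never/try/demand. The sample configuration
   and the wording of the findings are constructed for illustration.

```python
import configparser

# Old option names and their replacements, per the NOTEs in the option descriptions.
DEPRECATED = {
    "ipa_dyndns_update": "dyndns_update",
    "ipa_dyndns_ttl": "dyndns_ttl",
    "ipa_dyndns_iface": "dyndns_iface",
}
# Options documented as applicable only when dyndns_update is true.
NEEDS_DYNDNS = ("dyndns_ttl", "dyndns_iface", "dyndns_refresh_interval",
                "dyndns_update_ptr")
FAST_VALUES = ("never", "try", "demand")

def is_true(value):
    return value.strip().lower() in ("true", "yes", "1")

def lint_domain(conf_text, domain):
    """Return a list of findings for [domain/<domain>] in sssd.conf text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    sec = cfg["domain/" + domain]
    findings = []
    for old, new in DEPRECATED.items():
        if old in sec:
            findings.append(f"{old} is deprecated, use {new}")
    # Defaults taken from this man page: dyndns_update=false, krb5_validate=true,
    # krb5_use_fast=try. The old ipa_dyndns_update spelling still enables updates.
    dyndns = sec.get("dyndns_update", sec.get("ipa_dyndns_update", "false"))
    if not is_true(dyndns):
        for opt in NEEDS_DYNDNS:
            if opt in sec:
                findings.append(f"{opt} has no effect while dyndns_update is false")
    if not is_true(sec.get("krb5_validate", "true")):
        findings.append("krb5_validate=false: the TGT is not checked against the keytab")
    fast = sec.get("krb5_use_fast", "try").strip().lower()
    if fast not in FAST_VALUES:
        findings.append(f"krb5_use_fast={fast}: expected one of {', '.join(FAST_VALUES)}")
    return findings

# Constructed sample with several problems; not taken from a real deployment.
SAMPLE = """\
[domain/example.com]
id_provider = ipa
ipa_server = ipaserver.example.com
ipa_dyndns_iface = em1
dyndns_ttl = 600
krb5_validate = false
krb5_use_fast = always
"""
```

   lint_domain(SAMPLE, "example.com") reports four findings for the sample
   above, one per problem line, and an empty list for a section that only
   sets id_provider = ipa.
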
   krb5_confd_path (string)
       Absolute path of a directory where SSSD should place Kerberos
       configuration snippets.

       To disable the creation of the configuration snippets, set the
       parameter to 'none'.

       Default: not set (krb5.include.d subdirectory of SSSD's pubconf
       directory)

   ipa_hbac_refresh (integer)
       The amount of time between lookups of the HBAC rules against the
       IPA server. This will reduce the latency and load on the IPA server
       if there are many access-control requests made in a short period.

       Default: 5 (seconds)

   ipa_hbac_selinux (integer)
       The amount of time between lookups of the SELinux maps against the
       IPA server. This will reduce the latency and load on the IPA server
       if there are many user login requests made in a short period.

       Default: 5 (seconds)

   ipa_server_mode (boolean)
       This option should only be set by the IPA installer.

       The option denotes that SSSD is running on an IPA server and
       should perform lookups of users and groups from trusted domains
       differently.

       Default: false

   ipa_automount_location (string)
       The automounter location this IPA client will be using.

       Default: The location named "default"

       Please note that the automounter only reads the master map on
       startup, so if any autofs-related changes are made to sssd.conf,
       you typically also need to restart the automounter daemon after
       restarting SSSD.

VIEWS AND OVERRIDES
   SSSD can handle views and overrides which are offered by FreeIPA 4.1
   and later versions. Since all paths and objectclasses are fixed on the
   server side there is basically no need to configure anything. For
   completeness, the related options are listed here with their default
   values.

   ipa_view_class (string)
       Objectclass of the view container.

       Default: nsContainer

   ipa_view_name (string)
       Name of the attribute holding the name of the view.

       Default: cn

   ipa_override_object_class (string)
       Objectclass of the override objects.

       Default: ipaOverrideAnchor

   ipa_anchor_uuid (string)
       Name of the attribute containing the reference to the original
       object in a remote domain.

       Default: ipaAnchorUUID

   ipa_user_override_object_class (string)
       Name of the objectclass for user overrides. It is used to determine
       if the found override object is related to a user or a group.

       User overrides can contain attributes given by

       · ldap_user_name

       · ldap_user_uid_number

       · ldap_user_gid_number

       · ldap_user_gecos

       · ldap_user_home_directory

       · ldap_user_shell

       · ldap_user_ssh_public_key

       Default: ipaUserOverride

   ipa_group_override_object_class (string)
       Name of the objectclass for group overrides. It is used to
       determine if the found override object is related to a user or
       a group.

       Group overrides can contain attributes given by

       · ldap_group_name

       · ldap_group_gid_number

       Default: ipaGroupOverride

SUBDOMAINS PROVIDER
   The IPA subdomains provider behaves slightly differently depending on
   whether it is configured explicitly or implicitly.

   If the option “subdomains_provider = ipa” is found in the domain
   section of sssd.conf, the IPA subdomains provider is configured
   explicitly, and all subdomain requests are sent to the IPA server if
   necessary.

   If the option “subdomains_provider” is not set in the domain section of
   sssd.conf but the option “id_provider = ipa” is present, the IPA
   subdomains provider is configured implicitly. In this case, if a
   subdomain request fails and indicates that the server does not support
   subdomains, i.e. is not configured for trusts, the IPA subdomains
   provider is disabled. After an hour, or after the IPA provider goes
   online, the subdomains provider is enabled again.

FAILOVER
   The failover feature allows back ends to automatically switch to a
   different server if the current server fails.

   Failover Syntax
       The list of servers is given as a comma-separated list; any number
       of spaces is allowed around the comma. The servers are listed in
       order of preference. The list can contain any number of servers.

       For each failover-enabled config option, two variants exist:
       primary and backup. The idea is that servers in the primary list
       are preferred and backup servers are only searched if no primary
       servers can be reached. If a backup server is selected, a timeout
       of 31 seconds is set. After this timeout SSSD will periodically try
       to reconnect to one of the primary servers. If it succeeds, it will
       replace the current active (backup) server.

   The Failover Mechanism
       The failover mechanism distinguishes between a machine and a
       service. The back end first tries to resolve the hostname of a
       given machine; if this resolution attempt fails, the machine is
       considered offline. No further attempts are made to connect to this
       machine for any other service. If the resolution attempt succeeds,
       the back end tries to connect to a service on this machine. If the
       service connection attempt fails, then only this particular service
       is considered offline and the back end automatically switches over
       to the next service. The machine is still considered online and
       might still be tried for another service.

       Further connection attempts are made to machines or services marked
       as offline after a specified period of time; this is currently
       hard-coded to 30 seconds.

       If there are no more machines to try, the back end as a whole
       switches to offline mode, and then attempts to reconnect every 30
       seconds.

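   The following Python model, added here as an illustration rather than
   SSSD's own implementation, applies the failover rules above to a
   constructed topology: a primary list, a backup list, a set of hostnames
   that fail to resolve and a set of (host, service) pairs whose service is
   down stand in for DNS and the network (the ipa1/ipa2/ipa3.example.com
   names are made up). It reproduces the machine-versus-service
   distinction, the 30-second retry of offline entries and the 31-second
   timeout after which a backup server is abandoned in favour of a primary.

```python
RETRY_AFTER = 30      # seconds before an offline machine or service is retried
BACKUP_TIMEOUT = 31   # seconds on a backup server before primaries are retried

def parse_server_list(value):
    """Split 'a, b ,c' into ['a', 'b', 'c']; any spacing around commas is allowed."""
    return [s.strip() for s in value.split(",") if s.strip()]

class Failover:
    # unresolvable: hostnames whose DNS resolution fails; broken: (host, service)
    # pairs whose service refuses connections. Both are constructed stand-ins.
    def __init__(self, primary, backup, unresolvable, broken):
        self.primary = parse_server_list(primary)
        self.backup = parse_server_list(backup)
        self.unresolvable = unresolvable
        self.broken = broken
        self.host_down = {}      # hostname -> time it was marked offline
        self.service_down = {}   # (hostname, service) -> time it was marked offline
        self.backup_since = {}   # service -> time a backup server was selected

    @staticmethod
    def retry_due(table, key, now):
        marked = table.get(key)
        return marked is None or now - marked >= RETRY_AFTER

    def pick(self, service, now):
        """Return (hostname, is_backup); (None, False) means offline mode."""
        since = self.backup_since.get(service)
        if since is not None and now - since < BACKUP_TIMEOUT:
            candidates = [(self.backup, True)]   # stay on the backup for now
        else:
            candidates = [(self.primary, False), (self.backup, True)]
        for servers, is_backup in candidates:
            for host in servers:
                if not self.retry_due(self.host_down, host, now):
                    continue   # machine offline: skipped for every service
                if host in self.unresolvable:
                    self.host_down[host] = now
                    continue
                if not self.retry_due(self.service_down, (host, service), now):
                    continue   # only this service on this machine is offline
                if (host, service) in self.broken:
                    self.service_down[(host, service)] = now
                    continue
                if is_backup:
                    self.backup_since.setdefault(service, now)
                else:
                    self.backup_since.pop(service, None)
                return host, is_backup
        return None, False
```

   With Failover("ipa1.example.com, ipa2.example.com", "ipa3.example.com",
   {"ipa1.example.com"}, {("ipa2.example.com", "ldap")}), pick("ldap", 0)
   selects the backup ipa3 while pick("kerberos", 5) still selects ipa2,
   because only its LDAP service is offline.
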
SERVICE DISCOVERY
   The service discovery feature allows back ends to automatically find
   the appropriate servers to connect to using a special DNS query. This
   feature is not supported for backup servers.

   Configuration
       If no servers are specified, the back end automatically uses
       service discovery to try to find a server. Optionally, the user may
       choose to use both fixed server addresses and service discovery by
       inserting a special keyword, “_srv_”, in the list of servers. The
       order of preference is maintained. This feature is useful if, for
       example, the user prefers to use service discovery whenever
       possible, and fall back to a specific server when no servers can be
       discovered using DNS.

   The domain name
       Please refer to the “dns_discovery_domain” parameter in the
       sssd.conf(5) manual page for more details.

   The protocol
       The queries usually specify _tcp as the protocol. Exceptions are
       documented in the respective option description.

   See Also
       For more information on the service discovery mechanism, refer to
       RFC 2782.

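   As an added illustration (not SSSD's own resolver code), this Python
   snippet expands a server list that mixes fixed hosts with the “_srv_”
   keyword: discovered SRV records are ordered as RFC 2782 describes
   (ascending priority, weighted random selection within one priority), the
   keyword is replaced in place so the configured order of preference is
   kept, and it is rejected in a backup list, where discovery is not
   supported. The fake_discover callback and the records it returns are
   constructed for the example; no DNS query is made.

```python
import random

SRV_KEYWORD = "_srv_"

def parse_server_list(value):
    """Split 'a, b ,c' into ['a', 'b', 'c']; any spacing around commas is allowed."""
    return [s.strip() for s in value.split(",") if s.strip()]

def srv_order(records, rng=random):
    """Order SRV records per RFC 2782: lowest priority first; within one
    priority pick repeatedly at random with probability proportional to weight."""
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        # Zero-weight records go first so they are chosen only when the draw is 0.
        pool = sorted((r for r in records if r["priority"] == prio),
                      key=lambda r: r["weight"] != 0)
        while pool:
            draw = rng.randint(0, sum(r["weight"] for r in pool))
            running = 0
            for rec in pool:
                running += rec["weight"]
                if running >= draw:
                    ordered.append(pool.pop(pool.index(rec)))
                    break
    return ordered

def expand_servers(value, discover, is_backup=False, rng=random):
    """Replace _srv_ in a server list with discovered 'host:port' targets,
    keeping fixed entries in their configured position."""
    expanded = []
    for entry in parse_server_list(value):
        if entry != SRV_KEYWORD:
            expanded.append(entry)
        elif is_backup:
            raise ValueError("_srv_ is not supported in a backup server list")
        else:
            expanded.extend(f"{r['target']}:{r['port']}" for r in srv_order(discover(), rng))
    return expanded

# Constructed answer for a query such as _ldap._tcp.example.com (no real DNS).
def fake_discover():
    return [
        {"target": "ipa1.example.com", "port": 389, "priority": 0, "weight": 100},
        {"target": "ipa2.example.com", "port": 389, "priority": 0, "weight": 50},
        {"target": "ipa3.example.com", "port": 389, "priority": 10, "weight": 0},
    ]
```

   expand_servers("_srv_, fixed.example.com", fake_discover) yields the
   two priority-0 targets in a weighted random order, then ipa3, then the
   fixed host last.
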
EXAMPLE
   The following example assumes that SSSD is correctly configured and
   example.com is one of the domains in the [sssd] section. This example
   shows only the IPA provider-specific options.

       [domain/example.com]
       id_provider = ipa
       ipa_server = ipaserver.example.com
       ipa_hostname = myhost.example.com

SEE ALSO
   sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
   sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sss_cache(8), sss_debuglevel(8),
   sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
   sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
   sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
   sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5).

AUTHORS
   The SSSD upstream - http://fedorahosted.org/sssd

SSSD 01/15/2019 SSSD-IPA(5)