1SSSD-IPA(5) File Formats and Conventions SSSD-IPA(5)
2
6 sssd-ipa - SSSD IPA provider
7
9 This manual page describes the configuration of the IPA provider for
10 sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
11 section of the sssd.conf(5) manual page.
12 The IPA provider is a back end used to connect to an IPA server. (Refer
14 to the freeipa.org web site for information about IPA servers.) This
15 provider requires that the machine be joined to the IPA domain;
16 configuration is almost entirely self-discovered and obtained directly
17 from the server.
18 The IPA provider accepts the same options used by the sssd-ldap(5)
20 identity provider and the sssd-krb5(5) authentication provider with
21 some exceptions described below.
22 However, it is neither necessary nor recommended to set these options.
24 IPA provider can also be used as an access and chpass provider. As an
25 access provider it uses HBAC (host-based access control) rules. Please
26 refer to freeipa.org for more information about HBAC. No configuration
27 of access provider is required on the client side.
28 The IPA provider will use the PAC responder if the Kerberos tickets of
30 users from trusted realms contain a PAC. To make configuration easier
31 the PAC responder is started automatically if the IPA ID provider is
32 configured.
33
35 Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
36 for details on the configuration of an SSSD domain.
37 ipa_domain (string)
39 Specifies the name of the IPA domain. This is optional. If not
40 provided, the configuration domain name is used.
41 ipa_server, ipa_backup_server (string)
43 The comma-separated list of IP addresses or hostnames of the IPA
44 servers to which SSSD should connect in the order of preference.
45 For more information on failover and server redundancy, see the
46 “FAILOVER” section. This is optional if autodiscovery is enabled.
47 For more information on service discovery, refer to the “SERVICE
48 DISCOVERY” section.
49 ipa_hostname (string)
51 Optional. May be set on machines where the hostname(5) does not
52 reflect the fully qualified name used in the IPA domain to identify
53 this host.
54 dyndns_update (boolean)
56 Optional. This option tells SSSD to automatically update the DNS
57 server built into FreeIPA v2 with the IP address of this client.
58 The update is secured using GSS-TSIG. The IP address of the IPA
59 LDAP connection is used for the updates, if it is not otherwise
60 specified by using the “dyndns_iface” option.
61 NOTE: On older systems (such as RHEL 5), for this behavior to work
63 reliably, the default Kerberos realm must be set properly in
64 /etc/krb5.conf
65 NOTE: While it is still possible to use the old ipa_dyndns_update
67 option, users should migrate to using dyndns_update in their config
68 file.
69 Default: false
71 dyndns_ttl (integer)
73 The TTL to apply to the client DNS record when updating it. If
74 dyndns_update is false this has no effect. This will override the
75 TTL serverside if set by an administrator.
76 NOTE: While it is still possible to use the old ipa_dyndns_ttl
78 option, users should migrate to using dyndns_ttl in their config
79 file.
80 Default: 1200 (seconds)
82 dyndns_iface (string)
84 Optional. Applicable only when dyndns_update is true. Choose the
85 interface or a list of interfaces whose IP addresses should be used
86 for dynamic DNS updates. Special value “*” implies that IPs from
87 all interfaces should be used.
88 NOTE: While it is still possible to use the old ipa_dyndns_iface
90 option, users should migrate to using dyndns_iface in their config
91 file.
92 Default: Use the IP addresses of the interface which is used for
94 IPA LDAP connection
95 Example: dyndns_iface = em1, vnet1, vnet2
97 ipa_enable_dns_sites (boolean)
99 Enables DNS sites - location based service discovery.
100 If true and service discovery (see Service Discovery paragraph at
102 the bottom of the man page) is enabled, then the SSSD will first
103 attempt location based discovery using a query that contains
104 "_location.hostname.example.com" and then fall back to traditional
105 SRV discovery. If the location based discovery succeeds, the IPA
106 servers located with the location based discovery are treated as
107 primary servers and the IPA servers located using the traditional
108 SRV discovery are used as back up servers
109 Default: false
111 dyndns_refresh_interval (integer)
113 How often should the back end perform periodic DNS update in
114 addition to the automatic update performed when the back end goes
115 online. This option is optional and applicable only when
116 dyndns_update is true.
117 Default: 0 (disabled)
119 dyndns_update_ptr (bool)
121 Whether the PTR record should also be explicitly updated when
122 updating the client´s DNS records. Applicable only when
123 dyndns_update is true.
124 This option should be False in most IPA deployments as the IPA
126 server generates the PTR records automatically when forward records
127 are changed.
128 Default: False (disabled)
130 dyndns_force_tcp (bool)
132 Whether the nsupdate utility should default to using TCP for
133 communicating with the DNS server.
134 Default: False (let nsupdate choose the protocol)
136 dyndns_server (string)
138 The DNS server to use when performing a DNS update. In most setups,
139 it´s recommended to leave this option unset.
140 Setting this option makes sense for environments where the DNS
142 server is different from the identity server.
143 Please note that this option will be only used in fallback attempt
145 when previous attempt using autodetected settings failed.
146 Default: None (let nsupdate choose the server)
148 ipa_hbac_search_base (string)
150 Optional. Use the given string as search base for HBAC related
151 objects.
152 Default: Use base DN
154 ipa_host_search_base (string)
156 Optional. Use the given string as search base for host objects.
157 See “ldap_search_base” for information about configuring multiple
159 search bases.
160 Default: the value of ldap_search_base
162 ipa_selinux_search_base (string)
164 Optional. Use the given string as search base for SELinux user
165 maps.
166 See “ldap_search_base” for information about configuring multiple
168 search bases.
169 Default: the value of ldap_search_base
171 ipa_subdomains_search_base (string)
173 Optional. Use the given string as search base for trusted domains.
174 See “ldap_search_base” for information about configuring multiple
176 search bases.
177 Default: the value of cn=trusts,%basedn
179 ipa_master_domain_search_base (string)
181 Optional. Use the given string as search base for master domain
182 object.
183 See “ldap_search_base” for information about configuring multiple
185 search bases.
186 Default: the value of cn=ad,cn=etc,%basedn
188 ipa_views_search_base (string)
190 Optional. Use the given string as search base for views containers.
191 See “ldap_search_base” for information about configuring multiple
193 search bases.
194 Default: the value of cn=views,cn=accounts,%basedn
196 krb5_validate (boolean)
198 Verify with the help of krb5_keytab that the TGT obtained has not
199 been spoofed.
200 Default: true
202 Note that this default differs from the traditional Kerberos
204 provider back end.
205 krb5_realm (string)
207 The name of the Kerberos realm. This is optional and defaults to
208 the value of “ipa_domain”.
209 The name of the Kerberos realm has a special meaning in IPA - it is
211 converted into the base DN to use for performing LDAP operations.
212 krb5_canonicalize (boolean)
214 Specifies if the host and user principal should be canonicalized
215 when connecting to IPA LDAP and also for AS requests. This feature
216 is available with MIT Kerberos >= 1.7
217 Default: true
219 krb5_use_fast (string)
221 Enables flexible authentication secure tunneling (FAST) for
222 Kerberos pre-authentication. The following options are supported:
223 never use FAST.
226 try to use FAST. If the server does not support FAST, continue the
229 authentication without it. This is equivalent to not setting this
230 option at all.
231 demand to use FAST. The authentication fails if the server does not
234 require fast.
235 Default: try
237 NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and
239 later. If SSSD is used with an older version of MIT Kerberos, using
240 this option is a configuration error.
241 krb5_confd_path (string)
243 Absolute path of a directory where SSSD should place Kerberos
244 configuration snippets.
245 To disable the creation of the configuration snippets set the
247 parameter to ´none´.
248 Default: not set (krb5.include.d subdirectory of SSSD´s pubconf
250 directory)
251 ipa_hbac_refresh (integer)
253 The amount of time between lookups of the HBAC rules against the
254 IPA server. This will reduce the latency and load on the IPA server
255 if there are many access-control requests made in a short period.
256 Default: 5 (seconds)
258 ipa_hbac_selinux (integer)
260 The amount of time between lookups of the SELinux maps against the
261 IPA server. This will reduce the latency and load on the IPA server
262 if there are many user login requests made in a short period.
263 Default: 5 (seconds)
265 ipa_server_mode (boolean)
267 This option should only be set by the IPA installer.
268 The option denotes that the SSSD is running on IPA server and
270 should perform lookups of users and groups from trusted domains
271 differently.
272 Default: false
274 ipa_automount_location (string)
276 The automounter location this IPA client will be using
277 Default: The location named "default"
279 Please note that the automounter only reads the master map on
281 startup, so if any autofs-related changes are made to the
282 sssd.conf, you typically also need to restart the automounter
283 daemon after restarting the SSSD.
284 VIEWS AND OVERRIDES
286 SSSD can handle views and overrides which are offered by FreeIPA 4.1
287 and later version. Since all paths and objectclasses are fixed on the
288 server side there is basically no need to configure anything. For
289 completeness the related options are listed here with their default
290 values.
291 ipa_view_class (string)
293 Objectclass of the view container.
294 Default: nsContainer
296 ipa_view_name (string)
298 Name of the attribute holding the name of the view.
299 Default: cn
301 ipa_overide_object_class (string)
303 Objectclass of the override objects.
304 Default: ipaOverrideAnchor
306 ipa_anchor_uuid (string)
308 Name of the attribute containing the reference to the original
309 object in a remote domain.
310 Default: ipaAnchorUUID
312 ipa_user_override_object_class (string)
314 Name of the objectclass for user overrides. It is used to determine
315 if the found override object is related to a user or a group.
316 User overrides can contain attributes given by
318 · ldap_user_name
320 · ldap_user_uid_number
322 · ldap_user_gid_number
324 · ldap_user_gecos
326 · ldap_user_home_directory
328 · ldap_user_shell
330 · ldap_user_ssh_public_key
332 Default: ipaUserOverride
334 ipa_group_override_object_class (string)
336 Name of the objectclass for group overrides. It is used to
337 determine if the found override object is related to a user or
338 a group.
339 Group overrides can contain attributes given by
341 · ldap_group_name
343 · ldap_group_gid_number
345 Default: ipaGroupOverride
347
349 The IPA subdomains provider behaves slightly differently if it is
350 configured explicitly or implicitly.
351 If the option ´subdomains_provider = ipa´ is found in the domain
353 section of sssd.conf, the IPA subdomains provider is configured
354 explicitly, and all subdomain requests are sent to the IPA server if
355 necessary.
356 If the option ´subdomains_provider´ is not set in the domain section of
358 sssd.conf but there is the option ´id_provider = ipa´, the IPA
359 subdomains provider is configured implicitly. In this case, if a
360 subdomain request fails and indicates that the server does not support
361 subdomains, i.e. is not configured for trusts, the IPA subdomains
362 provider is disabled. After an hour or after the IPA provider goes
363 online, the subdomains provider is enabled again.
364
366 The failover feature allows back ends to automatically switch to a
367 different server if the current server fails.
368 Failover Syntax
370 The list of servers is given as a comma-separated list; any number of
371 spaces is allowed around the comma. The servers are listed in order of
372 preference. The list can contain any number of servers.
373 For each failover-enabled config option, two variants exist: primary
375 and backup. The idea is that servers in the primary list are preferred
376 and backup servers are only searched if no primary servers can be
377 reached. If a backup server is selected, a timeout of 31 seconds is
378 set. After this timeout SSSD will periodically try to reconnect to one
379 of the primary servers. If it succeeds, it will replace the current
380 active (backup) server.
381 The Failover Mechanism
383 The failover mechanism distinguishes between a machine and a service.
384 The back end first tries to resolve the hostname of a given machine; if
385 this resolution attempt fails, the machine is considered offline. No
386 further attempts are made to connect to this machine for any other
387 service. If the resolution attempt succeeds, the back end tries to
388 connect to a service on this machine. If the service connection attempt
389 fails, then only this particular service is considered offline and the
390 back end automatically switches over to the next service. The machine
391 is still considered online and might still be tried for another
392 service.
393 Further connection attempts are made to machines or services marked as
395 offline after a specified period of time; this is currently hard coded
396 to 30 seconds.
397 If there are no more machines to try, the back end as a whole switches
399 to offline mode, and then attempts to reconnect every 30 seconds.
400
402 The service discovery feature allows back ends to automatically find
403 the appropriate servers to connect to using a special DNS query. This
404 feature is not supported for backup servers.
405 Configuration
407 If no servers are specified, the back end automatically uses service
408 discovery to try to find a server. Optionally, the user may choose to
409 use both fixed server addresses and service discovery by inserting a
410 special keyword, “_srv_”, in the list of servers. The order of
411 preference is maintained. This feature is useful if, for example, the
412 user prefers to use service discovery whenever possible, and fall back
413 to a specific server when no servers can be discovered using DNS.
414 The domain name
416 Please refer to the “dns_discovery_domain” parameter in the
417 sssd.conf(5) manual page for more details.
418 The protocol
420 The queries usually specify _tcp as the protocol. Exceptions are
421 documented in respective option description.
422 See Also
424 For more information on the service discovery mechanism, refer to RFC
425 2782.
426
428 The following example assumes that SSSD is correctly configured and
429 example.com is one of the domains in the [sssd] section. This examples
430 shows only the ipa provider-specific options.
431 [domain/example.com]
433 id_provider = ipa
434 ipa_server = ipaserver.example.com
435 ipa_hostname = myhost.example.com
436
439 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
440 sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sss_cache(8), sss_debuglevel(8),
441 sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
442 sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
443 sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
444 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
445
447 The SSSD upstream - http://fedorahosted.org/sssd
448SSSD 01/15/2019 SSSD-IPA(5)