1SSSD-LDAP(5)             File Formats and Conventions             SSSD-LDAP(5)
2
3
4

NAME

6       sssd-ldap - SSSD LDAP provider
7

DESCRIPTION

9       This manual page describes the configuration of LDAP domains for
10       sssd(8). Refer to the “FILE FORMAT” section of the sssd.conf(5) manual
11       page for detailed syntax information.
12
13       You can configure SSSD to use more than one LDAP domain.
14
15       LDAP back end supports id, auth, access and chpass providers. If you
16       want to authenticate against an LDAP server either TLS/SSL or LDAPS is
17       required.  sssd does not support authentication over an unencrypted
18       channel. If the LDAP server is used only as an identity provider, an
19       encrypted channel is not needed. Please refer to “ldap_access_filter”
20       config option for more information about using LDAP as an access
21       provider.
22

CONFIGURATION OPTIONS

24       All of the common configuration options that apply to SSSD domains also
25       apply to LDAP domains. Refer to the “DOMAIN SECTIONS” section of the
26       sssd.conf(5) manual page for full details.
27
28       ldap_uri, ldap_backup_uri (string)
29           Specifies the comma-separated list of URIs of the LDAP servers to
30           which SSSD should connect in the order of preference. Refer to the
31           “FAILOVER” section for more information on failover and server
32           redundancy. If neither option is specified, service discovery is
33           enabled. For more information, refer to the “SERVICE DISCOVERY”
34           section.
35
36           The format of the URI must match the format defined in RFC 2732:
37
38           ldap[s]://<host>[:port]
39
40           For explicit IPv6 addresses, <host> must be enclosed in brackets []
41
42           example: ldap://[fc00::126:25]:389
43
44       ldap_chpass_uri, ldap_chpass_backup_uri (string)
45           Specifies the comma-separated list of URIs of the LDAP servers to
46           which SSSD should connect in the order of preference to change the
47           password of a user. Refer to the “FAILOVER” section for more
48           information on failover and server redundancy.
49
50           To enable service discovery ldap_chpass_dns_service_name must be
51           set.
52
53           Default: empty, i.e. ldap_uri is used.
54
55       ldap_search_base (string)
56           The default base DN to use for performing LDAP user operations.
57
58           Starting with SSSD 1.7.0, SSSD supports multiple search bases using
59           the syntax:
60
61           search_base[?scope?[filter][?search_base?scope?[filter]]*]
62
63           The scope can be one of "base", "onelevel" or "subtree".
64
65           The filter must be a valid LDAP search filter as specified by
66           http://www.ietf.org/rfc/rfc2254.txt
67
68           Examples:
69
70           ldap_search_base = dc=example,dc=com (which is equivalent to)
71           ldap_search_base = dc=example,dc=com?subtree?
72
73           ldap_search_base =
74           cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree?
75
76           Note: It is unsupported to have multiple search bases which
77           reference identically-named objects (for example, groups with the
78           same name in two different search bases). This will lead to
79           unpredictable behavior on client machines.
80
81           Default: If not set, the value of the defaultNamingContext or
82           namingContexts attribute from the RootDSE of the LDAP server is
83           used. If defaultNamingContext does not exist or has an empty value
84           namingContexts is used. The namingContexts attribute must have a
85           single value with the DN of the search base of the LDAP server to
86           make this work. Multiple values are are not supported.
87
88       ldap_schema (string)
89           Specifies the Schema Type in use on the target LDAP server.
90           Depending on the selected schema, the default attribute names
91           retrieved from the servers may vary. The way that some attributes
92           are handled may also differ.
93
94           Four schema types are currently supported:
95
96           ·   rfc2307
97
98           ·   rfc2307bis
99
100           ·   IPA
101
102           ·   AD
103
104           The main difference between these schema types is how group
105           memberships are recorded in the server. With rfc2307, group members
106           are listed by name in the memberUid attribute. With rfc2307bis and
107           IPA, group members are listed by DN and stored in the member
108           attribute. The AD schema type sets the attributes to correspond
109           with Active Directory 2008r2 values.
110
111           Default: rfc2307
112
113       ldap_default_bind_dn (string)
114           The default bind DN to use for performing LDAP operations.
115
116       ldap_default_authtok_type (string)
117           The type of the authentication token of the default bind DN.
118
119           The two mechanisms currently supported are:
120
121           password
122
123           obfuscated_password
124
125           Default: password
126
127       ldap_default_authtok (string)
128           The authentication token of the default bind DN. Only clear text
129           passwords are currently supported.
130
131       ldap_user_object_class (string)
132           The object class of a user entry in LDAP.
133
134           Default: posixAccount
135
136       ldap_user_name (string)
137           The LDAP attribute that corresponds to the user's login name.
138
139           Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
140
141       ldap_user_uid_number (string)
142           The LDAP attribute that corresponds to the user's id.
143
144           Default: uidNumber
145
146       ldap_user_gid_number (string)
147           The LDAP attribute that corresponds to the user's primary group id.
148
149           Default: gidNumber
150
151       ldap_user_primary_group (string)
152           Active Directory primary group attribute for ID-mapping. Note that
153           this attribute should only be set manually if you are running the
154           “ldap” provider with ID mapping.
155
156           Default: unset (LDAP), primaryGroupID (AD)
157
158       ldap_user_gecos (string)
159           The LDAP attribute that corresponds to the user's gecos field.
160
161           Default: gecos
162
163       ldap_user_home_directory (string)
164           The LDAP attribute that contains the name of the user's home
165           directory.
166
167           Default: homeDirectory
168
169       ldap_user_shell (string)
170           The LDAP attribute that contains the path to the user's default
171           shell.
172
173           Default: loginShell
174
175       ldap_user_uuid (string)
176           The LDAP attribute that contains the UUID/GUID of an LDAP user
177           object.
178
179           Default: not set in the general case, objectGUID for AD and
180           ipaUniqueID for IPA
181
182       ldap_user_objectsid (string)
183           The LDAP attribute that contains the objectSID of an LDAP user
184           object. This is usually only necessary for ActiveDirectory servers.
185
186           Default: objectSid for ActiveDirectory, not set for other servers.
187
188       ldap_user_modify_timestamp (string)
189           The LDAP attribute that contains timestamp of the last modification
190           of the parent object.
191
192           Default: modifyTimestamp
193
194       ldap_user_shadow_last_change (string)
195           When using ldap_pwd_policy=shadow, this parameter contains the name
196           of an LDAP attribute corresponding to its shadow(5) counterpart
197           (date of the last password change).
198
199           Default: shadowLastChange
200
201       ldap_user_shadow_min (string)
202           When using ldap_pwd_policy=shadow, this parameter contains the name
203           of an LDAP attribute corresponding to its shadow(5) counterpart
204           (minimum password age).
205
206           Default: shadowMin
207
208       ldap_user_shadow_max (string)
209           When using ldap_pwd_policy=shadow, this parameter contains the name
210           of an LDAP attribute corresponding to its shadow(5) counterpart
211           (maximum password age).
212
213           Default: shadowMax
214
215       ldap_user_shadow_warning (string)
216           When using ldap_pwd_policy=shadow, this parameter contains the name
217           of an LDAP attribute corresponding to its shadow(5) counterpart
218           (password warning period).
219
220           Default: shadowWarning
221
222       ldap_user_shadow_inactive (string)
223           When using ldap_pwd_policy=shadow, this parameter contains the name
224           of an LDAP attribute corresponding to its shadow(5) counterpart
225           (password inactivity period).
226
227           Default: shadowInactive
228
229       ldap_user_shadow_expire (string)
230           When using ldap_pwd_policy=shadow or
231           ldap_account_expire_policy=shadow, this parameter contains the name
232           of an LDAP attribute corresponding to its shadow(5) counterpart
233           (account expiration date).
234
235           Default: shadowExpire
236
237       ldap_user_krb_last_pwd_change (string)
238           When using ldap_pwd_policy=mit_kerberos, this parameter contains
239           the name of an LDAP attribute storing the date and time of last
240           password change in kerberos.
241
242           Default: krbLastPwdChange
243
244       ldap_user_krb_password_expiration (string)
245           When using ldap_pwd_policy=mit_kerberos, this parameter contains
246           the name of an LDAP attribute storing the date and time when
247           current password expires.
248
249           Default: krbPasswordExpiration
250
251       ldap_user_ad_account_expires (string)
252           When using ldap_account_expire_policy=ad, this parameter contains
253           the name of an LDAP attribute storing the expiration time of the
254           account.
255
256           Default: accountExpires
257
258       ldap_user_ad_user_account_control (string)
259           When using ldap_account_expire_policy=ad, this parameter contains
260           the name of an LDAP attribute storing the user account control bit
261           field.
262
263           Default: userAccountControl
264
265       ldap_ns_account_lock (string)
266           When using ldap_account_expire_policy=rhds or equivalent, this
267           parameter determines if access is allowed or not.
268
269           Default: nsAccountLock
270
271       ldap_user_nds_login_disabled (string)
272           When using ldap_account_expire_policy=nds, this attribute
273           determines if access is allowed or not.
274
275           Default: loginDisabled
276
277       ldap_user_nds_login_expiration_time (string)
278           When using ldap_account_expire_policy=nds, this attribute
279           determines until which date access is granted.
280
281           Default: loginDisabled
282
283       ldap_user_nds_login_allowed_time_map (string)
284           When using ldap_account_expire_policy=nds, this attribute
285           determines the hours of a day in a week when access is granted.
286
287           Default: loginAllowedTimeMap
288
289       ldap_user_principal (string)
290           The LDAP attribute that contains the user's Kerberos User Principal
291           Name (UPN).
292
293           Default: krbPrincipalName
294
295       ldap_user_extra_attrs (string)
296           Comma-separated list of LDAP attributes that SSSD would fetch along
297           with the usual set of user attributes.
298
299           The list can either contain LDAP attribute names only, or
300           colon-separated tuples of SSSD cache attribute name and LDAP
301           attribute name. In case only LDAP attribute name is specified, the
302           attribute is saved to the cache verbatim. Using a custom SSSD
303           attribute name might be required by environments that configure
304           several SSSD domains with different LDAP schemas.
305
306           Please note that several attribute names are reserved by SSSD,
307           notably the “name” attribute. SSSD would report an error if any of
308           the reserved attribute names is used as an extra attribute name.
309
310           Examples:
311
312           ldap_user_extra_attrs = telephoneNumber
313
314           Save the “telephoneNumber” attribute from LDAP as “telephoneNumber”
315           to the cache.
316
317           ldap_user_extra_attrs = phone:telephoneNumber
318
319           Save the “telephoneNumber” attribute from LDAP as “phone” to the
320           cache.
321
322           Default: not set
323
324       ldap_user_ssh_public_key (string)
325           The LDAP attribute that contains the user's SSH public keys.
326
327           Default: sshPublicKey
328
329       ldap_force_upper_case_realm (boolean)
330           Some directory servers, for example Active Directory, might deliver
331           the realm part of the UPN in lower case, which might cause the
332           authentication to fail. Set this option to a non-zero value if you
333           want to use an upper-case realm.
334
335           Default: false
336
337       ldap_enumeration_refresh_timeout (integer)
338           Specifies how many seconds SSSD has to wait before refreshing its
339           cache of enumerated records.
340
341           Default: 300
342
343       ldap_purge_cache_timeout (integer)
344           Determine how often to check the cache for inactive entries (such
345           as groups with no members and users who have never logged in) and
346           remove them to save space.
347
348           Setting this option to zero will disable the cache cleanup
349           operation. Please note that if enumeration is enabled, the cleanup
350           task is required in order to detect entries removed from the server
351           and can't be disabled. By default, the cleanup task will run every
352           3 hours with enumeration enabled.
353
354           Default: 0 (disabled)
355
356       ldap_user_fullname (string)
357           The LDAP attribute that corresponds to the user's full name.
358
359           Default: cn
360
361       ldap_user_member_of (string)
362           The LDAP attribute that lists the user's group memberships.
363
364           Default: memberOf
365
366       ldap_user_authorized_service (string)
367           If access_provider=ldap and ldap_access_order=authorized_service,
368           SSSD will use the presence of the authorizedService attribute in
369           the user's LDAP entry to determine access privilege.
370
371           An explicit deny (!svc) is resolved first. Second, SSSD searches
372           for explicit allow (svc) and finally for allow_all (*).
373
374           Please note that the ldap_access_order configuration option must
375           include “authorized_service” in order for the
376           ldap_user_authorized_service option to work.
377
378           Default: authorizedService
379
380       ldap_user_authorized_host (string)
381           If access_provider=ldap and ldap_access_order=host, SSSD will use
382           the presence of the host attribute in the user's LDAP entry to
383           determine access privilege.
384
385           An explicit deny (!host) is resolved first. Second, SSSD searches
386           for explicit allow (host) and finally for allow_all (*).
387
388           Please note that the ldap_access_order configuration option must
389           include “host” in order for the ldap_user_authorized_host option to
390           work.
391
392           Default: host
393
394       ldap_user_authorized_rhost (string)
395           If access_provider=ldap and ldap_access_order=rhost, SSSD will use
396           the presence of the rhost attribute in the user's LDAP entry to
397           determine access privilege. Similarly to host verification process.
398
399           An explicit deny (!rhost) is resolved first. Second, SSSD searches
400           for explicit allow (rhost) and finally for allow_all (*).
401
402           Please note that the ldap_access_order configuration option must
403           include “rhost” in order for the ldap_user_authorized_rhost option
404           to work.
405
406           Default: rhost
407
408       ldap_user_certificate (string)
409           Name of the LDAP attribute containing the X509 certificate of the
410           user.
411
412           Default: userCertificate;binary
413
414       ldap_user_email (string)
415           Name of the LDAP attribute containing the email address of the
416           user.
417
418           Note: If an email address of a user conflicts with an email address
419           or fully qualified name of another user, then SSSD will not be able
420           to serve those users properly. If for some reason several users
421           need to share the same email address then set this option to a
422           nonexistent attribute name in order to disable user lookup/login by
423           email.
424
425           Default: mail
426
427       ldap_group_object_class (string)
428           The object class of a group entry in LDAP.
429
430           Default: posixGroup
431
432       ldap_group_name (string)
433           The LDAP attribute that corresponds to the group name.
434
435           Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
436
437       ldap_group_gid_number (string)
438           The LDAP attribute that corresponds to the group's id.
439
440           Default: gidNumber
441
442       ldap_group_member (string)
443           The LDAP attribute that contains the names of the group's members.
444
445           Default: memberuid (rfc2307) / member (rfc2307bis)
446
447       ldap_group_uuid (string)
448           The LDAP attribute that contains the UUID/GUID of an LDAP group
449           object.
450
451           Default: not set in the general case, objectGUID for AD and
452           ipaUniqueID for IPA
453
454       ldap_group_objectsid (string)
455           The LDAP attribute that contains the objectSID of an LDAP group
456           object. This is usually only necessary for ActiveDirectory servers.
457
458           Default: objectSid for ActiveDirectory, not set for other servers.
459
460       ldap_group_modify_timestamp (string)
461           The LDAP attribute that contains timestamp of the last modification
462           of the parent object.
463
464           Default: modifyTimestamp
465
466       ldap_group_type (integer)
467           The LDAP attribute that contains an integer value indicating the
468           type of the group and maybe other flags.
469
470           This attribute is currently only used by the AD provider to
471           determine if a group is a domain local groups and has to be
472           filtered out for trusted domains.
473
474           Default: groupType in the AD provider, otherwise not set
475
476       ldap_group_external_member (string)
477           The LDAP attribute that references group members that are defined
478           in an external domain. At the moment, only IPA's external members
479           are supported.
480
481           Default: ipaExternalMember in the IPA provider, otherwise unset.
482
483       ldap_group_nesting_level (integer)
484           If ldap_schema is set to a schema format that supports nested
485           groups (e.g. RFC2307bis), then this option controls how many levels
486           of nesting SSSD will follow. This option has no effect on the
487           RFC2307 schema.
488
489           Note: This option specifies the guaranteed level of nested groups
490           to be processed for any lookup. However, nested groups beyond this
491           limit may be returned if previous lookups already resolved the
492           deeper nesting levels. Also, subsequent lookups for other groups
493           may enlarge the result set for original lookup if re-queried.
494
495           If ldap_group_nesting_level is set to 0 then no nested groups are
496           processed at all. However, when connected to Active-Directory
497           Server 2008 and later using “id_provider=ad” it is furthermore
498           required to disable usage of Token-Groups by setting
499           ldap_use_tokengroups to false in order to restrict group nesting.
500
501           Default: 2
502
503       ldap_use_tokengroups
504           This options enables or disables use of Token-Groups attribute when
505           performing initgroup for users from Active Directory Server 2008
506           and later.
507
508           Default: True for AD and IPA otherwise False.
509
510       ldap_netgroup_object_class (string)
511           The object class of a netgroup entry in LDAP.
512
513           In IPA provider, ipa_netgroup_object_class should be used instead.
514
515           Default: nisNetgroup
516
517       ldap_netgroup_name (string)
518           The LDAP attribute that corresponds to the netgroup name.
519
520           In IPA provider, ipa_netgroup_name should be used instead.
521
522           Default: cn
523
524       ldap_netgroup_member (string)
525           The LDAP attribute that contains the names of the netgroup's
526           members.
527
528           In IPA provider, ipa_netgroup_member should be used instead.
529
530           Default: memberNisNetgroup
531
532       ldap_netgroup_triple (string)
533           The LDAP attribute that contains the (host, user, domain) netgroup
534           triples.
535
536           This option is not available in IPA provider.
537
538           Default: nisNetgroupTriple
539
540       ldap_netgroup_modify_timestamp (string)
541           The LDAP attribute that contains timestamp of the last modification
542           of the parent object.
543
544           This option is not available in IPA provider.
545
546           Default: modifyTimestamp
547
548       ldap_host_object_class (string)
549           The object class of a host entry in LDAP.
550
551           Default: ipService
552
553       ldap_host_name (string)
554           The LDAP attribute that corresponds to the host's name.
555
556           Default: cn
557
558       ldap_host_fqdn (string)
559           The LDAP attribute that corresponds to the host's fully-qualified
560           domain name.
561
562           Default: fqdn
563
564       ldap_host_serverhostname (string)
565           The LDAP attribute that corresponds to the host's name.
566
567           Default: serverHostname
568
569       ldap_host_member_of (string)
570           The LDAP attribute that lists the host's group memberships.
571
572           Default: memberOf
573
574       ldap_host_search_base (string)
575           Optional. Use the given string as search base for host objects.
576
577           See “ldap_search_base” for information about configuring multiple
578           search bases.
579
580           Default: the value of ldap_search_base
581
582       ldap_host_ssh_public_key (string)
583           The LDAP attribute that contains the host's SSH public keys.
584
585           Default: sshPublicKey
586
587       ldap_host_uuid (string)
588           The LDAP attribute that contains the UUID/GUID of an LDAP host
589           object.
590
591           Default: not set
592
593       ldap_service_object_class (string)
594           The object class of a service entry in LDAP.
595
596           Default: ipService
597
598       ldap_service_name (string)
599           The LDAP attribute that contains the name of service attributes and
600           their aliases.
601
602           Default: cn
603
604       ldap_service_port (string)
605           The LDAP attribute that contains the port managed by this service.
606
607           Default: ipServicePort
608
609       ldap_service_proto (string)
610           The LDAP attribute that contains the protocols understood by this
611           service.
612
613           Default: ipServiceProtocol
614
615       ldap_service_search_base (string)
616           An optional base DN, search scope and LDAP filter to restrict LDAP
617           searches for this attribute type.
618
619           syntax:
620
621               search_base[?scope?[filter][?search_base?scope?[filter]]*]
622
623           The scope can be one of "base", "onelevel" or "subtree". The scope
624           functions as specified in section 4.5.1.2 of
625           http://tools.ietf.org/html/rfc4511
626
627           The filter must be a valid LDAP search filter as specified by
628           http://www.ietf.org/rfc/rfc2254.txt
629
630           For examples of this syntax, please refer to the “ldap_search_base”
631           examples section.
632
633           Default: the value of ldap_search_base
634
635           Please note that specifying scope or filter is not supported for
636           searches against an Active Directory Server that might yield a
637           large number of results and trigger the Range Retrieval extension
638           in the response.
639
640       ldap_search_timeout (integer)
641           Specifies the timeout (in seconds) that ldap searches are allowed
642           to run before they are cancelled and cached results are returned
643           (and offline mode is entered)
644
645           Note: this option is subject to change in future versions of the
646           SSSD. It will likely be replaced at some point by a series of
647           timeouts for specific lookup types.
648
649           Default: 6
650
651       ldap_enumeration_search_timeout (integer)
652           Specifies the timeout (in seconds) that ldap searches for user and
653           group enumerations are allowed to run before they are cancelled and
654           cached results are returned (and offline mode is entered)
655
656           Default: 60
657
658       ldap_network_timeout (integer)
659           Specifies the timeout (in seconds) after which the
660           poll(2)/select(2) following a connect(2) returns in case of no
661           activity.
662
663           Default: 6
664
665       ldap_opt_timeout (integer)
666           Specifies a timeout (in seconds) after which calls to synchronous
667           LDAP APIs will abort if no response is received. Also controls the
668           timeout when communicating with the KDC in case of SASL bind, the
669           timeout of an LDAP bind operation, password change extended
670           operation and the StartTLS operation.
671
672           Default: 6
673
674       ldap_connection_expire_timeout (integer)
675           Specifies a timeout (in seconds) that a connection to an LDAP
676           server will be maintained. After this time, the connection will be
677           re-established. If used in parallel with SASL/GSSAPI, the sooner of
678           the two values (this value vs. the TGT lifetime) will be used.
679
680           Default: 900 (15 minutes)
681
682       ldap_page_size (integer)
683           Specify the number of records to retrieve from LDAP in a single
684           request. Some LDAP servers enforce a maximum limit per-request.
685
686           Default: 1000
687
688       ldap_disable_paging (boolean)
689           Disable the LDAP paging control. This option should be used if the
690           LDAP server reports that it supports the LDAP paging control in its
691           RootDSE but it is not enabled or does not behave properly.
692
693           Example: OpenLDAP servers with the paging control module installed
694           on the server but not enabled will report it in the RootDSE but be
695           unable to use it.
696
697           Example: 389 DS has a bug where it can only support a one paging
698           control at a time on a single connection. On busy clients, this can
699           result in some requests being denied.
700
701           Default: False
702
703       ldap_disable_range_retrieval (boolean)
704           Disable Active Directory range retrieval.
705
706           Active Directory limits the number of members to be retrieved in a
707           single lookup using the MaxValRange policy (which defaults to 1500
708           members). If a group contains more members, the reply would include
709           an AD-specific range extension. This option disables parsing of the
710           range extension, therefore large groups will appear as having no
711           members.
712
713           Default: False
714
715       ldap_sasl_minssf (integer)
716           When communicating with an LDAP server using SASL, specify the
717           minimum security level necessary to establish the connection. The
718           values of this option are defined by OpenLDAP.
719
720           Default: Use the system default (usually specified by ldap.conf)
721
722       ldap_deref_threshold (integer)
723           Specify the number of group members that must be missing from the
724           internal cache in order to trigger a dereference lookup. If less
725           members are missing, they are looked up individually.
726
727           You can turn off dereference lookups completely by setting the
728           value to 0.
729
730           A dereference lookup is a means of fetching all group members in a
731           single LDAP call. Different LDAP servers may implement different
732           dereference methods. The currently supported servers are 389/RHDS,
733           OpenLDAP and Active Directory.
734
735           Note: If any of the search bases specifies a search filter, then
736           the dereference lookup performance enhancement will be disabled
737           regardless of this setting.
738
739           Default: 10
740
741       ldap_tls_reqcert (string)
742           Specifies what checks to perform on server certificates in a TLS
743           session, if any. It can be specified as one of the following
744           values:
745
746           never = The client will not request or check any server
747           certificate.
748
749           allow = The server certificate is requested. If no certificate is
750           provided, the session proceeds normally. If a bad certificate is
751           provided, it will be ignored and the session proceeds normally.
752
753           try = The server certificate is requested. If no certificate is
754           provided, the session proceeds normally. If a bad certificate is
755           provided, the session is immediately terminated.
756
757           demand = The server certificate is requested. If no certificate is
758           provided, or a bad certificate is provided, the session is
759           immediately terminated.
760
761           hard = Same as “demand”
762
763           Default: hard
764
765       ldap_tls_cacert (string)
766           Specifies the file that contains certificates for all of the
767           Certificate Authorities that sssd will recognize.
768
769           Default: use OpenLDAP defaults, typically in
770           /etc/openldap/ldap.conf
771
772       ldap_tls_cacertdir (string)
773           Specifies the path of a directory that contains Certificate
774           Authority certificates in separate individual files. Typically the
775           file names need to be the hash of the certificate followed by '.0'.
776           If available, cacertdir_rehash can be used to create the correct
777           names.
778
779           Default: use OpenLDAP defaults, typically in
780           /etc/openldap/ldap.conf
781
782       ldap_tls_cert (string)
783           Specifies the file that contains the certificate for the client's
784           key.
785
786           Default: not set
787
788       ldap_tls_key (string)
789           Specifies the file that contains the client's key.
790
791           Default: not set
792
793       ldap_tls_cipher_suite (string)
794           Specifies acceptable cipher suites. Typically this is a colon
795           separated list. See ldap.conf(5) for format.
796
797           Default: use OpenLDAP defaults, typically in
798           /etc/openldap/ldap.conf
799
800       ldap_id_use_start_tls (boolean)
801           Specifies that the id_provider connection must also use tls to
802           protect the channel.
803
804           Default: false
805
806       ldap_id_mapping (boolean)
807           Specifies that SSSD should attempt to map user and group IDs from
808           the ldap_user_objectsid and ldap_group_objectsid attributes instead
809           of relying on ldap_user_uid_number and ldap_group_gid_number.
810
811           Currently this feature supports only ActiveDirectory objectSID
812           mapping.
813
814           Default: false
815
816       ldap_min_id, ldap_max_id (integer)
817           In contrast to the SID based ID mapping which is used if
818           ldap_id_mapping is set to true the allowed ID range for
819           ldap_user_uid_number and ldap_group_gid_number is unbound. In a
820           setup with sub/trusted-domains this might lead to ID collisions. To
821           avoid collisions ldap_min_id and ldap_max_id can be set to restrict
822           the allowed range for the IDs which are read directly from the
823           server. Sub-domains can then pick other ranges to map IDs.
824
825           Default: not set (both options are set to 0)
826
827       ldap_sasl_mech (string)
828           Specify the SASL mechanism to use. Currently only GSSAPI is tested
829           and supported.
830
831           Default: not set
832
833       ldap_sasl_authid (string)
834           Specify the SASL authorization id to use. When GSSAPI is used, this
835           represents the Kerberos principal used for authentication to the
836           directory. This option can either contain the full principal (for
837           example host/myhost@EXAMPLE.COM) or just the principal name (for
838           example host/myhost). By default, the value is not set and the
839           following principals are used:
840
841               hostname@REALM
842               netbiosname$@REALM
843               host/hostname@REALM
844               *$@REALM
845               host/*@REALM
846               host/*
847
848
849           If none of them are found, the first principal in keytab is
850           returned.
851
852           Default: host/hostname@REALM
853
854       ldap_sasl_realm (string)
855           Specify the SASL realm to use. When not specified, this option
856           defaults to the value of krb5_realm. If the ldap_sasl_authid
857           contains the realm as well, this option is ignored.
858
859           Default: the value of krb5_realm.
860
861       ldap_sasl_canonicalize (boolean)
862           If set to true, the LDAP library would perform a reverse lookup to
863           canonicalize the host name during a SASL bind.
864
865           Default: false;
866
867       ldap_krb5_keytab (string)
868           Specify the keytab to use when using SASL/GSSAPI.
869
870           Default: System keytab, normally /etc/krb5.keytab
871
872       ldap_krb5_init_creds (boolean)
873           Specifies that the id_provider should init Kerberos credentials
874           (TGT). This action is performed only if SASL is used and the
875           mechanism selected is GSSAPI.
876
877           Default: true
878
879       ldap_krb5_ticket_lifetime (integer)
880           Specifies the lifetime in seconds of the TGT if GSSAPI is used.
881
882           Default: 86400 (24 hours)
883
884       krb5_server, krb5_backup_server (string)
885           Specifies the comma-separated list of IP addresses or hostnames of
886           the Kerberos servers to which SSSD should connect in the order of
887           preference. For more information on failover and server redundancy,
888           see the “FAILOVER” section. An optional port number (preceded by a
889           colon) may be appended to the addresses or hostnames. If empty,
890           service discovery is enabled - for more information, refer to the
891           “SERVICE DISCOVERY” section.
892
893           When using service discovery for KDC or kpasswd servers, SSSD first
894           searches for DNS entries that specify _udp as the protocol and
895           falls back to _tcp if none are found.
896
897           This option was named “krb5_kdcip” in earlier releases of SSSD.
898           While the legacy name is recognized for the time being, users are
899           advised to migrate their config files to use “krb5_server” instead.
900
901       krb5_realm (string)
902           Specify the Kerberos REALM (for SASL/GSSAPI auth).
903
904           Default: System defaults, see /etc/krb5.conf
905
906       krb5_canonicalize (boolean)
907           Specifies if the host principal should be canonicalized when
908           connecting to LDAP server. This feature is available with MIT
909           Kerberos >= 1.7
910
911           Default: false
912
913       krb5_use_kdcinfo (boolean)
914           Specifies if the SSSD should instruct the Kerberos libraries what
915           realm and which KDCs to use. This option is on by default, if you
916           disable it, you need to configure the Kerberos library using the
917           krb5.conf(5) configuration file.
918
919           See the sssd_krb5_locator_plugin(8) manual page for more
920           information on the locator plugin.
921
922           Default: true
923
924       ldap_pwd_policy (string)
925           Select the policy to evaluate the password expiration on the client
926           side. The following values are allowed:
927
928           none - No evaluation on the client side. This option cannot disable
929           server-side password policies.
930
931           shadow - Use shadow(5) style attributes to evaluate if the password
932           has expired.
933
934           mit_kerberos - Use the attributes used by MIT Kerberos to determine
935           if the password has expired. Use chpass_provider=krb5 to update
936           these attributes when the password is changed.
937
938           Default: none
939
940           Note: if a password policy is configured on server side, it always
941           takes precedence over policy set with this option.
942
943       ldap_referrals (boolean)
944           Specifies whether automatic referral chasing should be enabled.
945
946           Please note that sssd only supports referral chasing when it is
947           compiled with OpenLDAP version 2.4.13 or higher.
948
949           Chasing referrals may incur a performance penalty in environments
950           that use them heavily, a notable example is Microsoft Active
951           Directory. If your setup does not in fact require the use of
952           referrals, setting this option to false might bring a noticeable
953           performance improvement.
954
955           Default: true
956
957       ldap_dns_service_name (string)
958           Specifies the service name to use when service discovery is
959           enabled.
960
961           Default: ldap
962
963       ldap_chpass_dns_service_name (string)
964           Specifies the service name to use to find an LDAP server which
965           allows password changes when service discovery is enabled.
966
967           Default: not set, i.e. service discovery is disabled
968
969       ldap_chpass_update_last_change (bool)
970           Specifies whether to update the ldap_user_shadow_last_change
971           attribute with days since the Epoch after a password change
972           operation.
973
974           Default: False
975
976       ldap_access_filter (string)
977           If using access_provider = ldap and ldap_access_order = filter
978           (default), this option is mandatory. It specifies an LDAP search
979           filter criteria that must be met for the user to be granted access
980           on this host. If access_provider = ldap, ldap_access_order = filter
981           and this option is not set, it will result in all users being
982           denied access. Use access_provider = permit to change this default
983           behavior. Please note that this filter is applied on the LDAP user
984           entry only and thus filtering based on nested groups may not work
985           (e.g. memberOf attribute on AD entries points only to direct
986           parents). If filtering based on nested groups is required, please
987           see sssd-simple(5).
988
989           Example:
990
991               access_provider = ldap
992               ldap_access_filter = (employeeType=admin)
993
994
995           This example means that access to this host is restricted to users
996           whose employeeType attribute is set to "admin".
997
998           Offline caching for this feature is limited to determining whether
999           the user's last online login was granted access permission. If they
1000           were granted access during their last login, they will continue to
1001           be granted access while offline and vice versa.
1002
1003           Default: Empty
1004
1005       ldap_account_expire_policy (string)
1006           With this option a client side evaluation of access control
1007           attributes can be enabled.
1008
1009           Please note that it is always recommended to use server side access
1010           control, i.e. the LDAP server should deny the bind request with a
1011           suitable error code even if the password is correct.
1012
1013           The following values are allowed:
1014
1015           shadow: use the value of ldap_user_shadow_expire to determine if
1016           the account is expired.
1017
1018           ad: use the value of the 32bit field
1019           ldap_user_ad_user_account_control and allow access if the second
1020           bit is not set. If the attribute is missing access is granted. Also
1021           the expiration time of the account is checked.
1022
1023           rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if
1024           access is allowed or not.
1025
1026           nds: the values of ldap_user_nds_login_allowed_time_map,
1027           ldap_user_nds_login_disabled and
1028           ldap_user_nds_login_expiration_time are used to check if access is
1029           allowed. If both attributes are missing access is granted.
1030            This is an experimental feature, please use
1031           https://pagure.io/SSSD/sssd/ to report any issues.
1032
1033           Please note that the ldap_access_order configuration option must
1034           include “expire” in order for the ldap_account_expire_policy option
1035           to work.
1036
1037           Default: Empty
1038
1039       ldap_access_order (string)
1040           Comma separated list of access control options. Allowed values are:
1041
1042           filter: use ldap_access_filter
1043
1044           lockout: use account locking. If set, this option denies access in
1045           case that ldap attribute 'pwdAccountLockedTime' is present and has
1046           value of '000001010000Z'. Please see the option ldap_pwdlockout_dn.
1047           Please note that 'access_provider = ldap' must be set for this
1048           feature to work.
1049
1050            Please note that this option is superseded by the “ppolicy” option
1051           and might be removed in a future release.
1052
1053           ppolicy: use account locking. If set, this option denies access in
1054           case that ldap attribute 'pwdAccountLockedTime' is present and has
1055           value of '000001010000Z' or represents any time in the past. The
1056           value of the 'pwdAccountLockedTime' attribute must end with 'Z',
1057           which denotes the UTC time zone. Other time zones are not currently
1058           supported and will result in "access-denied" when users attempt to
1059           log in. Please see the option ldap_pwdlockout_dn. Please note that
1060           'access_provider = ldap' must be set for this feature to work.
1061
1062           expire: use ldap_account_expire_policy
1063
1064           pwd_expire_policy_reject, pwd_expire_policy_warn,
1065           pwd_expire_policy_renew: These options are useful if users are
1066           interested in being warned that password is about to expire and
1067           authentication is based on using a different method than passwords
1068           - for example SSH keys.
1069
1070           The difference between these options is the action taken if user
1071           password is expired: pwd_expire_policy_reject - user is denied to
1072           log in, pwd_expire_policy_warn - user is still able to log in,
1073           pwd_expire_policy_renew - user is prompted to change his password
1074           immediately.
1075
1076           Note If user password is expired no explicit message is prompted by
1077           SSSD.
1078
1079           Please note that 'access_provider = ldap' must be set for this
1080           feature to work. Also 'ldap_pwd_policy' must be set to an
1081           appropriate password policy.
1082
1083           authorized_service: use the authorizedService attribute to
1084           determine access
1085
1086           host: use the host attribute to determine access
1087
1088           rhost: use the rhost attribute to determine whether remote host can
1089           access
1090
1091           Please note, rhost field in pam is set by application, it is better
1092           to check what the application sends to pam, before enabling this
1093           access control option
1094
1095           Default: filter
1096
1097           Please note that it is a configuration error if a value is used
1098           more than once.
1099
1100       ldap_pwdlockout_dn (string)
1101           This option specifies the DN of password policy entry on LDAP
1102           server. Please note that absence of this option in sssd.conf in
1103           case of enabled account lockout checking will yield access denied
1104           as ppolicy attributes on LDAP server cannot be checked properly.
1105
1106           Example: cn=ppolicy,ou=policies,dc=example,dc=com
1107
1108           Default: cn=ppolicy,ou=policies,$ldap_search_base
1109
1110       ldap_deref (string)
1111           Specifies how alias dereferencing is done when performing a search.
1112           The following options are allowed:
1113
1114           never: Aliases are never dereferenced.
1115
1116           searching: Aliases are dereferenced in subordinates of the base
1117           object, but not in locating the base object of the search.
1118
1119           finding: Aliases are only dereferenced when locating the base
1120           object of the search.
1121
1122           always: Aliases are dereferenced both in searching and in locating
1123           the base object of the search.
1124
1125           Default: Empty (this is handled as never by the LDAP client
1126           libraries)
1127
1128       ldap_rfc2307_fallback_to_local_users (boolean)
1129           Allows to retain local users as members of an LDAP group for
1130           servers that use the RFC2307 schema.
1131
1132           In some environments where the RFC2307 schema is used, local users
1133           are made members of LDAP groups by adding their names to the
1134           memberUid attribute. The self-consistency of the domain is
1135           compromised when this is done, so SSSD would normally remove the
1136           "missing" users from the cached group memberships as soon as
1137           nsswitch tries to fetch information about the user via getpw*() or
1138           initgroups() calls.
1139
1140           This option falls back to checking if local users are referenced,
1141           and caches them so that later initgroups() calls will augment the
1142           local users with the additional LDAP groups.
1143
1144           Default: false
1145
1146       wildcard_limit (integer)
1147           Specifies an upper limit on the number of entries that are
1148           downloaded during a wildcard lookup.
1149
1150           At the moment, only the InfoPipe responder supports wildcard
1151           lookups.
1152
1153           Default: 1000 (often the size of one page)
1154

SUDO OPTIONS

1156       The detailed instructions for configuration of sudo_provider are in the
1157       manual page sssd-sudo(5).
1158
1159       ldap_sudorule_object_class (string)
1160           The object class of a sudo rule entry in LDAP.
1161
1162           Default: sudoRole
1163
1164       ldap_sudorule_name (string)
1165           The LDAP attribute that corresponds to the sudo rule name.
1166
1167           Default: cn
1168
1169       ldap_sudorule_command (string)
1170           The LDAP attribute that corresponds to the command name.
1171
1172           Default: sudoCommand
1173
1174       ldap_sudorule_host (string)
1175           The LDAP attribute that corresponds to the host name (or host IP
1176           address, host IP network, or host netgroup)
1177
1178           Default: sudoHost
1179
1180       ldap_sudorule_user (string)
1181           The LDAP attribute that corresponds to the user name (or UID, group
1182           name or user's netgroup)
1183
1184           Default: sudoUser
1185
1186       ldap_sudorule_option (string)
1187           The LDAP attribute that corresponds to the sudo options.
1188
1189           Default: sudoOption
1190
1191       ldap_sudorule_runasuser (string)
1192           The LDAP attribute that corresponds to the user name that commands
1193           may be run as.
1194
1195           Default: sudoRunAsUser
1196
1197       ldap_sudorule_runasgroup (string)
1198           The LDAP attribute that corresponds to the group name or group GID
1199           that commands may be run as.
1200
1201           Default: sudoRunAsGroup
1202
1203       ldap_sudorule_notbefore (string)
1204           The LDAP attribute that corresponds to the start date/time for when
1205           the sudo rule is valid.
1206
1207           Default: sudoNotBefore
1208
1209       ldap_sudorule_notafter (string)
1210           The LDAP attribute that corresponds to the expiration date/time,
1211           after which the sudo rule will no longer be valid.
1212
1213           Default: sudoNotAfter
1214
1215       ldap_sudorule_order (string)
1216           The LDAP attribute that corresponds to the ordering index of the
1217           rule.
1218
1219           Default: sudoOrder
1220
1221       ldap_sudo_full_refresh_interval (integer)
1222           How many seconds SSSD will wait between executing a full refresh of
1223           sudo rules (which downloads all rules that are stored on the
1224           server).
1225
1226           The value must be greater than ldap_sudo_smart_refresh_interval
1227
1228           Default: 21600 (6 hours)
1229
1230       ldap_sudo_smart_refresh_interval (integer)
1231           How many seconds SSSD has to wait before executing a smart refresh
1232           of sudo rules (which downloads all rules that have USN higher than
1233           the highest USN of cached rules).
1234
1235           If USN attributes are not supported by the server, the
1236           modifyTimestamp attribute is used instead.
1237
1238           Default: 900 (15 minutes)
1239
1240       ldap_sudo_use_host_filter (boolean)
1241           If true, SSSD will download only rules that are applicable to this
1242           machine (using the IPv4 or IPv6 host/network addresses and
1243           hostnames).
1244
1245           Default: true
1246
1247       ldap_sudo_hostnames (string)
1248           Space separated list of hostnames or fully qualified domain names
1249           that should be used to filter the rules.
1250
1251           If this option is empty, SSSD will try to discover the hostname and
1252           the fully qualified domain name automatically.
1253
1254           If ldap_sudo_use_host_filter is false then this option has no
1255           effect.
1256
1257           Default: not specified
1258
1259       ldap_sudo_ip (string)
1260           Space separated list of IPv4 or IPv6 host/network addresses that
1261           should be used to filter the rules.
1262
1263           If this option is empty, SSSD will try to discover the addresses
1264           automatically.
1265
1266           If ldap_sudo_use_host_filter is false then this option has no
1267           effect.
1268
1269           Default: not specified
1270
1271       ldap_sudo_include_netgroups (boolean)
1272           If true then SSSD will download every rule that contains a netgroup
1273           in sudoHost attribute.
1274
1275           If ldap_sudo_use_host_filter is false then this option has no
1276           effect.
1277
1278           Default: true
1279
1280       ldap_sudo_include_regexp (boolean)
1281           If true then SSSD will download every rule that contains a wildcard
1282           in sudoHost attribute.
1283
1284           If ldap_sudo_use_host_filter is false then this option has no
1285           effect.
1286
1287               Note
1288               Using wildcard is an operation that is very costly to evaluate
1289               on the LDAP server side!
1290           Default: false
1291
1292       This manual page only describes attribute name mapping. For detailed
1293       explanation of sudo related attribute semantics, see sudoers.ldap(5)
1294

AUTOFS OPTIONS

1296       Some of the defaults for the parameters below are dependent on the LDAP
1297       schema.
1298
1299       ldap_autofs_map_master_name (string)
1300           The name of the automount master map in LDAP.
1301
1302           Default: auto.master
1303
1304       ldap_autofs_map_object_class (string)
1305           The object class of an automount map entry in LDAP.
1306
1307           Default: nisMap (rfc2307, autofs_provider=ad), otherwise
1308           automountMap
1309
1310       ldap_autofs_map_name (string)
1311           The name of an automount map entry in LDAP.
1312
1313           Default: nisMapName (rfc2307, autofs_provider=ad), otherwise
1314           automountMapName
1315
1316       ldap_autofs_entry_object_class (string)
1317           The object class of an automount entry in LDAP. The entry usually
1318           corresponds to a mount point.
1319
1320           Default: nisObject (rfc2307, autofs_provider=ad), otherwise
1321           automount
1322
1323       ldap_autofs_entry_key (string)
1324           The key of an automount entry in LDAP. The entry usually
1325           corresponds to a mount point.
1326
1327           Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey
1328
1329       ldap_autofs_entry_value (string)
1330           The key of an automount entry in LDAP. The entry usually
1331           corresponds to a mount point.
1332
1333           Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise
1334           automountInformation
1335
1336       Please note that the automounter only reads the master map on startup,
1337       so if any autofs-related changes are made to the sssd.conf, you
1338       typically also need to restart the automounter daemon after restarting
1339       the SSSD.
1340

ADVANCED OPTIONS

1342       These options are supported by LDAP domains, but they should be used
1343       with caution. Please include them in your configuration only if you
1344       know what you are doing.
1345
1346       ldap_netgroup_search_base (string)
1347           An optional base DN, search scope and LDAP filter to restrict LDAP
1348           searches for this attribute type.
1349
1350           syntax:
1351
1352               search_base[?scope?[filter][?search_base?scope?[filter]]*]
1353
1354           The scope can be one of "base", "onelevel" or "subtree". The scope
1355           functions as specified in section 4.5.1.2 of
1356           http://tools.ietf.org/html/rfc4511
1357
1358           The filter must be a valid LDAP search filter as specified by
1359           http://www.ietf.org/rfc/rfc2254.txt
1360
1361           For examples of this syntax, please refer to the “ldap_search_base”
1362           examples section.
1363
1364           Default: the value of ldap_search_base
1365
1366           Please note that specifying scope or filter is not supported for
1367           searches against an Active Directory Server that might yield a
1368           large number of results and trigger the Range Retrieval extension
1369           in the response.
1370
1371       ldap_user_search_base (string)
1372           An optional base DN, search scope and LDAP filter to restrict LDAP
1373           searches for this attribute type.
1374
1375           syntax:
1376
1377               search_base[?scope?[filter][?search_base?scope?[filter]]*]
1378
1379           The scope can be one of "base", "onelevel" or "subtree". The scope
1380           functions as specified in section 4.5.1.2 of
1381           http://tools.ietf.org/html/rfc4511
1382
1383           The filter must be a valid LDAP search filter as specified by
1384           http://www.ietf.org/rfc/rfc2254.txt
1385
1386           For examples of this syntax, please refer to the “ldap_search_base”
1387           examples section.
1388
1389           Default: the value of ldap_search_base
1390
1391           Please note that specifying scope or filter is not supported for
1392           searches against an Active Directory Server that might yield a
1393           large number of results and trigger the Range Retrieval extension
1394           in the response.
1395
1396       ldap_group_search_base (string)
1397           An optional base DN, search scope and LDAP filter to restrict LDAP
1398           searches for this attribute type.
1399
1400           syntax:
1401
1402               search_base[?scope?[filter][?search_base?scope?[filter]]*]
1403
1404           The scope can be one of "base", "onelevel" or "subtree". The scope
1405           functions as specified in section 4.5.1.2 of
1406           http://tools.ietf.org/html/rfc4511
1407
1408           The filter must be a valid LDAP search filter as specified by
1409           http://www.ietf.org/rfc/rfc2254.txt
1410
1411           For examples of this syntax, please refer to the “ldap_search_base”
1412           examples section.
1413
1414           Default: the value of ldap_search_base
1415
1416           Please note that specifying scope or filter is not supported for
1417           searches against an Active Directory Server that might yield a
1418           large number of results and trigger the Range Retrieval extension
1419           in the response.
1420
1421           Note
1422           If the option “ldap_use_tokengroups” is enabled, the searches
1423           against Active Directory will not be restricted and return all
1424           groups memberships, even with no GID mapping. It is recommended to
1425           disable this feature, if group names are not being displayed
1426           correctly.
1427
1428       ldap_sudo_search_base (string)
1429           An optional base DN, search scope and LDAP filter to restrict LDAP
1430           searches for this attribute type.
1431
1432           syntax:
1433
1434               search_base[?scope?[filter][?search_base?scope?[filter]]*]
1435
1436           The scope can be one of "base", "onelevel" or "subtree". The scope
1437           functions as specified in section 4.5.1.2 of
1438           http://tools.ietf.org/html/rfc4511
1439
1440           The filter must be a valid LDAP search filter as specified by
1441           http://www.ietf.org/rfc/rfc2254.txt
1442
1443           For examples of this syntax, please refer to the “ldap_search_base”
1444           examples section.
1445
1446           Default: the value of ldap_search_base
1447
1448           Please note that specifying scope or filter is not supported for
1449           searches against an Active Directory Server that might yield a
1450           large number of results and trigger the Range Retrieval extension
1451           in the response.
1452
1453       ldap_autofs_search_base (string)
1454           An optional base DN, search scope and LDAP filter to restrict LDAP
1455           searches for this attribute type.
1456
1457           syntax:
1458
1459               search_base[?scope?[filter][?search_base?scope?[filter]]*]
1460
1461           The scope can be one of "base", "onelevel" or "subtree". The scope
1462           functions as specified in section 4.5.1.2 of
1463           http://tools.ietf.org/html/rfc4511
1464
1465           The filter must be a valid LDAP search filter as specified by
1466           http://www.ietf.org/rfc/rfc2254.txt
1467
1468           For examples of this syntax, please refer to the “ldap_search_base”
1469           examples section.
1470
1471           Default: the value of ldap_search_base
1472
1473           Please note that specifying scope or filter is not supported for
1474           searches against an Active Directory Server that might yield a
1475           large number of results and trigger the Range Retrieval extension
1476           in the response.
1477

FAILOVER

1479       The failover feature allows back ends to automatically switch to a
1480       different server if the current server fails.
1481
1482   Failover Syntax
1483       The list of servers is given as a comma-separated list; any number of
1484       spaces is allowed around the comma. The servers are listed in order of
1485       preference. The list can contain any number of servers.
1486
1487       For each failover-enabled config option, two variants exist: primary
1488       and backup. The idea is that servers in the primary list are preferred
1489       and backup servers are only searched if no primary servers can be
1490       reached. If a backup server is selected, a timeout of 31 seconds is
1491       set. After this timeout SSSD will periodically try to reconnect to one
1492       of the primary servers. If it succeeds, it will replace the current
1493       active (backup) server.
1494
1495   The Failover Mechanism
1496       The failover mechanism distinguishes between a machine and a service.
1497       The back end first tries to resolve the hostname of a given machine; if
1498       this resolution attempt fails, the machine is considered offline. No
1499       further attempts are made to connect to this machine for any other
1500       service. If the resolution attempt succeeds, the back end tries to
1501       connect to a service on this machine. If the service connection attempt
1502       fails, then only this particular service is considered offline and the
1503       back end automatically switches over to the next service. The machine
1504       is still considered online and might still be tried for another
1505       service.
1506
1507       Further connection attempts are made to machines or services marked as
1508       offline after a specified period of time; this is currently hard coded
1509       to 30 seconds.
1510
1511       If there are no more machines to try, the back end as a whole switches
1512       to offline mode, and then attempts to reconnect every 30 seconds.
1513
1514   Failover time outs and tuning
1515       Resolving a server to connect to can be as simple as running a single
1516       DNS query or can involve several steps, such as finding the correct
1517       site or trying out multiple host names in case some of the configured
1518       servers are not reachable. The more complex scenarios can take some
1519       time and SSSD needs to balance between providing enough time to finish
1520       the resolution process but on the other hand, not trying for too long
1521       before falling back to offline mode. If the SSSD debug logs show that
1522       the server resolution is timing out before a live server is contacted,
1523       you can consider changing the time outs.
1524
1525       This section lists the available tunables. Please refer to their
1526       description in the sssd.conf(5), manual page.
1527
1528       dns_resolver_op_timeout
1529           How long would SSSD talk to a single DNS server.
1530
1531       dns_resolver_timeout
1532           How long would SSSD try to resolve a failover service. This service
1533           resolution internally might include several steps, such as
1534           resolving DNS SRV queries or locating the site.
1535
1536       For LDAP-based providers, the resolve operation is performed as part of
1537       an LDAP connection operation. Therefore, also the “ldap_opt_timeout>”
1538       timeout should be set to a larger value than “dns_resolver_timeout”
1539       which in turn should be set to a larger value than
1540       “dns_resolver_op_timeout”.
1541

SERVICE DISCOVERY

1543       The service discovery feature allows back ends to automatically find
1544       the appropriate servers to connect to using a special DNS query. This
1545       feature is not supported for backup servers.
1546
1547   Configuration
1548       If no servers are specified, the back end automatically uses service
1549       discovery to try to find a server. Optionally, the user may choose to
1550       use both fixed server addresses and service discovery by inserting a
1551       special keyword, “_srv_”, in the list of servers. The order of
1552       preference is maintained. This feature is useful if, for example, the
1553       user prefers to use service discovery whenever possible, and fall back
1554       to a specific server when no servers can be discovered using DNS.
1555
1556   The domain name
1557       Please refer to the “dns_discovery_domain” parameter in the
1558       sssd.conf(5) manual page for more details.
1559
1560   The protocol
1561       The queries usually specify _tcp as the protocol. Exceptions are
1562       documented in respective option description.
1563
1564   See Also
1565       For more information on the service discovery mechanism, refer to RFC
1566       2782.
1567

ID MAPPING

1569       The ID-mapping feature allows SSSD to act as a client of Active
1570       Directory without requiring administrators to extend user attributes to
1571       support POSIX attributes for user and group identifiers.
1572
1573       NOTE: When ID-mapping is enabled, the uidNumber and gidNumber
1574       attributes are ignored. This is to avoid the possibility of conflicts
1575       between automatically-assigned and manually-assigned values. If you
1576       need to use manually-assigned values, ALL values must be
1577       manually-assigned.
1578
1579       Please note that changing the ID mapping related configuration options
1580       will cause user and group IDs to change. At the moment, SSSD does not
1581       support changing IDs, so the SSSD database must be removed. Because
1582       cached passwords are also stored in the database, removing the database
1583       should only be performed while the authentication servers are
1584       reachable, otherwise users might get locked out. In order to cache the
1585       password, an authentication must be performed. It is not sufficient to
1586       use sss_cache(8) to remove the database, rather the process consists
1587       of:
1588
1589       ·   Making sure the remote servers are reachable
1590
1591       ·   Stopping the SSSD service
1592
1593       ·   Removing the database
1594
1595       ·   Starting the SSSD service
1596
1597       Moreover, as the change of IDs might necessitate the adjustment of
1598       other system properties such as file and directory ownership, it's
1599       advisable to plan ahead and test the ID mapping configuration
1600       thoroughly.
1601
1602   Mapping Algorithm
1603       Active Directory provides an objectSID for every user and group object
1604       in the directory. This objectSID can be broken up into components that
1605       represent the Active Directory domain identity and the relative
1606       identifier (RID) of the user or group object.
1607
1608       The SSSD ID-mapping algorithm takes a range of available UIDs and
1609       divides it into equally-sized component sections - called "slices"-.
1610       Each slice represents the space available to an Active Directory
1611       domain.
1612
1613       When a user or group entry for a particular domain is encountered for
1614       the first time, the SSSD allocates one of the available slices for that
1615       domain. In order to make this slice-assignment repeatable on different
1616       client machines, we select the slice based on the following algorithm:
1617
1618       The SID string is passed through the murmurhash3 algorithm to convert
1619       it to a 32-bit hashed value. We then take the modulus of this value
1620       with the total number of available slices to pick the slice.
1621
1622       NOTE: It is possible to encounter collisions in the hash and subsequent
1623       modulus. In these situations, we will select the next available slice,
1624       but it may not be possible to reproduce the same exact set of slices on
1625       other machines (since the order that they are encountered will
1626       determine their slice). In this situation, it is recommended to either
1627       switch to using explicit POSIX attributes in Active Directory
1628       (disabling ID-mapping) or configure a default domain to guarantee that
1629       at least one is always consistent. See “Configuration” for details.
1630
1631   Configuration
1632       Minimum configuration (in the “[domain/DOMAINNAME]” section):
1633
1634           ldap_id_mapping = True
1635           ldap_schema = ad
1636
1637       The default configuration results in configuring 10,000 slices, each
1638       capable of holding up to 200,000 IDs, starting from 200,000 and going
1639       up to 2,000,200,000. This should be sufficient for most deployments.
1640
1641       Advanced Configuration
1642           ldap_idmap_range_min (integer)
1643               Specifies the lower bound of the range of POSIX IDs to use for
1644               mapping Active Directory user and group SIDs.
1645
1646               NOTE: This option is different from “min_id” in that “min_id”
1647               acts to filter the output of requests to this domain, whereas
1648               this option controls the range of ID assignment. This is a
1649               subtle distinction, but the good general advice would be to
1650               have “min_id” be less-than or equal to “ldap_idmap_range_min”
1651
1652               Default: 200000
1653
1654           ldap_idmap_range_max (integer)
1655               Specifies the upper bound of the range of POSIX IDs to use for
1656               mapping Active Directory user and group SIDs.
1657
1658               NOTE: This option is different from “max_id” in that “max_id”
1659               acts to filter the output of requests to this domain, whereas
1660               this option controls the range of ID assignment. This is a
1661               subtle distinction, but the good general advice would be to
1662               have “max_id” be greater-than or equal to
1663               “ldap_idmap_range_max”
1664
1665               Default: 2000200000
1666
1667           ldap_idmap_range_size (integer)
1668               Specifies the number of IDs available for each slice. If the
1669               range size does not divide evenly into the min and max values,
1670               it will create as many complete slices as it can.
1671
1672               NOTE: The value of this option must be at least as large as the
1673               highest user RID planned for use on the Active Directory
1674               server. User lookups and login will fail for any user whose RID
1675               is greater than this value.
1676
1677               For example, if your most recently-added Active Directory user
1678               has objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107,
1679               “ldap_idmap_range_size” must be at least 1108 as range size is
1680               equal to maximal SID minus minimal SID plus one (e.g. 1108 =
1681               1107 - 0 + 1).
1682
1683               It is important to plan ahead for future expansion, as changing
1684               this value will result in changing all of the ID mappings on
1685               the system, leading to users with different local IDs than they
1686               previously had.
1687
1688               Default: 200000
1689
1690           ldap_idmap_default_domain_sid (string)
1691               Specify the domain SID of the default domain. This will
1692               guarantee that this domain will always be assigned to slice
1693               zero in the ID map, bypassing the murmurhash algorithm
1694               described above.
1695
1696               Default: not set
1697
1698           ldap_idmap_default_domain (string)
1699               Specify the name of the default domain.
1700
1701               Default: not set
1702
1703           ldap_idmap_autorid_compat (boolean)
1704               Changes the behavior of the ID-mapping algorithm to behave more
1705               similarly to winbind's “idmap_autorid” algorithm.
1706
1707               When this option is configured, domains will be allocated
1708               starting with slice zero and increasing monatomically with each
1709               additional domain.
1710
1711               NOTE: This algorithm is non-deterministic (it depends on the
1712               order that users and groups are requested). If this mode is
1713               required for compatibility with machines running winbind, it is
1714               recommended to also use the “ldap_idmap_default_domain_sid”
1715               option to guarantee that at least one domain is consistently
1716               allocated to slice zero.
1717
1718               Default: False
1719
1720           ldap_idmap_helper_table_size (integer)
1721               Maximal number of secondary slices that is tried when
1722               performing mapping from UNIX id to SID.
1723
1724               Note: Additional secondary slices might be generated when SID
1725               is being mapped to UNIX id and RID part of SID is out of range
1726               for secondary slices generated so far. If value of
1727               ldap_idmap_helper_table_size is equal to 0 then no additional
1728               secondary slices are generated.
1729
1730               Default: 10
1731
1732   Well-Known SIDs
1733       SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a
1734       special hardcoded meaning. Since the generic users and groups related
1735       to those Well-Known SIDs have no equivalent in a Linux/UNIX environment
1736       no POSIX IDs are available for those objects.
1737
1738       The SID name space is organized in authorities which can be seen as
1739       different domains. The authorities for the Well-Known SIDs are
1740
1741       ·   Null Authority
1742
1743       ·   World Authority
1744
1745       ·   Local Authority
1746
1747       ·   Creator Authority
1748
1749       ·   NT Authority
1750
1751       ·   Built-in
1752
1753       The capitalized version of these names are used as domain names when
1754       returning the fully qualified name of a Well-Known SID.
1755
1756       Since some utilities allow to modify SID based access control
1757       information with the help of a name instead of using the SID directly
1758       SSSD supports to look up the SID by the name as well. To avoid
1759       collisions only the fully qualified names can be used to look up
1760       Well-Known SIDs. As a result the domain names “NULL AUTHORITY”, “WORLD
1761       AUTHORITY”, “ LOCAL AUTHORITY”, “CREATOR AUTHORITY”, “NT AUTHORITY” and
1762       “BUILTIN” should not be used as domain names in sssd.conf.
1763

EXAMPLE

1765       The following example assumes that SSSD is correctly configured and
1766       LDAP is set to one of the domains in the [domains] section.
1767
1768           [domain/LDAP]
1769           id_provider = ldap
1770           auth_provider = ldap
1771           ldap_uri = ldap://ldap.mydomain.org
1772           ldap_search_base = dc=mydomain,dc=org
1773           ldap_tls_reqcert = demand
1774           cache_credentials = true
1775
1776

LDAP ACCESS FILTER EXAMPLE

1778       The following example assumes that SSSD is correctly configured and to
1779       use the ldap_access_order=lockout.
1780
1781           [domain/LDAP]
1782           id_provider = ldap
1783           auth_provider = ldap
1784           access_provider = ldap
1785           ldap_access_order = lockout
1786           ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org
1787           ldap_uri = ldap://ldap.mydomain.org
1788           ldap_search_base = dc=mydomain,dc=org
1789           ldap_tls_reqcert = demand
1790           cache_credentials = true
1791
1792

NOTES

1794       The descriptions of some of the configuration options in this manual
1795       page are based on the ldap.conf(5) manual page from the OpenLDAP 2.4
1796       distribution.
1797

SEE ALSO

1799       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
1800       sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sssd-session-recording(5),
1801       sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8),
1802       sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
1803       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8).  sss_rpcidmapd(5)
1804       sssd-systemtap(5)
1805

AUTHORS

1807       The SSSD upstream - https://pagure.io/SSSD/sssd/
1808
1809
1810
1811SSSD                              07/01/2019                      SSSD-LDAP(5)
Impressum