SSSD-IPA(5)              File Formats and Conventions              SSSD-IPA(5)

NAME

       sssd-ipa - the configuration file for SSSD


DESCRIPTION

       This manual page describes the configuration of the IPA provider for
       sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
       section of the sssd.conf(5) manual page.

       The IPA provider is a back end used to connect to an IPA server. (Refer
       to the freeipa.org web site for information about IPA servers.) This
       provider requires that the machine be joined to the IPA domain;
       configuration is almost entirely self-discovered and obtained directly
       from the server.

       The IPA provider accepts the same options used by the sssd-ldap(5)
       identity provider and the sssd-krb5(5) authentication provider.
       However, it is neither necessary nor recommended to set these options,
       since the IPA provider determines them itself. The IPA provider can
       also be used as an access and chpass provider. As an access provider it
       evaluates the HBAC (host-based access control) rules defined on the IPA
       server. Please refer to freeipa.org for more information about HBAC.
       No configuration of the access provider is required on the client
       side.


CONFIGURATION OPTIONS

       Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
       for details on the configuration of an SSSD domain.

       ipa_domain (string)
           Specifies the name of the IPA domain. This is optional. If not
           provided, the configuration domain name is used.

       ipa_server (string)
           The list of IP addresses or hostnames of the IPA servers to which
           SSSD should connect, in order of preference. For more information
           on failover and server redundancy, see the “FAILOVER” section. This
           is optional if autodiscovery is enabled. For more information on
           service discovery, refer to the “SERVICE DISCOVERY” section.

       ipa_hostname (string)
           Optional. May be set on machines where the hostname(5) does not
           reflect the fully qualified name used in the IPA domain to identify
           this host.

       ipa_dyndns_update (boolean)
           Optional. This option tells SSSD to automatically update the DNS
           server built into FreeIPA v2 with the IP address of this client.

           Default: false

       ipa_dyndns_iface (string)
           Optional. Applicable only when ipa_dyndns_update is true. Choose
           the interface whose IP address should be used for dynamic DNS
           updates.

           Default: Use the IP address of the IPA LDAP connection

       ipa_hbac_search_base (string)
           Optional. Use the given string as search base for HBAC related
           objects.

           Default: Use base DN

       krb5_validate (boolean)
           Verify, using the keytab named by krb5_keytab, that the TGT
           obtained has not been spoofed by a fake KDC.

           Default: true

           Note that this default differs from the traditional Kerberos
           provider back end.

       krb5_realm (string)
           The name of the Kerberos realm. This is optional and defaults to
           the value of “ipa_domain”.

           The name of the Kerberos realm has a special meaning in IPA - it is
           converted into the base DN to use for performing LDAP operations.

       ipa_hbac_refresh (integer)
           The amount of time between lookups of the HBAC rules against the
           IPA server. Caching the rules for this interval reduces latency and
           the load on the IPA server when many access-control requests are
           made in a short period; a rule changed on the server takes effect
           on the client only after the next refresh.

           Default: 5 (seconds)

       ipa_hbac_treat_deny_as (string)
           This option specifies how to treat the deprecated DENY-type HBAC
           rules. As of FreeIPA v2.1, DENY rules are no longer supported on
           the server. All users of FreeIPA will need to migrate their rules
           to use only ALLOW rules. The client supports two modes of
           operation during this transition period:

           DENY_ALL: If any HBAC DENY rules are detected, all users will be
           denied access.

           IGNORE: SSSD will ignore any DENY rules. Be very careful with this
           option, as it may grant access that the DENY rules were meant to
           block.

           Default: DENY_ALL

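       The following is an added example, not part of SSSD or its
       documentation. It reads a constructed sssd.conf fragment with the
       Python standard library's configparser and reports the settings
       described above that weaken validation or widen access: the IGNORE
       mode of ipa_hbac_treat_deny_as, krb5_validate turned off, and a long
       ipa_hbac_refresh interval. The option names and their defaults are the
       ones documented on this page; the 300 second refresh threshold and the
       sample configuration are this example's own choices.

```python
"""Audit the IPA provider options of sssd.conf domain sections.

Added example, not SSSD code. Defaults come from the sssd-ipa(5) page;
MAX_HBAC_REFRESH and SAMPLE_CONF are constructed for illustration.
"""
import configparser

# Constructed sample configuration (not a real deployment). Three settings
# are deliberately set to values a reviewer should question.
SAMPLE_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipaserver.example.com
ipa_hostname = myhost.example.com
ipa_hbac_treat_deny_as = IGNORE
krb5_validate = false
ipa_hbac_refresh = 3600
"""

# Documented defaults for the IPA provider, applied when an option is absent.
DEFAULTS = {
    "ipa_hbac_treat_deny_as": "DENY_ALL",
    "krb5_validate": "true",
    "ipa_hbac_refresh": "5",
}

MAX_HBAC_REFRESH = 300  # seconds; this example's threshold, not an SSSD limit


def load_conf(text):
    """Parse sssd.conf text; interpolation is off so '%' in values is literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def ipa_domains(parser):
    """Return the section names of all domains that use the IPA provider."""
    return [s for s in parser.sections()
            if s.startswith("domain/")
            and parser.get(s, "id_provider", fallback="") == "ipa"]


def audit_domain(parser, section):
    """Return (option, value, reason) findings for one IPA domain section."""
    def opt(name):
        return parser.get(section, name, fallback=DEFAULTS.get(name))

    findings = []

    deny = opt("ipa_hbac_treat_deny_as").upper()
    if deny == "IGNORE":
        findings.append(("ipa_hbac_treat_deny_as", deny,
                         "DENY rules are ignored; access may be wider than "
                         "the rules on the server intend"))
    elif deny != "DENY_ALL":
        findings.append(("ipa_hbac_treat_deny_as", deny, "unknown value"))

    validate = opt("krb5_validate").lower()
    if validate not in ("true", "yes", "1"):
        findings.append(("krb5_validate", validate,
                         "TGT is not checked against the keytab, so a "
                         "spoofed KDC response would not be detected"))

    refresh = int(opt("ipa_hbac_refresh"))
    if refresh > MAX_HBAC_REFRESH:
        findings.append(("ipa_hbac_refresh", str(refresh),
                         "a rule removed on the server can still grant access "
                         "on this client for up to %d seconds" % refresh))

    return findings


def audit(text):
    """Audit every IPA domain in the given sssd.conf text."""
    parser = load_conf(text)
    return {s: audit_domain(parser, s) for s in ipa_domains(parser)}


if __name__ == "__main__":
    for section, findings in audit(SAMPLE_CONF).items():
        print(section)
        for option, value, reason in findings:
            print("  %s = %s: %s" % (option, value, reason))
```

       Running the script on the embedded sample reports all three settings;
       a domain section that sets only id_provider = ipa produces no findings
       because the documented defaults are already the safe ones.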

FAILOVER

       The failover feature allows back ends to automatically switch to a
       different server if the primary server fails.

   Failover Syntax
       The list of servers is given as a comma-separated list; any number of
       spaces is allowed around the comma. The servers are listed in order of
       preference. The list can contain any number of servers.

   The Failover Mechanism
       The failover mechanism distinguishes between a machine and a service.
       The back end first tries to resolve the hostname of a given machine; if
       this resolution attempt fails, the machine is considered offline. No
       further attempts are made to connect to this machine for any other
       service. If the resolution attempt succeeds, the back end tries to
       connect to a service on this machine. If the service connection attempt
       fails, then only this particular service is considered offline and the
       back end automatically switches over to the next service. The machine
       is still considered online and might still be tried for another
       service.

       Further connection attempts are made to machines or services marked as
       offline after a specified period of time; this is currently hard-coded
       to 30 seconds.

       If there are no more machines to try, the back end as a whole switches
       to offline mode, and then attempts to reconnect every 30 seconds.


SERVICE DISCOVERY

       The service discovery feature allows back ends to automatically find
       the appropriate servers to connect to using a special DNS query.

   Configuration
       If no servers are specified, the back end automatically uses service
       discovery to try to find a server. Optionally, the user may choose to
       use both fixed server addresses and service discovery by inserting a
       special keyword, “_srv_”, in the list of servers. The order of
       preference is maintained. This feature is useful if, for example, the
       user prefers to use service discovery whenever possible, and fall back
       to a specific server when no servers can be discovered using DNS.

   The domain name
       Please refer to the “dns_discovery_domain” parameter in the
       sssd.conf(5) manual page for more details.

   The protocol
       The queries usually specify _tcp as the protocol. Exceptions are
       documented in the respective option descriptions.

   See Also
       For more information on the service discovery mechanism, refer to RFC
       2782.

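       The following is an added example, not SSSD code, that models the
       behaviour described in the FAILOVER and SERVICE DISCOVERY sections: it
       parses a server list in the syntax above, expands the “_srv_” keyword
       in place so the order of preference is kept, builds the SRV record name
       for a service, and tracks machine and service offline state with the
       30 second retry interval this page states. DNS resolution and service
       connections are replaced by caller-supplied callables so the example
       runs offline; the hostnames and the outcomes in demo() are constructed.
       Dropping duplicate hosts during expansion is this example's choice, not
       documented SSSD behaviour.

```python
"""Server list parsing, _srv_ expansion and failover state as described in
sssd-ipa(5). Added example, not SSSD code; resolver and connector are
stubs supplied by the caller, and all hostnames are constructed."""

SRV_KEYWORD = "_srv_"
RETRY_AFTER = 30  # seconds; the man page says this interval is hard-coded


def parse_server_list(value):
    """Split a comma-separated server list, allowing any whitespace around
    the commas, and keep the order of preference."""
    return [item.strip() for item in value.split(",") if item.strip()]


def srv_query_name(service, domain, proto="tcp"):
    """Name of the DNS SRV record queried for a service (RFC 2782 layout);
    the page says _tcp is the usual protocol label."""
    return "_%s._%s.%s" % (service, proto, domain)


def expand_srv(servers, discovered):
    """Replace the _srv_ keyword with the discovered servers in place, so
    fixed servers listed before it keep priority and those after it remain
    the fallback. Duplicates are dropped (this example's choice)."""
    out = []
    for entry in servers:
        candidates = discovered if entry == SRV_KEYWORD else [entry]
        for host in candidates:
            if host not in out:
                out.append(host)
    return out


class Failover:
    """Per-machine and per-service offline state as the page describes: a
    failed hostname lookup marks the whole machine offline, a failed
    connection marks only that service on that machine offline, and both
    are retried once RETRY_AFTER seconds have passed."""

    def __init__(self, servers, resolve, connect, now):
        self.servers = servers        # ordered list of hostnames
        self.resolve = resolve        # resolve(host) -> bool
        self.connect = connect        # connect(host, service) -> bool
        self.now = now                # now() -> seconds
        self.machine_offline = {}     # host -> time marked offline
        self.service_offline = {}     # (host, service) -> time marked offline

    def _may_retry(self, table, key):
        marked = table.get(key)
        return marked is None or self.now() - marked >= RETRY_AFTER

    def pick(self, service):
        """Return the first usable host for a service, or None when every
        machine is exhausted (the back end as a whole goes offline)."""
        for host in self.servers:
            if not self._may_retry(self.machine_offline, host):
                continue                 # machine offline: skipped for all services
            if not self.resolve(host):
                self.machine_offline[host] = self.now()
                continue
            self.machine_offline.pop(host, None)
            if not self._may_retry(self.service_offline, (host, service)):
                continue                 # only this service is offline here
            if self.connect(host, service):
                self.service_offline.pop((host, service), None)
                return host
            self.service_offline[(host, service)] = self.now()
        return None


def demo():
    """Constructed scenario: ipa1 does not resolve, ipa2 refuses LDAP only."""
    clock = [0]
    servers = expand_srv(parse_server_list(" _srv_ , ipa3.example.com"),
                         ["ipa1.example.com", "ipa2.example.com"])
    fo = Failover(servers,
                  resolve=lambda h: h != "ipa1.example.com",
                  connect=lambda h, s: not (h == "ipa2.example.com" and s == "ldap"),
                  now=lambda: clock[0])
    first_ldap = fo.pick("ldap")       # ipa1 offline, ipa2 ldap offline -> ipa3
    first_krb5 = fo.pick("kerberos")   # ipa1 still skipped; ipa2 kerberos works
    clock[0] = RETRY_AFTER
    retry_ldap = fo.pick("ldap")       # ipa1 re-resolved (fails again), ipa2 ldap retried
    return servers, first_ldap, first_krb5, retry_ldap


if __name__ == "__main__":
    print(demo())
```

       The point demo() illustrates is the machine/service distinction: the
       unresolvable ipa1 is not contacted again for Kerberos, while ipa2,
       whose LDAP service failed, is still used for Kerberos.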

EXAMPLE

       The following example assumes that SSSD is correctly configured and
       example.com is one of the domains in the [sssd] section. This example
       shows only the IPA provider-specific options.

               [domain/example.com]
               id_provider = ipa
               ipa_server = ipaserver.example.com
               ipa_hostname = myhost.example.com


SEE ALSO

       sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd(8)


AUTHORS

       The SSSD upstream - http://fedorahosted.org/sssd



SSSD                              08/05/2011                       SSSD-IPA(5)