SSSD-LDAP(5)             File Formats and Conventions             SSSD-LDAP(5)

NAME

       sssd-ldap - the configuration file for SSSD

DESCRIPTION

       This manual page describes the configuration of LDAP domains for
       sssd(8). Refer to the “FILE FORMAT” section of the sssd.conf(5) manual
       page for detailed syntax information.

       You can configure SSSD to use more than one LDAP domain.

       The LDAP back end supports id, auth, access and chpass providers. If
       you want to authenticate against an LDAP server either TLS/SSL or LDAPS
       is required. sssd does not support authentication over an unencrypted
       channel. If the LDAP server is used only as an identity provider, an
       encrypted channel is not needed. Please refer to the
       “ldap_access_filter” config option for more information about using
       LDAP as an access provider.

CONFIGURATION OPTIONS

       All of the common configuration options that apply to SSSD domains also
       apply to LDAP domains. Refer to the “DOMAIN SECTIONS” section of the
       sssd.conf(5) manual page for full details.

       ldap_uri (string)
           Specifies the comma-separated list of URIs of the LDAP servers to
           which SSSD should connect in the order of preference. Refer to the
           “FAILOVER” section for more information on failover and server
           redundancy. If not specified, service discovery is enabled. For
           more information, refer to the “SERVICE DISCOVERY” section.

           The format of the URI must match the format defined in RFC 2732:

           ldap[s]://<host>[:port]

           For explicit IPv6 addresses, <host> must be enclosed in brackets []

           example: ldap://[fc00::126:25]:389

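The following parser is an added example, not SSSD code; it validates ldap_uri entries against the ldap[s]://<host>[:port] format above, rejects an IPv6 literal that is not bracketed, and reports which servers are reached over plain ldap:// (where confidentiality depends on StartTLS). The default ports 389 and 636 and the pass-through of the “_srv_” keyword are assumptions taken from the standard LDAP ports and the SERVICE DISCOVERY section, not from the option text itself.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Union

# ldap[s]://<host>[:port]; an explicit IPv6 address must be bracketed (RFC 2732).
# The plain-host alternative excludes ':' so a bare IPv6 literal is rejected.
_URI_RE = re.compile(
    r"^(?P<scheme>ldaps?)://"
    r"(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^\[\]:/\s]+))"
    r"(?::(?P<port>\d{1,5}))?$"
)

# Assumption (not stated on the page): standard LDAP ports apply when none is given.
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
SRV_KEYWORD = "_srv_"   # service-discovery placeholder, see SERVICE DISCOVERY


@dataclass(frozen=True)
class LdapUri:
    scheme: str
    host: str
    port: int
    explicit_port: bool

    @property
    def tls_from_start(self) -> bool:
        """ldaps:// is encrypted from the first byte; ldap:// relies on StartTLS."""
        return self.scheme == "ldaps"


def parse_ldap_uri(text: str) -> LdapUri:
    """Parse one ldap_uri entry, raising ValueError on anything off-format."""
    text = text.strip()
    m = _URI_RE.match(text)
    if m is None:
        if text.count(":") >= 3 and "[" not in text:
            raise ValueError(f"IPv6 address must be enclosed in []: {text!r}")
        raise ValueError(f"not of the form ldap[s]://<host>[:port]: {text!r}")
    if m.group("v6") is not None:
        host = m.group("v6")
        try:
            ipaddress.IPv6Address(host)      # brackets alone do not make it valid
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"invalid IPv6 literal in {text!r}") from exc
    else:
        host = m.group("host")
    scheme = m.group("scheme")
    if m.group("port") is None:
        return LdapUri(scheme, host, DEFAULT_PORT[scheme], False)
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {text!r}")
    return LdapUri(scheme, host, port, True)


def split_server_list(value: str) -> List[str]:
    """Comma-separated list, any amount of whitespace around the commas."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_ldap_uri_list(value: str) -> List[Union[LdapUri, str]]:
    """Parse a whole ldap_uri value in order; '_srv_' is passed through as-is."""
    out: List[Union[LdapUri, str]] = []
    for item in split_server_list(value):
        out.append(item if item == SRV_KEYWORD else parse_ldap_uri(item))
    return out


def plaintext_hosts(value: str) -> List[str]:
    """Hosts reached over ldap://, i.e. those that need StartTLS for confidentiality."""
    return [u.host for u in parse_ldap_uri_list(value)
            if isinstance(u, LdapUri) and not u.tls_from_start]
```

plaintext_hosts() is the check worth running over a real configuration before enabling auth_provider = ldap: every host it lists depends on StartTLS rather than on LDAPS.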
       ldap_chpass_uri (string)
           Specifies the list of URIs of the LDAP servers to which SSSD should
           connect in the order of preference to change the password of a
           user. Refer to the “FAILOVER” section for more information on
           failover and server redundancy.

           To enable service discovery ldap_chpass_dns_service_name must be
           set.

           Default: empty, i.e. ldap_uri is used.

       ldap_search_base (string)
           The default base DN to use for performing LDAP user operations.

           Default: If not set the value of the defaultNamingContext or
           namingContexts attribute from the RootDSE of the LDAP server is
           used. If defaultNamingContext does not exist or has an empty value
           namingContexts is used. The namingContexts attribute must have a
           single value with the DN of the search base of the LDAP server to
           make this work. Multiple values are not supported.

       ldap_schema (string)
           Specifies the Schema Type in use on the target LDAP server.
           Depending on the selected schema, the default attribute names
           retrieved from the servers may vary. The way that some attributes
           are handled may also differ. Three schema types are currently
           supported:

           rfc2307

           rfc2307bis

           IPA

           The main difference between these schema types is how group
           memberships are recorded in the server. With rfc2307, group members
           are listed by name in the memberUid attribute. With rfc2307bis and
           IPA, group members are listed by DN and stored in the member
           attribute.

           Default: rfc2307

       ldap_default_bind_dn (string)
           The default bind DN to use for performing LDAP operations.

       ldap_default_authtok_type (string)
           The type of the authentication token of the default bind DN.

           The two mechanisms currently supported are:

           password

           obfuscated_password

           Default: password

       ldap_default_authtok (string)
           The authentication token of the default bind DN. Only clear text
           passwords are currently supported.

       ldap_user_object_class (string)
           The object class of a user entry in LDAP.

           Default: posixAccount

       ldap_user_name (string)
           The LDAP attribute that corresponds to the user's login name.

           Default: uid

       ldap_user_uid_number (string)
           The LDAP attribute that corresponds to the user's id.

           Default: uidNumber

       ldap_user_gid_number (string)
           The LDAP attribute that corresponds to the user's primary group id.

           Default: gidNumber

       ldap_user_gecos (string)
           The LDAP attribute that corresponds to the user's gecos field.

           Default: gecos

       ldap_user_home_directory (string)
           The LDAP attribute that contains the name of the user's home
           directory.

           Default: homeDirectory

       ldap_user_shell (string)
           The LDAP attribute that contains the path to the user's default
           shell.

           Default: loginShell

       ldap_user_uuid (string)
           The LDAP attribute that contains the UUID/GUID of an LDAP user
           object.

           Default: nsUniqueId

       ldap_user_modify_timestamp (string)
           The LDAP attribute that contains the timestamp of the last
           modification of the parent object.

           Default: modifyTimestamp

       ldap_user_shadow_last_change (string)
           When using ldap_pwd_policy=shadow, this parameter contains the name
           of an LDAP attribute corresponding to its shadow(5) counterpart
           (date of the last password change).

           Default: shadowLastChange

       ldap_user_shadow_min (string)
           When using ldap_pwd_policy=shadow, this parameter contains the name
           of an LDAP attribute corresponding to its shadow(5) counterpart
           (minimum password age).

           Default: shadowMin

       ldap_user_shadow_max (string)
           When using ldap_pwd_policy=shadow, this parameter contains the name
           of an LDAP attribute corresponding to its shadow(5) counterpart
           (maximum password age).

           Default: shadowMax

       ldap_user_shadow_warning (string)
           When using ldap_pwd_policy=shadow, this parameter contains the name
           of an LDAP attribute corresponding to its shadow(5) counterpart
           (password warning period).

           Default: shadowWarning

       ldap_user_shadow_inactive (string)
           When using ldap_pwd_policy=shadow, this parameter contains the name
           of an LDAP attribute corresponding to its shadow(5) counterpart
           (password inactivity period).

           Default: shadowInactive

       ldap_user_shadow_expire (string)
           When using ldap_pwd_policy=shadow or
           ldap_account_expire_policy=shadow, this parameter contains the name
           of an LDAP attribute corresponding to its shadow(5) counterpart
           (account expiration date).

           Default: shadowExpire

       ldap_user_krb_last_pwd_change (string)
           When using ldap_pwd_policy=mit_kerberos, this parameter contains
           the name of an LDAP attribute storing the date and time of the last
           password change in Kerberos.

           Default: krbLastPwdChange

       ldap_user_krb_password_expiration (string)
           When using ldap_pwd_policy=mit_kerberos, this parameter contains
           the name of an LDAP attribute storing the date and time when the
           current password expires.

           Default: krbPasswordExpiration

       ldap_user_ad_account_expires (string)
           When using ldap_account_expire_policy=ad, this parameter contains
           the name of an LDAP attribute storing the expiration time of the
           account.

           Default: accountExpires

       ldap_user_ad_user_account_control (string)
           When using ldap_account_expire_policy=ad, this parameter contains
           the name of an LDAP attribute storing the user account control bit
           field.

           Default: userAccountControl

       ldap_ns_account_lock (string)
           When using ldap_account_expire_policy=rhds or equivalent, this
           parameter determines if access is allowed or not.

           Default: nsAccountLock

       ldap_user_principal (string)
           The LDAP attribute that contains the user's Kerberos User Principal
           Name (UPN).

           Default: krbPrincipalName

       ldap_force_upper_case_realm (boolean)
           Some directory servers, for example Active Directory, might deliver
           the realm part of the UPN in lower case, which might cause the
           authentication to fail. Set this option to a non-zero value if you
           want to use an upper-case realm.

           Default: false

       ldap_enumeration_refresh_timeout (integer)
           Specifies how many seconds SSSD has to wait before refreshing its
           cache of enumerated records.

           Default: 300

       ldap_purge_cache_timeout
           Determine how often to check the cache for inactive entries (such
           as groups with no members and users who have never logged in) and
           remove them to save space.

           Setting this option to zero will disable the cache cleanup
           operation.

           Default: 10800 (12 hours)

       ldap_user_fullname (string)
           The LDAP attribute that corresponds to the user's full name.

           Default: cn

       ldap_user_member_of (string)
           The LDAP attribute that lists the user's group memberships.

           Default: memberOf

       ldap_user_authorized_service (string)
           If access_provider=ldap and ldap_access_order=authorized_service,
           SSSD will use the presence of the authorizedService attribute in
           the user's LDAP entry to determine access privilege.

           An explicit deny (!svc) is resolved first. Second, SSSD searches
           for explicit allow (svc) and finally for allow_all (*).

           Default: authorizedService

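The resolution order just described, worked through as an added example (this is not SSSD's implementation): deny entries beat everything, then explicit allow, then “*”. The directory snapshot is constructed, and the rule that a user with no matching value is denied is an assumption, as is the reporting of the rule that fired, which is what a defender wants when a login is refused.

```python
from typing import Dict, Iterable, List, Tuple

ALLOW_ALL = "*"


def authorized_service_access(values: Iterable[str], service: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one PAM service name.

    Order follows the page: explicit deny (!svc) first, then explicit
    allow (svc), then allow_all (*).  Assumption: no match means denied.
    """
    vals = [v.strip() for v in values if v and v.strip()]
    if f"!{service}" in vals:
        return False, f"explicit deny !{service}"
    if service in vals:
        return True, f"explicit allow {service}"
    if ALLOW_ALL in vals:
        return True, "allow_all (*)"
    return False, "no matching authorizedService value"


# Constructed directory snapshot: uid -> authorizedService values (not real data).
CONSTRUCTED_USERS: Dict[str, List[str]] = {
    "alice": ["*"],                 # any service
    "bob":   ["sshd", "login"],     # console and ssh only
    "carol": ["!sshd", "*"],        # everything except ssh; the deny wins over *
    "dave":  [],                    # attribute absent from the entry
}


def users_allowed(service: str,
                  users: Dict[str, List[str]] = CONSTRUCTED_USERS) -> List[str]:
    """Audit view: who may use a service on this host, sorted by uid."""
    return sorted(uid for uid, vals in users.items()
                  if authorized_service_access(vals, service)[0])


def explain_denials(service: str,
                    users: Dict[str, List[str]] = CONSTRUCTED_USERS) -> Dict[str, str]:
    """Why each denied user is denied; the first thing to check on a refused login."""
    return {uid: reason for uid, vals in users.items()
            for allowed, reason in [authorized_service_access(vals, service)]
            if not allowed}
```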
       ldap_group_object_class (string)
           The object class of a group entry in LDAP.

           Default: posixGroup

       ldap_group_name (string)
           The LDAP attribute that corresponds to the group name.

           Default: cn

       ldap_group_gid_number (string)
           The LDAP attribute that corresponds to the group's id.

           Default: gidNumber

       ldap_group_member (string)
           The LDAP attribute that contains the names of the group's members.

           Default: memberuid (rfc2307) / member (rfc2307bis)

       ldap_group_uuid (string)
           The LDAP attribute that contains the UUID/GUID of an LDAP group
           object.

           Default: nsUniqueId

       ldap_group_modify_timestamp (string)
           The LDAP attribute that contains the timestamp of the last
           modification of the parent object.

           Default: modifyTimestamp

       ldap_group_nesting_level (integer)
           If ldap_schema is set to a schema format that supports nested
           groups (e.g. RFC2307bis), then this option controls how many levels
           of nesting SSSD will follow. This option has no effect on the
           RFC2307 schema.

           Default: 2

       ldap_netgroup_object_class (string)
           The object class of a netgroup entry in LDAP.

           Default: nisNetgroup

       ldap_netgroup_name (string)
           The LDAP attribute that corresponds to the netgroup name.

           Default: cn

       ldap_netgroup_member (string)
           The LDAP attribute that contains the names of the netgroup's
           members.

           Default: memberNisNetgroup

       ldap_netgroup_triple (string)
           The LDAP attribute that contains the (host, user, domain) netgroup
           triples.

           Default: nisNetgroupTriple

       ldap_netgroup_uuid (string)
           The LDAP attribute that contains the UUID/GUID of an LDAP netgroup
           object.

           Default: nsUniqueId

       ldap_netgroup_modify_timestamp (string)
           The LDAP attribute that contains the timestamp of the last
           modification of the parent object.

           Default: modifyTimestamp

       ldap_search_timeout (integer)
           Specifies the timeout (in seconds) that ldap searches are allowed
           to run before they are cancelled and cached results are returned
           (and offline mode is entered).

           Note: this option is subject to change in future versions of the
           SSSD. It will likely be replaced at some point by a series of
           timeouts for specific lookup types.

           Default: 6

       ldap_enumeration_search_timeout (integer)
           Specifies the timeout (in seconds) that ldap searches for user and
           group enumerations are allowed to run before they are cancelled and
           cached results are returned (and offline mode is entered).

           Default: 60

       ldap_network_timeout (integer)
           Specifies the timeout (in seconds) after which the
           poll(2)/select(2) following a connect(2) returns in case of no
           activity.

           Default: 6

       ldap_opt_timeout (integer)
           Specifies a timeout (in seconds) after which calls to synchronous
           LDAP APIs will abort if no response is received. Also controls the
           timeout when communicating with the KDC in case of SASL bind.

           Default: 6

       ldap_page_size (integer)
           Specify the number of records to retrieve from LDAP in a single
           request. Some LDAP servers enforce a maximum limit per-request.

           Default: 1000

       ldap_tls_reqcert (string)
           Specifies what checks to perform on server certificates in a TLS
           session, if any. It can be specified as one of the following
           values:

           never = The client will not request or check any server
           certificate.

           allow = The server certificate is requested. If no certificate is
           provided, the session proceeds normally. If a bad certificate is
           provided, it will be ignored and the session proceeds normally.

           try = The server certificate is requested. If no certificate is
           provided, the session proceeds normally. If a bad certificate is
           provided, the session is immediately terminated.

           demand = The server certificate is requested. If no certificate is
           provided, or a bad certificate is provided, the session is
           immediately terminated.

           hard = Same as “demand”

           Default: hard

       ldap_tls_cacert (string)
           Specifies the file that contains certificates for all of the
           Certificate Authorities that sssd will recognize.

           Default: use OpenLDAP defaults, typically in
           /etc/openldap/ldap.conf

       ldap_tls_cacertdir (string)
           Specifies the path of a directory that contains Certificate
           Authority certificates in separate individual files. Typically the
           file names need to be the hash of the certificate followed by '.0'.
           If available, cacertdir_rehash can be used to create the correct
           names.

           Default: use OpenLDAP defaults, typically in
           /etc/openldap/ldap.conf

       ldap_tls_cert (string)
           Specifies the file that contains the certificate for the client's
           key.

           Default: not set

       ldap_tls_key (string)
           Specifies the file that contains the client's key.

           Default: not set

       ldap_tls_cipher_suite (string)
           Specifies acceptable cipher suites. Typically this is a colon
           separated list. See ldap.conf(5) for format.

           Default: use OpenLDAP defaults, typically in
           /etc/openldap/ldap.conf

       ldap_id_use_start_tls (boolean)
           Specifies that the id_provider connection must also use tls to
           protect the channel.

           Default: false

       ldap_sasl_mech (string)
           Specify the SASL mechanism to use. Currently only GSSAPI is tested
           and supported.

           Default: none

       ldap_sasl_authid (string)
           Specify the SASL authorization id to use. When GSSAPI is used, this
           represents the Kerberos principal used for authentication to the
           directory.

           Default: host/machine.fqdn@REALM

       ldap_krb5_keytab (string)
           Specify the keytab to use when using SASL/GSSAPI.

           Default: System keytab, normally /etc/krb5.keytab

       ldap_krb5_init_creds (boolean)
           Specifies that the id_provider should init Kerberos credentials
           (TGT). This action is performed only if SASL is used and the
           mechanism selected is GSSAPI.

           Default: true

       ldap_krb5_ticket_lifetime (integer)
           Specifies the lifetime in seconds of the TGT if GSSAPI is used.

           Default: 86400 (24 hours)

       krb5_server (string)
           Specifies the list of IP addresses or hostnames of the Kerberos
           servers to which SSSD should connect in the order of preference.
           For more information on failover and server redundancy, see the
           “FAILOVER” section. An optional port number (preceded by a colon)
           may be appended to the addresses or hostnames. If empty, service
           discovery is enabled - for more information, refer to the “SERVICE
           DISCOVERY” section.

           When using service discovery for KDC or kpasswd servers, SSSD first
           searches for DNS entries that specify _udp as the protocol and
           falls back to _tcp if none are found.

           This option was named “krb5_kdcip” in earlier releases of SSSD.
           While the legacy name is recognized for the time being, users are
           advised to migrate their config files to use “krb5_server” instead.

       krb5_realm (string)
           Specify the Kerberos REALM (for SASL/GSSAPI auth).

           Default: System defaults, see /etc/krb5.conf

       ldap_pwd_policy (string)
           Select the policy to evaluate the password expiration on the client
           side. The following values are allowed:

           none - No evaluation on the client side. This option cannot disable
           server-side password policies.

           shadow - Use shadow(5) style attributes to evaluate if the password
           has expired. Note that the current version of sssd cannot update
           this attribute during a password change.

           mit_kerberos - Use the attributes used by MIT Kerberos to determine
           if the password has expired. Use chpass_provider=krb5 to update
           these attributes when the password is changed.

           Default: none

       ldap_referrals (boolean)
           Specifies whether automatic referral chasing should be enabled.

           Please note that sssd only supports referral chasing when it is
           compiled with OpenLDAP version 2.4.13 or higher.

           Default: true

       ldap_dns_service_name (string)
           Specifies the service name to use when service discovery is
           enabled.

           Default: ldap

       ldap_chpass_dns_service_name (string)
           Specifies the service name to use to find an LDAP server which
           allows password changes when service discovery is enabled.

           Default: not set, i.e. service discovery is disabled

       ldap_access_filter (string)
           If using access_provider = ldap, this option is mandatory. It
           specifies an LDAP search filter criteria that must be met for the
           user to be granted access on this host. If access_provider = ldap
           and this option is not set, it will result in all users being
           denied access. Use access_provider = allow to change this default
           behavior.

           Example:

               access_provider = ldap
               ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com

           This example means that access to this host is restricted to
           members of the "allowedusers" group in ldap.

           Offline caching for this feature is limited to determining whether
           the user's last online login was granted access permission. If they
           were granted access during their last login, they will continue to
           be granted access while offline and vice-versa.

           Default: Empty

       ldap_account_expire_policy (string)
           With this option a client side evaluation of access control
           attributes can be enabled.

           Please note that it is always recommended to use server side access
           control, i.e. the LDAP server should deny the bind request with a
           suitable error code even if the password is correct.

           The following values are allowed:

           shadow: use the value of ldap_user_shadow_expire to determine if
           the account is expired.

           ad: use the value of the 32-bit field
           ldap_user_ad_user_account_control and allow access if the second
           bit is not set. If the attribute is missing access is granted. Also
           the expiration time of the account is checked.

           rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if
           access is allowed or not.

           Default: Empty

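The three client-side checks above, carried out on constructed entries, as an added example rather than SSSD's own code. The attribute names are the option defaults from this page. Everything else is an assumption stated in the comments: shadowExpire counts days since 1970-01-01 as in shadow(5) and is treated as expired from that day on; accountExpires is a Windows FILETIME (100 ns ticks since 1601-01-01) where 0 and 0x7FFFFFFFFFFFFFFF mean “never”; the “second bit” of userAccountControl is 0x2; nsAccountLock is the string “true” when locked; and a missing expiry attribute means no expiry.

```python
from datetime import datetime, timedelta, timezone
from typing import Mapping, Tuple

# Attribute names are the option defaults from this page.
SHADOW_EXPIRE_ATTR = "shadowExpire"
AD_UAC_ATTR = "userAccountControl"
AD_EXPIRES_ATTR = "accountExpires"
NS_LOCK_ATTR = "nsAccountLock"

UAC_ACCOUNTDISABLE = 0x2                     # assumption: the "second bit"
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AD_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # assumption: AD "never expires" markers


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def to_filetime(when: datetime) -> int:
    """UTC datetime -> Windows FILETIME (100-ns ticks since 1601-01-01)."""
    return int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000


def from_filetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def _shadow(entry: Mapping[str, str], now: datetime) -> Tuple[bool, str]:
    raw = entry.get(SHADOW_EXPIRE_ATTR)
    if raw is None or raw == "" or int(raw) < 0:      # shadow(5): empty or -1 = never
        return True, "no shadowExpire set"
    today = (now - UNIX_EPOCH).days
    if today >= int(raw):                              # assumption: expired from that day on
        return False, f"shadowExpire day {raw} reached (today is day {today})"
    return True, "shadowExpire lies in the future"


def _ad(entry: Mapping[str, str], now: datetime) -> Tuple[bool, str]:
    raw_uac = entry.get(AD_UAC_ATTR)
    if raw_uac is not None and int(raw_uac) & UAC_ACCOUNTDISABLE:
        return False, "userAccountControl ACCOUNTDISABLE bit set"
    # a missing userAccountControl grants access (page), then the expiry is checked
    raw_exp = entry.get(AD_EXPIRES_ATTR)
    if raw_exp is not None and int(raw_exp) not in AD_NEVER_EXPIRES:
        if from_filetime(int(raw_exp)) <= now:
            return False, "accountExpires lies in the past"
    return True, "account enabled and not expired"


def _rhds(entry: Mapping[str, str], now: datetime) -> Tuple[bool, str]:
    if entry.get(NS_LOCK_ATTR, "").lower() == "true":
        return False, "nsAccountLock is true"
    return True, "nsAccountLock not set"


POLICIES = {"shadow": _shadow, "ad": _ad, "rhds": _rhds, "ipa": _rhds, "389ds": _rhds}


def account_access_allowed(policy: str, entry: Mapping[str, str],
                           now: datetime) -> Tuple[bool, str]:
    """Client-side decision for ldap_account_expire_policy=<policy>."""
    try:
        check = POLICIES[policy]
    except KeyError:
        raise ValueError(f"unknown ldap_account_expire_policy value: {policy!r}") from None
    return check(entry, now)
```

Note that none of this replaces the server-side check the page recommends; a client-side policy only decides what a host does with attributes it has already been allowed to read.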
       ldap_access_order (string)
           Comma separated list of access control options. Allowed values are:

           filter: use ldap_access_filter

           expire: use ldap_account_expire_policy

           authorized_service: use the authorizedService attribute to
           determine access

           Default: filter

           Please note that it is a configuration error if a value is used
           more than once.

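A small configuration linter, added here as an example (not an SSSD tool), that turns three statements from this page into checks over a [domain/...] section: ldap_tls_reqcert values never and allow keep the session going with a bad or missing server certificate; access_provider = ldap without ldap_access_filter denies every user; and a repeated ldap_access_order value is a configuration error. It also notes identity lookups over ldap:// without ldap_id_use_start_tls, which this page describes as unencrypted. The two sssd.conf fragments, the CA bundle path and the severity labels are constructed for the example.

```python
import configparser
from typing import List, Tuple

Finding = Tuple[str, str, str]             # (section, severity, message)

WEAK_REQCERT = {"never", "allow"}          # server certificate never enforced
KNOWN_ACCESS_ORDER = {"filter", "expire", "authorized_service"}


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1"}


def lint_sssd_conf(text: str) -> List[Finding]:
    """Check every [domain/...] section that uses an ldap provider."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    findings: List[Finding] = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        providers = {sec.get(k, "") for k in
                     ("id_provider", "auth_provider", "access_provider", "chpass_provider")}
        if "ldap" not in providers:
            continue

        def add(severity: str, message: str, _name: str = name) -> None:
            findings.append((_name, severity, message))

        # ldap_tls_reqcert: never/allow proceed even with a bad or missing certificate
        reqcert = sec.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in WEAK_REQCERT:
            add("error", f"ldap_tls_reqcert = {reqcert} does not verify the server "
                         "certificate; use demand or hard")
        elif reqcert == "try":
            add("warning", "ldap_tls_reqcert = try accepts a server that presents no certificate")

        # identity lookups over ldap:// are cleartext unless StartTLS is requested
        uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        if (sec.get("id_provider") == "ldap"
                and any(u.startswith("ldap://") for u in uris)
                and not _truthy(sec.get("ldap_id_use_start_tls", "false"))):
            add("info", "id_provider uses ldap:// without ldap_id_use_start_tls; "
                        "directory data travels in cleartext")

        if sec.get("access_provider") == "ldap":
            order = [o.strip() for o in sec.get("ldap_access_order", "filter").split(",")
                     if o.strip()]
            seen = set()
            for item in order:
                if item in seen:
                    add("error", f"ldap_access_order lists '{item}' more than once "
                                 "(configuration error)")
                seen.add(item)
                if item not in KNOWN_ACCESS_ORDER:
                    add("error", f"ldap_access_order value '{item}' is not one of "
                                 "filter, expire, authorized_service")
            if "filter" in seen and not sec.get("ldap_access_filter", "").strip():
                add("error", "access_provider = ldap with no ldap_access_filter "
                             "denies every user")
            if "expire" in seen and not sec.get("ldap_account_expire_policy", "").strip():
                add("warning", "ldap_access_order includes expire but "
                               "ldap_account_expire_policy is empty")
    return findings


# Constructed configurations (not the page's EXAMPLE section).
WEAK_CONF = """
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
ldap_access_order = filter, expire, filter
"""

HARDENED_CONF = """
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /path/to/ca-bundle.crt
ldap_access_order = filter, expire
ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
ldap_account_expire_policy = shadow
"""
```

lint_sssd_conf(WEAK_CONF) reports the weak certificate check, the duplicated filter entry, the missing access filter, the empty expire policy and the cleartext identity channel; the hardened fragment produces no findings.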
       ldap_deref (string)
           Specifies how alias dereferencing is done when performing a search.
           The following options are allowed:

           never: Aliases are never dereferenced.

           searching: Aliases are dereferenced in subordinates of the base
           object, but not in locating the base object of the search.

           finding: Aliases are only dereferenced when locating the base
           object of the search.

           always: Aliases are dereferenced both in searching and in locating
           the base object of the search.

           Default: Empty (this is handled as never by the LDAP client
           libraries)

ADVANCED OPTIONS

       These options are supported by LDAP domains, but they should be used
       with caution. Please include them in your configuration only if you
       know what you are doing.

       ldap_netgroup_search_base (string)
           An optional base DN to restrict netgroup searches to a specific
           subtree.

           Default: the value of ldap_search_base

       ldap_user_search_base (string)
           An optional base DN to restrict user searches to a specific
           subtree.

           Default: the value of ldap_search_base

       ldap_group_search_base (string)
           An optional base DN to restrict group searches to a specific
           subtree.

           Default: the value of ldap_search_base

FAILOVER

       The failover feature allows back ends to automatically switch to a
       different server if the primary server fails.

   Failover Syntax
       The list of servers is given as a comma-separated list; any number of
       spaces is allowed around the comma. The servers are listed in order of
       preference. The list can contain any number of servers.

   The Failover Mechanism
       The failover mechanism distinguishes between a machine and a service.
       The back end first tries to resolve the hostname of a given machine; if
       this resolution attempt fails, the machine is considered offline. No
       further attempts are made to connect to this machine for any other
       service. If the resolution attempt succeeds, the back end tries to
       connect to a service on this machine. If the service connection attempt
       fails, then only this particular service is considered offline and the
       back end automatically switches over to the next service. The machine
       is still considered online and might still be tried for another
       service.

       Further connection attempts are made to machines or services marked as
       offline after a specified period of time; this is currently hard coded
       to 30 seconds.

       If there are no more machines to try, the back end as a whole switches
       to offline mode, and then attempts to reconnect every 30 seconds.

SERVICE DISCOVERY

       The service discovery feature allows back ends to automatically find
       the appropriate servers to connect to using a special DNS query.

   Configuration
       If no servers are specified, the back end automatically uses service
       discovery to try to find a server. Optionally, the user may choose to
       use both fixed server addresses and service discovery by inserting a
       special keyword, “_srv_”, in the list of servers. The order of
       preference is maintained. This feature is useful if, for example, the
       user prefers to use service discovery whenever possible, and fall back
       to a specific server when no servers can be discovered using DNS.

   The domain name
       Please refer to the “dns_discovery_domain” parameter in the
       sssd.conf(5) manual page for more details.

   The protocol
       The queries usually specify _tcp as the protocol. Exceptions are
       documented in the respective option descriptions.

   See Also
       For more information on the service discovery mechanism, refer to RFC
       2782.

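The FAILOVER mechanism and the “_srv_” keyword from SERVICE DISCOVERY, simulated together as an added example (this is a model of the behaviour described above, not SSSD's failover code). Name resolution, SRV lookup and connection attempts are injected callables backed by a constructed topology, so it runs offline; the 30 second retry interval is the value the page gives, and the three example hostnames and SRV records are invented.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

RETRY_INTERVAL = 30.0          # seconds; the hard-coded period from the page
SRV_KEYWORD = "_srv_"


def split_server_list(value: str) -> List[str]:
    """Comma-separated list, any amount of whitespace around the commas."""
    return [s.strip() for s in value.split(",") if s.strip()]


@dataclass
class Failover:
    servers: List[str]                            # in order of preference
    resolve: Callable[[str], bool]                # hostname -> resolvable?
    connect: Callable[[str, str], bool]           # (host, service) -> connected?
    discover: Callable[[str], List[str]]          # service -> hosts from DNS SRV
    clock: Callable[[], float]
    machine_offline: Dict[str, float] = field(default_factory=dict)
    service_offline: Dict[Tuple[str, str], float] = field(default_factory=dict)
    backend_offline_since: Optional[float] = None

    def _candidates(self, service: str) -> List[str]:
        """Expand '_srv_' in place so discovered servers keep their slot in the order."""
        hosts: List[str] = []
        for s in self.servers:
            hosts.extend(self.discover(service) if s == SRV_KEYWORD else [s])
        return hosts

    def _still_offline(self, table: Dict, key) -> bool:
        since = table.get(key)
        if since is None:
            return False
        if self.clock() - since >= RETRY_INTERVAL:
            del table[key]                        # retry period elapsed: try again
            return False
        return True

    def connect_service(self, service: str) -> Optional[str]:
        """Return the host that accepted the connection, or None when offline."""
        now = self.clock()
        if self.backend_offline_since is not None:
            if now - self.backend_offline_since < RETRY_INTERVAL:
                return None                       # whole back end offline; wait
            self.backend_offline_since = None
        for host in self._candidates(service):
            if self._still_offline(self.machine_offline, host):
                continue                          # machine down: skipped for every service
            if self._still_offline(self.service_offline, (host, service)):
                continue                          # only this service is down on this host
            if not self.resolve(host):
                self.machine_offline[host] = now  # resolution failed: machine offline
                continue
            if not self.connect(host, service):
                self.service_offline[(host, service)] = now
                continue
            return host
        self.backend_offline_since = now          # nothing left to try
        return None


class FakeClock:
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


# Constructed lab topology; none of these hosts exist.
RESOLVABLE = {"ldap1.example.com": False, "ldap2.example.com": True, "ldap3.example.com": True}
SERVICE_UP = {("ldap2.example.com", "ldap"): False, ("ldap2.example.com", "kerberos"): True,
              ("ldap3.example.com", "ldap"): True, ("ldap3.example.com", "kerberos"): True}
SRV_RECORDS = {"ldap": ["ldap2.example.com"], "kerberos": ["ldap2.example.com"]}


def build_demo(server_list: str = "ldap1.example.com, _srv_ ,ldap3.example.com"):
    """A Failover over the constructed topology plus a log of every attempt made."""
    clock = FakeClock()
    log: List[tuple] = []

    def resolve(host: str) -> bool:
        log.append(("resolve", host))
        return RESOLVABLE.get(host, False)

    def connect(host: str, service: str) -> bool:
        log.append(("connect", host, service))
        return SERVICE_UP.get((host, service), False)

    fo = Failover(split_server_list(server_list), resolve, connect,
                  lambda svc: SRV_RECORDS.get(svc, []), clock)
    return fo, clock, log
```

The attempt log is the useful part when reading SSSD's own debug output: a host that failed to resolve is not retried for any service until the interval passes, while a host whose ldap service refused the connection is still offered to the kerberos service.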

EXAMPLE

712       The following example assumes that SSSD is correctly configured and
713       LDAP is set to one of the domains in the [domains] section.
714
715               [domain/LDAP]
716               id_provider = ldap
717               auth_provider = ldap
718               ldap_uri = ldap://ldap.mydomain.org
719               ldap_search_base = dc=mydomain,dc=org
720               ldap_tls_reqcert = demand
721               cache_credentials = true
722               enumerate = true
723
724

NOTES

726       The descriptions of some of the configuration options in this manual
727       page are based on the ldap.conf(5) manual page from the OpenLDAP 2.4
728       distribution.
729

SEE ALSO

731       sssd.conf(5), sssd-krb5(5), sssd(8)
732

AUTHORS

734       The SSSD upstream - http://fedorahosted.org/sssd
735
736
737
738SSSD                              08/05/2011                      SSSD-LDAP(5)