SSSD-LDAP(5)              File Formats and Conventions             SSSD-LDAP(5)

NAME
       sssd-ldap - SSSD LDAP provider

DESCRIPTION
       This manual page describes the configuration of LDAP domains for
       sssd(8). Refer to the “FILE FORMAT” section of the sssd.conf(5) manual
       page for detailed syntax information.

       You can configure SSSD to use more than one LDAP domain.

       The LDAP back end supports the id, auth, access and chpass providers.
       If you want to authenticate against an LDAP server, either TLS/SSL or
       LDAPS is required. sssd does not support authentication over an
       unencrypted channel. If the LDAP server is used only as an identity
       provider, an encrypted channel is not needed. Please refer to the
       “ldap_access_filter” config option for more information about using
       LDAP as an access provider.

CONFIGURATION OPTIONS
       All of the common configuration options that apply to SSSD domains also
       apply to LDAP domains. Refer to the “DOMAIN SECTIONS” section of the
       sssd.conf(5) manual page for full details. Note that SSSD LDAP mapping
       attributes are described in the sssd-ldap-attributes(5) manual page.

   ldap_uri, ldap_backup_uri (string)
       Specifies the comma-separated list of URIs of the LDAP servers to
       which SSSD should connect, in order of preference. Refer to the
       “FAILOVER” section for more information on failover and server
       redundancy. If neither option is specified, service discovery is
       enabled. For more information, refer to the “SERVICE DISCOVERY”
       section.

       The format of the URI must match the format defined in RFC 2732:

           ldap[s]://<host>[:port]

       For explicit IPv6 addresses, <host> must be enclosed in brackets [].

       Example: ldap://[fc00::126:25]:389

   ldap_chpass_uri, ldap_chpass_backup_uri (string)
       Specifies the comma-separated list of URIs of the LDAP servers to
       which SSSD should connect, in order of preference, to change the
       password of a user. Refer to the “FAILOVER” section for more
       information on failover and server redundancy.

       To enable service discovery, ldap_chpass_dns_service_name must be
       set.

       Default: empty, i.e. ldap_uri is used.

   ldap_search_base (string)
       The default base DN to use for performing LDAP user operations.

       Starting with SSSD 1.7.0, SSSD supports multiple search bases using
       the syntax:

           search_base[?scope?[filter][?search_base?scope?[filter]]*]

       The scope can be one of "base", "onelevel" or "subtree".

       The filter must be a valid LDAP search filter as specified by
       http://www.ietf.org/rfc/rfc2254.txt

       Examples:

           ldap_search_base = dc=example,dc=com (which is equivalent to)
           ldap_search_base = dc=example,dc=com?subtree?

           ldap_search_base =
           cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree?

       Note: It is unsupported to have multiple search bases which
       reference identically-named objects (for example, groups with the
       same name in two different search bases). This will lead to
       unpredictable behavior on client machines.

       Default: If not set, the value of the defaultNamingContext or
       namingContexts attribute from the RootDSE of the LDAP server is
       used. If defaultNamingContext does not exist or has an empty value,
       namingContexts is used. The namingContexts attribute must have a
       single value with the DN of the search base of the LDAP server to
       make this work. Multiple values are not supported.
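       As an added illustration (not SSSD's own parser), the following Python
       splits the multi-search-base syntax above into base/scope/filter
       triples, applies the shorthand rule that a bare DN means "?subtree?",
       and shows how a per-base filter narrows a lookup. It assumes, as
       splitting on "?" requires, that a question mark never occurs inside a
       DN or filter.

```python
"""Parser for the multi-search-base syntax of sssd-ldap(5):

    search_base[?scope?[filter][?search_base?scope?[filter]]*]

Added illustration, not SSSD's own parser.  Assumes a '?' never occurs
inside a DN or filter, which is also what splitting on '?' requires.
"""
from dataclasses import dataclass
from typing import List

VALID_SCOPES = ("base", "onelevel", "subtree")


@dataclass(frozen=True)
class SearchBase:
    base: str
    scope: str = "subtree"
    filter: str = ""          # "" means no per-base filter


def parse_search_base(value: str) -> List[SearchBase]:
    """Split `value` into (base, scope, filter) triples.

    A bare DN is shorthand for "<dn>?subtree?".  Malformed input raises
    ValueError so that a typo fails loudly instead of searching the wrong tree.
    """
    value = value.strip()
    if not value:
        raise ValueError("ldap_search_base is empty")
    parts = value.split("?")
    if len(parts) == 1:
        return [SearchBase(base=parts[0])]
    if len(parts) % 3:
        raise ValueError(f"expected base?scope?filter triples, got {len(parts)} fields")
    result = []
    for i in range(0, len(parts), 3):
        base, scope, flt = (p.strip() for p in parts[i:i + 3])
        if not base:
            raise ValueError(f"triple {i // 3 + 1} has an empty search base")
        if scope.lower() not in VALID_SCOPES:
            raise ValueError(f"invalid scope {scope!r}, expected one of {VALID_SCOPES}")
        if flt and not (flt.startswith("(") and flt.endswith(")")):
            raise ValueError(f"filter must be a parenthesised LDAP filter: {flt!r}")
        result.append(SearchBase(base, scope.lower(), flt))
    return result


def effective_filter(sb: SearchBase, lookup_filter: str) -> str:
    """Combine a lookup filter with the per-base filter using an LDAP AND.

    This is the effect the page describes: the per-base filter narrows every
    search issued under that base (e.g. only entries matching host=thishost).
    """
    if not sb.filter:
        return lookup_filter
    return f"(&{lookup_filter}{sb.filter})"
```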

   ldap_schema (string)
       Specifies the Schema Type in use on the target LDAP server.
       Depending on the selected schema, the default attribute names
       retrieved from the servers may vary. The way that some attributes
       are handled may also differ.

       Four schema types are currently supported:

           · rfc2307

           · rfc2307bis

           · IPA

           · AD

       The main difference between these schema types is how group
       memberships are recorded in the server. With rfc2307, group members
       are listed by name in the memberUid attribute. With rfc2307bis and
       IPA, group members are listed by DN and stored in the member
       attribute. The AD schema type sets the attributes to correspond
       with Active Directory 2008r2 values.

       Default: rfc2307

   ldap_pwmodify_mode (string)
       Specify the operation that is used to modify the user password.

       Two modes are currently supported:

           · exop - Password Modify Extended Operation (RFC 3062)

           · ldap_modify - Direct modification of userPassword (not
             recommended).

       Note: First, a new connection is established to verify the current
       password by binding as the user that requested the password change.
       If successful, this connection is used to change the password;
       therefore the user must have write access to the userPassword
       attribute.

       Default: exop

   ldap_default_bind_dn (string)
       The default bind DN to use for performing LDAP operations.

   ldap_default_authtok_type (string)
       The type of the authentication token of the default bind DN.

       The two mechanisms currently supported are:

           password

           obfuscated_password

       Default: password

   ldap_default_authtok (string)
       The authentication token of the default bind DN. Only clear text
       passwords are currently supported.

   ldap_force_upper_case_realm (boolean)
       Some directory servers, for example Active Directory, might deliver
       the realm part of the UPN in lower case, which might cause the
       authentication to fail. Set this option to a non-zero value if you
       want to use an upper-case realm.

       Default: false

   ldap_enumeration_refresh_timeout (integer)
       Specifies how many seconds SSSD has to wait before refreshing its
       cache of enumerated records.

       Default: 300

   ldap_purge_cache_timeout (integer)
       Determine how often to check the cache for inactive entries (such
       as groups with no members and users who have never logged in) and
       remove them to save space.

       Setting this option to zero will disable the cache cleanup
       operation. Please note that if enumeration is enabled, the cleanup
       task is required in order to detect entries removed from the server
       and can't be disabled. By default, the cleanup task will run every
       3 hours with enumeration enabled.

       Default: 0 (disabled)

   ldap_group_nesting_level (integer)
       If ldap_schema is set to a schema format that supports nested
       groups (e.g. RFC2307bis), then this option controls how many levels
       of nesting SSSD will follow. This option has no effect on the
       RFC2307 schema.

       Note: This option specifies the guaranteed level of nested groups
       to be processed for any lookup. However, nested groups beyond this
       limit may be returned if previous lookups already resolved the
       deeper nesting levels. Also, subsequent lookups for other groups
       may enlarge the result set for the original lookup if re-queried.

       If ldap_group_nesting_level is set to 0 then no nested groups are
       processed at all. However, when connected to Active Directory
       Server 2008 and later using “id_provider=ad” it is furthermore
       required to disable usage of Token-Groups by setting
       ldap_use_tokengroups to false in order to restrict group nesting.

       Default: 2

   ldap_use_tokengroups
       This option enables or disables use of the Token-Groups attribute
       when performing initgroups for users from Active Directory Server
       2008 and later.

       Default: True for AD and IPA, otherwise False.

   ldap_host_search_base (string)
       Optional. Use the given string as search base for host objects.

       See “ldap_search_base” for information about configuring multiple
       search bases.

       Default: the value of ldap_search_base

   ldap_service_search_base (string)
       An optional base DN, search scope and LDAP filter to restrict LDAP
       searches for this attribute type.

       syntax:

           search_base[?scope?[filter][?search_base?scope?[filter]]*]

       The scope can be one of "base", "onelevel" or "subtree". The scope
       functions as specified in section 4.5.1.2 of
       http://tools.ietf.org/html/rfc4511

       The filter must be a valid LDAP search filter as specified by
       http://www.ietf.org/rfc/rfc2254.txt

       For examples of this syntax, please refer to the “ldap_search_base”
       examples section.

       Default: the value of ldap_search_base

       Please note that specifying scope or filter is not supported for
       searches against an Active Directory Server that might yield a
       large number of results and trigger the Range Retrieval extension
       in the response.

   ldap_search_timeout (integer)
       Specifies the timeout (in seconds) that ldap searches are allowed
       to run before they are cancelled and cached results are returned
       (and offline mode is entered).

       Note: this option is subject to change in future versions of the
       SSSD. It will likely be replaced at some point by a series of
       timeouts for specific lookup types.

       Default: 6

   ldap_enumeration_search_timeout (integer)
       Specifies the timeout (in seconds) that ldap searches for user and
       group enumerations are allowed to run before they are cancelled and
       cached results are returned (and offline mode is entered).

       Default: 60

   ldap_network_timeout (integer)
       Specifies the timeout (in seconds) after which the
       poll(2)/select(2) following a connect(2) returns in case of no
       activity.

       Default: 6

   ldap_opt_timeout (integer)
       Specifies a timeout (in seconds) after which calls to synchronous
       LDAP APIs will abort if no response is received. Also controls the
       timeout when communicating with the KDC in case of SASL bind, the
       timeout of an LDAP bind operation, the password change extended
       operation and the StartTLS operation.

       Default: 8

   ldap_connection_expire_timeout (integer)
       Specifies a timeout (in seconds) that a connection to an LDAP
       server will be maintained. After this time, the connection will be
       re-established. If used in parallel with SASL/GSSAPI, the sooner of
       the two values (this value vs. the TGT lifetime) will be used.

       This timeout can be extended by a random value specified by
       ldap_connection_expire_offset.

       Default: 900 (15 minutes)

   ldap_connection_expire_offset (integer)
       A random offset between 0 and the configured value is added to
       ldap_connection_expire_timeout.

       Default: 0

   ldap_page_size (integer)
       Specify the number of records to retrieve from LDAP in a single
       request. Some LDAP servers enforce a maximum limit per request.

       Default: 1000

   ldap_disable_paging (boolean)
       Disable the LDAP paging control. This option should be used if the
       LDAP server reports that it supports the LDAP paging control in its
       RootDSE but it is not enabled or does not behave properly.

       Example: OpenLDAP servers with the paging control module installed
       on the server but not enabled will report it in the RootDSE but be
       unable to use it.

       Example: 389 DS has a bug where it can only support one paging
       control at a time on a single connection. On busy clients, this can
       result in some requests being denied.

       Default: False

   ldap_disable_range_retrieval (boolean)
       Disable Active Directory range retrieval.

       Active Directory limits the number of members to be retrieved in a
       single lookup using the MaxValRange policy (which defaults to 1500
       members). If a group contains more members, the reply would include
       an AD-specific range extension. This option disables parsing of the
       range extension, therefore large groups will appear as having no
       members.

       Default: False

   ldap_sasl_minssf (integer)
       When communicating with an LDAP server using SASL, specify the
       minimum security level necessary to establish the connection. The
       values of this option are defined by OpenLDAP.

       Default: Use the system default (usually specified by ldap.conf)

   ldap_sasl_maxssf (integer)
       When communicating with an LDAP server using SASL, specify the
       maximum security level necessary to establish the connection. The
       values of this option are defined by OpenLDAP.

       Default: Use the system default (usually specified by ldap.conf)

   ldap_deref_threshold (integer)
       Specify the number of group members that must be missing from the
       internal cache in order to trigger a dereference lookup. If fewer
       members are missing, they are looked up individually.

       You can turn off dereference lookups completely by setting the
       value to 0. Please note that there are some codepaths in SSSD, like
       the IPA HBAC provider, that are only implemented using the
       dereference call, so even with dereference explicitly disabled,
       those parts will still use dereference if the server supports it
       and advertises the dereference control in the rootDSE object.

       A dereference lookup is a means of fetching all group members in a
       single LDAP call. Different LDAP servers may implement different
       dereference methods. The currently supported servers are 389/RHDS,
       OpenLDAP and Active Directory.

       Note: If any of the search bases specifies a search filter, then
       the dereference lookup performance enhancement will be disabled
       regardless of this setting.

       Default: 10

   ldap_tls_reqcert (string)
       Specifies what checks to perform on server certificates in a TLS
       session, if any. It can be specified as one of the following
       values:

       never = The client will not request or check any server
       certificate.

       allow = The server certificate is requested. If no certificate is
       provided, the session proceeds normally. If a bad certificate is
       provided, it will be ignored and the session proceeds normally.

       try = The server certificate is requested. If no certificate is
       provided, the session proceeds normally. If a bad certificate is
       provided, the session is immediately terminated.

       demand = The server certificate is requested. If no certificate is
       provided, or a bad certificate is provided, the session is
       immediately terminated.

       hard = Same as “demand”

       Default: hard

   ldap_tls_cacert (string)
       Specifies the file that contains certificates for all of the
       Certificate Authorities that sssd will recognize.

       Default: use OpenLDAP defaults, typically in
       /etc/openldap/ldap.conf

   ldap_tls_cacertdir (string)
       Specifies the path of a directory that contains Certificate
       Authority certificates in separate individual files. Typically the
       file names need to be the hash of the certificate followed by '.0'.
       If available, cacertdir_rehash can be used to create the correct
       names.

       Default: use OpenLDAP defaults, typically in
       /etc/openldap/ldap.conf

   ldap_tls_cert (string)
       Specifies the file that contains the certificate for the client's
       key.

       Default: not set

   ldap_tls_key (string)
       Specifies the file that contains the client's key.

       Default: not set

   ldap_tls_cipher_suite (string)
       Specifies acceptable cipher suites. Typically this is a colon
       separated list. See ldap.conf(5) for the format.

       Default: use OpenLDAP defaults, typically in
       /etc/openldap/ldap.conf

   ldap_id_use_start_tls (boolean)
       Specifies that the id_provider connection must also use TLS to
       protect the channel.

       Default: false

   ldap_id_mapping (boolean)
       Specifies that SSSD should attempt to map user and group IDs from
       the ldap_user_objectsid and ldap_group_objectsid attributes instead
       of relying on ldap_user_uid_number and ldap_group_gid_number.

       Currently this feature supports only ActiveDirectory objectSID
       mapping.

       Default: false

   ldap_min_id, ldap_max_id (integer)
       In contrast to the SID based ID mapping which is used if
       ldap_id_mapping is set to true, the allowed ID range for
       ldap_user_uid_number and ldap_group_gid_number is unbounded. In a
       setup with sub/trusted-domains this might lead to ID collisions. To
       avoid collisions, ldap_min_id and ldap_max_id can be set to restrict
       the allowed range for the IDs which are read directly from the
       server. Sub-domains can then pick other ranges to map IDs.

       Default: not set (both options are set to 0)

   ldap_sasl_mech (string)
       Specify the SASL mechanism to use. Currently only GSSAPI and
       GSS-SPNEGO are tested and supported.

       If the backend supports sub-domains, the value of ldap_sasl_mech is
       automatically inherited by the sub-domains. If a different value is
       needed for a sub-domain, it can be overwritten by setting
       ldap_sasl_mech for this sub-domain explicitly. Please see TRUSTED
       DOMAIN SECTION in sssd.conf(5) for details.

       Default: not set

   ldap_sasl_authid (string)
       Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO
       are used, this represents the Kerberos principal used for
       authentication to the directory. This option can either contain the
       full principal (for example host/myhost@EXAMPLE.COM) or just the
       principal name (for example host/myhost). By default, the value is
       not set and the following principals are used:

           hostname@REALM
           netbiosname$@REALM
           host/hostname@REALM
           *$@REALM
           host/*@REALM
           host/*

       If none of them are found, the first principal in the keytab is
       returned.

       Default: host/hostname@REALM

   ldap_sasl_realm (string)
       Specify the SASL realm to use. When not specified, this option
       defaults to the value of krb5_realm. If the ldap_sasl_authid
       contains the realm as well, this option is ignored.

       Default: the value of krb5_realm.

   ldap_sasl_canonicalize (boolean)
       If set to true, the LDAP library will perform a reverse lookup to
       canonicalize the host name during a SASL bind.

       Default: false

   ldap_krb5_keytab (string)
       Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO.

       Default: System keytab, normally /etc/krb5.keytab

   ldap_krb5_init_creds (boolean)
       Specifies that the id_provider should init Kerberos credentials
       (TGT). This action is performed only if SASL is used and the
       mechanism selected is GSSAPI or GSS-SPNEGO.

       Default: true

   ldap_krb5_ticket_lifetime (integer)
       Specifies the lifetime in seconds of the TGT if GSSAPI or
       GSS-SPNEGO is used.

       Default: 86400 (24 hours)

   krb5_server, krb5_backup_server (string)
       Specifies the comma-separated list of IP addresses or hostnames of
       the Kerberos servers to which SSSD should connect, in order of
       preference. For more information on failover and server redundancy,
       see the “FAILOVER” section. An optional port number (preceded by a
       colon) may be appended to the addresses or hostnames. If empty,
       service discovery is enabled - for more information, refer to the
       “SERVICE DISCOVERY” section.

       When using service discovery for KDC or kpasswd servers, SSSD first
       searches for DNS entries that specify _udp as the protocol and
       falls back to _tcp if none are found.

       This option was named “krb5_kdcip” in earlier releases of SSSD.
       While the legacy name is recognized for the time being, users are
       advised to migrate their config files to use “krb5_server” instead.

   krb5_realm (string)
       Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth).

       Default: System defaults, see /etc/krb5.conf

   krb5_canonicalize (boolean)
       Specifies if the host principal should be canonicalized when
       connecting to the LDAP server. This feature is available with MIT
       Kerberos >= 1.7

       Default: false

   krb5_use_kdcinfo (boolean)
       Specifies if the SSSD should instruct the Kerberos libraries what
       realm and which KDCs to use. This option is on by default; if you
       disable it, you need to configure the Kerberos library using the
       krb5.conf(5) configuration file.

       See the sssd_krb5_locator_plugin(8) manual page for more
       information on the locator plugin.

       Default: true

   ldap_pwd_policy (string)
       Select the policy to evaluate the password expiration on the client
       side. The following values are allowed:

       none - No evaluation on the client side. This option cannot disable
       server-side password policies.

       shadow - Use shadow(5) style attributes to evaluate if the password
       has expired.

       mit_kerberos - Use the attributes used by MIT Kerberos to determine
       if the password has expired. Use chpass_provider=krb5 to update
       these attributes when the password is changed.

       Default: none

       Note: if a password policy is configured on the server side, it
       always takes precedence over the policy set with this option.

   ldap_referrals (boolean)
       Specifies whether automatic referral chasing should be enabled.

       Please note that sssd only supports referral chasing when it is
       compiled with OpenLDAP version 2.4.13 or higher.

       Chasing referrals may incur a performance penalty in environments
       that use them heavily; a notable example is Microsoft Active
       Directory. If your setup does not in fact require the use of
       referrals, setting this option to false might bring a noticeable
       performance improvement.

       Default: true

   ldap_dns_service_name (string)
       Specifies the service name to use when service discovery is
       enabled.

       Default: ldap

   ldap_chpass_dns_service_name (string)
       Specifies the service name to use to find an LDAP server which
       allows password changes when service discovery is enabled.

       Default: not set, i.e. service discovery is disabled

   ldap_chpass_update_last_change (bool)
       Specifies whether to update the ldap_user_shadow_last_change
       attribute with days since the Epoch after a password change
       operation.

       Default: False

   ldap_access_filter (string)
       If using access_provider = ldap and ldap_access_order = filter
       (default), this option is mandatory. It specifies an LDAP search
       filter criteria that must be met for the user to be granted access
       on this host. If access_provider = ldap, ldap_access_order = filter
       and this option is not set, it will result in all users being
       denied access. Use access_provider = permit to change this default
       behavior. Please note that this filter is applied on the LDAP user
       entry only and thus filtering based on nested groups may not work
       (e.g. the memberOf attribute on AD entries points only to direct
       parents). If filtering based on nested groups is required, please
       see sssd-simple(5).

       Example:

           access_provider = ldap
           ldap_access_filter = (employeeType=admin)

       This example means that access to this host is restricted to users
       whose employeeType attribute is set to "admin".

       Offline caching for this feature is limited to determining whether
       the user's last online login was granted access permission. If they
       were granted access during their last login, they will continue to
       be granted access while offline and vice versa.

       Default: Empty
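       The following Python, added here and not part of SSSD, reads a
       constructed sssd.conf fragment with the standard configparser module
       and flags the weak LDAP domain settings this page warns about:
       ldap:// without StartTLS, a permissive ldap_tls_reqcert, a clear-text
       bind password, and access_provider = ldap without ldap_access_filter.
       The option names and their semantics are the page's; the finding
       texts, the sample values and the placeholder secrets are constructed,
       and a hardened variant of the same domain is included for contrast.

```python
"""Lint the LDAP domain settings of an sssd.conf for the weak choices that
sssd-ldap(5) warns about.  Added example, not part of SSSD: option names and
their meaning come from the manual page; the finding texts are ours."""
import configparser
from typing import Dict, List

TRUTHY = {"true", "yes", "1", "on"}

# Constructed sample: one id/auth/access LDAP domain with several weak settings.
WEAK_CONF = """
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
ldap_default_bind_dn = cn=sssd,ou=svc,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = placeholder-not-a-real-secret
"""

# The same domain with the settings the page recommends (paths are placeholders).
HARDENED_CONF = """
[domain/example]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /path/to/ca-bundle.crt
ldap_default_bind_dn = cn=sssd,ou=svc,dc=example,dc=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = placeholder-obfuscated-value
ldap_access_order = filter, expire
ldap_access_filter = (employeeType=admin)
ldap_account_expire_policy = shadow
"""


def _flag(section: configparser.SectionProxy, key: str, default: bool = False) -> bool:
    raw = section.get(key)
    return default if raw is None else raw.strip().lower() in TRUTHY


def audit_ldap_domain(section: configparser.SectionProxy) -> List[str]:
    """Return human-readable findings for one [domain/...] section."""
    findings = []
    uris = [u.strip().lower() for u in section.get("ldap_uri", "").split(",") if u.strip()]
    plain = [u for u in uris if u.startswith("ldap://")]
    if plain and not _flag(section, "ldap_id_use_start_tls"):
        if section.get("auth_provider") == "ldap":
            # sssd refuses to authenticate over an unencrypted channel.
            findings.append("auth_provider=ldap over ldap:// without "
                            "ldap_id_use_start_tls=true: TLS/SSL or LDAPS is required")
        else:
            findings.append("ldap:// without StartTLS: lookups and the bind "
                            "password cross the network in clear text")

    reqcert = section.get("ldap_tls_reqcert", "hard").strip().lower()
    if reqcert in ("never", "allow", "try"):
        findings.append(f"ldap_tls_reqcert={reqcert} tolerates a missing server "
                        "certificate; use demand or hard (the default)")

    if section.get("ldap_default_authtok") and \
            section.get("ldap_default_authtok_type", "password").strip() == "password":
        findings.append("ldap_default_authtok is stored in clear text; "
                        "ldap_default_authtok_type=obfuscated_password is available")

    if section.get("access_provider") == "ldap":
        order = [o.strip() for o in section.get("ldap_access_order", "filter").split(",")]
        if "filter" in order and not section.get("ldap_access_filter"):
            findings.append("access_provider=ldap with ldap_access_order=filter but no "
                            "ldap_access_filter: every user will be denied")
        if "expire" in order and not section.get("ldap_account_expire_policy"):
            findings.append("ldap_access_order contains expire but "
                            "ldap_account_expire_policy is not set")
        if len(order) != len(set(order)):
            findings.append("ldap_access_order repeats a value (configuration error)")
    return findings


def audit_conf(text: str) -> Dict[str, List[str]]:
    """Audit every domain section that uses id_provider = ldap."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    return {name: audit_ldap_domain(parser[name])
            for name in parser.sections()
            if name.startswith("domain/") and parser[name].get("id_provider") == "ldap"}
```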

   ldap_account_expire_policy (string)
       With this option a client side evaluation of access control
       attributes can be enabled.

       Please note that it is always recommended to use server side access
       control, i.e. the LDAP server should deny the bind request with a
       suitable error code even if the password is correct.

       The following values are allowed:

       shadow: use the value of ldap_user_shadow_expire to determine if
       the account is expired.

       ad: use the value of the 32-bit field
       ldap_user_ad_user_account_control and allow access if the second
       bit is not set. If the attribute is missing, access is granted. Also
       the expiration time of the account is checked.

       rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if
       access is allowed or not.

       nds: the values of ldap_user_nds_login_allowed_time_map,
       ldap_user_nds_login_disabled and
       ldap_user_nds_login_expiration_time are used to check if access is
       allowed. If both attributes are missing, access is granted.
       This is an experimental feature; please use
       https://pagure.io/SSSD/sssd/ to report any issues.

       Please note that the ldap_access_order configuration option must
       include “expire” in order for the ldap_account_expire_policy option
       to work.

       Default: Empty

   ldap_access_order (string)
       Comma separated list of access control options. Allowed values are:

       filter: use ldap_access_filter

       lockout: use account locking. If set, this option denies access in
       case the ldap attribute 'pwdAccountLockedTime' is present and has
       the value '000001010000Z'. Please see the option ldap_pwdlockout_dn.
       Please note that 'access_provider = ldap' must be set for this
       feature to work.

       Please note that this option is superseded by the “ppolicy” option
       and might be removed in a future release.

       ppolicy: use account locking. If set, this option denies access in
       case the ldap attribute 'pwdAccountLockedTime' is present and has
       the value '000001010000Z' or represents any time in the past. The
       value of the 'pwdAccountLockedTime' attribute must end with 'Z',
       which denotes the UTC time zone. Other time zones are not currently
       supported and will result in "access-denied" when users attempt to
       log in. Please see the option ldap_pwdlockout_dn. Please note that
       'access_provider = ldap' must be set for this feature to work.

       expire: use ldap_account_expire_policy

       pwd_expire_policy_reject, pwd_expire_policy_warn,
       pwd_expire_policy_renew: These options are useful if users are
       interested in being warned that their password is about to expire
       and authentication is based on a method other than passwords
       - for example SSH keys.

       The difference between these options is the action taken if the
       user's password is expired: pwd_expire_policy_reject - the user is
       denied login, pwd_expire_policy_warn - the user is still able to
       log in, pwd_expire_policy_renew - the user is prompted to change the
       password immediately.

       Note: If the user's password is expired, no explicit message is
       prompted by SSSD.

       Please note that 'access_provider = ldap' must be set for this
       feature to work. Also 'ldap_pwd_policy' must be set to an
       appropriate password policy.

       authorized_service: use the authorizedService attribute to
       determine access

       host: use the host attribute to determine access

       rhost: use the rhost attribute to determine whether the remote host
       can access

       Please note that the rhost field in PAM is set by the application;
       it is better to check what the application sends to PAM before
       enabling this access control option.

       Default: filter

       Please note that it is a configuration error if a value is used
       more than once.
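       The ppolicy and expire (ldap_account_expire_policy = ad) rules above,
       worked through as Python that is not SSSD's code: it evaluates
       pwdAccountLockedTime and userAccountControl/accountExpires the way
       the text describes and walks a comma-separated ldap_access_order
       list, rejecting repeated values. The FILETIME interpretation of
       accountExpires (100 ns units since 1601, with 0 and 2^63-1 meaning
       never) is Active Directory's convention, not stated on this page,
       and the sample entries are constructed.

```python
"""Client-side evaluation of two sssd-ldap(5) access-control rules.

Illustrative code, not SSSD's implementation:
  * "ppolicy"  -> pwdAccountLockedTime (must be UTC, i.e. end with 'Z')
  * "expire" with ldap_account_expire_policy = ad
               -> userAccountControl "second bit" plus accountExpires
"""
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"    # value quoted by the manual page
UAC_ACCOUNTDISABLE = 0x2            # the "second bit" of userAccountControl
# accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
# (AD convention, assumed here); 0 and 2**63-1 both mean "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AD_NEVER_EXPIRES = {0, 2**63 - 1}


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to AD's 100 ns FILETIME count."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def ppolicy_allows(pwd_account_locked_time, now=None):
    """Return (allowed, reason) for the "ppolicy" entry of ldap_access_order."""
    if pwd_account_locked_time is None:
        return True, "pwdAccountLockedTime absent"
    value = pwd_account_locked_time.strip()
    if value == PERMANENT_LOCK:
        return False, "account is permanently locked"
    if not value.endswith("Z"):
        # Non-UTC values are unsupported and result in access denied.
        return False, "pwdAccountLockedTime is not in UTC (no trailing 'Z')"
    try:
        locked_at = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, f"unparseable pwdAccountLockedTime {value!r}"
    now = now or datetime.now(timezone.utc)
    if locked_at <= now:
        return False, f"locked since {locked_at.isoformat()}"
    return True, "lock time is in the future"


def ad_expire_allows(user_account_control, account_expires, now=None):
    """Return (allowed, reason) for ldap_account_expire_policy = ad."""
    if user_account_control is not None:      # missing attribute grants access
        try:
            uac = int(user_account_control)
        except ValueError:
            return False, f"userAccountControl is not an integer: {user_account_control!r}"
        if uac & UAC_ACCOUNTDISABLE:
            return False, "userAccountControl has ACCOUNTDISABLE set"
    if account_expires is not None:
        try:
            ticks = int(account_expires)
        except ValueError:
            return False, f"accountExpires is not an integer: {account_expires!r}"
        if ticks not in AD_NEVER_EXPIRES:
            expires_at = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
            now = now or datetime.now(timezone.utc)
            if expires_at <= now:
                return False, f"account expired at {expires_at.isoformat()}"
    return True, "account enabled and not expired"


def evaluate_access_order(order, entry, now=None):
    """Walk an ldap_access_order list; deny on the first failing rule.

    `entry` maps LDAP attribute names to string values (missing -> None).
    Only "ppolicy" and "expire" (ad policy) are modelled in this example.
    """
    rules = [r.strip() for r in order.split(",") if r.strip()]
    if len(rules) != len(set(rules)):
        raise ValueError("ldap_access_order lists a value more than once")
    for rule in rules:
        if rule == "ppolicy":
            ok, why = ppolicy_allows(entry.get("pwdAccountLockedTime"), now)
        elif rule == "expire":
            ok, why = ad_expire_allows(entry.get("userAccountControl"),
                                       entry.get("accountExpires"), now)
        else:
            raise ValueError(f"rule {rule!r} is not modelled in this example")
        if not ok:
            return False, f"{rule}: {why}"
    return True, "all rules passed"


# Constructed sample entries, evaluated at a fixed instant.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = {
    "alice": {"userAccountControl": "512", "accountExpires": "0"},
    "bob":   {"userAccountControl": "514", "accountExpires": "0"},      # disabled
    "carol": {"userAccountControl": "512",
              "accountExpires": str(to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc)))},
    "dave":  {"pwdAccountLockedTime": PERMANENT_LOCK},
    "erin":  {"pwdAccountLockedTime": "20240101000000+0100"},          # not UTC
}
```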
723
724 ldap_pwdlockout_dn (string)
725 This option specifies the DN of password policy entry on LDAP
726 server. Please note that absence of this option in sssd.conf in
727 case of enabled account lockout checking will yield access denied
728 as ppolicy attributes on LDAP server cannot be checked properly.
729
730 Example: cn=ppolicy,ou=policies,dc=example,dc=com
731
732 Default: cn=ppolicy,ou=policies,$ldap_search_base
733
734 ldap_deref (string)
735 Specifies how alias dereferencing is done when performing a search.
736 The following options are allowed:
737
738 never: Aliases are never dereferenced.
739
740 searching: Aliases are dereferenced in subordinates of the base
741 object, but not in locating the base object of the search.
742
743 finding: Aliases are only dereferenced when locating the base
744 object of the search.
745
746 always: Aliases are dereferenced both in searching and in locating
747 the base object of the search.
748
749 Default: Empty (this is handled as never by the LDAP client
750 libraries)
751
752 ldap_rfc2307_fallback_to_local_users (boolean)
753 Allows to retain local users as members of an LDAP group for
754 servers that use the RFC2307 schema.
755
756 In some environments where the RFC2307 schema is used, local users
757 are made members of LDAP groups by adding their names to the
758 memberUid attribute. The self-consistency of the domain is
759 compromised when this is done, so SSSD would normally remove the
760 "missing" users from the cached group memberships as soon as
761 nsswitch tries to fetch information about the user via getpw*() or
762 initgroups() calls.
763
764 This option falls back to checking if local users are referenced,
765 and caches them so that later initgroups() calls will augment the
766 local users with the additional LDAP groups.
767
768 Default: false
769
770 wildcard_limit (integer)
771 Specifies an upper limit on the number of entries that are
772 downloaded during a wildcard lookup.
773
774 At the moment, only the InfoPipe responder supports wildcard
775 lookups.
776
777 Default: 1000 (often the size of one page)
778
780 The detailed instructions for configuration of sudo_provider are in the
781 manual page sssd-sudo(5).
782
783 ldap_sudo_full_refresh_interval (integer)
784 How many seconds SSSD will wait between executing a full refresh of
785 sudo rules (which downloads all rules that are stored on the
786 server).
787
788 The value must be greater than ldap_sudo_smart_refresh_interval
789
790 Default: 21600 (6 hours)
791
792 ldap_sudo_smart_refresh_interval (integer)
793 How many seconds SSSD has to wait before executing a smart refresh
794 of sudo rules (which downloads all rules that have USN higher than
795 the highest server USN value that is currently known by SSSD).
796
797 If USN attributes are not supported by the server, the
798 modifyTimestamp attribute is used instead.
799
800 Note: the highest USN value can be updated by three tasks: 1) By
801 sudo full and smart refresh (if updated rules are found), 2) by
802 enumeration of users and groups (if enabled and updated users or
803 groups are found) and 3) by reconnecting to the server (by default
804 every 15 minutes, see ldap_connection_expire_timeout).
805
806 Default: 900 (15 minutes)
807
808 ldap_sudo_use_host_filter (boolean)
809 If true, SSSD will download only rules that are applicable to this
810 machine (using the IPv4 or IPv6 host/network addresses and
811 hostnames).
812
813 Default: true
814
815 ldap_sudo_hostnames (string)
816 Space separated list of hostnames or fully qualified domain names
817 that should be used to filter the rules.
818
819 If this option is empty, SSSD will try to discover the hostname and
820 the fully qualified domain name automatically.
821
822 If ldap_sudo_use_host_filter is false then this option has no
823 effect.
824
825 Default: not specified
826
827 ldap_sudo_ip (string)
828 Space separated list of IPv4 or IPv6 host/network addresses that
829 should be used to filter the rules.
830
831 If this option is empty, SSSD will try to discover the addresses
832 automatically.
833
834 If ldap_sudo_use_host_filter is false then this option has no
835 effect.
836
837 Default: not specified
838
839 ldap_sudo_include_netgroups (boolean)
840 If true then SSSD will download every rule that contains a netgroup
841 in sudoHost attribute.
842
843 If ldap_sudo_use_host_filter is false then this option has no
844 effect.
845
846 Default: true
847
848 ldap_sudo_include_regexp (boolean)
849 If true then SSSD will download every rule that contains a wildcard
850 in sudoHost attribute.
851
852 If ldap_sudo_use_host_filter is false then this option has no
853 effect.
854
855 Note
856 Using a wildcard is an operation that is very costly to evaluate
857 on the LDAP server side!

858 Default: false
859
860 This manual page only describes attribute name mapping. For a detailed
861 explanation of sudo-related attribute semantics, see sudoers.ldap(5).
862
864 Some of the defaults for the parameters below are dependent on the LDAP
865 schema.
866
867 ldap_autofs_map_master_name (string)
868 The name of the automount master map in LDAP.
869
870 Default: auto.master
871
872 ldap_autofs_map_object_class (string)
873 The object class of an automount map entry in LDAP.
874
875 Default: nisMap (rfc2307, autofs_provider=ad), otherwise
876 automountMap
877
878 ldap_autofs_map_name (string)
879 The name of an automount map entry in LDAP.
880
881 Default: nisMapName (rfc2307, autofs_provider=ad), otherwise
882 automountMapName
883
884 ldap_autofs_entry_object_class (string)
885 The object class of an automount entry in LDAP. The entry usually
886 corresponds to a mount point.
887
888 Default: nisObject (rfc2307, autofs_provider=ad), otherwise
889 automount
890
891 ldap_autofs_entry_key (string)
892 The key of an automount entry in LDAP. The entry usually
893 corresponds to a mount point.
894
895 Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey
896
897 ldap_autofs_entry_value (string)
898 The value of an automount entry in LDAP. The entry usually
899 corresponds to a mount point.
900
901 Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise
902 automountInformation
903
904 Please note that the automounter only reads the master map on startup,
905 so if any autofs-related changes are made to sssd.conf, you
906 typically also need to restart the automounter daemon after restarting
907 SSSD.
908
910 These options are supported by LDAP domains, but they should be used
911 with caution. Please include them in your configuration only if you
912 know what you are doing.
913
914 ldap_netgroup_search_base (string)
915 An optional base DN, search scope and LDAP filter to restrict LDAP
916 searches for this attribute type.
917
918 syntax:
919
920 search_base[?scope?[filter][?search_base?scope?[filter]]*]
921
922 The scope can be one of "base", "onelevel" or "subtree". The scope
923 functions as specified in section 4.5.1.2 of
924 http://tools.ietf.org/html/rfc4511
925
926 The filter must be a valid LDAP search filter as specified by
927 http://www.ietf.org/rfc/rfc2254.txt
928
929 For examples of this syntax, please refer to the “ldap_search_base”
930 examples section.
931
932 Default: the value of ldap_search_base
933
934 Please note that specifying scope or filter is not supported for
935 searches against an Active Directory Server that might yield a
936 large number of results and trigger the Range Retrieval extension
937 in the response.
938
939 ldap_user_search_base (string)
940 An optional base DN, search scope and LDAP filter to restrict LDAP
941 searches for this attribute type.
942
943 syntax:
944
945 search_base[?scope?[filter][?search_base?scope?[filter]]*]
946
947 The scope can be one of "base", "onelevel" or "subtree". The scope
948 functions as specified in section 4.5.1.2 of
949 http://tools.ietf.org/html/rfc4511
950
951 The filter must be a valid LDAP search filter as specified by
952 http://www.ietf.org/rfc/rfc2254.txt
953
954 For examples of this syntax, please refer to the “ldap_search_base”
955 examples section.
956
957 Default: the value of ldap_search_base
958
959 Please note that specifying scope or filter is not supported for
960 searches against an Active Directory Server that might yield a
961 large number of results and trigger the Range Retrieval extension
962 in the response.
963
964 ldap_group_search_base (string)
965 An optional base DN, search scope and LDAP filter to restrict LDAP
966 searches for this attribute type.
967
968 syntax:
969
970 search_base[?scope?[filter][?search_base?scope?[filter]]*]
971
972 The scope can be one of "base", "onelevel" or "subtree". The scope
973 functions as specified in section 4.5.1.2 of
974 http://tools.ietf.org/html/rfc4511
975
976 The filter must be a valid LDAP search filter as specified by
977 http://www.ietf.org/rfc/rfc2254.txt
978
979 For examples of this syntax, please refer to the “ldap_search_base”
980 examples section.
981
982 Default: the value of ldap_search_base
983
984 Please note that specifying scope or filter is not supported for
985 searches against an Active Directory Server that might yield a
986 large number of results and trigger the Range Retrieval extension
987 in the response.
988
989 Note
990 If the option “ldap_use_tokengroups” is enabled, the searches
991 against Active Directory will not be restricted and will return all
992 group memberships, even with no GID mapping. It is recommended to
993 disable this feature if group names are not being displayed
994 correctly.
995
996 ldap_sudo_search_base (string)
997 An optional base DN, search scope and LDAP filter to restrict LDAP
998 searches for this attribute type.
999
1000 syntax:
1001
1002 search_base[?scope?[filter][?search_base?scope?[filter]]*]
1003
1004 The scope can be one of "base", "onelevel" or "subtree". The scope
1005 functions as specified in section 4.5.1.2 of
1006 http://tools.ietf.org/html/rfc4511
1007
1008 The filter must be a valid LDAP search filter as specified by
1009 http://www.ietf.org/rfc/rfc2254.txt
1010
1011 For examples of this syntax, please refer to the “ldap_search_base”
1012 examples section.
1013
1014 Default: the value of ldap_search_base
1015
1016 Please note that specifying scope or filter is not supported for
1017 searches against an Active Directory Server that might yield a
1018 large number of results and trigger the Range Retrieval extension
1019 in the response.
1020
1021 ldap_autofs_search_base (string)
1022 An optional base DN, search scope and LDAP filter to restrict LDAP
1023 searches for this attribute type.
1024
1025 syntax:
1026
1027 search_base[?scope?[filter][?search_base?scope?[filter]]*]
1028
1029 The scope can be one of "base", "onelevel" or "subtree". The scope
1030 functions as specified in section 4.5.1.2 of
1031 http://tools.ietf.org/html/rfc4511
1032
1033 The filter must be a valid LDAP search filter as specified by
1034 http://www.ietf.org/rfc/rfc2254.txt
1035
1036 For examples of this syntax, please refer to the “ldap_search_base”
1037 examples section.
1038
1039 Default: the value of ldap_search_base
1040
1041 Please note that specifying scope or filter is not supported for
1042 searches against an Active Directory Server that might yield a
1043 large number of results and trigger the Range Retrieval extension
1044 in the response.
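As an added example (not SSSD's own code), the following Python parses the search_base[?scope?[filter][?search_base?scope?[filter]]*] syntax shared by all of the ldap_*_search_base options above and validates each scope and filter. It assumes the value is split on "?" (so a "?" inside a filter is not supported) and that "subtree" is the scope when none is given.

```python
from typing import List, NamedTuple, Optional

SCOPES = ("base", "onelevel", "subtree")


class SearchBase(NamedTuple):
    base: str                # base DN
    scope: str               # one of SCOPES
    filter: Optional[str]    # None when no filter was given


def check_filter(flt: str) -> None:
    """Minimal RFC 2254 sanity check: parenthesised and balanced."""
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {flt!r}")
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        raise ValueError(f"unbalanced parentheses in filter: {flt!r}")


def parse_search_base(value: str) -> List[SearchBase]:
    """Parse search_base[?scope?[filter][?search_base?scope?[filter]]*].

    The string is split on '?', so a '?' inside a filter value is not
    supported here (assumption). A value with no '?' at all is a plain
    base DN, for which 'subtree' is assumed as the scope.
    """
    parts = value.strip().split("?")
    if len(parts) == 1:
        if not parts[0]:
            raise ValueError("empty search base")
        return [SearchBase(parts[0], "subtree", None)]
    entries: List[SearchBase] = []
    for i in range(0, len(parts), 3):
        group = parts[i:i + 3]          # base, scope, [filter]
        if len(group) < 2 or not group[0]:
            raise ValueError(f"expected base?scope?[filter] at {group!r}")
        base, scope = group[0], group[1]
        flt = group[2] if len(group) == 3 else ""
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}; use one of {SCOPES}")
        if flt:
            check_filter(flt)
        entries.append(SearchBase(base, scope, flt or None))
    return entries


if __name__ == "__main__":
    # Constructed sample: two bases, the first with a filter, the second without.
    sample = ("ou=people,dc=mydomain,dc=org?onelevel?(objectClass=posixAccount)"
              "?ou=contractors,dc=mydomain,dc=org?subtree?")
    for entry in parse_search_base(sample):
        print(entry)
```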
1045
1046 FAILOVER
1047 The failover feature allows back ends to automatically switch to a
1048 different server if the current server fails.
1049
1050 Failover Syntax
1051 The list of servers is given as a comma-separated list; any number of
1052 spaces is allowed around the comma. The servers are listed in order of
1053 preference. The list can contain any number of servers.
1054
1055 For each failover-enabled config option, two variants exist: primary
1056 and backup. The idea is that servers in the primary list are preferred
1057 and backup servers are only searched if no primary servers can be
1058 reached. If a backup server is selected, a timeout of 31 seconds is
1059 set. After this timeout SSSD will periodically try to reconnect to one
1060 of the primary servers. If it succeeds, it will replace the current
1061 active (backup) server.
1062
1063 The Failover Mechanism
1064 The failover mechanism distinguishes between a machine and a service.
1065 The back end first tries to resolve the hostname of a given machine; if
1066 this resolution attempt fails, the machine is considered offline. No
1067 further attempts are made to connect to this machine for any other
1068 service. If the resolution attempt succeeds, the back end tries to
1069 connect to a service on this machine. If the service connection attempt
1070 fails, then only this particular service is considered offline and the
1071 back end automatically switches over to the next service. The machine
1072 is still considered online and might still be tried for another
1073 service.
1074
1075 Further connection attempts are made to machines or services marked as
1076 offline after a specified period of time; this is currently hard coded
1077 to 30 seconds.
1078
1079 If there are no more machines to try, the back end as a whole switches
1080 to offline mode, and then attempts to reconnect every 30 seconds.
1081
1082 Failover timeouts and tuning
1083 Resolving a server to connect to can be as simple as running a single
1084 DNS query or can involve several steps, such as finding the correct
1085 site or trying out multiple host names in case some of the configured
1086 servers are not reachable. The more complex scenarios can take some
1087 time and SSSD needs to balance between providing enough time to finish
1088 the resolution process but on the other hand, not trying for too long
1089 before falling back to offline mode. If the SSSD debug logs show that
1090 the server resolution is timing out before a live server is contacted,
1091 you can consider changing the timeouts.
1092
1093 This section lists the available tunables. Please refer to their
1094 description in the sssd.conf(5) manual page.
1095
1096 dns_resolver_server_timeout
1097 Time in milliseconds that SSSD talks to a single DNS server before
1098 trying the next one.
1099
1100 Default: 1000
1101
1102 dns_resolver_op_timeout
1103 Time in seconds that SSSD tries to resolve a single DNS query
1104 (e.g. resolution of a hostname or an SRV record) before trying the
1105 next hostname or discovery domain.
1106
1107 Default: 2
1108
1109 dns_resolver_timeout
1110 How long SSSD tries to resolve a failover service. This service
1111 resolution internally might include several steps, such as
1112 resolving DNS SRV queries or locating the site.
1113
1114 Default: 4
1115
1116 For LDAP-based providers, the resolve operation is performed as part of
1117 an LDAP connection operation. Therefore, the “ldap_opt_timeout”
1118 timeout should also be set to a larger value than “dns_resolver_timeout”,
1119 which in turn should be set to a larger value than
1120 “dns_resolver_op_timeout”, which should be larger than
1121 “dns_resolver_server_timeout”.
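The ordering just described, checked against the [domain/...] section of a sssd.conf by an added example that is not an SSSD tool. The ldap_opt_timeout default of 8 seconds is assumed from elsewhere in sssd-ldap(5) (it is not listed in this section), and the sample configuration is constructed; note the millisecond unit of dns_resolver_server_timeout.

```python
import configparser
from typing import Dict, List

# Defaults as listed in this section (seconds, except the server timeout,
# which is in milliseconds). The ldap_opt_timeout default of 8 s is an
# assumption taken from elsewhere in sssd-ldap(5), not from this section.
DEFAULTS: Dict[str, int] = {
    "ldap_opt_timeout": 8,
    "dns_resolver_timeout": 4,
    "dns_resolver_op_timeout": 2,
    "dns_resolver_server_timeout": 1000,
}
# Outermost to innermost; each value must be larger than the next.
CHAIN = list(DEFAULTS)


def effective_timeouts(conf_text: str, domain: str) -> Dict[str, int]:
    """Read the tunables for [domain/<domain>], filling in the defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise ValueError(f"no [{section}] section in configuration")
    return {key: int(cp.get(section, key, fallback=default))
            for key, default in DEFAULTS.items()}


def check_timeout_order(timeouts: Dict[str, int]) -> List[str]:
    """Return the ordering violations; an empty list means the chain holds."""
    secs = {k: float(v) for k, v in timeouts.items()}
    secs["dns_resolver_server_timeout"] /= 1000.0   # ms -> s for comparison
    problems = []
    for outer, inner in zip(CHAIN, CHAIN[1:]):
        if secs[outer] <= secs[inner]:
            problems.append(f"{outer} ({secs[outer]:g} s) must be larger "
                            f"than {inner} ({secs[inner]:g} s)")
    return problems


# Constructed sample: dns_resolver_timeout was raised for a slow multi-site
# lookup, but ldap_opt_timeout was left at its default.
SAMPLE_CONF = """\
[sssd]
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
dns_resolver_timeout = 10
"""

if __name__ == "__main__":
    for problem in check_timeout_order(effective_timeouts(SAMPLE_CONF, "LDAP")):
        print("WARNING:", problem)
```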
1122
1123 SERVICE DISCOVERY
1124 The service discovery feature allows back ends to automatically find
1125 the appropriate servers to connect to using a special DNS query. This
1126 feature is not supported for backup servers.
1127
1128 Configuration
1129 If no servers are specified, the back end automatically uses service
1130 discovery to try to find a server. Optionally, the user may choose to
1131 use both fixed server addresses and service discovery by inserting a
1132 special keyword, “_srv_”, in the list of servers. The order of
1133 preference is maintained. This feature is useful if, for example, the
1134 user prefers to use service discovery whenever possible, and fall back
1135 to a specific server when no servers can be discovered using DNS.
1136
1137 The domain name
1138 Please refer to the “dns_discovery_domain” parameter in the
1139 sssd.conf(5) manual page for more details.
1140
1141 The protocol
1142 The queries usually specify _tcp as the protocol. Exceptions are
1143 documented in the respective option description.
1144
1145 See Also
1146 For more information on the service discovery mechanism, refer to RFC
1147 2782.
1148
1150 The ID-mapping feature allows SSSD to act as a client of Active
1151 Directory without requiring administrators to extend user attributes to
1152 support POSIX attributes for user and group identifiers.
1153
1154 NOTE: When ID-mapping is enabled, the uidNumber and gidNumber
1155 attributes are ignored. This is to avoid the possibility of conflicts
1156 between automatically-assigned and manually-assigned values. If you
1157 need to use manually-assigned values, ALL values must be
1158 manually-assigned.
1159
1160 Please note that changing the ID mapping related configuration options
1161 will cause user and group IDs to change. At the moment, SSSD does not
1162 support changing IDs, so the SSSD database must be removed. Because
1163 cached passwords are also stored in the database, removing the database
1164 should only be performed while the authentication servers are
1165 reachable, otherwise users might get locked out. In order to cache the
1166 password, an authentication must be performed. It is not sufficient to
1167 use sss_cache(8) to remove the database; rather, the process consists
1168 of:
1169
1170 · Making sure the remote servers are reachable
1171
1172 · Stopping the SSSD service
1173
1174 · Removing the database
1175
1176 · Starting the SSSD service
1177
1178 Moreover, as the change of IDs might necessitate the adjustment of
1179 other system properties such as file and directory ownership, it's
1180 advisable to plan ahead and test the ID mapping configuration
1181 thoroughly.
1182
1183 Mapping Algorithm
1184 Active Directory provides an objectSID for every user and group object
1185 in the directory. This objectSID can be broken up into components that
1186 represent the Active Directory domain identity and the relative
1187 identifier (RID) of the user or group object.
1188
1189 The SSSD ID-mapping algorithm takes a range of available UIDs and
1190 divides it into equally-sized component sections called "slices".
1191 Each slice represents the space available to an Active Directory
1192 domain.
1193
1194 When a user or group entry for a particular domain is encountered for
1195 the first time, the SSSD allocates one of the available slices for that
1196 domain. In order to make this slice-assignment repeatable on different
1197 client machines, we select the slice based on the following algorithm:
1198
1199 The SID string is passed through the murmurhash3 algorithm to convert
1200 it to a 32-bit hashed value. We then take the modulus of this value
1201 with the total number of available slices to pick the slice.
1202
1203 NOTE: It is possible to encounter collisions in the hash and subsequent
1204 modulus. In these situations, we will select the next available slice,
1205 but it may not be possible to reproduce the same exact set of slices on
1206 other machines (since the order that they are encountered will
1207 determine their slice). In this situation, it is recommended to either
1208 switch to using explicit POSIX attributes in Active Directory
1209 (disabling ID-mapping) or configure a default domain to guarantee that
1210 at least one is always consistent. See “Configuration” for details.
1211
1212 Configuration
1213 Minimum configuration (in the “[domain/DOMAINNAME]” section):
1214
1215 ldap_id_mapping = True
1216 ldap_schema = ad
1217
1218 The default configuration results in configuring 10,000 slices, each
1219 capable of holding up to 200,000 IDs, starting from 200,000 and going
1220 up to 2,000,200,000. This should be sufficient for most deployments.
1221
1222 Advanced Configuration
1223 ldap_idmap_range_min (integer)
1224 Specifies the lower bound of the range of POSIX IDs to use for
1225 mapping Active Directory user and group SIDs.
1226
1227 NOTE: This option is different from “min_id” in that “min_id”
1228 acts to filter the output of requests to this domain, whereas
1229 this option controls the range of ID assignment. This is a
1230 subtle distinction, but the good general advice would be to
1231 have “min_id” be less-than or equal to “ldap_idmap_range_min”.
1232
1233 Default: 200000
1234
1235 ldap_idmap_range_max (integer)
1236 Specifies the upper bound of the range of POSIX IDs to use for
1237 mapping Active Directory user and group SIDs.
1238
1239 NOTE: This option is different from “max_id” in that “max_id”
1240 acts to filter the output of requests to this domain, whereas
1241 this option controls the range of ID assignment. This is a
1242 subtle distinction, but the good general advice would be to
1243 have “max_id” be greater-than or equal to
1244 “ldap_idmap_range_max”.
1245
1246 Default: 2000200000
1247
1248 ldap_idmap_range_size (integer)
1249 Specifies the number of IDs available for each slice. If the
1250 range size does not divide evenly into the min and max values,
1251 it will create as many complete slices as it can.
1252
1253 NOTE: The value of this option must be at least as large as the
1254 highest user RID planned for use on the Active Directory
1255 server. User lookups and login will fail for any user whose RID
1256 is greater than this value.
1257
1258 For example, if your most recently-added Active Directory user
1259 has objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107,
1260 “ldap_idmap_range_size” must be at least 1108 as range size is
1261 equal to maximal SID minus minimal SID plus one (e.g. 1108 =
1262 1107 - 0 + 1).
1263
1264 It is important to plan ahead for future expansion, as changing
1265 this value will result in changing all of the ID mappings on
1266 the system, leading to users with different local IDs than they
1267 previously had.
1268
1269 Default: 200000
1270
1271 ldap_idmap_default_domain_sid (string)
1272 Specify the domain SID of the default domain. This will
1273 guarantee that this domain will always be assigned to slice
1274 zero in the ID map, bypassing the murmurhash algorithm
1275 described above.
1276
1277 Default: not set
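A worked model of the slice selection described under “Mapping Algorithm”, of the ldap_idmap_range_size limit on RIDs, and of ldap_idmap_default_domain_sid pinning a domain to slice zero. This is an added example, not SSSD's own idmap code: the murmurhash3 seed (0xdeadbeef) and the next-available-slice collision handling are assumptions; the defaults and the sample objectSid are the ones given on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MASK = 0xFFFFFFFF
SEED = 0xDEADBEEF   # assumed hash seed; the page does not state SSSD's


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK


def murmurhash3_32(data: bytes, seed: int) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's public-domain algorithm)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK
    blocks, tail_len = divmod(len(data), 4)
    for i in range(blocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        h ^= _rotl32((k * c1) & MASK, 15) * c2 & MASK
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK
    if tail_len:                      # remaining 1-3 bytes
        k = int.from_bytes(data[4 * blocks:], "little")
        h ^= _rotl32((k * c1) & MASK, 15) * c2 & MASK
    h ^= len(data)
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & MASK
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & MASK
    return h ^ (h >> 16)


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-...-RID' into the domain SID and the RID."""
    dom_sid, _, rid = sid.rpartition("-")
    if not dom_sid.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"malformed SID: {sid!r}")
    return dom_sid, int(rid)


@dataclass
class IdMap:
    range_min: int = 200000                   # ldap_idmap_range_min
    range_max: int = 2000200000               # ldap_idmap_range_max
    range_size: int = 200000                  # ldap_idmap_range_size
    default_domain_sid: Optional[str] = None  # ldap_idmap_default_domain_sid
    slices: Dict[str, int] = field(default_factory=dict)  # domain SID -> slice

    @property
    def slice_count(self) -> int:
        """Only complete slices are created (10000 with the defaults)."""
        return (self.range_max - self.range_min + 1) // self.range_size

    def slice_for(self, dom_sid: str) -> int:
        if dom_sid in self.slices:
            return self.slices[dom_sid]
        taken = set(self.slices.values())
        if self.default_domain_sid:
            taken.add(0)                      # slice zero is reserved
        if dom_sid == self.default_domain_sid:
            chosen = 0
        else:
            chosen = murmurhash3_32(dom_sid.encode(), SEED) % self.slice_count
            while chosen in taken:            # collision: next available slice
                chosen = (chosen + 1) % self.slice_count
        self.slices[dom_sid] = chosen
        return chosen

    def sid_to_id(self, sid: str) -> int:
        dom_sid, rid = split_sid(sid)
        if rid >= self.range_size:
            raise ValueError(f"RID {rid} needs ldap_idmap_range_size > {rid}")
        return self.range_min + self.slice_for(dom_sid) * self.range_size + rid
```

Two clients with the same configuration compute the same slice for a domain, which is what makes the mapping repeatable; the collision branch is the one case where the order of first contact decides.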
1278
1279 ldap_idmap_default_domain (string)
1280 Specify the name of the default domain.
1281
1282 Default: not set
1283
1284 ldap_idmap_autorid_compat (boolean)
1285 Changes the behavior of the ID-mapping algorithm to behave more
1286 similarly to winbind's “idmap_autorid” algorithm.
1287
1288 When this option is configured, domains will be allocated
1289 starting with slice zero and increasing monotonically with each
1290 additional domain.
1291
1292 NOTE: This algorithm is non-deterministic (it depends on the
1293 order that users and groups are requested). If this mode is
1294 required for compatibility with machines running winbind, it is
1295 recommended to also use the “ldap_idmap_default_domain_sid”
1296 option to guarantee that at least one domain is consistently
1297 allocated to slice zero.
1298
1299 Default: False
1300
1301 ldap_idmap_helper_table_size (integer)
1302 Maximal number of secondary slices that are tried when
1303 mapping a UNIX id to a SID.
1304
1305 Note: Additional secondary slices might be generated when a SID
1306 is being mapped to a UNIX id and the RID part of the SID is out of
1307 range for the secondary slices generated so far. If the value of
1308 ldap_idmap_helper_table_size is equal to 0 then no additional
1309 secondary slices are generated.
1310
1311 Default: 10
1312
1313 Well-Known SIDs
1314 SSSD supports looking up the names of Well-Known SIDs, i.e. SIDs with a
1315 special hardcoded meaning. Since the generic users and groups related
1316 to those Well-Known SIDs have no equivalent in a Linux/UNIX environment,
1317 no POSIX IDs are available for those objects.
1318
1319 The SID name space is organized in authorities which can be seen as
1320 different domains. The authorities for the Well-Known SIDs are
1321
1322 · Null Authority
1323
1324 · World Authority
1325
1326 · Local Authority
1327
1328 · Creator Authority
1329
1330 · NT Authority
1331
1332 · Built-in
1333
1334 The capitalized versions of these names are used as domain names when
1335 returning the fully qualified name of a Well-Known SID.
1336
1337 Since some utilities allow SID-based access control information to be
1338 modified with the help of a name instead of using the SID directly,
1339 SSSD supports looking up the SID by name as well. To avoid
1340 collisions only the fully qualified names can be used to look up
1341 Well-Known SIDs. As a result the domain names “NULL AUTHORITY”, “WORLD
1342 AUTHORITY”, “LOCAL AUTHORITY”, “CREATOR AUTHORITY”, “NT AUTHORITY” and
1343 “BUILTIN” should not be used as domain names in sssd.conf.
1344
1346 The following example assumes that SSSD is correctly configured and
1347 LDAP is set to one of the domains in the [domains] section.
1348
1349 [domain/LDAP]
1350 id_provider = ldap
1351 auth_provider = ldap
1352 ldap_uri = ldap://ldap.mydomain.org
1353 ldap_search_base = dc=mydomain,dc=org
1354 ldap_tls_reqcert = demand
1355 cache_credentials = true
1356
1357
1359 The following example assumes that SSSD is correctly configured and
1360 set to use ldap_access_order=lockout.
1361
1362 [domain/LDAP]
1363 id_provider = ldap
1364 auth_provider = ldap
1365 access_provider = ldap
1366 ldap_access_order = lockout
1367 ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org
1368 ldap_uri = ldap://ldap.mydomain.org
1369 ldap_search_base = dc=mydomain,dc=org
1370 ldap_tls_reqcert = demand
1371 cache_credentials = true
1372
1373
1375 The descriptions of some of the configuration options in this manual
1376 page are based on the ldap.conf(5) manual page from the OpenLDAP 2.4
1377 distribution.
1378
1379 SEE ALSO
1380 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
1381 sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
1382 sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
1383 sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
1384 sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
1385 pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5)
1386
1387 AUTHORS
1388 The SSSD upstream - https://pagure.io/SSSD/sssd/
1389
1390
1391
1392SSSD 02/26/2020 SSSD-LDAP(5)