1SSSD-LDAP-ATTRIBUT(5)    File Formats and Conventions    SSSD-LDAP-ATTRIBUT(5)
2
3
4

NAME

6       sssd-ldap-attributes - SSSD LDAP Provider: Mapping Attributes
7

DESCRIPTION

9       This manual page describes the mapping attributes of SSSD LDAP provider
10       sssd-ldap(5). Refer to the sssd-ldap(5) manual page for full details
11       about SSSD LDAP provider configuration options.
12

USER ATTRIBUTES

14       ldap_user_object_class (string)
15           The object class of a user entry in LDAP.
16
17           Default: posixAccount
18
19       ldap_user_name (string)
20           The LDAP attribute that corresponds to the user's login name.
21
22           Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
23
24       ldap_user_uid_number (string)
25           The LDAP attribute that corresponds to the user's id.
26
27           Default: uidNumber
28
29       ldap_user_gid_number (string)
30           The LDAP attribute that corresponds to the user's primary group id.
31
32           Default: gidNumber
33
34       ldap_user_primary_group (string)
35           Active Directory primary group attribute for ID-mapping. Note that
36           this attribute should only be set manually if you are running the
37           “ldap” provider with ID mapping.
38
39           Default: unset (LDAP), primaryGroupID (AD)
40
41       ldap_user_gecos (string)
42           The LDAP attribute that corresponds to the user's gecos field.
43
44           Default: gecos
45
46       ldap_user_home_directory (string)
47           The LDAP attribute that contains the name of the user's home
48           directory.
49
50           Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)
51
52       ldap_user_shell (string)
53           The LDAP attribute that contains the path to the user's default
54           shell.
55
56           Default: loginShell
57
58       ldap_user_uuid (string)
59           The LDAP attribute that contains the UUID/GUID of an LDAP user
60           object.
61
62           Default: not set in the general case, objectGUID for AD and
63           ipaUniqueID for IPA
64
65       ldap_user_objectsid (string)
66           The LDAP attribute that contains the objectSID of an LDAP user
67           object. This is usually only necessary for ActiveDirectory servers.
68
69           Default: objectSid for ActiveDirectory, not set for other servers.
70
71       ldap_user_modify_timestamp (string)
72           The LDAP attribute that contains timestamp of the last modification
73           of the parent object.
74
75           Default: modifyTimestamp
76
77       ldap_user_shadow_last_change (string)
78           When using ldap_pwd_policy=shadow, this parameter contains the name
79           of an LDAP attribute corresponding to its shadow(5) counterpart
80           (date of the last password change).
81
82           Default: shadowLastChange
83
84       ldap_user_shadow_min (string)
85           When using ldap_pwd_policy=shadow, this parameter contains the name
86           of an LDAP attribute corresponding to its shadow(5) counterpart
87           (minimum password age).
88
89           Default: shadowMin
90
91       ldap_user_shadow_max (string)
92           When using ldap_pwd_policy=shadow, this parameter contains the name
93           of an LDAP attribute corresponding to its shadow(5) counterpart
94           (maximum password age).
95
96           Default: shadowMax
97
98       ldap_user_shadow_warning (string)
99           When using ldap_pwd_policy=shadow, this parameter contains the name
100           of an LDAP attribute corresponding to its shadow(5) counterpart
101           (password warning period).
102
103           Default: shadowWarning
104
105       ldap_user_shadow_inactive (string)
106           When using ldap_pwd_policy=shadow, this parameter contains the name
107           of an LDAP attribute corresponding to its shadow(5) counterpart
108           (password inactivity period).
109
110           Default: shadowInactive
111
112       ldap_user_shadow_expire (string)
113           When using ldap_pwd_policy=shadow or
114           ldap_account_expire_policy=shadow, this parameter contains the name
115           of an LDAP attribute corresponding to its shadow(5) counterpart
116           (account expiration date).
117
118           Default: shadowExpire
119
120       ldap_user_krb_last_pwd_change (string)
121           When using ldap_pwd_policy=mit_kerberos, this parameter contains
122           the name of an LDAP attribute storing the date and time of last
123           password change in kerberos.
124
125           Default: krbLastPwdChange
126
127       ldap_user_krb_password_expiration (string)
128           When using ldap_pwd_policy=mit_kerberos, this parameter contains
129           the name of an LDAP attribute storing the date and time when
130           current password expires.
131
132           Default: krbPasswordExpiration
133
134       ldap_user_ad_account_expires (string)
135           When using ldap_account_expire_policy=ad, this parameter contains
136           the name of an LDAP attribute storing the expiration time of the
137           account.
138
139           Default: accountExpires
140
141       ldap_user_ad_user_account_control (string)
142           When using ldap_account_expire_policy=ad, this parameter contains
143           the name of an LDAP attribute storing the user account control bit
144           field.
145
146           Default: userAccountControl
147
148       ldap_ns_account_lock (string)
149           When using ldap_account_expire_policy=rhds or equivalent, this
150           parameter determines if access is allowed or not.
151
152           Default: nsAccountLock
153
154       ldap_user_nds_login_disabled (string)
155           When using ldap_account_expire_policy=nds, this attribute
156           determines if access is allowed or not.
157
158           Default: loginDisabled
159
160       ldap_user_nds_login_expiration_time (string)
161           When using ldap_account_expire_policy=nds, this attribute
162           determines until which date access is granted.
163
164           Default: loginDisabled
165
166       ldap_user_nds_login_allowed_time_map (string)
167           When using ldap_account_expire_policy=nds, this attribute
168           determines the hours of a day in a week when access is granted.
169
170           Default: loginAllowedTimeMap
171
172       ldap_user_principal (string)
173           The LDAP attribute that contains the user's Kerberos User Principal
174           Name (UPN).
175
176           Default: krbPrincipalName
177
178       ldap_user_extra_attrs (string)
179           Comma-separated list of LDAP attributes that SSSD would fetch along
180           with the usual set of user attributes.
181
182           The list can either contain LDAP attribute names only, or
183           colon-separated tuples of SSSD cache attribute name and LDAP
184           attribute name. In case only LDAP attribute name is specified, the
185           attribute is saved to the cache verbatim. Using a custom SSSD
186           attribute name might be required by environments that configure
187           several SSSD domains with different LDAP schemas.
188
189           Please note that several attribute names are reserved by SSSD,
190           notably the “name” attribute. SSSD would report an error if any of
191           the reserved attribute names is used as an extra attribute name.
192
193           Examples:
194
195           ldap_user_extra_attrs = telephoneNumber
196
197           Save the “telephoneNumber” attribute from LDAP as “telephoneNumber”
198           to the cache.
199
200           ldap_user_extra_attrs = phone:telephoneNumber
201
202           Save the “telephoneNumber” attribute from LDAP as “phone” to the
203           cache.
204
205           Default: not set
206
207       ldap_user_ssh_public_key (string)
208           The LDAP attribute that contains the user's SSH public keys.
209
210           Default: sshPublicKey
211
212       ldap_user_fullname (string)
213           The LDAP attribute that corresponds to the user's full name.
214
215           Default: cn
216
217       ldap_user_member_of (string)
218           The LDAP attribute that lists the user's group memberships.
219
220           Default: memberOf
221
222       ldap_user_authorized_service (string)
223           If access_provider=ldap and ldap_access_order=authorized_service,
224           SSSD will use the presence of the authorizedService attribute in
225           the user's LDAP entry to determine access privilege.
226
227           An explicit deny (!svc) is resolved first. Second, SSSD searches
228           for explicit allow (svc) and finally for allow_all (*).
229
230           Please note that the ldap_access_order configuration option must
231           include “authorized_service” in order for the
232           ldap_user_authorized_service option to work.
233
234           Some distributions (such as Fedora-29+ or RHEL-8) always include
235           the “systemd-user” PAM service as part of the login process.
236           Therefore when using service-based access control, the
237           “systemd-user” service might need to be added to the list of
238           allowed services.
239
240           Default: authorizedService
241
242       ldap_user_authorized_host (string)
243           If access_provider=ldap and ldap_access_order=host, SSSD will use
244           the presence of the host attribute in the user's LDAP entry to
245           determine access privilege.
246
247           An explicit deny (!host) is resolved first. Second, SSSD searches
248           for explicit allow (host) and finally for allow_all (*).
249
250           Please note that the ldap_access_order configuration option must
251           include “host” in order for the ldap_user_authorized_host option to
252           work.
253
254           Default: host
255
256       ldap_user_authorized_rhost (string)
257           If access_provider=ldap and ldap_access_order=rhost, SSSD will use
258           the presence of the rhost attribute in the user's LDAP entry to
259           determine access privilege. Similarly to host verification process.
260
261           An explicit deny (!rhost) is resolved first. Second, SSSD searches
262           for explicit allow (rhost) and finally for allow_all (*).
263
264           Please note that the ldap_access_order configuration option must
265           include “rhost” in order for the ldap_user_authorized_rhost option
266           to work.
267
268           Default: rhost
269
270       ldap_user_certificate (string)
271           Name of the LDAP attribute containing the X509 certificate of the
272           user.
273
274           Default: userCertificate;binary
275
276       ldap_user_email (string)
277           Name of the LDAP attribute containing the email address of the
278           user.
279
280           Note: If an email address of a user conflicts with an email address
281           or fully qualified name of another user, then SSSD will not be able
282           to serve those users properly. If for some reason several users
283           need to share the same email address then set this option to a
284           nonexistent attribute name in order to disable user lookup/login by
285           email.
286
287           Default: mail
288

GROUP ATTRIBUTES

290       ldap_group_object_class (string)
291           The object class of a group entry in LDAP.
292
293           Default: posixGroup
294
295       ldap_group_name (string)
296           The LDAP attribute that corresponds to the group name.
297
298           Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
299
300       ldap_group_gid_number (string)
301           The LDAP attribute that corresponds to the group's id.
302
303           Default: gidNumber
304
305       ldap_group_member (string)
306           The LDAP attribute that contains the names of the group's members.
307
308           Default: memberuid (rfc2307) / member (rfc2307bis)
309
310       ldap_group_uuid (string)
311           The LDAP attribute that contains the UUID/GUID of an LDAP group
312           object.
313
314           Default: not set in the general case, objectGUID for AD and
315           ipaUniqueID for IPA
316
317       ldap_group_objectsid (string)
318           The LDAP attribute that contains the objectSID of an LDAP group
319           object. This is usually only necessary for ActiveDirectory servers.
320
321           Default: objectSid for ActiveDirectory, not set for other servers.
322
323       ldap_group_modify_timestamp (string)
324           The LDAP attribute that contains timestamp of the last modification
325           of the parent object.
326
327           Default: modifyTimestamp
328
329       ldap_group_type (string)
330           The LDAP attribute that contains an integer value indicating the
331           type of the group and maybe other flags.
332
333           This attribute is currently only used by the AD provider to
334           determine if a group is a domain local groups and has to be
335           filtered out for trusted domains.
336
337           Default: groupType in the AD provider, otherwise not set
338
339       ldap_group_external_member (string)
340           The LDAP attribute that references group members that are defined
341           in an external domain. At the moment, only IPA's external members
342           are supported.
343
344           Default: ipaExternalMember in the IPA provider, otherwise unset.
345

NETGROUP ATTRIBUTES

347       ldap_netgroup_object_class (string)
348           The object class of a netgroup entry in LDAP.
349
350           In IPA provider, ipa_netgroup_object_class should be used instead.
351
352           Default: nisNetgroup
353
354       ldap_netgroup_name (string)
355           The LDAP attribute that corresponds to the netgroup name.
356
357           In IPA provider, ipa_netgroup_name should be used instead.
358
359           Default: cn
360
361       ldap_netgroup_member (string)
362           The LDAP attribute that contains the names of the netgroup's
363           members.
364
365           In IPA provider, ipa_netgroup_member should be used instead.
366
367           Default: memberNisNetgroup
368
369       ldap_netgroup_triple (string)
370           The LDAP attribute that contains the (host, user, domain) netgroup
371           triples.
372
373           This option is not available in IPA provider.
374
375           Default: nisNetgroupTriple
376
377       ldap_netgroup_modify_timestamp (string)
378           The LDAP attribute that contains timestamp of the last modification
379           of the parent object.
380
381           This option is not available in IPA provider.
382
383           Default: modifyTimestamp
384

HOST ATTRIBUTES

386       ldap_host_object_class (string)
387           The object class of a host entry in LDAP.
388
389           Default: ipService
390
391       ldap_host_name (string)
392           The LDAP attribute that corresponds to the host's name.
393
394           Default: cn
395
396       ldap_host_fqdn (string)
397           The LDAP attribute that corresponds to the host's fully-qualified
398           domain name.
399
400           Default: fqdn
401
402       ldap_host_serverhostname (string)
403           The LDAP attribute that corresponds to the host's name.
404
405           Default: serverHostname
406
407       ldap_host_member_of (string)
408           The LDAP attribute that lists the host's group memberships.
409
410           Default: memberOf
411
412       ldap_host_ssh_public_key (string)
413           The LDAP attribute that contains the host's SSH public keys.
414
415           Default: sshPublicKey
416
417       ldap_host_uuid (string)
418           The LDAP attribute that contains the UUID/GUID of an LDAP host
419           object.
420
421           Default: not set
422

SERVICE ATTRIBUTES

424       ldap_service_object_class (string)
425           The object class of a service entry in LDAP.
426
427           Default: ipService
428
429       ldap_service_name (string)
430           The LDAP attribute that contains the name of service attributes and
431           their aliases.
432
433           Default: cn
434
435       ldap_service_port (string)
436           The LDAP attribute that contains the port managed by this service.
437
438           Default: ipServicePort
439
440       ldap_service_proto (string)
441           The LDAP attribute that contains the protocols understood by this
442           service.
443
444           Default: ipServiceProtocol
445

SUDO ATTRIBUTES

447       ldap_sudorule_object_class (string)
448           The object class of a sudo rule entry in LDAP.
449
450           Default: sudoRole
451
452       ldap_sudorule_name (string)
453           The LDAP attribute that corresponds to the sudo rule name.
454
455           Default: cn
456
457       ldap_sudorule_command (string)
458           The LDAP attribute that corresponds to the command name.
459
460           Default: sudoCommand
461
462       ldap_sudorule_host (string)
463           The LDAP attribute that corresponds to the host name (or host IP
464           address, host IP network, or host netgroup)
465
466           Default: sudoHost
467
468       ldap_sudorule_user (string)
469           The LDAP attribute that corresponds to the user name (or UID, group
470           name or user's netgroup)
471
472           Default: sudoUser
473
474       ldap_sudorule_option (string)
475           The LDAP attribute that corresponds to the sudo options.
476
477           Default: sudoOption
478
479       ldap_sudorule_runasuser (string)
480           The LDAP attribute that corresponds to the user name that commands
481           may be run as.
482
483           Default: sudoRunAsUser
484
485       ldap_sudorule_runasgroup (string)
486           The LDAP attribute that corresponds to the group name or group GID
487           that commands may be run as.
488
489           Default: sudoRunAsGroup
490
491       ldap_sudorule_notbefore (string)
492           The LDAP attribute that corresponds to the start date/time for when
493           the sudo rule is valid.
494
495           Default: sudoNotBefore
496
497       ldap_sudorule_notafter (string)
498           The LDAP attribute that corresponds to the expiration date/time,
499           after which the sudo rule will no longer be valid.
500
501           Default: sudoNotAfter
502
503       ldap_sudorule_order (string)
504           The LDAP attribute that corresponds to the ordering index of the
505           rule.
506
507           Default: sudoOrder
508

AUTOFS ATTRIBUTES

510       ldap_autofs_map_object_class (string)
511           The object class of an automount map entry in LDAP.
512
513           Default: nisMap (rfc2307, autofs_provider=ad), otherwise
514           automountMap
515
516       ldap_autofs_map_name (string)
517           The name of an automount map entry in LDAP.
518
519           Default: nisMapName (rfc2307, autofs_provider=ad), otherwise
520           automountMapName
521
522       ldap_autofs_entry_object_class (string)
523           The object class of an automount entry in LDAP. The entry usually
524           corresponds to a mount point.
525
526           Default: nisObject (rfc2307, autofs_provider=ad), otherwise
527           automount
528
529       ldap_autofs_entry_key (string)
530           The key of an automount entry in LDAP. The entry usually
531           corresponds to a mount point.
532
533           Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey
534
535       ldap_autofs_entry_value (string)
536           The key of an automount entry in LDAP. The entry usually
537           corresponds to a mount point.
538
539           Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise
540           automountInformation
541

IP HOST ATTRIBUTES

543       ldap_iphost_object_class (string)
544           The object class of an iphost entry in LDAP.
545
546           Default: ipHost
547
548       ldap_iphost_name (string)
549           The LDAP attribute that contains the name of the IP host attributes
550           and their aliases.
551
552           Default: cn
553
554       ldap_iphost_number (string)
555           The LDAP attribute that contains the IP host address.
556
557           Default: ipHostNumber
558

IP NETWORK ATTRIBUTES

560       ldap_ipnetwork_object_class (string)
561           The object class of an ipnetwork entry in LDAP.
562
563           Default: ipNetwork
564
565       ldap_ipnetwork_name (string)
566           The LDAP attribute that contains the name of the IP network
567           attributes and their aliases.
568
569           Default: cn
570
571       ldap_ipnetwork_number (string)
572           The LDAP attribute that contains the IP network address.
573
574           Default: ipNetworkNumber
575

SEE ALSO

577       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
578       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
579       recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
580       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
581       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8).  sss_rpcidmapd(5)
582       sssd-systemtap(5)
583

AUTHORS

585       The SSSD upstream - https://github.com/SSSD/sssd/
586
587
588
589SSSD                              05/19/2021             SSSD-LDAP-ATTRIBUT(5)
Impressum