SSSD-LDAP-ATTRIBUT(5)    File Formats and Conventions    SSSD-LDAP-ATTRIBUT(5)

NAME
       sssd-ldap-attributes - SSSD LDAP Provider: Mapping Attributes

DESCRIPTION
       This manual page describes the mapping attributes of the SSSD LDAP
       provider sssd-ldap(5). Refer to the sssd-ldap(5) manual page for full
       details about SSSD LDAP provider configuration options.

USER OPTIONS
       ldap_user_object_class (string)
              The object class of a user entry in LDAP.

              Default: posixAccount

       ldap_user_name (string)
              The LDAP attribute that corresponds to the user's login name.

              Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)

       ldap_user_uid_number (string)
              The LDAP attribute that corresponds to the user's id.

              Default: uidNumber

       ldap_user_gid_number (string)
              The LDAP attribute that corresponds to the user's primary group
              id.

              Default: gidNumber

       ldap_user_primary_group (string)
              Active Directory primary group attribute for ID-mapping. Note
              that this attribute should only be set manually if you are
              running the “ldap” provider with ID mapping.

              Default: unset (LDAP), primaryGroupID (AD)

       ldap_user_gecos (string)
              The LDAP attribute that corresponds to the user's gecos field.

              Default: gecos

       ldap_user_home_directory (string)
              The LDAP attribute that contains the name of the user's home
              directory.

              Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)

       ldap_user_shell (string)
              The LDAP attribute that contains the path to the user's default
              shell.

              Default: loginShell

       ldap_user_uuid (string)
              The LDAP attribute that contains the UUID/GUID of an LDAP user
              object.

              Default: not set in the general case, objectGUID for AD and
              ipaUniqueID for IPA

       ldap_user_objectsid (string)
              The LDAP attribute that contains the objectSID of an LDAP user
              object. This is usually only necessary for Active Directory
              servers.

              Default: objectSid for Active Directory, not set for other
              servers.

       ldap_user_modify_timestamp (string)
              The LDAP attribute that contains the timestamp of the last
              modification of the parent object.

              Default: modifyTimestamp

       ldap_user_shadow_last_change (string)
              When using ldap_pwd_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (date of the last password change).

              Default: shadowLastChange

       ldap_user_shadow_min (string)
              When using ldap_pwd_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (minimum password age).

              Default: shadowMin

       ldap_user_shadow_max (string)
              When using ldap_pwd_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (maximum password age).

              Default: shadowMax

       ldap_user_shadow_warning (string)
              When using ldap_pwd_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (password warning period).

              Default: shadowWarning

       ldap_user_shadow_inactive (string)
              When using ldap_pwd_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (password inactivity period).

              Default: shadowInactive

       ldap_user_shadow_expire (string)
              When using ldap_pwd_policy=shadow or
              ldap_account_expire_policy=shadow, this parameter contains the
              name of an LDAP attribute corresponding to its shadow(5)
              counterpart (account expiration date).

              Default: shadowExpire
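       The shadow attributes above are only names; what they mean comes from
       shadow(5). The following added example (not SSSD's own code) applies
       the shadow(5) semantics of those fields to a constructed user entry
       to show which account state results on a given day, so an
       administrator can predict what ldap_pwd_policy=shadow and
       ldap_account_expire_policy=shadow will enforce. The entry values and
       the helper names are assumptions for the example.

```python
from datetime import date

# Constructed sample entry: the attributes SSSD fetches through the
# ldap_user_shadow_* mappings, as strings of days since 1970-01-01 (shadow(5)).
SAMPLE_ENTRY = {
    "shadowLastChange": "18900",
    "shadowMax": "90",
    "shadowWarning": "7",
    "shadowInactive": "14",
    "shadowExpire": "",   # empty: no absolute account expiry date
}

def days_since_epoch(d):
    """Calendar date -> shadow(5) day count."""
    return (d - date(1970, 1, 1)).days

def _field(entry, attr):
    """Integer value of a shadow attribute, or None when absent, empty or
    negative (shadow(5) treats an empty or -1 field as 'not set')."""
    raw = entry.get(attr)
    if raw is None or str(raw).strip() == "":
        return None
    value = int(raw)
    return None if value < 0 else value

def shadow_state(entry, today):
    """Classify an account on day `today` (days since the epoch) using the
    shadow(5) meaning of each field. Returns 'expired', 'inactive',
    'must_change', 'warn' or 'ok'."""
    expire = _field(entry, "shadowExpire")
    if expire is not None and today >= expire:
        return "expired"        # absolute account expiry reached
    last = _field(entry, "shadowLastChange")
    max_age = _field(entry, "shadowMax")
    if last is None or max_age is None:
        return "ok"             # no password-age policy to enforce
    if last == 0:
        return "must_change"    # 0: password must be changed at next login
    pw_expiry = last + max_age  # last day on which the password is valid
    inactive = _field(entry, "shadowInactive")
    if inactive is not None and today > pw_expiry + inactive:
        return "inactive"       # grace period after expiry has run out
    if today > pw_expiry:
        return "must_change"    # expired, but still inside the grace period
    warning = _field(entry, "shadowWarning")
    if warning is not None and today >= pw_expiry - warning:
        return "warn"           # inside the warning window before expiry
    return "ok"

if __name__ == "__main__":
    # Constructed "today": 18985 days after the epoch, inside the warning window.
    print(shadow_state(SAMPLE_ENTRY, 18985))
```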

       ldap_user_krb_last_pwd_change (string)
              When using ldap_pwd_policy=mit_kerberos, this parameter
              contains the name of an LDAP attribute storing the date and
              time of the last password change in Kerberos.

              Default: krbLastPwdChange

       ldap_user_krb_password_expiration (string)
              When using ldap_pwd_policy=mit_kerberos, this parameter
              contains the name of an LDAP attribute storing the date and
              time when the current password expires.

              Default: krbPasswordExpiration

       ldap_user_ad_account_expires (string)
              When using ldap_account_expire_policy=ad, this parameter
              contains the name of an LDAP attribute storing the expiration
              time of the account.

              Default: accountExpires

       ldap_user_ad_user_account_control (string)
              When using ldap_account_expire_policy=ad, this parameter
              contains the name of an LDAP attribute storing the user
              account control bit field.

              Default: userAccountControl

       ldap_ns_account_lock (string)
              When using ldap_account_expire_policy=rhds or equivalent, this
              parameter contains the name of the attribute that determines
              whether access is allowed.

              Default: nsAccountLock

       ldap_user_nds_login_disabled (string)
              When using ldap_account_expire_policy=nds, this attribute
              determines whether access is allowed.

              Default: loginDisabled

       ldap_user_nds_login_expiration_time (string)
              When using ldap_account_expire_policy=nds, this attribute
              determines until which date access is granted.

              Default: loginDisabled

       ldap_user_nds_login_allowed_time_map (string)
              When using ldap_account_expire_policy=nds, this attribute
              determines the hours of the day, per day of the week, during
              which access is granted.

              Default: loginAllowedTimeMap

       ldap_user_principal (string)
              The LDAP attribute that contains the user's Kerberos User
              Principal Name (UPN).

              Default: krbPrincipalName

       ldap_user_extra_attrs (string)
              Comma-separated list of LDAP attributes that SSSD fetches
              along with the usual set of user attributes.

              The list can either contain LDAP attribute names only, or
              colon-separated tuples of SSSD cache attribute name and LDAP
              attribute name. If only an LDAP attribute name is given, the
              attribute is saved to the cache verbatim. Using a custom SSSD
              attribute name might be required by environments that
              configure several SSSD domains with different LDAP schemas.

              Please note that several attribute names are reserved by SSSD,
              notably the “name” attribute. SSSD reports an error if any of
              the reserved attribute names is used as an extra attribute
              name.

              Examples:

              ldap_user_extra_attrs = telephoneNumber

              Save the “telephoneNumber” attribute from LDAP as
              “telephoneNumber” to the cache.

              ldap_user_extra_attrs = phone:telephoneNumber

              Save the “telephoneNumber” attribute from LDAP as “phone” to
              the cache.

              Default: not set
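       As an added example (not SSSD's own parser), the function below
       reads an ldap_user_extra_attrs value in the format described above,
       resolves each item to a cache-name/LDAP-name pair, and rejects the
       cases SSSD itself refuses: a malformed item and a reserved cache
       name. Only “name” is taken from this page as reserved; the name
       syntax check and the duplicate-mapping check are assumptions made
       for the example.

```python
import re

# Cache attribute names this page says SSSD reserves. SSSD reserves others
# as well; only "name" is listed here because only it is named on the page.
RESERVED_CACHE_NAMES = {"name"}

# Assumed attribute-name syntax (RFC 4512 descr: letter, then letters,
# digits or hyphens). Anything else is treated as a malformed item.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_extra_attrs(value):
    """Parse an ldap_user_extra_attrs value into {cache_name: ldap_name}.

    Each comma-separated item is either an LDAP attribute name, cached
    verbatim under the same name, or a cache_name:ldap_name tuple.
    Raises ValueError on a malformed item, a reserved cache name, or a
    cache name mapped to two different LDAP attributes.
    """
    mapping = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue                      # tolerate trailing/double commas
        if ":" in item:
            cache_name, _, ldap_name = item.partition(":")
            cache_name, ldap_name = cache_name.strip(), ldap_name.strip()
        else:
            cache_name = ldap_name = item
        if not (_ATTR_NAME.match(cache_name) and _ATTR_NAME.match(ldap_name)):
            raise ValueError(f"malformed ldap_user_extra_attrs item: {item!r}")
        if cache_name.lower() in RESERVED_CACHE_NAMES:
            raise ValueError(f"reserved cache attribute name: {cache_name!r}")
        if cache_name in mapping and mapping[cache_name] != ldap_name:
            raise ValueError(f"cache name {cache_name!r} mapped twice")
        mapping[cache_name] = ldap_name
    return mapping


if __name__ == "__main__":
    # The two examples from the manual page, combined into one setting.
    print(parse_extra_attrs("phone:telephoneNumber, mail"))
```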

       ldap_user_ssh_public_key (string)
              The LDAP attribute that contains the user's SSH public keys.

              Default: sshPublicKey

       ldap_user_fullname (string)
              The LDAP attribute that corresponds to the user's full name.

              Default: cn

       ldap_user_member_of (string)
              The LDAP attribute that lists the user's group memberships.

              Default: memberOf

       ldap_user_authorized_service (string)
              If access_provider=ldap and
              ldap_access_order=authorized_service, SSSD will use the
              presence of the authorizedService attribute in the user's LDAP
              entry to determine access privilege.

              An explicit deny (!svc) is resolved first. Second, SSSD
              searches for an explicit allow (svc) and finally for allow_all
              (*).

              Please note that the ldap_access_order configuration option
              must include “authorized_service” in order for the
              ldap_user_authorized_service option to work.

              Some distributions (such as Fedora-29+ or RHEL-8) always
              include the “systemd-user” PAM service as part of the login
              process. Therefore, when using service-based access control,
              the “systemd-user” service might need to be added to the list
              of allowed services.

              Default: authorizedService

       ldap_user_authorized_host (string)
              If access_provider=ldap and ldap_access_order=host, SSSD will
              use the presence of the host attribute in the user's LDAP
              entry to determine access privilege.

              An explicit deny (!host) is resolved first. Second, SSSD
              searches for an explicit allow (host) and finally for
              allow_all (*).

              Please note that the ldap_access_order configuration option
              must include “host” in order for the ldap_user_authorized_host
              option to work.

              Default: host

       ldap_user_authorized_rhost (string)
              If access_provider=ldap and ldap_access_order=rhost, SSSD will
              use the presence of the rhost attribute in the user's LDAP
              entry to determine access privilege. This works in the same
              way as the host verification process.

              An explicit deny (!rhost) is resolved first. Second, SSSD
              searches for an explicit allow (rhost) and finally for
              allow_all (*).

              Please note that the ldap_access_order configuration option
              must include “rhost” in order for the
              ldap_user_authorized_rhost option to work.

              Default: rhost
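       The three options above share one evaluation order: explicit deny,
       then explicit allow, then allow_all. The added example below (not
       SSSD's code) models that order for the service, host and rhost
       checks against constructed user entries, including the
       “systemd-user” case, so the effect of a given ldap_access_order can
       be checked before it is deployed. It assumes that every check listed
       in ldap_access_order must pass and that the first failing check
      denies; the sample entries and helper names are constructed.

```python
# Constructed sample entries keyed by login name. Attribute names are the
# defaults of ldap_user_authorized_service, ldap_user_authorized_host and
# ldap_user_authorized_rhost.
SAMPLE_USERS = {
    "alice": {"authorizedService": ["sshd", "systemd-user"],
              "host": ["*"], "rhost": ["*"]},
    "bob":   {"authorizedService": ["!sshd", "*"],
              "host": ["web01.example.com"], "rhost": ["*"]},
    "carol": {"authorizedService": ["sshd"],          # no systemd-user
              "host": ["*"], "rhost": ["10.0.0.5"]},
}

# ldap_access_order value -> attribute the check reads (page defaults).
ATTR_FOR_CHECK = {"authorized_service": "authorizedService",
                  "host": "host", "rhost": "rhost"}


def authorized(values, requested):
    """Decide one requested name against one attribute's values in the
    order the manual gives: explicit deny, explicit allow, allow_all.
    A missing or empty attribute, or no match at all, is a deny."""
    vals = {v.strip() for v in values if v and v.strip()}
    if "!" + requested in vals:
        return False            # explicit deny wins over everything else
    if requested in vals:
        return True             # explicit allow
    return "*" in vals          # allow_all, otherwise deny


def ldap_access(entry, access_order, services, host, rhost):
    """Run the checks named in access_order in sequence; the first check
    that fails denies (assumption about SSSD's ordering). `services` lists
    every PAM service the login exercises, e.g. "sshd" plus "systemd-user"
    on distributions that add it to the login process."""
    requested = {"authorized_service": list(services),
                 "host": [host], "rhost": [rhost]}
    for check in access_order:
        values = entry.get(ATTR_FOR_CHECK[check], [])
        if not all(authorized(values, name) for name in requested[check]):
            return False
    return True


if __name__ == "__main__":
    for user, entry in SAMPLE_USERS.items():
        print(user, ldap_access(entry, ["authorized_service", "host", "rhost"],
                                ("sshd", "systemd-user"),
                                "web01.example.com", "10.0.0.5"))
```

       Note that carol is denied only because “systemd-user” is missing
       from her allowed services, which is exactly the distribution caveat
       given under ldap_user_authorized_service.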

       ldap_user_certificate (string)
              Name of the LDAP attribute containing the X509 certificate of
              the user.

              Default: userCertificate;binary

       ldap_user_email (string)
              Name of the LDAP attribute containing the email address of the
              user.

              Note: If the email address of a user conflicts with the email
              address or fully qualified name of another user, then SSSD
              will not be able to serve those users properly. If for some
              reason several users need to share the same email address,
              set this option to a nonexistent attribute name in order to
              disable user lookup/login by email.

              Default: mail

GROUP OPTIONS
       ldap_group_object_class (string)
              The object class of a group entry in LDAP.

              Default: posixGroup

       ldap_group_name (string)
              The LDAP attribute that corresponds to the group name.

              Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)

       ldap_group_gid_number (string)
              The LDAP attribute that corresponds to the group's id.

              Default: gidNumber

       ldap_group_member (string)
              The LDAP attribute that contains the names of the group's
              members.

              Default: memberUid (rfc2307) / member (rfc2307bis)

       ldap_group_uuid (string)
              The LDAP attribute that contains the UUID/GUID of an LDAP
              group object.

              Default: not set in the general case, objectGUID for AD and
              ipaUniqueID for IPA

       ldap_group_objectsid (string)
              The LDAP attribute that contains the objectSID of an LDAP
              group object. This is usually only necessary for Active
              Directory servers.

              Default: objectSid for Active Directory, not set for other
              servers.

       ldap_group_modify_timestamp (string)
              The LDAP attribute that contains the timestamp of the last
              modification of the parent object.

              Default: modifyTimestamp

       ldap_group_type (string)
              The LDAP attribute that contains an integer value indicating
              the type of the group and possibly other flags.

              This attribute is currently only used by the AD provider to
              determine whether a group is a domain local group that has to
              be filtered out for trusted domains.

              Default: groupType in the AD provider, otherwise not set

       ldap_group_external_member (string)
              The LDAP attribute that references group members that are
              defined in an external domain. At the moment, only IPA's
              external members are supported.

              Default: ipaExternalMember in the IPA provider, otherwise
              unset.

NETGROUP OPTIONS
       ldap_netgroup_object_class (string)
              The object class of a netgroup entry in LDAP.

              In the IPA provider, ipa_netgroup_object_class should be used
              instead.

              Default: nisNetgroup

       ldap_netgroup_name (string)
              The LDAP attribute that corresponds to the netgroup name.

              In the IPA provider, ipa_netgroup_name should be used instead.

              Default: cn

       ldap_netgroup_member (string)
              The LDAP attribute that contains the names of the netgroup's
              members.

              In the IPA provider, ipa_netgroup_member should be used
              instead.

              Default: memberNisNetgroup

       ldap_netgroup_triple (string)
              The LDAP attribute that contains the (host, user, domain)
              netgroup triples.

              This option is not available in the IPA provider.

              Default: nisNetgroupTriple

       ldap_netgroup_modify_timestamp (string)
              The LDAP attribute that contains the timestamp of the last
              modification of the parent object.

              This option is not available in the IPA provider.

              Default: modifyTimestamp

HOST OPTIONS
       ldap_host_object_class (string)
              The object class of a host entry in LDAP.

              Default: ipService

       ldap_host_name (string)
              The LDAP attribute that corresponds to the host's name.

              Default: cn

       ldap_host_fqdn (string)
              The LDAP attribute that corresponds to the host's
              fully-qualified domain name.

              Default: fqdn

       ldap_host_serverhostname (string)
              The LDAP attribute that corresponds to the host's name.

              Default: serverHostname

       ldap_host_member_of (string)
              The LDAP attribute that lists the host's group memberships.

              Default: memberOf

       ldap_host_ssh_public_key (string)
              The LDAP attribute that contains the host's SSH public keys.

              Default: sshPublicKey

       ldap_host_uuid (string)
              The LDAP attribute that contains the UUID/GUID of an LDAP host
              object.

              Default: not set

SERVICE OPTIONS
       ldap_service_object_class (string)
              The object class of a service entry in LDAP.

              Default: ipService

       ldap_service_name (string)
              The LDAP attribute that contains the name of the service and
              its aliases.

              Default: cn

       ldap_service_port (string)
              The LDAP attribute that contains the port managed by this
              service.

              Default: ipServicePort

       ldap_service_proto (string)
              The LDAP attribute that contains the protocols understood by
              this service.

              Default: ipServiceProtocol

SUDO OPTIONS
       ldap_sudorule_object_class (string)
              The object class of a sudo rule entry in LDAP.

              Default: sudoRole

       ldap_sudorule_name (string)
              The LDAP attribute that corresponds to the sudo rule name.

              Default: cn

       ldap_sudorule_command (string)
              The LDAP attribute that corresponds to the command name.

              Default: sudoCommand

       ldap_sudorule_host (string)
              The LDAP attribute that corresponds to the host name (or host
              IP address, host IP network, or host netgroup).

              Default: sudoHost

       ldap_sudorule_user (string)
              The LDAP attribute that corresponds to the user name (or UID,
              group name or user's netgroup).

              Default: sudoUser

       ldap_sudorule_option (string)
              The LDAP attribute that corresponds to the sudo options.

              Default: sudoOption

       ldap_sudorule_runasuser (string)
              The LDAP attribute that corresponds to the user name that
              commands may be run as.

              Default: sudoRunAsUser

       ldap_sudorule_runasgroup (string)
              The LDAP attribute that corresponds to the group name or group
              GID that commands may be run as.

              Default: sudoRunAsGroup

       ldap_sudorule_notbefore (string)
              The LDAP attribute that corresponds to the start date/time
              from which the sudo rule is valid.

              Default: sudoNotBefore

       ldap_sudorule_notafter (string)
              The LDAP attribute that corresponds to the expiration
              date/time, after which the sudo rule will no longer be valid.

              Default: sudoNotAfter

       ldap_sudorule_order (string)
              The LDAP attribute that corresponds to the ordering index of
              the rule.

              Default: sudoOrder

AUTOFS OPTIONS
       ldap_autofs_map_object_class (string)
              The object class of an automount map entry in LDAP.

              Default: nisMap (rfc2307, autofs_provider=ad), otherwise
              automountMap

       ldap_autofs_map_name (string)
              The name of an automount map entry in LDAP.

              Default: nisMapName (rfc2307, autofs_provider=ad), otherwise
              automountMapName

       ldap_autofs_entry_object_class (string)
              The object class of an automount entry in LDAP. The entry
              usually corresponds to a mount point.

              Default: nisObject (rfc2307, autofs_provider=ad), otherwise
              automount

       ldap_autofs_entry_key (string)
              The key of an automount entry in LDAP. The entry usually
              corresponds to a mount point.

              Default: cn (rfc2307, autofs_provider=ad), otherwise
              automountKey

       ldap_autofs_entry_value (string)
              The value of an automount entry in LDAP. The entry usually
              corresponds to a mount point.

              Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise
              automountInformation

IP HOST OPTIONS
       ldap_iphost_object_class (string)
              The object class of an iphost entry in LDAP.

              Default: ipHost

       ldap_iphost_name (string)
              The LDAP attribute that contains the name of the IP host and
              its aliases.

              Default: cn

       ldap_iphost_number (string)
              The LDAP attribute that contains the IP host address.

              Default: ipHostNumber

IP NETWORK OPTIONS
       ldap_ipnetwork_object_class (string)
              The object class of an ipnetwork entry in LDAP.

              Default: ipNetwork

       ldap_ipnetwork_name (string)
              The LDAP attribute that contains the name of the IP network
              and its aliases.

              Default: cn

       ldap_ipnetwork_number (string)
              The LDAP attribute that contains the IP network address.

              Default: ipNetworkNumber

SEE ALSO
       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
       sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
       sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
       sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
       pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5).

AUTHORS
       The SSSD upstream - https://github.com/SSSD/sssd/

SSSD                            05/19/2021              SSSD-LDAP-ATTRIBUT(5)