diff options
Diffstat (limited to 'install/tools/man/ipa-adtrust-install.1')
-rw-r--r-- | install/tools/man/ipa-adtrust-install.1 | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index 38957f3a4..7f0566e13 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 @@ -106,6 +106,29 @@ The password of the user with administrative privileges for this IPA server. Wil .TP The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command. .TP +\fB\-\-enable\-compat\fR +Enables support for trusted domains users for old clients through Schema Compatibility plugin. +SSSD supports trusted domains natively starting with version 1.9. For platforms that +lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package +needs to be installed and schema\-compat\-plugin will be configured to provide lookup of +users and groups from trusted domains via SSSD on IPA server. These users and groups will be +available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees. +SSSD will normalize names of users and groups to lower case. +.IP +In addition to providing these users and groups through the compat tree, this option enables +authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN +\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR. +.IP +LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service. +This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth. +If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure +to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC +rule to allow access to anyone to this rule on IPA masters. +.IP +As '\fBsystem\-auth\fR' PAM service is not used directly by any other +application, it is safe to use it for trusted domain users via compatibility +path. +.TP .SH "EXIT STATUS" 0 if the installation was successful |