Diffstat (limited to 'server/man/sssd-ldap.5.xml')
-rw-r--r-- | server/man/sssd-ldap.5.xml | 688 |
1 files changed, 0 insertions, 688 deletions
diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml deleted file mode 100644 index b79cbbc9a..000000000 --- a/server/man/sssd-ldap.5.xml +++ /dev/null 
@@ -1,688 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" -"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<reference> -<title>SSSD Manual pages</title> -<refentry> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> - - <refmeta> - <refentrytitle>sssd-ldap</refentrytitle> - <manvolnum>5</manvolnum> - <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo> - </refmeta> - - <refnamediv id='name'> - <refname>sssd-ldap</refname> - <refpurpose>the configuration file for SSSD</refpurpose> - </refnamediv> - - <refsect1 id='description'> - <title>DESCRIPTION</title> - <para> - This manual page describes the configuration of LDAP - domains for - <citerefentry> - <refentrytitle>sssd</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>. - Refer to the <quote>FILE FORMAT</quote> section of the - <citerefentry> - <refentrytitle>sssd.conf</refentrytitle> - <manvolnum>5</manvolnum> - </citerefentry> manual page for detailed syntax information.</para> - <para> - You can configure SSSD to use more than one LDAP domain. - </para> - <para> - If you want to authenticate against an LDAP server then TLS/SSL is - required. <command>sssd</command> <emphasis>does not</emphasis> - support authentication over an unencrypted channel. If the LDAP - server is used only as an identify provider, an encrypted channel - is not needed. - </para> - </refsect1> - - <refsect1 id='file-format'> - <title>CONFIGURATION OPTIONS</title> - <para> - All of the common configuration options that apply to SSSD domains also apply - to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section of the - <citerefentry> - <refentrytitle>sssd.conf</refentrytitle> - <manvolnum>5</manvolnum> - </citerefentry> manual page for full details. 
- - <variablelist> - <varlistentry> - <term>ldap_uri (string)</term> - <listitem> - <para> - Specifies the list of URIs of the LDAP servers to which - SSSD should connect in the order of preference. Refer to the - <quote>FAILOVER</quote> section for more information on failover and server redundancy. - </para> - <para> - Default: ldap://localhost - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_search_base (string)</term> - <listitem> - <para> - The default base DN to use for - performing LDAP user operations. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_schema (string)</term> - <listitem> - <para> - Specifies the Schema Type in use on the target LDAP - server. - Depending on the selected schema, the default - attribute names retrieved from the servers may vary. - The way that some attributes are handled may also differ. - - Two schema types are currently supported: - rfc2307 - rfc2307bis - - The main difference between these two schema types is - how group memberships are recorded in the server. - With rfc2307, group members are listed by name in the - <emphasis>memberUid</emphasis> attribute. - With rfc2307bis, group members are listed by DN and - stored in the <emphasis>member</emphasis> attribute. - - </para> - <para> - Default: rfc2307 - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_default_bind_dn (string)</term> - <listitem> - <para> - The default bind DN to use for - performing LDAP operations. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_default_authtok_type (string)</term> - <listitem> - <para> - The type of the authentication token of the - default bind DN. The only currently supported value is "password". - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_default_authtok (string)</term> - <listitem> - <para> - The authentication token of the default bind DN. - Only clear text passwords are currently supported. 
- </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_search_base (string)</term> - <listitem> - <para> - An optional base DN to restrict user searches - to a specific subtree. - </para> - <para> - Default: the value of - <emphasis>ldap_search_base</emphasis> - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_object_class (string)</term> - <listitem> - <para> - The object class of a user entry in LDAP. - </para> - <para> - Default: posixAccount - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_name (string)</term> - <listitem> - <para> - The LDAP attribute that corresponds to the - user's login name. - </para> - <para> - Default: uid - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_uid_number (string)</term> - <listitem> - <para> - The LDAP attribute that corresponds to the - user's id. - </para> - <para> - Default: uidNumber - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_gid_number (string)</term> - <listitem> - <para> - The LDAP attribute that corresponds to the - user's primary group id. - </para> - <para> - Default: gidNumber - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_gecos (string)</term> - <listitem> - <para> - The LDAP attribute that corresponds to the - user's gecos field. - </para> - <para> - Default: gecos - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_home_directory (string)</term> - <listitem> - <para> - The LDAP attribute that contains the name of the user's - home directory. - </para> - <para> - Default: homeDirectory - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_shell (string)</term> - <listitem> - <para> - The LDAP attribute that contains the path to the - user's default shell. 
- </para> - <para> - Default: loginShell - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_uuid (string)</term> - <listitem> - <para> - The LDAP attribute that contains the UUID/GUID of - an LDAP user object. - </para> - <para> - Default: nsUniqueId - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_principal (string)</term> - <listitem> - <para> - The LDAP attribute that contains the user's Kerberos - User Principle Name (UPN). - </para> - <para> - Default: krbPrincipalName - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_force_upper_case_realm (boolean)</term> - <listitem> - <para> - Some directory servers, for example Active Directory, - might deliver the realm part of the UPN in lower case, - which might cause the authentication to fail. Set this - option to a non-zero value if you want to use an - upper-case realm. - </para> - <para> - Default: false - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_fullname (string)</term> - <listitem> - <para> - The LDAP attribute that corresponds to the - user's full name. - </para> - <para> - Default: cn - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_user_member_of (string)</term> - <listitem> - <para> - The LDAP attribute that lists the user's - group memberships. - </para> - <para> - Default: memberOf - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_group_search_base (string)</term> - <listitem> - <para> - An optional base DN to restrict group searches - to a specific subtree. - </para> - <para> - Default: the value of - <emphasis>ldap_search_base</emphasis> - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_group_object_class (string)</term> - <listitem> - <para> - The object class of a group entry in LDAP. 
- </para> - <para> - Default: posixGroup - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_group_name (string)</term> - <listitem> - <para> - The LDAP attribute that corresponds to - the group name. - </para> - <para> - Default: cn - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_group_gid_number (string)</term> - <listitem> - <para> - The LDAP attribute that corresponds to the - group's id. - </para> - <para> - Default: gidNumber - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_group_member (string)</term> - <listitem> - <para> - The LDAP attribute that contains the names of - the group's members. - </para> - <para> - Default: memberuid (rfc2307) / member (rfc2307bis) - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_group_uuid (string)</term> - <listitem> - <para> - The LDAP attribute that contains the UUID/GUID of - an LDAP group object. - </para> - <para> - Default: nsUniqueId - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_network_timeout (integer)</term> - <listitem> - <para> - Specifies the timeout (in seconds) after which - the - <citerefentry> - <refentrytitle>poll</refentrytitle> - <manvolnum>2</manvolnum> - </citerefentry>/<citerefentry> - <refentrytitle>select</refentrytitle> - <manvolnum>2</manvolnum> - </citerefentry> - following a - <citerefentry> - <refentrytitle>connect</refentrytitle> - <manvolnum>2</manvolnum> - </citerefentry> - returns in case of no activity. - </para> - <para> - Default: 5 - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_opt_timeout (integer)</term> - <listitem> - <para> - Specifies a timeout (in seconds) after which - calls to synchronous LDAP APIs will abort if no - response is received. Also controls the timeout - when communicating with the KDC in case of SASL bind. 
- </para> - <para> - Default: 5 - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_tls_reqcert (string)</term> - <listitem> - <para> - Specifies what checks to perform on server - certificates in a TLS session, if any. It - can be specified as one of the following - values: - </para> - <para> - <emphasis>never</emphasis> = The client will - not request or check any server certificate. - </para> - <para> - <emphasis>allow</emphasis> = The server - certificate is requested. If no certificate is - provided, the session proceeds normally. If a - bad certificate is provided, it will be ignored - and the session proceeds normally. - </para> - <para> - <emphasis>try</emphasis> = The server certificate - is requested. If no certificate is provided, the - session proceeds normally. If a bad certificate - is provided, the session is immediately terminated. - </para> - <para> - <emphasis>demand</emphasis> = The server - certificate is requested. If no certificate - is provided, or a bad certificate is provided, - the session is immediately terminated. - </para> - <para> - <emphasis>hard</emphasis> = Same as - <quote>demand</quote> - </para> - <para> - Default: hard - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_tls_cacert (string)</term> - <listitem> - <para> - Specifies the file that contains certificates for - all of the Certificate Authorities that - <command>sssd</command> will recognize. - </para> - <para> - Default: use OpenLDAP defaults, typically in - <filename>/etc/openldap/ldap.conf</filename> - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_tls_cacertdir (string)</term> - <listitem> - <para> - Specifies the path of a directory that contains - Certificate Authority certificates in separate - individual files. Typically the file names need to - be the hash of the certificate followed by '.0'. - If available, <command>cacertdir_rehash</command> - can be used to create the correct names. 
- </para> - <para> - Default: use OpenLDAP defaults, typically in - <filename>/etc/openldap/ldap.conf</filename> - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_id_use_start_tls (boolean)</term> - <listitem> - <para> - Specifies that the id_provider connection must also - use <systemitem class="protocol">tls</systemitem> to protect the channel. - </para> - <para> - Default: false - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_sasl_mech (string)</term> - <listitem> - <para> - Specify the SASL mechanism to use. - Currently only GSSAPI is tested and supported. - </para> - <para> - Default: none - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_sasl_authid (string)</term> - <listitem> - <para> - Specify the SASL authorization id to use. - When GSSAPI is used, this represents the Kerberos - principal used for authentication to the directory. - </para> - <para> - Default: host/machine.fqdn@REALM - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_krb5_keytab (string)</term> - <listitem> - <para> - Specify the keytab to use when using SASL/GSSAPI. - </para> - <para> - Default: System keytab, normally <filename>/etc/krb5.keytab</filename> - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_krb5_init_creds (boolean)</term> - <listitem> - <para> - Specifies that the id_provider should init - Kerberos credentials (TGT). - This action is performed only if SASL is used and - the mechanism selected is GSSAPI. - </para> - <para> - Default: true - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>krb5_realm (string)</term> - <listitem> - <para> - Specify the Kerberos REALM (for SASL/GSSAPI auth). 
- </para> - <para> - Default: System defaults, see <filename>/etc/krb5.conf</filename> - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_pwd_policy (string)</term> - <listitem> - <para> - Select the policy to evaluate the password - expiration on the client side. The following values - are allowed: - </para> - <para> - <emphasis>none</emphasis> - No evaluation on the - client side. This option cannot disable server-side - password policies. - </para> - <para> - <emphasis>shadow</emphasis> - Use - <citerefentry><refentrytitle>shadow</refentrytitle> - <manvolnum>5</manvolnum></citerefentry> style - attributes to evaluate if the password has expired. - Note that the current version of sssd cannot - update this attribute during a password change. - </para> - <para> - <emphasis>mit_kerberos</emphasis> - Use the attributes - used by MIT Kerberos to determine if the password has - expired. Use chpass_provider=krb5 to update these - attributes when the password is changed. - </para> - <para> - Default: none - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_referrals (boolean)</term> - <listitem> - <para> - Specifies whether automatic referral chasing should - be enabled. - </para> - <para> - Please note that sssd only supports referral chasing - when it is compiled with OpenLDAP version 2.4.13 or - higher. - </para> - <para> - Default: true - </para> - </listitem> - </varlistentry> - - </variablelist> - </para> - </refsect1> - - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" /> - - <refsect1 id='example'> - <title>EXAMPLE</title> - <para> - The following example assumes that SSSD is correctly - configured and LDAP is set to one of the domains in the - <replaceable>[domains]</replaceable> section. 
- </para> - <para> -<programlisting> - [domain/LDAP] - id_provider = ldap - auth_provider = ldap - ldap_uri = ldap://ldap.mydomain.org - ldap_search_base = dc=mydomain,dc=org - ldap_tls_reqcert = demand - cache_credentials = true - enumerate = true -</programlisting> - </para> - </refsect1> - - <refsect1 id='notes'> - <title>NOTES</title> - <para> - The descriptions of some of the configuration options in this manual - page are based on the <citerefentry> - <refentrytitle>ldap.conf</refentrytitle> - <manvolnum>5</manvolnum> - </citerefentry> manual page from the OpenLDAP 2.4 distribution. - </para> - </refsect1> - - <refsect1 id='see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> -</reference> |
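Review bot: This hunk removes the whole of server/man/sssd-ldap.5.xml with no replacement visible in the diff, and because the diffstat is limited to this one path it is not clear whether the page is being relocated or dropped. If it is a move, the commit message (or the full diffstat) should name the new location so the sssd-ldap(5) reference from the sssd.conf(5) SEE ALSO section and the xi:include references to include/upstream.xml and include/failover.xml can be checked against it; if it is a genuine removal, the man page install list in the build files needs the matching change, otherwise the build will try to install a file that no longer exists. Either way, the page carries the only user-facing statement of several security-relevant defaults (TLS/SSL is required for auth_provider = ldap, ldap_tls_reqcert defaults to hard, ldap_id_use_start_tls defaults to false, and ldap_default_authtok accepts only a clear-text password), so that text should survive somewhere rather than disappear with the file.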