Diffstat (limited to 'src/man/sssd-ldap.5.xml')
-rw-r--r--  src/man/sssd-ldap.5.xml  688
1 files changed, 688 insertions, 0 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml new file mode 100644 index 000000000..b79cbbc9a --- /dev/null +++ b/src/man/sssd-ldap.5.xml 
@@ -0,0 +1,688 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>SSSD Manual pages</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sssd-ldap</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo> + </refmeta> + + <refnamediv id='name'> + <refname>sssd-ldap</refname> + <refpurpose>the configuration file for SSSD</refpurpose> + </refnamediv> + + <refsect1 id='description'> + <title>DESCRIPTION</title> + <para> + This manual page describes the configuration of LDAP + domains for + <citerefentry> + <refentrytitle>sssd</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>. + Refer to the <quote>FILE FORMAT</quote> section of the + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> manual page for detailed syntax information.</para> + <para> + You can configure SSSD to use more than one LDAP domain. + </para> + <para> + If you want to authenticate against an LDAP server then TLS/SSL is + required. <command>sssd</command> <emphasis>does not</emphasis> + support authentication over an unencrypted channel. If the LDAP + server is used only as an identify provider, an encrypted channel + is not needed. + </para> + </refsect1> + + <refsect1 id='file-format'> + <title>CONFIGURATION OPTIONS</title> + <para> + All of the common configuration options that apply to SSSD domains also apply + to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section of the + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> manual page for full details. 
+ + <variablelist> + <varlistentry> + <term>ldap_uri (string)</term> + <listitem> + <para> + Specifies the list of URIs of the LDAP servers to which + SSSD should connect in the order of preference. Refer to the + <quote>FAILOVER</quote> section for more information on failover and server redundancy. + </para> + <para> + Default: ldap://localhost + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_search_base (string)</term> + <listitem> + <para> + The default base DN to use for + performing LDAP user operations. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_schema (string)</term> + <listitem> + <para> + Specifies the Schema Type in use on the target LDAP + server. + Depending on the selected schema, the default + attribute names retrieved from the servers may vary. + The way that some attributes are handled may also differ. + + Two schema types are currently supported: + rfc2307 + rfc2307bis + + The main difference between these two schema types is + how group memberships are recorded in the server. + With rfc2307, group members are listed by name in the + <emphasis>memberUid</emphasis> attribute. + With rfc2307bis, group members are listed by DN and + stored in the <emphasis>member</emphasis> attribute. + + </para> + <para> + Default: rfc2307 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_default_bind_dn (string)</term> + <listitem> + <para> + The default bind DN to use for + performing LDAP operations. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_default_authtok_type (string)</term> + <listitem> + <para> + The type of the authentication token of the + default bind DN. The only currently supported value is "password". + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_default_authtok (string)</term> + <listitem> + <para> + The authentication token of the default bind DN. + Only clear text passwords are currently supported. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_search_base (string)</term> + <listitem> + <para> + An optional base DN to restrict user searches + to a specific subtree. + </para> + <para> + Default: the value of + <emphasis>ldap_search_base</emphasis> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_object_class (string)</term> + <listitem> + <para> + The object class of a user entry in LDAP. + </para> + <para> + Default: posixAccount + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_name (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + user's login name. + </para> + <para> + Default: uid + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_uid_number (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + user's id. + </para> + <para> + Default: uidNumber + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_gid_number (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + user's primary group id. + </para> + <para> + Default: gidNumber + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_gecos (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + user's gecos field. + </para> + <para> + Default: gecos + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_home_directory (string)</term> + <listitem> + <para> + The LDAP attribute that contains the name of the user's + home directory. + </para> + <para> + Default: homeDirectory + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_shell (string)</term> + <listitem> + <para> + The LDAP attribute that contains the path to the + user's default shell. 
+ </para> + <para> + Default: loginShell + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_uuid (string)</term> + <listitem> + <para> + The LDAP attribute that contains the UUID/GUID of + an LDAP user object. + </para> + <para> + Default: nsUniqueId + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_principal (string)</term> + <listitem> + <para> + The LDAP attribute that contains the user's Kerberos + User Principle Name (UPN). + </para> + <para> + Default: krbPrincipalName + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_force_upper_case_realm (boolean)</term> + <listitem> + <para> + Some directory servers, for example Active Directory, + might deliver the realm part of the UPN in lower case, + which might cause the authentication to fail. Set this + option to a non-zero value if you want to use an + upper-case realm. + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_fullname (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + user's full name. + </para> + <para> + Default: cn + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_member_of (string)</term> + <listitem> + <para> + The LDAP attribute that lists the user's + group memberships. + </para> + <para> + Default: memberOf + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_search_base (string)</term> + <listitem> + <para> + An optional base DN to restrict group searches + to a specific subtree. + </para> + <para> + Default: the value of + <emphasis>ldap_search_base</emphasis> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_object_class (string)</term> + <listitem> + <para> + The object class of a group entry in LDAP. 
+ </para> + <para> + Default: posixGroup + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_name (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to + the group name. + </para> + <para> + Default: cn + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_gid_number (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + group's id. + </para> + <para> + Default: gidNumber + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_member (string)</term> + <listitem> + <para> + The LDAP attribute that contains the names of + the group's members. + </para> + <para> + Default: memberuid (rfc2307) / member (rfc2307bis) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_uuid (string)</term> + <listitem> + <para> + The LDAP attribute that contains the UUID/GUID of + an LDAP group object. + </para> + <para> + Default: nsUniqueId + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_network_timeout (integer)</term> + <listitem> + <para> + Specifies the timeout (in seconds) after which + the + <citerefentry> + <refentrytitle>poll</refentrytitle> + <manvolnum>2</manvolnum> + </citerefentry>/<citerefentry> + <refentrytitle>select</refentrytitle> + <manvolnum>2</manvolnum> + </citerefentry> + following a + <citerefentry> + <refentrytitle>connect</refentrytitle> + <manvolnum>2</manvolnum> + </citerefentry> + returns in case of no activity. + </para> + <para> + Default: 5 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_opt_timeout (integer)</term> + <listitem> + <para> + Specifies a timeout (in seconds) after which + calls to synchronous LDAP APIs will abort if no + response is received. Also controls the timeout + when communicating with the KDC in case of SASL bind. 
+ </para> + <para> + Default: 5 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_tls_reqcert (string)</term> + <listitem> + <para> + Specifies what checks to perform on server + certificates in a TLS session, if any. It + can be specified as one of the following + values: + </para> + <para> + <emphasis>never</emphasis> = The client will + not request or check any server certificate. + </para> + <para> + <emphasis>allow</emphasis> = The server + certificate is requested. If no certificate is + provided, the session proceeds normally. If a + bad certificate is provided, it will be ignored + and the session proceeds normally. + </para> + <para> + <emphasis>try</emphasis> = The server certificate + is requested. If no certificate is provided, the + session proceeds normally. If a bad certificate + is provided, the session is immediately terminated. + </para> + <para> + <emphasis>demand</emphasis> = The server + certificate is requested. If no certificate + is provided, or a bad certificate is provided, + the session is immediately terminated. + </para> + <para> + <emphasis>hard</emphasis> = Same as + <quote>demand</quote> + </para> + <para> + Default: hard + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_tls_cacert (string)</term> + <listitem> + <para> + Specifies the file that contains certificates for + all of the Certificate Authorities that + <command>sssd</command> will recognize. + </para> + <para> + Default: use OpenLDAP defaults, typically in + <filename>/etc/openldap/ldap.conf</filename> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_tls_cacertdir (string)</term> + <listitem> + <para> + Specifies the path of a directory that contains + Certificate Authority certificates in separate + individual files. Typically the file names need to + be the hash of the certificate followed by '.0'. + If available, <command>cacertdir_rehash</command> + can be used to create the correct names. 
+ </para> + <para> + Default: use OpenLDAP defaults, typically in + <filename>/etc/openldap/ldap.conf</filename> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_id_use_start_tls (boolean)</term> + <listitem> + <para> + Specifies that the id_provider connection must also + use <systemitem class="protocol">tls</systemitem> to protect the channel. + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_sasl_mech (string)</term> + <listitem> + <para> + Specify the SASL mechanism to use. + Currently only GSSAPI is tested and supported. + </para> + <para> + Default: none + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_sasl_authid (string)</term> + <listitem> + <para> + Specify the SASL authorization id to use. + When GSSAPI is used, this represents the Kerberos + principal used for authentication to the directory. + </para> + <para> + Default: host/machine.fqdn@REALM + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_krb5_keytab (string)</term> + <listitem> + <para> + Specify the keytab to use when using SASL/GSSAPI. + </para> + <para> + Default: System keytab, normally <filename>/etc/krb5.keytab</filename> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_krb5_init_creds (boolean)</term> + <listitem> + <para> + Specifies that the id_provider should init + Kerberos credentials (TGT). + This action is performed only if SASL is used and + the mechanism selected is GSSAPI. + </para> + <para> + Default: true + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_realm (string)</term> + <listitem> + <para> + Specify the Kerberos REALM (for SASL/GSSAPI auth). 
+ </para> + <para> + Default: System defaults, see <filename>/etc/krb5.conf</filename> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_pwd_policy (string)</term> + <listitem> + <para> + Select the policy to evaluate the password + expiration on the client side. The following values + are allowed: + </para> + <para> + <emphasis>none</emphasis> - No evaluation on the + client side. This option cannot disable server-side + password policies. + </para> + <para> + <emphasis>shadow</emphasis> - Use + <citerefentry><refentrytitle>shadow</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> style + attributes to evaluate if the password has expired. + Note that the current version of sssd cannot + update this attribute during a password change. + </para> + <para> + <emphasis>mit_kerberos</emphasis> - Use the attributes + used by MIT Kerberos to determine if the password has + expired. Use chpass_provider=krb5 to update these + attributes when the password is changed. + </para> + <para> + Default: none + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_referrals (boolean)</term> + <listitem> + <para> + Specifies whether automatic referral chasing should + be enabled. + </para> + <para> + Please note that sssd only supports referral chasing + when it is compiled with OpenLDAP version 2.4.13 or + higher. + </para> + <para> + Default: true + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" /> + + <refsect1 id='example'> + <title>EXAMPLE</title> + <para> + The following example assumes that SSSD is correctly + configured and LDAP is set to one of the domains in the + <replaceable>[domains]</replaceable> section. 
+ </para> + <para> +<programlisting> + [domain/LDAP] + id_provider = ldap + auth_provider = ldap + ldap_uri = ldap://ldap.mydomain.org + ldap_search_base = dc=mydomain,dc=org + ldap_tls_reqcert = demand + cache_credentials = true + enumerate = true +</programlisting> + </para> + </refsect1> + + <refsect1 id='notes'> + <title>NOTES</title> + <para> + The descriptions of some of the configuration options in this manual + page are based on the <citerefentry> + <refentrytitle>ldap.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> manual page from the OpenLDAP 2.4 distribution. + </para> + </refsect1> + + <refsect1 id='see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> +</reference> |
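Review bot: the descriptions of ldap_default_authtok and ldap_tls_reqcert in this hunk leave out two caveats an administrator needs. ldap_default_authtok states that only clear text passwords are supported, but nothing says that sssd.conf must then be readable by root only, otherwise the bind credential leaks to every local user; and the ldap_tls_reqcert entries for "never" and "allow" describe the behaviour without saying that both skip server certificate verification entirely, so the text should state that anything weaker than "demand" lets an impersonating server terminate the TLS session undetected and that the default "hard" should be kept (the EXAMPLE section's "ldap_tls_reqcert = demand" is consistent with that). Smaller fixes in the same hunk: DESCRIPTION has "identify provider" (identity), ldap_user_principal has "User Principle Name" (Principal), ldap_force_upper_case_realm says "Set this option to a non-zero value" for a boolean whose default is "false" (say "true"), the ldap_group_member default "memberuid (rfc2307)" should use the "memberUid" spelling that the ldap_schema entry uses, and the refsect1 id 'file-format' no longer matches its title CONFIGURATION OPTIONS.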