From 1c48b5a62f73234ed26bb20f0ab345ab61cda0ab Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 18 Feb 2010 07:49:04 -0500 Subject: Rename server/ directory to src/ Also update BUILD.txt --- src/man/sssd-ldap.5.xml | 688 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 688 insertions(+) create mode 100644 src/man/sssd-ldap.5.xml (limited to 'src/man/sssd-ldap.5.xml') diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml new file mode 100644 index 000000000..b79cbbc9a --- /dev/null +++ b/src/man/sssd-ldap.5.xml 
@@ -0,0 +1,688 @@ + + + +SSSD Manual pages + + + + + sssd-ldap + 5 + File Formats and Conventions + + + + sssd-ldap + the configuration file for SSSD + + + + DESCRIPTION + + This manual page describes the configuration of LDAP + domains for + + sssd + 8 + . + Refer to the FILE FORMAT section of the + + sssd.conf + 5 + manual page for detailed syntax information. + + You can configure SSSD to use more than one LDAP domain. + + + If you want to authenticate against an LDAP server then TLS/SSL is + required. sssd does not + support authentication over an unencrypted channel. If the LDAP + server is used only as an identify provider, an encrypted channel + is not needed. + + + + + CONFIGURATION OPTIONS + + All of the common configuration options that apply to SSSD domains also apply + to LDAP domains. Refer to the DOMAIN SECTIONS section of the + + sssd.conf + 5 + manual page for full details. + + + + ldap_uri (string) + + + Specifies the list of URIs of the LDAP servers to which + SSSD should connect in the order of preference. Refer to the + FAILOVER section for more information on failover and server redundancy. + + + Default: ldap://localhost + + + + + + ldap_search_base (string) + + + The default base DN to use for + performing LDAP user operations. + + + + + + ldap_schema (string) + + + Specifies the Schema Type in use on the target LDAP + server. + Depending on the selected schema, the default + attribute names retrieved from the servers may vary. + The way that some attributes are handled may also differ. + + Two schema types are currently supported: + rfc2307 + rfc2307bis + + The main difference between these two schema types is + how group memberships are recorded in the server. + With rfc2307, group members are listed by name in the + memberUid attribute. + With rfc2307bis, group members are listed by DN and + stored in the member attribute. 
+ + + + Default: rfc2307 + + + + + + ldap_default_bind_dn (string) + + + The default bind DN to use for + performing LDAP operations. + + + + + + ldap_default_authtok_type (string) + + + The type of the authentication token of the + default bind DN. The only currently supported value is "password". + + + + + + ldap_default_authtok (string) + + + The authentication token of the default bind DN. + Only clear text passwords are currently supported. + + + + + + ldap_user_search_base (string) + + + An optional base DN to restrict user searches + to a specific subtree. + + + Default: the value of + ldap_search_base + + + + + + ldap_user_object_class (string) + + + The object class of a user entry in LDAP. + + + Default: posixAccount + + + + + + ldap_user_name (string) + + + The LDAP attribute that corresponds to the + user's login name. + + + Default: uid + + + + + + ldap_user_uid_number (string) + + + The LDAP attribute that corresponds to the + user's id. + + + Default: uidNumber + + + + + + ldap_user_gid_number (string) + + + The LDAP attribute that corresponds to the + user's primary group id. + + + Default: gidNumber + + + + + + ldap_user_gecos (string) + + + The LDAP attribute that corresponds to the + user's gecos field. + + + Default: gecos + + + + + + ldap_user_home_directory (string) + + + The LDAP attribute that contains the name of the user's + home directory. + + + Default: homeDirectory + + + + + + ldap_user_shell (string) + + + The LDAP attribute that contains the path to the + user's default shell. + + + Default: loginShell + + + + + + ldap_user_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of + an LDAP user object. + + + Default: nsUniqueId + + + + + + ldap_user_principal (string) + + + The LDAP attribute that contains the user's Kerberos + User Principle Name (UPN). 
+ + + Default: krbPrincipalName + + + + + + ldap_force_upper_case_realm (boolean) + + + Some directory servers, for example Active Directory, + might deliver the realm part of the UPN in lower case, + which might cause the authentication to fail. Set this + option to a non-zero value if you want to use an + upper-case realm. + + + Default: false + + + + + + ldap_user_fullname (string) + + + The LDAP attribute that corresponds to the + user's full name. + + + Default: cn + + + + + + ldap_user_member_of (string) + + + The LDAP attribute that lists the user's + group memberships. + + + Default: memberOf + + + + + + ldap_group_search_base (string) + + + An optional base DN to restrict group searches + to a specific subtree. + + + Default: the value of + ldap_search_base + + + + + + ldap_group_object_class (string) + + + The object class of a group entry in LDAP. + + + Default: posixGroup + + + + + + ldap_group_name (string) + + + The LDAP attribute that corresponds to + the group name. + + + Default: cn + + + + + + ldap_group_gid_number (string) + + + The LDAP attribute that corresponds to the + group's id. + + + Default: gidNumber + + + + + + ldap_group_member (string) + + + The LDAP attribute that contains the names of + the group's members. + + + Default: memberuid (rfc2307) / member (rfc2307bis) + + + + + + ldap_group_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of + an LDAP group object. + + + Default: nsUniqueId + + + + + + ldap_network_timeout (integer) + + + Specifies the timeout (in seconds) after which + the + + poll + 2 + / + select + 2 + + following a + + connect + 2 + + returns in case of no activity. + + + Default: 5 + + + + + + ldap_opt_timeout (integer) + + + Specifies a timeout (in seconds) after which + calls to synchronous LDAP APIs will abort if no + response is received. Also controls the timeout + when communicating with the KDC in case of SASL bind. 
+ + + Default: 5 + + + + + + ldap_tls_reqcert (string) + + + Specifies what checks to perform on server + certificates in a TLS session, if any. It + can be specified as one of the following + values: + + + never = The client will + not request or check any server certificate. + + + allow = The server + certificate is requested. If no certificate is + provided, the session proceeds normally. If a + bad certificate is provided, it will be ignored + and the session proceeds normally. + + + try = The server certificate + is requested. If no certificate is provided, the + session proceeds normally. If a bad certificate + is provided, the session is immediately terminated. + + + demand = The server + certificate is requested. If no certificate + is provided, or a bad certificate is provided, + the session is immediately terminated. + + + hard = Same as + demand + + + Default: hard + + + + + + ldap_tls_cacert (string) + + + Specifies the file that contains certificates for + all of the Certificate Authorities that + sssd will recognize. + + + Default: use OpenLDAP defaults, typically in + /etc/openldap/ldap.conf + + + + + + ldap_tls_cacertdir (string) + + + Specifies the path of a directory that contains + Certificate Authority certificates in separate + individual files. Typically the file names need to + be the hash of the certificate followed by '.0'. + If available, cacertdir_rehash + can be used to create the correct names. + + + Default: use OpenLDAP defaults, typically in + /etc/openldap/ldap.conf + + + + + + ldap_id_use_start_tls (boolean) + + + Specifies that the id_provider connection must also + use tls to protect the channel. + + + Default: false + + + + + + ldap_sasl_mech (string) + + + Specify the SASL mechanism to use. + Currently only GSSAPI is tested and supported. + + + Default: none + + + + + + ldap_sasl_authid (string) + + + Specify the SASL authorization id to use. 
+ When GSSAPI is used, this represents the Kerberos + principal used for authentication to the directory. + + + Default: host/machine.fqdn@REALM + + + + + + ldap_krb5_keytab (string) + + + Specify the keytab to use when using SASL/GSSAPI. + + + Default: System keytab, normally /etc/krb5.keytab + + + + + + ldap_krb5_init_creds (boolean) + + + Specifies that the id_provider should init + Kerberos credentials (TGT). + This action is performed only if SASL is used and + the mechanism selected is GSSAPI. + + + Default: true + + + + + + krb5_realm (string) + + + Specify the Kerberos REALM (for SASL/GSSAPI auth). + + + Default: System defaults, see /etc/krb5.conf + + + + + + ldap_pwd_policy (string) + + + Select the policy to evaluate the password + expiration on the client side. The following values + are allowed: + + + none - No evaluation on the + client side. This option cannot disable server-side + password policies. + + + shadow - Use + shadow + 5 style + attributes to evaluate if the password has expired. + Note that the current version of sssd cannot + update this attribute during a password change. + + + mit_kerberos - Use the attributes + used by MIT Kerberos to determine if the password has + expired. Use chpass_provider=krb5 to update these + attributes when the password is changed. + + + Default: none + + + + + + ldap_referrals (boolean) + + + Specifies whether automatic referral chasing should + be enabled. + + + Please note that sssd only supports referral chasing + when it is compiled with OpenLDAP version 2.4.13 or + higher. + + + Default: true + + + + + + + + + + + + EXAMPLE + + The following example assumes that SSSD is correctly + configured and LDAP is set to one of the domains in the + [domains] section. 
+ + + + [domain/LDAP] + id_provider = ldap + auth_provider = ldap + ldap_uri = ldap://ldap.mydomain.org + ldap_search_base = dc=mydomain,dc=org + ldap_tls_reqcert = demand + cache_credentials = true + enumerate = true + + + + + + NOTES + + The descriptions of some of the configuration options in this manual + page are based on the + ldap.conf + 5 + manual page from the OpenLDAP 2.4 distribution. + + + + + SEE ALSO + + + sssd.conf5 + , + + sssd-krb55 + , + + sssd8 + + + + + -- cgit
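Review bot: the DESCRIPTION states that TLS/SSL is required whenever SSSD authenticates against the LDAP server and that authentication over an unencrypted channel is unsupported, yet the EXAMPLE section sets `auth_provider = ldap` against a plain `ldap://ldap.mydomain.org` URI and neither the `ldap_uri` nor the `ldap_id_use_start_tls` entry explains how a plain `ldap://` URI satisfies that requirement (StartTLS on the auth connection, or an `ldaps://` URI); please add a sentence to `ldap_uri` or to the example stating which of the two is meant, since a reader of this page cannot tell whether the example authenticates in the clear or whether the bind is silently upgraded. Smaller points in the same hunk: `ldap_sasl_authid` is described as the "SASL authorization id" but the next sentence says it is the Kerberos principal used for authentication to the directory, which is the SASL authentication id (authcid), so one of the two sentences should be corrected; `ldap_force_upper_case_realm` is declared a boolean with `Default: false` but tells the user to set it "to a non-zero value", which should read "to true"; `ldap_group_member` gives `Default: memberuid (rfc2307)` while the `ldap_schema` entry spells the attribute `memberUid`, and the two should agree; and two typos, "identify provider" for "identity provider" in DESCRIPTION and "User Principle Name" for "User Principal Name" under `ldap_user_principal`.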