SSSD Manual pages sssd-ldap 5 File Formats and Conventions sssd-ldap the configuration file for SSSD DESCRIPTION This manual page describes the configuration of LDAP domains for sssd 8 . For detailed syntax reference, please refer to sssd.conf 5 manual page, section FILE FORMAT There can be more than one LDAP domain configured with SSSD. If you want to authenticate against an LDAP server TLS/SSL is required. sssd does not support authentication over an unencrypted channel. If the LDAP server is used only as an identify provider, an encrypted channel is not needed. CONFIGURATION OPTIONS All the common configuration options for SSSD domains apply for LDAP domains, too. See the sssd.conf 5 manual page, section DOMAIN SECTIONS ldap_uri (string) Specifies the URI of the LDAP server to which SSSD should connect. Default: ldap://localhost ldap_search_base (string) The default base DN to use for performing LDAP user operations. ldap_schema (string) Specifies the Schema Type in use on the target LDAP server. Depending on the selected schema the default attribute names retrieved from the servers may vary. Also the way some attributes are handled may differ. There are currently 2 schema types supported: rfc2307 rfc2307bis The main difference between these 2 schema types is how group memberships are recorder in the server. With rfc2307 group members are listed by name in an attribute called memberUid. With rfc2307bis grpoup members are listed by DN and stored in an attribute called member. Default: rfc2307 ldap_default_bind_dn (string) The default bind DN to use for performing LDAP operations. ldap_default_authtok_type (string) The type of the authentication token of the default bind DN. So far "password" is the only supported value. ldap_default_authtok (string) The authentication token of the default bind DN. So far only a clear text password is supported. ldap_user_search_base (string) An optional base DN to restrict user searches to a specific subtree. Default: the value of ldap_search_base ldap_user_object_class (string) The object class of a user entry in LDAP. Default: posixAccount ldap_user_name (string) The LDAP attribute that corresponds to user's login name. Default: uid ldap_user_uid_number (string) The LDAP attribute that corresponds to user's id. Default: uidNumber ldap_user_gid_number (string) The LDAP attribute that corresponds to user's primary group id. Default: gidNumber ldap_user_gecos (string) The LDAP attribute that corresponds to user's gecos field. Default: gecos ldap_user_home_directory (string) The LDAP attribute that contains the name of the home directory of a user. Default: homeDirectory ldap_user_shell (string) The LDAP attribute that contains the path of the user's default shell. Default: loginShell ldap_user_uuid (string) The LDAP attribute that contains the UUID/GUID of a LDAP user object. Default: nsUniqueId ldap_user_principal (string) The LDAP attribute that contains the Kerberos User Principle Name (UPN) of the user. Default: krbPrincipalName ldap_force_upper_case_realm (boolean) Some directory servers, for example Active Directory, might deliver the realm part of the UPN lower case which may cause the authentication to fail. Set this option to a non-zero value, if you want to use an upper case realm. Default: false ldap_user_fullname (string) The LDAP attribute that corresponds to full name of the user. Default: cn ldap_user_member_of (string) The LDAP attribute that list the user's group memberships. Default: memberOf ldap_group_search_base (string) An optional base DN to restrict group searches to a specific subtree. Default: the value of ldap_search_base ldap_group_object_class (string) The object class of a group entry in LDAP. Default: posixGroup ldap_group_name (string) The LDAP attribute that corresponds to the group name. Default: cn ldap_group_gid_number (string) The LDAP attribute that corresponds to group's id. Default: gidNumber ldap_group_member (string) The LDAP attribute that contains the names of the members of the group. Default: memberuid (rfc2307) / member (rfc2307bis) ldap_group_uuid (string) The LDAP attribute that contains the UUID/GUID of a LDAP group object. Default: nsUniqueId ldap_network_timeout (integer) Specifies the timeout (in seconds) after which the poll 2 / select 2 following a connect 2 returns in case of no activity. Default: 5 ldap_opt_timeout (integer) Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is received. Also controls the timeout when communicating to KDC in case of SASL bind. Default: 5 ldap_tls_reqcert (string) Specifies what checks to perform on server certificates in a TLS session, if any. It can be specified as one of the following values: never = The client will not request or check any server certificate. allow = The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally. try = The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated. demand = The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. hard = Same as demand Default: hard ldap_tls_cacert (string) Specifies the file that contains certificates for all of the Certificate Authorities sssd will recognize. Default: use OpenLDAP defaults, typically in /etc/openldap/ldap.conf ldap_tls_cacertdir (string) Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. Typically the file names need to be the hash of the certificate followed by '.0'. If available cacertdir_rehash can be used to create the correct names. Default: use OpenLDAP defaults, typically in /etc/openldap/ldap.conf ldap_id_use_start_tls (boolean) Specifies that the id_provider connection must also use tls to protect the channel. Default: false ldap_sasl_mech (string) Specify the sasl mechanism to use. Currently only GSSAPI is tested and supported. Default: none ldap_sasl_authid (string) Specify the sasl authorization id to use. When GSSAPI is used, this represents the kerberos principal used for authentication to the directory. Default: host/machine.fqdn@REALM ldap_krb5_keytab (string) Specify keytab to use when using SASL/GSSAPI. Default: System keytab, normally /etc/krb5.keytab ldap_krb5_init_creds (boolean) Specifies that the id_provider should init kerberos credentials (TGT). This action is perfromed only if SASL is used and the mechanism selected is GSSAPI. Default: true krb5_realm (string) Specify the kerberos REALM (for SASL/GSSAPI auth). Default: System defaults, see /etc/krb5.conf ldap_pwd_policy (string) Select the policy to evaluate the password expiration on the client side. The following values are allowed: none No evaluation on the client side. This option cannot disable server side password policies. shadow use shadow 5 style attributes to evaluate if the password is expired. Please note that the current version of sssd cannot update this attribute during a password change. mit_kerberos use the attributes used by MIT Kerberos to evaluate if the password is expired. Use chpass_provider=krb5 to update these attributes when the password is changed. Default: none EXAMPLE The following example assumes that SSSD is correctly configured and LDAP is set set one of the domains in the [domains] section. [domain/LDAP] id_provider = ldap auth_provider = ldap ldap_uri = ldap://ldap.mydomain.org ldap_user_search_base = dc=mydomain,dc=org ldap_tls_reqcert = demand cache_credentials = true enumerate = true NOTES Description of some of the configuration options in this manual page is based on ldap.conf 5 manual page from the OpenLDAP 2.4 distribution. SEE ALSO sssd.conf5 , sssd8