SSSD Manual pages sssd-ipa 5 File Formats and Conventions sssd-ipa the configuration file for SSSD DESCRIPTION This manual page describes the configuration of the IPA provider for sssd 8 . For a detailed syntax reference, refer to the FILE FORMAT section of the sssd.conf 5 manual page. The IPA provider is a back end used to connect to an IPA server. (Refer to the freeipa.org web site for information about IPA servers.) This provider requires that the machine be joined to the IPA domain; configuration is almost entirely self-discovered and obtained directly from the server. The IPA provider accepts the same options used by the sssd-ldap 5 identity provider and the sssd-krb5 5 authentication provider with some exceptions described below. However, it is neither necessary nor recommended to set these options. IPA provider can also be used as an access and chpass provider. As an access provider it uses HBAC (host-based access control) rules. Please refer to freeipa.org for more information about HBAC. No configuration of access provider is required on the client side. The IPA provider will use the PAC responder if the Kerberos tickets of users from trusted realms contain a PAC. To make configuration easier the PAC responder is started automatically if the IPA ID provider is configured. CONFIGURATION OPTIONS Refer to the section DOMAIN SECTIONS of the sssd.conf 5 manual page for details on the configuration of an SSSD domain. ipa_domain (string) Specifies the name of the IPA domain. This is optional. If not provided, the configuration domain name is used. ipa_server, ipa_backup_server (string) The comma-separated list of IP addresses or hostnames of the IPA servers to which SSSD should connect in the order of preference. For more information on failover and server redundancy, see the FAILOVER section. This is optional if autodiscovery is enabled. For more information on service discovery, refer to the SERVICE DISCOVERY section. ipa_hostname (string) Optional. May be set on machines where the hostname(5) does not reflect the fully qualified name used in the IPA domain to identify this host. dyndns_update (boolean) Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client. The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise specified by using the dyndns_iface option. NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, the default Kerberos realm must be set properly in /etc/krb5.conf NOTE: While it is still possible to use the old ipa_dyndns_update option, users should migrate to using dyndns_update in their config file. Default: false dyndns_ttl (integer) The TTL to apply to the client DNS record when updating it. If dyndns_update is false this has no effect. This will override the TTL serverside if set by an administrator. NOTE: While it is still possible to use the old ipa_dyndns_ttl option, users should migrate to using dyndns_ttl in their config file. Default: 1200 (seconds) dyndns_iface (string) Optional. Applicable only when dyndns_update is true. Choose the interface whose IP address should be used for dynamic DNS updates. NOTE: While it is still possible to use the old ipa_dyndns_iface option, users should migrate to using dyndns_iface in their config file. Default: Use the IP address of the IPA LDAP connection ipa_enable_dns_sites (boolean) Enables DNS sites - location based service discovery. If true and service discovery (see Service Discovery paragraph at the bottom of the man page) is enabled, then the SSSD will first attempt location based discovery using a query that contains "_location.hostname.example.com" and then fall back to traditional SRV discovery. If the location based discovery succeeds, the IPA servers located with the location based discovery are treated as primary servers and the IPA servers located using the traditional SRV discovery are used as back up servers Default: false dyndns_refresh_interval (integer) How often should the back end perform periodic DNS update in addition to the automatic update performed when the back end goes online. This option is optional and applicable only when dyndns_update is true. Default: 0 (disabled) dyndns_update_ptr (bool) Whether the PTR record should also be explicitly updated when updating the client's DNS records. Applicable only when dyndns_update is true. This option should be False in most IPA deployments as the IPA server generates the PTR records automatically when forward records are changed. Default: False (disabled) dyndns_force_tcp (bool) Whether the nsupdate utility should default to using TCP for communicating with the DNS server. Default: False (let nsupdate choose the protocol) ipa_hbac_search_base (string) Optional. Use the given string as search base for HBAC related objects. Default: Use base DN ipa_host_search_base (string) Optional. Use the given string as search base for host objects. See ldap_search_base for information about configuring multiple search bases. If filter is given in any of search bases and ipa_hbac_support_srchost is set to False, the filter will be ignored. Default: the value of ldap_search_base ipa_selinux_search_base (string) Optional. Use the given string as search base for SELinux user maps. See ldap_search_base for information about configuring multiple search bases. Default: the value of ldap_search_base ipa_subdomains_search_base (string) Optional. Use the given string as search base for trusted domains. See ldap_search_base for information about configuring multiple search bases. Default: the value of cn=trusts,%basedn ipa_master_domain_search_base (string) Optional. Use the given string as search base for master domain object. See ldap_search_base for information about configuring multiple search bases. Default: the value of cn=ad,cn=etc,%basedn krb5_validate (boolean) Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. Default: true Note that this default differs from the traditional Kerberos provider back end. krb5_realm (string) The name of the Kerberos realm. This is optional and defaults to the value of ipa_domain. The name of the Kerberos realm has a special meaning in IPA - it is converted into the base DN to use for performing LDAP operations. krb5_canonicalize (boolean) Specifies if the host and user principal should be canonicalized when connecting to IPA LDAP and also for AS requests. This feature is available with MIT Kerberos >= 1.7 Default: true ipa_hbac_refresh (integer) The amount of time between lookups of the HBAC rules against the IPA server. This will reduce the latency and load on the IPA server if there are many access-control requests made in a short period. Default: 5 (seconds) ipa_hbac_selinux (integer) The amount of time between lookups of the SELinux maps against the IPA server. This will reduce the latency and load on the IPA server if there are many user login requests made in a short period. Default: 5 (seconds) ipa_hbac_treat_deny_as (string) This option specifies how to treat the deprecated DENY-type HBAC rules. As of FreeIPA v2.1, DENY rules are no longer supported on the server. All users of FreeIPA will need to migrate their rules to use only the ALLOW rules. The client will support two modes of operation during this transition period: DENY_ALL: If any HBAC DENY rules are detected, all users will be denied access. IGNORE: SSSD will ignore any DENY rules. Be very careful with this option, as it may result in opening unintended access. Default: DENY_ALL ipa_hbac_support_srchost (boolean) If this is set to false, then srchost as given to SSSD by PAM will be ignored. Note that if set to False, this option casuses filters given in ipa_host_search_base to be ignored; Default: false ipa_automount_location (string) The automounter location this IPA client will be using Default: The location named "default" ipa_netgroup_member_of (string) The LDAP attribute that lists netgroup's memberships. Default: memberOf ipa_netgroup_member_user (string) The LDAP attribute that lists system users and groups that are direct members of the netgroup. Default: memberUser ipa_netgroup_member_host (string) The LDAP attribute that lists hosts and host groups that are direct members of the netgroup. Default: memberHost ipa_netgroup_member_ext_host (string) The LDAP attribute that lists FQDNs of hosts and host groups that are members of the netgroup. Default: externalHost ipa_netgroup_domain (string) The LDAP attribute that contains NIS domain name of the netgroup. Default: nisDomainName ipa_host_object_class (string) The object class of a host entry in LDAP. Default: ipaHost ipa_host_fqdn (string) The LDAP attribute that contains FQDN of the host. Default: fqdn ipa_selinux_usermap_object_class (string) The object class of a host entry in LDAP. Default: ipaHost ipa_selinux_usermap_name (string) The LDAP attribute that contains the name of SELinux usermap. Default: cn ipa_selinux_usermap_member_user (string) The LDAP attribute that contains all users / groups this rule match against. Default: memberUser ipa_selinux_usermap_member_host (string) The LDAP attribute that contains all hosts / hostgroups this rule match against. Default: memberHost ipa_selinux_usermap_see_also (string) The LDAP attribute that contains DN of HBAC rule which can be used for matching instead of memberUser and memberHost Default: seeAlso ipa_selinux_usermap_selinux_user (string) The LDAP attribute that contains SELinux user string itself. Default: ipaSELinuxUser ipa_selinux_usermap_enabled (string) The LDAP attribute that contains whether or not is user map enabled for usage. Default: ipaEnabledFlag ipa_selinux_usermap_user_category (string) The LDAP attribute that contains user category such as 'all'. Default: userCategory ipa_selinux_usermap_host_category (string) The LDAP attribute that contains host category such as 'all'. Default: hostCategory ipa_selinux_usermap_uuid (string) The LDAP attribute that contains unique ID of the user map. Default: ipaUniqueID ipa_host_ssh_public_key (string) The LDAP attribute that contains the host's SSH public keys. Default: ipaSshPubKey SUBDOMAINS PROVIDER The IPA subdomains provider behaves slightly differently if it is configured explicitly or implicitly. If the option 'subdomains_provider = ipa' is found in the domain section of sssd.conf, the IPA subdomains provider is configured explicitly, and all subdomain requests are sent to the IPA server if necessary. If the option 'subdomains_provider' is not set in the domain section of sssd.conf but there is the option 'id_provider = ipa', the IPA subdomains provider is configured implicitly. In this case, if a subdomain request fails and indicates that the server does not support subdomains, i.e. is not configured for trusts, the IPA subdomains provider is disabled. After an hour or after the IPA provider goes online, the subdomains provider is enabled again. EXAMPLE The following example assumes that SSSD is correctly configured and example.com is one of the domains in the [sssd] section. This examples shows only the ipa provider-specific options. [domain/example.com] id_provider = ipa ipa_server = ipaserver.example.com ipa_hostname = myhost.example.com