author Jakub Hrozek <jhrozek@redhat.com> 2017-03-27 09:48:46 +0200
committer Jakub Hrozek <jhrozek@redhat.com> 2017-03-30 14:09:10 +0200
commit 825e8bf2f73a815c2eceb36ae805145fcbacf74d (patch)
tree 8456d4851d62d582d64961a8939708ff13c2a051 /src/man
parent 6324eaf1fb321c41ca9883966118df6d45259b7e (diff)
CONFDB: Allow configuring [application] sections as non-POSIX domains
Related to: https://pagure.io/SSSD/sssd/issue/3310

Allows adding a new section:
    [application/$name]

This section internally (on the confdb level) expands to:
    [domain/$name]
    domain_type = application

The reason to add this new section is two-fold. One, to make the configuration of application domains more explicit and two, to make it possible to share configuration between two domains, one POSIX and one non-POSIX, by the application domain's inherit_from option:
    [application/$name]
    inherit_from = posix_domain_name

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/man')
-rw-r--r-- src/man/sssd.conf.5.xml | 77
1 files changed, 77 insertions, 0 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 9abcff84a..8294793c7 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1539,6 +1539,10 @@ pam_account_locked_message = Account locked, please contact help desk.
<quote>id_provider=ldap</quote> only.
</para>
<para>
+ For an easy way to configure a non-POSIX domains, please
+ see the <quote>Application domains</quote> section.
+ </para>
+ <para>
Default: posix
</para>
</listitem>
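Review bot: Number agreement is off in the added sentence "For an easy way to configure a non-POSIX domains": make it either "a non-POSIX domain" or "non-POSIX domains". Since the paragraph exists only to send the reader to the new section, consider a DocBook cross-reference to the refsect2 id the second hunk introduces (app_domains) instead of a bare <quote>Application domains</quote>, so the pointer survives a later retitling of that section.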
@@ -2692,6 +2696,79 @@ subdomain_inherit = ldap_purge_cache_timeout
</variablelist>
</para>
+ <refsect2 id='app_domains'>
+ <title>Application domains</title>
+ <para>
+ SSSD, with its D-Bus interface (see
+ <citerefentry>
+ <refentrytitle>sssd-ifp</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>) is appealing to applications
+ as a gateway to an LDAP directory where users and groups
+ are stored. However, contrary to the traditional SSSD
+ deployment where all users and groups either have POSIX
+ attributes or those attributes can be inferred from the
+ Windows SIDs, in many cases the users and groups in the
+ application support scenario have no POSIX attributes.
+ Instead of setting a
+ <quote>[domain/<replaceable>NAME</replaceable>]</quote>
+ section, the administrator can set up an
+ <quote>[application/<replaceable>NAME</replaceable>]</quote>
+ section that internally represents a domain with type
+ <quote>application</quote> optionally inherits settings
+ from a tradition SSSD domain.
+ </para>
+ <para>
+ Please note that the application domain must still be
+ explicitly enabled in the <quote>domains</quote> parameter
+ so that the lookup order between the application domain
+ and its POSIX sibling domain is set correctly.
+ </para>
+ <variablelist>
+ <title>Application domain parameters</title>
+ <varlistentry>
+ <term>inherit_from (string)</term>
+ <listitem>
+ <para>
+ The SSSD POSIX-type domain the application
+ domain inherits all settings from. The
+ application domain can moreover add its own
+ settings to the application settings that augment
+ or override the <quote>sibling</quote>
+ domain settings.
+ </para>
+ <para>
+ Default: Not set
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <para>
+ The following example illustrates the use of an application
+ domain. In this setup, the POSIX domain is connected to an LDAP
+ server and is used by the OS through the NSS responder. In addition,
+ the application domains also requests the telephoneNumber attribute,
+ stores it as the phone attribute in the cache and makes the phone
+ attribute reachable through the D-Bus interface.
+ </para>
+<programlisting>
+[sssd]
+domains = appdom, posixdom
+
+[ifp]
+user_attributes = +phone
+
+[domain/posixdom]
+id_provider = ldap
+ldap_uri = ldap://ldap.example.com
+ldap_search_base = dc=example,dc=com
+
+[application/appdom]
+inherit_from = posixdom
+ldap_user_extra_attrs = phone:telephoneNumber
+</programlisting>
+ </refsect2>
+
<refsect2 id='local_domain'>
<title>The local domain section</title>
<para>
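Review bot: The new "Application domains" section has a documentation gap and several wording defects. inherit_from is listed as "Default: Not set", yet the prose never says what an application section is without it; given the commit message, it would help to state that the section then behaves as a standalone domain of type application configured purely by its own options, whereas with inherit_from set it takes over every setting of the named POSIX sibling (in the example, the whole of [domain/posixdom], including the LDAP server and search base), so whatever that sibling can resolve becomes reachable through the D-Bus interface for the attributes listed under [ifp]. The example's "domains = appdom, posixdom" also deserves one sentence on what this ordering does, because the paragraph above it only says that the order between the application domain and its POSIX sibling matters, not which way round it should be. Wording: "a domain with type <quote>application</quote> optionally inherits settings" is missing a relative pronoun ("that optionally inherits"), "a tradition SSSD domain" should be "a traditional SSSD domain", and "the application domains also requests" should be "the application domain also requests".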