commit a6ce1179d1f09ce1f945cb95ddccedfe5853bd58 Author: David O'Brien <davido(a)redhat.com&gt; Date: Fri Jun 18 13:14:20 2010 +1000 [Bug 590513] SSSD default min_uid not compatible with older defaults en-US/SSSD.xml | 33 +++++++++++++++++++++------------ 1 files changed, 21 insertions(+), 12 deletions(-) --- diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml index 8aa89b9..05e73fb 100644 --- a/en-US/SSSD.xml +++ b/en-US/SSSD.xml @@ -559,7 +559,7 @@ krb5_realm = EXAMPLE.COM</screen> <para>If <option>min_id</option> is unspecified, it defaults to <literal>1</literal> for any back end. This default was chosen to provide compatibility with existing systems and to ease any migration attempts. LDAP administrators should be aware that granting identities in this range may conflict with users in the local <filename>/etc/passwd</filename> file. To avoid these conflicts, <option>min_id</option> should be set to <literal>1000</literal> or higher wherever possible. </para> <para> - This restriction applies to both UIDs and GIDs. + The <option>min_id</option> option determines the minimum acceptable value for both UID and GID numbers. Accounts with either UID or GID values below the <option>min_id</option> value are filtered out and not made available on the client. </para> </important> </listitem> @@ -683,7 +683,7 @@ ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh </para> </section> - <!--<section + <section id="sect-SSSD_User_Guide-Domain_Configuration_Options-Proxy_Configuration_Options"> <title>Proxy Configuration Options</title> <itemizedlist> @@ -692,7 +692,7 @@ ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh <option>proxy_pam_target</option> <type>(string)</type> </para> - <para>This option is only used when the <option>auth_provider</option> option is set to <literal>proxy</literal>, and specifies the proxy target that <acronym>PAM</acronym> proxies to.</para> + <para>This option is only used when the <option>auth_provider</option> option is set to <literal>proxy</literal>, and specifies the target to which <acronym>PAM</acronym> must proxy.</para> <para>This option has no default value. If proxy authentication is required, you need to specify your own <acronym>PAM</acronym> target. This corresponds to a file containing <acronym>PAM</acronym> stack information in the system's default <acronym>PAM</acronym> configuration directory. On &MAJOROS;-based systems, this is the <filename>/etc/pam.d/</filename> directory.</para> </listitem> <listitem> @@ -701,14 +701,12 @@ ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh <type>(string)</type> </para> <para>This option is only used when the <option>id_provider</option> option is set to <literal>proxy</literal>, and specifies which existing NSS library to proxy identity requests through.</para> - <para>This option has no default value. You need to manually specify an existing library to take advantage of this option. For example, set this value to <literal>nis</literal> to use the existing <filename>libnss_nis.so</filename> file.</para> </listitem> </itemizedlist> - </section>--> + </section> -<!-- <para>The following sections contain examples of how to configure different types of domains.</para> --> </section> <!-- <section @@ -740,12 +738,16 @@ ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh <secondary>Configuring a Native LDAP Domain for</secondary> </indexterm> - <para>A native LDAP domain is one where the <option>id_provider</option> option is set to <literal>ldap</literal> (<option>id_provider&nbsp;=&nbsp;ldap</option>). Such a domain requires a running LDAP server against which to authenticate. The client configuration is stored in the <filename>/etc/sssd/sssd.conf</filename> file.</para> - <para>SSSD does not support authentication over an unencrypted channel. Consequently, if you want to authenticate against an LDAP server, <systemitem class="protocol">TLS/SSL</systemitem> is required. If the LDAP server is used only as an identity provider, an encrypted channel is not needed.</para> - <formalpara id="form-SSSD_User_Guide-Configuring_a_Native_LDAP_Domain-How_to_Authenticate_Against_a_Native_LDAP_Domain"> - <title>How to Authenticate Against a Native LDAP Domain</title> - <para>Edit your <filename>/etc/sssd/sssd.conf</filename> file to reflect the following example:</para> - </formalpara> + <para> + A native LDAP domain is one where the <option>id_provider</option> option is set to <literal>ldap</literal> (<option>id_provider&nbsp;=&nbsp;ldap</option>). Such a domain requires a running LDAP server against which to authenticate. This can be an open source LDAP server such as OpenLDAP or Microsoft Active Directory. SSSD currently supports Microsoft Active Directory 2003 (+Services For UNIX) and Active Directory 2008. In all cases, the client configuration is stored in the <filename>/etc/sssd/sssd.conf</filename> file. + </para> + <para> + SSSD does not support authentication over an unencrypted channel. Consequently, if you want to authenticate against an LDAP server, <systemitem class="protocol">TLS/SSL</systemitem> is required. If the LDAP server is used only as an identity provider, an encrypted channel is not needed. + </para> + <formalpara id="form-SSSD_User_Guide-Configuring_a_Native_LDAP_Domain-How_to_Authenticate_Against_a_Native_LDAP_Domain"> + <title>How to Authenticate Against a Native LDAP Domain</title> + <para>Edit your <filename>/etc/sssd/sssd.conf</filename> file to reflect the following example:</para> + </formalpara> <screen># A native LDAP domain [domain/LDAP] @@ -763,6 +765,13 @@ tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt </screen> + <formalpara><title>How to Authenticate Against a Microsoft Active Directory LDAP Domain</title> + <indexterm> + <primary>SSSD</primary> + <secondary>Authenticating against Microsoft Active Directory</secondary> + </indexterm> + <para>dummy text</para> + </formalpara> <formalpara> <title>Selecting an LDAP Schema</title>