commit a6ce1179d1f09ce1f945cb95ddccedfe5853bd58
Author: David O'Brien <davido(a)redhat.com>
Date: Fri Jun 18 13:14:20 2010 +1000
[Bug 590513] SSSD default min_uid not compatible with older defaults
en-US/SSSD.xml | 33 +++++++++++++++++++++------------
1 files changed, 21 insertions(+), 12 deletions(-)
---
diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml
index 8aa89b9..05e73fb 100644
--- a/en-US/SSSD.xml
+++ b/en-US/SSSD.xml
@@ -559,7 +559,7 @@ krb5_realm = EXAMPLE.COM</screen>
<para>If <option>min_id</option> is unspecified, it
defaults to <literal>1</literal> for any back end. This default was chosen to
provide compatibility with existing systems and to ease any migration attempts. LDAP
administrators should be aware that granting identities in this range may conflict with
users in the local <filename>/etc/passwd</filename> file. To avoid these
conflicts, <option>min_id</option> should be set to
<literal>1000</literal> or higher wherever possible.
</para>
<para>
- This restriction applies to both UIDs and GIDs.
+ The <option>min_id</option> option determines the minimum
acceptable value for both UID and GID numbers. Accounts with either UID or GID values
below the <option>min_id</option> value are filtered out and not made
available on the client.
</para>
</important>
</listitem>
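Review bot: the commit title names the option `min_uid`, but the paragraph being rewritten documents it as `<option>min_id</option>`; confirm the option name against sssd.conf(5) before this lands so the bug reference and the text agree. The new wording ("filtered out and not made available on the client") is clearer than the line it replaces, but it would help readers to spell out the practical consequence of the default of `1` stated in the preceding paragraph: with that default, an entry with UID or GID `0` is never returned, while entries from `1` upward can still collide with local accounts in `/etc/passwd`, which is exactly why the paragraph recommends `1000` or higher.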
@@ -683,7 +683,7 @@ ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
</para>
</section>
- <!--<section
+ <section
id="sect-SSSD_User_Guide-Domain_Configuration_Options-Proxy_Configuration_Options">
<title>Proxy Configuration Options</title>
<itemizedlist>
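Review bot: this hunk only removes the `<!--` that opens the commented-out Proxy Configuration Options section; the matching `-->` is removed in the `@@ -701,14 +701,12 @@` hunk below (`- </section>-->` / `+ </section>`). The two must be applied together or the document stops being well-formed XML, so if this change is ever cherry-picked, take both hunks.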
@@ -692,7 +692,7 @@ ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
<option>proxy_pam_target</option>
<type>(string)</type>
</para>
- <para>This option is only used when the
<option>auth_provider</option> option is set to
<literal>proxy</literal>, and specifies the proxy target that
<acronym>PAM</acronym> proxies to.</para>
+ <para>This option is only used when the
<option>auth_provider</option> option is set to
<literal>proxy</literal>, and specifies the target to which
<acronym>PAM</acronym> must proxy.</para>
<para>This option has no default value. If proxy authentication is
required, you need to specify your own <acronym>PAM</acronym> target. This
corresponds to a file containing <acronym>PAM</acronym> stack information in
the system's default <acronym>PAM</acronym> configuration directory. On
&MAJOROS;-based systems, this is the <filename>/etc/pam.d/</filename>
directory.</para>
</listitem>
<listitem>
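Review bot: the rewording from "the proxy target that PAM proxies to" to "the target to which PAM must proxy" is purely stylistic, which is fine, but the surrounding text still leaves one thing unsaid: it states the option has no default and must name a file under `/etc/pam.d/`, yet not what happens when that file does not exist. Suggest adding a sentence that proxy authentication fails in that case rather than falling back to another provider, so that administrators do not misread a missing target as a working configuration.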
@@ -701,14 +701,12 @@ ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
<type>(string)</type>
</para>
<para>This option is only used when the
<option>id_provider</option> option is set to
<literal>proxy</literal>, and specifies which existing NSS library to proxy
identity requests through.</para>
-
<para>This option has no default value. You need to manually specify an
existing library to take advantage of this option. For example, set this value to
<literal>nis</literal> to use the existing
<filename>libnss_nis.so</filename> file.</para>
</listitem>
</itemizedlist>
- </section>-->
+ </section>
-<!-- <para>The following sections contain examples of how to configure
different types of domains.</para> -->
</section>
<!--
<section
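Review bot: besides closing the un-commenting started above, this hunk silently deletes a blank line (the lone `-` between the two `<para>` elements) and removes the commented-out lead-in "The following sections contain examples of how to configure different types of domains." Removing that sentence is reasonable while the examples it introduces are still inside `<!-- ... -->` (the `<section` that follows the `</section>` remains commented out), but the blank-line removal is an unrelated whitespace change and would be cleaner in its own commit.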
@@ -740,12 +738,16 @@ ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
<secondary>Configuring a Native LDAP Domain for</secondary>
</indexterm>
- <para>A native LDAP domain is one where the
<option>id_provider</option> option is set to
<literal>ldap</literal>
(<option>id_provider = ldap</option>). Such a domain
requires a running LDAP server against which to authenticate. The client configuration is
stored in the <filename>/etc/sssd/sssd.conf</filename> file.</para>
- <para>SSSD does not support authentication over an unencrypted channel.
Consequently, if you want to authenticate against an LDAP server, <systemitem
class="protocol">TLS/SSL</systemitem> is required. If the LDAP server
is used only as an identity provider, an encrypted channel is not needed.</para>
- <formalpara
id="form-SSSD_User_Guide-Configuring_a_Native_LDAP_Domain-How_to_Authenticate_Against_a_Native_LDAP_Domain">
- <title>How to Authenticate Against a Native LDAP Domain</title>
- <para>Edit your <filename>/etc/sssd/sssd.conf</filename> file
to reflect the following example:</para>
- </formalpara>
+ <para>
+ A native LDAP domain is one where the <option>id_provider</option>
option is set to <literal>ldap</literal>
(<option>id_provider = ldap</option>). Such a domain
requires a running LDAP server against which to authenticate. This can be an open source
LDAP server such as OpenLDAP or Microsoft Active Directory. SSSD currently supports
Microsoft Active Directory 2003 (+Services For UNIX) and Active Directory 2008. In all
cases, the client configuration is stored in the
<filename>/etc/sssd/sssd.conf</filename> file.
+ </para>
+ <para>
+ SSSD does not support authentication over an unencrypted channel. Consequently,
if you want to authenticate against an LDAP server, <systemitem
class="protocol">TLS/SSL</systemitem> is required. If the LDAP server
is used only as an identity provider, an encrypted channel is not needed.
+ </para>
+ <formalpara
id="form-SSSD_User_Guide-Configuring_a_Native_LDAP_Domain-How_to_Authenticate_Against_a_Native_LDAP_Domain">
+ <title>How to Authenticate Against a Native LDAP Domain</title>
+ <para>Edit your <filename>/etc/sssd/sssd.conf</filename> file
to reflect the following example:</para>
+ </formalpara>
<screen># A native LDAP domain
[domain/LDAP]
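Review bot: the new sentence "This can be an open source LDAP server such as OpenLDAP or Microsoft Active Directory" reads as if Active Directory were an open source server; suggest "This can be an open source LDAP server such as OpenLDAP, or Microsoft Active Directory." The following claim, "SSSD currently supports Microsoft Active Directory 2003 (+Services For UNIX) and Active Directory 2008", is a version statement that will go stale; tie it to the SSSD release this guide documents, and say what "supports" means here (identity lookup, authentication, or both), since the paragraph that follows makes TLS/SSL mandatory for authentication but optional for identity-only use. The TLS paragraph and the formalpara are otherwise carried over unchanged apart from re-indentation.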
@@ -763,6 +765,13 @@ tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
</screen>
+ <formalpara><title>How to Authenticate Against a Microsoft Active Directory
LDAP Domain</title>
+ <indexterm>
+ <primary>SSSD</primary>
+ <secondary>Authenticating against Microsoft Active
Directory</secondary>
+ </indexterm>
+ <para>dummy text</para>
+ </formalpara>
<formalpara>
<title>Selecting an LDAP Schema</title>
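Review bot: the added formalpara contains the placeholder `<para>dummy text</para>`; a placeholder must not ship in a published guide, so either fill in the Active Directory example (including the TLS requirement the previous hunk states) or leave this formalpara out until the content exists. The new element also lacks an `id` attribute, unlike the preceding `form-SSSD_User_Guide-Configuring_a_Native_LDAP_Domain-How_to_Authenticate_Against_a_Native_LDAP_Domain` formalpara; add one in the same naming scheme so it can be cross-referenced.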