From 1620655d069823d60e9bc1eab86f2abb6b2cc127 Mon Sep 17 00:00:00 2001 From: Alex Rodin Date: Thu, 7 Nov 2019 08:18:58 -0500 Subject: [PATCH] Created a new sssd-ldap-attributes.5 man page man: Created a new sssd-ldap-attributes.5 man page I've moved all SSSD LDAP mapping attributes from sssd-ldap.5 to a new sssd-ldap-attributes.5 man page Resolves: https://pagure.io/SSSD/sssd/issue/689 --- contrib/sssd.spec.in | 1 + contrib/suse/sssd.spec.in | 1 + src/man/Makefile.am | 2 +- src/man/include/autofs_attributes.xml | 70 ++ src/man/sssd-ldap-attributes.5.xml | 1186 ++++++++++++++++++++++ src/man/sssd-ldap.5.xml | 1342 ++----------------------- 6 files changed, 1348 insertions(+), 1254 deletions(-) create mode 100644 src/man/include/autofs_attributes.xml create mode 100644 src/man/sssd-ldap-attributes.5.xml diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index e5a4ec2465..e7bb5cf332 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -1099,6 +1099,7 @@ done %license COPYING %{_libdir}/%{name}/libsss_ldap.so %{_mandir}/man5/sssd-ldap.5* +%{_mandir}/man5/sssd-ldap-attributes.5* %files krb5-common %defattr(-,root,root,-) diff --git a/contrib/suse/sssd.spec.in b/contrib/suse/sssd.spec.in index 847a79a159..ab067e2ba9 100644 --- a/contrib/suse/sssd.spec.in +++ b/contrib/suse/sssd.spec.in @@ -195,6 +195,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man5/sssd-ipa.5* %{_mandir}/man5/sssd-krb5.5* %{_mandir}/man5/sssd-ldap.5* +%{_mandir}/man5/sssd-ldap-attributes.5* %{_mandir}/man8/sssd.8* %{_mandir}/man8/sss_groupadd.8* %{_mandir}/man8/sss_groupdel.8* diff --git a/src/man/Makefile.am b/src/man/Makefile.am index e11dbf4562..7d45c1b248 100644 --- a/src/man/Makefile.am +++ b/src/man/Makefile.am @@ -71,7 +71,7 @@ endif EXTRA_DIST = $(wildcard $(srcdir)/*.xml) $(wildcard $(srcdir)/include/*.xml) man_MANS = \ - sssd.8 sssd.conf.5 sssd-ldap.5 \ + sssd.8 sssd.conf.5 sssd-ldap.5 sssd-ldap-attributes.5 \ sssd-krb5.5 sssd-simple.5 sss-certmap.5 \ sssd_krb5_locator_plugin.8 \ pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 sss_seed.8 \ diff --git a/src/man/include/autofs_attributes.xml b/src/man/include/autofs_attributes.xml new file mode 100644 index 0000000000..c804cb0969 --- /dev/null +++ b/src/man/include/autofs_attributes.xml @@ -0,0 +1,70 @@ + + + ldap_autofs_map_object_class (string) + + + The object class of an automount map entry in LDAP. + + + Default: nisMap (rfc2307, autofs_provider=ad), + otherwise automountMap + + + + + + ldap_autofs_map_name (string) + + + The name of an automount map entry in LDAP. + + + Default: nisMapName (rfc2307, + autofs_provider=ad), otherwise automountMapName + + + + + + ldap_autofs_entry_object_class (string) + + + The object class of an automount entry + in LDAP. The entry usually corresponds to a mount + point. + + + Default: nisObject (rfc2307, autofs_provider=ad), + otherwise automount + + + + + + ldap_autofs_entry_key (string) + + + The key of an automount entry in LDAP. The + entry usually corresponds to a mount point. + + + Default: cn (rfc2307, autofs_provider=ad), + otherwise automountKey + + + + + + ldap_autofs_entry_value (string) + + + The key of an automount entry in LDAP. The + entry usually corresponds to a mount point. + + + Default: nisMapEntry (rfc2307, + autofs_provider=ad), otherwise automountInformation + + + + \ No newline at end of file diff --git a/src/man/sssd-ldap-attributes.5.xml b/src/man/sssd-ldap-attributes.5.xml new file mode 100644 index 0000000000..56aa044f84 --- /dev/null +++ b/src/man/sssd-ldap-attributes.5.xml @@ -0,0 +1,1186 @@ + + + +SSSD Manual pages + + + + + sssd-ldap-attributes + 5 + File Formats and Conventions + + + + sssd-ldap-attributes + SSSD LDAP Provider: Mapping Attributes + + + + DESCRIPTION + + This manual page describes the mapping attributes of + SSSD LDAP provider + + sssd-ldap + 5 + . Refer to the + + sssd-ldap + 5 + manual page for full details about SSSD LDAP provider + configuration options. + + + + + USER ATTRIBUTES + + + + ldap_user_object_class (string) + + + The object class of a user entry in LDAP. + + + Default: posixAccount + + + + + + ldap_user_name (string) + + + The LDAP attribute that corresponds to the + user's login name. + + + Default: uid (rfc2307, rfc2307bis and IPA), + sAMAccountName (AD) + + + + + + ldap_user_uid_number (string) + + + The LDAP attribute that corresponds to the + user's id. + + + Default: uidNumber + + + + + + ldap_user_gid_number (string) + + + The LDAP attribute that corresponds to the + user's primary group id. + + + Default: gidNumber + + + + + + ldap_user_primary_group (string) + + + Active Directory primary group attribute + for ID-mapping. Note that this attribute should + only be set manually if you are running the + ldap provider with ID mapping. + + + Default: unset (LDAP), primaryGroupID (AD) + + + + + + ldap_user_gecos (string) + + + The LDAP attribute that corresponds to the + user's gecos field. + + + Default: gecos + + + + + + ldap_user_home_directory (string) + + + The LDAP attribute that contains the name of the user's + home directory. + + + Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD) + + + + + + ldap_user_shell (string) + + + The LDAP attribute that contains the path to the + user's default shell. + + + Default: loginShell + + + + + + ldap_user_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of + an LDAP user object. + + + Default: not set in the general case, objectGUID for + AD and ipaUniqueID for IPA + + + + + + ldap_user_objectsid (string) + + + The LDAP attribute that contains the objectSID of + an LDAP user object. This is usually only + necessary for ActiveDirectory servers. + + + Default: objectSid for ActiveDirectory, not set + for other servers. + + + + + + ldap_user_modify_timestamp (string) + + + The LDAP attribute that contains timestamp of the + last modification of the parent object. + + + Default: modifyTimestamp + + + + + + ldap_user_shadow_last_change (string) + + + When using ldap_pwd_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (date of the last + password change). + + + Default: shadowLastChange + + + + + + ldap_user_shadow_min (string) + + + When using ldap_pwd_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (minimum password age). + + + Default: shadowMin + + + + + + ldap_user_shadow_max (string) + + + When using ldap_pwd_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (maximum password age). + + + Default: shadowMax + + + + + + ldap_user_shadow_warning (string) + + + When using ldap_pwd_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (password warning + period). + + + Default: shadowWarning + + + + + + ldap_user_shadow_inactive (string) + + + When using ldap_pwd_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (password inactivity + period). + + + Default: shadowInactive + + + + + + ldap_user_shadow_expire (string) + + + When using ldap_pwd_policy=shadow or + ldap_account_expire_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (account expiration date). + + + Default: shadowExpire + + + + + + ldap_user_krb_last_pwd_change (string) + + + When using ldap_pwd_policy=mit_kerberos, this + parameter contains the name of an LDAP attribute + storing the date and time of last password change + in kerberos. + + + Default: krbLastPwdChange + + + + + + ldap_user_krb_password_expiration (string) + + + When using ldap_pwd_policy=mit_kerberos, this + parameter contains the name of an LDAP attribute + storing the date and time when current password + expires. + + + Default: krbPasswordExpiration + + + + + + ldap_user_ad_account_expires (string) + + + When using ldap_account_expire_policy=ad, this + parameter contains the name of an LDAP attribute + storing the expiration time of the account. + + + Default: accountExpires + + + + + + ldap_user_ad_user_account_control (string) + + + When using ldap_account_expire_policy=ad, this + parameter contains the name of an LDAP attribute + storing the user account control bit field. + + + Default: userAccountControl + + + + + + ldap_ns_account_lock (string) + + + When using ldap_account_expire_policy=rhds or + equivalent, this parameter determines if access is + allowed or not. + + + Default: nsAccountLock + + + + + + ldap_user_nds_login_disabled (string) + + + When using ldap_account_expire_policy=nds, this + attribute determines if access is allowed or not. + + + Default: loginDisabled + + + + + + ldap_user_nds_login_expiration_time (string) + + + When using ldap_account_expire_policy=nds, this + attribute determines until which date access is + granted. + + + Default: loginDisabled + + + + + + ldap_user_nds_login_allowed_time_map (string) + + + When using ldap_account_expire_policy=nds, this + attribute determines the hours of a day in a week + when access is granted. + + + Default: loginAllowedTimeMap + + + + + + ldap_user_principal (string) + + + The LDAP attribute that contains the user's Kerberos + User Principal Name (UPN). + + + Default: krbPrincipalName + + + + + + ldap_user_extra_attrs (string) + + + Comma-separated list of LDAP attributes that SSSD + would fetch along with the usual set of user + attributes. + + + The list can either contain LDAP attribute names + only, or colon-separated tuples of SSSD cache + attribute name and LDAP attribute name. In + case only LDAP attribute name is specified, + the attribute is saved to the cache verbatim. + Using a custom SSSD attribute name might be + required by environments that configure several + SSSD domains with different LDAP schemas. + + + Please note that several attribute names are + reserved by SSSD, notably the name + attribute. SSSD would report an error if any of + the reserved attribute names is used as an extra + attribute name. + + + Examples: + + + ldap_user_extra_attrs = telephoneNumber + + + Save the telephoneNumber attribute from LDAP + as telephoneNumber to the cache. + + + ldap_user_extra_attrs = phone:telephoneNumber + + + Save the telephoneNumber attribute from LDAP + as phone to the cache. + + + Default: not set + + + + + + ldap_user_ssh_public_key (string) + + + The LDAP attribute that contains the user's SSH + public keys. + + + Default: sshPublicKey + + + + + + ldap_user_fullname (string) + + + The LDAP attribute that corresponds to the + user's full name. + + + Default: cn + + + + + + ldap_user_member_of (string) + + + The LDAP attribute that lists the user's + group memberships. + + + Default: memberOf + + + + + + ldap_user_authorized_service (string) + + + If access_provider=ldap and + ldap_access_order=authorized_service, SSSD will + use the presence of the authorizedService + attribute in the user's LDAP entry to determine + access privilege. + + + An explicit deny (!svc) is resolved first. Second, + SSSD searches for explicit allow (svc) and finally + for allow_all (*). + + + Please note that the ldap_access_order + configuration option must include + authorized_service in order for the + ldap_user_authorized_service option + to work. + + + Some distributions (such as Fedora-29+ or RHEL-8) + always include the systemd-user PAM + service as part of the login process. Therefore when + using service-based access control, the + systemd-user service might need to be + added to the list of allowed services. + + + Default: authorizedService + + + + + + ldap_user_authorized_host (string) + + + If access_provider=ldap and + ldap_access_order=host, SSSD will use the presence + of the host attribute in the user's LDAP entry to + determine access privilege. + + + An explicit deny (!host) is resolved first. Second, + SSSD searches for explicit allow (host) and finally + for allow_all (*). + + + Please note that the ldap_access_order + configuration option must + include host in order for the + ldap_user_authorized_host option + to work. + + + Default: host + + + + + + ldap_user_authorized_rhost (string) + + + If access_provider=ldap and + ldap_access_order=rhost, SSSD will use the presence + of the rhost attribute in the user's LDAP entry to + determine access privilege. Similarly to host + verification process. + + + An explicit deny (!rhost) is resolved first. Second, + SSSD searches for explicit allow (rhost) and finally + for allow_all (*). + + + Please note that the ldap_access_order + configuration option must + include rhost in order for the + ldap_user_authorized_rhost option + to work. + + + Default: rhost + + + + + + ldap_user_certificate (string) + + + Name of the LDAP attribute containing the X509 + certificate of the user. + + + Default: userCertificate;binary + + + + + + ldap_user_email (string) + + + Name of the LDAP attribute containing the email + address of the user. + + + Note: If an email address of a user conflicts with + an email address or fully qualified name of another + user, then SSSD will not be able to serve those + users properly. If for some reason several users + need to share the same email address then set + this option to a nonexistent attribute name in + order to disable user lookup/login by email. + + + Default: mail + + + + + + + + + GROUP ATTRIBUTES + + + + ldap_group_object_class (string) + + + The object class of a group entry in LDAP. + + + Default: posixGroup + + + + + + ldap_group_name (string) + + + The LDAP attribute that corresponds to + the group name. + + + Default: cn (rfc2307, rfc2307bis and IPA), + sAMAccountName (AD) + + + + + + ldap_group_gid_number (string) + + + The LDAP attribute that corresponds to the + group's id. + + + Default: gidNumber + + + + + + ldap_group_member (string) + + + The LDAP attribute that contains the names of + the group's members. + + + Default: memberuid (rfc2307) / member (rfc2307bis) + + + + + + ldap_group_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of + an LDAP group object. + + + Default: not set in the general case, objectGUID for + AD and ipaUniqueID for IPA + + + + + + ldap_group_objectsid (string) + + + The LDAP attribute that contains the objectSID of + an LDAP group object. This is usually only + necessary for ActiveDirectory servers. + + + Default: objectSid for ActiveDirectory, not set + for other servers. + + + + + + ldap_group_modify_timestamp (string) + + + The LDAP attribute that contains timestamp of the + last modification of the parent object. + + + Default: modifyTimestamp + + + + + + ldap_group_type (string) + + + The LDAP attribute that contains an integer value + indicating the type of the group and maybe other + flags. + + + This attribute is currently only used by the AD + provider to determine if a group is a domain local + groups and has to be filtered out for trusted + domains. + + + Default: groupType in the AD provider, otherwise not + set + + + + + + ldap_group_external_member (string) + + + The LDAP attribute that references group + members that are defined in an external + domain. At the moment, only IPA's external + members are supported. + + + Default: ipaExternalMember in the IPA provider, + otherwise unset. + + + + + + + + + NETGROUP ATTRIBUTES + + + + ldap_netgroup_object_class (string) + + + The object class of a netgroup entry in LDAP. + + + In IPA provider, ipa_netgroup_object_class should + be used instead. + + + Default: nisNetgroup + + + + + + ldap_netgroup_name (string) + + + The LDAP attribute that corresponds to + the netgroup name. + + + In IPA provider, ipa_netgroup_name should + be used instead. + + + Default: cn + + + + + + ldap_netgroup_member (string) + + + The LDAP attribute that contains the names of + the netgroup's members. + + + In IPA provider, ipa_netgroup_member should + be used instead. + + + Default: memberNisNetgroup + + + + + + ldap_netgroup_triple (string) + + + The LDAP attribute that contains the (host, user, + domain) netgroup triples. + + + This option is not available in IPA provider. + + + Default: nisNetgroupTriple + + + + + + ldap_netgroup_modify_timestamp (string) + + + The LDAP attribute that contains timestamp of the + last modification of the parent object. + + + This option is not available in IPA provider. + + + Default: modifyTimestamp + + + + + + + + + HOST ATTRIBUTES + + + + ldap_host_object_class (string) + + + The object class of a host entry in LDAP. + + + Default: ipService + + + + + + ldap_host_name (string) + + + The LDAP attribute that corresponds to the host's + name. + + + Default: cn + + + + + + ldap_host_fqdn (string) + + + The LDAP attribute that corresponds to the host's + fully-qualified domain name. + + + Default: fqdn + + + + + + ldap_host_serverhostname (string) + + + The LDAP attribute that corresponds to the host's + name. + + + Default: serverHostname + + + + + + ldap_host_member_of (string) + + + The LDAP attribute that lists the host's group + memberships. + + + Default: memberOf + + + + + + ldap_host_ssh_public_key (string) + + + The LDAP attribute that contains the host's SSH + public keys. + + + Default: sshPublicKey + + + + + + ldap_host_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of + an LDAP host object. + + + Default: not set + + + + + + + + + SERVICE ATTRIBUTES + + + + ldap_service_object_class (string) + + + The object class of a service entry in LDAP. + + + Default: ipService + + + + + + ldap_service_name (string) + + + The LDAP attribute that contains the name of + service attributes and their aliases. + + + Default: cn + + + + + + ldap_service_port (string) + + + The LDAP attribute that contains the port managed + by this service. + + + Default: ipServicePort + + + + + + ldap_service_proto (string) + + + The LDAP attribute that contains the protocols + understood by this service. + + + Default: ipServiceProtocol + + + + + + + + + SUDO ATTRIBUTES + + + + ldap_sudorule_object_class (string) + + + The object class of a sudo rule entry in LDAP. + + + Default: sudoRole + + + + + + ldap_sudorule_name (string) + + + The LDAP attribute that corresponds to + the sudo rule name. + + + Default: cn + + + + + + ldap_sudorule_command (string) + + + The LDAP attribute that corresponds to the + command name. + + + Default: sudoCommand + + + + + + ldap_sudorule_host (string) + + + The LDAP attribute that corresponds to the + host name (or host IP address, host IP network, + or host netgroup) + + + Default: sudoHost + + + + + + ldap_sudorule_user (string) + + + The LDAP attribute that corresponds to the + user name (or UID, group name or user's netgroup) + + + Default: sudoUser + + + + + + ldap_sudorule_option (string) + + + The LDAP attribute that corresponds to the + sudo options. + + + Default: sudoOption + + + + + + ldap_sudorule_runasuser (string) + + + The LDAP attribute that corresponds to the + user name that commands may be run as. + + + Default: sudoRunAsUser + + + + + + ldap_sudorule_runasgroup (string) + + + The LDAP attribute that corresponds to the group + name or group GID that commands may be run as. + + + Default: sudoRunAsGroup + + + + + + ldap_sudorule_notbefore (string) + + + The LDAP attribute that corresponds to the + start date/time for when the sudo rule is valid. + + + Default: sudoNotBefore + + + + + + ldap_sudorule_notafter (string) + + + The LDAP attribute that corresponds to the + expiration date/time, after which the sudo rule + will no longer be valid. + + + Default: sudoNotAfter + + + + + + ldap_sudorule_order (string) + + + The LDAP attribute that corresponds to the + ordering index of the rule. + + + Default: sudoOrder + + + + + + + + + AUTOFS ATTRIBUTES + + + + + + + + + diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 664c507d5f..6d1ae23ecb 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -55,6 +55,12 @@ 5 manual page for full details. + Note that SSSD LDAP mapping attributes are described in the + + sssd-ldap-attributes + 5 + manual page. + ldap_uri, ldap_backup_uri (string) @@ -234,1127 +240,174 @@ verify current password by binding as the user that requested password change. If successful, this connection is used to change the password - therefore the user must have write access to - userPassword attribute. - - - Default: exop - - - - - - ldap_default_bind_dn (string) - - - The default bind DN to use for - performing LDAP operations. - - - - - - ldap_default_authtok_type (string) - - - The type of the authentication token of the - default bind DN. - - - The two mechanisms currently supported are: - - - password - - - obfuscated_password - - - Default: password - - - - - - ldap_default_authtok (string) - - - The authentication token of the default bind DN. - Only clear text passwords are currently supported. - - - - - - ldap_user_object_class (string) - - - The object class of a user entry in LDAP. - - - Default: posixAccount - - - - - - ldap_user_name (string) - - - The LDAP attribute that corresponds to the - user's login name. - - - Default: uid (rfc2307, rfc2307bis and IPA), - sAMAccountName (AD) - - - - - - ldap_user_uid_number (string) - - - The LDAP attribute that corresponds to the - user's id. - - - Default: uidNumber - - - - - - ldap_user_gid_number (string) - - - The LDAP attribute that corresponds to the - user's primary group id. - - - Default: gidNumber - - - - - - ldap_user_primary_group (string) - - - Active Directory primary group attribute - for ID-mapping. Note that this attribute should - only be set manually if you are running the - ldap provider with ID mapping. - - - Default: unset (LDAP), primaryGroupID (AD) - - - - - - ldap_user_gecos (string) - - - The LDAP attribute that corresponds to the - user's gecos field. - - - Default: gecos - - - - - - ldap_user_home_directory (string) - - - The LDAP attribute that contains the name of the user's - home directory. - - - Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD) - - - - - - ldap_user_shell (string) - - - The LDAP attribute that contains the path to the - user's default shell. - - - Default: loginShell - - - - - - ldap_user_uuid (string) - - - The LDAP attribute that contains the UUID/GUID of - an LDAP user object. - - - Default: not set in the general case, objectGUID for - AD and ipaUniqueID for IPA - - - - - - ldap_user_objectsid (string) - - - The LDAP attribute that contains the objectSID of - an LDAP user object. This is usually only - necessary for ActiveDirectory servers. - - - Default: objectSid for ActiveDirectory, not set - for other servers. - - - - - - ldap_user_modify_timestamp (string) - - - The LDAP attribute that contains timestamp of the - last modification of the parent object. - - - Default: modifyTimestamp - - - - - - ldap_user_shadow_last_change (string) - - - When using ldap_pwd_policy=shadow, this parameter - contains the name of an LDAP attribute corresponding - to its - - shadow - 5 - counterpart (date of the last - password change). - - - Default: shadowLastChange - - - - - - ldap_user_shadow_min (string) - - - When using ldap_pwd_policy=shadow, this parameter - contains the name of an LDAP attribute corresponding - to its - - shadow - 5 - counterpart (minimum password age). - - - Default: shadowMin - - - - - - ldap_user_shadow_max (string) - - - When using ldap_pwd_policy=shadow, this parameter - contains the name of an LDAP attribute corresponding - to its - - shadow - 5 - counterpart (maximum password age). - - - Default: shadowMax - - - - - - ldap_user_shadow_warning (string) - - - When using ldap_pwd_policy=shadow, this parameter - contains the name of an LDAP attribute corresponding - to its - - shadow - 5 - counterpart (password warning - period). - - - Default: shadowWarning - - - - - - ldap_user_shadow_inactive (string) - - - When using ldap_pwd_policy=shadow, this parameter - contains the name of an LDAP attribute corresponding - to its - - shadow - 5 - counterpart (password inactivity - period). - - - Default: shadowInactive - - - - - - ldap_user_shadow_expire (string) - - - When using ldap_pwd_policy=shadow or - ldap_account_expire_policy=shadow, this parameter - contains the name of an LDAP attribute corresponding - to its - - shadow - 5 - counterpart (account expiration date). - - - Default: shadowExpire - - - - - - ldap_user_krb_last_pwd_change (string) - - - When using ldap_pwd_policy=mit_kerberos, this - parameter contains the name of an LDAP attribute - storing the date and time of last password change - in kerberos. - - - Default: krbLastPwdChange - - - - - - ldap_user_krb_password_expiration (string) - - - When using ldap_pwd_policy=mit_kerberos, this - parameter contains the name of an LDAP attribute - storing the date and time when current password - expires. - - - Default: krbPasswordExpiration - - - - - - ldap_user_ad_account_expires (string) - - - When using ldap_account_expire_policy=ad, this - parameter contains the name of an LDAP attribute - storing the expiration time of the account. - - - Default: accountExpires - - - - - - ldap_user_ad_user_account_control (string) - - - When using ldap_account_expire_policy=ad, this - parameter contains the name of an LDAP attribute - storing the user account control bit field. - - - Default: userAccountControl - - - - - - ldap_ns_account_lock (string) - - - When using ldap_account_expire_policy=rhds or - equivalent, this parameter determines if access is - allowed or not. - - - Default: nsAccountLock - - - - - - ldap_user_nds_login_disabled (string) - - - When using ldap_account_expire_policy=nds, this - attribute determines if access is allowed or not. - - - Default: loginDisabled - - - - - - ldap_user_nds_login_expiration_time (string) - - - When using ldap_account_expire_policy=nds, this - attribute determines until which date access is - granted. - - - Default: loginDisabled - - - - - - ldap_user_nds_login_allowed_time_map (string) - - - When using ldap_account_expire_policy=nds, this - attribute determines the hours of a day in a week - when access is granted. - - - Default: loginAllowedTimeMap - - - - - - ldap_user_principal (string) - - - The LDAP attribute that contains the user's Kerberos - User Principal Name (UPN). - - - Default: krbPrincipalName - - - - - - ldap_user_extra_attrs (string) - - - Comma-separated list of LDAP attributes that SSSD - would fetch along with the usual set of user - attributes. - - - The list can either contain LDAP attribute names - only, or colon-separated tuples of SSSD cache - attribute name and LDAP attribute name. In - case only LDAP attribute name is specified, - the attribute is saved to the cache verbatim. - Using a custom SSSD attribute name might be - required by environments that configure several - SSSD domains with different LDAP schemas. - - - Please note that several attribute names are - reserved by SSSD, notably the name - attribute. SSSD would report an error if any of - the reserved attribute names is used as an extra - attribute name. - - - Examples: - - - ldap_user_extra_attrs = telephoneNumber - - - Save the telephoneNumber attribute from LDAP - as telephoneNumber to the cache. - - - ldap_user_extra_attrs = phone:telephoneNumber - - - Save the telephoneNumber attribute from LDAP - as phone to the cache. - - - Default: not set - - - - - - ldap_user_ssh_public_key (string) - - - The LDAP attribute that contains the user's SSH - public keys. - - - Default: sshPublicKey - - - - - - ldap_force_upper_case_realm (boolean) - - - Some directory servers, for example Active Directory, - might deliver the realm part of the UPN in lower case, - which might cause the authentication to fail. Set this - option to a non-zero value if you want to use an - upper-case realm. - - - Default: false - - - - - - ldap_enumeration_refresh_timeout (integer) - - - Specifies how many seconds SSSD has to wait - before refreshing its cache of enumerated - records. - - - Default: 300 - - - - - - ldap_purge_cache_timeout (integer) - - - Determine how often to check the cache for - inactive entries (such as groups with no - members and users who have never logged in) and - remove them to save space. - - - Setting this option to zero will disable the - cache cleanup operation. Please note that if - enumeration is enabled, the cleanup task is - required in order to detect entries removed from - the server and can't be disabled. By default, - the cleanup task will run every 3 hours with - enumeration enabled. - - - Default: 0 (disabled) - - - - - - ldap_user_fullname (string) - - - The LDAP attribute that corresponds to the - user's full name. - - - Default: cn - - - - - - ldap_user_member_of (string) - - - The LDAP attribute that lists the user's - group memberships. - - - Default: memberOf - - - - - - ldap_user_authorized_service (string) - - - If access_provider=ldap and - ldap_access_order=authorized_service, SSSD will - use the presence of the authorizedService - attribute in the user's LDAP entry to determine - access privilege. - - - An explicit deny (!svc) is resolved first. Second, - SSSD searches for explicit allow (svc) and finally - for allow_all (*). - - - Please note that the ldap_access_order - configuration option must include - authorized_service in order for the - ldap_user_authorized_service option - to work. - - - Some distributions (such as Fedora-29+ or RHEL-8) - always include the systemd-user PAM - service as part of the login process. Therefore when - using service-based access control, the - systemd-user service might need to be - added to the list of allowed services. - - - Default: authorizedService - - - - - - ldap_user_authorized_host (string) - - - If access_provider=ldap and - ldap_access_order=host, SSSD will use the presence - of the host attribute in the user's LDAP entry to - determine access privilege. - - - An explicit deny (!host) is resolved first. Second, - SSSD searches for explicit allow (host) and finally - for allow_all (*). - - - Please note that the ldap_access_order - configuration option must - include host in order for the - ldap_user_authorized_host option - to work. - - - Default: host - - - - - - ldap_user_authorized_rhost (string) - - - If access_provider=ldap and - ldap_access_order=rhost, SSSD will use the presence - of the rhost attribute in the user's LDAP entry to - determine access privilege. Similarly to host - verification process. - - - An explicit deny (!rhost) is resolved first. Second, - SSSD searches for explicit allow (rhost) and finally - for allow_all (*). - - - Please note that the ldap_access_order - configuration option must - include rhost in order for the - ldap_user_authorized_rhost option - to work. - - - Default: rhost - - - - - - ldap_user_certificate (string) - - - Name of the LDAP attribute containing the X509 - certificate of the user. - - - Default: userCertificate;binary - - - - - - ldap_user_email (string) - - - Name of the LDAP attribute containing the email - address of the user. - - - Note: If an email address of a user conflicts with - an email address or fully qualified name of another - user, then SSSD will not be able to serve those - users properly. If for some reason several users - need to share the same email address then set - this option to a nonexistent attribute name in - order to disable user lookup/login by email. - - - Default: mail - - - - - - ldap_group_object_class (string) - - - The object class of a group entry in LDAP. - - - Default: posixGroup - - - - - - ldap_group_name (string) - - - The LDAP attribute that corresponds to - the group name. - - - Default: cn (rfc2307, rfc2307bis and IPA), - sAMAccountName (AD) - - - - - - ldap_group_gid_number (string) - - - The LDAP attribute that corresponds to the - group's id. - - - Default: gidNumber - - - - - - ldap_group_member (string) - - - The LDAP attribute that contains the names of - the group's members. - - - Default: memberuid (rfc2307) / member (rfc2307bis) - - - - - - ldap_group_uuid (string) - - - The LDAP attribute that contains the UUID/GUID of - an LDAP group object. - - - Default: not set in the general case, objectGUID for - AD and ipaUniqueID for IPA - - - - - - ldap_group_objectsid (string) - - - The LDAP attribute that contains the objectSID of - an LDAP group object. This is usually only - necessary for ActiveDirectory servers. - - - Default: objectSid for ActiveDirectory, not set - for other servers. - - - - - - ldap_group_modify_timestamp (string) - - - The LDAP attribute that contains timestamp of the - last modification of the parent object. - - - Default: modifyTimestamp - - - - - - ldap_group_type (string) - - - The LDAP attribute that contains an integer value - indicating the type of the group and maybe other - flags. - - - This attribute is currently only used by the AD - provider to determine if a group is a domain local - groups and has to be filtered out for trusted - domains. - - - Default: groupType in the AD provider, otherwise not - set - - - - - - ldap_group_external_member (string) - - - The LDAP attribute that references group - members that are defined in an external - domain. At the moment, only IPA's external - members are supported. - - - Default: ipaExternalMember in the IPA provider, - otherwise unset. - - - - - - ldap_group_nesting_level (integer) - - - If ldap_schema is set to a schema format that - supports nested groups (e.g. RFC2307bis), then - this option controls how many levels of nesting - SSSD will follow. This option has no effect on the - RFC2307 schema. - - - Note: This option specifies the guaranteed level of - nested groups to be processed for any lookup. However, - nested groups beyond this limit - may be returned if previous - lookups already resolved the deeper nesting levels. - Also, subsequent lookups for other groups may enlarge - the result set for original lookup if re-queried. - - - If ldap_group_nesting_level is set to 0 then no - nested groups are processed at all. However, when - connected to Active-Directory Server 2008 - and later using id_provider=ad - it is furthermore required to disable usage of - Token-Groups by setting ldap_use_tokengroups - to false in order to restrict group nesting. - - - Default: 2 - - - - - - ldap_use_tokengroups - - - This options enables or disables use of Token-Groups - attribute when performing initgroup for users from - Active Directory Server 2008 and later. - - - Default: True for AD and IPA otherwise False. - - - - - - ldap_netgroup_object_class (string) - - - The object class of a netgroup entry in LDAP. - - - In IPA provider, ipa_netgroup_object_class should - be used instead. - - - Default: nisNetgroup - - - - - - ldap_netgroup_name (string) - - - The LDAP attribute that corresponds to - the netgroup name. - - - In IPA provider, ipa_netgroup_name should - be used instead. - - - Default: cn - - - - - - ldap_netgroup_member (string) - - - The LDAP attribute that contains the names of - the netgroup's members. - - - In IPA provider, ipa_netgroup_member should - be used instead. - - - Default: memberNisNetgroup - - - - - - ldap_netgroup_triple (string) - - - The LDAP attribute that contains the (host, user, - domain) netgroup triples. - - - This option is not available in IPA provider. - - - Default: nisNetgroupTriple - - - - - - ldap_netgroup_modify_timestamp (string) - - - The LDAP attribute that contains timestamp of the - last modification of the parent object. - - - This option is not available in IPA provider. - - - Default: modifyTimestamp - - - - - - ldap_host_object_class (string) - - - The object class of a host entry in LDAP. + therefore the user must have write access to + userPassword attribute. - Default: ipService + Default: exop - ldap_host_name (string) + ldap_default_bind_dn (string) - The LDAP attribute that corresponds to the host's - name. - - - Default: cn + The default bind DN to use for + performing LDAP operations. - ldap_host_fqdn (string) + ldap_default_authtok_type (string) - The LDAP attribute that corresponds to the host's - fully-qualified domain name. + The type of the authentication token of the + default bind DN. - Default: fqdn + The two mechanisms currently supported are: + + + password - - - - - ldap_host_serverhostname (string) - - The LDAP attribute that corresponds to the host's - name. + obfuscated_password - Default: serverHostname + Default: password - ldap_host_member_of (string) + ldap_default_authtok (string) - The LDAP attribute that lists the host's group - memberships. - - - Default: memberOf + The authentication token of the default bind DN. + Only clear text passwords are currently supported. - ldap_host_search_base (string) + ldap_force_upper_case_realm (boolean) - Optional. Use the given string as search base for - host objects. - - - See ldap_search_base for - information about configuring multiple search - bases. + Some directory servers, for example Active Directory, + might deliver the realm part of the UPN in lower case, + which might cause the authentication to fail. Set this + option to a non-zero value if you want to use an + upper-case realm. - Default: the value of - ldap_search_base + Default: false - - ldap_host_ssh_public_key (string) + + ldap_enumeration_refresh_timeout (integer) - The LDAP attribute that contains the host's SSH - public keys. + Specifies how many seconds SSSD has to wait + before refreshing its cache of enumerated + records. - Default: sshPublicKey + Default: 300 - ldap_host_uuid (string) + ldap_purge_cache_timeout (integer) - The LDAP attribute that contains the UUID/GUID of - an LDAP host object. + Determine how often to check the cache for + inactive entries (such as groups with no + members and users who have never logged in) and + remove them to save space. - Default: not set + Setting this option to zero will disable the + cache cleanup operation. Please note that if + enumeration is enabled, the cleanup task is + required in order to detect entries removed from + the server and can't be disabled. By default, + the cleanup task will run every 3 hours with + enumeration enabled. + + + Default: 0 (disabled) - ldap_service_object_class (string) + ldap_group_nesting_level (integer) - The object class of a service entry in LDAP. + If ldap_schema is set to a schema format that + supports nested groups (e.g. RFC2307bis), then + this option controls how many levels of nesting + SSSD will follow. This option has no effect on the + RFC2307 schema. - Default: ipService + Note: This option specifies the guaranteed level of + nested groups to be processed for any lookup. However, + nested groups beyond this limit + may be returned if previous + lookups already resolved the deeper nesting levels. + Also, subsequent lookups for other groups may enlarge + the result set for original lookup if re-queried. - - - - - ldap_service_name (string) - - The LDAP attribute that contains the name of - service attributes and their aliases. + If ldap_group_nesting_level is set to 0 then no + nested groups are processed at all. However, when + connected to Active-Directory Server 2008 + and later using id_provider=ad + it is furthermore required to disable usage of + Token-Groups by setting ldap_use_tokengroups + to false in order to restrict group nesting. - Default: cn + Default: 2 - ldap_service_port (string) + ldap_use_tokengroups - The LDAP attribute that contains the port managed - by this service. + This options enables or disables use of Token-Groups + attribute when performing initgroup for users from + Active Directory Server 2008 and later. - Default: ipServicePort + Default: True for AD and IPA otherwise False. - ldap_service_proto (string) + ldap_host_search_base (string) - The LDAP attribute that contains the protocols - understood by this service. + Optional. Use the given string as search base for + host objects. + + + See ldap_search_base for + information about configuring multiple search + bases. - Default: ipServiceProtocol + Default: the value of + ldap_search_base @@ -2389,150 +1442,6 @@ ldap_access_filter = (employeeType=admin) - - ldap_sudorule_object_class (string) - - - The object class of a sudo rule entry in LDAP. - - - Default: sudoRole - - - - - - ldap_sudorule_name (string) - - - The LDAP attribute that corresponds to - the sudo rule name. - - - Default: cn - - - - - - ldap_sudorule_command (string) - - - The LDAP attribute that corresponds to the - command name. - - - Default: sudoCommand - - - - - - ldap_sudorule_host (string) - - - The LDAP attribute that corresponds to the - host name (or host IP address, host IP network, - or host netgroup) - - - Default: sudoHost - - - - - - ldap_sudorule_user (string) - - - The LDAP attribute that corresponds to the - user name (or UID, group name or user's netgroup) - - - Default: sudoUser - - - - - - ldap_sudorule_option (string) - - - The LDAP attribute that corresponds to the - sudo options. - - - Default: sudoOption - - - - - - ldap_sudorule_runasuser (string) - - - The LDAP attribute that corresponds to the - user name that commands may be run as. - - - Default: sudoRunAsUser - - - - - - ldap_sudorule_runasgroup (string) - - - The LDAP attribute that corresponds to the group - name or group GID that commands may be run as. - - - Default: sudoRunAsGroup - - - - - - ldap_sudorule_notbefore (string) - - - The LDAP attribute that corresponds to the - start date/time for when the sudo rule is valid. - - - Default: sudoNotBefore - - - - - - ldap_sudorule_notafter (string) - - - The LDAP attribute that corresponds to the - expiration date/time, after which the sudo rule - will no longer be valid. - - - Default: sudoNotAfter - - - - - - ldap_sudorule_order (string) - - - The LDAP attribute that corresponds to the - ordering index of the rule. - - - Default: sudoOrder - - - - ldap_sudo_full_refresh_interval (integer) @@ -2716,80 +1625,7 @@ ldap_access_filter = (employeeType=admin) - - - ldap_autofs_map_object_class (string) - - - The object class of an automount map entry in LDAP. - - - Default: nisMap (rfc2307, autofs_provider=ad), - otherwise automountMap - - - - - - - ldap_autofs_map_name (string) - - - The name of an automount map entry in LDAP. - - - Default: nisMapName (rfc2307, - autofs_provider=ad), otherwise automountMapName - - - - - - - ldap_autofs_entry_object_class (string) - - - The object class of an automount entry - in LDAP. The entry usually corresponds to a mount - point. - - - Default: nisObject (rfc2307, autofs_provider=ad), - otherwise automount - - - - - - - ldap_autofs_entry_key (string) - - - The key of an automount entry in LDAP. The - entry usually corresponds to a mount point. - - - Default: cn (rfc2307, autofs_provider=ad), - otherwise automountKey - - - - - - - ldap_autofs_entry_value (string) - - - The key of an automount entry in LDAP. The - entry usually corresponds to a mount point. - - - Default: nisMapEntry (rfc2307, - autofs_provider=ad), otherwise automountInformation - - - - +