[deployment-guide/comm-rel: 127/727] BZ 601870: Configure AD as LDAP back end

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 12:34:53 UTC 2010


commit 0f88d9dd70772771420f4b093e250b1d13b1165d
Author: David O'Brien <davido at redhat.com>
Date:   Fri Jul 23 13:53:36 2010 +1000

    BZ 601870: Configure AD as LDAP back end

 en-US/SSSD.xml |   46 +++++++++++++++++++++++++++++++++++++---------
 1 files changed, 37 insertions(+), 9 deletions(-)
---
diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml
index 79f9b27..fcba9fd 100644
--- a/en-US/SSSD.xml
+++ b/en-US/SSSD.xml
@@ -749,7 +749,7 @@ ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
             <secondary>Configuring an LDAP domain for</secondary>
           </indexterm>
           <para>
-            An LDAP domain is one where the <option>id_provider</option> option is set to <literal>ldap</literal> (<option>id_provider&nbsp;=&nbsp;ldap</option>). Such a domain requires a running LDAP server against which to authenticate. This can be an open source LDAP server such as OpenLDAP or Microsoft Active Directory. SSSD currently supports Microsoft Active Directory 2003 (+Services For UNIX) and Active Directory 2008. In all cases, the client configuration is stored in the <filename>/etc/sssd/sssd.conf</filename> file.
+            An LDAP domain is one where the <option>id_provider</option> option is set to <literal>ldap</literal> (<option>id_provider&nbsp;=&nbsp;ldap</option>). Such a domain requires a running LDAP server against which to authenticate. This can be an open source LDAP server such as OpenLDAP or Microsoft Active Directory. SSSD currently supports Microsoft Active Directory 2003 (+Services For UNIX) and Active Directory 2008 (+Subsystem for UNIX-based applications). In all cases, the client configuration is stored in the <filename>/etc/sssd/sssd.conf</filename> file.
           </para>
 
           <formalpara id="form-SSSD_User_Guide-Configuring_a_Native_LDAP_Domain-How_to_Authenticate_Against_an_LDAP_Server">
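Review bot: the new parenthetical "(+Subsystem for UNIX-based applications)" in the changed <para> is capitalised differently from "Subsystem for UNIX-based Applications (SUA)" used later in this same commit; use one form and introduce the SUA abbreviation here so the reader can match it to the <note> further down. While this line is being touched, "an open source LDAP server such as OpenLDAP or Microsoft Active Directory" reads as if Active Directory were open source; suggest "an open source LDAP server such as OpenLDAP, or Microsoft Active Directory".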
@@ -789,7 +789,7 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
   </formalpara>
 
   <para>
-    SSSD assumes by default that your LDAP server is using <citetitle>RFC&nbsp;2307</citetitle>. If your LDAP server is using <citetitle>RFC&nbsp;2307bis</citetitle>, and you do not update the <filename>/etc/sssd/sssd.conf</filename> file accordingly, this can impact how your users and groups are displayed. It also means that some groups will not be available and network resources may be inaccessible even though you have permissions to use them.
+    SSSD assumes that your LDAP server is using <citetitle>RFC&nbsp;2307</citetitle>. If your LDAP server is using <citetitle>RFC&nbsp;2307bis</citetitle>, and you do not update the <filename>/etc/sssd/sssd.conf</filename> file accordingly, this can impact how your users and groups are displayed. It also means that some groups will not be available and network resources may be inaccessible even though you have permissions to use them.
   </para>
 
   <para>
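Review bot: dropping "by default" from the RFC 2307 sentence turns it into a statement that SSSD always assumes RFC 2307, which contradicts the second half of the same sentence (the schema is changed by updating sssd.conf). Keep "by default" and, better, name the option that selects the schema, e.g. "SSSD assumes by default that your LDAP server is using RFC 2307; if it uses RFC 2307bis, set ldap_schema = rfc2307bis in /etc/sssd/sssd.conf".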
@@ -866,17 +866,21 @@ uid=500(f12server) gid=500(f12server) groups=500(f12server),510(f12tester)
         <secondary>Configuring a Microsoft Active Directory Domain for</secondary>
       </indexterm>
 
-      <remark>https://bugzilla.redhat.com/show_bug.cgi?id=601870</remark>
       <para>
-        You can configure SSSD to use Microsoft Active Directory as an LDAP back end, providing both identity and authentication services. If you are using Active Directory 2003, SSSD requires that you install Windows Services for UNIX on the Active Directory machine. This requirement does not apply to Active Directory 2008.
+        You can configure SSSD to use Microsoft Active Directory as an LDAP back end, providing both identity and authentication services. If you are using Active Directory 2003, SSSD requires that you install Windows Services for UNIX (SFU) on the machine where Active Directory is installed. If instead you are using Active Directory 2008, you need to install the Subsystem for UNIX-based Applications (SUA) on the Active Directory machine.
       </para>
+      <note>
+        <para>
+          SFU is not supported on 64-bit operating systems. You should refer to <ulink url="http://support.microsoft.com/kb/920751"></ulink> for more information about which Windows systems can provide a suitable platform for an SSSD LDAP back end.
+        </para>
+      </note>
 
       <section><title>Configuring Active Directory 2003 as an LDAP Back End</title>
         <para>
           The example <filename>/etc/sssd/sssd.conf</filename> file that ships with SSSD contains the following sample configuration for Active Directory 2003:
         </para>
 
-<screen># Example LDAP domain where the LDAP server is an Active Directory server.
+<screen># Example LDAP domain where the LDAP server is an Active Directory 2003 server.
 
 [domain/AD]
 description = LDAP domain with AD server
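Review bot: the rewritten <para> reverses the earlier statement that the SFU requirement "does not apply to Active Directory 2008" into a requirement to install SUA, but neither the paragraph nor the new <note> says what SSSD needs from that component, and the cited KB article covers only SFU on 64-bit Windows, not SUA or AD 2008. State that the back end depends on the POSIX attributes the subsystem adds to the AD schema (the ones the 2003 section maps explicitly with lines such as ldap_group_gid_number = msSFU30GidNumber) and that users and groups must actually be populated with them, and give the <ulink> link text (for example "Microsoft KB 920751") instead of leaving the element empty. Removing the <remark> is fine since this change resolves the bug.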
@@ -904,11 +908,35 @@ ldap_group_name = msSFU30Name
 ldap_group_gid_number = msSFU30GidNumber</screen>
       </section>
 
-      <!--
       <section><title>Configuring Active Directory 2008 as an LDAP Back End</title>
-        <para><remark>dummy text</remark></para>
-        <remark>BZ 601870 NEED_INFO=ckannan</remark>
-      </section>-->
+        <para>
+          The configuration of <filename>/etc/sssd/sssd.conf</filename> to support an Active Directory 2008 back end is similar to that for AD 2003. The following example configuration highlights the necessary changes.
+        </para>
+
+<screen># Example LDAP domain where the LDAP server is an Active Directory 2008 server.
+
+[domain/AD]
+description = LDAP domain with AD server
+; debug_level = 9
+enumerate = false
+
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldap://your.ad.server.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+ldap_tls_cacert = /etc/openldap/cacerts/test.cer
+ldap_user_search_base = cn=Users,dc=example,dc=com
+ldap_search_base = dc=example,dc=com
+ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
+ldap_default_authtok_type = password
+ldap_default_authtok = YOUR_PASSWORD
+ldap_pwd_policy = none
+ldap_user_object_class = user
+ldap_group_object_class = group</screen>
+
+      </section>
 
 
     </section>
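Review bot: the new AD 2008 <screen> example sends the lookup account's credential over the network unprotected: ldap_uri = ldap://your.ad.server.com is plain LDAP and nothing in the block requests StartTLS for the identity connection, so the ldap_tls_cacertdir and ldap_tls_cacert lines are not exercised for the bind made with ldap_default_bind_dn and ldap_default_authtok, and chpass_provider = ldap against AD also depends on an encrypted connection. Use ldaps://your.ad.server.com, or keep ldap:// and add ldap_id_use_start_tls = true, and say so in the prose. Two further points on the same block: binding as cn=Administrator,cn=Users,dc=example,dc=com with the password in ldap_default_authtok puts the domain administrator credential in clear in sssd.conf; the example should use a dedicated read-only lookup account and remind the reader that sssd.conf must stay root-owned with mode 0600. And the introduction says the example "highlights the necessary changes", but the block is a complete domain stanza; the one real difference from the AD 2003 section, that no ldap_user_*/ldap_group_* attribute mappings are set so the default RFC 2307 attribute names are used, should be stated in the prose rather than left for the reader to diff.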

