[deployment-guide/comm-rel: 268/727] BZ 621741/Trac #368: Add 'Support for dynamic DNS updates' to SSSD section

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 12:47:06 UTC 2010


commit cc384def8f9ab55c35b22684872b2850925e79c7
Author: David O'Brien <davido at redhat.com>
Date:   Fri Aug 6 12:21:57 2010 +1000

    BZ 621741/Trac #368: Add 'Support for dynamic DNS updates' to SSSD section

 en-US/SSSD.xml |   58 ++++++++++++++++++++++++++++++++++++++++---------------
 1 files changed, 42 insertions(+), 16 deletions(-)
---
diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml
index 96a40c3..2d4d9bb 100644
--- a/en-US/SSSD.xml
+++ b/en-US/SSSD.xml
@@ -18,7 +18,7 @@
       The System Security Services Daemon (SSSD) is a service which provides access to different identity and authentication providers. You can configure SSSD to use a native LDAP domain (that is, an LDAP identity provider with LDAP authentication), or an LDAP identity provider with Kerberos authentication. It provides an NSS and PAM interface to the system, and a pluggable back-end system to connect to multiple different account sources.
     </para>
     <para>
-      SSSD is also extensible; you can configure it to use new identity sources and authentication mechanisms should they arise.
+      SSSD is also extensible; you can configure it to use new identity sources and authentication mechanisms should they arise. In addition, SSSD is fully IPv6-compatible, provided that it is built against <package>c-ares&nbsp;1.7.1</package> or later and <package>krb5-libs&nbsp;1.8.1</package> or later.
     </para>
 
     <!--<para>Further, you can configure SSSD to use local identity storage for users and groups in an on-disk, LDAP-like database (<abbrev>LDB</abbrev>), rather than the traditional <filename>/etc/passwd</filename> and <filename>/etc/group</filename> file storage mechanisms.</para>-->
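Review bot: In the added IPv6 sentence the version numbers sit inside the <package> elements (<package>c-ares&nbsp;1.7.1</package>), so the markup tags "c-ares 1.7.1" as a package name; keep only the name in the element and put the version after it, as in <package>c-ares</package>&nbsp;1.7.1, and likewise for krb5-libs. The condition is also stated as a build-time one ("built against"), which someone installing the RPM cannot verify; consider saying which installed versions of the two libraries are required.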
@@ -27,19 +27,19 @@
   <section id="sect-SSSD_User_Guide-Introduction-SSSD_Features">
     <title>SSSD Features</title>
 
-    <section id="sect-SSSD_User_Guide-SSSD_Features-Performing_Offline_Authentication">
-      <title>Performing Offline Authentication</title>
+    <section id="sect-SSSD_User_Guide-SSSD_Features-Offline_Authentication">
+      <title>Offline Authentication</title>
       <para>One of the primary benefits of SSSD is offline authentication. This solves the case of users having a separate corporate account and a local machine account because of the common requirement to implement a Virtual Private Network (<abbrev>VPN</abbrev>).</para>
       <para>SSSD can cache remote identities and authentication credentials. This means that you can still authenticate with these remote identities even when a machine is offline. In an SSSD system, you only need to manage one account.</para>
     </section>
 
-    <section id="sect-SSSD_User_Guide-SSSD_Features-Reducing_Server_Load">
-      <title>Reducing Server Load</title>
+    <section id="sect-SSSD_User_Guide-SSSD_Features-Server_Load_Reduction">
+      <title>Server Load Reduction</title>
       <para>The use of SSSD also helps to reduce the load on identification servers. For example, using <package>nss_ldap</package>, every client application that needs to request user information opens its own connection to the LDAP server. Managing these multiple connections can lead to a heavy load on the LDAP server. In an SSSD system, only the SSSD Data Provider process actually communicates with the LDAP server, reducing the load to one connection per client system.</para>
     </section>
 
-    <section id="sect-SSSD_User_Guide-SSSD_Features-Specifying_Multiple_Domains">
-      <title>Specifying Multiple Domains</title>
+    <section id="sect-SSSD_User_Guide-SSSD_Features-Support_for_Multiple_Domains">
+      <title>Support for Multiple Domains</title>
       <indexterm>
         <primary>multiple domains</primary>
         <secondary>specifying in SSSD</secondary>
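Review bot: The three section ids change together with their titles (for example sect-SSSD_User_Guide-SSSD_Features-Performing_Offline_Authentication becomes ...-Offline_Authentication), and nothing in this diff updates a matching linkend; any <xref> elsewhere in the guide that still points at the old ids will fail to resolve, so search the book for the old ids before merging, or keep the ids and change only the <title> text. The index entry <secondary>specifying in SSSD</secondary> under the retitled "Support for Multiple Domains" section is unchanged and may want the same rewording.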
@@ -146,9 +146,37 @@
       <para>SSSD also introduces the concept of nested groups. SSSD groups are fully POSIX-compatible, and can contain other groups as members. Any users who are members of child groups are automatically members of parent groups. This can provide significant time savings and reduced administrative overhead for system administrators.</para>
     </section>-->
 
-    <section id="sect-SSSD_User_Guide-SSSD_Features-Integrating_with_Other_Products">
-      <title>Integrating with Other Products</title>
-      <para>Beyond the offline authentication, multiple domain management and other features already described, SSSD is also designed to integrate with and enhance the functionality of IPA clients. In an environment with the latest version of IPA installed, SSSD provides added functionality, including host-based access control, and password migration from an LDAP-only environment into the LDAP/Kerberos&nbsp;5 environment employed by IPA.</para>
+    <section id="sect-SSSD_User_Guide-SSSD_Features-Integration_with_IPA">
+      <title>Integration with IPA</title>
+      <para>
+        Beyond the offline authentication, multiple domain management and other features already described, SSSD is also designed to integrate with and enhance the functionality of IPA clients. In an environment with the latest version of IPA installed, SSSD provides additional functionality, including support for dynamic DNS updates, host-based access control, and password migration from an LDAP-only environment into the LDAP/Kerberos&nbsp;5 environment employed by IPA.
+      </para>
+
+      <section><title>Support for Dynamic DNS Updates</title>
+        <para>
+          Because the IP address of IPA clients can change, SSSD provides the ability to dynamically update the client's DNS entry on the IPA server. Using a combination of Kerberos and GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction), IPA can determine the identity of the host machine, authenticate it, and allow that machine to edit its own DNS record. These changes are then stored in the LDAP back end.
+        </para>
+        <note>
+          <para>
+            Using this authentication system means that each IPA client can only edit its own DNS record; it cannot edit the DNS record of any other client.
+          </para>
+        </note>
+        <formalpara><title>Setting up Dynamic DNS Updates</title>
+          <para>
+            The SSSD configuration file provides two options used for setting up dynamic DNS updates: <option>ipa_dyndns_update</option>, used to enable dynamic DNS updates; and <option>ipa_dyndns_iface</option>, which specifies the interface whose IP address should be used for dynamic DNS updates.
+          </para>
+        </formalpara>
+        <para>
+          Refer to the <citetitle>sssd-ipa</citetitle> manual page for more information about these options, and how to configure dynamic DNS updates.
+        </para>
+        <note>
+          <para>
+            Support for dynamic DNS updates is only available on IPA version 2 or later, and with DNS correctly configured.
+          </para>
+        </note>
+
+      </section>
+
     </section>
 
   </section>
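Review bot: The new <section><title>Support for Dynamic DNS Updates</title> and the <formalpara> inside it have no id attribute, while every other section and formalpara visible in this diff carries one; add ids following the sect-SSSD_User_Guide-... pattern so the section can be cross-referenced. In the first <note>, the restriction that a client "can only edit its own DNS record" is attributed to "this authentication system", but Kerberos and GSS-TSIG only establish which host is asking; the limit itself is an authorization decision on the server, and the wording should say so. The "Setting up Dynamic DNS Updates" paragraph names ipa_dyndns_update and ipa_dyndns_iface without giving the values they take or the sssd.conf section they belong in, and the <citetitle>sssd-ipa</citetitle> reference omits the manual section number that <citetitle>sssd.conf(5)</citetitle> uses elsewhere in the file.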
@@ -159,7 +187,7 @@
 
     <section id="sect-SSSD_User_Guide-Setting_Up_SSSD-Installing_SSSD">
       <title>Installing SSSD</title>
-      <para>Run the following command to install SSSD and any dependencies, including the SSSD Client:</para>
+      <para>Run the following command to install SSSD and any dependencies, including the SSSD client:</para>
       <para>
         <command># yum install sssd</command>
       </para>
@@ -170,11 +198,6 @@
       <section id="sect-SSSD_User_Guide-Installing_SSSD-Upgrading_from_a_Previous_Version">
         <title>Upgrading from a Previous Version</title>
 
-
-        <para>The format of the configuration file is described in <xref
-            linkend="sect-SSSD_User_Guide-SSSD_Example_Configuration_Files-SSSD_Configuration_File_Format"/>
-        </para>
-
         <formalpara id="form-SSSD_User_Guide-Upgrading_from_a_Previous_Version-Upgrading_Using_RPM_Packages">
           <title>Upgrading Using RPM Packages</title>
           <para>If you are upgrading using RPM packages, the script will run automatically when you upgrade to the new version. This will upgrade the <filename>/etc/sssd/sssd.conf</filename> file to the new format, and copy the existing version to <filename>/etc/sssd/sssd.conf.bak</filename>.</para>
@@ -257,6 +280,9 @@ key10 = val10,val11
             class="option">-c</parameter> (or <parameter
             class="option">--config</parameter>) parameter on the command line to specify a different configuration file for SSSD.</para>
       </note>
+      <para>
+        The format of the configuration file is described in <xref linkend="sect-SSSD_User_Guide-SSSD_Example_Configuration_Files-SSSD_Configuration_File_Format"/>
+      </para>
       <para>Refer to the <citetitle>sssd.conf(5)</citetitle> manual page for more information on global SSSD configuration options.</para>
 
       <section id="sect-SSSD_User_Guide-Configuring_SSSD-Configuring_NSS">
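Review bot: The relocated paragraph ends at the <xref .../> with no full stop ("The format of the configuration file is described in <xref linkend=.../>"), carried over unchanged from the copy removed in the previous hunk; add the period after the xref while moving it. It also now sits between the <note> about the -c/--config parameter and the sssd.conf(5) pointer, so check that the rendered order (alternate file, then format, then manual page) reads as intended.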

