SSSD-IPA(5) File Formats and Conventions SSSD-IPA(5)NAME
sssd-ipa - the configuration file for SSSD
DESCRIPTION
This manual page describes the configuration of the IPA provider for
sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
section of the sssd.conf(5) manual page.
The IPA provider is a back end used to connect to an IPA server. (Refer
to the freeipa.org web site for information about IPA servers.) This
provider requires that the machine be joined to the IPA domain;
configuration is almost entirely self-discovered and obtained directly
from the server.
The IPA provider accepts the same options used by the sssd-ldap(5)
identity provider and the sssd-krb5(5) authentication provider with
some exceptions described below.
However, it is neither necessary nor recommended to set these options.
IPA provider can also be used as an access and chpass provider. As an
access provider it uses HBAC (host-based access control) rules. Please
refer to freeipa.org for more information about HBAC. No configuration
of access provider is required on the client side.
The IPA provider will use the PAC responder if the Kerberos tickets of
users from trusted realms contain a PAC. To make configuration easier
the PAC responder is started automatically if the IPA ID provider is
configured.
CONFIGURATION OPTIONS
Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
for details on the configuration of an SSSD domain.
ipa_domain (string)
Specifies the name of the IPA domain. This is optional. If not
provided, the configuration domain name is used.
ipa_server, ipa_backup_server (string)
The comma-separated list of IP addresses or hostnames of the IPA
servers to which SSSD should connect in the order of preference.
For more information on failover and server redundancy, see the
“FAILOVER” section. This is optional if autodiscovery is enabled.
For more information on service discovery, refer to the “SERVICE
DISCOVERY” section.
ipa_hostname (string)
Optional. May be set on machines where the hostname(5) does not
reflect the fully qualified name used in the IPA domain to identify
this host.
ipa_dyndns_update (boolean)
Optional. This option tells SSSD to automatically update the DNS
server built into FreeIPA v2 with the IP address of this client.
NOTE: On older systems (such as RHEL 5), for this behavior to work
reliably, the default Kerberos realm must be set properly in
/etc/krb5.conf
Default: false
ipa_dyndns_iface (string)
Optional. Applicable only when ipa_dyndns_update is true. Choose
the interface whose IP address should be used for dynamic DNS
updates.
Default: Use the IP address of the IPA LDAP connection
ipa_hbac_search_base (string)
Optional. Use the given string as search base for HBAC related
objects.
Default: Use base DN
ipa_host_search_base (string)
Optional. Use the given string as search base for host objects.
See “ldap_search_base” for information about configuring multiple
search bases.
If filter is given in any of search bases and
ipa_hbac_support_srchost is set to False, the filter will be
ignored.
Default: the value of ldap_search_base
ipa_selinux_search_base (string)
Optional. Use the given string as search base for SELinux user
maps.
See “ldap_search_base” for information about configuring multiple
search bases.
Default: the value of ldap_search_base
ipa_subdomains_search_base (string)
Optional. Use the given string as search base for trusted domains.
See “ldap_search_base” for information about configuring multiple
search bases.
Default: the value of cn=trusts,%basedn
ipa_master_domain_search_base (string)
Optional. Use the given string as search base for master domain
object.
See “ldap_search_base” for information about configuring multiple
search bases.
Default: the value of cn=ad,cn=etc,%basedn
krb5_validate (boolean)
Verify with the help of krb5_keytab that the TGT obtained has not
been spoofed.
Default: true
Note that this default differs from the traditional Kerberos
provider back end.
krb5_realm (string)
The name of the Kerberos realm. This is optional and defaults to
the value of “ipa_domain”.
The name of the Kerberos realm has a special meaning in IPA - it is
converted into the base DN to use for performing LDAP operations.
krb5_canonicalize (boolean)
Specifies if the host and user principal should be canonicalized
when connecting to IPA LDAP and also for AS requests. This feature
is available with MIT Kerberos >= 1.7
Default: true
ipa_hbac_refresh (integer)
The amount of time between lookups of the HBAC rules against the
IPA server. This will reduce the latency and load on the IPA server
if there are many access-control requests made in a short period.
Default: 5 (seconds)
ipa_hbac_treat_deny_as (string)
This option specifies how to treat the deprecated DENY-type HBAC
rules. As of FreeIPA v2.1, DENY rules are no longer supported on
the server. All users of FreeIPA will need to migrate their rules
to use only the ALLOW rules. The client will support two modes of
operation during this transition period:
DENY_ALL: If any HBAC DENY rules are detected, all users will be
denied access.
IGNORE: SSSD will ignore any DENY rules. Be very careful with this
option, as it may result in opening unintended access.
Default: DENY_ALL
ipa_hbac_support_srchost (boolean)
If this is set to false, then srchost as given to SSSD by PAM will
be ignored.
Note that if set to False, this option casuses filters given in
ipa_host_search_base to be ignored;
Default: false
ipa_automount_location (string)
The automounter location this IPA client will be using
Default: The location named "default"
Please note that the automounter only reads the master map on
startup, so if any autofs-related changes are made to the
sssd.conf, you typically also need to restart the automounter
daemon after restarting the SSSD.
ipa_netgroup_member_of (string)
The LDAP attribute that lists netgroup's memberships.
Default: memberOf
ipa_netgroup_member_user (string)
The LDAP attribute that lists system users and groups that are
direct members of the netgroup.
Default: memberUser
ipa_netgroup_member_host (string)
The LDAP attribute that lists hosts and host groups that are direct
members of the netgroup.
Default: memberHost
ipa_netgroup_member_ext_host (string)
The LDAP attribute that lists FQDNs of hosts and host groups that
are members of the netgroup.
Default: externalHost
ipa_netgroup_domain (string)
The LDAP attribute that contains NIS domain name of the netgroup.
Default: nisDomainName
ipa_host_object_class (string)
The object class of a host entry in LDAP.
Default: ipaHost
ipa_host_fqdn (string)
The LDAP attribute that contains FQDN of the host.
Default: fqdn
ipa_selinux_usermap_object_class (string)
The object class of a host entry in LDAP.
Default: ipaHost
ipa_selinux_usermap_name (string)
The LDAP attribute that contains the name of SELinux usermap.
Default: cn
ipa_selinux_usermap_member_user (string)
The LDAP attribute that contains all users / groups this rule match
against.
Default: memberUser
ipa_selinux_usermap_member_host (string)
The LDAP attribute that contains all hosts / hostgroups this rule
match against.
Default: memberHost
ipa_selinux_usermap_see_also (string)
The LDAP attribute that contains DN of HBAC rule which can be used
for matching instead of memberUser and memberHost
Default: seeAlso
ipa_selinux_usermap_selinux_user (string)
The LDAP attribute that contains SELinux user string itself.
Default: ipaSELinuxUser
ipa_selinux_usermap_enabled (string)
The LDAP attribute that contains whether or not is user map enabled
for usage.
Default: ipaEnabledFlag
ipa_selinux_usermap_user_category (string)
The LDAP attribute that contains user category such as 'all'.
Default: userCategory
ipa_selinux_usermap_host_category (string)
The LDAP attribute that contains host category such as 'all'.
Default: hostCategory
ipa_selinux_usermap_uuid (string)
The LDAP attribute that contains unique ID of the user map.
Default: ipaUniqueID
ipa_host_ssh_public_key (string)
The LDAP attribute that contains the host's SSH public keys.
Default: ipaSshPubKey
SUBDOMAINS PROVIDER
The IPA subdomains provider behaves slightly differently if it is
configured explicitly or implicitly.
If the option 'subdomains_provider = ipa' is found in the domain
section of sssd.conf, the IPA subdomains provider is configured
explicitly, and all subdomain requests are sent to the IPA server if
necessary.
If the option 'subdomains_provider' is not set in the domain section of
sssd.conf but there is the option 'id_provider = ipa', the IPA
subdomains provider is configured implictly. In this case, if a
subdomain request fails and indicates that the server does not support
subdomains, i.e. is not configured for trusts, the IPA subdomains
provider is disabled. After an hour or after the IPA provider goes
online, the subdomains provider is enabled again.
FAILOVER
The failover feature allows back ends to automatically switch to a
different server if the current server fails.
Failover Syntax
The list of servers is given as a comma-separated list; any number of
spaces is allowed around the comma. The servers are listed in order of
preference. The list can contain any number of servers.
For each failover-enabled config option, two variants exist: primary
and backup. The idea is that servers in the primary list are preferred
and backup servers are only searched if no primary servers can be
reached. If a backup server is selected, a timeout of 31 seconds is
set. After this timeout SSSD will periodically try to reconnect to one
of the primary servers. If it succeeds, it will replace the current
active (backup) server.
The Failover Mechanism
The failover mechanism distinguishes between a machine and a service.
The back end first tries to resolve the hostname of a given machine; if
this resolution attempt fails, the machine is considered offline. No
further attempts are made to connect to this machine for any other
service. If the resolution attempt succeeds, the back end tries to
connect to a service on this machine. If the service connection attempt
fails, then only this particular service is considered offline and the
back end automatically switches over to the next service. The machine
is still considered online and might still be tried for another
service.
Further connection attempts are made to machines or services marked as
offline after a specified period of time; this is currently hard coded
to 30 seconds.
If there are no more machines to try, the back end as a whole switches
to offline mode, and then attempts to reconnect every 30 seconds.
SERVICE DISCOVERY
The service discovery feature allows back ends to automatically find
the appropriate servers to connect to using a special DNS query. This
feature is not supported for backup servers.
Configuration
If no servers are specified, the back end automatically uses service
discovery to try to find a server. Optionally, the user may choose to
use both fixed server addresses and service discovery by inserting a
special keyword, “_srv_”, in the list of servers. The order of
preference is maintained. This feature is useful if, for example, the
user prefers to use service discovery whenever possible, and fall back
to a specific server when no servers can be discovered using DNS.
The domain name
Please refer to the “dns_discovery_domain” parameter in the
sssd.conf(5) manual page for more details.
The protocol
The queries usually specify _tcp as the protocol. Exceptions are
documented in respective option description.
See Also
For more information on the service discovery mechanism, refer to RFC
2782.
EXAMPLE
The following example assumes that SSSD is correctly configured and
example.com is one of the domains in the [sssd] section. This examples
shows only the ipa provider-specific options.
[domain/example.com]
id_provider = ipa
ipa_server = ipaserver.example.com
ipa_hostname = myhost.example.com
SEE ALSOsssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
sssd-ipa(5), sssd-ad(5), sssd-sudo(5),sss_cache(8), sss_debuglevel(8),
sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
sss_ssh_knowhostsproxy(8),pam_sss(8).
AUTHORS
The SSSD upstream - http://fedorahosted.org/sssd
SSSD 04/23/2013 SSSD-IPA(5)