From 74aa0bc6779af38018a03fd2cf4419fe85917904 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 07:31:45 +0200 Subject: Adding upstream version 2.9.4. Signed-off-by: Daniel Baumann --- src/man/sssd-ipa.5.xml | 950 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 950 insertions(+) create mode 100644 src/man/sssd-ipa.5.xml (limited to 'src/man/sssd-ipa.5.xml') diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml new file mode 100644 index 0000000..4802ce8 --- /dev/null +++ b/src/man/sssd-ipa.5.xml @@ -0,0 +1,950 @@ + + + +SSSD Manual pages + + + + + sssd-ipa + 5 + File Formats and Conventions + + + + sssd-ipa + SSSD IPA provider + + + + DESCRIPTION + + This manual page describes the configuration of the IPA provider + for + + sssd + 8 + . + For a detailed syntax reference, refer to the FILE FORMAT section of the + + sssd.conf + 5 + manual page. + + + The IPA provider is a back end used to connect to an IPA server. + (Refer to the freeipa.org web site for information about IPA servers.) + This provider requires that the machine be joined to the IPA domain; + configuration is almost entirely self-discovered and obtained + directly from the server. + + + The IPA provider enables SSSD to use the + + sssd-ldap + 5 + identity provider and the + + sssd-krb5 + 5 + authentication provider with optimizations for IPA + environments. The IPA provider accepts the same options used by the + sssd-ldap and sssd-krb5 providers with some exceptions. However, it is + neither necessary nor recommended to set these options. + + + The IPA provider primarily copies the traditional ldap and krb5 provider + default options with some exceptions, the differences are listed in the + MODIFIED DEFAULT OPTIONS section. + + + As an access provider, the IPA provider has a minimal configuration + (see ipa_access_order) as it mainly uses HBAC + (host-based access control) rules. Please refer to freeipa.org for + more information about HBAC. + + + If auth_provider=ipa or + access_provider=ipa is configured + in sssd.conf then the id_provider must also be set to + ipa. + + + The IPA provider will use the PAC responder if the Kerberos tickets + of users from trusted realms contain a PAC. To make configuration + easier the PAC responder is started automatically if the IPA ID + provider is configured. + + + + + CONFIGURATION OPTIONS + Refer to the section DOMAIN SECTIONS of the + + sssd.conf + 5 + manual page for details on the configuration of an SSSD domain. + + + ipa_domain (string) + + + Specifies the name of the IPA domain. + This is optional. If not provided, the configuration + domain name is used. + + + + + + ipa_server, ipa_backup_server (string) + + + The comma-separated list of IP addresses or hostnames of the + IPA servers to which SSSD should connect in + the order of preference. For more information + on failover and server redundancy, see the + FAILOVER section. + This is optional if autodiscovery is enabled. + For more information on service discovery, refer + to the SERVICE DISCOVERY section. + + + + + + ipa_hostname (string) + + + Optional. May be set on machines where the + hostname(5) does not reflect the fully qualified + name used in the IPA domain to identify this host. + The hostname must be fully qualified. + + + + + + dyndns_update (boolean) + + + Optional. This option tells SSSD to automatically + update the DNS server built into FreeIPA with + the IP address of this client. The update is + secured using GSS-TSIG. The IP address of the IPA + LDAP connection is used for the updates, if it is + not otherwise specified by using the + dyndns_iface option. + + + NOTE: On older systems (such as RHEL 5), for this + behavior to work reliably, the default Kerberos + realm must be set properly in /etc/krb5.conf + + + NOTE: While it is still possible to use the old + ipa_dyndns_update option, users + should migrate to using dyndns_update + in their config file. + + + Default: false + + + + + + dyndns_ttl (integer) + + + The TTL to apply to the client DNS record when updating it. + If dyndns_update is false this has no effect. This will + override the TTL serverside if set by an administrator. + + + NOTE: While it is still possible to use the old + ipa_dyndns_ttl option, users + should migrate to using dyndns_ttl + in their config file. + + + Default: 1200 (seconds) + + + + + + dyndns_iface (string) + + + Optional. Applicable only when dyndns_update + is true. Choose the interface or a list of interfaces + whose IP addresses should be used for dynamic DNS + updates. Special value * implies that + IPs from all interfaces should be used. + + + NOTE: While it is still possible to use the old + ipa_dyndns_iface option, users + should migrate to using dyndns_iface + in their config file. + + + Default: Use the IP addresses of the interface which + is used for IPA LDAP connection + + + Example: dyndns_iface = em1, vnet1, vnet2 + + + + + + dyndns_auth (string) + + + Whether the nsupdate utility should use GSS-TSIG + authentication for secure updates with the DNS + server, insecure updates can be sent by setting + this option to 'none'. + + + Default: GSS-TSIG + + + + + + dyndns_auth_ptr (string) + + + Whether the nsupdate utility should use GSS-TSIG + authentication for secure PTR updates with the DNS + server, insecure updates can be sent by setting + this option to 'none'. + + + Default: Same as dyndns_auth + + + + + + ipa_enable_dns_sites (boolean) + + + Enables DNS sites - location based + service discovery. + + + If true and service discovery (see Service + Discovery paragraph at the bottom of the man page) + is enabled, then the SSSD will first attempt + location based discovery using a query that contains + "_location.hostname.example.com" and then fall back + to traditional SRV discovery. If the location based + discovery succeeds, the IPA servers located with + the location based discovery are treated as primary + servers and the IPA servers located using the + traditional SRV discovery are used as back up + servers + + + Default: false + + + + + + dyndns_refresh_interval (integer) + + + How often should the back end perform periodic DNS update in + addition to the automatic update performed when the back end + goes online. + This option is optional and applicable only when dyndns_update + is true. + + + Default: 0 (disabled) + + + + + + dyndns_update_ptr (bool) + + + Whether the PTR record should also be explicitly + updated when updating the client's DNS records. + Applicable only when dyndns_update is true. + + + This option should be False in most IPA + deployments as the IPA server generates the + PTR records automatically when forward records + are changed. + + + Note that dyndns_update_per_family + parameter does not apply for PTR record updates. + Those updates are always sent separately. + + + Default: False (disabled) + + + + + + dyndns_force_tcp (bool) + + + Whether the nsupdate utility should default to using + TCP for communicating with the DNS server. + + + Default: False (let nsupdate choose the protocol) + + + + + + dyndns_server (string) + + + The DNS server to use when performing a DNS + update. In most setups, it's recommended to leave + this option unset. + + + Setting this option makes sense for environments + where the DNS server is different from the identity + server. + + + Please note that this option will be only used in + fallback attempt when previous attempt using + autodetected settings failed. + + + Default: None (let nsupdate choose the server) + + + + + + dyndns_update_per_family (boolean) + + + DNS update is by default performed in two steps - + IPv4 update and then IPv6 update. In some cases + it might be desirable to perform IPv4 and IPv6 + update in single step. + + + Default: true + + + + + + ipa_access_order (string) + + + Comma separated list of access control options. + Allowed values are: + + + expire: use + IPA's account expiration policy. + + + pwd_expire_policy_reject, + pwd_expire_policy_warn, + pwd_expire_policy_renew: + + These options are useful if users are interested + in being warned that password is about to expire + and authentication is based on using a different + method than passwords - for example SSH keys. + + + The difference between these options is the action + taken if user password is expired: + + + + pwd_expire_policy_reject - + user is denied to log in, + + + + + pwd_expire_policy_warn - + user is still able to log in, + + + + + pwd_expire_policy_renew - + user is prompted to change their + password immediately. + + + + + + Please note that 'access_provider = ipa' must + be set for this feature to work. + + + + + + ipa_deskprofile_search_base (string) + + + Optional. Use the given string as search base for + Desktop Profile related objects. + + + Default: Use base DN + + + + + + ipa_subid_ranges_search_base (string) + + + Optional. Use the given string as search base for + subordinate ranges related objects. + + + Default: the value of + cn=subids,%basedn + + + + + + ipa_hbac_search_base (string) + + + Optional. Use the given string as search base for + HBAC related objects. + + + Default: Use base DN + + + + + + ipa_host_search_base (string) + + + Deprecated. Use ldap_host_search_base instead. + + + + + + ipa_selinux_search_base (string) + + + Optional. Use the given string as search base for + SELinux user maps. + + + See ldap_search_base for + information about configuring multiple search + bases. + + + Default: the value of + ldap_search_base + + + + + + ipa_subdomains_search_base (string) + + + Optional. Use the given string as search base for + trusted domains. + + + See ldap_search_base for + information about configuring multiple search + bases. + + + Default: the value of + cn=trusts,%basedn + + + + + + ipa_master_domain_search_base (string) + + + Optional. Use the given string as search base for + master domain object. + + + See ldap_search_base for + information about configuring multiple search + bases. + + + Default: the value of + cn=ad,cn=etc,%basedn + + + + + + ipa_views_search_base (string) + + + Optional. Use the given string as search base for + views containers. + + + See ldap_search_base for + information about configuring multiple search + bases. + + + Default: the value of + cn=views,cn=accounts,%basedn + + + + + + krb5_realm (string) + + + The name of the Kerberos realm. This is optional and + defaults to the value of ipa_domain. + + + The name of the Kerberos realm has a special + meaning in IPA - it is converted into the base + DN to use for performing LDAP operations. + + + + + + krb5_confd_path (string) + + + Absolute path of a directory where SSSD should place + Kerberos configuration snippets. + + + To disable the creation of the configuration + snippets set the parameter to 'none'. + + + Default: not set (krb5.include.d subdirectory of + SSSD's pubconf directory) + + + + + + ipa_deskprofile_refresh (integer) + + + The amount of time between lookups of the Desktop + Profile rules against the IPA server. This will + reduce the latency and load on the IPA server if + there are many desktop profiles requests made in a + short period. + + + Default: 5 (seconds) + + + + + + ipa_deskprofile_request_interval (integer) + + + The amount of time between lookups of the Desktop + Profile rules against the IPA server in case the + last request did not return any rule. + + + Default: 60 (minutes) + + + + + + ipa_hbac_refresh (integer) + + + The amount of time between lookups of the HBAC + rules against the IPA server. This will reduce the + latency and load on the IPA server if there are + many access-control requests made in a short + period. + + + Default: 5 (seconds) + + + + + + ipa_hbac_selinux (integer) + + + The amount of time between lookups of the SELinux + maps against the IPA server. This will reduce the + latency and load on the IPA server if there are + many user login requests made in a short + period. + + + Default: 5 (seconds) + + + + + + ipa_server_mode (boolean) + + + This option will be set by the IPA installer + (ipa-server-install) automatically and denotes + if SSSD is running on an IPA server or not. + + + On an IPA server SSSD will lookup users and groups + from trusted domains directly while on a client + it will ask an IPA server. + + + NOTE: There are currently some assumptions that + must be met when SSSD is running on an IPA server. + + + + The ipa_server option + must be configured to point to the + IPA server itself. This is already + the default set by the IPA installer, + so no manual change is required. + + + + + The full_name_format + option must not be tweaked to only + print short names for users from + trusted domains. + + + + + + Default: false + + + + + + ipa_automount_location (string) + + + The automounter location this IPA client will be using + + + Default: The location named "default" + + + + + + + + VIEWS AND OVERRIDES + + SSSD can handle views and overrides which are offered by + FreeIPA 4.1 and later version. Since all paths and objectclasses + are fixed on the server side there is basically no need to + configure anything. For completeness the related options are + listed here with their default values. + + + ipa_view_class (string) + + + Objectclass of the view container. + + + Default: nsContainer + + + + + + ipa_view_name (string) + + + Name of the attribute holding the name of the + view. + + + Default: cn + + + + + + ipa_override_object_class (string) + + + Objectclass of the override objects. + + + Default: ipaOverrideAnchor + + + + + + ipa_anchor_uuid (string) + + + Name of the attribute containing the reference + to the original object in a remote domain. + + + Default: ipaAnchorUUID + + + + + + ipa_user_override_object_class (string) + + + Name of the objectclass for user overrides. It + is used to determine if the found override + object is related to a user or a group. + + + User overrides can contain attributes given by + + + ldap_user_name + + + ldap_user_uid_number + + + ldap_user_gid_number + + + ldap_user_gecos + + + ldap_user_home_directory + + + ldap_user_shell + + + ldap_user_ssh_public_key + + + + + Default: ipaUserOverride + + + + + + ipa_group_override_object_class (string) + + + Name of the objectclass for group overrides. It + is used to determine if the found override + object is related to a user or a group. + + + Group overrides can contain attributes given by + + + ldap_group_name + + + ldap_group_gid_number + + + + + Default: ipaGroupOverride + + + + + + + + + + + + SUBDOMAINS PROVIDER + + The IPA subdomains provider behaves slightly differently + if it is configured explicitly or implicitly. + + + If the option 'subdomains_provider = ipa' is found in the + domain section of sssd.conf, the IPA subdomains provider is + configured explicitly, and all subdomain requests are sent to the + IPA server if necessary. + + + If the option 'subdomains_provider' is not set in the domain + section of sssd.conf but there is the option 'id_provider = ipa', + the IPA subdomains provider is configured implicitly. In this case, + if a subdomain request fails and indicates that the server does not + support subdomains, i.e. is not configured for trusts, the IPA + subdomains provider is disabled. After an hour or after the IPA + provider goes online, the subdomains provider is enabled again. + + + + + TRUSTED DOMAINS CONFIGURATION + + Some configuration options can also be set for a trusted domain. + A trusted domain configuration can be set using the trusted domain + subsection as shown in the example below. Alternatively, + the subdomain_inherit option can be used in the + parent domain. + +[domain/ipa.domain.com/ad.domain.com] +ad_server = dc.ad.domain.com + + + + For more details, see the + + sssd.conf + 5 + manual page. + + + Different configuration options are tunable for a trusted + domain depending on whether you are configuring SSSD on an + IPA server or an IPA client. + + + OPTIONS TUNABLE ON IPA MASTERS + + The following options can be set in a subdomain + section on an IPA master: + + + ad_server + + + ad_backup_server + + + ad_site + + + ldap_search_base + + + ldap_user_search_base + + + ldap_group_search_base + + + use_fully_qualified_names + + + + + + OPTIONS TUNABLE ON IPA CLIENTS + + The following options can be set in a subdomain + section on an IPA client: + + + ad_server + + + ad_site + + + + + Note that if both options are set, only + ad_server is evaluated. + + + Since any request for a user or a group identity from a + trusted domain triggered from an IPA client is resolved + by the IPA server, the ad_server and + ad_site options only affect which AD DC will + the authentication be performed against. In particular, + the addresses resolved from these lists will be written to + kdcinfo files read by the Kerberos locator + plugin. Please refer to the + + sssd_krb5_locator_plugin + 8 + manual page for more details on the Kerberos + locator plugin. + + + + + + + + + + EXAMPLE + + The following example assumes that SSSD is correctly + configured and example.com is one of the domains in the + [sssd] section. This examples shows only + the ipa provider-specific options. + + + +[domain/example.com] +id_provider = ipa +ipa_server = ipaserver.example.com +ipa_hostname = myhost.example.com + + + + + + + + -- cgit v1.2.3