sssd-ipa 5 File Formats and Conventions sssd-ipa SSSD IPA provider This manual page describes the configuration of the IPA provider for sssd 8 . For a detailed syntax reference, refer to the FILE FORMAT section of the sssd.conf 5 manual page. The IPA provider is a back end used to connect to an IPA server. (Refer to the freeipa.org web site for information about IPA servers.) This provider requires that the machine be joined to the IPA domain; configuration is almost entirely self-discovered and obtained directly from the server. The IPA provider enables SSSD to use the sssd-ldap 5 identity provider and the sssd-krb5 5 authentication provider with optimizations for IPA environments. The IPA provider accepts the same options used by the sssd-ldap and sssd-krb5 providers with some exceptions. However, it is neither necessary nor recommended to set these options. The IPA provider primarily copies the traditional ldap and krb5 provider default options with some exceptions, the differences are listed in the MODIFIED DEFAULT OPTIONS section. As an access provider, the IPA provider has a minimal configuration (see ipa_access_order) as it mainly uses HBAC (host-based access control) rules. Please refer to freeipa.org for more information about HBAC. If auth_provider=ipa or access_provider=ipa is configured in sssd.conf then the id_provider must also be set to ipa. The IPA provider will use the PAC responder if the Kerberos tickets of users from trusted realms contain a PAC. To make configuration easier the PAC responder is started automatically if the IPA ID provider is configured. Refer to the section DOMAIN SECTIONS of the sssd.conf 5 manual page for details on the configuration of an SSSD domain. ipa_domain (string) Specifies the name of the IPA domain. This is optional. If not provided, the configuration domain name is used. ipa_server, ipa_backup_server (string) The comma-separated list of IP addresses or hostnames of the IPA servers to which SSSD should connect in the order of preference. For more information on failover and server redundancy, see the FAILOVER section. This is optional if autodiscovery is enabled. For more information on service discovery, refer to the SERVICE DISCOVERY section. ipa_hostname (string) Optional. May be set on machines where the hostname(5) does not reflect the fully qualified name used in the IPA domain to identify this host. The hostname must be fully qualified. dyndns_update (boolean) Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA with the IP address of this client. The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise specified by using the dyndns_iface option. NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, the default Kerberos realm must be set properly in /etc/krb5.conf NOTE: While it is still possible to use the old ipa_dyndns_update option, users should migrate to using dyndns_update in their config file. Default: false dyndns_ttl (integer) The TTL to apply to the client DNS record when updating it. If dyndns_update is false this has no effect. This will override the TTL serverside if set by an administrator. NOTE: While it is still possible to use the old ipa_dyndns_ttl option, users should migrate to using dyndns_ttl in their config file. Default: 1200 (seconds) dyndns_iface (string) Optional. Applicable only when dyndns_update is true. Choose the interface or a list of interfaces whose IP addresses should be used for dynamic DNS updates. Special value * implies that IPs from all interfaces should be used. NOTE: While it is still possible to use the old ipa_dyndns_iface option, users should migrate to using dyndns_iface in their config file. Default: Use the IP addresses of the interface which is used for IPA LDAP connection Example: dyndns_iface = em1, vnet1, vnet2 dyndns_auth (string) Whether the nsupdate utility should use GSS-TSIG authentication for secure updates with the DNS server, insecure updates can be sent by setting this option to 'none'. Default: GSS-TSIG dyndns_auth_ptr (string) Whether the nsupdate utility should use GSS-TSIG authentication for secure PTR updates with the DNS server, insecure updates can be sent by setting this option to 'none'. Default: Same as dyndns_auth ipa_enable_dns_sites (boolean) Enables DNS sites - location based service discovery. If true and service discovery (see Service Discovery paragraph at the bottom of the man page) is enabled, then the SSSD will first attempt location based discovery using a query that contains "_location.hostname.example.com" and then fall back to traditional SRV discovery. If the location based discovery succeeds, the IPA servers located with the location based discovery are treated as primary servers and the IPA servers located using the traditional SRV discovery are used as back up servers Default: false dyndns_refresh_interval (integer) How often should the back end perform periodic DNS update in addition to the automatic update performed when the back end goes online. This option is optional and applicable only when dyndns_update is true. Default: 0 (disabled) dyndns_update_ptr (bool) Whether the PTR record should also be explicitly updated when updating the client's DNS records. Applicable only when dyndns_update is true. This option should be False in most IPA deployments as the IPA server generates the PTR records automatically when forward records are changed. Note that dyndns_update_per_family parameter does not apply for PTR record updates. Those updates are always sent separately. Default: False (disabled) dyndns_force_tcp (bool) Whether the nsupdate utility should default to using TCP for communicating with the DNS server. Default: False (let nsupdate choose the protocol) dyndns_server (string) The DNS server to use when performing a DNS update. In most setups, it's recommended to leave this option unset. Setting this option makes sense for environments where the DNS server is different from the identity server. Please note that this option will be only used in fallback attempt when previous attempt using autodetected settings failed. Default: None (let nsupdate choose the server) dyndns_update_per_family (boolean) DNS update is by default performed in two steps - IPv4 update and then IPv6 update. In some cases it might be desirable to perform IPv4 and IPv6 update in single step. Default: true ipa_access_order (string) Comma separated list of access control options. Allowed values are: expire: use IPA's account expiration policy. pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew: These options are useful if users are interested in being warned that password is about to expire and authentication is based on using a different method than passwords - for example SSH keys. The difference between these options is the action taken if user password is expired: pwd_expire_policy_reject - user is denied to log in, pwd_expire_policy_warn - user is still able to log in, pwd_expire_policy_renew - user is prompted to change their password immediately. Please note that 'access_provider = ipa' must be set for this feature to work. ipa_deskprofile_search_base (string) Optional. Use the given string as search base for Desktop Profile related objects. Default: Use base DN ipa_subid_ranges_search_base (string) Optional. Use the given string as search base for subordinate ranges related objects. Default: the value of cn=subids,%basedn ipa_hbac_search_base (string) Optional. Use the given string as search base for HBAC related objects. Default: Use base DN ipa_host_search_base (string) Deprecated. Use ldap_host_search_base instead. ipa_selinux_search_base (string) Optional. Use the given string as search base for SELinux user maps. See ldap_search_base for information about configuring multiple search bases. Default: the value of ldap_search_base ipa_subdomains_search_base (string) Optional. Use the given string as search base for trusted domains. See ldap_search_base for information about configuring multiple search bases. Default: the value of cn=trusts,%basedn ipa_master_domain_search_base (string) Optional. Use the given string as search base for master domain object. See ldap_search_base for information about configuring multiple search bases. Default: the value of cn=ad,cn=etc,%basedn ipa_views_search_base (string) Optional. Use the given string as search base for views containers. See ldap_search_base for information about configuring multiple search bases. Default: the value of cn=views,cn=accounts,%basedn krb5_realm (string) The name of the Kerberos realm. This is optional and defaults to the value of ipa_domain. The name of the Kerberos realm has a special meaning in IPA - it is converted into the base DN to use for performing LDAP operations. krb5_confd_path (string) Absolute path of a directory where SSSD should place Kerberos configuration snippets. To disable the creation of the configuration snippets set the parameter to 'none'. Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory) ipa_deskprofile_refresh (integer) The amount of time between lookups of the Desktop Profile rules against the IPA server. This will reduce the latency and load on the IPA server if there are many desktop profiles requests made in a short period. Default: 5 (seconds) ipa_deskprofile_request_interval (integer) The amount of time between lookups of the Desktop Profile rules against the IPA server in case the last request did not return any rule. Default: 60 (minutes) ipa_hbac_refresh (integer) The amount of time between lookups of the HBAC rules against the IPA server. This will reduce the latency and load on the IPA server if there are many access-control requests made in a short period. Default: 5 (seconds) ipa_hbac_selinux (integer) The amount of time between lookups of the SELinux maps against the IPA server. This will reduce the latency and load on the IPA server if there are many user login requests made in a short period. Default: 5 (seconds) ipa_server_mode (boolean) This option will be set by the IPA installer (ipa-server-install) automatically and denotes if SSSD is running on an IPA server or not. On an IPA server SSSD will lookup users and groups from trusted domains directly while on a client it will ask an IPA server. NOTE: There are currently some assumptions that must be met when SSSD is running on an IPA server. The ipa_server option must be configured to point to the IPA server itself. This is already the default set by the IPA installer, so no manual change is required. The full_name_format option must not be tweaked to only print short names for users from trusted domains. Default: false ipa_automount_location (string) The automounter location this IPA client will be using Default: The location named "default" SSSD can handle views and overrides which are offered by FreeIPA 4.1 and later version. Since all paths and objectclasses are fixed on the server side there is basically no need to configure anything. For completeness the related options are listed here with their default values. ipa_view_class (string) Objectclass of the view container. Default: nsContainer ipa_view_name (string) Name of the attribute holding the name of the view. Default: cn ipa_override_object_class (string) Objectclass of the override objects. Default: ipaOverrideAnchor ipa_anchor_uuid (string) Name of the attribute containing the reference to the original object in a remote domain. Default: ipaAnchorUUID ipa_user_override_object_class (string) Name of the objectclass for user overrides. It is used to determine if the found override object is related to a user or a group. User overrides can contain attributes given by ldap_user_name ldap_user_uid_number ldap_user_gid_number ldap_user_gecos ldap_user_home_directory ldap_user_shell ldap_user_ssh_public_key Default: ipaUserOverride ipa_group_override_object_class (string) Name of the objectclass for group overrides. It is used to determine if the found override object is related to a user or a group. Group overrides can contain attributes given by ldap_group_name ldap_group_gid_number Default: ipaGroupOverride The IPA subdomains provider behaves slightly differently if it is configured explicitly or implicitly. If the option 'subdomains_provider = ipa' is found in the domain section of sssd.conf, the IPA subdomains provider is configured explicitly, and all subdomain requests are sent to the IPA server if necessary. If the option 'subdomains_provider' is not set in the domain section of sssd.conf but there is the option 'id_provider = ipa', the IPA subdomains provider is configured implicitly. In this case, if a subdomain request fails and indicates that the server does not support subdomains, i.e. is not configured for trusts, the IPA subdomains provider is disabled. After an hour or after the IPA provider goes online, the subdomains provider is enabled again. Some configuration options can also be set for a trusted domain. A trusted domain configuration can be set using the trusted domain subsection as shown in the example below. Alternatively, the subdomain_inherit option can be used in the parent domain. [domain/ipa.domain.com/ad.domain.com] ad_server = dc.ad.domain.com For more details, see the sssd.conf 5 manual page. Different configuration options are tunable for a trusted domain depending on whether you are configuring SSSD on an IPA server or an IPA client. The following options can be set in a subdomain section on an IPA master: ad_server ad_backup_server ad_site ldap_search_base ldap_user_search_base ldap_group_search_base use_fully_qualified_names The following options can be set in a subdomain section on an IPA client: ad_server ad_site Note that if both options are set, only ad_server is evaluated. Since any request for a user or a group identity from a trusted domain triggered from an IPA client is resolved by the IPA server, the ad_server and ad_site options only affect which AD DC will the authentication be performed against. In particular, the addresses resolved from these lists will be written to kdcinfo files read by the Kerberos locator plugin. Please refer to the sssd_krb5_locator_plugin 8 manual page for more details on the Kerberos locator plugin. The following example assumes that SSSD is correctly configured and example.com is one of the domains in the [sssd] section. This examples shows only the ipa provider-specific options. [domain/example.com] id_provider = ipa ipa_server = ipaserver.example.com ipa_hostname = myhost.example.com