| author | Stephen Gallagher <sgallagh@redhat.com> | 2012-07-05 19:45:14 -0400 | 
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-07-06 11:44:46 -0400 | 
| commit | 03532fb1cbb7e8c1d5cf2e93aa3719f926631cab (patch) | |
| tree | 86749acc2fb38d087c99af41c2c47cbbd612f609 | |
| parent | 4e2d9fe30bf8b692972a9654c60d2d90ed355815 (diff) | |
AD: Add manpages and SSSDConfig entries
| -rw-r--r-- | Makefile.am | 1 | ||||
| -rw-r--r-- | contrib/sssd.spec.in | 1 | ||||
| -rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 5 | ||||
| -rwxr-xr-x | src/config/SSSDConfigTest.py | 3 | ||||
| -rw-r--r-- | src/config/etc/sssd.api.d/sssd-ad.conf | 121 | ||||
| -rw-r--r-- | src/man/Makefile.am | 2 | ||||
| -rw-r--r-- | src/man/include/seealso.xml | 3 | ||||
| -rw-r--r-- | src/man/po/po4a.cfg | 1 | ||||
| -rw-r--r-- | src/man/sssd-ad.5.xml | 155 | 
9 files changed, 290 insertions, 2 deletions
diff --git a/Makefile.am b/Makefile.am index 35930621..4e78ae13 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1536,6 +1536,7 @@ dist_sssddata_DATA = \      src/config/etc/sssd.api.conf  dist_sssdapiplugin_DATA = \      src/config/etc/sssd.api.d/sssd-ipa.conf \ +    src/config/etc/sssd.api.d/sssd-ad.conf \      src/config/etc/sssd.api.d/sssd-krb5.conf \      src/config/etc/sssd.api.d/sssd-ldap.conf \      src/config/etc/sssd.api.d/sssd-local.conf \ diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index f69132d4..4ffc563e 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -362,6 +362,7 @@ rm -rf $RPM_BUILD_ROOT  %{_datadir}/sssd/sssd.api.d  %{_mandir}/man5/sssd.conf.5*  %{_mandir}/man5/sssd-ipa.5* +%{_mandir}/man5/sssd-ad.5*  %{_mandir}/man5/sssd-krb5.5*  %{_mandir}/man5/sssd-ldap.5*  %{_mandir}/man5/sssd-simple.5* diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 99ccc5ab..f6030678 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -133,6 +133,11 @@ option_strings = {      'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"),      'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"), +    # [provider/ad] +    'ad_domain' : _('Active Directory domain'), +    'ad_server' : _('Active Directory server address'), +    'ad_hostname' : _('Active Directory client hostname'), +      # [provider/krb5]      'krb5_kdcip' : _('Kerberos server address'),      'krb5_server' : _('Kerberos server address'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index f4d4d541..c1fbe481 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py 
@@ -704,7 +704,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):          domain = SSSDConfig.SSSDDomain('sssd', self.schema)          control_provider_dict = { -            'ipa': ['id', 'auth', 'access', 'chpass', 'autofs', 'session' ], +            'ipa': ['id', 'auth', 'access', 'chpass', 'autofs', 'session'], +            'ad': ['id', 'auth', 'access', 'chpass'],              'local': ['id', 'auth', 'chpass'],              'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'],              'krb5': ['auth', 'access', 'chpass'], diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf new file mode 100644 index 00000000..f7c6d2d1 --- /dev/null +++ b/src/config/etc/sssd.api.d/sssd-ad.conf 
@@ -0,0 +1,121 @@ +[provider/ad] +ad_domain = str, None, false +ad_server = str, None, false +ad_hostname = str, None, false +ldap_uri = str, None, false +ldap_search_base = str, None, false +ldap_schema = str, None, false +ldap_default_bind_dn = str, None, false +ldap_default_authtok_type = str, None, false +ldap_default_authtok = str, None, false +ldap_network_timeout = int, None, false +ldap_opt_timeout = int, None, false +ldap_offline_timeout = int, None, false +ldap_tls_cacert = str, None, false +ldap_tls_cacertdir = str, None, false +ldap_tls_cert = str, None, false +ldap_tls_key = str, None, false +ldap_tls_cipher_suite = str, None, false +ldap_tls_reqcert = str, None, false +ldap_sasl_mech = str, None, false +ldap_sasl_authid = str, None, false +ldap_sasl_minssf = int, None, false +krb5_kdcip = str, None, false +krb5_server = str, None, false +krb5_realm = str, None, false +krb5_auth_timeout = int, None, false +krb5_canonicalize = bool, None, false +ldap_krb5_keytab = str, None, false +ldap_krb5_init_creds = bool, None, false +ldap_entry_usn = str, None, false +ldap_rootdse_last_usn = str, None, false +ldap_referrals = bool, None, false +ldap_krb5_ticket_lifetime = int, None, false +ldap_dns_service_name = str, None, false +ldap_deref = str, None, false +ldap_page_size = int, None, false +ldap_deref_threshold = int, None, false +ldap_connection_expire_timeout = int, None, false +ldap_disable_paging = bool, None, false + +[provider/ad/id] +ldap_search_timeout = int, None, false +ldap_enumeration_refresh_timeout = int, None, false +ldap_purge_cache_timeout = int, None, false +ldap_id_use_start_tls = bool, None, false +ldap_id_mapping = bool, None, false +ldap_user_search_base = str, None, false +ldap_user_search_scope = str, None, false +ldap_user_search_filter = str, None, false +ldap_user_object_class = str, None, false +ldap_user_name = str, None, false +ldap_user_uid_number = str, None, false +ldap_user_gid_number = str, None, false +ldap_user_gecos = 
str, None, false +ldap_user_home_directory = str, None, false +ldap_user_shell = str, None, false +ldap_user_uuid = str, None, false +ldap_user_objectsid = str, None, false +ldap_user_primary_group = str, None, false +ldap_user_principal = str, None, false +ldap_user_fullname = str, None, false +ldap_user_member_of = str, None, false +ldap_user_modify_timestamp = str, None, false +ldap_user_entry_usn = str, None, false +ldap_user_shadow_last_change = str, None, false +ldap_user_shadow_min = str, None, false +ldap_user_shadow_max = str, None, false +ldap_user_shadow_warning = str, None, false +ldap_user_shadow_inactive = str, None, false +ldap_user_shadow_expire = str, None, false +ldap_user_shadow_flag = str, None, false +ldap_user_krb_last_pwd_change = str, None, false +ldap_user_krb_password_expiration = str, None, false +ldap_pwd_attribute = str, None, false +ldap_user_ssh_public_key = str, None, false +ldap_group_search_base = str, None, false +ldap_group_search_scope = str, None, false +ldap_group_search_filter = str, None, false +ldap_group_object_class = str, None, false +ldap_group_name = str, None, false +ldap_group_gid_number = str, None, false +ldap_group_member = str, None, false +ldap_group_uuid = str, None, false +ldap_group_objectsid = str, None, false +ldap_group_modify_timestamp = str, None, false +ldap_group_entry_usn = str, None, false +ldap_force_upper_case_realm = bool, None, false +ldap_group_nesting_level = int, None, false +ldap_netgroup_search_base = str, None, false +ldap_service_object_class = str, None, false +ldap_service_name = str, None, false +ldap_service_port = str, None, false +ldap_service_proto = str, None, false +ldap_service_search_base = str, None, false +ldap_service_entry_usn = str, None, false +ldap_idmap_range_min = int, None, false +ldap_idmap_range_max = int, None, false +ldap_idmap_range_size = int, None, false +ldap_idmap_autorid_compat = bool, None, false +ldap_idmap_default_domain = str, None, false 
+ldap_idmap_default_domain_sid = str, None, false +ldap_groups_use_matching_rule_in_chain = bool, None, false +ldap_initgroups_use_matching_rule_in_chain = bool, None, false + +[provider/ad/auth] +krb5_ccachedir = str, None, false +krb5_ccname_template = str, None, false +krb5_keytab = str, None, false +krb5_validate = bool, None, false +ldap_pwd_policy = str, None, false +krb5_store_password_if_offline = bool, None, false +krb5_renewable_lifetime = str, None, false +krb5_lifetime = str, None, false +krb5_renew_interval = int, None, false +krb5_use_fast = str, None, false +krb5_fast_principal = str, None, false + +[provider/ad/access] + +[provider/ad/chpass] +krb5_kpasswd = str, None, false diff --git a/src/man/Makefile.am b/src/man/Makefile.am index aa2907f0..ca1a2261 100644 --- a/src/man/Makefile.am +++ b/src/man/Makefile.am @@ -40,7 +40,7 @@ man_MANS = \      sss_useradd.8 sss_userdel.8 sss_usermod.8 \      sss_groupadd.8 sss_groupdel.8 sss_groupmod.8 \      sssd.8 sssd.conf.5 sssd-ldap.5 \ -    sssd-krb5.5 sssd-ipa.5 sssd-simple.5 \ +    sssd-krb5.5 sssd-ipa.5 sssd-simple.5 sssd-ad.5 \      sssd_krb5_locator_plugin.8 sss_groupshow.8 \      pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml index b12dbbbe..cb2fa4cb 100644 --- a/src/man/include/seealso.xml +++ b/src/man/include/seealso.xml @@ -20,6 +20,9 @@                  <refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum>              </citerefentry>,              <citerefentry> +                <refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> +            </citerefentry>, +            <citerefentry>                  <refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum>              </citerefentry>,              <citerefentry> diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg index d64acb3c..af6629c0 100644 --- a/src/man/po/po4a.cfg +++ b/src/man/po/po4a.cfg 
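Review bot: The `[provider/ad]` section of the new `sssd-ad.conf` schema accepts `ldap_default_bind_dn`, `ldap_default_authtok_type` and `ldap_default_authtok`, along with `ldap_tls_reqcert` and `ldap_sasl_minssf`, while the sssd-ad(5) page added in this same commit says the provider requires a domain-joined machine with a keytab and that setting the inherited options is neither necessary nor recommended. Whether the AD back end honours these values is not visible from this hunk, but if it does, SSSDConfig will validate a configuration that stores a bind password or relaxes certificate checking for a provider meant to authenticate with the host keytab. The same applies to `ldap_id_use_start_tls` under `[provider/ad/id]` and `krb5_validate` under `[provider/ad/auth]`. Consider removing the options the AD provider does not need from the schema, or, if the schema parser accepts comment lines, opening the file with `# ldap_* and krb5_* options are inherited from the LDAP/krb5 providers; sssd-ad(5) recommends leaving them unset.`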
@@ -7,6 +7,7 @@  [type:docbook] sssd_krb5_locator_plugin.8.xml $lang:$(builddir)/$lang/sssd_krb5_locator_plugin.8.xml  [type:docbook] sssd-simple.5.xml $lang:$(builddir)/$lang/sssd-simple.5.xml  [type:docbook] sssd-ipa.5.xml $lang:$(builddir)/$lang/sssd-ipa.5.xml +[type:docbook] sssd-ad.5.xml $lang:$(builddir)/$lang/sssd-ad.5.xml  [type:docbook] sssd.8.xml $lang:$(builddir)/$lang/sssd.8.xml  [type:docbook] sss_obfuscate.8.xml $lang:$(builddir)/$lang/sss_obfuscate.8.xml  [type:docbook] sss_useradd.8.xml $lang:$(builddir)/$lang/sss_useradd.8.xml diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml new file mode 100644 index 00000000..46660b30 --- /dev/null +++ b/src/man/sssd-ad.5.xml 
@@ -0,0 +1,155 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>SSSD Manual pages</title> +<refentry> +    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + +    <refmeta> +        <refentrytitle>sssd-ad</refentrytitle> +        <manvolnum>5</manvolnum> +        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo> +    </refmeta> + +    <refnamediv id='name'> +        <refname>sssd-ad</refname> +        <refpurpose>the configuration file for SSSD</refpurpose> +    </refnamediv> + +    <refsect1 id='description'> +        <title>DESCRIPTION</title> +        <para> +            This manual page describes the configuration of the AD provider +            for +            <citerefentry> +                <refentrytitle>sssd</refentrytitle> +                <manvolnum>8</manvolnum> +            </citerefentry>. +            For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the +            <citerefentry> +                <refentrytitle>sssd.conf</refentrytitle> +                <manvolnum>5</manvolnum> +            </citerefentry> manual page. +        </para> +        <para> +            The AD provider is a back end used to connect to an Active +            Directory server. This provider requires that the machine be +            joined to the AD domain and a keytab is available. +        </para> +        <para> +            The AD provider supports connecting to Active Directory 2008 R2 +            or later. Earlier versions may work, but are unsupported. 
+        </para> +        <para> +            The AD provider accepts the same options used by the +            <citerefentry> +                <refentrytitle>sssd-ldap</refentrytitle> +                <manvolnum>5</manvolnum> +            </citerefentry> identity provider and the +            <citerefentry> +                <refentrytitle>sssd-krb5</refentrytitle> +                <manvolnum>5</manvolnum> +            </citerefentry> authentication provider with some exceptions described +            below. +        </para> +        <para> +            However, it is neither necessary nor recommended to set these +            options. The AD provider can also be used as an access and chpass +            provider. No configuration of the access provider is required on +            the client side. +        </para> +    </refsect1> + +    <refsect1 id='file-format'> +        <title>CONFIGURATION OPTIONS</title> +        <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the +            <citerefentry> +                <refentrytitle>sssd.conf</refentrytitle> +                <manvolnum>5</manvolnum> +            </citerefentry> manual page for details on the configuration of an SSSD domain. +            <variablelist> +                <varlistentry> +                    <term>ad_domain (string)</term> +                    <listitem> +                        <para> +                            Specifies the name of the Active Directory domain. +                            This is optional. If not provided, the +                            configuration domain name is used. +                        </para> +                        <para> +                            For proper operation, this option should be +                            specified as the lower-case version of the long +                            version of the Active Directory domain. 
+                        </para> +                    </listitem> +                </varlistentry> + +                <varlistentry> +                    <term>ad_server (string)</term> +                    <listitem> +                        <para> +                            The comma-separated list of IP addresses or +                            hostnames of the AD servers to which SSSD should +                            connect in order of preference. For more +                            information on failover and server redundancy, see +                            the <quote>FAILOVER</quote> section. +                            This is optional if autodiscovery is enabled. +                            For more information on service discovery, refer +                            to the the <quote>SERVICE DISCOVERY</quote> section. +                        </para> +                    </listitem> +                </varlistentry> + +                <varlistentry> +                    <term>ad_hostname (string)</term> +                    <listitem> +                        <para> +                            Optional. May be set on machines where the +                            hostname(5) does not reflect the fully qualified +                            name used in the Active Directory domain to +                            identify this host. +                        </para> +                        <para> +                            This field is used to determine the host principal +                            in use in the keytab. It must match the hostname +                            for which the keytab was issued. 
+                        </para> +                    </listitem> +                </varlistentry> + +            </variablelist> +        </para> +    </refsect1> + +    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" /> + +    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" /> + +    <refsect1 id='example'> +        <title>EXAMPLE</title> +        <para> +            The following example assumes that SSSD is correctly +            configured and example.com is one of the domains in the +            <replaceable>[sssd]</replaceable> section. This example shows only +            the AD provider-specific options. +        </para> +        <para> +<programlisting> +[domain/EXAMPLE] +id_provider = ad +auth_provider = ad +access_provider = ad +chpass_provider = ad + +ad_server = dc1.example.com +ad_hostname = client.example.com +ad_domain = example.com +</programlisting> +        </para> +    </refsect1> + +	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" /> + +</refentry> +</reference>  | 
