Diffstat (limited to 'src')
-rw-r--r--src/config/SSSDConfig/__init__.py.in5
-rwxr-xr-xsrc/config/SSSDConfigTest.py3
-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf121
-rw-r--r--src/man/Makefile.am2
-rw-r--r--src/man/include/seealso.xml3
-rw-r--r--src/man/po/po4a.cfg1
-rw-r--r--src/man/sssd-ad.5.xml155
7 files changed, 288 insertions, 2 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 99ccc5ab..f6030678 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -133,6 +133,11 @@ option_strings = {
'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"),
'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"),
+ # [provider/ad]
+ 'ad_domain' : _('Active Directory domain'),
+ 'ad_server' : _('Active Directory server address'),
+ 'ad_hostname' : _('Active Directory client hostname'),
+
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
'krb5_server' : _('Kerberos server address'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index f4d4d541..c1fbe481 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -704,7 +704,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
domain = SSSDConfig.SSSDDomain('sssd', self.schema)
control_provider_dict = {
- 'ipa': ['id', 'auth', 'access', 'chpass', 'autofs', 'session' ],
+ 'ipa': ['id', 'auth', 'access', 'chpass', 'autofs', 'session'],
+ 'ad': ['id', 'auth', 'access', 'chpass'],
'local': ['id', 'auth', 'chpass'],
'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'],
'krb5': ['auth', 'access', 'chpass'],
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
new file mode 100644
index 00000000..f7c6d2d1
--- /dev/null
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -0,0 +1,121 @@
+[provider/ad]
+ad_domain = str, None, false
+ad_server = str, None, false
+ad_hostname = str, None, false
+ldap_uri = str, None, false
+ldap_search_base = str, None, false
+ldap_schema = str, None, false
+ldap_default_bind_dn = str, None, false
+ldap_default_authtok_type = str, None, false
+ldap_default_authtok = str, None, false
+ldap_network_timeout = int, None, false
+ldap_opt_timeout = int, None, false
+ldap_offline_timeout = int, None, false
+ldap_tls_cacert = str, None, false
+ldap_tls_cacertdir = str, None, false
+ldap_tls_cert = str, None, false
+ldap_tls_key = str, None, false
+ldap_tls_cipher_suite = str, None, false
+ldap_tls_reqcert = str, None, false
+ldap_sasl_mech = str, None, false
+ldap_sasl_authid = str, None, false
+ldap_sasl_minssf = int, None, false
+krb5_kdcip = str, None, false
+krb5_server = str, None, false
+krb5_realm = str, None, false
+krb5_auth_timeout = int, None, false
+krb5_canonicalize = bool, None, false
+ldap_krb5_keytab = str, None, false
+ldap_krb5_init_creds = bool, None, false
+ldap_entry_usn = str, None, false
+ldap_rootdse_last_usn = str, None, false
+ldap_referrals = bool, None, false
+ldap_krb5_ticket_lifetime = int, None, false
+ldap_dns_service_name = str, None, false
+ldap_deref = str, None, false
+ldap_page_size = int, None, false
+ldap_deref_threshold = int, None, false
+ldap_connection_expire_timeout = int, None, false
+ldap_disable_paging = bool, None, false
+
+[provider/ad/id]
+ldap_search_timeout = int, None, false
+ldap_enumeration_refresh_timeout = int, None, false
+ldap_purge_cache_timeout = int, None, false
+ldap_id_use_start_tls = bool, None, false
+ldap_id_mapping = bool, None, false
+ldap_user_search_base = str, None, false
+ldap_user_search_scope = str, None, false
+ldap_user_search_filter = str, None, false
+ldap_user_object_class = str, None, false
+ldap_user_name = str, None, false
+ldap_user_uid_number = str, None, false
+ldap_user_gid_number = str, None, false
+ldap_user_gecos = str, None, false
+ldap_user_home_directory = str, None, false
+ldap_user_shell = str, None, false
+ldap_user_uuid = str, None, false
+ldap_user_objectsid = str, None, false
+ldap_user_primary_group = str, None, false
+ldap_user_principal = str, None, false
+ldap_user_fullname = str, None, false
+ldap_user_member_of = str, None, false
+ldap_user_modify_timestamp = str, None, false
+ldap_user_entry_usn = str, None, false
+ldap_user_shadow_last_change = str, None, false
+ldap_user_shadow_min = str, None, false
+ldap_user_shadow_max = str, None, false
+ldap_user_shadow_warning = str, None, false
+ldap_user_shadow_inactive = str, None, false
+ldap_user_shadow_expire = str, None, false
+ldap_user_shadow_flag = str, None, false
+ldap_user_krb_last_pwd_change = str, None, false
+ldap_user_krb_password_expiration = str, None, false
+ldap_pwd_attribute = str, None, false
+ldap_user_ssh_public_key = str, None, false
+ldap_group_search_base = str, None, false
+ldap_group_search_scope = str, None, false
+ldap_group_search_filter = str, None, false
+ldap_group_object_class = str, None, false
+ldap_group_name = str, None, false
+ldap_group_gid_number = str, None, false
+ldap_group_member = str, None, false
+ldap_group_uuid = str, None, false
+ldap_group_objectsid = str, None, false
+ldap_group_modify_timestamp = str, None, false
+ldap_group_entry_usn = str, None, false
+ldap_force_upper_case_realm = bool, None, false
+ldap_group_nesting_level = int, None, false
+ldap_netgroup_search_base = str, None, false
+ldap_service_object_class = str, None, false
+ldap_service_name = str, None, false
+ldap_service_port = str, None, false
+ldap_service_proto = str, None, false
+ldap_service_search_base = str, None, false
+ldap_service_entry_usn = str, None, false
+ldap_idmap_range_min = int, None, false
+ldap_idmap_range_max = int, None, false
+ldap_idmap_range_size = int, None, false
+ldap_idmap_autorid_compat = bool, None, false
+ldap_idmap_default_domain = str, None, false
+ldap_idmap_default_domain_sid = str, None, false
+ldap_groups_use_matching_rule_in_chain = bool, None, false
+ldap_initgroups_use_matching_rule_in_chain = bool, None, false
+
+[provider/ad/auth]
+krb5_ccachedir = str, None, false
+krb5_ccname_template = str, None, false
+krb5_keytab = str, None, false
+krb5_validate = bool, None, false
+ldap_pwd_policy = str, None, false
+krb5_store_password_if_offline = bool, None, false
+krb5_renewable_lifetime = str, None, false
+krb5_lifetime = str, None, false
+krb5_renew_interval = int, None, false
+krb5_use_fast = str, None, false
+krb5_fast_principal = str, None, false
+
+[provider/ad/access]
+
+[provider/ad/chpass]
+krb5_kpasswd = str, None, false
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index aa2907f0..ca1a2261 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -40,7 +40,7 @@ man_MANS = \
sss_useradd.8 sss_userdel.8 sss_usermod.8 \
sss_groupadd.8 sss_groupdel.8 sss_groupmod.8 \
sssd.8 sssd.conf.5 sssd-ldap.5 \
- sssd-krb5.5 sssd-ipa.5 sssd-simple.5 \
+ sssd-krb5.5 sssd-ipa.5 sssd-simple.5 sssd-ad.5 \
sssd_krb5_locator_plugin.8 sss_groupshow.8 \
pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8
diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
index b12dbbbe..cb2fa4cb 100644
--- a/src/man/include/seealso.xml
+++ b/src/man/include/seealso.xml
@@ -20,6 +20,9 @@
<refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
+ <refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg
index d64acb3c..af6629c0 100644
--- a/src/man/po/po4a.cfg
+++ b/src/man/po/po4a.cfg
@@ -7,6 +7,7 @@
[type:docbook] sssd_krb5_locator_plugin.8.xml $lang:$(builddir)/$lang/sssd_krb5_locator_plugin.8.xml
[type:docbook] sssd-simple.5.xml $lang:$(builddir)/$lang/sssd-simple.5.xml
[type:docbook] sssd-ipa.5.xml $lang:$(builddir)/$lang/sssd-ipa.5.xml
+[type:docbook] sssd-ad.5.xml $lang:$(builddir)/$lang/sssd-ad.5.xml
[type:docbook] sssd.8.xml $lang:$(builddir)/$lang/sssd.8.xml
[type:docbook] sss_obfuscate.8.xml $lang:$(builddir)/$lang/sss_obfuscate.8.xml
[type:docbook] sss_useradd.8.xml $lang:$(builddir)/$lang/sss_useradd.8.xml
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
new file mode 100644
index 00000000..46660b30
--- /dev/null
+++ b/src/man/sssd-ad.5.xml
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd-ad</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd-ad</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ This manual page describes the configuration of the AD provider
+ for
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page.
+ </para>
+ <para>
+ The AD provider is a back end used to connect to an Active
+ Directory server. This provider requires that the machine be
+ joined to the AD domain and a keytab is available.
+ </para>
+ <para>
+ The AD provider supports connecting to Active Directory 2008 R2
+ or later. Earlier versions may work, but are unsupported.
+ </para>
+ <para>
+ The AD provider accepts the same options used by the
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> identity provider and the
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> authentication provider with some exceptions described
+ below.
+ </para>
+ <para>
+ However, it is neither necessary nor recommended to set these
+ options. The AD provider can also be used as an access and chpass
+ provider. No configuration of the access provider is required on
+ the client side.
+ </para>
+ </refsect1>
+
+ <refsect1 id='file-format'>
+ <title>CONFIGURATION OPTIONS</title>
+ <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page for details on the configuration of an SSSD domain.
+ <variablelist>
+ <varlistentry>
+ <term>ad_domain (string)</term>
+ <listitem>
+ <para>
+ Specifies the name of the Active Directory domain.
+ This is optional. If not provided, the
+ configuration domain name is used.
+ </para>
+ <para>
+ For proper operation, this option should be
+ specified as the lower-case version of the long
+ version of the Active Directory domain.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ad_server (string)</term>
+ <listitem>
+ <para>
+ The comma-separated list of IP addresses or
+ hostnames of the AD servers to which SSSD should
+ connect in order of preference. For more
+ information on failover and server redundancy, see
+ the <quote>FAILOVER</quote> section.
+ This is optional if autodiscovery is enabled.
+ For more information on service discovery, refer
+ to the the <quote>SERVICE DISCOVERY</quote> section.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ad_hostname (string)</term>
+ <listitem>
+ <para>
+ Optional. May be set on machines where the
+ hostname(5) does not reflect the fully qualified
+ name used in the Active Directory domain to
+ identify this host.
+ </para>
+ <para>
+ This field is used to determine the host principal
+ in use in the keytab. It must match the hostname
+ for which the keytab was issued.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example assumes that SSSD is correctly
+ configured and example.com is one of the domains in the
+ <replaceable>[sssd]</replaceable> section. This example shows only
+ the AD provider-specific options.
+ </para>
+ <para>
+<programlisting>
+[domain/EXAMPLE]
+id_provider = ad
+auth_provider = ad
+access_provider = ad
+chpass_provider = ad
+
+ad_server = dc1.example.com
+ad_hostname = client.example.com
+ad_domain = example.com
+</programlisting>
+ </para>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+
+</refentry>
+</reference>
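Review bot: The DESCRIPTION says the AD provider accepts the sssd-ldap and sssd-krb5 options "with some exceptions described below", but the CONFIGURATION OPTIONS section that follows documents only `ad_domain`, `ad_server` and `ad_hostname` and names no exception, so a reader cannot tell which inherited options behave differently (the next paragraph even advises against setting them). Either drop the "with some exceptions described below" clause or add a short paragraph listing the sssd-ldap/sssd-krb5 options the AD provider overrides or ignores. The `ad_server` entry also has a doubled word: `to the the <quote>SERVICE DISCOVERY</quote> section.` should read `to the <quote>SERVICE DISCOVERY</quote> section.`. Since `ad_hostname` is documented as the value that selects the host principal in the keytab, it would help operators to state in that entry which option names the keytab being searched (the schema in sssd-ad.conf lists both `krb5_keytab` and `ldap_krb5_keytab`), so a mismatch can be diagnosed from the page alone.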