diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 5 | ||||
-rwxr-xr-x | src/config/SSSDConfigTest.py | 3 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ad.conf | 121 | ||||
-rw-r--r-- | src/man/Makefile.am | 2 | ||||
-rw-r--r-- | src/man/include/seealso.xml | 3 | ||||
-rw-r--r-- | src/man/po/po4a.cfg | 1 | ||||
-rw-r--r-- | src/man/sssd-ad.5.xml | 155 |
7 files changed, 288 insertions, 2 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 99ccc5ab..f6030678 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -133,6 +133,11 @@ option_strings = { 'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"), 'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"), + # [provider/ad] + 'ad_domain' : _('Active Directory domain'), + 'ad_server' : _('Active Directory server address'), + 'ad_hostname' : _('Active Directory client hostname'), + # [provider/krb5] 'krb5_kdcip' : _('Kerberos server address'), 'krb5_server' : _('Kerberos server address'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index f4d4d541..c1fbe481 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -704,7 +704,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): domain = SSSDConfig.SSSDDomain('sssd', self.schema) control_provider_dict = { - 'ipa': ['id', 'auth', 'access', 'chpass', 'autofs', 'session' ], + 'ipa': ['id', 'auth', 'access', 'chpass', 'autofs', 'session'], + 'ad': ['id', 'auth', 'access', 'chpass'], 'local': ['id', 'auth', 'chpass'], 'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'], 'krb5': ['auth', 'access', 'chpass'], diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf new file mode 100644 index 00000000..f7c6d2d1 --- /dev/null +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -0,0 +1,121 @@ +[provider/ad] +ad_domain = str, None, false +ad_server = str, None, false +ad_hostname = str, None, false +ldap_uri = str, None, false +ldap_search_base = str, None, false +ldap_schema = str, None, false +ldap_default_bind_dn = str, None, false +ldap_default_authtok_type = str, None, false +ldap_default_authtok = str, None, false +ldap_network_timeout = int, None, false +ldap_opt_timeout = int, None, false +ldap_offline_timeout = int, None, false +ldap_tls_cacert = str, None, false +ldap_tls_cacertdir = str, None, false +ldap_tls_cert = str, None, false +ldap_tls_key = str, None, false +ldap_tls_cipher_suite = str, None, false +ldap_tls_reqcert = str, None, false +ldap_sasl_mech = str, None, false +ldap_sasl_authid = str, None, false +ldap_sasl_minssf = int, None, false +krb5_kdcip = str, None, false +krb5_server = str, None, false +krb5_realm = str, None, false +krb5_auth_timeout = int, None, false +krb5_canonicalize = bool, None, false +ldap_krb5_keytab = str, None, false +ldap_krb5_init_creds = bool, None, false +ldap_entry_usn = str, None, false +ldap_rootdse_last_usn = str, None, false +ldap_referrals = bool, None, false +ldap_krb5_ticket_lifetime = int, None, false +ldap_dns_service_name = str, None, false +ldap_deref = str, None, false +ldap_page_size = int, None, false +ldap_deref_threshold = int, None, false +ldap_connection_expire_timeout = int, None, false +ldap_disable_paging = bool, None, false + +[provider/ad/id] +ldap_search_timeout = int, None, false +ldap_enumeration_refresh_timeout = int, None, false +ldap_purge_cache_timeout = int, None, false +ldap_id_use_start_tls = bool, None, false +ldap_id_mapping = bool, None, false +ldap_user_search_base = str, None, false +ldap_user_search_scope = str, None, false +ldap_user_search_filter = str, None, false +ldap_user_object_class = str, None, false +ldap_user_name = str, None, false +ldap_user_uid_number = str, None, false +ldap_user_gid_number = str, None, false +ldap_user_gecos = str, None, false +ldap_user_home_directory = str, None, false +ldap_user_shell = str, None, false +ldap_user_uuid = str, None, false +ldap_user_objectsid = str, None, false +ldap_user_primary_group = str, None, false +ldap_user_principal = str, None, false +ldap_user_fullname = str, None, false +ldap_user_member_of = str, None, false +ldap_user_modify_timestamp = str, None, false +ldap_user_entry_usn = str, None, false +ldap_user_shadow_last_change = str, None, false +ldap_user_shadow_min = str, None, false +ldap_user_shadow_max = str, None, false +ldap_user_shadow_warning = str, None, false +ldap_user_shadow_inactive = str, None, false +ldap_user_shadow_expire = str, None, false +ldap_user_shadow_flag = str, None, false +ldap_user_krb_last_pwd_change = str, None, false +ldap_user_krb_password_expiration = str, None, false +ldap_pwd_attribute = str, None, false +ldap_user_ssh_public_key = str, None, false +ldap_group_search_base = str, None, false +ldap_group_search_scope = str, None, false +ldap_group_search_filter = str, None, false +ldap_group_object_class = str, None, false +ldap_group_name = str, None, false +ldap_group_gid_number = str, None, false +ldap_group_member = str, None, false +ldap_group_uuid = str, None, false +ldap_group_objectsid = str, None, false +ldap_group_modify_timestamp = str, None, false +ldap_group_entry_usn = str, None, false +ldap_force_upper_case_realm = bool, None, false +ldap_group_nesting_level = int, None, false +ldap_netgroup_search_base = str, None, false +ldap_service_object_class = str, None, false +ldap_service_name = str, None, false +ldap_service_port = str, None, false +ldap_service_proto = str, None, false +ldap_service_search_base = str, None, false +ldap_service_entry_usn = str, None, false +ldap_idmap_range_min = int, None, false +ldap_idmap_range_max = int, None, false +ldap_idmap_range_size = int, None, false +ldap_idmap_autorid_compat = bool, None, false +ldap_idmap_default_domain = str, None, false +ldap_idmap_default_domain_sid = str, None, false +ldap_groups_use_matching_rule_in_chain = bool, None, false +ldap_initgroups_use_matching_rule_in_chain = bool, None, false + +[provider/ad/auth] +krb5_ccachedir = str, None, false +krb5_ccname_template = str, None, false +krb5_keytab = str, None, false +krb5_validate = bool, None, false +ldap_pwd_policy = str, None, false +krb5_store_password_if_offline = bool, None, false +krb5_renewable_lifetime = str, None, false +krb5_lifetime = str, None, false +krb5_renew_interval = int, None, false +krb5_use_fast = str, None, false +krb5_fast_principal = str, None, false + +[provider/ad/access] + +[provider/ad/chpass] +krb5_kpasswd = str, None, false diff --git a/src/man/Makefile.am b/src/man/Makefile.am index aa2907f0..ca1a2261 100644 --- a/src/man/Makefile.am +++ b/src/man/Makefile.am @@ -40,7 +40,7 @@ man_MANS = \ sss_useradd.8 sss_userdel.8 sss_usermod.8 \ sss_groupadd.8 sss_groupdel.8 sss_groupmod.8 \ sssd.8 sssd.conf.5 sssd-ldap.5 \ - sssd-krb5.5 sssd-ipa.5 sssd-simple.5 \ + sssd-krb5.5 sssd-ipa.5 sssd-simple.5 sssd-ad.5 \ sssd_krb5_locator_plugin.8 sss_groupshow.8 \ pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml index b12dbbbe..cb2fa4cb 100644 --- a/src/man/include/seealso.xml +++ b/src/man/include/seealso.xml @@ -20,6 +20,9 @@ <refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> + <refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg index d64acb3c..af6629c0 100644 --- a/src/man/po/po4a.cfg +++ b/src/man/po/po4a.cfg @@ -7,6 +7,7 @@ [type:docbook] sssd_krb5_locator_plugin.8.xml $lang:$(builddir)/$lang/sssd_krb5_locator_plugin.8.xml [type:docbook] sssd-simple.5.xml $lang:$(builddir)/$lang/sssd-simple.5.xml [type:docbook] sssd-ipa.5.xml $lang:$(builddir)/$lang/sssd-ipa.5.xml +[type:docbook] sssd-ad.5.xml $lang:$(builddir)/$lang/sssd-ad.5.xml [type:docbook] sssd.8.xml $lang:$(builddir)/$lang/sssd.8.xml [type:docbook] sss_obfuscate.8.xml $lang:$(builddir)/$lang/sss_obfuscate.8.xml [type:docbook] sss_useradd.8.xml $lang:$(builddir)/$lang/sss_useradd.8.xml diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml new file mode 100644 index 00000000..46660b30 --- /dev/null +++ b/src/man/sssd-ad.5.xml @@ -0,0 +1,155 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>SSSD Manual pages</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sssd-ad</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo> + </refmeta> + + <refnamediv id='name'> + <refname>sssd-ad</refname> + <refpurpose>the configuration file for SSSD</refpurpose> + </refnamediv> + + <refsect1 id='description'> + <title>DESCRIPTION</title> + <para> + This manual page describes the configuration of the AD provider + for + <citerefentry> + <refentrytitle>sssd</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>. + For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> manual page. + </para> + <para> + The AD provider is a back end used to connect to an Active + Directory server. This provider requires that the machine be + joined to the AD domain and a keytab is available. + </para> + <para> + The AD provider supports connecting to Active Directory 2008 R2 + or later. Earlier versions may work, but are unsupported. + </para> + <para> + The AD provider accepts the same options used by the + <citerefentry> + <refentrytitle>sssd-ldap</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> identity provider and the + <citerefentry> + <refentrytitle>sssd-krb5</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> authentication provider with some exceptions described + below. + </para> + <para> + However, it is neither necessary nor recommended to set these + options. The AD provider can also be used as an access and chpass + provider. No configuration of the access provider is required on + the client side. + </para> + </refsect1> + + <refsect1 id='file-format'> + <title>CONFIGURATION OPTIONS</title> + <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> manual page for details on the configuration of an SSSD domain. + <variablelist> + <varlistentry> + <term>ad_domain (string)</term> + <listitem> + <para> + Specifies the name of the Active Directory domain. + This is optional. If not provided, the + configuration domain name is used. + </para> + <para> + For proper operation, this option should be + specified as the lower-case version of the long + version of the Active Directory domain. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ad_server (string)</term> + <listitem> + <para> + The comma-separated list of IP addresses or + hostnames of the AD servers to which SSSD should + connect in order of preference. For more + information on failover and server redundancy, see + the <quote>FAILOVER</quote> section. + This is optional if autodiscovery is enabled. + For more information on service discovery, refer + to the the <quote>SERVICE DISCOVERY</quote> section. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ad_hostname (string)</term> + <listitem> + <para> + Optional. May be set on machines where the + hostname(5) does not reflect the fully qualified + name used in the Active Directory domain to + identify this host. + </para> + <para> + This field is used to determine the host principal + in use in the keytab. It must match the hostname + for which the keytab was issued. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" /> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" /> + + <refsect1 id='example'> + <title>EXAMPLE</title> + <para> + The following example assumes that SSSD is correctly + configured and example.com is one of the domains in the + <replaceable>[sssd]</replaceable> section. This example shows only + the AD provider-specific options. + </para> + <para> +<programlisting> +[domain/EXAMPLE] +id_provider = ad +auth_provider = ad +access_provider = ad +chpass_provider = ad + +ad_server = dc1.example.com +ad_hostname = client.example.com +ad_domain = example.com +</programlisting> + </para> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" /> + +</refentry> +</reference> |