SSSD Manual pages
sssd-ipa
5
File Formats and Conventions
sssd-ipa
the configuration file for SSSD
DESCRIPTION
This manual page describes the configuration of the IPA provider
for
sssd
8
.
For a detailed syntax reference, refer to the FILE FORMAT
section of the
sssd.conf
5
manual page.
The IPA provider is a back end used to connect to an IPA server.
(Refer to the freeipa.org web site for information about IPA servers.)
This provider requires that the machine be joined to the IPA domain;
configuration is almost entirely self-discovered and obtained
directly from the server.
The IPA provider accepts the same options used by the
sssd-ldap
5
identity provider and the
sssd-krb5
5
authentication provider with some exceptions described
below.
However, it is neither necessary nor recommended to set these options.
IPA provider can also be used as an access and chpass provider. As an
access provider it uses HBAC (host-based access control) rules. Please
refer to freeipa.org for more information about HBAC. No configuration
of access provider is required on the client side.
The IPA provider will use the PAC responder if the Kerberos tickets
of users from trusted realms contain a PAC. To make configuration
easier the PAC responder is started automatically if the IPA ID
provider is configured.
CONFIGURATION OPTIONS
Refer to the section DOMAIN SECTIONS
of the
sssd.conf
5
manual page for details on the configuration of an SSSD domain.
ipa_domain (string)
Specifies the name of the IPA domain.
This is optional. If not provided, the configuration
domain name is used.
ipa_server, ipa_backup_server (string)
The comma-separated list of IP addresses or hostnames of the
IPA servers to which SSSD should connect in
the order of preference. For more information
on failover and server redundancy, see the
FAILOVER
section.
This is optional if autodiscovery is enabled.
For more information on service discovery, refer
to the SERVICE DISCOVERY
section.
ipa_hostname (string)
Optional. May be set on machines where the
hostname(5) does not reflect the fully qualified
name used in the IPA domain to identify this host.
dyndns_update (boolean)
Optional. This option tells SSSD to automatically
update the DNS server built into FreeIPA v2 with
the IP address of this client. The update is
secured using GSS-TSIG. The IP address of the IPA
LDAP connection is used for the updates, if it is
not otherwise specified by using the
dyndns_iface
option.
NOTE: On older systems (such as RHEL 5), for this
behavior to work reliably, the default Kerberos
realm must be set properly in /etc/krb5.conf
NOTE: While it is still possible to use the old
ipa_dyndns_update option, users
should migrate to using dyndns_update
in their config file.
Default: false
dyndns_ttl (integer)
The TTL to apply to the client DNS record when updating it.
If dyndns_update is false this has no effect. This will
override the TTL serverside if set by an administrator.
NOTE: While it is still possible to use the old
ipa_dyndns_ttl option, users
should migrate to using dyndns_ttl
in their config file.
Default: 1200 (seconds)
dyndns_iface (string)
Optional. Applicable only when dyndns_update
is true. Choose the interface whose IP address
should be used for dynamic DNS updates.
NOTE: While it is still possible to use the old
ipa_dyndns_iface option, users
should migrate to using dyndns_iface
in their config file.
Default: Use the IP address of the IPA LDAP connection
ipa_enable_dns_sites (boolean)
Enables DNS sites - location based
service discovery.
If true and service discovery (see Service
Discovery paragraph at the bottom of the man page)
is enabled, then the SSSD will first attempt
location based discovery using a query that contains
"_location.hostname.example.com" and then fall back
to traditional SRV discovery. If the location based
discovery succeeds, the IPA servers located with
the location based discovery are treated as primary
servers and the IPA servers located using the
traditional SRV discovery are used as back up
servers
Default: false
dyndns_refresh_interval (integer)
How often should the back end perform periodic DNS update in
addition to the automatic update performed when the back end
goes online.
This option is optional and applicable only when dyndns_update
is true.
Default: 0 (disabled)
dyndns_update_ptr (bool)
Whether the PTR record should also be explicitly
updated when updating the client's DNS records.
Applicable only when dyndns_update is true.
This option should be False in most IPA
deployments as the IPA server generates the
PTR records automatically when forward records
are changed.
Default: False (disabled)
dyndns_force_tcp (bool)
Whether the nsupdate utility should default to using
TCP for communicating with the DNS server.
Default: False (let nsupdate choose the protocol)
ipa_hbac_search_base (string)
Optional. Use the given string as search base for
HBAC related objects.
Default: Use base DN
ipa_host_search_base (string)
Optional. Use the given string as search base for
host objects.
See ldap_search_base
for
information about configuring multiple search
bases.
If filter is given in any of search bases and
ipa_hbac_support_srchost
is set to False, the filter will be ignored.
Default: the value of
ldap_search_base
ipa_selinux_search_base (string)
Optional. Use the given string as search base for
SELinux user maps.
See ldap_search_base
for
information about configuring multiple search
bases.
Default: the value of
ldap_search_base
ipa_subdomains_search_base (string)
Optional. Use the given string as search base for
trusted domains.
See ldap_search_base
for
information about configuring multiple search
bases.
Default: the value of
cn=trusts,%basedn
ipa_master_domain_search_base (string)
Optional. Use the given string as search base for
master domain object.
See ldap_search_base
for
information about configuring multiple search
bases.
Default: the value of
cn=ad,cn=etc,%basedn
krb5_validate (boolean)
Verify with the help of krb5_keytab that the TGT
obtained has not been spoofed.
Default: true
Note that this default differs from the
traditional Kerberos provider back end.
krb5_realm (string)
The name of the Kerberos realm. This is optional and
defaults to the value of ipa_domain
.
The name of the Kerberos realm has a special
meaning in IPA - it is converted into the base
DN to use for performing LDAP operations.
krb5_canonicalize (boolean)
Specifies if the host and user principal should be
canonicalized when connecting to IPA LDAP and also for AS
requests. This feature is available with MIT
Kerberos >= 1.7
Default: true
ipa_hbac_refresh (integer)
The amount of time between lookups of the HBAC
rules against the IPA server. This will reduce the
latency and load on the IPA server if there are
many access-control requests made in a short
period.
Default: 5 (seconds)
ipa_hbac_selinux (integer)
The amount of time between lookups of the SELinux
maps against the IPA server. This will reduce the
latency and load on the IPA server if there are
many user login requests made in a short
period.
Default: 5 (seconds)
ipa_hbac_treat_deny_as (string)
This option specifies how to treat the deprecated
DENY-type HBAC rules. As of FreeIPA v2.1, DENY
rules are no longer supported on the server. All
users of FreeIPA will need to migrate their rules
to use only the ALLOW rules. The client will
support two modes of operation during this
transition period:
DENY_ALL: If any HBAC DENY
rules are detected, all users will be denied
access.
IGNORE: SSSD will ignore any
DENY rules. Be very careful with this option, as
it may result in opening unintended access.
Default: DENY_ALL
ipa_hbac_support_srchost (boolean)
If this is set to false, then srchost as given
to SSSD by PAM will be ignored.
Note that if set to False,
this option casuses filters given in
ipa_host_search_base to be ignored;
Default: false
ipa_automount_location (string)
The automounter location this IPA client will be using
Default: The location named "default"
ipa_netgroup_member_of (string)
The LDAP attribute that lists netgroup's
memberships.
Default: memberOf
ipa_netgroup_member_user (string)
The LDAP attribute that lists system users
and groups that are direct members of the
netgroup.
Default: memberUser
ipa_netgroup_member_host (string)
The LDAP attribute that lists hosts and host groups
that are direct members of the netgroup.
Default: memberHost
ipa_netgroup_member_ext_host (string)
The LDAP attribute that lists FQDNs of hosts
and host groups that are members of the netgroup.
Default: externalHost
ipa_netgroup_domain (string)
The LDAP attribute that contains NIS domain
name of the netgroup.
Default: nisDomainName
ipa_host_object_class (string)
The object class of a host entry in LDAP.
Default: ipaHost
ipa_host_fqdn (string)
The LDAP attribute that contains FQDN of the host.
Default: fqdn
ipa_selinux_usermap_object_class (string)
The object class of a host entry in LDAP.
Default: ipaHost
ipa_selinux_usermap_name (string)
The LDAP attribute that contains the name
of SELinux usermap.
Default: cn
ipa_selinux_usermap_member_user (string)
The LDAP attribute that contains all users / groups
this rule match against.
Default: memberUser
ipa_selinux_usermap_member_host (string)
The LDAP attribute that contains all hosts / hostgroups
this rule match against.
Default: memberHost
ipa_selinux_usermap_see_also (string)
The LDAP attribute that contains DN of HBAC
rule which can be used for matching instead
of memberUser and memberHost
Default: seeAlso
ipa_selinux_usermap_selinux_user (string)
The LDAP attribute that contains SELinux user
string itself.
Default: ipaSELinuxUser
ipa_selinux_usermap_enabled (string)
The LDAP attribute that contains whether
or not is user map enabled for usage.
Default: ipaEnabledFlag
ipa_selinux_usermap_user_category (string)
The LDAP attribute that contains user category
such as 'all'.
Default: userCategory
ipa_selinux_usermap_host_category (string)
The LDAP attribute that contains host category
such as 'all'.
Default: hostCategory
ipa_selinux_usermap_uuid (string)
The LDAP attribute that contains unique ID
of the user map.
Default: ipaUniqueID
ipa_host_ssh_public_key (string)
The LDAP attribute that contains the host's SSH
public keys.
Default: ipaSshPubKey
SUBDOMAINS PROVIDER
The IPA subdomains provider behaves slightly differently
if it is configured explicitly or implicitly.
If the option 'subdomains_provider = ipa' is found in the
domain section of sssd.conf, the IPA subdomains provider is
configured explicitly, and all subdomain requests are sent to the
IPA server if necessary.
If the option 'subdomains_provider' is not set in the domain
section of sssd.conf but there is the option 'id_provider = ipa',
the IPA subdomains provider is configured implicitly. In this case,
if a subdomain request fails and indicates that the server does not
support subdomains, i.e. is not configured for trusts, the IPA
subdomains provider is disabled. After an hour or after the IPA
provider goes online, the subdomains provider is enabled again.
EXAMPLE
The following example assumes that SSSD is correctly
configured and example.com is one of the domains in the
[sssd] section. This examples shows only
the ipa provider-specific options.
[domain/example.com]
id_provider = ipa
ipa_server = ipaserver.example.com
ipa_hostname = myhost.example.com