Provided by:
sssd_0.5.0-0ubuntu2_i386 
NAME
sssd-ldap - the configuration file for SSSD
DESCRIPTION
This manual page describes the configuration of LDAP domains for
sssd(8). For detailed syntax reference, please refer to the sssd.conf(5)
manual page, section “FILE FORMAT”.
There can be more than one LDAP domain configured with SSSD.
CONFIGURATION OPTIONS
All the common configuration options for SSSD domains apply to LDAP
domains, too. See the sssd.conf(5) manual page, section “DOMAIN
SECTIONS”.
ldapUri (string)
Specifies the URI of the LDAP server to which SSSD should connect.
Default: ldap://localhost
defaultBindDn (string)
The default bind DN to use for performing LDAP operations.
defaultAuthtokType (string)
The type of the authentication token of the default bind DN. So far
"password" is the only supported value.
defaultAuthtok (string)
The authentication token of the default bind DN. So far only a
clear text password is supported.
userSearchBase (string)
The default base DN to use for performing LDAP operations.
userObjectClass (string)
The object class of a user entry in LDAP.
Default: posixAccount
userName (string)
The LDAP attribute that corresponds to the user's login name.
Default: uid
userUidNumber (string)
The LDAP attribute that corresponds to the user's id.
Default: uidNumber
userGidNumber (string)
The LDAP attribute that corresponds to the user's primary group id.
Default: gidNumber
userGecos (string)
The LDAP attribute that corresponds to the user's gecos field.
Default: gecos
userHomeDirectory (string)
The LDAP attribute that contains the name of the home directory of
a user.
Default: homeDirectory
userShell (string)
The LDAP attribute that contains the path of the user's default
shell.
Default: loginShell
userUUID (string)
The LDAP attribute that contains the UUID/GUID of an LDAP user
object.
Default: nsUniqueId
userPrincipal (string)
The LDAP attribute that contains the Kerberos User Principal Name
(UPN) of the user.
Default: krbPrincipalName
force_upper_case_realm (boolean)
Some directory servers, for example Active Directory, might deliver
the realm part of the UPN in lower case, which may cause the
authentication to fail. Set this option to a non-zero value if you
want to use an upper case realm.
Default: false
userFullname (string)
The LDAP attribute that corresponds to the full name of the user.
Default: cn
userMemberOf (string)
The LDAP attribute that lists the user's group memberships.
Default: memberOf
groupObjectClass (string)
The object class of a group entry in LDAP.
Default: posixGroup
groupName (string)
The LDAP attribute that corresponds to the group name.
Default: cn
groupGidNumber (string)
The LDAP attribute that corresponds to the group's id.
Default: gidNumber
groupMember (string)
The LDAP attribute that contains the names of the members of the
group.
Default: memberuid
groupUUID (string)
The LDAP attribute that contains the UUID/GUID of an LDAP group
object.
Default: nsUniqueId
network_timeout (integer)
Specifies the timeout (in seconds) after which the
poll(2)/select(2) following a connect(2) returns in case of no
activity.
Default: 5
opt_timeout (integer)
Specifies a timeout (in seconds) after which calls to synchronous
LDAP APIs will abort if no response is received.
Default: 5
tls_reqcert (string)
Specifies what checks to perform on server certificates in a TLS
session, if any. It can be specified as one of the following
values:
never = The client will not request or check any server
certificate.
allow = The server certificate is requested. If no certificate is
provided, the session proceeds normally. If a bad certificate is
provided, it will be ignored and the session proceeds normally.
try = The server certificate is requested. If no certificate is
provided, the session proceeds normally. If a bad certificate is
provided, the session is immediately terminated.
demand = The server certificate is requested. If no certificate is
provided, or a bad certificate is provided, the session is
immediately terminated.
hard = Same as “demand”
EXAMPLE
The following example assumes that SSSD is correctly configured and
LDAP is set as one of the domains in the [domains] section.
[domains/LDAP]
auth-module = ldap
ldapUri = ldap://ldap.mydomain.org
userSearchBase = dc=mydomain,dc=org
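As an added example (not part of this manual page and not SSSD's own code), a small Python audit of a [domains/<name>] section against the options described above: it flags an ldapUri that is not ldaps://, a tls_reqcert that is missing or set to one of the values that tolerate a bad certificate, and a clear-text defaultAuthtok. Both configuration fragments are constructed for the example; the hardened one assumes the server accepts ldaps://.

```python
import configparser

# Constructed sample (not from the manual page): the manual's example domain
# plus a cleartext bind token and a permissive tls_reqcert.
WEAK_CONF = """\
[domains/LDAP]
auth-module = ldap
ldapUri = ldap://ldap.mydomain.org
userSearchBase = dc=mydomain,dc=org
defaultBindDn = cn=proxy,dc=mydomain,dc=org
defaultAuthtok = s3cret
tls_reqcert = allow
"""

# Constructed hardened variant: TLS from the first byte, certificate required.
HARDENED_CONF = """\
[domains/LDAP]
auth-module = ldap
ldapUri = ldaps://ldap.mydomain.org
userSearchBase = dc=mydomain,dc=org
tls_reqcert = demand
"""

# tls_reqcert values under which a missing or bad server certificate does not stop the session
WEAK_TLS_REQCERT = {"never", "allow", "try"}


def audit_ldap_domain(conf_text, domain="LDAP"):
    """Return [(option, problem), ...] for one [domains/<domain>] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domains/{domain}"
    if not cp.has_section(section):
        return [("section", f"[{section}] not found")]
    opts = cp[section]  # option-name lookups are case-insensitive
    findings = []
    uri = opts.get("ldapUri", "ldap://localhost")  # manual's default
    if not uri.lower().startswith("ldaps://"):
        findings.append(("ldapUri", f"{uri} is not ldaps://; bind DN and "
                         "password cross the network unencrypted unless TLS is negotiated"))
    reqcert = opts.get("tls_reqcert")
    if reqcert is None:
        findings.append(("tls_reqcert", "not set; confirm the effective default"))
    elif reqcert.strip().lower() in WEAK_TLS_REQCERT:
        findings.append(("tls_reqcert", f"'{reqcert}' tolerates a missing or bad "
                         "server certificate; use 'demand'"))
    if opts.get("defaultAuthtok"):
        findings.append(("defaultAuthtok", "bind password is stored in clear "
                         "text; restrict read access to sssd.conf"))
    return findings
```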
NOTES
The descriptions of some of the configuration options in this manual page
are based on the ldap.conf(5) manual page from the OpenLDAP 2.4 distribution.
SEE ALSO
sssd.conf(5), sssd(8)
AUTHORS
The SSSD upstream - http://fedorahosted.org/sssd