Provided by: sssd_1.8.2-0ubuntu1_i386 bug

NAME

       sssd-ipa - the configuration file for SSSD

DESCRIPTION

       This manual page describes the configuration of the IPA provider for
       sssd(8). For a detailed syntax reference, refer to the "FILE FORMAT"
       section of the sssd.conf(5) manual page.

       The IPA provider is a back end used to connect to an IPA server. (Refer
       to the freeipa.org web site for information about IPA servers.) This
       provider requires that the machine be joined to the IPA domain;
       configuration is almost entirely self-discovered and obtained directly
       from the server.

       The IPA provider accepts the same options used by the sssd-ldap(5)
       identity provider and the sssd-krb5(5) authentication provider with
       some exceptions described below.

       However, it is neither necessary nor recommended to set these options.
       IPA provider can also be used as an access and chpass provider. As an
       access provider it uses HBAC (host-based access control) rules. Please
       refer to freeipa.org for more information about HBAC. No configuration
       of access provider is required on the client side.

CONFIGURATION OPTIONS

       Refer to the section "DOMAIN SECTIONS" of the sssd.conf(5) manual page
       for details on the configuration of an SSSD domain.

       ipa_domain (string)
           Specifies the name of the IPA domain. This is optional. If not
           provided, the configuration domain name is used.

       ipa_server (string)
           The comma-separated list of IP addresses or hostnames of the IPA
           servers to which SSSD should connect in the order of preference.
           For more information on failover and server redundancy, see the
           "FAILOVER" section. This is optional if autodiscovery is enabled.
           For more information on service discovery, refer to the the
           "SERVICE DISCOVERY" section.

       ipa_hostname (string)
           Optional. May be set on machines where the hostname(5) does not
           reflect the fully qualified name used in the IPA domain to identify
           this host.

       ipa_dyndns_update (boolean)
           Optional. This option tells SSSD to automatically update the DNS
           server built into FreeIPA v2 with the IP address of this client.

           NOTE: On older systems (such as RHEL 5), for this behavior to work
           reliably, the default Kerberos realm must be set properly in
           /etc/krb5.conf

           Default: false

       ipa_dyndns_iface (string)
           Optional. Applicable only when ipa_dyndns_update is true. Choose
           the interface whose IP address should be used for dynamic DNS
           updates.

           Default: Use the IP address of the IPA LDAP connection

       ipa_hbac_search_base (string)
           Optional. Use the given string as search base for HBAC related
           objects.

           Default: Use base DN

       ipa_host_search_base (string)
           Optional. Use the given string as search base for host objects.

           See "ldap_search_base" for information about configuring multiple
           search bases.

           If filter is given in any of search bases and
           ipa_hbac_support_srchost is set to False, the filter will be
           ignored.

           Default: the value of ldap_search_base

       ipa_selinux_search_base (string)
           Optional. Use the given string as search base for SELinux user
           maps.

           See "ldap_search_base" for information about configuring multiple
           search bases.

           Default: the value of ldap_search_base

       krb5_validate (boolean)
           Verify with the help of krb5_keytab that the TGT obtained has not
           been spoofed.

           Default: true

           Note that this default differs from the traditional Kerberos
           provider back end.

       krb5_realm (string)
           The name of the Kerberos realm. This is optional and defaults to
           the value of "ipa_domain".

           The name of the Kerberos realm has a special meaning in IPA - it is
           converted into the base DN to use for performing LDAP operations.

       krb5_canonicalize (boolean)
           Specifies if the host and user principal should be canonicalized
           when connecting to IPA LDAP and also for AS requests. This feature
           is available with MIT Kerberos >= 1.7

           Default: true

       ipa_hbac_refresh (integer)
           The amount of time between lookups of the HBAC rules against the
           IPA server. This will reduce the latency and load on the IPA server
           if there are many access-control requests made in a short period.

           Default: 5 (seconds)

       ipa_hbac_treat_deny_as (string)
           This option specifies how to treat the deprecated DENY-type HBAC
           rules. As of FreeIPA v2.1, DENY rules are no longer supported on
           the server. All users of FreeIPA will need to migrate their rules
           to use only the ALLOW rules. The client will support two modes of
           operation during this transition period:

           DENY_ALL: If any HBAC DENY rules are detected, all users will be
           denied access.

           IGNORE: SSSD will ignore any DENY rules. Be very careful with this
           option, as it may result in opening unintended access.

           Default: DENY_ALL

       ipa_hbac_support_srchost (boolean)
           If this is set to false, then srchost as given to SSSD by PAM will
           be ignored.

           Note that if set to False, this option casuses filters given in
           ipa_host_search_base to be ignored;

           Default: false

       ipa_automount_location (string)
           The automounter location this IPA client will be using

           Default: The location named "default"

       ipa_netgroup_member_of (string)
           The LDAP attribute that lists netgroup's memberships.

           Default: memberOf

       ipa_netgroup_member_user (string)
           The LDAP attribute that lists system users and groups that are
           direct members of the netgroup.

           Default: memberUser

       ipa_netgroup_member_host (string)
           The LDAP attribute that lists hosts and host groups that are direct
           members of the netgroup.

           Default: memberHost

       ipa_netgroup_member_ext_host (string)
           The LDAP attribute that lists FQDNs of hosts and host groups that
           are members of the netgroup.

           Default: externalHost

       ipa_netgroup_domain (string)
           The LDAP attribute that contains NIS domain name of the netgroup.

           Default: nisDomainName

       ipa_host_object_class (string)
           The object class of a host entry in LDAP.

           Default: ipaHost

       ipa_host_fqdn (string)
           The LDAP attribute that contains FQDN of the host.

           Default: fqdn

       ipa_selinux_usermap_object_class (string)
           The object class of a host entry in LDAP.

           Default: ipaHost

       ipa_selinux_usermap_name (string)
           The LDAP attribute that contains the name of SELinux usermap.

           Default: cn

       ipa_selinux_usermap_member_user (string)
           The LDAP attribute that contains all users / groups this rule match
           against.

           Default: memberUser

       ipa_selinux_usermap_member_host (string)
           The LDAP attribute that contains all hosts / hostgroups this rule
           match against.

           Default: memberHost

       ipa_selinux_usermap_see_also (string)
           The LDAP attribute that contains DN of HBAC rule which can be used
           for matching instead of memberUser and memberHost

           Default: seeAlso

       ipa_selinux_usermap_selinux_user (string)
           The LDAP attribute that contains SELinux user string itself.

           Default: ipaSELinuxUser

       ipa_selinux_usermap_enabled (string)
           The LDAP attribute that contains whether or not is user map enabled
           for usage.

           Default: ipaEnabledFlag

       ipa_selinux_usermap_user_category (string)
           The LDAP attribute that contains user category such as 'all'.

           Default: userCategory

       ipa_selinux_usermap_host_category (string)
           The LDAP attribute that contains host category such as 'all'.

           Default: hostCategory

       ipa_selinux_usermap_uuid (string)
           The LDAP attribute that contains unique ID of the user map.

           Default: ipaUniqueID

       ipa_host_ssh_public_key (string)
           The LDAP attribute that contains the host's SSH public keys.

           Default: ipaSshPubKey

FAILOVER

       The failover feature allows back ends to automatically switch to a
       different server if the primary server fails.

   Failover Syntax
       The list of servers is given as a comma-separated list; any number of
       spaces is allowed around the comma. The servers are listed in order of
       preference. The list can contain any number of servers.

   The Failover Mechanism
       The failover mechanism distinguishes between a machine and a service.
       The back end first tries to resolve the hostname of a given machine; if
       this resolution attempt fails, the machine is considered offline. No
       further attempts are made to connect to this machine for any other
       service. If the resolution attempt succeeds, the back end tries to
       connect to a service on this machine. If the service connection attempt
       fails, then only this particular service is considered offline and the
       back end automatically switches over to the next service. The machine
       is still considered online and might still be tried for another
       service.

       Further connection attempts are made to machines or services marked as
       offline after a specified period of time; this is currently hard coded
       to 30 seconds.

       If there are no more machines to try, the back end as a whole switches
       to offline mode, and then attempts to reconnect every 30 seconds.

SERVICE DISCOVERY

       The service discovery feature allows back ends to automatically find
       the appropriate servers to connect to using a special DNS query.

   Configuration
       If no servers are specified, the back end automatically uses service
       discovery to try to find a server. Optionally, the user may choose to
       use both fixed server addresses and service discovery by inserting a
       special keyword, "_srv_", in the list of servers. The order of
       preference is maintained. This feature is useful if, for example, the
       user prefers to use service discovery whenever possible, and fall back
       to a specific server when no servers can be discovered using DNS.

   The domain name
       Please refer to the "dns_discovery_domain" parameter in the
       sssd.conf(5) manual page for more details.

   The protocol
       The queries usually specify _tcp as the protocol. Exceptions are
       documented in respective option description.

   See Also
       For more information on the service discovery mechanism, refer to RFC
       2782.

EXAMPLE

       The following example assumes that SSSD is correctly configured and
       example.com is one of the domains in the [sssd] section. This examples
       shows only the ipa provider-specific options.

               [domain/example.com]
               id_provider = ipa
               ipa_server = ipaserver.example.com
               ipa_hostname = myhost.example.com

SEE ALSO

       sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd(8)

AUTHORS

       The SSSD upstream - http://fedorahosted.org/sssd