SSSD-IPA(5) NAME sssd-ipa - IPA SSSD IPA sssd(8). " " sssd.conf(5). IPA -- , IPA. ( IPA - freeipa.org.) , IPA; , . IPA SSSD sssd-ldap(5) sssd-krb5(5) IPA. IPA , sssd-ldap sssd-krb5 providers, . , . IPA ldap krb5, . " ". As an access provider, the IPA provider has a minimal configuration (see "ipa_access_order") as it mainly uses HBAC (host-based access control) rules. Please refer to freeipa.org for more information about HBAC. sssd.conf "auth_provider=ipa" "access_provider=ipa", id_provider "ipa". IPA PAC, Kerberos PAC. PAC , IPA. SSSD " " sssd.conf(5). ipa_domain () IPA. . , . ipa_server, ipa_backup_server () IP- IPA, SSSD . " ". , . " ". ipa_hostname () . , hostname(5) , IPA. . dyndns_update ( ) . SSSD DNS, FreeIPA, IP- . GSS-TSIG. IP- LDAP- IPA, "dyndns_iface" . : (, RHEL 5) Kerberos /etc/krb5.conf : , ipa_dyndns_update, , , dyndns_update, . : false dyndns_ttl ( ) TTL, DNS . dyndns_update <>, . TTL , . : , ipa_dyndns_ttl, , , dyndns_ttl, . : 1200 () dyndns_iface () . , dyndns_update <>. , IP- DNS. "*" , IP- . : , ipa_dyndns_iface, , , dyndns_iface, . : IP- , LDAP IPA : dyndns_iface = em1, vnet1, vnet2 dyndns_auth () nsupdate GSS-TSIG DNS. , <>. : GSS-TSIG dyndns_auth_ptr () nsupdate GSS-TSIG PTR DNS. , <>. : , dyndns_auth ipa_enable_dns_sites ( ) DNS -- . <> ( ), SSSD , <<_location.hostname.example.com>>, SRV. , IPA, , , IPA, SRV, : false dyndns_refresh_interval ( ) DNS , . , dyndns_update <>. : 0 () dyndns_update_ptr ( ) PTR DNS . , dyndns_update <>. <> IPA, IPA PTR . Note that dyndns_update_per_family parameter does not apply for PTR record updates. Those updates are always sent separately. : false () dyndns_force_tcp ( ) nsupdate TCP DNS. : false ( nsupdate ) dyndns_server () DNS, DNS. . , DNS . , , , . : none ( nsupdate ) dyndns_update_per_family ( ) DNS : IPv4, IPv4. IPv4 IPv6 . : true ipa_access_order (string) . : expire: use IPA's account expiration policy. pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew: , , , , , , SSH. 
The difference between these options is the action taken when the user's password has expired: o pwd_expire_policy_reject - the user is denied login, o pwd_expire_policy_warn - the user is still able to log in, o pwd_expire_policy_renew - the user is prompted to change their password immediately. Please note that 'access_provider = ipa' must be set for this feature to work. ipa_deskprofile_search_base () . , . : base DN ipa_hbac_search_base () . , HBAC. : base DN ipa_host_search_base () . ldap_host_search_base. ipa_selinux_search_base () . SELinux. "ldap_search_base". : ldap_search_base ipa_subdomains_search_base () . . "ldap_search_base". : cn=trusts,%basedn ipa_master_domain_search_base () . . "ldap_search_base". : cn=ad,cn=etc,%basedn ipa_views_search_base () . . "ldap_search_base". : cn=views,cn=accounts,%basedn krb5_realm () Kerberos. , "ipa_domain". Kerberos IPA -- base DN, LDAP. krb5_confd_path () , SSSD Kerberos. , <>. : ( krb5.include.d pubconf SSSD) ipa_deskprofile_refresh ( ) IPA. IPA, . : 5 () ipa_deskprofile_request_interval ( ) IPA, . : 60 () ipa_hbac_refresh ( ) HBAC IPA. IPA, . : 5 () ipa_hbac_selinux ( ) SELinux IPA. IPA, . : 5 () ipa_server_mode ( ) IPA (ipa-server-install). , SSSD IPA . IPA SSSD , SSSD IPA. : , SSSD IPA. o "ipa_server" , IPA. IPA, . o "full_name_format" , . : false ipa_automount_location () , IPA : <> , , - , autofs, sssd.conf, SSSD. SSSD , FreeIPA 4.1 . , . . ipa_view_class () . : nsContainer ipa_view_name () , . : cn ipa_override_object_class () . : ipaOverrideAnchor ipa_anchor_uuid () , . : ipaAnchorUUID ipa_user_override_object_class () . , , . , o ldap_user_name o ldap_user_uid_number o ldap_user_gid_number o ldap_user_gecos o ldap_user_home_directory o ldap_user_shell o ldap_user_ssh_public_key : ipaUserOverride ipa_group_override_object_class () . , , . , o ldap_group_name o ldap_group_gid_number : ipaGroupOverride . 
IPA : KRB5 o krb5_validate = true o krb5_use_fast = try o krb5_canonicalize = true LDAP -- o ldap_schema = ipa_v1 o ldap_force_upper_case_realm = true o ldap_sasl_mech = GSSAPI o ldap_sasl_minssf = 56 o ldap_account_expire_policy = ipa o ldap_use_tokengroups = true LDAP -- o ldap_user_member_of = memberOf o ldap_user_uuid = ipaUniqueID o ldap_user_ssh_public_key = ipaSshPubKey o ldap_user_auth_type = ipaUserAuthType LDAP -- o ldap_group_object_class = ipaUserGroup o ldap_group_object_class_alt = posixGroup o ldap_group_member = member o ldap_group_uuid = ipaUniqueID o ldap_group_objectsid = ipaNTSecurityIdentifier o ldap_group_external_member = ipaExternalMember , IPA , . sssd.conf <>, IPA , IPA. sssd.conf <>, <>, IPA . , , , , , IPA . , IPA , . . , . "subdomain_inherit" . [domain/ipa.domain.com/ad.domain.com] ad_server = dc.ad.domain.com sssd.conf(5). , SSSD: IPA IPA. , IPA IPA : o ad_server o ad_backup_server o ad_site o ldap_search_base o ldap_user_search_base o ldap_group_search_base o use_fully_qualified_names , IPA IPA : o ad_server o ad_site : , "ad_server". , IPA, IPA, "ad_server" "ad_site" , AD DC . , "kdcinfo", Kerberos. Kerberos sssd_krb5_locator_plugin(8). . ; . . . : (primary) (backup). , , , . , 31- -. SSSD . , () . . ; , . . , . , , . , . , , , ; 30 . , 30 . - , , DNS, , , , . , SSSD . SSSD , , -. . sssd.conf(5). dns_resolver_server_timeout ( ), SSSD DNS . : 1000 dns_resolver_op_timeout ( ), SSSD DNS (, SRV) . : 3 dns_resolver_timeout SSSD . , , SRV DNS . : 6 LDAP LDAP-. , - "ldap_opt_timeout" , "dns_resolver_timeout", , , , "dns_resolver_op_timeout", "dns_resolver_server_timeout". , , DNS. . , , . () , , "_srv_". . , , , , , DNS. "dns_discovery_domain" sssd.conf(5). _tcp. . . RFC 2782. , SSSD example.com -- [sssd]. , IPA. [domain/example.com] id_provider = ipa ipa_server = ipaserver.example.com ipa_hostname = myhost.example.com . 
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) AUTHORS (<<>>) SSSD -- https://github.com/SSSD/sssd/ SSSD 05/17/2024 SSSD-IPA(5)