SSSD-IPA(5) NAME sssd-ipa - IPA SSSD IPA sssd(8). , << >> sssd.conf(5). IPA -- , ' IPA. ( IPA freeipa.org.) ' IPA. , . IPA SSSD sssd- ldap(5) sssd-krb5(5) IPA. IPA , sssd-ldap sssd-krb5, . , ' . IPA ldap krb5 . " ". As an access provider, the IPA provider has a minimal configuration (see "ipa_access_order") as it mainly uses HBAC (host-based access control) rules. Please refer to freeipa.org for more information about HBAC. sssd.conf "auth_provider=ipa" "access_provider=ipa", id_provider "ipa". IPA PAC, Kerberos PAC. PAC , IPA. << >> (man) sssd.conf(5), SSSD. ipa_domain () IPA. '. , . ipa_server, ipa_backup_server () IP- , , IPA, ' SSSD. <<>>. ', . << >>. ipa_hostname () '. ', hostname(5) , IPA . . dyndns_update ( ) '. SSSD DNS, FreeIPA, IP- . GSS-TSIG. IP- ' LDAP IPA, <>. : ( RHEL 5) Kerberos /etc/krb5.conf : , ipa_dyndns_update, , dyndns_update, . : false dyndns_ttl ( ) TTL, DNS . dyndns_update false, . TTL , . : , ipa_dyndns_ttl, , dyndns_ttl, . : 1200 () dyndns_iface () '. , dyndns_update true. , IP- DNS. "*" , IP- . : , ipa_dyndns_iface, , dyndns_iface, . : IP- , ' LDAP IPA : dyndns_iface = em1, vnet1, vnet2 dyndns_auth () , nsupdate GSS-TSIG DNS, <>. : GSS-TSIG dyndns_auth_ptr () , nsupdate GSS-TSIG PTR DNS, <>. : , dyndns_auth ipa_enable_dns_sites ( ) DNS -- . true (. (man)), SSSD , "_location.hostname.example.com", SRV. , IPA, , , IPA, SRV, . : false dyndns_refresh_interval ( ) , DNS , ' . ', , dyndns_update true. : 0 () dyndns_update_ptr ( ) , PTR DNS . , dyndns_update true. IPA False, IPA PTR . Note that dyndns_update_per_family parameter does not apply for PTR record updates. Those updates are always sent separately. : False () dyndns_force_tcp ( ) , nsupdate TCP DNS. : False ( nsupdate ) dyndns_server () DNS, DNS. . , DNS . , , , . : ( nsupdate ) dyndns_update_per_family ( ) DNS, , -- IPv4, IPv6. IPv4 IPv6 . : true ipa_access_order (string) . : expire: use IPA's account expiration policy. 
pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew: , , , , SSH. The difference between these options is the action taken if user password is expired: o pwd_expire_policy_reject - user is denied to log in, o pwd_expire_policy_warn - user is still able to log in, o pwd_expire_policy_renew - user is prompted to change their password immediately. Please note that 'access_provider = ipa' must be set for this feature to work. ipa_deskprofile_search_base () '. ' (Desktop Profile) '. : ipa_hbac_search_base () '. ' HBAC '. : ipa_host_search_base () . ldap_host_search_base. ipa_selinux_search_base () '. SELinux. <>, . : ldap_search_base ipa_subdomains_search_base () '. . <>, . : cn=trusts,%basedn ipa_master_domain_search_base () '. ' . <>, . : cn=ad,cn=etc,%basedn ipa_views_search_base () '. . <>, . : cn=views,cn=accounts,%basedn krb5_realm () Kerberos. ', <>. Kerberos IPA: DN LDAP. krb5_confd_path () , SSSD Kerberos. , <>. : ( krb5.include.d pubconf SSSD) ipa_deskprofile_refresh ( ) (Desktop Profile) IPA. IPA, . : 5 () ipa_deskprofile_request_interval ( ) IPA, . : 60 () ipa_hbac_refresh ( ) HBAC IPA. IPA, . : 5 () ipa_hbac_selinux ( ) SELinux IPA. IPA, . : 5 () ipa_server_mode ( ) IPA (ipa-server-install) , , SSSD IPA. IPA SSSD , SSSD IPA. : , SSSD IPA. o "ipa_server" , IPA. IPA, . o "full_name_format" , . : false ipa_automount_location () , IPA : "default" , , , ssd.conf - ' autofs , SSSD. SSSD , FreeIPA 4.1 . ' , , . , . ipa_view_class () ' . : nsContainer ipa_view_name () , . : cn ipa_override_object_class () ' ' : ipaOverrideAnchor ipa_anchor_uuid () , ' . : ipaAnchorUUID ipa_user_override_object_class () ' . , ' ' . , o ldap_user_name o ldap_user_uid_number o ldap_user_gid_number o ldap_user_gecos o ldap_user_home_directory o ldap_user_shell o ldap_user_ssh_public_key : ipaUserOverride ipa_group_override_object_class () ' . , ' ' . , o ldap_group_name o ldap_group_gid_number : ipaGroupOverride . 
IPA : KRB5 o krb5_validate = true o krb5_use_fast = try o krb5_canonicalize = true LDAP -- o ldap_schema = ipa_v1 o ldap_force_upper_case_realm = true o ldap_sasl_mech = GSSAPI o ldap_sasl_minssf = 56 o ldap_account_expire_policy = ipa o ldap_use_tokengroups = true LDAP -- o ldap_user_member_of = memberOf o ldap_user_uuid = ipaUniqueID o ldap_user_ssh_public_key = ipaSshPubKey o ldap_user_auth_type = ipaUserAuthType LDAP -- o ldap_group_object_class = ipaUserGroup o ldap_group_object_class_alt = posixGroup o ldap_group_member = member o ldap_group_uuid = ipaUniqueID o ldap_group_objectsid = ipaNTSecurityIdentifier o ldap_group_external_member = ipaExternalMember IPA , : . sssd.conf <>, IPA , IPA, . sssdconf <>, <>, IPA . , , , IPA . IPA, . , . , . , "subdomain_inherit" . [domain/ipa.domain.com/ad.domain.com] ad_server = dc.ad.domain.com , sssd.conf(5). , SSSD IPA IPA. , IPA IPA : o ad_server o ad_backup_server o ad_site o ldap_search_base o ldap_user_search_base o ldap_group_search_base o use_fully_qualified_names , IPA IPA : o ad_server o ad_site , , "ad_server". - , IPA, IPA, "ad_server" "ad_site" , DC AD . , , , "kdcinfo", Kerberos. , sssd_krb5_locator_plugin(8), Kerberos. , ' . , . . . - . : . , , , ' . , 31 . SSSD ' . , . ' . '. , ' ' . ' ' . , ' '. ' , , . ' ' , . ' ' , , , . 30 . ' , ' 30 . ' DNS , , . , SSSD . SSSD , ' , . . , sssd.conf(5). dns_resolver_server_timeout , SSSD DNS, ' . : 1000 dns_resolver_op_timeout , , SSSD DNS ( SRV), . : 3 dns_resolver_timeout SSSD . , DNS SRV . : 6 LDAP ' LDAP. "ldap_opt_timeout" , "dns_resolver_timeout", "dns_resolver_op_timeout", "dns_resolver_server_timeout". ' , DNS. . , . , . , <<_srv_>>, . . , , , , , , DNS . <> (man) sssd.conf(5). _tcp. . RFC 2782. , SSSD , example.com [sssd]. , ipa. 
[domain/example.com]
id_provider = ipa
ipa_server = ipaserver.example.com
ipa_hostname = myhost.example.com

sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-recording(5)