SSSD-LDAP(5) NAME sssd-ldap - LDAP SSSD LDAP sssd(8). " " sssd.conf(5). SSSD LDAP. LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server, either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel. Even if the LDAP server is used only as an identity provider, an encrypted channel is strongly recommended. Please refer to the "ldap_access_filter" config option for more information about using LDAP as an access provider. , SSSD, LDAP. " " sssd.conf(5). , LDAP SSSD LDAP sssd-ldap-attributes(5). ldap_uri, ldap_backup_uri () URI LDAP, SSSD . " ". , . " ". URI , RFC 2732: ldap[s]://[:port] IPv6 [] : ldap://[fc00::126:25]:389 ldap_chpass_uri, ldap_chpass_backup_uri () URI LDAP, SSSD . " ". ldap_chpass_dns_service_name. : , ldap_uri. ldap_search_base () base DN, LDAP. 1.7.0, SSSD . : search_base[?scope?[filter][?search_base?scope?[filter]]*] : <>, <> <>. LDAP http://www.ietf.org/rfc/rfc2254.txt : ldap_search_base = dc=example,dc=com ( ) ldap_search_base = dc=example,dc=com?subtree? ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree? : , (, ). . : , defaultNamingContext namingContexts RootDSE LDAP. defaultNamingContext , namingContexts. , namingContexts DN LDAP. . ldap_schema () , LDAP . , , . . : o rfc2307 o rfc2307bis o IPA o AD . rfc2307 memberUid. rfc2307bis IPA DN member. AD 2008r2 Active Directory. : rfc2307 ldap_pwmodify_mode () , . : o exop -- (RFC 3062) o ldap_modify -- userPassword ( ). : , . , , userPassword. : exop ldap_default_bind_dn () DN , LDAP. ldap_default_authtok_type () bind DN . : password obfuscated_password : password sss_obfuscate(8). ldap_default_authtok () DN . ldap_force_upper_case_realm ( ) , Active Directory, UPN , . , , . : false ldap_enumeration_refresh_timeout ( ) SSSD ( ) . subdomain_inherit. : 300 ldap_purge_cache_timeout ( ) , (, , ) . <<0>> . : , , , . 3 , . subdomain_inherit. 
: 0 () ldap_group_nesting_level ( ) ldap_schema , (, RFC2307bis), , SSSD. RFC2307, . : , . , , , . , , . ldap_group_nesting_level <<0>>, . , "id_provider=ad" Active Directory Server 2008 , ldap_use_tokengroups <> . : 2 ldap_use_tokengroups initgroup Active Directory Server 2008 . subdomain_inherit. : True AD IPA, -- False. ldap_host_search_base () . . "ldap_search_base". : ldap_search_base ldap_service_search_base () base DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] : <>, <> <>. 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP http://www.ietf.org/rfc/rfc2254.txt "ldap_search_base". : ldap_search_base , Active Directory; (Range Retrieval) . ldap_iphost_search_base () base DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] : <>, <> <>. 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP http://www.ietf.org/rfc/rfc2254.txt "ldap_search_base". : ldap_search_base , Active Directory; (Range Retrieval) . ldap_ipnetwork_search_base () base DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] : <>, <> <>. 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP http://www.ietf.org/rfc/rfc2254.txt "ldap_search_base". : ldap_search_base , Active Directory; (Range Retrieval) . ldap_search_timeout ( ) - ( ) LDAP, ( ) : SSSD. , - . subdomain_inherit. : 6 ldap_enumeration_search_timeout ( ) - ( ) LDAP , ( ) subdomain_inherit. : 60 ldap_network_timeout ( ) - ( ), poll(2)/select(2) connect(2). subdomain_inherit. : 6 ldap_opt_timeout ( ) - ( ), LDAP , . - KDC SASL, - LDAP, StartTLS. subdomain_inherit. : 8 ldap_connection_expire_timeout ( ) - ( ), LDAP. . SASL/GSSAPI, ( TGT). ( ) ldap_opt_timeout , , , , . , , , ldap_connection_expire_timeout <= ldap_opt_timeout - , ldap_connection_expire_offset subdomain_inherit. : 900 (15 ) ldap_connection_expire_offset ( ) 0 ldap_connection_expire_timeout. subdomain_inherit. : 0 ldap_connection_idle_timeout ( ) - ( ), LDAP. , . -, <<0>>. subdomain_inherit. 
: 900 (15 ) ldap_page_size ( ) LDAP . LDAP . : 1000 ldap_disable_paging ( ) LDAP. , LDAP , LDAP RootDSE, . : OpenLDAP , , , RootDSE, . : 389 DS , - . , . : false ldap_disable_range_retrieval ( ) Active Directory. Active Directory , , MaxValRange ( -- 1500 ). , AD . , , . : false ldap_sasl_minssf ( ) , LDAP SASL. OpenLDAP. : ( ldap.conf) ldap_sasl_maxssf ( ) , LDAP SASL. OpenLDAP. : ( ldap.conf) ldap_deref_threshold ( ) , . , . , <<0>>. , SSSD, HBAC IPA, , . , , rootDSE. LDAP. LDAP . : 389/RHDS, OpenLDAP Active Directory. : - , , . : 10 ldap_ignore_unreadable_references ( ) LDAP, . <>, , . , AD, , sssd AD, LDAP . : false ldap_tls_reqcert () , TLS, . : never = . allow = . , . , , . try = . , . , . demand = . , . hard = "demand" : hard ldap_tls_cacert () , , sssd. : OpenLDAP, /etc/openldap/ldap.conf ldap_tls_cacertdir () , , . -- , <<.0>>. cacertdir_rehash, . : OpenLDAP, /etc/openldap/ldap.conf ldap_tls_cert () , . : ldap_tls_key () , . : ldap_tls_cipher_suite () . , . ldap.conf(5). : OpenLDAP, /etc/openldap/ldap.conf ldap_id_use_start_tls ( ) Specifies that the id_provider connection must also use TLS to protect the channel. Setting this to true is strongly recommended for security reasons. : false ldap_id_mapping ( ) , SSSD ldap_user_objectsid ldap_group_objectsid, ldap_user_uid_number ldap_group_gid_number. objectSID Active Directory. : false ldap_min_id, ldap_max_id ( ) SID, , ldap_id_mapping <>, ldap_user_uid_number ldap_group_gid_number . . , ldap_min_id ldap_max_id , . . : ( 0) ldap_sasl_mech () SASL, . GSSAPI GSS-SPNEGO. , ldap_sasl_mech . , , ldap_sasl_mech . << >> sssd.conf(5). : ldap_sasl_authid () SASL, . GSSAPI/GSS-SPNEGO, Kerberos, . (, host/myhost@EXAMPLE.COM), (, host/myhost). , : hostname@REALM netbiosname$@REALM host/hostname@REALM *$@REALM host/*@REALM host/* , . : host/hostname@REALM ldap_sasl_realm () SASL, . , krb5_realm. ldap_sasl_authid , . : krb5_realm. ldap_sasl_canonicalize ( ) <>, LDAP SASL. : false; ldap_krb5_keytab () , SASL/GSSAPI/GSS-SPNEGO. 
subdomain_inherit. : , /etc/krb5.keytab ldap_krb5_init_creds ( ) , id_provider Kerberos (TGT). , SASL GSSAPI GSS-SPNEGO. : true ldap_krb5_ticket_lifetime ( ) TGT ( ), GSSAPI GSS-SPNEGO. subdomain_inherit. : 86400 (24 ) krb5_server, krb5_backup_server () IP- Kerberos, SSSD . " ". () ( ). , -- " ". KDC kpasswd SSSD DNS, _udp. , SSSD DNS, _tcp. SSSD "krb5_kdcip". , "krb5_server" . krb5_realm () Kerberos ( SASL/GSSAPI/GSS-SPNEGO). : , . /etc/krb5.conf krb5_canonicalize ( ) , - LDAP. MIT Kerberos >= 1.7 : false krb5_use_kdcinfo ( ) , SSSD , KDC . . , Kerberos krb5.conf(5). sssd_krb5_locator_plugin(8). : true ldap_pwd_policy () . : none -- . . shadow -- shadow(5) , . . <>. mit_kerberos -- , MIT Kerberos, , . , chpass_provider=krb5. : none : , , . ldap_referrals ( ) , . , sssd , OpenLDAP 2.4.13 . , . -- Microsoft Active Directory. , <>; . , LDAP SSSD Microsoft Active Directory , <>. SSSD AD, . : true ldap_dns_service_name () , , . : ldap ldap_chpass_dns_service_name () LDAP, , . : , ldap_chpass_update_last_change ( ) , ldap_user_shadow_last_change . , <>, SSSD, LDAP shadowLastChange LDAP SSSD . : false ldap_access_filter () access_provider = ldap ldap_access_order = filter ( ) . LDAP, . access_provider = ldap, ldap_access_order = filter , . , access_provider = permit. , LDAP , , (, memberOf AD ). , sssd- simple(5). : access_provider = ldap ldap_access_filter = (employeeType=admin) , employeeType <>. , . , . , . : ldap_account_expire_policy () . , , LDAP , . : shadow: ldap_user_shadow_expire , . ad: 32- ldap_user_ad_user_account_control , . , . , . rhds, ipa, 389ds: ldap_ns_account_lock, , . nds: ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled ldap_user_nds_login_expiration_time, , . , . , ldap_access_order "expire", ldap_account_expire_policy. : ldap_access_order () . : filter: ldap_access_filter lockout: . , , LDAP <> <<000001010000Z>>. ldap_pwdlockout_dn. , <>. , "ppolicy" . ppolicy: . , , LDAP <> <<000001010000Z>> . <> <> ( UTC). ; , . 
ldap_pwdlockout_dn. , <>. expire: ldap_account_expire_policy pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew: , , , , , , SSH. The difference between these options is the action taken if the user's password has expired: o pwd_expire_policy_reject - the user is denied login, o pwd_expire_policy_warn - the user is still able to log in, o pwd_expire_policy_renew - the user is prompted to change their password immediately. , <>. <>. authorized_service: authorizedService host: host rhost: rhost , rhost pam ; , pam, : filter , . ldap_pwdlockout_dn () DN LDAP. : sssd.conf , , - ppolicy LDAP. : cn=ppolicy,ou=policies,dc=example,dc=com : cn=ppolicy,ou=policies,$ldap_search_base ldap_deref () , . : never: . searching: , . finding: . always: , . : ( never LDAP) ldap_rfc2307_fallback_to_local_users ( ) LDAP , RFC2307. , RFC2307, LDAP memberUid. , SSSD <<>> , nsswitch getpw*() initgroups(). , initgroups() LDAP. : false wildcard_limit ( ) , . InfoPipe . : 1000 ( ) ldap_library_debug_level ( ) libldap . libldap debug_level. OpenLDAP , -1 . : 0 ( libldap ) SUDO sudo_provider sssd- sudo(5). ldap_sudo_full_refresh_interval ( ) sudo SSSD ( , ). , ldap_sudo_smart_refresh_interval , <<0>>. , . : 21600 (6 ) ldap_sudo_smart_refresh_interval ( ) , SSSD sudo ( , USN USN , SSSD). USN, modifyTimestamp. : USN : 1) sudo ( ), 2) ( ) 3) ( 15 , . ldap_connection_expire_timeout). , <<0>>. , . : 900 (15 ) ldap_sudo_random_offset ( ) 0 . . , SSSD, sudo. , sudo . , <<0>>. : 0 () ldap_sudo_use_host_filter ( ) <>, SSSD , ( / IPv4 IPv6). : true ldap_sudo_hostnames () , . , SSSD . ldap_sudo_use_host_filter false, . : ldap_sudo_ip () IPv4 IPv6 /, . , SSSD . ldap_sudo_use_host_filter false, . : ldap_sudo_include_netgroups ( ) <>, SSSD , sudoHost. ldap_sudo_use_host_filter false, . : true ldap_sudo_include_regexp ( ) <>, SSSD , sudoHost. ldap_sudo_use_host_filter false, . Note -- LDAP! : false . , sudo, sudoers.ldap(5) AUTOFS LDAP. ldap_autofs_map_master_name () LDAP. 
: auto.master ldap_autofs_map_object_class () LDAP. : nisMap (rfc2307, autofs_provider=ad), -- automountMap ldap_autofs_map_name () LDAP. : nisMapName (rfc2307, autofs_provider=ad), -- automountMapName ldap_autofs_entry_object_class () LDAP. . : nisObject (rfc2307, autofs_provider=ad), -- automount ldap_autofs_entry_key () LDAP. . : cn (rfc2307, autofs_provider=ad), -- automountKey ldap_autofs_entry_value () LDAP. . : nisMapEntry (rfc2307, autofs_provider=ad), -- automountInformation , , - , autofs, sssd.conf, SSSD. LDAP, . , , . ldap_netgroup_search_base () base DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] : <>, <> <>. 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP http://www.ietf.org/rfc/rfc2254.txt "ldap_search_base". : ldap_search_base , Active Directory; (Range Retrieval) . ldap_user_search_base () base DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] : <>, <> <>. 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP http://www.ietf.org/rfc/rfc2254.txt "ldap_search_base". : ldap_search_base , Active Directory; (Range Retrieval) . ldap_group_search_base () base DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] : <>, <> <>. 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP http://www.ietf.org/rfc/rfc2254.txt "ldap_search_base". : ldap_search_base , Active Directory; (Range Retrieval) . Note "ldap_use_tokengroups" , Active Directory - , , GID. , . ldap_sudo_search_base () base DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] : <>, <> <>. 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP http://www.ietf.org/rfc/rfc2254.txt "ldap_search_base". : ldap_search_base , Active Directory; (Range Retrieval) . ldap_autofs_search_base () base DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] : <>, <> <>. 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP http://www.ietf.org/rfc/rfc2254.txt "ldap_search_base". 
: ldap_search_base , Active Directory; (Range Retrieval) . . ; . . . : (primary) (backup). , , , . , 31- -. SSSD . , () . . ; , . . , . , , . , . , , , ; 30 . , 30 . - , , DNS, , , , . , SSSD . SSSD , , -. . sssd.conf(5). dns_resolver_server_timeout ( ), SSSD DNS . : 1000 dns_resolver_op_timeout ( ), SSSD DNS (, SRV) . : 3 dns_resolver_timeout SSSD . , , SRV DNS . : 6 LDAP LDAP-. , - "ldap_opt_timeout" , "dns_resolver_timeout", , , , "dns_resolver_op_timeout", "dns_resolver_server_timeout". , , DNS. . , , . () , , "_srv_". . , , , , , DNS. "dns_discovery_domain" sssd.conf(5). _tcp. . . RFC 2782. SSSD Active Directory, POSIX . : , uidNumber gidNumber . , , , . , , . , , , . SSSD , SSSD . , , ; . . sss_cache(8), : o o SSSD o o SSSD , , , . Active Directory objectSID . objectSID , Active Directory (RID) . SSSD UID -- <<>>. , Active Directory. SSSD , SSSD . , : SID murmurhash3 32- . . : . , ( , , ). POSIX Active Directory ( ), , . . "". ( "[domain/DOMAINNAME]"): ldap_id_mapping = True ldap_schema = ad 10000 , 200000 , 200000 2000200000. . ldap_idmap_range_min ( ) () POSIX, SID Active Directory. POSIX, . : "min_id": "min_id" , . , "min_id" "ldap_idmap_range_min" : 200000 ldap_idmap_range_max ( ) ( ) POSIX, SID Active Directory. POSIX, , .. , . : "max_id": "max_id" , . , "max_id" "ldap_idmap_range_max" : 2000200000 ldap_idmap_range_size ( ) , . , , . : RID , Active Directory. , RID . , Active Directory objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, "ldap_idmap_range_size" 1108, SID SID (.. 1108 = 1107 - 0 + 1). , , , . : 200000 ldap_idmap_default_domain_sid () SID . , , murmurhash. : ldap_idmap_default_domain () . : ldap_idmap_autorid_compat ( ) , "idmap_autorid" winbind. When this option is configured, domains will be allocated starting with slice zero and increasing monotonically with each additional domain. : ( , ). , winbind, "ldap_idmap_default_domain_sid", . : false ldap_idmap_helper_table_size ( ) , UNIX SID. : , SID UNIX RID SID . 
ldap_idmap_helper_table_size , . : 10 SID SSSD SID, SID . , SID, Linux/UNIX, POSIX. SID , . SID o Null Authority o World Authority o Local Authority o Creator Authority o Mandatory Label Authority o Authentication Authority o NT Authority o Built-in SID. SID , SID, SSSD SID . , SID . , sssd.conf : "NULL AUTHORITY", "WORLD AUTHORITY", " LOCAL AUTHORITY", "CREATOR AUTHORITY", "MANDATORY LABEL AUTHORITY", "AUTHENTICATION AUTHORITY", "NT AUTHORITY" "BUILTIN". , SSSD LDAP [domains]. [domain/LDAP] id_provider = ldap auth_provider = ldap ldap_uri = ldap://ldap.mydomain.org ldap_search_base = dc=mydomain,dc=org ldap_tls_reqcert = demand cache_credentials = true LDAP , SSSD ldap_access_order=lockout. [domain/LDAP] id_provider = ldap auth_provider = ldap access_provider = ldap ldap_access_order = lockout ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org ldap_uri = ldap://ldap.mydomain.org ldap_search_base = dc=mydomain,dc=org ldap_tls_reqcert = demand cache_credentials = true ldap.conf(5) OpenLDAP 2.4. . sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd- krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd- sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) AUTHORS (<<>>) SSSD -- https://github.com/SSSD/sssd/ SSSD 04/09/2024 SSSD-LDAP(5)