SSSD-LDAP(5) NAME sssd-ldap - LDAP SSSD LDAP sssd(8). , << >> sssd.conf(5). SSSD LDAP. LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel. Even if the LDAP server is used only as an identity provider, an encrypted channel is strongly recommended. Please refer to "ldap_access_filter" config option for more information about using LDAP as an access provider. , SSSD, LDAP. << >> sssd.conf(5), . , ' LDAP SSSD sssd-ldap-attributes(5). ldap_uri, ldap_backup_uri () LDAP, , SSSD ' . <<>>, . , . << >>. , RFC 2732: ldap[s]://<>[:] IPv6 <> , [] : ldap://[fc00::126:25]:389 ldap_chpass_uri, ldap_chpass_backup_uri () LDAP, , SSSD ' . <<>>, . , , ldap_chpass_dns_service_name. : , ldap_uri. ldap_search_base () , LDAP. SSSD 1.7.0, SSSD : _[??[][?_??[]]*] , <> (), <> ( ) <> (). LDAP, http://www.ietf.org/rfc/rfc2254.txt : ldap_search_base = dc=example,dc=com ( ) ldap_search_base = dc=example,dc=com?subtree? ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree? : ' ( ) . '. : , defaultNamingContext namingContexts RootDSE LDAP. defaultNamingContext , namingContexts. , namingContexts DN LDAP. . ldap_schema () , LDAP . , , , . . : o rfc2307 o rfc2307bis o IPA o AD . rfc2307, memberUid. rfc2307bis IPA, (DN) member. AD, Active Directory 2008r2. : rfc2307 ldap_pwmodify_mode () , . : o exop -- (RFC 3062) o ldap_modify -- userPassword ( ). : ' ' , . ' , , userPassword. : exop ldap_default_bind_dn () ', LDAP. ldap_default_authtok_type () '. : password obfuscated_password : password , sss_obfuscate(8). ldap_default_authtok () '. ldap_force_upper_case_realm ( ) , Active Directory, UPN ( ), . , . : false ldap_enumeration_refresh_timeout ( ) , SSSD . subdomain_inherit. : 300 ldap_purge_cache_timeout ( ) ( , ) . . , , , , , . , , , 3 . subdomain_inherit. 
: 0 () ldap_group_nesting_level ( ) ldap_schema , ( RFC2307bis), , SSSD. , RFC2307. : - . , , . , , . ldap_group_nesting_level 0, . , ' Active-Directory Server 2008 "id_provider=ad", (Token-Groups) ldap_use_tokengroups false . : 2 ldap_use_tokengroups Token-Groups initgroup Active Directory Server 2008 . subdomain_inherit. : True AD IPA, False. ldap_host_search_base () '. ' . <>, . : ldap_search_base ldap_service_search_base () DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] , <> (), <> ( ) <> (). 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP, http://www.ietf.org/rfc/rfc2254.txt <>. : ldap_search_base , , Active Directory . (Range Retrieval). ldap_iphost_search_base () DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] , <> (), <> ( ) <> (). 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP, http://www.ietf.org/rfc/rfc2254.txt <>. : ldap_search_base , , Active Directory . (Range Retrieval). ldap_ipnetwork_search_base () DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] , <> (), <> ( ) <> (). 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP, http://www.ietf.org/rfc/rfc2254.txt <>. : ldap_search_base , , Active Directory . (Range Retrieval). ldap_search_timeout ( ) ( ) ldap, ( ) : SSSD. , . subdomain_inherit. : 6 ldap_enumeration_search_timeout ( ) ( ) ldap, ( ) subdomain_inherit. : 60 ldap_network_timeout ( ) ( ), poll(2)/select(2) connect(2) . subdomain_inherit. : 6 ldap_opt_timeout ( ) ( ), LDAP , . KDC ' SASL, ' LDAP, StartTLS. subdomain_inherit. : 8 ldap_connection_expire_timeout ( ) ( ), ' LDAP. '. SASL/GSSAPI ( TGT). ' ( ) ldap_opt_timeout , , , ' . , , ' , ldap_connection_expire_timeout <= ldap_opt_timout , ldap_connection_expire_offset subdomain_inherit. : 900 (15 ) ldap_connection_expire_offset ( ) 0 , ldap_connection_expire_timeout. subdomain_inherit. : 0 ldap_connection_idle_timeout ( ) ( ), ' LDAP. ' , ' . , 0. subdomain_inherit. : 900 (15 ) ldap_page_size ( ) , LDAP . 
LDAP . : 1000 ldap_disable_paging ( ) LDAP. , LDAP LDAP RootDSE, . : OpenLDAP , , , RootDSE, . : 389 DS , ' , '. . : False ldap_disable_range_retrieval ( ) Active Directory. Active Directory MaxValRange ( 1500 ) , . , AD . , , . : False ldap_sasl_minssf ( ) LDAP SASL , '. OpenLDAP. : (, ldap.conf) ldap_sasl_maxssf ( ) LDAP SASL , '. OpenLDAP. : (, ldap.conf) ldap_deref_threshold ( ) , . , . 0. , , SSSD, HBAC IPA, , , , ' rootDSE. -- LDAP. LDAP . 389/RHDS, OpenLDAP Active Directory. : , , . : 10 ldap_ignore_unreadable_references ( ) LDAP, . <>, , , . , AD, ', sssd ' AD, LDAP . : False ldap_tls_reqcert () , TLS, . : never = . allow = . , . , . try = . , . , . demand = . , . hard = , "demand" : hard ldap_tls_cacert () , , sssd. : OpenLDAP, /etc/openldap/ldap.conf ldap_tls_cacertdir () , (CA). <<.0>>. cacertdir_rehash, . : OpenLDAP, /etc/openldap/ldap.conf ldap_tls_cert () , . : not set ldap_tls_key () , . : not set ldap_tls_cipher_suite () . . ldap.conf(5). : OpenLDAP, /etc/openldap/ldap.conf ldap_id_use_start_tls ( ) Specifies that the id_provider connection must also use tls to protect the channel. true is strongly recommended for security reasons. : false ldap_id_mapping ( ) , SSSD ldap_user_objectsid ldap_group_objectsid, ldap_user_uid_number ldap_group_gid_number. objectSID ActiveDirectory. : false ldap_min_id, ldap_max_id ( ) ' SID, , ldap_id_mapping true, ldap_user_uid_number ldap_group_gid_number . . , ldap_min_id ldap_max_id , . ' . : ( 0) ldap_sasl_mech () SASL, . GSSAPI GSS-SPNEGO. , ldap_sasl_mech . , ldap_sasl_mech . sssd.conf(5). : not set ldap_sasl_authid () SASL, . GSSAPI/GSS-SPNEGO, Kerberos, . ( host/myhost@EXAMPLE.COM) ( host/myhost). , : hostname@REALM netbiosname$@REALM host/hostname@REALM *$@REALM host/*@REALM host/* , . : /_@ ldap_sasl_realm () SASL, . , krb5_realm. ldap_sasl_authid , . : krb5_realm. ldap_sasl_canonicalize ( ) true (1), LDAP ' SASL. : false; ldap_krb5_keytab () , SASL/GSSAPI/GSS-SPNEGO. subdomain_inherit. 
: , /etc/krb5.keytab ldap_krb5_init_creds ( ) , id_provider Kerberos (TGT). , SASL GSSAPI GSS-SPNEGO. : true ldap_krb5_ticket_lifetime ( ) ( ) TGT, GSSAPI GSS-SPNEGO. subdomain_inherit. : 86400 (24 ) krb5_server, krb5_backup_server () IP- , , Kerberos, SSSD '. . <<>>. ( ). , . << >>. KDC kpasswd SSSD DNS, _udp. _tcp , . SSSD <>. , <> . krb5_realm () Kerberos ( SASL/GSSAPI/GSS-SPNEGO). : , . /etc/krb5.conf krb5_canonicalize ( ) , ' LDAP. MIT Kerberos >= 1.7 : false krb5_use_kdcinfo ( ) , SSSD Kerberos, KDC . , . , Kerberos krb5.conf(5). . (man) sssd_krb5_locator_plugin(8), . : true ldap_pwd_policy () . : none -- . . shadow -- shadow(5) , . mit_kerberos -- MIT Kerberos . chpass_provider=krb5 . : none : , , . ldap_referrals ( ) , . , sssd , OpenLDAP 2.4.13 . , . Microsoft Active Directory. ', <> . , false , LDAP SSSD Microsoft Active Directory. SSSD AD DC, . : true ldap_dns_service_name () , . : ldap ldap_chpass_dns_service_name () , LDAP, , . : , ldap_chpass_update_last_change ( ) , ldap_user_shadow_last_change . , "ldap_pwd_policy = shadow", SSSD , LDAP shadowLastChange SSSD . : False ldap_access_filter () access_provider = ldap ldap_access_order = filter ( ), '. LDAP, . access_provider = ldap ldap_access_order = filter, , . , access_provider = permit. , , LDAP, , (, memberOf AD ). , , , sssd-simple(5). : access_provider = ldap ldap_access_filter = (employeeType=admin) , employeeType <>. , . , . , . : ldap_account_expire_policy () . , , , LDAP ' , . : shadow: ldap_user_shadow_expire , . ad: 32- ldap_user_ad_user_account_control , . , . , . rhds, ipa, 389ds: ldap_ns_account_lock. nds: ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled ldap_user_nds_login_expiration_time. , . , , ldap_access_order "expire", ldap_account_expire_policy. : ldap_access_order () . : filter: ldap_access_filter lockout: . , , ldap <> <<000001010000Z>>. , ldap_pwdlockout_dn. , <>. , , <>, . ppolicy: . , ldap <> <<000001010000Z>> , . <> <>, UTC. , , . ldap_pwdlockout_dn. 
, , <>. expire: ldap_account_expire_policy pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew: , , , , SSH. The difference between these options is the action taken if user password is expired: o pwd_expire_policy_reject - user is denied to log in, o pwd_expire_policy_warn - user is still able to log in, o pwd_expire_policy_renew - user is prompted to change their password immediately. , , , , <>. , <> . authorized_service: authorizedService host: rhost: rhost , , , rhost pam . , pam, . : filter , , . ldap_pwdlockout_dn () DN LDAP. , , , sssd.conf, , ppolicy LDAP . : cn=ppolicy,ou=policies,dc=example,dc=com : cn=ppolicy,ou=policies,$ldap_search_base ldap_deref () . : never: . searching: ', ' . finding: ' . always: , ' . : ( LDAP never) ldap_rfc2307_fallback_to_local_users ( ) LDAP , RFC2307. , RFC2307, LDAP memberUid. , , SSSD , << >>, , nsswitch getpw*() initgroups(). , initgroups() LDAP. : false wildcard_limit ( ) , -. - InfoPipe. : 1000 ( ) ldap_library_debug_level ( ) libldap . libldap debug_level. OpenLDAP , -1 . : 0 ( libldap ) SUDO sudo_provider (man) sssd-sudo(5). ldap_sudo_full_refresh_interval ( ) sudo SSSD . , . ldap_sudo_smart_refresh_interval 0. , ' . : 21600 (6 ) ldap_sudo_smart_refresh_interval ( ) sudo SSSD . , USN USN, SSSD. USN , modifyTimestamp. : USN : 1) sudo ( ), 2) ( ) 3) ' (, 15 , . ldap_connection_expire_timeout). 0. , ' . : 900 (15 ) ldap_sudo_random_offset ( ) 0 , . . , SSSD, sudo. , sudo . , 0. : 0 () ldap_sudo_use_host_filter ( ) true, SSSD , ' ( IPv4 IPv6 ). : true ldap_sudo_hostnames () , , . , SSSD ' . ldap_sudo_use_host_filter false, . : ldap_sudo_ip () IPv4 IPv6 . , SSSD . ldap_sudo_use_host_filter false, . : ldap_sudo_include_netgroups ( ) true, SSSD , (netgroup) sudoHost. ldap_sudo_use_host_filter false, . : true ldap_sudo_include_regexp ( ) true, SSSD , sudoHost. ldap_sudo_use_host_filter false, . Note - LDAP! : false . , ' sudo, sudoers.ldap(5). AUTOFS , , LDAP. ldap_autofs_map_master_name () LDAP. 
: auto.master ldap_autofs_map_object_class () ' LDAP. : nisMap (rfc2307, autofs_provider=ad), automountMap ldap_autofs_map_name () LDAP. : nisMapName (rfc2307, autofs_provider=ad), automountMapName ldap_autofs_entry_object_class () ' LDAP. . : nisObject (rfc2307, autofs_provider=ad), automount ldap_autofs_entry_key () LDAP. . : cn (rfc2307, autofs_provider=ad), automountKey ldap_autofs_entry_value () LDAP. . : nisMapEntry (rfc2307, autofs_provider=ad), automountInformation , , , ssd.conf - ' autofs , SSSD. LDAP, . , , . ldap_netgroup_search_base () DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] , <> (), <> ( ) <> (). 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP, http://www.ietf.org/rfc/rfc2254.txt <>. : ldap_search_base , , Active Directory . (Range Retrieval). ldap_user_search_base () DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] , <> (), <> ( ) <> (). 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP, http://www.ietf.org/rfc/rfc2254.txt <>. : ldap_search_base , , Active Directory . (Range Retrieval). ldap_group_search_base () DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] , <> (), <> ( ) <> (). 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP, http://www.ietf.org/rfc/rfc2254.txt <>. : ldap_search_base , , Active Directory . (Range Retrieval). Note "ldap_use_tokengroups", Active Directory -- , ' GID. , . ldap_sudo_search_base () DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] , <> (), <> ( ) <> (). 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP, http://www.ietf.org/rfc/rfc2254.txt <>. : ldap_search_base , , Active Directory . (Range Retrieval). ldap_autofs_search_base () DN, LDAP LDAP . : search_base[?scope?[filter][?search_base?scope?[filter]]*] , <> (), <> ( ) <> (). 4.5.1.2 http://tools.ietf.org/html/rfc4511 LDAP, http://www.ietf.org/rfc/rfc2254.txt <>. : ldap_search_base , , Active Directory . (Range Retrieval). , ' . , . . . - . : . 
, , , ' . , 31 . SSSD ' . , . ' . '. , ' ' . ' ' . , ' '. ' , , . ' ' , . ' ' , , , . 30 . ' , ' 30 . ' DNS , , . , SSSD . SSSD , ' , . . , sssd.conf(5). dns_resolver_server_timeout , SSSD DNS, ' . : 1000 dns_resolver_op_timeout , , SSSD DNS ( SRV), . : 3 dns_resolver_timeout SSSD . , DNS SRV . : 6 LDAP ' LDAP. "ldap_opt_timeout" , "dns_resolver_timeout", "dns_resolver_op_timeout", "dns_resolver_server_timeout". ' , DNS. . , . , . , <<_srv_>>, . . , , , , , , DNS . <> (man) sssd.conf(5). _tcp. . RFC 2782. SSSD Active Directory POSIX . : , uidNumber gidNumber . . , . , , , ' , . SSSD , , SSSD. , , , . . sss_cache(8), : o , . o SSSD o o SSSD , , , . Active Directory objectSID ' . objectSID , Active Directory (RID) ' . SSSD UID , <<>>. , Active Directory. SSSD , SSSD . , : SID murmurhash3 32- . . : . , ' ( , ). , POSIX Active Directory ( ) , . <<>>. ( "[domain/_]"): ldap_id_mapping = True ldap_schema = ad 10000 , 200000 , 2000000 2000200000. . ldap_idmap_range_min ( ) () POSIX, SID Active Directory. POSIX, '. : "min_id" , "min_id" , . , "min_id" "ldap_idmap_range_min" : 200000 ldap_idmap_range_max ( ) () POSIX, SID Active Directory. POSIX, ', , , '. : "max_id" , "max_id" , . , "max_id" "ldap_idmap_range_max" : 2000200000 ldap_idmap_range_size ( ) . , . : RID Active Directory. - RID, , . : Active Directory objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, <> , 1108, SID SID 1. (, 1108 = 1107 - 0 + 1). , ' , . : 200000 ldap_idmap_default_domain_sid () SID . , murmurhash . : not set ldap_idmap_default_domain () . : not set ldap_idmap_autorid_compat ( ) , "idmap_autorid" winbind. When this option is configured, domains will be allocated starting with slice zero and increasing monotonically with each additional domain. : ( ). , winbind, , "ldap_idmap_default_domain_sid" . : False ldap_idmap_helper_table_size ( ) , ' UNIX SID. : ' SID UNIX , RID SID . ldap_idmap_helper_table_size 0, . : 10 SID SSSD (Well-Known) SID, SID . , ' SID Linux/UNIX, POSIX ' . SID , . 
(Well-Known) SID
o (Null Authority)
o (World Authority)
o (Local Authority)
o (Creator Authority)
o '
o
o NT (NT Authority)
o (Built-in)
(Well-Known) SID. SID , , SSSD SID . , (Well-Known) SID . , sssd.conf : <>, <>, <>, <>, <>, <>, <> <>.

, SSSD , LDAP [domains].

    [domain/LDAP]
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://ldap.mydomain.org
    ldap_search_base = dc=mydomain,dc=org
    ldap_tls_reqcert = demand
    cache_credentials = true

LDAP , SSSD ldap_access_order=lockout.

    [domain/LDAP]
    id_provider = ldap
    auth_provider = ldap
    access_provider = ldap
    ldap_access_order = lockout
    ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org
    ldap_uri = ldap://ldap.mydomain.org
    ldap_search_base = dc=mydomain,dc=org
    ldap_tls_reqcert = demand
    cache_credentials = true

NOTES
(man) ldap.conf(5) OpenLDAP 2.4.

SEE ALSO
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)

AUTHORS
SSSD -- https://pagure.io/SSSD/sssd/

SSSD 04/09/2024 SSSD-LDAP(5)