SSSD-IPA(5) | File Formats and Conventions | SSSD-IPA(5) |
NAME¶
sssd-ipa - SSSD IPA provider
DESCRIPTION¶
This manual page describes the configuration of the IPA provider for sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT” section of the sssd.conf(5) manual page.
The IPA provider is a back end used to connect to an IPA server. (Refer to the freeipa.org web site for information about IPA servers.) This provider requires that the machine be joined to the IPA domain; configuration is almost entirely self-discovered and obtained directly from the server.
The IPA provider enables SSSD to use the sssd-ldap(5) identity provider and the sssd-krb5(5) authentication provider with optimizations for IPA environments. The IPA provider accepts the same options used by the sssd-ldap and sssd-krb5 providers with some exceptions. However, it is neither necessary nor recommended to set these options.
The IPA provider primarily copies the traditional ldap and krb5 provider default options with some exceptions, the differences are listed in the “MODIFIED DEFAULT OPTIONS” section.
As an access provider, the IPA provider has a minimal configuration (see “ipa_access_order”) as it mainly uses HBAC (host-based access control) rules. Please refer to freeipa.org for more information about HBAC.
If “auth_provider=ipa” or “access_provider=ipa” is configured in sssd.conf then the id_provider must also be set to “ipa”.
The IPA provider will use the PAC responder if the Kerberos tickets of users from trusted realms contain a PAC. To make configuration easier the PAC responder is started automatically if the IPA ID provider is configured.
CONFIGURATION OPTIONS¶
Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page for details on the configuration of an SSSD domain.
ipa_domain (string)
ipa_server, ipa_backup_server (string)
ipa_hostname (string)
dyndns_update (boolean)
NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, the default Kerberos realm must be set properly in /etc/krb5.conf
NOTE: While it is still possible to use the old ipa_dyndns_update option, users should migrate to using dyndns_update in their config file.
Default: false
dyndns_ttl (integer)
NOTE: While it is still possible to use the old ipa_dyndns_ttl option, users should migrate to using dyndns_ttl in their config file.
Default: 1200 (seconds)
dyndns_iface (string)
NOTE: While it is still possible to use the old ipa_dyndns_iface option, users should migrate to using dyndns_iface in their config file.
Default: Use the IP addresses of the interface which is used for IPA LDAP connection
Example: dyndns_iface = em1, vnet1, vnet2
dyndns_auth (string)
Default: GSS-TSIG
dyndns_auth_ptr (string)
Default: Same as dyndns_auth
ipa_enable_dns_sites (boolean)
If true and service discovery (see Service Discovery paragraph at the bottom of the man page) is enabled, then the SSSD will first attempt location based discovery using a query that contains "_location.hostname.example.com" and then fall back to traditional SRV discovery. If the location based discovery succeeds, the IPA servers located with the location based discovery are treated as primary servers and the IPA servers located using the traditional SRV discovery are used as back up servers
Default: false
dyndns_refresh_interval (integer)
Default: 0 (disabled)
dyndns_update_ptr (bool)
This option should be False in most IPA deployments as the IPA server generates the PTR records automatically when forward records are changed.
Note that dyndns_update_per_family parameter does not apply for PTR record updates. Those updates are always sent separately.
Default: False (disabled)
dyndns_force_tcp (bool)
Default: False (let nsupdate choose the protocol)
dyndns_server (string)
Setting this option makes sense for environments where the DNS server is different from the identity server.
Please note that this option will be only used in fallback attempt when previous attempt using autodetected settings failed.
Default: None (let nsupdate choose the server)
dyndns_update_per_family (boolean)
Default: true
ipa_access_order (string)
expire: use IPA's account expiration policy.
pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew: These options are useful if users are interested in being warned that password is about to expire and authentication is based on using a different method than passwords - for example SSH keys.
The difference between these options is the action taken if user password is expired:
Please note that 'access_provider = ipa' must be set for this feature to work.
ipa_deskprofile_search_base (string)
Default: Use base DN
ipa_hbac_search_base (string)
Default: Use base DN
ipa_host_search_base (string)
ipa_selinux_search_base (string)
See “ldap_search_base” for information about configuring multiple search bases.
Default: the value of ldap_search_base
ipa_subdomains_search_base (string)
See “ldap_search_base” for information about configuring multiple search bases.
Default: the value of cn=trusts,%basedn
ipa_master_domain_search_base (string)
See “ldap_search_base” for information about configuring multiple search bases.
Default: the value of cn=ad,cn=etc,%basedn
ipa_views_search_base (string)
See “ldap_search_base” for information about configuring multiple search bases.
Default: the value of cn=views,cn=accounts,%basedn
krb5_realm (string)
The name of the Kerberos realm has a special meaning in IPA - it is converted into the base DN to use for performing LDAP operations.
krb5_confd_path (string)
To disable the creation of the configuration snippets set the parameter to 'none'.
Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)
ipa_deskprofile_refresh (integer)
Default: 5 (seconds)
ipa_deskprofile_request_interval (integer)
Default: 60 (minutes)
ipa_hbac_refresh (integer)
Default: 5 (seconds)
ipa_hbac_selinux (integer)
Default: 5 (seconds)
ipa_server_mode (boolean)
On an IPA server SSSD will lookup users and groups from trusted domains directly while on a client it will ask an IPA server.
NOTE: There are currently some assumptions that must be met when SSSD is running on an IPA server.
Default: false
ipa_automount_location (string)
Default: The location named "default"
Please note that the automounter only reads the master map on startup, so if any autofs-related changes are made to the sssd.conf, you typically also need to restart the automounter daemon after restarting the SSSD.
VIEWS AND OVERRIDES¶
SSSD can handle views and overrides which are offered by FreeIPA 4.1 and later version. Since all paths and objectclasses are fixed on the server side there is basically no need to configure anything. For completeness the related options are listed here with their default values.
ipa_view_class (string)
Default: nsContainer
ipa_view_name (string)
Default: cn
ipa_override_object_class (string)
Default: ipaOverrideAnchor
ipa_anchor_uuid (string)
Default: ipaAnchorUUID
ipa_user_override_object_class (string)
User overrides can contain attributes given by
Default: ipaUserOverride
ipa_group_override_object_class (string)
Group overrides can contain attributes given by
Default: ipaGroupOverride
MODIFIED DEFAULT OPTIONS¶
Certain option defaults do not match their respective backend provider defaults, these option names and IPA provider-specific defaults are listed below:
KRB5 Provider¶
LDAP Provider - General¶
LDAP Provider - User options¶
LDAP Provider - Group options¶
SUBDOMAINS PROVIDER¶
The IPA subdomains provider behaves slightly differently if it is configured explicitly or implicitly.
If the option 'subdomains_provider = ipa' is found in the domain section of sssd.conf, the IPA subdomains provider is configured explicitly, and all subdomain requests are sent to the IPA server if necessary.
If the option 'subdomains_provider' is not set in the domain section of sssd.conf but there is the option 'id_provider = ipa', the IPA subdomains provider is configured implicitly. In this case, if a subdomain request fails and indicates that the server does not support subdomains, i.e. is not configured for trusts, the IPA subdomains provider is disabled. After an hour or after the IPA provider goes online, the subdomains provider is enabled again.
TRUSTED DOMAINS CONFIGURATION¶
Some configuration options can also be set for a trusted domain. A trusted domain configuration can be set using the trusted domain subsection as shown in the example below. Alternatively, the “subdomain_inherit” option can be used in the parent domain.
[domain/ipa.domain.com/ad.domain.com] ad_server = dc.ad.domain.com
For more details, see the sssd.conf(5) manual page.
Different configuration options are tunable for a trusted domain depending on whether you are configuring SSSD on an IPA server or an IPA client.
OPTIONS TUNABLE ON IPA MASTERS¶
The following options can be set in a subdomain section on an IPA master:
OPTIONS TUNABLE ON IPA CLIENTS¶
The following options can be set in a subdomain section on an IPA client:
Note that if both options are set, only “ad_server” is evaluated.
Since any request for a user or a group identity from a trusted domain triggered from an IPA client is resolved by the IPA server, the “ad_server” and “ad_site” options only affect which AD DC will the authentication be performed against. In particular, the addresses resolved from these lists will be written to “kdcinfo” files read by the Kerberos locator plugin. Please refer to the sssd_krb5_locator_plugin(8) manual page for more details on the Kerberos locator plugin.
FAILOVER¶
The failover feature allows back ends to automatically switch to a different server if the current server fails.
Failover Syntax¶
The list of servers is given as a comma-separated list; any number of spaces is allowed around the comma. The servers are listed in order of preference. The list can contain any number of servers.
For each failover-enabled config option, two variants exist: primary and backup. The idea is that servers in the primary list are preferred and backup servers are only searched if no primary servers can be reached. If a backup server is selected, a timeout of 31 seconds is set. After this timeout SSSD will periodically try to reconnect to one of the primary servers. If it succeeds, it will replace the current active (backup) server.
The Failover Mechanism¶
The failover mechanism distinguishes between a machine and a service. The back end first tries to resolve the hostname of a given machine; if this resolution attempt fails, the machine is considered offline. No further attempts are made to connect to this machine for any other service. If the resolution attempt succeeds, the back end tries to connect to a service on this machine. If the service connection attempt fails, then only this particular service is considered offline and the back end automatically switches over to the next service. The machine is still considered online and might still be tried for another service.
Further connection attempts are made to machines or services marked as offline after a specified period of time; this is currently hard coded to 30 seconds.
If there are no more machines to try, the back end as a whole switches to offline mode, and then attempts to reconnect every 30 seconds.
Failover time outs and tuning¶
Resolving a server to connect to can be as simple as running a single DNS query or can involve several steps, such as finding the correct site or trying out multiple host names in case some of the configured servers are not reachable. The more complex scenarios can take some time and SSSD needs to balance between providing enough time to finish the resolution process but on the other hand, not trying for too long before falling back to offline mode. If the SSSD debug logs show that the server resolution is timing out before a live server is contacted, you can consider changing the time outs.
This section lists the available tunables. Please refer to their description in the sssd.conf(5), manual page.
dns_resolver_server_timeout
Default: 1000
dns_resolver_op_timeout
Default: 3
dns_resolver_timeout
Default: 6
For LDAP-based providers, the resolve operation is performed as part of an LDAP connection operation. Therefore, also the “ldap_opt_timeout” timeout should be set to a larger value than “dns_resolver_timeout” which in turn should be set to a larger value than “dns_resolver_op_timeout” which should be larger than “dns_resolver_server_timeout”.
SERVICE DISCOVERY¶
The service discovery feature allows back ends to automatically find the appropriate servers to connect to using a special DNS query. This feature is not supported for backup servers.
Configuration¶
If no servers are specified, the back end automatically uses service discovery to try to find a server. Optionally, the user may choose to use both fixed server addresses and service discovery by inserting a special keyword, “_srv_”, in the list of servers. The order of preference is maintained. This feature is useful if, for example, the user prefers to use service discovery whenever possible, and fall back to a specific server when no servers can be discovered using DNS.
The domain name¶
Please refer to the “dns_discovery_domain” parameter in the sssd.conf(5) manual page for more details.
The protocol¶
The queries usually specify _tcp as the protocol. Exceptions are documented in respective option description.
See Also¶
For more information on the service discovery mechanism, refer to RFC 2782.
EXAMPLE¶
The following example assumes that SSSD is correctly configured and example.com is one of the domains in the [sssd] section. This examples shows only the ipa provider-specific options.
[domain/example.com] id_provider = ipa ipa_server = ipaserver.example.com ipa_hostname = myhost.example.com
SEE ALSO¶
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) sssd-systemtap(5)
AUTHORS¶
The SSSD upstream - https://github.com/SSSD/sssd/
05/24/2024 | SSSD |