13.2.11. Creating Domains: LDAP
- Red Hat Directory Server
- Identity Management (IdM or IPA)
- Microsoft Active Directory 2008 R2
Parameters for Configuring an LDAP Domain
ldap_pwd_policy=shadow option, the policies defined with the shadow LDAP attributes for a user have no effect on whether the password policy is enabled on the OpenLDAP server.
Table 13.8. LDAP Domain Configuration Parameters
ldap_uri: Gives a comma-separated list of the URIs of the LDAP servers to which SSSD will connect. The list is given in order of preference, so the first server in the list is tried first. Listing additional servers provides failover protection. If it is not given, the servers can be discovered from DNS SRV records.
Gives the base DN to use for performing LDAP user operations.
If used incorrectly,
With an AD provider, setting
ldap_tls_reqcert: Specifies how to check the SSL server certificate in a TLS session. There are four options:
The default is hard.
ldap_tls_cacert: Gives the full path and file name of the file that contains the CA certificates for all of the CAs that SSSD recognizes. SSSD will accept any certificate issued by these CAs.
This uses the OpenLDAP system defaults if it is not given explicitly.
ldap_referrals: Sets whether SSSD will use LDAP referrals, meaning forwarding queries from one LDAP database to another. SSSD supports database-level and subtree referrals. For referrals within the same LDAP server, SSSD will adjust the DN of the entry being queried. For referrals that go to different LDAP servers, SSSD does an exact match on the DN. Setting this value to
Referrals can negatively impact overall performance because of the time spent attempting to trace referrals. Disabling referral checking can significantly improve performance.
ldap_schema: Sets what version of schema to use when searching for user entries. This can be
In RFC 2307, group objects use a multi-valued attribute,
For example, with RFC 2307bis, all groups are returned when using nested groups or primary/secondary groups.
$ id
uid=500(myserver) gid=500(myserver) groups=500(myserver),510(myothergroup)
If SSSD is using RFC 2307 schema, only the primary group is returned.
This setting only affects how SSSD determines the group members. It does not change the actual user data.
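The difference between the two schemas is easiest to see by resolving one user's groups both ways. The following is an added illustration, not SSSD code and not from the Red Hat documentation: the directory entries are constructed, each group carries both a memberUid list (RFC 2307 style) and a member list of DNs (RFC 2307bis style), and the engineering group is nested, containing another group rather than the user directly. Only the DN-following resolver reaches it.

```python
"""Added illustration (not SSSD code): how group membership for a user
resolves under RFC 2307 versus RFC 2307bis.

RFC 2307 groups carry memberUid, a multi-valued list of login names, so
membership is flat. RFC 2307bis groups carry member, a list of entry DNs,
and a member may itself be a group, which is what makes nesting possible.
All directory entries below are constructed for the example."""

USER_DN = "uid=myserver,ou=people,dc=example,dc=com"

# Constructed entries, keyed by DN. Each group carries both attribute styles so
# the same data can be read through either schema.
DIRECTORY = {
    USER_DN: {
        "objectClass": ["posixAccount"],
        "uid": ["myserver"], "uidNumber": ["500"], "gidNumber": ["500"],
    },
    "cn=myserver,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["myserver"], "gidNumber": ["500"],
        "memberUid": ["myserver"], "member": [USER_DN],
    },
    "cn=myothergroup,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["myothergroup"], "gidNumber": ["510"],
        "memberUid": ["myserver"], "member": [USER_DN],
    },
    # Nested group: its only member is another group, so it has no memberUid.
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["engineering"], "gidNumber": ["520"],
        "member": ["cn=myothergroup,ou=groups,dc=example,dc=com"],
    },
}


def _groups():
    return {dn: e for dn, e in DIRECTORY.items() if "posixGroup" in e["objectClass"]}


def groups_rfc2307(uid):
    """RFC 2307: a user belongs to exactly those groups whose memberUid names it."""
    return sorted(int(e["gidNumber"][0]) for e in _groups().values()
                  if uid in e.get("memberUid", []))


def groups_rfc2307bis(user_dn):
    """RFC 2307bis: follow member DNs outward, treating each containing group as
    a new starting point, so membership through a nested group is found too."""
    gids, frontier, seen = set(), [user_dn], set()
    while frontier:
        dn = frontier.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for group_dn, e in _groups().items():
            if dn in e.get("member", []):
                gids.add(int(e["gidNumber"][0]))
                frontier.append(group_dn)
    return sorted(gids)


def id_line(user_dn, schema):
    """Render the result the way the id(1) command prints it."""
    user = DIRECTORY[user_dn]
    uid, uidnum, gid = user["uid"][0], user["uidNumber"][0], int(user["gidNumber"][0])
    gids = groups_rfc2307(uid) if schema == "rfc2307" else groups_rfc2307bis(user_dn)
    names = {int(e["gidNumber"][0]): e["cn"][0] for e in _groups().values()}
    groups = ",".join(f"{g}({names[g]})" for g in sorted(set(gids) | {gid}))
    return f"uid={uidnum}({uid}) gid={gid}({names[gid]}) groups={groups}"


if __name__ == "__main__":
    print("rfc2307:    ", id_line(USER_DN, "rfc2307"))
    print("rfc2307bis: ", id_line(USER_DN, "rfc2307bis"))
```

With the RFC 2307 resolver the output is the line shown above; the RFC 2307bis resolver additionally lists 520(engineering), reached only through the nested member DN. In a real deployment the attribute names and the nesting depth come from the directory, which is why ldap_schema has to match what the server actually stores.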
ldap_search_timeout: Sets the time, in seconds, that LDAP searches are allowed to run before they are canceled and cached results are returned.
When an LDAP search times out, SSSD automatically switches to offline mode.
ldap_network_timeout: Sets the time, in seconds, that SSSD attempts to poll an LDAP server after a connection attempt fails. The default is six seconds.
ldap_opt_timeout: Sets the time, in seconds, to wait before aborting synchronous LDAP operations if no response is received from the server. This option also controls the timeout when communicating with the KDC in the case of a SASL bind. The default is five seconds.
LDAP Domain Example
sssd.conf file. For example:
domains = LOCAL,LDAP1,AD,PROXYNIS
Example 13.2. A Basic LDAP Domain Configuration
- An LDAP server
- The search base
- A way to establish a secure connection
# An LDAP domain
[domain/LDAP]
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com:636
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls option to use Start TLS and then
ldap_tls_cacert to identify the CA certificate which issued the SSL server certificates.
# An LDAP domain
[domain/LDAP]
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
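The two configurations in Example 13.2 differ only in how the connection is protected: the first wraps everything in TLS from the start (ldaps://), the second begins in plaintext and upgrades with Start TLS, which only helps if the server certificate is actually verified. The following is an added example, not SSSD code and not from the Red Hat documentation, that reads an sssd.conf and reports LDAP domains whose transport settings fall short of that. The sample configurations inside it are constructed; the accepted values for ldap_tls_reqcert (never, allow, try, demand, hard) are taken from sssd-ldap(5), with hard being the default named in the table above.

```python
"""Added example (not SSSD code and not from the Red Hat documentation): a
read-only audit of the transport settings in the LDAP domains of an sssd.conf.

For each [domain/...] section that uses the ldap provider it reports:
  - an ldap:// URI used without ldap_id_use_start_tls = true (plaintext bind),
  - an ldap_tls_reqcert value that does not reject a bad server certificate,
  - a missing ldap_tls_cacert (trust then falls back to OpenLDAP defaults).
Accepted ldap_tls_reqcert values (never, allow, try, demand, hard) are taken
from sssd-ldap(5); 'hard' is the SSSD default."""
import configparser

STRICT_REQCERT = {"demand", "hard"}
KNOWN_REQCERT = STRICT_REQCERT | {"never", "allow", "try"}


def audit_ldap_domains(conf_text):
    """Return a list of (section, severity, message) findings; [] means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if "ldap" not in (d.get("id_provider"), d.get("auth_provider")):
            continue
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = d.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        if not uris:
            findings.append((section, "info",
                             "ldap_uri not set; servers will come from DNS SRV discovery"))
        for uri in uris:
            if uri.startswith("ldaps://"):
                continue                      # TLS from the first byte
            if uri.startswith("ldap://") and start_tls:
                continue                      # upgraded with Start TLS before the bind
            if uri.startswith("ldap://"):
                findings.append((section, "warn",
                                 f"{uri} is plaintext and ldap_id_use_start_tls is not true"))
            else:
                findings.append((section, "warn", f"{uri} has an unexpected scheme"))
        reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert not in KNOWN_REQCERT:
            findings.append((section, "warn",
                             f"ldap_tls_reqcert = {reqcert} is not a recognised value"))
        elif reqcert not in STRICT_REQCERT:
            findings.append((section, "warn",
                             f"ldap_tls_reqcert = {reqcert} does not fail on a bad server certificate"))
        if not d.get("ldap_tls_cacert", "").strip():
            findings.append((section, "info",
                             "ldap_tls_cacert not set; OpenLDAP system defaults choose the trusted CAs"))
    return findings


# Constructed sample: the Start TLS configuration from Example 13.2.
SECURE_CONF = """
[sssd]
domains = LDAP

[domain/LDAP]
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
"""

# Constructed sample of what not to do: plaintext URIs, certificate check relaxed.
WEAK_CONF = """
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com, ldap://ldap2.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
"""

if __name__ == "__main__":
    for name, text in (("secure", SECURE_CONF), ("weak", WEAK_CONF)):
        print(name, audit_ldap_domains(text) or "no findings")
```

The audit treats an unset ldap_tls_cacert as informational rather than a warning because, as the table says, SSSD then falls back to the OpenLDAP system defaults, which may well be correct on a host with a maintained CA bundle. The ldap:// check is deliberately per URI: a failover list is only as strong as its weakest entry.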