13.2.12. Creating Domains: Identity Management (IdM)
`*_provider` parameters for a domain. Additionally, Identity Management has configuration options within its own domain to manage SELinux policies, automount information, and host-based access control. All of those features in IdM domains can be tied to SSSD configuration, allowing those security-related policies to be applied and cached for system users.
Example 13.3. Basic IdM Provider
- Use the specific IdM schema rather than the default RFC 2307 schema.
- Set SSSD to update the Identity Management domain's DNS server with the IP address of this client when the client first connects to the IdM domain.
```
[sssd]
domains = local,example.com
...

[domain/example.com]
id_provider = ipa
ipa_server = ipaserver.example.com
ipa_hostname = ipa1.example.com
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
# set which schema to use
ldap_schema = ipa
# automatically update IdM DNS records
ipa_dyndns_update = true
```
Example 13.4. IdM Provider with SELinux
`selinux_provider` parameter. The provider defaults to the `id_provider` value, so it is not necessary to set it explicitly to support SELinux rules. However, it can be useful to set it explicitly in order to disable SELinux support for the IdM provider in SSSD.
```
selinux_provider = ipa
```
Example 13.5. IdM Provider with Host-Based Access Control
- SSSD can evaluate what machine (source host) the user is using to connect to the IdM resource; this is disabled by default, so that only the target host part of the rule is evaluated.
- SSSD can refresh the host-based access control rules in its cache at a specified interval.
```
access_provider = ipa
ipa_hbac_refresh = 120
# check for source machine rules; disabled by default
ipa_hbac_support_srchost = true
```
Example 13.6. Identity Management with Cross-Realm Kerberos Trusts
- A service that adds required data to Kerberos tickets
- A setting to support subdomains
`pac` service in SSSD:

```
[sssd]
services = nss, pam, pac
```
`subdomains_provider` parameter to the IdM domain section. This is actually an optional parameter; if a subdomain is discovered, then SSSD defaults to using the `ipa` provider type. However, this parameter can also be used to disable subdomain fetches by setting a value of
```
[domain/IDM]
...
subdomains_provider = ipa
get_domains_timeout = 300
```
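As an added example that is not part of the original documentation, the following Python script lints the `[domain/*]` sections of an sssd.conf for the IdM-provider settings covered in Examples 13.3 to 13.6: the required `ipa_server` and `ipa_hostname`, `ldap_schema = ipa`, the `*_provider` values, and the `pac` service that trusted-subdomain users need. The sample configuration is constructed; the script assumes SSSD's documented defaults that `auth_provider` and `chpass_provider` fall back to `id_provider` when unset and that an unset `access_provider` permits all users.

```python
import configparser

# Constructed sample sssd.conf built from the settings shown in the examples
# above; [domain/corp.test] is deliberately incomplete to exercise the checks.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example.com, corp.test
services = nss, pam
[domain/example.com]
id_provider = ipa
ipa_server = ipaserver.example.com
ipa_hostname = ipa1.example.com
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ldap_schema = ipa
subdomains_provider = ipa
[domain/corp.test]
id_provider = ipa
ipa_server = ipa.corp.test
access_provider = ldap
"""

def lint_idm_domains(conf_text):
    """Return (section, message) findings for each [domain/*] using the ipa provider."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    findings = []
    for section in cp.sections():
        d = cp[section]
        if not section.startswith("domain/") or d.get("id_provider") != "ipa":
            continue
        for key in ("ipa_server", "ipa_hostname"):  # both are required for an IdM domain
            if key not in d:
                findings.append((section, f"{key} is not set"))
        # Without ldap_schema = ipa, SSSD falls back to the RFC 2307 schema
        if d.get("ldap_schema", "rfc2307") != "ipa":
            findings.append((section, "ldap_schema is not ipa"))
        # auth/chpass default to id_provider when unset (assumed SSSD default), so only
        # explicit non-ipa values divert those functions away from IdM
        for key in ("auth_provider", "chpass_provider"):
            if key in d and d[key] != "ipa":
                findings.append((section, f"{key} is not ipa"))
        # access_provider unset means SSSD permits everyone (assumed default); IdM HBAC
        # rules are only evaluated when it is explicitly ipa
        if d.get("access_provider") != "ipa":
            findings.append((section, "access_provider is not ipa"))
        # subdomains_provider defaults to ipa; trusted-domain users then need the pac service
        if d.get("subdomains_provider", "ipa") == "ipa" and "pac" not in services:
            findings.append((section, "pac service is not enabled in [sssd] services"))
    return findings
```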