SSSD-LDAP-ATTRIBUT(5) | File Formats and Conventions | SSSD-LDAP-ATTRIBUT(5) |
NAME¶
sssd-ldap-attributes - SSSD LDAP Provider: Mapping Attributes
DESCRIPTION¶
This manual page describes the mapping attributes of SSSD LDAP provider sssd-ldap(5). Refer to the sssd-ldap(5) manual page for full details about SSSD LDAP provider configuration options.
USER ATTRIBUTES¶
ldap_user_object_class (string)
Default: posixAccount
ldap_user_name (string)
Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
ldap_user_uid_number (string)
Default: uidNumber
ldap_user_gid_number (string)
Default: gidNumber
ldap_user_primary_group (string)
Default: unset (LDAP), primaryGroupID (AD)
ldap_user_gecos (string)
Default: gecos
ldap_user_home_directory (string)
Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)
ldap_user_shell (string)
Default: loginShell
ldap_user_uuid (string)
Default: not set in the general case, objectGUID for AD and ipaUniqueID for IPA
ldap_user_objectsid (string)
Default: objectSid for ActiveDirectory, not set for other servers.
ldap_user_modify_timestamp (string)
Default: modifyTimestamp
ldap_user_shadow_last_change (string)
Default: shadowLastChange
ldap_user_shadow_min (string)
Default: shadowMin
ldap_user_shadow_max (string)
Default: shadowMax
ldap_user_shadow_warning (string)
Default: shadowWarning
ldap_user_shadow_inactive (string)
Default: shadowInactive
ldap_user_shadow_expire (string)
Default: shadowExpire
ldap_user_krb_last_pwd_change (string)
Default: krbLastPwdChange
ldap_user_krb_password_expiration (string)
Default: krbPasswordExpiration
ldap_user_ad_account_expires (string)
Default: accountExpires
ldap_user_ad_user_account_control (string)
Default: userAccountControl
ldap_ns_account_lock (string)
Default: nsAccountLock
ldap_user_nds_login_disabled (string)
Default: loginDisabled
ldap_user_nds_login_expiration_time (string)
Default: loginDisabled
ldap_user_nds_login_allowed_time_map (string)
Default: loginAllowedTimeMap
ldap_user_principal (string)
Default: krbPrincipalName
ldap_user_extra_attrs (string)
The list can either contain LDAP attribute names only, or colon-separated tuples of SSSD cache attribute name and LDAP attribute name. In case only LDAP attribute name is specified, the attribute is saved to the cache verbatim. Using a custom SSSD attribute name might be required by environments that configure several SSSD domains with different LDAP schemas.
Please note that several attribute names are reserved by SSSD, notably the “name” attribute. SSSD would report an error if any of the reserved attribute names is used as an extra attribute name.
Examples:
ldap_user_extra_attrs = telephoneNumber
Save the “telephoneNumber” attribute from LDAP as “telephoneNumber” to the cache.
ldap_user_extra_attrs = phone:telephoneNumber
Save the “telephoneNumber” attribute from LDAP as “phone” to the cache.
Default: not set
ldap_user_ssh_public_key (string)
Default: sshPublicKey
ldap_user_fullname (string)
Default: cn
ldap_user_member_of (string)
Default: memberOf
ldap_user_authorized_service (string)
An explicit deny (!svc) is resolved first. Second, SSSD searches for explicit allow (svc) and finally for allow_all (*).
Please note that the ldap_access_order configuration option must include “authorized_service” in order for the ldap_user_authorized_service option to work.
Some distributions (such as Fedora-29+ or RHEL-8) always include the “systemd-user” PAM service as part of the login process. Therefore when using service-based access control, the “systemd-user” service might need to be added to the list of allowed services.
Default: authorizedService
ldap_user_authorized_host (string)
An explicit deny (!host) is resolved first. Second, SSSD searches for explicit allow (host) and finally for allow_all (*).
Please note that the ldap_access_order configuration option must include “host” in order for the ldap_user_authorized_host option to work.
Default: host
ldap_user_authorized_rhost (string)
An explicit deny (!rhost) is resolved first. Second, SSSD searches for explicit allow (rhost) and finally for allow_all (*).
Please note that the ldap_access_order configuration option must include “rhost” in order for the ldap_user_authorized_rhost option to work.
Default: rhost
ldap_user_certificate (string)
Default: userCertificate;binary
ldap_user_email (string)
Note: If an email address of a user conflicts with an email address or fully qualified name of another user, then SSSD will not be able to serve those users properly. This option allows users to login by (1) username, and (2) e-mail address. If for some reason several users need to share the same email address then set this option to a nonexistent attribute name in order to disable user lookup/login by email.
Default: mail
ldap_user_passkey (string)
Default: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities (AD)
GROUP ATTRIBUTES¶
ldap_group_object_class (string)
Default: posixGroup
ldap_group_name (string)
Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
ldap_group_gid_number (string)
Default: gidNumber
ldap_group_member (string)
Default: memberuid (rfc2307) / member (rfc2307bis)
ldap_group_uuid (string)
Default: not set in the general case, objectGUID for AD and ipaUniqueID for IPA
ldap_group_objectsid (string)
Default: objectSid for ActiveDirectory, not set for other servers.
ldap_group_modify_timestamp (string)
Default: modifyTimestamp
ldap_group_type (string)
This attribute is currently only used by the AD provider to determine if a group is a domain local groups and has to be filtered out for trusted domains.
Default: groupType in the AD provider, otherwise not set
ldap_group_external_member (string)
Default: ipaExternalMember in the IPA provider, otherwise unset.
NETGROUP ATTRIBUTES¶
ldap_netgroup_object_class (string)
In IPA provider, ipa_netgroup_object_class should be used instead.
Default: nisNetgroup
ldap_netgroup_name (string)
In IPA provider, ipa_netgroup_name should be used instead.
Default: cn
ldap_netgroup_member (string)
In IPA provider, ipa_netgroup_member should be used instead.
Default: memberNisNetgroup
ldap_netgroup_triple (string)
This option is not available in IPA provider.
Default: nisNetgroupTriple
ldap_netgroup_modify_timestamp (string)
This option is not available in IPA provider.
Default: modifyTimestamp
HOST ATTRIBUTES¶
ldap_host_object_class (string)
Default: ipService
ldap_host_name (string)
Default: cn
ldap_host_fqdn (string)
Default: fqdn
ldap_host_serverhostname (string)
Default: serverHostname
ldap_host_member_of (string)
Default: memberOf
ldap_host_ssh_public_key (string)
Default: sshPublicKey
ldap_host_uuid (string)
Default: not set
SERVICE ATTRIBUTES¶
ldap_service_object_class (string)
Default: ipService
ldap_service_name (string)
Default: cn
ldap_service_port (string)
Default: ipServicePort
ldap_service_proto (string)
Default: ipServiceProtocol
SUDO ATTRIBUTES¶
ldap_sudorule_object_class (string)
Default: sudoRole
ldap_sudorule_name (string)
Default: cn
ldap_sudorule_command (string)
Default: sudoCommand
ldap_sudorule_host (string)
Default: sudoHost
ldap_sudorule_user (string)
Default: sudoUser
ldap_sudorule_option (string)
Default: sudoOption
ldap_sudorule_runasuser (string)
Default: sudoRunAsUser
ldap_sudorule_runasgroup (string)
Default: sudoRunAsGroup
ldap_sudorule_notbefore (string)
Default: sudoNotBefore
ldap_sudorule_notafter (string)
Default: sudoNotAfter
ldap_sudorule_order (string)
Default: sudoOrder
AUTOFS ATTRIBUTES¶
ldap_autofs_map_object_class (string)
Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap
ldap_autofs_map_name (string)
Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName
ldap_autofs_entry_object_class (string)
Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount
ldap_autofs_entry_key (string)
Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey
ldap_autofs_entry_value (string)
Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise automountInformation
IP HOST ATTRIBUTES¶
ldap_iphost_object_class (string)
Default: ipHost
ldap_iphost_name (string)
Default: cn
ldap_iphost_number (string)
Default: ipHostNumber
IP NETWORK ATTRIBUTES¶
ldap_ipnetwork_object_class (string)
Default: ipNetwork
ldap_ipnetwork_name (string)
Default: cn
ldap_ipnetwork_number (string)
Default: ipNetworkNumber
SEE ALSO¶
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) sssd-systemtap(5)
AUTHORS¶
The SSSD upstream - https://github.com/SSSD/sssd/
09/04/2024 | SSSD |