diff --git a/auth/active_directory.adoc b/auth/active_directory.adoc index f9c467256..aab58effd 100644 --- a/auth/active_directory.adoc +++ b/auth/active_directory.adoc @@ -77,6 +77,8 @@ Password for user: xxxxxxxx Update the */etc/sssd/sssd.conf* file as follows: +*Note*: Starting with SSSD version 1.15.2, which will be available in CentOS version 7.4, SSSD will provide the domain name as a user attribute. The below examples show how to set _ldap_user_extra_attrs_ and _user_attributes_ to take advantage of this new feature. If running an appliance built with CentOS version prior to CentOS 7.4 do not include _domainname_ for these attributes. + ---- [domain/example.com] ad_domain = example.com @@ -90,7 +92,7 @@ Update the */etc/sssd/sssd.conf* file as follows: use_fully_qualified_names = True fallback_homedir = /home/%d/%u access_provider = ad -=> ldap_user_extra_attrs = mail, givenname, sn, displayname +=> ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname => [sssd] => domains = example.com @@ -107,7 +109,7 @@ Update the */etc/sssd/sssd.conf* file as follows: => [ifp] => default_domain_suffix = example.com => allowed_uids = apache, root -=> user_attributes = +mail, +givenname, +sn, +displayname +=> user_attributes = +mail, +givenname, +sn, +displayname, +domainname ---- [[configure-apache]] diff --git a/auth/ipa_ad_trust.adoc b/auth/ipa_ad_trust.adoc index d2fc7ef87..43e7d9af9 100644 --- a/auth/ipa_ad_trust.adoc +++ b/auth/ipa_ad_trust.adoc 
@@ -39,9 +39,18 @@ The SSSD configuration file on the IPA Server must be updated to list needed use Add the following entry to the SSSD configuration file /etc/sssd/sssd.conf +*Note*: Starting with SSSD version 1.15.2, which will be available in CentOS version 7.4, SSSD will provide the domain name as a user attribute. The below examples show how to set _ldap_user_extra_attrs_ and _user_attributes_ to take advantage of this new feature. If running an appliance built with CentOS version prior to CentOS 7.4 do not include _domainname_ for these attributes. + ```bash [ifp] -user_attributes = +mail, +givenname, +sn, +displayname +user_attributes = +mail, +givenname, +sn, +displayname, +domainname +``` + +and update _ldap_user_extra_attrs_ to include _domainname_ where appropriate. + +```bash +[domain/example.com] +ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname ``` * DNS Configuration Significance diff --git a/auth/ldap.adoc b/auth/ldap.adoc index 066117780..b3a41f61c 100644 --- a/auth/ldap.adoc +++ b/auth/ldap.adoc @@ -103,6 +103,8 @@ Configure SSSD based authentication against LDAP via SSL: Edit the different sections in */etc/sssd/sssd.conf* for the Appliance as in the following example, customizing the main *[domain/example.com]* section for the particular Ldap installation. +*Note*: Starting with SSSD version 1.15.2, which will be available in CentOS version 7.4, SSSD will provide the domain name as a user attribute. The below examples show how to set _ldap_user_extra_attrs_ and _user_attributes_ to take advantage of this new feature. If running an appliance built with CentOS version prior to CentOS 7.4 do not include _domainname_ for these attributes. + ---- => [domain/example.com] autofs_provider = ldap 
@@ -134,7 +136,7 @@ example, customizing the main *[domain/example.com]* section for the particular cache_credentials = True => entry_cache_timeout = 600 -=> ldap_user_extra_attrs = mail, givenname, sn, displayname +=> ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname [sssd] => domains = example.com @@ -152,7 +154,7 @@ example, customizing the main *[domain/example.com]* section for the particular => [ifp] => default_domain_suffix = example.com => allowed_uids = apache, root -=> user_attributes = +mail, +givenname, +sn, +displayname +=> user_attributes = +mail, +givenname, +sn, +displayname, +domainname ---- ==== Testing SSSD Updates @@ -176,7 +178,7 @@ systemctl restart sssd Example query of user attributes for user evmuser. This primarily validates the _ldap_user__ attributes of *sssd.conf*. ---- -# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:evmuser array:string:mail,givenname,sn,displayname +# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:evmuser array:string:mail,givenname,sn,displayname,domainname ---- Query groups of user evmuser. This primarily validates the _ldap_group__ attributes of *sssd.conf*.
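Review bot: In auth/active_directory.adoc (hunk at -77,6) and auth/ldap.adoc (hunk at -103,6), the new *Note* paragraph sits between the lead-in sentence ("Update the */etc/sssd/sssd.conf* file as follows:" and "Edit the different sections in */etc/sssd/sssd.conf* ...") and the `----` listing it introduces, so the lead-in no longer points at the listing. Move the note above the lead-in sentence. The caveat is also keyed on the CentOS release ("built with CentOS version prior to CentOS 7.4") although the feature is tied to SSSD 1.15.2; stating the condition as the installed SSSD version would stay correct on systems where the two do not line up. The same paragraph is pasted verbatim into all three files, so a single shared snippet would keep the wording in sync.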
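Review bot: In auth/ipa_ad_trust.adoc (hunk at -39,9), "update _ldap_user_extra_attrs_ to include _domainname_ where appropriate" does not say which section or which host is meant. The surrounding text is about the SSSD configuration file on the IPA Server, and the example shows `[domain/example.com]`, so name the domain section explicitly instead of "where appropriate". The sentence also starts in lower case ("and update ...") as a continuation across a code block, which reads awkwardly once rendered. The added fence is tagged `bash` although its content is an sssd.conf fragment, and the other two files in this patch use `----` listing blocks for the same kind of content.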
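Review bot: In auth/ldap.adoc (hunk at -176,7), the `dbus-send ... GetUserAttr` example now requests `domainname` unconditionally, while the note added earlier in the same file tells readers on appliances built before CentOS 7.4 not to configure that attribute. A reader following the note on an older appliance will run a test query that asks for an attribute they were told to leave out. Add a sentence next to the command saying to drop `domainname` from the `array:string:` list on those appliances. The same applies to the listing hunks that add `domainname` to `ldap_user_extra_attrs` and `user_attributes`: the examples are copy-paste targets, and the only signal to remove the attribute is the prose note above them.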