Document support for the domain user attribute #424

Merged
merged 4 commits into from
Sep 3, 2017
6 changes: 4 additions & 2 deletions auth/active_directory.adoc
Expand Up @@ -77,6 +77,8 @@ Password for user: xxxxxxxx

Update the */etc/sssd/sssd.conf* file as follows:

*Note*: Starting with SSSD version 1.15.2, which will be available in CentOS version 7.4, SSSD will provide the domain name as a user attribute. The below examples show how to set _ldap_user_extra_attrs_ and _user_attributes_ to take advantage of this new feature. If running an appliance built with CentOS version prior to CentOS 7.4 do not include _domainname_ for these attributes.

----
[domain/example.com]
ad_domain = example.com
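Review bot: The new *Note* paragraph lands between "Update the */etc/sssd/sssd.conf* file as follows:" and the listing that sentence introduces, so the lead-in no longer runs straight into its example. Moving the note above the "Update" sentence, or after the closing `----`, keeps the two together. The wording can also be tightened: "The below examples" reads better as "The examples below", and "If running an appliance built with CentOS version prior to CentOS 7.4 do not include" needs an article and a comma ("built with a CentOS version prior to 7.4, do not include").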
Expand All @@ -90,7 +92,7 @@ Update the */etc/sssd/sssd.conf* file as follows:
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
=> ldap_user_extra_attrs = mail, givenname, sn, displayname
=> ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname

=> [sssd]
=> domains = example.com
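Review bot: `domainname` is appended to `ldap_user_extra_attrs` unconditionally, while the note added earlier in this file tells readers on builds older than CentOS 7.4 to leave it out. This listing is the part people copy, so the condition should be visible at the line itself, for example with an AsciiDoc callout on it, or by having the note spell out the pre-7.4 value `mail, givenname, sn, displayname`.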
Expand All @@ -107,7 +109,7 @@ Update the */etc/sssd/sssd.conf* file as follows:
=> [ifp]
=> default_domain_suffix = example.com
=> allowed_uids = apache, root
=> user_attributes = +mail, +givenname, +sn, +displayname
=> user_attributes = +mail, +givenname, +sn, +displayname, +domainname
----

[[configure-apache]]
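Review bot: The `+domainname` entry on the `[ifp]` `user_attributes` line is the second of two places a pre-7.4 reader has to edit, and nothing next to this listing says so. The note names both _ldap_user_extra_attrs_ and _user_attributes_, but it sits well above this section. A short reminder here that the two lists should be changed together would prevent a configuration where only one of them carries `domainname`.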
11 changes: 10 additions & 1 deletion auth/ipa_ad_trust.adoc
Expand Up @@ -39,9 +39,18 @@ The SSSD configuration file on the IPA Server must be updated to list needed use

Add the following entry to the SSSD configuration file /etc/sssd/sssd.conf

*Note*: Starting with SSSD version 1.15.2, which will be available in CentOS version 7.4, SSSD will provide the domain name as a user attribute. The below examples show how to set _ldap_user_extra_attrs_ and _user_attributes_ to take advantage of this new feature. If running an appliance built with CentOS version prior to CentOS 7.4 do not include _domainname_ for these attributes.

```bash
[ifp]
user_attributes = +mail, +givenname, +sn, +displayname
user_attributes = +mail, +givenname, +sn, +displayname, +domainname
```

and update _ldap_user_extra_attrs_ to include _domainname_ where appropriate.

```bash
[domain/example.com]
ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname
```

* DNS Configuration Significance
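Review bot: The added sentence "and update _ldap_user_extra_attrs_ to include _domainname_ where appropriate." starts in lower case after a closed code block and leaves "where appropriate" undefined. Please make it a full sentence and say which `[domain/...]` sections need the change, and whether that is on the IPA server, the appliance, or both. The new `[domain/example.com]` listing is also fenced as bash although it is an sssd.conf fragment, and the other two files in this PR use `----` listing blocks, so the same delimiter would be more consistent here.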
8 changes: 5 additions & 3 deletions auth/ldap.adoc
Expand Up @@ -103,6 +103,8 @@ Configure SSSD based authentication against LDAP via SSL:
Edit the different sections in */etc/sssd/sssd.conf* for the Appliance as in the following
example, customizing the main *[domain/example.com]* section for the particular Ldap installation.

*Note*: Starting with SSSD version 1.15.2, which will be available in CentOS version 7.4, SSSD will provide the domain name as a user attribute. The below examples show how to set _ldap_user_extra_attrs_ and _user_attributes_ to take advantage of this new feature. If running an appliance built with CentOS version prior to CentOS 7.4 do not include _domainname_ for these attributes.

----
=> [domain/example.com]
autofs_provider = ldap
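Review bot: This *Note* paragraph is the third verbatim copy in the PR (it is also added to auth/active_directory.adoc and auth/ipa_ad_trust.adoc), so any later correction has to be made in three places. Consider moving it to one shared file and pulling it in with an AsciiDoc include. The phrase "which will be available in CentOS version 7.4" is written in the future tense and will go stale once that release ships. Stating the minimum SSSD version as a plain requirement avoids that.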
Expand Down Expand Up @@ -134,7 +136,7 @@ example, customizing the main *[domain/example.com]* section for the particular
cache_credentials = True
=> entry_cache_timeout = 600

=> ldap_user_extra_attrs = mail, givenname, sn, displayname
=> ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname

[sssd]
=> domains = example.com
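Review bot: Listing `domainname` in `ldap_user_extra_attrs` next to `mail`, `givenname`, `sn` and `displayname` suggests it is another attribute read from the directory, whereas the note says "SSSD will provide the domain name as a user attribute". One sentence clarifying that readers do not need to create or populate a `domainname` attribute on the LDAP server, if that is the case, would remove the ambiguity.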
Expand All @@ -152,7 +154,7 @@ example, customizing the main *[domain/example.com]* section for the particular
=> [ifp]
=> default_domain_suffix = example.com
=> allowed_uids = apache, root
=> user_attributes = +mail, +givenname, +sn, +displayname
=> user_attributes = +mail, +givenname, +sn, +displayname, +domainname
----

==== Testing SSSD Updates
Expand All @@ -176,7 +178,7 @@ systemctl restart sssd
Example query of user attributes for user evmuser. This primarily validates the _ldap_user__ attributes of *sssd.conf*.

----
# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:evmuser array:string:mail,givenname,sn,displayname
# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:evmuser array:string:mail,givenname,sn,displayname,domainname
----

Query groups of user evmuser. This primarily validates the _ldap_group__ attributes of *sssd.conf*.
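Review bot: The updated `dbus-send` example requests `domainname` unconditionally in `array:string:mail,givenname,sn,displayname,domainname`, but the note earlier in this file tells readers on builds older than CentOS 7.4 to omit that attribute from sssd.conf. Please add a line saying that those readers should drop `domainname` from the query as well. Showing the expected reply for the new attribute would also let readers confirm the feature is working.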