Add detailed description of WAD domain service parameters for sssd configuration (dsr8mr3, dsr8mr2+)

Change-Id: I385a383b6ca63536ef276e22504b86de3129b29a Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
2024-07-03 06:02:31 +00:00
parent d53bbc2f7a
commit 7c72c0d6ee
1 changed files with 43 additions and 4 deletions
--- a/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst
+++ b/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst
@@ -75,16 +75,49 @@ need to be added using system service parameter commands:

 -   ``domain_name``

+    A valid domain name (example: ``wad.mydomain.com``) that will be the name of the
+    |SSSD| domain configuration section (example: [domain/<domain name>]).
+
 -   ``ldap_uri``

+    The server URI that the |SSSD| client needs to connect to. For example:
+    ``ldaps://wad.mydomain.com`` where ``ldaps`` indicates that the secure |LDAP|
+    protocol should be used for the connection. This |SSSD| attribute can accept
+    the IP address of the server but it is not recommended.
+
 -   ``ldap_access_filter``

+    An |LDAP| search filter criteria that must be met for the user to get
+    access on this host. All the |WAD| server supported filters are allowed.
+    For the |WAD| supported filters, see
+    `https://learn.microsoft.com/en-us/archive/technet-wiki/5392.active-directory-ldap-syntax-filters
+    <https://learn.microsoft.com/en-us/archive/technet-wiki/5392.active-directory-ldap-syntax-filters>`__.
+    Verify that the |LDAP| filter is valid using the :command:`ldapsearch`
+    command prior to setting it in the ``ldap_access_filter`` parameter.
+
+    .. note::
+
+        Offline caching for this feature is limited to determining whether the
+        user's last online login was granted access permission. If they were
+        granted access during their last login, they will continue to get
+        access while offline and vice-versa.
+
 -   ``ldap_search_base``

+    The default base |DN| used to perform |LDAP| searches. The filter must be a
+    valid |LDAP| search filter as specified by `http://www.ietf.org/rfc/rfc2254.txt <http://www.ietf.org/rfc/rfc2254.txt>`__.
+    Example: ``ldap_search_base=CN=Users,DC=wad,DC=mydomain,DC=com``.
+
 -   ``ldap_default_bind_dn``

+    The default bind |DN| used to perform |LDAP| operations. Example:
+    ``ldap_default_bind_dn=CN=Administrator,CN=Users,DC=wad,DC=mydomain,DC=com``.
+
 -   ``ldap_default_authtok``

+    The authentication token of the default bind |DN|. Currently, only clear
+    text passwords are supported.
+
 If a mandatory parameter is missing, an error will be displayed, naming the
 missing parameter for the domain and the domain will not be created.

@@ -121,13 +154,15 @@ Commands to add mandatory parameters for a remote ldap domain:

    .. code-block:: none

-        system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-1,DC=cumulus,DC=wrs,DC=com
+        system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-server,DC=com

    The ``allowedusers`` group is a |WAD| group where the ``gidNumber``
    |LDAP| attribute must be set to a unique group number among Linux groups so
    that it is mapped on the Linux platform as a Linux |LDAP| group with a
    unique ``gid`` value.

+For more details on |SSSD| parameters, refer to `https://linux.die.net/man/5/sssd-ldap <https://linux.die.net/man/5/sssd-ldap>`__.
+
 Optional Parameters
 -------------------

@@ -136,8 +171,14 @@ parameter commands:

 -   ``ldap_user_search_base``

+    An optional base |DN|, search scope, and |LDAP| filter to restrict |LDAP| searches
+    for user objects. If not specified, the default value is ``ldap_search_base``.
+
 -   ``ldap_group_search_base``

+    An optional base |DN|, search scope, and |LDAP| filter to restrict |LDAP| searches
+    for group objects. If not specified, the default value is ``ldap_search_base``.
+
 For example:

 .. code-block:: none
@@ -146,10 +187,8 @@ For example:

    system service-parameter-add identity ldap-domain1 ldap_group_search_base=CN=Groups,DC=wad-server,DC=com

-.. note::

-    When not set, the 2 optional service parameters, will have as default
-    value, the value of ``ldap_search_base`` service parameter.
+For more details on |SSSD| parameters, refer to `https://linux.die.net/man/5/sssd-ldap <https://linux.die.net/man/5/sssd-ldap>`__.

 Apply parameters
 ----------------