Add detailed description of WAD domain service parameters for sssd configuration (dsr8mr3, dsr8mr2+)
Change-Id: I385a383b6ca63536ef276e22504b86de3129b29a
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
@@ -75,16 +75,49 @@ need to be added using system service parameter commands:
|
|||||||
|
|
||||||
- ``domain_name``
|
- ``domain_name``
|
||||||
|
|
||||||
|
A valid domain name (example: ``wad.mydomain.com``) that will be the name of the
|
||||||
|
|SSSD| domain configuration section (example: [domain/<domain name>]).
|
||||||
|
|
||||||
- ``ldap_uri``
|
- ``ldap_uri``
|
||||||
|
|
||||||
|
The server URI that the |SSSD| client needs to connect to. For example:
|
||||||
|
``ldaps://wad.mydomain.com`` where ``ldaps`` indicates that the secure |LDAP|
|
||||||
|
protocol should be used for the connection. This |SSSD| attribute can accept
|
||||||
|
the IP address of the server but it is not recommended.
|
||||||
|
|
||||||
- ``ldap_access_filter``
|
- ``ldap_access_filter``
|
||||||
|
|
||||||
|
An |LDAP| search filter criteria that must be met for the user to get
|
||||||
|
access on this host. All the |WAD| server supported filters are allowed.
|
||||||
|
For the |WAD| supported filters, see
|
||||||
|
`https://learn.microsoft.com/en-us/archive/technet-wiki/5392.active-directory-ldap-syntax-filters
|
||||||
|
<https://learn.microsoft.com/en-us/archive/technet-wiki/5392.active-directory-ldap-syntax-filters>`__.
|
||||||
|
Verify that the |LDAP| filter is valid using the :command:`ldapsearch`
|
||||||
|
command prior to setting it in the ``ldap_access_filter`` parameter.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Offline caching for this feature is limited to determining whether the
|
||||||
|
user's last online login was granted access permission. If they were
|
||||||
|
granted access during their last login, they will continue to get
|
||||||
|
access while offline and vice-versa.
|
||||||
|
|
||||||
- ``ldap_search_base``
|
- ``ldap_search_base``
|
||||||
|
|
||||||
|
The default base |DN| used to perform |LDAP| searches. The filter must be a
|
||||||
|
valid |LDAP| search filter as specified by `http://www.ietf.org/rfc/rfc2254.txt <http://www.ietf.org/rfc/rfc2254.txt>`__.
|
||||||
|
Example: ``ldap_search_base=CN=Users,DC=wad,DC=mydomain,DC=com``.
|
||||||
|
|
||||||
- ``ldap_default_bind_dn``
|
- ``ldap_default_bind_dn``
|
||||||
|
|
||||||
|
The default bind |DN| used to perform |LDAP| operations. Example:
|
||||||
|
``ldap_default_bind_dn=CN=Administrator,CN=Users,DC=wad,DC=mydomain,DC=com``.
|
||||||
|
|
||||||
- ``ldap_default_authtok``
|
- ``ldap_default_authtok``
|
||||||
|
|
||||||
|
The authentication token of the default bind |DN|. Currently, only clear
|
||||||
|
text passwords are supported.
|
||||||
|
|
||||||
If a mandatory parameter is missing, an error will be displayed, naming the
|
If a mandatory parameter is missing, an error will be displayed, naming the
|
||||||
missing parameter for the domain and the domain will not be created.
|
missing parameter for the domain and the domain will not be created.
|
||||||
|
|
||||||
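Review bot: in the ``ldap_search_base`` entry, the sentence "The filter must be a valid |LDAP| search filter as specified by rfc2254" is misplaced: that entry describes a base DN (example ``CN=Users,DC=wad,DC=mydomain,DC=com``), and the RFC 2254 filter requirement belongs with ``ldap_access_filter``; suggest moving the sentence there, or rewording it so it clearly refers to the optional filter component of a search base. Two smaller points: the ``ldap_default_bind_dn`` example uses ``CN=Administrator,CN=Users,...`` while the ``ldap_default_authtok`` entry states that only clear text passwords are supported, so the example as written documents storing a domain administrator password in clear text in a service parameter; suggest using a dedicated read-only bind account in the example and saying so in the text. And the ``ldap_uri`` entry says an IP address "is not recommended" without giving the reason; with ``ldaps`` the server certificate is validated against the host name in the URI, so stating that would help the reader.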
@@ -121,13 +154,15 @@ Commands to add mandatory parameters for a remote ldap domain:
|
|||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-1,DC=cumulus,DC=wrs,DC=com
|
system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-server,DC=com
|
||||||
|
|
||||||
The ``allowedusers`` group is a |WAD| group where the ``gidNumber``
|
The ``allowedusers`` group is a |WAD| group where the ``gidNumber``
|
||||||
|LDAP| attribute must be set to a unique group number among Linux groups so
|
|LDAP| attribute must be set to a unique group number among Linux groups so
|
||||||
that it is mapped on the Linux platform as a Linux |LDAP| group with a
|
that it is mapped on the Linux platform as a Linux |LDAP| group with a
|
||||||
unique ``gid`` value.
|
unique ``gid`` value.
|
||||||
|
|
||||||
|
For more details on |SSSD| parameters, refer to `https://linux.die.net/man/5/sssd-ldap <https://linux.die.net/man/5/sssd-ldap>`__.
|
||||||
|
|
||||||
Optional Parameters
|
Optional Parameters
|
||||||
-------------------
|
-------------------
|
||||||
|
|
||||||
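Review bot: the updated example ``ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-server,DC=com`` uses the domain ``DC=wad-server,DC=com``, while the parameter descriptions in the previous hunk use ``wad.mydomain.com`` and ``DC=wad,DC=mydomain,DC=com``; suggest one example domain throughout this page so the reader can map the DN components back to the domain name. Replacing the old ``DC=wad-1,DC=cumulus,DC=wrs,DC=com`` value is the right call, since it read as an internal lab domain rather than a documentation example.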
@@ -136,8 +171,14 @@ parameter commands:
|
|||||||
|
|
||||||
- ``ldap_user_search_base``
|
- ``ldap_user_search_base``
|
||||||
|
|
||||||
|
An optional base |DN|, search scope, and |LDAP| filter to restrict |LDAP| searches
|
||||||
|
for user objects. If not specified, the default value is ``ldap_search_base``.
|
||||||
|
|
||||||
- ``ldap_group_search_base``
|
- ``ldap_group_search_base``
|
||||||
|
|
||||||
|
An optional base |DN|, search scope, and |LDAP| filter to restrict |LDAP| searches
|
||||||
|
for group objects. If not specified, the default value is ``ldap_search_base``.
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
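Review bot: the new ``ldap_user_search_base`` and ``ldap_group_search_base`` entries say "An optional base |DN|, search scope, and |LDAP| filter", but the text never shows how to express the scope and filter parts and the example that follows is a bare DN; either drop "search scope, and |LDAP| filter" or document the ``base?scope?filter`` form described in the sssd-ldap man page this section already links to. Minor wording: "If not specified, the default value is ``ldap_search_base``" would be clearer as "If not specified, the value of ``ldap_search_base`` is used", since the default is that parameter's value, not the literal name.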
@@ -146,10 +187,8 @@ For example:
|
|||||||
|
|
||||||
system service-parameter-add identity ldap-domain1 ldap_group_search_base=CN=Groups,DC=wad-server,DC=com
|
system service-parameter-add identity ldap-domain1 ldap_group_search_base=CN=Groups,DC=wad-server,DC=com
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
When not set, the 2 optional service parameters, will have as default
|
For more details on |SSSD| parameters, refer to `https://linux.die.net/man/5/sssd-ldap <https://linux.die.net/man/5/sssd-ldap>`__.
|
||||||
value, the value of ``ldap_search_base`` service parameter.
|
|
||||||
|
|
||||||
Apply parameters
|
Apply parameters
|
||||||
----------------
|
----------------
|
||||||
|
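Review bot: the line "For more details on |SSSD| parameters, refer to `https://linux.die.net/man/5/sssd-ldap <https://linux.die.net/man/5/sssd-ldap>`__." added here repeats, word for word, the sentence added at the end of the mandatory parameters section in the second hunk of this change; keep one copy (the one here, after all parameters are listed, covers both) and drop the other. Removing the old note is fine, as the two optional parameter descriptions now state the ``ldap_search_base`` default themselves.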